Add Domain User to local group



I am trying to add a domain user to a local group

based on this article

http://www.microsoft.com/technet/scriptcen...04/hey1008.mspx

I thought I could do this

$objGroup = ObjGet("WinNT://" & @ComputerName & "/" & $level)
$objUser = ObjGet("WinNT://" & $domain & "/" & $user)
$objGroup.Add($objUser.ADsPath)

That works for a local user, but when I try to do a domain user I get

$objGroup.Add($objUser.ADsPath)

$objGroup.Add($objUser.^ERROR

Error: Variable must be of type "Object"

I'm assuming that's because it needs my credentials to check that the user exists... How would I provide that information?

;complete function

Func _User($action, $user, $pass="", $domain=@ComputerName, $level="")
    Select
        Case $action = "ADD"
            $objLocalComputer = ObjGet("WinNT://" & @ComputerName); Init COM object
            $objUser = $objLocalComputer.Create ("user", $user); Create user
            $objUser.SetPassword ($pass)
            $objUser.SetInfo
            _User("SET_GROUP", $user, $pass, $domain, $level)
        Case $action = "REMOVE"
;_Profile("REMOVE", $user, $domain)
            $objLocalComputer = ObjGet("WinNT://" & @ComputerName); Init COM object
            $objLocalComputer.Delete("user", $user); Delete user
        Case $action = "SET_GROUP"
            $objGroup = ObjGet("WinNT://" & @ComputerName & "/" & $level)
            $objUser = ObjGet("WinNT://" & $domain & "/" & $user)
            $objGroup.Add($objUser.ADsPath)
        Case $action = "REMOVE_GROUP"
            $objGroup = ObjGet("WinNT://" & @ComputerName & "/" & $level)
            $objUser = ObjGet("WinNT://" & $domain & "/" & $user)
            $objGroup.Remove($objUser.ADsPath)
    EndSelect
EndFunc;==>_User
Edited by ACalcutt

Andrew Calcutt

Http://www.Vistumbler.net

Http://www.TechIdiots.net

Its not an error, its a undocumented feature


What error do you get when you add these lines?

$oMyError = ObjEvent("AutoIt.Error","MyErrFunc") ; Install a custom error handler 
; <+++++ Your code goes here ++++
; This is my custom error handler 
Func MyErrFunc() 
   $HexNumber=hex($oMyError.number,8) 
   Msgbox(0,"","We intercepted a COM Error !" & @CRLF & _
                "Number is: " & $HexNumber & @CRLF & _
                "Linenbr is: " & $oMyError.scriptline  & @CRLF & _
                "Description is: " & $oMyError.description  & @CRLF & _
                "Windescription is: " & $oMyError.windescription ) 

   SetError(1) ; something to check for when this function returns 
Endfunc


A friend from work helped me get it working...

I ended up with this

Func _User($action, $user, $pass="", $domain=@ComputerName, $level="")
    Select
        Case $action = "ADD"
            $objLocalComputer = ObjGet("WinNT://" & @ComputerName); Init COM object
            $objUser = $objLocalComputer.Create ("user", $user); Create user
            $objUser.SetPassword ($pass)
            $objUser.SetInfo
            _User("SET_GROUP", $user, $pass, $domain, $level)
        Case $action = "REMOVE"
            _Profile("REMOVE", $user, $domain)
            $objLocalComputer = ObjGet("WinNT://" & @ComputerName); Init COM object
            $objLocalComputer.Delete("user", $user); Delete user
        Case $action = "SET_GROUP"
            $dso = ObjGet("WinNT:")
            $objGroup = ObjGet("WinNT://" & @ComputerName & "/" & $level & ",group") 
            $objUser = $dso.OpenDSObject("WinNT://" & $domain & "/" & $user,$domain & "\" & $user, $pass, 1) 
            $objGroup.Add($objUser.ADsPath)
        Case $action = "REMOVE_GROUP"
            $objGroup = ObjGet("WinNT://" & @ComputerName & "/" & $level)
            $objUser = ObjGet("WinNT://" & $domain & "/" & $user)
            $objGroup.Remove($objUser.ADsPath)
    EndSelect
EndFunc ;==>_User

If I have some spare time I will see what the other code gave me as an error

Edited by ACalcutt


  • 4 years later...

Hi!

I'm trying to use your script. It goes to an error "The requested action with this object has failed".

$level = 'Administrators'
$domain = 'domainname'
$user = 'domainadmin'
$password = 'domainpassword'
$user1 = 'username'
$dso = ObjGet("WinNT:")
$objGroup = ObjGet("WinNT://" & @ComputerName & "/" & $level & ",group") 
$objUser1 = $dso.OpenDSObject("WinNT://" & $fulldomain & "/" & $user1,$domain & "\" & $user, $password, 1) 
$objGroup.Add ($objUser1.AdsPath)

Could you please help me to reedit it?

Edited by HaeMHuK

All Active Directory related functions can be done using the Active Directory UDF (for download please see my signature) as well.

My UDFs and Tutorials:

Spoiler

UDFs:
Active Directory (NEW 2022-02-19 - Version 1.6.1.0) - Download - General Help & Support - Example Scripts - Wiki
ExcelChart (2017-07-21 - Version 0.4.0.1) - Download - General Help & Support - Example Scripts
OutlookEX (2021-11-16 - Version 1.7.0.0) - Download - General Help & Support - Example Scripts - Wiki
OutlookEX_GUI (2021-04-13 - Version 1.4.0.0) - Download
Outlook Tools (2019-07-22 - Version 0.6.0.0) - Download - General Help & Support - Wiki
PowerPoint (2021-08-31 - Version 1.5.0.0) - Download - General Help & Support - Example Scripts - Wiki
Task Scheduler (NEW 2022-07-28 - Version 1.6.0.1) - Download - General Help & Support - Wiki

Standard UDFs:
Excel - Example Scripts - Wiki
Word - Wiki

Tutorials:
ADO - Wiki
WebDriver - Wiki

 


Thanks for UDF. I've already created script for me based on it.

But I didn't find there what I've mentioned before.


That's true. The only WINNT stuff is related to the functions to join/unjoin a computer to the domain.

But with the AD UDF you can at least get the ADSPATH of the user.


I don't need to add pc to domain. I just only need to add domain user to local group.

How can I do it with AD UDF?


#include <ad.au3>
_AD_Open()
; Get ADSPath for specified user
$user = @UserName
$sFQDN = _AD_SamAccountNameToFQDN($user)
$sADSPath = "LDAP://" & $sAD_HostServer & "/" & $sFQDN
_AD_Close()
; access group
$level = 'Administrators'
$objGroup = ObjGet("WinNT://" & @ComputerName & "/" & $level & ",group")
; Add user to group
$objGroup.Add ($sADSPath)

This example runs with the credentials of the current user. If you need a userid/password to access the AD then pass them as parameters to _AD_Open().

If you get:

Test.au3 (13) : ==> The requested action with this object has failed.:
$objGroup.Add ($sADSPath)
$objGroup.Add ($sADSPath)^ ERROR
then you're missing the necessary rights to add the user to the local group.

Edited by water


*****.au3 (12) : ==> The requested action with this object has failed.:

$objGroup.Add ($sADSPath)

$objGroup.Add ($sADSPath)^ ERROR

Maybe I'm doing something wrong?

I have these rights. There is something else.

Edited by HaeMHuK

No, I think you're just missing the necessary rights to add the user to the local group.

I tested that the $objGroup exists.

To ensure that you aren't doing anything wrong with AutoIt you could download a VB script from the internet and test.


Well. After rebooting this works fine:

$dso = ObjGet("WinNT:")

$objGroup = ObjGet("WinNT://" & @ComputerName & "/" & $level & ",group")

$objUser = $dso.OpenDSObject("WinNT://" & $fulldomain & "/" & $user1,$domain & "\" & $user, $password, 1)

$objGroup.Add($objUser.ADsPath)

MsgBox(0, "111", "User added")

Sometimes it works sometimes not.

What is the reason, do you have any suggestions?


Unfortunately I have no idea. That's not my area of expertise :x Anyone else?

Edited by water


  • 7 years later...

I'm stuck, again.  I have an application that uses local group membership to control the user roles.  Nesting AD groups into those local groups doesn't work, so my plan is to use a scheduled task to sync the AD group members to the local group.  I've got about 20 machines that need to keep synced, and it's been a pain doing it machine by machine.  I'm to the point where I can get the FQDN list of users out of AD, but I'm too new at this to understand how to take that list and add them to the local group.  Here's what I've got so far trying to make it work based on various threads.  Yes, I am an admin on the PC where I'm running it.  I think I read somewhere about an escape character in the FQDN that was needed, but can't find it again.  

$ADresult = _AD_Open("MYacct","MYpassword","","","",3)
$ADlist = _ad_getgroupmembers("PSuser")
_ad_Close()

$objGroup = ObjGet("WinNT://" & @ComputerName & "/" & "PSoperator")

For $i=1 to $ADlist[0] step +1
$uADS = "LDAP://" & $sAD_HostServer & "/" & $ADlist[$i]
$objGroup.add ($ADlist[$i])
Next

I get this: 

"The requested action with this object has failed.:"

$objGroup^ ERROR

Edited by CrabChuck

I have had consistent results using "net localgroup" to add AD groups and users to a local group.  Example below.  

#RequireAdmin
#include <Constants.au3>

;~ _AddADAccountToLocalGroup("AD\GroupName", "Administrators")
;~ If @error Then MsgBox($MB_ICONERROR, "Error", "Error adding user/group to local group.")

_AddADAccountToLocalGroup("AD\PSUser", "PSoperator")
If @error Then MsgBox($MB_ICONERROR, "Error", "Error adding user/group to local group.")

Func _AddADAccountToLocalGroup($sAccountName, $sLocalGroup)
    If StringLeft($sAccountName, 3) = "AD\" Then $sAccountName = StringTrimLeft($sAccountName, 3)
    
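    ; Quote both names so a group or account containing spaces (e.g. "Remote Desktop Users") reaches net.exe as one argument each
    Local $iPIDNet = Run('net localgroup "' & $sLocalGroup & '" "' & $sAccountName & '" /add', @SystemDir, @SW_HIDE, $STDERR_MERGED)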
    ProcessWaitClose($iPIDNet)
    Local $sNetOutput = StringStripWS(StdoutRead($iPIDNet), $STR_STRIPLEADING + $STR_STRIPTRAILING)

    If Not (StringInStr($sNetOutput, "The command completed successfully.") Or StringInStr($sNetOutput, "The specified account name is already a member of the group.")) Then Return SetError(1, 0, False)

    Return True
EndFunc   ;==>_AddADAccountToLocalGroup

 

Adam

 


What's the format of your $sAccountName variable?  I'm still working to try and solve my own issue, and discovered one problem with the $sAD_HostServer variable.  I capture it while I have my AD connection open.  That got my $uADS variable looking better.  I've got a debug message box where I return $objGroup.name and it's giving me the name of the group I want to update, so I'm pretty sure my group object is okay.  That means what I'm passing it isn't.  Right now, $uADS looks like this:

LDAP://server123.bob.company.com/CN=Mike Jones,OU=Users,OU=Americas,DC=bob,DC=company,DC=com


9 minutes ago, AdamUL said:

The $sAccountName is the format for the SamAccountName.  You can use _AD_FQDNToSamAccountName to convert it to the proper format.  

 

Adam

 

That's what I was just reading about.  Problem is, all I can get it to return is still the FQDN.  If I wrap my FQDN in quotes, it returns the FQDN.  If I don't, it returns an error.

I've also been playing with _AD_GetObjectProperties but I can't get it to return anything.

Edited by CrabChuck
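
Added example, not part of any post in this thread: the failing calls above hand an `LDAP://` path to a group object opened through the `WinNT:` provider, while the variant that worked passes a `WinNT://DOMAIN/account` path, which is the form that provider's `Add` expects. The sketch below builds that path from a NetBIOS domain name and sAMAccountNames, rejects names containing path metacharacters, and records COM errors instead of aborting; the function names, the domain `BOB` and the account names are constructed for illustration.

```autoit
#RequireAdmin
; Added example, not code from the thread. Group, domain and account names are constructed.
Global $g_sComErr = ""
Global $g_oComErr = ObjEvent("AutoIt.Error", "_OnComError") ; record COM failures instead of aborting

Func _OnComError()
    $g_sComErr = "0x" & Hex($g_oComErr.number, 8) & " " & $g_oComErr.windescription
EndFunc   ;==>_OnComError

; Allow only characters that cannot change the meaning of an ADsPath ("/" and "," are rejected).
Func _IsSafeName($sName)
    Return StringRegExp($sName, "^[A-Za-z0-9._$ -]{1,64}\z") = 1
EndFunc   ;==>_IsSafeName

; Returns 1 = added, 0 = already a member, -1 = failed (@error: 1 bad name, 2 group not found, 3 COM error).
Func _AddDomainUserToLocalGroup($sLocalGroup, $sNetBiosDomain, $sSam)
    If Not (_IsSafeName($sLocalGroup) And _IsSafeName($sNetBiosDomain) And _IsSafeName($sSam)) Then Return SetError(1, 0, -1)
    ; WinNT path form: NetBIOS domain and sAMAccountName, not the LDAP distinguished name.
    Local $sPath = "WinNT://" & $sNetBiosDomain & "/" & $sSam
    $g_sComErr = ""
    Local $oGroup = ObjGet("WinNT://" & @ComputerName & "/" & $sLocalGroup & ",group")
    If Not IsObj($oGroup) Then Return SetError(2, 0, -1)
    Local $bMember = $oGroup.IsMember($sPath)
    If $g_sComErr <> "" Then Return SetError(3, 0, -1)
    If $bMember Then Return 0 ; idempotent: a scheduled sync can run repeatedly
    $oGroup.Add($sPath)
    If $g_sComErr <> "" Then Return SetError(3, 0, -1)
    Return 1
EndFunc   ;==>_AddDomainUserToLocalGroup

; Constructed input: two plausible sAMAccountNames and one that must be rejected.
Local $aSam[3] = ["mjones", "asmith", "bad/name,group"]
For $sSam In $aSam
    Local $iRes = _AddDomainUserToLocalGroup("PSoperator", "BOB", $sSam)
    Local $iErr = @error
    ConsoleWrite($sSam & ": result=" & $iRes & " @error=" & $iErr & " " & $g_sComErr & @CRLF)
Next
```

Because the script runs under the caller's own token, no password has to be stored in it; a scheduled task can run it as an account that holds local administrator rights on the target machine.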