
Query AD Group Membership

16 posts in this topic

Posted

hi all,

I've searched the forums for something like this. I came across ADFunctions.au3 but I am unsure this is exactly what I need (and I am also getting an error on line 78 of ADFunctions.au3).

I basically want to find out what (group/ou?) attributes are assigned to the current computer object. For instance, I want to be able to run a script on the local machine, have it query that machine's AD group membership, create a new computer object and copy those attributes over to the new computer object. First and foremost, I just want to be able to DISPLAY (echo) the group membership just so I am sure it's correct.

I found some VB Code that's supposed to do just this but I can't make heads or tails of it:

' Bind to the Computers container and create a new computer object inside it
Set objCompt = _
    GetObject("LDAP://cn=Computers,dc=NA,dc=fabrikam,dc=com")
Set objComptCopy = objCompt.Create("computer", "cn=SEA-SQL-01")
objComptCopy.Put "sAMAccountName", "sea-sql-01"
objComptCopy.SetInfo   ' commit the new object to the directory

' Bind to the existing computer object that serves as the template
Set objComptTemplate = GetObject _
    ("LDAP://cn=SEA-PM-01,cn=Computers,dc=NA,dc=fabrikam,dc=com")
' Only these two attributes are copied. Group membership is NOT among them:
' memberOf is a back-link maintained by AD and cannot be written with Put;
' membership is changed on the group object, not on the computer.
arrAttributes = Array("description", "location")

For Each strAttrib in arrAttributes
    strValue = objComptTemplate.Get(strAttrib)   ' read from the template
    objComptCopy.Put strAttrib, strValue          ' stage on the new object
Next

objComptCopy.SetInfo   ' write the copied attributes

I know I can import it into AutoIt via a variety of ways but can someone please enlighten me as to what it's actually doing and how I can query AD first to make this happen? Thanks ahead of time for all of your help!!!!

-redfive


Posted

What are you trying to do? Just wondering.


Posted

I'm trying to duplicate group membership for new PCs. So if a user has Windows 2000 now and that computer is part of the SALES OU, I want to make sure that the new COMPUTER (running Windows XP) will be added to the domain with the same exact group membership (new PC name).


Posted (edited)

Make sure you have the current ADFunctions UDF.

http://www.autoitscript.com/forum/index.ph...st&p=294788

Then use _ADGetObjectAttribute() and maybe try _ADGetGroupMembers()

Read the UDF for syntax and examples.

I'm trying to duplicate group membership for new PCs. So if a user has Windows 2000 now and that computer is part of the SALES OU, I want to make sure that the new COMPUTER (running Windows XP) will be added to the domain with the same exact group membership (new PC name).

That shouldn't be difficult to do using the adfunctions UDF.

Edited by EndFunc


Posted

@redfive19

This is the translation, but according to me this code does not get the attribs. But writes them?!

; AutoIt translation of the VBScript above. _ArrayCreate() from Array.au3 was
; removed in later AutoIt versions; an array literal does the same job.
$objCompt = ObjGet("LDAP://cn=Computers,dc=NA,dc=fabrikam,dc=com")
$objComptCopy = $objCompt.Create("computer", "cn=compaq_7010_01")
; Note: computer account sAMAccountNames conventionally end with "$"
$objComptCopy.Put("sAMAccountName", "sea-sql-01")
$objComptCopy.SetInfo()

$objComptTemplate = ObjGet("LDAP://cn=SEA-PM-01,cn=Computers,dc=NA,dc=fabrikam,dc=com")
Local $arrAttributes[2] = ["description", "location"]

For $strAttrib In $arrAttributes
    $strValue = $objComptTemplate.Get($strAttrib)
    $objComptCopy.Put($strAttrib, $strValue)
Next

$objComptCopy.SetInfo()

Enjoy

ptrex
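The translation above creates an object and copies two attributes; it never reads group membership, which is what the original question asked for first. As an added example (not code from the thread or from the ADFunctions UDF), here is a plain-ADSI AutoIt script that displays the groups the current computer object belongs to. It assumes it runs on a domain-joined machine under a domain account, so ObjGet() binds with that account's own credentials; ADSystemInfo supplies the computer's distinguished name so nothing is hard-coded.

```autoit
; Added example: list the groups the *current* computer object is a member of.
; Assumes a domain-joined machine and a domain logon (ObjGet binds as the caller).
#include <MsgBoxConstants.au3>

; A COM error (e.g. memberOf absent because the computer is in no group) would
; otherwise abort the script; the handler turns it into a flag we can test.
Global $g_bComError = False
Global $oComErr = ObjEvent("AutoIt.Error", "_ComErrFunc")
Func _ComErrFunc()
    $g_bComError = True
    ConsoleWrite("COM error " & Hex($oComErr.number, 8) & ": " & $oComErr.description & @CRLF)
EndFunc

; Returns an AutoIt array: element 0 = count, elements 1..n = group DNs.
; GetEx() is used instead of $oComputer.memberOf because GetEx always returns
; an array, whereas the plain property yields a bare string when the object is
; a member of exactly one group (and For...In over a string fails).
Func _GetComputerGroups($sDN)
    Local $oComputer = ObjGet("LDAP://" & $sDN)
    If Not IsObj($oComputer) Then Return SetError(1, 0, 0)
    $g_bComError = False
    Local $aMemberOf = $oComputer.GetEx("memberOf")
    If $g_bComError Or Not IsArray($aMemberOf) Then Return SetError(2, 0, 0)
    Local $aResult[UBound($aMemberOf) + 1]
    $aResult[0] = UBound($aMemberOf)
    For $i = 0 To UBound($aMemberOf) - 1
        $aResult[$i + 1] = $aMemberOf[$i]
    Next
    Return $aResult
EndFunc

; ADSystemInfo exposes the DN of the computer the script is running on.
Local $oSysInfo = ObjCreate("ADSystemInfo")
Local $sComputerDN = $oSysInfo.ComputerName
ConsoleWrite("Computer DN: " & $sComputerDN & @CRLF)

Local $aGroups = _GetComputerGroups($sComputerDN)
If @error = 1 Then
    MsgBox($MB_ICONERROR, "AD query", "Could not bind to " & $sComputerDN)
ElseIf @error = 2 Then
    ConsoleWrite("No memberOf values: the computer is in no group (apart from its primary group)" & @CRLF)
Else
    ConsoleWrite("Member of " & $aGroups[0] & " group(s):" & @CRLF)
    For $i = 1 To $aGroups[0]
        ConsoleWrite("  " & $aGroups[$i] & @CRLF)
    Next
EndIf
```

Two things worth knowing when reading the output: memberOf lists group DNs, not names, so bind to each DN (`ObjGet("LDAP://" & $sDN)`) and read `cn` if you want display names; and the computer's primary group (normally "Domain Computers") never appears in memberOf, so it will not be copied by anything that walks this attribute.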


Posted

Hi,

I've just been looking at adfunctions.au3 and would appreciate if someone can clarify how the authentication to AD via LDAP works.

It seems to me that no "logon credentials" are provided, if you like, an anonymous connection is made. Am I right about that?

I would be surprised if an anonymous connection would be permitted to perform any (or at least any significant) update or query for that matter, but where are the logon / authentication statements?

VW


Posted

Thank you guys for all of your help. I'm going to try this out and repost.


Posted

Hi,

I've just been looking at adfunctions.au3 and would appreciate if someone can clarify how the authentication to AD via LDAP works.

It seems to me that no "logon credentials" are provided, if you like, an anonymous connection is made. Am I right about that?

I would be surprised if an anonymous connection would be permitted to perform any (or at least any significant) update or query for that matter, but where are the logon / authentication statements?

VW

You're right and I asked this question a long time ago, but never got an answer. Some of these functions will work without authentication but usually to modify or create something you need authentication. So right now to me it's only useful for tasks that I have access to. But if running from another computer there seems to be no way to authenticate without logging in as yourself. I would sure like that added myself.


Posted

Couldn't you just do a RunAsSet?


Posted

Hi,

I've just been looking at adfunctions.au3 and would appreciate if someone can clarify how the authentication to AD via LDAP works.

It seems to me that no "logon credentials" are provided, if you like, an anonymous connection is made. Am I right about that?

I would be surprised if an anonymous connection would be permitted to perform any (or at least any significant) update or query for that matter, but where are the logon / authentication statements?

VW

You're right and I asked this question a long time ago, but never got an answer. Some of these functions will work without authentication but usually to modify or create something you need authentication. So right now to me it's only useful for tasks that I have access to. But if running from another computer there seems to be no way to authenticate without logging in as yourself. I would sure like that added myself.

Not sure I understand this question but am pretty sure that the credentials of the user account running the script are used. When this is not an AD account it will try to access by means of the guest account but most installations disable the Guest account for security reasons ...
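The reply above is correct: `ObjGet("LDAP://...")` binds with the token of whoever runs the script, which is why the UDF contains no logon statement. ADSI does offer an explicit-credentials bind through the IADsOpenDSObject interface, and that is the piece the thread is missing. The following is an added example, not code from the thread or from ADFunctions; the account name, DN and DC name are placeholders, and the password is prompted for rather than stored in the script.

```autoit
; Added example: bind to AD as a specific account via IADsOpenDSObject instead
; of the logged-on user. Account, DN and DC name below are placeholders.
#include <MsgBoxConstants.au3>

; ADS_AUTHENTICATION_ENUM values from the ADSI SDK
Global Const $ADS_SECURE_AUTHENTICATION = 0x1   ; Kerberos/NTLM, password never sent in clear
Global Const $ADS_USE_ENCRYPTION        = 0x2   ; sign/seal the LDAP session
Global Const $ADS_SERVER_BIND           = 0x200 ; the path names a specific DC

Global $g_bComError = False
Global $oComErr = ObjEvent("AutoIt.Error", "_ComErrFunc")
Func _ComErrFunc()
    $g_bComError = True
    ConsoleWrite("COM error " & Hex($oComErr.number, 8) & ": " & $oComErr.description & @CRLF)
EndFunc

; Bind to $sADsPath as $sUser. Returns the ADSI object, or 0 with @error set.
; Every object you want to touch under these credentials must be opened this
; way (or through the same namespace object); a later plain ObjGet() would
; silently fall back to the caller's own token.
Func _ADBindAs($sADsPath, $sUser, $sPassword, $iFlags = $ADS_SECURE_AUTHENTICATION)
    Local $oNamespace = ObjGet("LDAP:")   ; the LDAP provider namespace object
    If Not IsObj($oNamespace) Then Return SetError(1, 0, 0)
    $g_bComError = False
    Local $oObj = $oNamespace.OpenDSObject($sADsPath, $sUser, $sPassword, $iFlags)
    If $g_bComError Or Not IsObj($oObj) Then Return SetError(2, 0, 0)
    Return $oObj
EndFunc

; --- usage with placeholder values ---
Local $sUser       = "EXAMPLE\svc_computerjoin"                        ; assumed account
Local $sDC         = "dc01.example.com"                                ; assumed DC name
Local $sComputerDN = "CN=TESTBOX1,OU=Computers,DC=example,DC=com"      ; assumed DN
Local $sPassword   = InputBox("AD logon", "Password for " & $sUser, "", "*")
If @error Then Exit

; Naming the DC in the path plus ADS_SERVER_BIND lets this work from a machine
; that is not itself joined to the domain (the WinPE case in this thread).
Local $iFlags = BitOR($ADS_SECURE_AUTHENTICATION, $ADS_USE_ENCRYPTION, $ADS_SERVER_BIND)
Local $oComputer = _ADBindAs("LDAP://" & $sDC & "/" & $sComputerDN, $sUser, $sPassword, $iFlags)
If @error Then
    MsgBox($MB_ICONERROR, "AD logon", "Bind failed: bad credentials, wrong DN, or no rights")
    Exit
EndIf
ConsoleWrite("Bound as " & $sUser & ": " & $oComputer.Name & @CRLF)
```

Compared with RunAsSet(), which restarts the whole process under another local logon, OpenDSObject only needs network credentials, so it is the workable route from an environment where you cannot log on as a domain account. Keep ADS_SECURE_AUTHENTICATION set in every call: without it the password is sent as an LDAP simple bind in clear text. Prefer a dedicated account that has been delegated rights on the target OU over a Domain Admin account.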


Posted

Yeah you know it's weird, I'm going to need to run this from a PE environment so I will not be logged on with an account that has domain admin rights. EndFunc's previous post mentioned that he tried the RunAsSet to no avail. Does anyone know if you can log in to an account that has rights to run the entire script?


Posted

Yeah you know it's weird, I'm going to need to run this from a PE environment so I will not be logged on with an account that has domain admin rights. EndFunc's previous post mentioned that he tried the RunAsSet to no avail. Does anyone know if you can log in to an account that has rights to run the entire script?

How was that tried? Restarting the script with admin credentials using RunAsSet() and Run()?


Posted

I'm unsure. I hope EndFunc can shed some light on how he ran it. I'm still waiting for QA domain access to test it in my script.


Posted

You're right and I asked this question a long time ago, but never got an answer. Some of these functions will work without authentication but usually to modify or create something you need authentication. So right now to me it's only useful for tasks that I have access to. But if running from another computer there seems to be no way to authenticate without logging in as yourself. I would sure like that added myself.

This may help http://www.autoitscript.com/forum/index.ph...st&p=314230

If not I need to do some work with AD and I'll need to authenticate, but I have other tasks that I need to complete beforehand, so I may not get to look at this for a while yet.

Certainly with authentication in a "work" environment adfunctions.au3 offers many possibilities to automate tasks but unfortunately without authentication its use is somewhat more limited.

VW


Posted

Okay I've made some progress on this... I'm still trying to figure out how to remove a group from a computer object. Here's my code:

$legcompname = 'CN=TESTBOX1,OU=Computers,OU=Corporate,OU=HomeOffice,DC=test,DC=test,DC=com'
IniWrite('c:\distribution\exe\legsysinfo.ini', 'GROUPS', 'OUPATH', $legcompname)
$strComputerPath = "LDAP://" & $legcompname
$objComputer = ObjGet($strComputerPath)
$x = 1
; GetEx() always returns an array; the bare .MemberOf property returns a single
; string when the computer is in exactly one group, which breaks For...In
For $strGroup In $objComputer.GetEx("memberOf")
    $strGroupPath = "LDAP://" & $strGroup
    $objGroup = ObjGet($strGroupPath)
    ; Writes group name(s) to legsysinfo.ini in format GroupName1, GroupName2, GroupName3, etc.
    IniWrite('c:\distribution\exe\legsysinfo.ini', 'GROUPS', 'OldGroupName' & $x, $objGroup.CN)
    ; GroupINFO.ini [OLDGROUP] maps each old group CN to TRUE (keep), FALSE (drop) or NEWGROUP (replace)
    If IniRead('c:\distribution\exe\GroupINFO.ini', 'OLDGROUP', $objGroup.CN, '') = 'FALSE' Then
        IniWrite('c:\distribution\exe\legsysinfo.ini', 'GROUPS', 'OldGroupName' & $x & '_DEL', 'TRUE')
        IniWrite('c:\distribution\exe\legsysinfo.ini', 'GROUPS', 'NewGroupName' & $x, 'NA')
    ElseIf IniRead('c:\distribution\exe\GroupINFO.ini', 'OLDGROUP', $objGroup.CN, '') = 'TRUE' Then
        IniWrite('c:\distribution\exe\legsysinfo.ini', 'GROUPS', 'OldGroupName' & $x & '_DEL', 'FALSE')
    ElseIf IniRead('c:\distribution\exe\GroupINFO.ini', 'OLDGROUP', $objGroup.CN, '') = 'NEWGROUP' Then
        IniWrite('c:\distribution\exe\legsysinfo.ini', 'GROUPS', 'OldGroupName' & $x & '_DEL', 'TRUE')
        $newgroup = IniRead('c:\distribution\exe\GroupINFO.ini', 'NEWGROUP', 'NEWGROUP.' & $objGroup.CN, '')
        IniWrite('c:\distribution\exe\legsysinfo.ini', 'GROUPS', 'NewGroupName' & $x, $newgroup)
    EndIf
    $x = $x + 1
Next

What I'm trying to do is, if an old group does not exist in the new domain structure, to remove that group from the computer object. Furthermore, if an old group is being replaced by a new group, to remove that group from the computer object and add the computer object to the group that it replaces. I'm logging all of this activity in a .INI file as you can see. Any help would be greatly appreciated! Thank you!
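Membership in AD is held on the group, not on the computer: memberOf is a read-only back-link, so "removing a group from a computer" means calling Remove() on the group object, and adding means calling Add() on the new group, both with the computer's ADsPath. The following is an added example (not the poster's code) that carries the logic above through to those calls. It assumes the GroupINFO.ini layout implied by the post, and additionally assumes that the value stored under NEWGROUP.<old CN> is the replacement group's distinguished name, which the post does not specify. It runs in dry-run mode unless told otherwise.

```autoit
; Added example: apply the GroupINFO.ini mapping to a computer object's groups.
; Assumed INI layout (the NEWGROUP value being a DN is an assumption):
;   [OLDGROUP]   <old group CN> = TRUE | FALSE | NEWGROUP
;   [NEWGROUP]   NEWGROUP.<old group CN> = CN=NewGroup,OU=Groups,DC=test,DC=test,DC=com
; IADsGroup.Add()/Remove()/IsMember() take the member's ADsPath ("LDAP://<dn>").
Global Const $g_sMapIni = 'c:\distribution\exe\GroupINFO.ini'
Global Const $g_sLogIni = 'c:\distribution\exe\legsysinfo.ini'

Global $g_bComError = False
Global $oComErr = ObjEvent("AutoIt.Error", "_ComErrFunc")
Func _ComErrFunc()
    $g_bComError = True
    ConsoleWrite("COM error " & Hex($oComErr.number, 8) & ": " & $oComErr.description & @CRLF)
EndFunc

; Returns the number of memberships that would change (or did change when
; $bDryRun = False); 0 with @error set if the computer cannot be bound.
Func _MigrateComputerGroups($sComputerDN, $bDryRun = True)
    Local $sComputerPath = "LDAP://" & $sComputerDN
    Local $oComputer = ObjGet($sComputerPath)
    If Not IsObj($oComputer) Then Return SetError(1, 0, 0)

    $g_bComError = False
    Local $aMemberOf = $oComputer.GetEx("memberOf")   ; always an array
    If $g_bComError Or Not IsArray($aMemberOf) Then Return 0   ; in no group: nothing to do

    Local $iChanges = 0, $oOld, $oNew, $sCN, $sAction, $sNewDN
    For $i = 0 To UBound($aMemberOf) - 1
        $oOld = ObjGet("LDAP://" & $aMemberOf[$i])
        If Not IsObj($oOld) Then ContinueLoop
        $sCN = $oOld.Get("cn")
        $sAction = IniRead($g_sMapIni, 'OLDGROUP', $sCN, '')
        Switch $sAction
            Case 'TRUE'     ; group still exists in the new structure: keep it
                IniWrite($g_sLogIni, 'GROUPS', $sCN, 'KEEP')
            Case 'FALSE'    ; group no longer exists: drop the membership
                IniWrite($g_sLogIni, 'GROUPS', $sCN, 'REMOVED')
                If Not $bDryRun Then $oOld.Remove($sComputerPath)
                $iChanges += 1
            Case 'NEWGROUP' ; group was replaced: join the new one, then leave the old
                $sNewDN = IniRead($g_sMapIni, 'NEWGROUP', 'NEWGROUP.' & $sCN, '')
                If $sNewDN = '' Then
                    IniWrite($g_sLogIni, 'GROUPS', $sCN, 'ERROR no replacement mapped')
                    ContinueLoop
                EndIf
                $oNew = ObjGet("LDAP://" & $sNewDN)
                If Not IsObj($oNew) Then
                    IniWrite($g_sLogIni, 'GROUPS', $sCN, 'ERROR cannot bind ' & $sNewDN)
                    ContinueLoop
                EndIf
                IniWrite($g_sLogIni, 'GROUPS', $sCN, 'REPLACED BY ' & $sNewDN)
                If Not $bDryRun Then
                    If Not $oNew.IsMember($sComputerPath) Then $oNew.Add($sComputerPath)
                    ; Remove last, so a failed Add() leaves the old membership intact
                    If Not $g_bComError Then $oOld.Remove($sComputerPath)
                EndIf
                $iChanges += 1
            Case Else       ; not in the mapping at all: leave it and make that visible
                IniWrite($g_sLogIni, 'GROUPS', $sCN, 'UNMAPPED - left unchanged')
        EndSwitch
    Next
    Return $iChanges
EndFunc

; --- usage: dry run first, read legsysinfo.ini, then rerun with False to apply ---
Local $iN = _MigrateComputerGroups('CN=TESTBOX1,OU=Computers,OU=Corporate,OU=HomeOffice,DC=test,DC=test,DC=com', True)
If @error Then
    ConsoleWrite("Could not bind to the computer object" & @CRLF)
Else
    ConsoleWrite($iN & " membership change(s) planned" & @CRLF)
EndIf
```

The ordering inside the NEWGROUP case matters operationally: adding to the replacement group before removing from the old one means a rights or typo failure never leaves the computer with fewer groups than it started with. Whichever account runs this needs write access to the `member` attribute of the groups involved (delegate that on the groups' OU rather than using Domain Admins), and the INI log gives you a record to compare against `memberOf` after the run.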


Posted

/bump
