Using _ADGetGroupMembers

druiddk

Hi,

I'm trying to build a list of AD users that are members of Domain Users.

I found the adfunctions.au3 and thought I could use _ADGetGroupMembers.

Here is my short script:

#include <adfunctions.au3>
#include <Array.au3>   ; needed for _ArrayDisplay

Dim $members

; fill $members with the group's member list, then show it for debugging
_ADGetGroupMembers($members, "Domain Users")
_ArrayDisplay($members, "Debug: Test")

However I receive an error:

C:\Documents and Settings\adm-rah\Desktop\adfunctions\adfunctions.au3 (426) : ==> Object referenced outside a "With" statement.:
$membersadd = $objRecordSet.fields (0).Value
$membersadd = $objRecordSet.fields (0)^ ERROR
>Exit code: 1   Time: 0.333

Any ideas what I am doing wrong?

someone

You're using the SAM name of the group, as opposed to the full Distinguished Name. To check out what the FN looks like, use

MsgBox(0, "", _ADSamAccountNameToFQDN("Domain Users"))

To return the members using the name like you are just use

_ADGetGroupMembers($array, _ADSamAccountNameToFQDN("Domain Users"))

However I should point out that I wasn't able to get the members of Domain Users even though I could get the members of other groups with that code. I'm not sure if there is some restriction or if maybe there are just too many users to display(?). If anyone knows for sure I'd be interested to hear the answer.


While ProcessExists('Andrews bad day.exe')
	BlockInput(1)
	SoundPlay('Music.wav')
	SoundSetWaveVolume('Louder')
WEnd

druiddk

Ahh!!

I have been twisting and turning my head about this all day.

I really wish there was some practical examples for each function.

Hmm, would it be possible using _ADRecursiveGetMemberOf perhaps to show all members of a group - even if they are not a direct member?

I tried using _ADRecursiveGetMemberOf but it only showed groups that were members - not the users.

druiddk

Hmm... you're right on Domain Users though; it works fine for Domain Admins, for example.

/dev/null

Using Ldapbrowser (from ldapbrowser.com) shows that there is no "member" attribute for the object "Domain Users". However, the "member" attribute is defined for other Windows groups. "Domain Users" has a special meaning in Windows and every user is a "member" of that group by definition, so there is no need for the member attribute. However, that means that it is impossible to find all members of the "Domain Users" group via LDAP, at least not in the way you tried it. There is however an attribute for each user, which is called "primaryGroupID". You can check the value of that attribute. "Domain Users" has the value 513. See also here: http://support.microsoft.com/kb/321360/en-us

Cheers

Kurt


__________________________________________________________(l)user: Hey admin slave, how can I recover my deleted files?admin: No problem, there is a nice tool. It's called rm, like recovery method. Make sure to call it with the "recover fast" option like this: rm -rf *
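Kurt's point above is that group membership in AD comes from two places: the group's "member" attribute, and each user's primaryGroupID, which holds the RID of the user's primary group (513 for Domain Users) and never shows up in "member". druiddk's earlier question about nested groups is the third piece. The following is an added example, not code from the thread or from adfunctions.au3: it resolves the effective members of a group over a small constructed in-memory directory (all DNs, SIDs and account names are invented; only the 513 RID is real), combining the explicit member list, recursive expansion of nested groups, and primaryGroupID matching.

```python
"""Resolve the effective members of an AD group from constructed directory data.

Added example (not code from the thread). Membership comes from:
  1. the group's explicit "member" attribute,
  2. users whose primaryGroupID equals the group's RID (Domain Users = 513,
     which is why that group carries no "member" attribute at all),
  3. nested groups listed in "member", expanded recursively and cycle-safe.
"""


def rid_from_sid(sid: str) -> int:
    """Return the relative identifier: the last sub-authority of an SID string.
    A group's RID is the value its primary members carry in primaryGroupID."""
    if not sid.startswith("S-1-"):
        raise ValueError(f"not a SID: {sid!r}")
    return int(sid.rsplit("-", 1)[1])


# Constructed sample directory keyed by distinguishedName. Names and SIDs are
# invented for this example; the domain SID prefix is a placeholder.
BASE_DN = "DC=example,DC=local"
DIRECTORY = {
    f"CN=Domain Users,CN=Users,{BASE_DN}": {
        "objectClass": "group",
        "objectSid": "S-1-5-21-1111-2222-3333-513",
        # no "member" attribute, as Kurt observed in the LDAP browser
    },
    f"CN=Domain Admins,CN=Users,{BASE_DN}": {
        "objectClass": "group",
        "objectSid": "S-1-5-21-1111-2222-3333-512",
        "member": [f"CN=Administrator,CN=Users,{BASE_DN}",
                   f"CN=Tier0 Ops,OU=Groups,{BASE_DN}"],
    },
    f"CN=Tier0 Ops,OU=Groups,{BASE_DN}": {
        "objectClass": "group",
        "objectSid": "S-1-5-21-1111-2222-3333-1105",
        "member": [f"CN=alice,OU=Staff,{BASE_DN}",
                   f"CN=Domain Admins,CN=Users,{BASE_DN}"],  # nesting loop
    },
    f"CN=Administrator,CN=Users,{BASE_DN}": {
        "objectClass": "user", "sAMAccountName": "Administrator",
        "primaryGroupID": 513},
    f"CN=alice,OU=Staff,{BASE_DN}": {
        "objectClass": "user", "sAMAccountName": "alice",
        "primaryGroupID": 513},
    f"CN=svc-backup,OU=Service,{BASE_DN}": {
        "objectClass": "user", "sAMAccountName": "svc-backup",
        "primaryGroupID": 1105},   # primary group moved away from Domain Users
}


def effective_members(directory, group_dn, _seen=None):
    """Return the set of sAMAccountNames that are members of group_dn,
    directly, through nested groups, or through primaryGroupID."""
    _seen = set() if _seen is None else _seen
    if group_dn in _seen:          # guard against mutually nested groups
        return set()
    _seen.add(group_dn)
    group = directory[group_dn]
    rid = rid_from_sid(group["objectSid"])
    users = set()
    # sources 1 and 3: explicit "member" values, expanding nested groups
    for dn in group.get("member", []):
        entry = directory.get(dn)
        if entry is None:
            continue               # dangling DN (deleted object); skip it
        if entry["objectClass"] == "group":
            users |= effective_members(directory, dn, _seen)
        else:
            users.add(entry["sAMAccountName"])
    # source 2: primaryGroupID membership, never visible in "member"
    for entry in directory.values():
        if entry["objectClass"] == "user" and entry["primaryGroupID"] == rid:
            users.add(entry["sAMAccountName"])
    return users


if __name__ == "__main__":
    for name in ("Domain Users", "Domain Admins", "Tier0 Ops"):
        dn = next(d for d in DIRECTORY if d.startswith(f"CN={name},"))
        print(name, "->", sorted(effective_members(DIRECTORY, dn)))
```

Note that svc-backup appears among the effective Domain Admins only because its primary group (Tier0 Ops) is nested there; a script that reads just the "member" attributes, as _ADGetGroupMembers does, will not list it. That is the same blind spot Kurt describes for Domain Users, just one level deeper.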

/dev/null

O.K. and here is the script to retrieve the users based on the attribute primaryGroupID.

Please CHANGE the definition of $domain!! Works on my test system!

#include <array.au3>

Local $domain = "dc=yourdomain,dc=local"   ;  <=== CHANGE THIS !!!
Local $objCommand = ObjCreate("ADODB.Command")
Local $objConnection = ObjCreate("ADODB.Connection")

; open an ADSI connection through the ADO provider
$objConnection.Provider = "ADsDSOObject"
$objConnection.Open("Active Directory Provider")
$objCommand.ActiveConnection = $objConnection

; ADO query string: <base>;<filter>;<attributes>;<scope>
; (AutoIt does not expand $domain inside a string literal; see the corrected version below)
Local $strBase = "<LDAP://$domain>"
Local $strFilter = "(&(objectCategory=person)(objectClass=user)(primaryGroupID=513))"
Local $strAttributes = "cn,samAccountName"
Local $strQuery = $strBase & ";" & $strFilter & ";" & $strAttributes & ";subtree"

$objCommand.CommandText = $strQuery
$objCommand.Properties("Page Size") = 100
$objCommand.Properties("Timeout") = 30
$objCommand.Properties("Cache Results") = False

Local $objRecordSet = $objCommand.Execute

; walk the result set and print every account name
While Not $objRecordSet.EOF
    $strtemplateCN = $objRecordSet.Fields("samAccountName").value
    ConsoleWrite($strtemplateCN & @CRLF)
    $objRecordSet.MoveNext
WEnd

$objConnection.Close

Cheers

Kurt


druiddk

I changed the $domain as specified to our local info.

However I receive an error:

test.au3 (45) : ==> Object referenced outside a "With" statement.:

$strtemplateCN = $objRecordSet.Fields("samAccountName").value

$strtemplateCN = $objRecordSet.Fields("samAccountName")^ ERROR

Also, any ideas on how to lookup the description of a specific group?

Thank you very much in advance!

/dev/null

> I changed the $domain as specified to our local info.
>
> However I receive an error:
>
> test.au3 (45) : ==> Object referenced outside a "With" statement.:
>
> $strtemplateCN = $objRecordSet.Fields("samAccountName").value
>
> $strtemplateCN = $objRecordSet.Fields("samAccountName")^ ERROR
>
> Also, any ideas on how to lookup the description of a specific group?
>
> Thank you very much in advance!

Hm.. then most certainly the $domain string is not correct. Can you post it here or PM me?

What do you mean by "description of a specific group"? The LDAP "description" attribute of an object?


someone

I'm getting the same error as druiddk; I'm very sure the $domain variable is correct, but I can PM you the info if you want. The COM handler says $objRecordSet.EOF is not an object. I didn't do much digging around to try to figure out the problem myself though. I'll try to later.


/dev/null

> I'm getting the same error as druiddk; I'm very sure the $domain variable is correct, but I can PM you the info if you want. The COM handler says $objRecordSet.EOF is not an object. I didn't do much digging around to try to figure out the problem myself though. I'll try to later.

That's because $objRecordSet is not an object because $objCommand.Execute did not return anything. As it works on my system, I can only guess what's wrong. As you changed only the definition of $domain, that's most certainly the problem. Please PM me your definition of $domain and the output of "ipconfig /all" on the computer where you run the script. BTW: Do you have enough access rights to search the LDAP directory?

Oh and another thing: I did just a quick check on the DC itself, not any member server. Maybe that's an issue as well!

Cheers

Kurt


/dev/null

before you PM me please check this:

Samples:

Your Domain "test.local" => $domain = "dc=test,dc=local"

Your Domain "xyz.int" => $domain = "dc=xyz,dc=int"

Your Domain "hellotest.com" => $domain = "dc=hellotest,dc=com"

I hope you see the pattern. Please check again if your definition of $domain is correct.

Cheers

Kurt
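Kurt's samples show the mapping from a DNS domain name to the LDAP base DN, and his later correction shows why the query failed: AutoIt does not expand $domain inside a string literal, so the base has to be concatenated. The following is an added example, not code from the thread: it builds the same `<LDAP://base>;filter;attributes;scope` ADO query string from a domain name, and also builds the single-group "description" lookup druiddk asked about, escaping the group name per RFC 4515 so that characters such as `(`, `)` or `*` in a name cannot change the filter's structure. The function names and the sample domains are this example's own.

```python
"""Build ADO/ADSI query strings of the form used in Kurt's script.

Added example (not code from the thread). Shows Kurt's domain -> base DN
pattern, the concatenated base that his correction required, and RFC 4515
escaping for values placed inside an LDAP filter.
"""

import re


def domain_to_base_dn(domain: str) -> str:
    """'test.local' -> 'dc=test,dc=local' (Kurt's pattern), any label count."""
    labels = [p for p in domain.strip().strip(".").lower().split(".") if p]
    if not labels:
        raise ValueError("empty domain name")
    for label in labels:
        # DNS labels: letters, digits, hyphen; anything else is not a domain
        if not re.fullmatch(r"[a-z0-9-]+", label):
            raise ValueError(f"invalid DNS label: {label!r}")
    return ",".join(f"dc={label}" for label in labels)


# RFC 4515 escapes for characters that are special inside a search filter
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def ado_query(domain: str, ldap_filter: str, attributes, scope: str = "subtree") -> str:
    """Assemble <LDAP://base>;filter;attr,attr;scope, concatenating the base
    explicitly (the step the AutoIt literal "<LDAP://$domain>" skipped)."""
    if scope not in ("base", "onelevel", "subtree"):
        raise ValueError(f"unknown scope: {scope!r}")
    return f"<LDAP://{domain_to_base_dn(domain)}>;{ldap_filter};{','.join(attributes)};{scope}"


def primary_group_query(domain: str, rid: int = 513) -> str:
    """Kurt's query: users whose primary group has the given RID (513 = Domain Users)."""
    filt = f"(&(objectCategory=person)(objectClass=user)(primaryGroupID={int(rid)}))"
    return ado_query(domain, filt, ("cn", "sAMAccountName"))


def group_description_query(domain: str, group_sam: str) -> str:
    """druiddk's follow-up: the 'description' attribute of one group, found by
    its SAM account name, with the name escaped before it enters the filter."""
    filt = f"(&(objectCategory=group)(sAMAccountName={escape_filter_value(group_sam)}))"
    return ado_query(domain, filt, ("description",))


if __name__ == "__main__":
    print(primary_group_query("test.local"))
    print(group_description_query("xyz.int", "Domain Admins"))
```

The escaping matters as soon as the group name comes from anywhere other than a hard-coded literal: `Domain Admins` passes through unchanged, while a name like `a*)(b` is emitted as `a\2a\29\28b` and stays a single comparison value rather than a new filter clause.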


druiddk

> Hm.. then most certainly the $domain string is not correct. Can you post it here or PM me?
>
> What do you mean by "description of a specific group"? The LDAP "description" attribute of an object?

I'm at home now but I am very certain the $domain string was correct. I ran the script as a domain admin user from my XP box (which is of course a member of the domain).

The description is the ldap description that you can see beside group names in "Active directory users and computers" utility on domain controllers.

I really appreciate your help in this manner.

someone

Sorry druiddk I meant to cc you on my PM to Kurt so we were all on the same page. He said he would look into it and it looked like I was doing it right. I can't spend time on it right now but tomorrow if no one has answered your question about the description I'll look into it.


druiddk

Hey someone :unsure:

Thank you very much!

Super nice to see people helping out like this - very appreciated! :P

/dev/null

Sorry guys, it was a "bug" in my script. I did some changes without testing them before I posted it :-(

Local $strBase = "<LDAP://$domain>"

should be

Local $strBase = "<LDAP://" & $domain & ">"

I did a lot of Perl programming lately and not that much AutoIt :-)) So, here is the whole script again.

This time tested and working on the DC, a member PC, with or without admin rights.

Local $domain = "dc=yourdomain,dc=local"   ;  <=== CHANGE THIS !!!
Local $objCommand = ObjCreate("ADODB.Command")
Local $objConnection = ObjCreate("ADODB.Connection")

; open an ADSI connection through the ADO provider
$objConnection.Provider = "ADsDSOObject"
$objConnection.Open("Active Directory Provider")
$objCommand.ActiveConnection = $objConnection

; ADO query string: <base>;<filter>;<attributes>;<scope>
; the base DN must be concatenated; "$domain" inside a literal is not expanded
Local $strBase = "<LDAP://" & $domain & ">"
Local $strFilter = "(&(objectCategory=person)(objectClass=user)(primaryGroupID=513))"
Local $strAttributes = "cn,samAccountName"
Local $strQuery = $strBase & ";" & $strFilter & ";" & $strAttributes & ";subtree"

$objCommand.CommandText = $strQuery
$objCommand.Properties("Page Size") = 100
$objCommand.Properties("Timeout") = 30
$objCommand.Properties("Cache Results") = False

Local $objRecordSet = $objCommand.Execute
Local $strtemplateCN

; walk the result set and print every account name
While Not $objRecordSet.EOF
    $strtemplateCN = $objRecordSet.Fields("samAccountName").value
    ConsoleWrite($strtemplateCN & @CRLF)
    $objRecordSet.MoveNext
WEnd

$objConnection.Close

Please try again...

Cheers

Kurt

druiddk

Thank you Kurt - it's working perfectly now! :P

I am guessing I should use _ADGetObjectAttribute to get the LDAP description of a group, but I am not really sure how to use it.

I tried to just use it as _ADGetObjectAttribute("Group name", "description") but I am guessing this is wrong.

EDIT: This actually works - I must have made a typo somewhere when I was testing it, sorry!

someone

Yep that did the trick. Probably should have noticed that myself... :P

Thanks a lot Kurt!


/dev/null

> Thanks a lot Kurt!

you're welcome.

Cheers

Kurt

