
Using _ADGetGroupMembers



Hi,

I'm trying to build a list of AD users that are members of Domain Users.

I found the adfunctions.au3 and thought I could use _ADGetGroupMembers.

Here is my short script:

#include <adfunctions.au3>
#include <Array.au3>   ; needed for _ArrayDisplay

Dim $members

; Passes the group's SAM account name; the function expects a distinguished name (see the replies)
_ADGetGroupMembers($members, "Domain Users")
_ArrayDisplay($members, "Debug: Test")

However I receive an error:

C:\Documents and Settings\adm-rah\Desktop\adfunctions\adfunctions.au3 (426) : ==> Object referenced outside a "With" statement.:
$membersadd = $objRecordSet.fields (0).Value
$membersadd = $objRecordSet.fields (0)^ ERROR
>Exit code: 1   Time: 0.333

Any ideas what I am doing wrong?


You're using the SAM name of the group, as opposed to the full Distinguished Name. To check out what the FN looks like, use

MsgBox(0, "", _ADSamAccountNameToFQDN("Domain Users"))

To return the members using the name like you are just use

_ADGetGroupMembers($array, _ADSamAccountNameToFQDN("Domain Users"))

However I should point out that I wasn't able to get the members of Domain Users even though I could get the members of other groups with that code. I'm not sure if there is some restriction or if maybe there are just too many users to display(?). If anyone knows for sure I'd be interested to hear the answer.

While ProcessExists('Andrews bad day.exe')
	BlockInput(1)
	SoundPlay('Music.wav')
	SoundSetWaveVolume('Louder')
WEnd

Ahh!!

I have been twisting and turning my head about this all day.

I really wish there was some practical examples for each function.

Hmm, would it be possible using _ADRecursiveGetMemberOf perhaps to show all members of a group - even if they are not directly member?

I tried using _ADRecursiveGetMemberOf but it only showed groups that were members - not the users.


Using Ldapbrowser (from ldapbrowser.com) shows that there is no "member" attribute for the object "Domain Users". However, the "member" attribute is defined for other Windows groups. "Domain Users" has a special meaning in Windows and every user is a "member" of that group by definition, so there is no need for the member attribute. However, that means that it is impossible to find all members of the "Domain Users" group via LDAP, at least not in the way you tried it. There is however an attribute for each user, which is called "primaryGroupID". You can check the value of that attribute. "Domain Users" has the value 513. See also here: http://support.microsoft.com/kb/321360/en-us

Cheers

Kurt

__________________________________________________________(l)user: Hey admin slave, how can I recover my deleted files?admin: No problem, there is a nice tool. It's called rm, like recovery method. Make sure to call it with the "recover fast" option like this: rm -rf *

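Added example (not code from this thread or from adfunctions.au3): the membership rule Kurt describes above, written out over a small constructed directory. A group's real membership is the union of its "member" attribute and every user whose primaryGroupID equals the group's RID (513 for Domain Users, the last sub-authority of the group's objectSid). It also goes one step beyond the thread by expanding nested groups, which is the question asked about _ADRecursiveGetMemberOf. The entries, DNs and SIDs below are made up; the function names are my own, not an AutoIt or ADSI API.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Entry:
    """One directory object; only the attributes this example needs."""
    dn: str
    object_class: str                  # "user" or "group"
    sid: str = ""                      # objectSid in its string form
    primary_group_id: int = 0          # users only: RID of the primary group
    member: list[str] = field(default_factory=list)  # groups only: DNs of direct members


DOMAIN_DN = "dc=example,dc=test"       # constructed, not a real domain
SID_PREFIX = "S-1-5-21-111-222-333"    # constructed domain SID


def dn(cn: str, container: str = "cn=Users") -> str:
    return f"cn={cn},{container},{DOMAIN_DN}"


# Constructed sample directory (not output from a real AD):
#  - alice and bob keep the default primary group 513, so they appear in no
#    "member" attribute at all;
#  - carol's primary group was changed to ops-team, and AD then lists her
#    explicitly in the "member" attribute of Domain Users.
DIRECTORY = [
    Entry(dn("Domain Users"), "group", f"{SID_PREFIX}-513", member=[dn("carol")]),
    Entry(dn("Domain Admins"), "group", f"{SID_PREFIX}-512",
          member=[dn("alice"), dn("ops-team")]),
    Entry(dn("ops-team"), "group", f"{SID_PREFIX}-1105", member=[dn("bob")]),
    Entry(dn("alice"), "user", f"{SID_PREFIX}-1001", primary_group_id=513),
    Entry(dn("bob"), "user", f"{SID_PREFIX}-1002", primary_group_id=513),
    Entry(dn("carol"), "user", f"{SID_PREFIX}-1003", primary_group_id=1105),
]


def rid_from_sid(sid: str) -> int:
    """primaryGroupID stores a RID: the last sub-authority of the group's objectSid."""
    return int(sid.rsplit("-", 1)[1])


def group_members(group_dn: str, directory: list[Entry], recursive: bool = False) -> set[str]:
    """DNs of a group's members: the "member" attribute plus every user whose
    primaryGroupID equals the group's RID. With recursive=True, nested groups
    are replaced by the users they contain (cycle-safe)."""
    by_dn = {e.dn: e for e in directory}

    def resolve(gdn: str, seen: set[str]) -> set[str]:
        group = by_dn[gdn]
        if group.object_class != "group":
            raise ValueError(f"{gdn} is not a group")
        seen.add(gdn)
        rid = rid_from_sid(group.sid)
        found = set(group.member)
        found |= {e.dn for e in directory
                  if e.object_class == "user" and e.primary_group_id == rid}
        if not recursive:
            return found
        users: set[str] = set()
        for m in found:
            entry = by_dn.get(m)
            if entry is not None and entry.object_class == "group":
                if m not in seen:          # skip groups already expanded (cycles)
                    users |= resolve(m, seen)
            else:
                users.add(m)               # user, or a DN outside this directory
        return users

    return resolve(group_dn, set())


if __name__ == "__main__":
    for name in ("Domain Users", "ops-team", "Domain Admins"):
        print(name, sorted(group_members(dn(name), DIRECTORY, recursive=True)))
```

Reading only the "member" attribute would report Domain Users as having a single member (carol) and would miss alice and bob entirely, which is exactly why the LDAP query in the next posts filters on primaryGroupID=513 instead.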

O.K. and here is the script to retrieve the users based on the attribute primaryGroupID.

Please CHANGE the definition of $domain!! Works on my test system!

#include <array.au3>

Local $domain = "dc=yourdomain,dc=local"   ; <=== CHANGE THIS !!!

; Bind to Active Directory through the ADSI OLE DB provider
Local $objCommand = ObjCreate("ADODB.Command")
Local $objConnection = ObjCreate("ADODB.Connection")

$objConnection.Provider = "ADsDSOObject"
$objConnection.Open("Active Directory Provider")
$objCommand.ActiveConnection = $objConnection

; ADO query string: <base>;filter;attributes;scope
Local $strBase = "<LDAP://$domain>"   ; $domain is not expanded inside a string literal (corrected later in the thread)
Local $strFilter = "(&(objectCategory=person)(objectClass=user)(primaryGroupID=513))"   ; 513 = Domain Users
Local $strAttributes = "cn,samAccountName"
Local $strQuery = $strBase & ";" & $strFilter & ";" & $strAttributes & ";subtree"

$objCommand.CommandText = $strQuery
$objCommand.Properties("Page Size") = 100   ; paged results, needed for more than 1000 entries
$objCommand.Properties("Timeout") = 30
$objCommand.Properties("Cache Results") = False

Local $objRecordSet = $objCommand.Execute

; Print the sAMAccountName of every user whose primary group is Domain Users
Local $strtemplateCN
While Not $objRecordSet.EOF
    $strtemplateCN = $objRecordSet.Fields("samAccountName").Value
    ConsoleWrite($strtemplateCN & @CRLF)
    $objRecordSet.MoveNext
WEnd

$objConnection.Close

Cheers

Kurt



I changed the $domain as specified to our local info.

However I receive an error:

test.au3 (45) : ==> Object referenced outside a "With" statement.:

$strtemplateCN = $objRecordSet.Fields("samAccountName").value

$strtemplateCN = $objRecordSet.Fields("samAccountName")^ ERROR

Also, any ideas on how to lookup the description of a specific group?

Thank you very much in advance!


Hm.. then most certainly the $domain string is not correct. Can you post it here or PM me?

What do you mean by "description of a specific group"? The LDAP "description" attribute of an object?


I'm getting the same error as druiddk; I'm very sure the $domain variable is correct, but I can PM you the info if you want. The com handler says $objRecordSet.EOF is not an object. I didn't do much digging around though to try to figure out the problem myself though. I'll try to later.


That's because $objRecordSet is not an object because $objCommand.Execute did not return anything. As it works on my system, I can only guess what's wrong. As you changed only the definition of $domain, that's most certainly the problem. Please PM me your definition of $domain and the output of "ipconfig /all" on the computer where you run the script. BTW: Do you have enough access rights to search the LDAP directory?

Oh and another thing: I did just a quick check on the DC itself, not any member server. Maybe that's an issue as well!

Cheers

Kurt


Before you PM me, please check this:

Samples:

Your Domain "test.local" => $domain = "dc=test,dc=local"

Your Domain "xyz.int" => $domain = "dc=xyz,dc=int"

Your Domain "hellotest.com" => $domain = "dc=hellotest,dc=com"

I hope you see the pattern. Please check again if your definition of $domain is correct.

Cheers

Kurt

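Added example (not code from this thread): the domain-to-base-DN pattern Kurt shows above, plus the assembly of the "<base>;filter;attributes;scope" query string his script hands to ADODB.Command. It goes slightly beyond the thread in two ways a practitioner would want: it rejects a $domain that is not a DNS name (the mistake being debugged here), and it escapes LDAP filter values per RFC 4515 so a group name coming from user input cannot change the filter. The function names are my own, not AutoIt or ADSI API names, and the sample domains are made up.

```python
from __future__ import annotations
import re

# A DNS label: letters, digits and hyphens, no leading/trailing hyphen, at most 63 chars
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

DOMAIN_USERS_RID = 513   # well-known RID of Domain Users (see the KB article linked above)


def dns_to_base_dn(domain: str) -> str:
    """'test.local' -> 'dc=test,dc=local'. Raises if the input is not a DNS name
    (e.g. someone already passed 'dc=test,dc=local' or left it blank)."""
    labels = domain.strip().rstrip(".").split(".")
    for label in labels:
        if not _LABEL.match(label):
            raise ValueError(f"{domain!r} is not a DNS domain name (bad label {label!r})")
    return ",".join(f"dc={label}" for label in labels)


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: \\ * ( ) and NUL become \\XX so the value cannot inject filter syntax."""
    return "".join(f"\\{ord(ch):02x}" if ch in "\\*()\0" else ch for ch in value)


def primary_group_filter(rid: int = DOMAIN_USERS_RID) -> str:
    """Users whose primary group has the given RID (the filter from Kurt's script for 513)."""
    return f"(&(objectCategory=person)(objectClass=user)(primaryGroupID={int(rid)}))"


def group_by_sam_filter(sam_account_name: str) -> str:
    """Locate a group by its SAM account name, e.g. to read its 'description' attribute."""
    return f"(&(objectClass=group)(sAMAccountName={escape_filter_value(sam_account_name)}))"


def build_adsi_query(base_dn: str, ldap_filter: str, attributes: list[str],
                     scope: str = "subtree") -> str:
    """ADO query string for the ADsDSOObject provider: <LDAP://base>;filter;attrs;scope."""
    if scope not in ("base", "onelevel", "subtree"):
        raise ValueError(f"unknown scope {scope!r}")
    return f"<LDAP://{base_dn}>;{ldap_filter};{','.join(attributes)};{scope}"


if __name__ == "__main__":
    base = dns_to_base_dn("test.local")   # constructed sample domain
    print(build_adsi_query(base, primary_group_filter(), ["cn", "samAccountName"]))
    print(build_adsi_query(base, group_by_sam_filter("Domain Admins"), ["description"], "subtree"))
```

The string the first call prints for "yourdomain.local" is character for character the $strQuery that Kurt's corrected script builds with "<LDAP://" & $domain & ">", which is the quickest way to check a hand-typed $domain before running the AutoIt version.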


I'm at home now but I am very certain the $domain string was correct. I ran the script as a domain admin user from my XP box (which is of course a member of the domain).

The description is the ldap description that you can see beside group names in "Active directory users and computers" utility on domain controllers.

I really appreciate your help in this matter.


Sorry druiddk, I meant to cc you on my PM to Kurt so we were all on the same page. He said he would look into it and it looked like I was doing it right. I can't spend time on it right now, but tomorrow, if no one has answered your question about the description, I'll look into it.


Sorry guys, it was a "bug" in my script. I did some changes without testing them before I posted it :-(

Local $strBase = "<LDAP://$domain>"

should be

Local $strBase = "<LDAP://" & $domain & ">"

I've done a lot of Perl programming lately and not that much AutoIt :-)) So, here is the whole script again.

This time tested and working on the DC, a member PC, with or without admin rights.

Local $domain = "dc=yourdomain,dc=local"   ; <=== CHANGE THIS !!!

; Bind to Active Directory through the ADSI OLE DB provider
Local $objCommand = ObjCreate("ADODB.Command")
Local $objConnection = ObjCreate("ADODB.Connection")

$objConnection.Provider = "ADsDSOObject"
$objConnection.Open("Active Directory Provider")
$objCommand.ActiveConnection = $objConnection

; ADO query string: <base>;filter;attributes;scope
Local $strBase = "<LDAP://" & $domain & ">"   ; $domain concatenated, not placed inside the literal
Local $strFilter = "(&(objectCategory=person)(objectClass=user)(primaryGroupID=513))"   ; 513 = Domain Users
Local $strAttributes = "cn,samAccountName"
Local $strQuery = $strBase & ";" & $strFilter & ";" & $strAttributes & ";subtree"

$objCommand.CommandText = $strQuery
$objCommand.Properties("Page Size") = 100   ; paged results, needed for more than 1000 entries
$objCommand.Properties("Timeout") = 30
$objCommand.Properties("Cache Results") = False

Local $objRecordSet = $objCommand.Execute

; Print the sAMAccountName of every user whose primary group is Domain Users
Local $strtemplateCN
While Not $objRecordSet.EOF
    $strtemplateCN = $objRecordSet.Fields("samAccountName").Value
    ConsoleWrite($strtemplateCN & @CRLF)
    $objRecordSet.MoveNext
WEnd

$objRecordSet.Close
$objConnection.Close

Please try again...

Cheers

Kurt


Thank you Kurt - it's working perfectly now! :P

I am guessing I should use _ADGetObjectAttribute to get the LDAP description of a group, but I am not really sure how to use it.

I tried to just use it as _ADGetObjectAttribute("Group name", "description") but I am guessing this is wrong.

EDIT: This actually works - I must have made a typo somewhere when I was testing it, sorry!


Thanks a lot Kurt!

you're welcome.

Cheers

Kurt

