tarankov
Members, 11 posts

Everything posted by tarankov

  1. Good day. Did you read my last post about the diagnostic results? If the results show nothing, could you help me get the contents of the created object, please? I'm sure the origin of this error will be understood by comparing the results.
  2. Hi Water! I'm surely coming closer to understanding this problem. I compared your script's reports on the machine created by the domain computer and on the one created by the non-domain computer. It turned out that they differ only in 9(!) access-right records, the very records that are entered through AccessControlEntry in the script. I've started researching this problem. I've commented out 8 of the right designations to localize the problem, and I think it is localized to the limit. On the domain machine, during creation of the AccessControlEntry object, one of the properties is the value of the domain or something else, I'm not sure. On the non-domain machine that does not happen. Regretfully, I didn't manage to list all the properties of the created object for comparison, because of my lack of experience working with COM objects. Possibly we can do it with your knowledge. Here's the function:

    Func _AD_CreateComputer($sAD_OU, $sAD_Computer, $sAD_User)
        If Not _AD_ObjectExists($sAD_OU) Then Return SetError(1, 0, 0)
        If _AD_ObjectExists("CN=" & $sAD_Computer & "," & $sAD_OU) Then Return SetError(2, 0, 0)
        ;If Not _AD_ObjectExists($sAD_User) Then Return SetError(3, 0, 0)
        If StringMid($sAD_OU, 3, 1) <> "=" Then $sAD_OU = _AD_SamAccountNameToFQDN($sAD_OU) ; sAMAccountName provided
        If StringMid($sAD_User, 3, 1) = "=" Then $sAD_User = _AD_FQDNToSamAccountName($sAD_User) ; FQDN provided
        ConsoleWrite('$sAD_User: ' & $sAD_User & @CRLF)

        ; Create the computer object in the container and write the basic attributes
        Local $oAD_Container = __AD_ObjGet("LDAP://" & $sAD_HostServer & "/" & $sAD_OU)
        Local $oAD_Computer = $oAD_Container.Create("Computer", "cn=" & $sAD_Computer)
        $oAD_Computer.Put("sAMAccountName", $sAD_Computer & "$")
        $oAD_Computer.Put("userAccountControl", BitOR($ADS_UF_PASSWD_NOTREQD, $ADS_UF_WORKSTATION_TRUST_ACCOUNT))
        $oAD_Computer.SetInfo
        If @error <> 0 Then Return SetError(@error, 0, 0)

        ; Read the security descriptor and its DACL so ACEs for $sAD_User can be appended
        Local $oAD_SD = $oAD_Computer.Get("ntSecurityDescriptor")
        Local $oAD_DACL = $oAD_SD.DiscretionaryAcl

        Local $oAD_ACE1 = ObjCreate("AccessControlEntry")
        $oAD_ACE1.Trustee = $sAD_User
        $oAD_ACE1.AccessMask = $ADS_RIGHT_GENERIC_READ
        $oAD_ACE1.AceFlags = 0
        $oAD_ACE1.AceType = $ADS_ACETYPE_ACCESS_ALLOWED

        Local $oAD_ACE2 = ObjCreate("AccessControlEntry")
        $oAD_ACE2.Trustee = $sAD_User
        $oAD_ACE2.AccessMask = $ADS_RIGHT_DS_CONTROL_ACCESS
        $oAD_ACE2.AceFlags = 0
        $oAD_ACE2.AceType = $ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
        $oAD_ACE2.Flags = $ADS_FLAG_OBJECT_TYPE_PRESENT
        $oAD_ACE2.ObjectType = $ALLOWED_TO_AUTHENTICATE

        Local $oAD_ACE3 = ObjCreate("AccessControlEntry")
        $oAD_ACE3.Trustee = $sAD_User
        $oAD_ACE3.AccessMask = $ADS_RIGHT_DS_CONTROL_ACCESS
        $oAD_ACE3.AceFlags = 0
        $oAD_ACE3.AceType = $ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
        $oAD_ACE3.Flags = $ADS_FLAG_OBJECT_TYPE_PRESENT
        $oAD_ACE3.ObjectType = $RECEIVE_AS
        ;$oAD_ACE3.Trustee.Domain = "ad.pu.ru"
        ;$oAD_ACE3.SID = 'S-1-5-21-1625984058-1322545667-1880170995-25467'
        ;ConsoleWrite('Trustee: ' & $oAD_ACE3.Trustee.Domain & @CRLF)

        Local $oAD_ACE4 = ObjCreate("AccessControlEntry")
        $oAD_ACE4.Trustee = $sAD_User
        $oAD_ACE4.AccessMask = $ADS_RIGHT_DS_CONTROL_ACCESS
        $oAD_ACE4.AceFlags = 0
        $oAD_ACE4.AceType = $ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
        $oAD_ACE4.Flags = $ADS_FLAG_OBJECT_TYPE_PRESENT
        $oAD_ACE4.ObjectType = $SEND_AS

        Local $oAD_ACE5 = ObjCreate("AccessControlEntry")
        $oAD_ACE5.Trustee = $sAD_User
        $oAD_ACE5.AccessMask = $ADS_RIGHT_DS_CONTROL_ACCESS
        $oAD_ACE5.AceFlags = 0
        $oAD_ACE5.AceType = $ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
        $oAD_ACE5.Flags = $ADS_FLAG_OBJECT_TYPE_PRESENT
        $oAD_ACE5.ObjectType = $USER_CHANGE_PASSWORD

        Local $oAD_ACE6 = ObjCreate("AccessControlEntry")
        $oAD_ACE6.Trustee = $sAD_User
        $oAD_ACE6.AccessMask = $ADS_RIGHT_DS_CONTROL_ACCESS
        $oAD_ACE6.AceFlags = 0
        $oAD_ACE6.AceType = $ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
        $oAD_ACE6.Flags = $ADS_FLAG_OBJECT_TYPE_PRESENT
        $oAD_ACE6.ObjectType = $USER_FORCE_CHANGE_PASSWORD

        Local $oAD_ACE7 = ObjCreate("AccessControlEntry")
        $oAD_ACE7.Trustee = $sAD_User
        $oAD_ACE7.AccessMask = $ADS_RIGHT_DS_WRITE_PROP
        $oAD_ACE7.AceFlags = 0
        $oAD_ACE7.AceType = $ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
        $oAD_ACE7.Flags = $ADS_FLAG_OBJECT_TYPE_PRESENT
        $oAD_ACE7.ObjectType = $USER_ACCOUNT_RESTRICTIONS

        Local $oAD_ACE8 = ObjCreate("AccessControlEntry")
        $oAD_ACE8.Trustee = $sAD_User
        $oAD_ACE8.AccessMask = $ADS_RIGHT_DS_SELF
        $oAD_ACE8.AceFlags = 0
        $oAD_ACE8.AceType = $ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
        $oAD_ACE8.Flags = $ADS_FLAG_OBJECT_TYPE_PRESENT
        $oAD_ACE8.ObjectType = $VALIDATED_DNS_HOST_NAME

        Local $oAD_ACE9 = ObjCreate("AccessControlEntry")
        $oAD_ACE9.Trustee = $sAD_User
        $oAD_ACE9.AccessMask = $ADS_RIGHT_DS_SELF
        $oAD_ACE9.AceFlags = 0
        $oAD_ACE9.AceType = $ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
        $oAD_ACE9.Flags = $ADS_FLAG_OBJECT_TYPE_PRESENT
        $oAD_ACE9.ObjectType = $VALIDATED_SPN

        ; Only ACE3 is added while the other eight are commented out to localize the failure
        ;$oAD_DACL.AddAce($oAD_ACE1)
        ;$oAD_DACL.AddAce($oAD_ACE2)
        $oAD_DACL.AddAce($oAD_ACE3)
        ;$oAD_DACL.AddAce($oAD_ACE4)
        ;$oAD_DACL.AddAce($oAD_ACE5)
        ;$oAD_DACL.AddAce($oAD_ACE6)
        ;$oAD_DACL.AddAce($oAD_ACE7)
        ;$oAD_DACL.AddAce($oAD_ACE8)
        ;$oAD_DACL.AddAce($oAD_ACE9)

        ; Write the modified DACL back into the security descriptor and commit
        $oAD_SD.DiscretionaryAcl = $oAD_DACL
        $oAD_Computer.Put("ntSecurityDescriptor", $oAD_SD)
        $oAD_Computer.SetInfo
        If @error <> 0 Then Return SetError(@error, 0, 0)
        Return 1
    EndFunc   ;==>_AD_CreateComputer

     Also, in support of my version, here is the description of the Trustee property: http://msdn.microsoft.com/en-us/library/system.messaging.accesscontrolentry.trustee(v=vs.90).aspx which says the domain can be specified. Furthermore, I have an additional version. I found many "Security identifier has wrong structure" errors reported where the cause was a wrongly declared SID. In our case we do not declare it at all.
  3. Hi Water! I haven't yet tested the script you've shared, but I have an idea that may possibly give an understanding. The function crashes on line 2430 of the module AD.au3. This is it:

    $oAD_Computer.Put("ntSecurityDescriptor", $oAD_SD)

     But I cannot get the values of this object and its properties because of my lack of experience working with objects. If I could derive the object's contents, I would compare the values with those of a proper example on a domain computer. Do you know how to do it?
  4. Hi Water! Those steps didn't work. Please note, I didn't mention it before: the computer account appears in the OU, so the object is created. Perhaps the problem emerges at the rights-granting phase.
  5. Messages now appear in a MsgBox; they were shown in the console before. And they won't get more detailed. Colleagues from Microsoft have an idea that it's necessary to be authenticated to AD. Maybe some additional key on the domain computer during connection?
  6. Hi Water! Have you any idea how to diagnose the running of this function? We could solve the problem together. If you are interested, I would even consider the feasibility of a remote connection to the problem workstation.
  7. Maybe I can provide additional information for analysis?
  8.
    ; Open Connection to the Active Directory
    _AD_Open('admin', 'admin_password', 'DC=ad,DC=pu,DC=ru', 'dc.ad.pu.ru', "CN=Configuration,DC=ad,DC=pu,DC=ru")
    If @error Then Exit MsgBox(16, "Active Directory Example Script", "Function _AD_Open encountered a problem. @error = " & @error & ", @extended = " & @extended)
  9. It's impossible. I call the function _AD_Open() as the same user. I create the computer account successfully from a domain computer, and on a non-domain one I get an error. Using the domain admin account for testing excludes the absence of any permissions.
  10. Security identifier has improper structure.
  11. Greetings! I've encountered an error. I have written a script that creates an AD computer account. Running the script on a domain computer gives positive results. When running it on a non-domain computer, the account is created but the script dies with the following error:

    ========================================================
    COM Error Encountered in JoinDomain.au3
    AD UDF version = 1.3.0
    @AutoItVersion = 3.3.8.1
    @AutoItX64 = 0
    @Compiled = 0
    @OSArch = X64
    @OSVersion = WIN_7
    Scriptline = 2430
    NumberHex = 80020009
    Number = -2147352567
    WinDescription = The security identifier has an invalid structure. (original text: Идентификатор безопасности имеет неверную структуру.)
    Description =
    Source =
    HelpFile =
    HelpContext = 0
    LastDllError = 0
    ========================================================

     Running the same script. The computers' operating systems are the same. Source:

    Func create_pc($sComputer)
        $sOU = 'OU=Факультет психологии,OU=СПбГУ,DC=ad,DC=pu,DC=ru'
        $sUser = 'admins_psy'
        Local $status = False
        ; Create a new computer account and delegate rights on it to $sUser
        Local $iValue = _AD_CreateComputer($sOU, $sComputer, $sUser)
        If $iValue = 1 Then
            ;MsgBox(64, "Active Directory Functions - Example 1", "Computer '" & $sComputer & "' in OU '" & $sOU & "' successfully created")
            $status = True
        ElseIf @error = 1 Then
            ;MsgBox(64, "Active Directory Functions - Example 1", "OU '" & $sOU & "' does not exist")
        ElseIf @error = 2 Then
            ;MsgBox(64, "Active Directory Functions - Example 1", "Computer '" & $sComputer & "' already exists")
        ElseIf @error = 3 Then
            ;MsgBox(64, "Active Directory Functions - Example 1", "User/group '" & $sUser & "' does not exist")
        Else
            ;MsgBox(64, "Active Directory Functions - Example 1", "Return code '" & @error & "' from Active Directory")
        EndIf
        Return $status
    EndFunc   ;==>create_pc
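An added example, written by the editor in Windows PowerShell with System.DirectoryServices; it is not code from the AD UDF or from anyone in this thread. It does what the _AD_CreateComputer function in post 2 and the create_pc wrapper in post 11 do (create the computer account, then add object-specific ACEs for a trustee), in a form that can be run from a workstation that is not a domain member. It assumes the DC, base DN, OU and trustee name that appear in the thread; the computer name and the credentials are placeholders. Two design choices matter here: the bind uses explicit credentials over LDAP, and the trustee is handed to each ACE as a SID read from the trustee's objectSid attribute over that same LDAP connection, so nothing in the script asks the local machine to translate a bare name such as "admins_psy" into a SID through its own (non-domain) LSA. That this name translation is what produces the "security identifier has an invalid structure" error in the thread is the editor's assumption, not something the thread establishes. The GUIDs in the table are the well-known schema GUIDs for the Send-As, Receive-As, Validated-SPN and Validated-DNS-Host-Name rights; verify them against CN=Extended-Rights in the Configuration partition of your own forest before relying on them. The last step reads the resulting ACEs back as SIDs, which is the per-object comparison asked for several times above.

```powershell
# Added example (editor's, not AD UDF code): create a computer account and delegate
# rights on it from a non-domain-joined machine, using explicit LDAP credentials and
# a SID-based trustee so no local name-to-SID lookup is involved. Windows PowerShell only.
$Server   = 'dc.ad.pu.ru'                                        # from the thread
$BaseDN   = 'DC=ad,DC=pu,DC=ru'                                   # from the thread
$OU       = 'OU=Факультет психологии,OU=СПбГУ,DC=ad,DC=pu,DC=ru'  # from the thread
$Trustee  = 'admins_psy'                                          # from the thread (sAMAccountName)
$Computer = 'PC-TEST01'                                           # assumed placeholder
$Cred     = Get-Credential -Message 'Domain admin used for the LDAP bind'
$BindUser = $Cred.UserName
$BindPass = $Cred.GetNetworkCredential().Password

# Every DirectoryEntry is bound with explicit credentials; the workstation's own
# (local, non-domain) security context is never used against the DC.
function New-BoundEntry {
    param([string]$Path)
    New-Object -TypeName System.DirectoryServices.DirectoryEntry -ArgumentList @(
        "LDAP://$Server/$Path", $BindUser, $BindPass,
        [System.DirectoryServices.AuthenticationTypes]::Secure)
}

function Find-One {
    param([string]$Filter, [string[]]$Attrs)
    $s = New-Object -TypeName System.DirectoryServices.DirectorySearcher -ArgumentList (New-BoundEntry $BaseDN)
    $s.Filter = $Filter
    foreach ($a in $Attrs) { [void]$s.PropertiesToLoad.Add($a) }
    $s.FindOne()
}

# 1. Resolve the trustee's SID over LDAP instead of through LookupAccountName.
$hit = Find-One "(sAMAccountName=$Trustee)" @('objectSid')
if (-not $hit) { throw "Trustee '$Trustee' not found under $BaseDN" }
$sid = New-Object System.Security.Principal.SecurityIdentifier($hit.Properties['objectsid'][0], 0)
Write-Host "Trustee $Trustee resolved to $($sid.Value)"

# 2. Refuse to clobber an existing account (the UDF returns @error = 2 for this case).
if (Find-One "(sAMAccountName=$Computer`$)" @('distinguishedName')) {
    throw "Computer '$Computer' already exists"
}

# 3. Create the computer object with the same attributes the UDF sets.
$container = New-BoundEntry $OU
$pc = $container.Children.Add("CN=$Computer", 'computer')
$pc.Properties['sAMAccountName'].Value    = "$Computer`$"
$pc.Properties['userAccountControl'].Value = 0x20 -bor 0x1000   # PASSWD_NOTREQD | WORKSTATION_TRUST_ACCOUNT
$pc.CommitChanges()

# 4. Object-specific ACEs. Well-known schema GUIDs (assumed; verify in your forest's
#    CN=Extended-Rights container). ExtendedRight = control-access ACE, Self = validated write.
$rights = [ordered]@{
    'Send-As'                 = @([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight, 'ab721a54-1e2f-11d0-9819-00aa0040529b')
    'Receive-As'              = @([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight, 'ab721a56-1e2f-11d0-9819-00aa0040529b')
    'Validated-SPN'           = @([System.DirectoryServices.ActiveDirectoryRights]::Self,          'f3a64788-5306-11d1-a9c5-0000f80367c1')
    'Validated-DNS-Host-Name' = @([System.DirectoryServices.ActiveDirectoryRights]::Self,          '72e39547-7b18-11d1-adef-00c04fd8d5cd')
}
foreach ($name in $rights.Keys) {
    $kind, $guid = $rights[$name]
    # Trustee is the SecurityIdentifier itself, so the ACE carries a SID from the start.
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $kind, [System.Security.AccessControl.AccessControlType]::Allow, [guid]$guid)
    $pc.ObjectSecurity.AddAccessRule($ace)
    Write-Host "Added $name ($kind, $guid) for $($sid.Value)"
}
$pc.CommitChanges()   # writes ntSecurityDescriptor back to the DC

# 5. Read the DACL back as SIDs: run this on both the domain and the non-domain
#    machine and diff the output to see exactly which ACEs differ.
$pc.RefreshCache()
$pc.ObjectSecurity.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference -eq $sid } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, AccessControlType |
    Format-Table -AutoSize
```

The script has to be run in Windows PowerShell (System.DirectoryServices is not available in PowerShell on other platforms), and the account used for the bind needs Create Child (computer) on the OU and Write DACL on the new object, which a domain admin has. If the trustee is a group rather than a user, nothing changes: objectSid is read the same way. Running step 5 alone against an account created by the AutoIt script on the domain-joined machine gives the reference DACL to compare against.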