Active Directory UDF

[water]

Hi supersonic,

I've just released version 1.0.0 of the AD UDF.

Now it's possible to connect to the current domain and specify the DC you want to use. If - in addition - you specify port 3268 then you are connected to the GC on this machine.

Let's say _AD_ListDomainControllers says "DC-Server1.microsoft.com" is a GC as well. Using

#include <ad.au3>
$iAD_Debug = 2
_AD_Open("", "", "", "DC-Server1.microsoft.com:3268")
If @error <> 0 Then Exit MsgBox(0,"", "Error in _AD_Open: @error = " & @error & ", @extended = " & @extended)
$aResult = _AD_GetObjectsInOU("","(&(objectclass=user)(name=A*))", 2, "sAmAccountName, distinguishedname")
If @error <> 0 Then Exit MsgBox(0,"", "Error in _AD_GetObjectsInOU: @error = " & @error & ", @extended = " & @extended)
_ArrayDisplay($aResult)
_AD_Close()

connects you to the GC and returns an array of users starting with "a" in the whole forest.

I can't test it myself because we only have a single domain.

If you want to try this please make sure to run it in a test enironment - it's completely untested by me!

[supersonic]

Hi water,

thank you very much! The new UDF seems to work well...

Greets,

-supersonic.

[Yorn]

water, What would you recommend as the best route to pull Bitlocker recovery keys? I've gotten it to work with objects directly, but that method seems to bypass the UDF. Would it be possible to maybe add this function to the UDF? I'm trying to get it set up so that I don't even have to open up Active Directory Users & Computers anymore.

[water]

Haven't used the BitLocker information from Active Directory before. The properties of a computer object starting with "msFVE-" seem to contain the required information (Full Volume Encryption (FVE) was the prerelease name for BitLocker Drive Encryption):

msFVE-KeyPackage, msFVE-RecoveryGuid, msFVE-RecoveryPassword, msFVE-VolumeGuid.

Check the attributes here.

So if you use _AD_GetObjectProperties of a computer object you will get the required info.

I've found a script to extract some of this information.

Is this what you are looking for?

Edit:

What do you have so far? Could you please post the code so I can decide if it needs to be added to the UDF?

Edited June 22, 2011 by water

[HaeMHuK]

Hi water!

Please. give an example open Ad connection to different DC.

I've already tried many ways but all the same it works with DC in my location.

my location DC: dc-bbb1.domain.com

DC I need to connect: dc-aaa1.domain.com

Thanks in advance.

[water]

Please have a look at the Wiki (link can be found in my signature). There I describe how to connect to another domain.

[RvS]

Dear water,

I'm currently writing some scripts to automate making a new user for our help/support desk.

The script makes the user correctly and assigns homedrives/profile folders I tell it to.

Now there's a problem;

_AD_ModifyAttribute($Username, "homeDir", "\\server\homedrive$\" & $Username)

This works. But then there is no Drive Letter assigned (blank space in the AD) and Windows ignores the drive completely. I cannot seem to find the function to add a drive letter to the home drive.

Thanks in advance!

Edited July 15, 2011 by RvS

[water]

I'm not at my Windows PC at the moment.

But you could run the _AD_GetObjectProperties.au3 example script on a user that is connected to the domain. Example 1 displays the properties of the current user.

IIRC you have to set homedrive and homedirectory. M$ may shed some light on the subject:

"The home directory for the account. If homeDrive is set and specifies a drive letter, homeDirectory must be a UNC path. Otherwise, homeDirectory is a fully qualified local path including the drive letter (e.g. "c:\directory\folder")."

Edited July 15, 2011 by water

[RvS]

I'm not at my Windows PC at the moment.

But you could run the _AD_GetObjectProperties.au3 example script on a user that is connected to the domain. Example 1 displays the properties of the current user.

IIRC you have to set homedrive and homedirectory. M$ may shed some light on the subject:

"The home directory for the account. If homeDrive is set and specifies a drive letter, homeDirectory must be a UNC path. Otherwise, homeDirectory is a fully qualified local path including the drive letter (e.g. "c:\directory\folder")."

Got it. You my day. I was thinking for some reason that HomeDrive = Network and Homedir = Local

;Homedir change
Global $2 = _AD_ModifyAttribute($Username, "homeDrive", "P:")
Global $3 = _AD_ModifyAttribute($Username, "homeDirectory", "\\server\homedir$\" & $Username)

[water]

Glad to be of service

[Yorn]

ms-FVE-RecoveryInformation is, itself, an object within the Computer object.

[water]

Added a new script to the Example Scripts thread. Lets you display the OUs in your AD as a TreeView.

Edited July 17, 2011 by water

[HaeMHuK]

Hi Water!

Could you please help me to convert list of _AD_GetAllOUs($sOU) to GuiCtrlCreateCombo

Thanks.

Edited July 18, 2011 by HaeMHuK

[water]

Why do you want to display the OU structure in a combo?

The OU structure is hierarchical so a TreeView would be best.

[HaeMHuK]

Why do you want to display the OU structure in a combo?

The OU structure is hierarchical so a TreeView would be best.

We have many OUs, so it is really great to have possibility to choose OU you need when creating object. Edited July 18, 2011 by HaeMHuK

[water]

I've changed the example script I mentioned above. It now returns the name and FQDN of the selected OU.

Is this what you need?

[HaeMHuK]

I've changed the example script I mentioned above. It now returns the name and FQDN of the selected OU.

Is this what you need?

Much better than I've asked ))). Thanks a lot.

[water]

[RvS]

Another quick question; I'm using this: http://www.kouti.com/tables/userattributes.htm

As a reference for filling out the right fields/checks. I'm missing something though.

When a user is created, they need to change their password upon first login, how do I tick this box with AutoIt?

[water]

Set property pwdLastSet to -1.

This is done automatically by function _AD_CreateUser.