Active Directory UDF

[l4tran]

If you run the current version of the AD UDF (1.3.0.0) could you please add "_AD_ErrorNotify(2)" at the top of your script and post the returned COM error message?

It returns 1. I couldn't get the AD UDF to work with the version 3.3.8.1 of Autoit. I had to download ver. 3.3.6.0. I didn't try the versions in between.

Can you show me your autoit script of executing Powershell?

[water]

I have no problem running the current AD UDF with AutoIt 3.3.8.1. And no one else seems to have a problem. Which problems did you have?

[JLogan3o13]

Hi, Water. I am working on a small A.D. front end for a customer; they would like to give some temp folks the ability to do a very few things in A.D. and would like a front-end that shows them only those options. The only place I am stuck at this point is the ability to look up folks by Display Name. A lot of the employees these temps will be interacting with do not know their A.D. account name (how that can be I still don't get), so they would like the temp to be able to put in the first and last name, and resolve this to the login ID.

I've been looking at _AD_SamAccountNameToFQDN and _AD_FQDNToDisplayName, but am wondering if there is an easier way to do this (_AD_GetObjectProperties, maybe?). Below is a very simple mock-up of what the temp would be seeing.

[water]

You need function _AD_GetObjectsInOU to search for property "displayname". Something like this:

$sDisplayName = "Firstname Lastname"
$aObjects = _AD_GetObjectsInOU($sOU, "(&(objectcategory=person)(objectclass=user)(displayname=" & $sDisplayName & "*))", 2, "sAMAccountName")

Set $sOU to the OU where to start the search for users (better performance).

Be aware that you could get more than 1 user in return.

[JLogan3o13]

Hmm...true. I'm told there are a lot of "John Smith's". Thanks much for the suggestion, I will play around with this today.

[water]

You could query some more properties and pass them to the users so they could select the correct login-Id. Like:

$sDisplayName = "Firstname Lastname"
$aObjects = _AD_GetObjectsInOU($sOU, "(&(objectcategory=person)(objectclass=user)(displayname=" & $sDisplayName & "*))", 2, "sAMAccountName,department,description,info,telephoneNumber,l,streetaddress")

"l" stands for location.

[JLogan3o13]

Ok, I must be doing something incorrectly. The script below exits without displaying the array. I tried drilling down to a lower OU, but that is not working either.

_AD_Open()
Global $aObjects[1][1]
$sDisplayName = "John Smith"
$aObjects = _AD_GetObjectsInOU("", "(&(objectcategory=person)(objectclass=user)(displayname=" & $sDisplayName & "*))", 2, "sAMAccountName")
_ArrayDisplay($aObjects)

Edit: Disregard, I found the mistake. Thank you again for the assistance.

Edited October 29, 2012 by JLogan3o13

[water]

Just for the records: If an AD function does not return the expected result, check @error and @extended. You will find a description of the values on the help file for the function.

[JLogan3o13]

Thanks, I added some error checking. I did find one interesting issue: I would think I could search by either first (given) or last name, but that does not seem to be the case. The first reproducer below works fine for searching by givenname, but returns an @error of 3 if I try by lastname instead of givenname. The second reproducer, which shows a straight query of LDAP, does successfully query by lastname only. Am I doing something wrong in the first script?

Local $aObjects[1][1]
Local $name = "Jim"
$aObjects = _AD_GetObjectsInOU("", "(givenname=" & $name & ")", 2, "DisplayName, sAMAccountName, Description")
 If @error > 0 Then MsgBox(0, @error, @extended)
     _ArrayDelete($aObjects, 0)
  _ArrayDisplay($aObjects, "", -1, 0, "", "", " |DisplayName|Login Name|Position")

$objSysInfo = ObjCreate("ADSystemInfo")
$objCurrentUser = ObjGet("LDAP://" & $objSysInfo.UserName)
 MsgBox(0, "", $objcurrentuser.lastname)

[water]

To query the last name using LDAP you have to query property "sn" (surname).

The second example works because you use LDAP to query the ADSystemInfo object which has a lastname property.

Run the example script _AD_GetObjectProperties and the first example will show all available properties for a user wich can be queried by _AD_GetObjectsInOU.

For a list of available properties check this site.

BTW: Your example should use "(&(objectcategory=person)(objectclass=user)(sn=" & $Name & "))" for performance reasons because AD has an index on category and class. If you just query sn the whole AD is searched.

[JLogan3o13]

Thanks, that worked. I appreciate the help, and the link.

[water]

Glad to be of service

[JKFN]

Bug in _AD_GetObjectProperties()

Example:

_AD_GetObjectProperties($SAM,'objectGUID') where return value objectGUID is ValidSID (example: {70080EA1-9096-4541-8A4A-E86B9127BAB7} )

Func _AD_GetObjectProperties($sAD_Object = @UserName, $sAD_Properties = "")
....
ElseIf $oAD_Item.ADsType = $ADSTYPE_OCTET_STRING Then
     $xAD_Dummy = DllStructCreate("byte[56]")
     DllStructSetData($xAD_Dummy, 1, $vAD_PropertyValue.OctetString)
     ; objectSID etc. See: http://msdn.microsoft.com/en-us/library/aa379597(VS.85).aspx
     ; objectGUID etc. See: http://www.autoitscript.com/forum/index.php?showtopic=106163&view=findpost&p=767558
     If _Security__IsValidSid(DllStructGetPtr($xAD_Dummy)) Then
      $aAD_ObjectProperties[$iCount3][1] = _Security__SidToStringSid(DllStructGetPtr($xAD_Dummy)) ; SID
     Else
      $aAD_ObjectProperties[$iCount3][1] = _WinAPI_StringFromGUID(DllStructGetPtr($xAD_Dummy)) ; GUID
     EndIf
....

[water]

Thanks! Will have a look and come up with a solution.

[water]

I just checked the GUID and SID for a user, computer, group and OU and they are all correct.

Your posted example is a GUID. A SID should look like: S-1-5-21-...

Could you exactly describe what you think is wrong?

[willichan]

I seem to have run into a minor problem when using this UDF. I hope you can help me out.

Here is the simple reproducer code

#include <ad.au3>
_AD_Open()
$FQDN = _AD_SamAccountNameToFQDN(@UserName)
MsgBox(0,"test",$FQDN)
_AD_close()

I am running on a 64 bit Win7 machine, but the script will also need to run on 32 bit WinXP as well, so I intend to compile the script as a 32 bit exe.

The trouble is that on my 64 bit machine, when I run this as a 32 bit, I get an error on line 455 of ad.au3 -- Variable must be of type "Object".

I inserted a test line above that line to check $__oAD_Command to see if it is an object. IsObj() returns False.

If I run the script as 64 bit, it works fine, but I need to be able to run in either environment.

Any thoughts?

Using the AD 1.3.0.0.zip version of the UDF and the 3.3.8.1 version of AutoIt.

[water]

Is _AD_Open successfull? What's the value of @error and @extended after _AD_Open?

[JKFN]

I just checked the GUID and SID for a user, computer, group and OU and they are all correct.

Your posted example is a GUID. A SID should look like: S-1-5-21-...

Could you exactly describe what you think is wrong?

Yes, string "{70080EA1-9096-4541-8A4A-E86B9127BAB7}" is GUID, but function "_Security__IsValidSid(DllStructGetPtr($xAD_Dummy))" return True.

[water]

Seems to be a problem with function _Security__IsValidSid.

The function looks like:

Func _Security__IsValidSid($pSID)
    Local $aCall = DllCall("advapi32.dll", "bool", "IsValidSid", "struct*", $pSID)
    If @error Then Return SetError(1, @extended, False)
    Return Not ($aCall[0] = 0)
EndFunc ;==>_Security__IsValidSid

Do you run your script as 32 or 64 bit? If you run it as 64 bit could you try as 32 bit?

Edited November 2, 2012 by water

[JKFN]

Seems to be a problem with function _Security__IsValidSid.

The function looks like:

Func _Security__IsValidSid($pSID)
Local $aCall = DllCall("advapi32.dll", "bool", "IsValidSid", "struct*", $pSID)
If @error Then Return SetError(1, @extended, False)
Return Not ($aCall[0] = 0)
EndFunc ;==>_Security__IsValidSid

Do you run your script as 32 or 64 bit? If you run it as 64 bit could you try as 32 bit?

64 bit