Active Directory UDF

[chaoticyeshua]

First off, I want to say thank you for these amazing tools! I know they'll come in extremely handy.

I am by no means a programmer... I'm more of a "scripter" -- and by that I mean I can typically find out how to do what I want, even if it may be a little buggy. That said, I'm working on a project that requires a little more than that. I was hoping someone here could help me.

We have Windows 7 images that we apply in WinPE. Right now, after applying the image, it boots into Windows and runs a Powershell script that requests certain information, such as Computer Name, Customer Name, Customer Location, and credentials for someone who has permission to join the object to the domain. This works well in Windows 7, but for some reason does not work in Windows XP anymore. I'm wanting to port a lot (if not all) of this functionality over to AutoIt since I'm far more familiar with it than Powershell.

What I'd like to do right now is ask a few questions:

1) Is it possible to use these scripts from within WinPE?

2) If so, is it possible to create a custom XML file so that mini-setup will automatically join the computer to the domain instead of requiring a couple of reboots like we have currently (change computer name, reboot, join to domain, reboot)?

3) Can anyone point me in the right direction for determining what OUs a person has write permission to, given their username/password (before joining to the domain), and then listing only those OUs in a tree view similar to the provided example?

Thank you!!

Edit: Sorry, for clarification regarding question number 3... The end result will be to populate the list of OUs the user has write permissions on so that they can select the proper OU for where to create a new computer object (assuming one of the same name doesn't exist already).

Edited January 8, 2013 by chaoticyeshua

[water]

Should be possible. Details will follow after my vacation (next week).

[chaoticyeshua]

Awesome. Thank you!

Edit:

By the way, since my last post, I have created and tested the code necessary to modify Sysprep's unattend.xml file. So now, I mainly just need help with connecting to Active Directory in WinPE after providing the credentials in a simple GUI. Just as an FYI, the GUI will have the following info:

Username (technician's account)

Password (technician's account)

Computer Name

Customer Name

Customer Username

Customer Location (Building / Room #)

Issue # (from our ticket tracking system)

Once you press OK, it should search for the entered computer name in AD. If the object exists, join using that object. If it doesn't, pop up the tree view where they can select the OU to create the object in.I tried to find a command to run to check the permissions on an OU. I couldn't find one just skimming through. Is there one I can use?

Edited January 11, 2013 by chaoticyeshua

[Iceman682]

Msgbox(64,"Please Standby","just checking your logged on credentials against AD")
_AD_Open()
$sFQDN_User = @UserName
$sFQDN_Group = "Domain Admins"
; Check the group membership of the specified user for the specified group
$iResult = _AD_IsMemberOf($sFQDN_Group, $sFQDN_User)
If $iResult = 1 Then
_AD_Close()
_MainGUI()
Else
_AD_Close()
_AuthGUI()
EndIf

Hi Water

Happy New Year

Is there a way to indicate a waiting indicator for AD to Open?

I have a script that checks AD to see if the current logged on user is part of the Domain Admins Group

If they are the Main GUI auto opens, if they arn't it takes them to a login GUI

It works, but there can be a long pause waiting for it to open AD, _AD_Open()

I want to show a simple indicator like a hourglass while it's opening AD and checking, is this possible?

Any help welcome

Iceman682

Edited January 12, 2013 by Iceman682

[water]

It works, but there can be a long pause waiting for it to open AD, _AD_Open()

I want to show a simple indicator like a hourglass while it's opening AD and checking, is this possible?

Iceman682,

_AD_Open shouldn't need more than 1/2 second to run.

Is it _AD_Open, _AD_IsMemberOf or _AD_Close that takes "forever"? You could use TimerInit, TimerDiff to measure run time.

[chaoticyeshua]

Water,

I've found that your example script takes about 10-15 seconds to run in my environment, so it probably depends how large AD is. In your script, I turned off showing computers in the OUs. With that on, it took a whole minute or so. Since I work at a university, our AD is pretty massive. That's not a problem for me (it's much, much quicker than Powershell anyway), but just wanted to point out that it can indeed take much longer than 1/2 second.

[water]

The example scripts always search the whole domain. I wanted the scripts to run out of the box in every environment.

But only processing the domain depends on the AD size. _AD_Open and _AD_Close should run in a split second.

Edited January 14, 2013 by water

[water]

I mainly just need help with connecting to Active Directory in WinPE after providing the credentials in a simple GUI. Just as an FYI, the GUI will have the following info:

Username (technician's account)

Password (technician's account)

Computer Name

Customer Name

Customer Username

Customer Location (Building / Room #)

Issue # (from our ticket tracking system)

Once you press OK, it should search for the entered computer name in AD. If the object exists, join using that object. If it doesn't, pop up the tree view where they can select the OU to create the object in.I tried to find a command to run to check the permissions on an OU. I couldn't find one just skimming through. Is there one I can use?

To connect to AD from WinPE some additional installation is needed. Details can be found

To check for the existance of the computer use: _AD_ObjectExists

To select an OU from a TreeView use:

To join the computer to the domain use: _AD_JoinDomain

To check the permissions for an OU use: _AD_HasRequiredRights

[chaoticyeshua]

Thank you kindly!

I found the post regarding WinPE the other day and have that working already Just need to find the time to take a look at your example script and see how easy it would be to modify it to suit my needs. Thanks again!

[water]

All example scripts should work out of the box - even with WinPE (I hope).

[chaoticyeshua]

Yes, it worked in WinPE just fine. I just need to find where in your example script to put the _AD_HasRequiredRights so that the tree view is only populated by OUs the user has the proper permission to create computer objects (ADS_RIGHT_DS_CREATE_CHILD?). It's a little hard to follow for me

Edited January 15, 2013 by chaoticyeshua

[water]

Details about the ADS_RIGHTS_ENUM can be found here. I'm not firm with AD permissions but I think ADS_RIGHT_DS_CREATE_CHILD should be fine.

[chaoticyeshua]

Okay thanks for the information. It looks like that should work.

Do you have any pointers regarding where to inject the _AD_HasRequiredRights in your example script to have it only populate the tree view with OUs the user has permission on?

[water]

Easiest way:

Function _AD_GetOUTreeView (from the example script) returns the selected OU. After selection check the permission for this OU and display an error message if the user doesn't have proper permission.

[chaoticyeshua]

I can't get _AD_HasRequiredRights to return anything but 0 on objects/OUs that I know I have access to modify. It doesn't matter what permission level I specify to check, even list permissions. In your example script, you converted ADS_RIGHT_DELETE to decimal (65536). I've done so with various other permission levels and it returns 0 every single time for me no matter what object I check. Does it matter than I'm not directly added to the security on the object? That I'm a member of a group that has permission on it? Otherwise, unless I'm doing something wrong, I just simply can't get it to work at all.

Edited January 15, 2013 by chaoticyeshua

[water]

I have to admit that permissions is the area I have absolutely no idea how it works

The functions as you now see them have been copied and modified by me from the original adfunctions UDF written by Jonathan Clelland.

Will have to ask Google if there is an example script on the web that shows how to do this ...

[chaoticyeshua]

Cruddy. Here's an example of what I've got going on:

_AD_Open()
If @error Then Exit MsgBox(16, "Active Directory Example Skript", "Function _AD_Open encountered a problem. @error = " & @error & ", @extended = " & @extended)
$test = _AD_HasRequiredRights("ubp_students", 983551, @UserName)
MsgBox(0,"",$test)
_AD_Close()

ubp_students is a group that I created. 983551 is supposed to check for full permission. Just before running the script, I gave myself full permission on the object (not my group, myself directly), and it still returns 0 Sounds like something's not working as it should be. It looks like it detects the object exists, but isn't checking permissions correctly.

Edited January 15, 2013 by chaoticyeshua

[water]

Will have a look at the original function written by Johnathan Clelland. Maybe I made a mistake by converting it.

Stay tuned ...

[Neutro]

Hey water,

Just want to say thank you very much for your amazing work, you saved me a lot of time at work

[water]

Glad the UDF is useful for you