Active Directory UDF - Help & Support

[BrewManNH]

Far too many install locations is my problem, including on several thumb drives that I have to update everytime I find a new version of some UDF.

[water]

So you might need an AutoIt script to synchronize them

[kor]

@water, I'm having a heck of a time getting the _AD_Open to open a connection to active directory when the computer is not on the domain. I've tried both manually defining the various variables needed, and also tried your AD_Open example script with the gui and plugging in the vars and I keep getting Error 8.

Here are my vars.

$username = "eos"
$password = "password"
$domain = "DC=ad,DC=example,DC=com"
$controller = "dom-dc1.ad.example.com"
$config = "CN=Configuration,DC=ad,DC=example,DC=com"

_AD_Open($user, $pass, $domain, $controller, $config)

Global $aOUs = _AD_GetAllOUs()
If @error > 0 Then
    MsgBox(64, "Active Directory Functions - Example 1", "No OUs could be found")
Else
    _ArrayDisplay($aOUs, "Active Directory Functions - Example 1 - All OUs found in the Active Directory")
EndIf


_AD_Close()

When using the above example I get this error, then of course the msgbox of No OU's can be found.

When using your _AD_Open example gui I get this

The client workstation is Windows XP SP3, and the domain controller is Server 2008 R2. The functional level of the domain is 2008R2 is that makes any difference. The workstation is receiving proper DHCP IP from the domain controller and I can ping dom-dc1.ad.example.com from the workstation and it resolves and replies correctly.

Edited March 27, 2011 by kor

[water]

$username = "eos"
$password = "password"
$domain = "DC=ad,DC=example,DC=com"
$controller = "dom-dc1.ad.example.com"
$config = "CN=Configuration,DC=ad,DC=example,DC=com"
$iAD_Debug = 2
_AD_Open($user, $pass, $domain, $controller, $config)
Msgbox(0,"","error: " & @error & ", @extended: " & @extended)

Could you please change your script so we get maximum debugging information?

Edited March 27, 2011 by water

[kor]

error: 8, @extended: -2147352567

[water]

Could you please specify ther userid ($username = "eos") as NetBIOS login name "<domain>\eos" or user principal name "eos@<domain>.<com>"?

<...> denotes a value to be replaced with actual data.

[kor]

I've already tried all 3 before I even posted.

Same error.

[water]

Do you have by chance a Windows Vista or Windows 7 PC available that is no member of the domain?

Because we would get more detailed error information.

Edit:

Did you verify the parameters running a script like this on a PC connected to the domain?

#include <ad.au3>
$iAD_Debug = 2
_AD_Open()
ConsoleWrite($sAD_DNSDomain & @CRLF)
ConsoleWrite($sAD_HostServer & @CRLF)
ConsoleWrite($sAD_Configuration & @CRLF)
_AD_Close()

Edited March 27, 2011 by water

[kor]

Yes, I have verified the information is correct by running your test. What I am typing in is exactly what the consolewrite's spit out.

when running your debug msgbox from a Server 2008 R2 VM not connected to the domain I get

error: 0, @extended: 0

EDIT: sorry, I missed your $iAD_debug = 2 on the XP machine. Here is the debug info from adding that var and running the test again.

Edited March 27, 2011 by kor

[water]

Mmm ...

Are there any limitations regarding site, IP-adress, login-time or whatever on the domain controller you specified?

[kor]

Mmm ...

Are there any limitations regarding site, IP-adress, login-time or whatever on the domain controller you specified?

None that I am aware of. I've tried opening a connection even with the "domain" Administrator account and get the same errors.

[water]

If you try your script (with all 5 parameters) from a PC that is a member of the domain, does it run?

[water]

From the screenshots you provided I see that you run an "old" version (0.42) that had a bug in _AD_Open using Password Encryption and SSL.

Couldy ou please download the latest and greatest version 0.43 and test again?

[kor]

If you try your script (with all 5 parameters) from a PC that is a member of the domain, does it run?

sort of.

If I run it from an XP machine already on the domain I still Get the first error box

However I get an error: 0, @extended: 0

And the group OU's display.

EDIT

From the screenshots you provided I see that you run an "old" version (0.42) that had a bug in _AD_Open using Password Encryption and SSL.

Couldy ou please download the latest and greatest version 0.43 and test again?

HAHA!! That fixed it!

Yes, I encrypt all traffic between clients and domain controllers and run certificate services so maybe that was the problem. Thank you so much!

Edited March 27, 2011 by kor

[water]

Glad the problem could be solved!

Version 0.43 has an additional parameter to activate security:

;               $fAD_Security - Optional: Specifies the security settings to be used. Can be a combination of the following:
;               |0: No security settings are used
;               |1: Sets the connection property "Encrypt Password" to True to encrypt userid and password
;               |2: The channel is encrypted using Secure Sockets Layer (SSL). AD requires that the Certificate Server be installed to support SSL

[kor]

Do I need to define that variable? What is the default?

[water]

Do I need to define that variable? What is the default?

Default = 0 = no additional security. No encryption is used and all LDAP queries are sent to port 389.

If you want to use LDAP/SSL please read the remarks in _AD_Open.

Unfortunately I don't fully understand when to encrypt userid/password. Neither M$ nor google gave me useful information when and how to use.

[kor]

@water, just as an FYI. I've noticed that the AD_CreateComputer function does not work as expected. It might be my combination of XP with a 2008R2 domain, not sure.

But when creating a computer (even when using ADOpen with domain admin credentials) I get a return code of 4 from the function, but a return code of 0 from active directory.

The computer is indeed created, but return 1 for success isn't given.

I've also noticed that if the AD user does not have permission to create objects in AD, I get the same return code 4 with a return 0 from AD... but the account isn't created.

so it looks like I can't trust the return code from the createcomputer function. I'll have to workaround it by doing a ObjectExist check after CreateComputer.

[water]

Please check the remarks:

By default, any authenticated user can create up to 10 computer accounts in the domain (see: http://technet.microsoft.com/en-us/library/cc780195(WS.10).aspx)

To create the Access Control List you need further permissions. If this permission is missing you might be able to add the computer to the domain but the function will exit with failure and the ACL is not set.

So every user can add up to 10 computers to a domain but not every user can change the access permissions - that's what the return code tells.

I don't know which return code you get if you try to add 11 computer accounts to the domain.

Edit:

A detailed description can be found here - last post: http://social.technet.microsoft.com/Foru...ead/0b95e29c-0140-43d1-9804-b2

Edit 2:

If you want to make sure that a user has the required permissions before calling _AD_CreateComputer you can use _AD_HasRequiredRights to check the users permissions.

Edited June 7, 2011 by water

[zac]

fair warning that I am new to autoit so probably don't use correct programming language.

I want to

1. enumerate all groups in an OU

then for each of those groups

2. enumerate the groups said group is a member of

3. carry out an action against each group

I have tried what I think is creating nested array but it fails after the initial round of step 3.

#notrayicon
#include <adfunctions.au3>
#include <file.au3>
#include <array.au3>

$OU = "ou=Yellow,ou=Groups,dc=net,dc=local"
Dim $var
Dim $var2

_ADGetObjectsInOU($var, $ou)
ConsoleWrite("--- Found " & $var[0] & " groups to process" & @CRLF)

;alphabetically sort array
    _ArraySort( $var ,0,2 )

For $i = 2 to $var[0] step 1; start at 2 to avoid blank
    ;do stuff against each
        ;get group group membership
            _ADGetGroupMemberOf($var2, _ADSamAccountNameToFQDN($var[$i]))
;           _ArrayDisplay($var2)
            ConsoleWrite("----- found: " & $var2[0] & " groups" & @CRLF)
        ;do stuff against each
            For $d = 1 to $var2[0]
                ConsoleWrite("------ check:" & $var2[$d] & @CRLF)
            Next
;       _ArrayDisplay($var)
Next

output:

>Running:(3.3.6.1):C:\Program Files\AutoIt3\autoit3.exe "C:\Support\Scripts\test.au3"

--- Found 237 groups to process

----- found: 6 groups

-- check:CN=DB07Group,OU=Servers,OU=Groups,DC=net,DC=local

------ check:CN=PrimaryGroup,OU=UserTypes,OU=Groups,DC=net,DC=local

------ check:CN=CommsGroup,OU=Applications,OU=Groups,DC=net,DC=local

------ check:CN=NoGroup,OU=UserTypes,OU=Groups,DC=net,DC=local

------ check:CN=DCUsers,OU=Groups,DC=net,DC=local

------ check:CN=PLCGroup,OU=UserTypes,OU=Groups,DC=net,DC=local

C:\Program Files\AutoIt3\Include\adfunctions.au3 (755) : ==> Object referenced outside a "With" statement.:

$membersadd = $objRecordSet.fields(0).Value

$membersadd = $objRecordSet.fields(0)^ ERROR

->18:12:45 AutoIT3.exe ended.rc:1

>Exit code: 1 Time: 1.871

I expect it to loop through 2/3 237 times?