Active Directory UDF - Help & Support

[water]

For documentation purpose:

To use the AD UDF with Windows PE a guy who asked on the german forum had to do the following:

I had to add the following to the WIN-PE.WIM:

1. Dism.exe /image:c:\winpe_x86\mount /add-driver /driver:.\ADSI_X86\ADSIx86.inf /forceunsigned

2. Dism /image:C:\winpe_x86\mount /Add-Package /PackagePath:.\PETools\x86\WinPE_FPs\winpe-hta.cab

Dism /image:C:\winpe_x86\mount /Add-Package /PackagePath:.\PETools\x86\WinPE_FPs\winpe-mdac.cab

Some more details can be found here.

HTH

Water

[gcue]

does _AD_IsMemberOf support checking for nested sub groups?

if not, is there a way you can recommend doing it?

thanks for such a great UDF and all the work you've put into this.

Edited July 14, 2011 by gcue

[water]

No.

_AD_IsMemberOf "Returns 1 if the object (user, group, computer) is an immediate member of the group."

But you can recursively query the groups the user is a member of using _AD_RecursiveGetMemberOf and check if the group in question is contained in the result.

[gcue]

i used your example

; Open Connection to the Active Directory
_AD_Open()

; Returns a recursively searched list of groups the currently logged on user is a member of
Global $aUser = _AD_RecursiveGetMemberOf(@UserName, 10, 1)
If @error > 0 Then
    MsgBox(64, "Active Directory Functions - Example 1", "User '" & @UserName & "' has not been assigned to any group")
Else
    ; For groups that are inherited, the return is the FQDN of the group or user, and the FQDN(s) of the group(s) it
    ; was inherited from, seperated by '|'
    _ArrayDisplay($aUser, "Active Directory Functions - Example 1 - Group names user '" & @UserName & "' is a member of")
EndIf

; Close Connection to the Active Directory
_AD_Close()

and after some time i am getting this error, any ideas?

U:\scripts\#Tech#\Dashboard\AD.au3 (1005) : ==> Recursion level has been exceeded - AutoIt will quit to prevent stack overflow.:

If _AD_ObjectExists($sAD_Object) = 0 Then Return SetError(1, 0, "")

Edited July 14, 2011 by gcue

[water]

What version of the UDF do you use? Line 1005 is in the middle of a comments block in the most current version 1.0.0.

[gcue]

sorry i just updated it. still getting the same error

U:\scripts\#Tech#\Dashboard\AD.au3 (1054) : ==> Recursion level has been exceeded - AutoIt will quit to prevent stack overflow.:

If _AD_ObjectExists($sAD_Object) = 0 Then Return SetError(1, 0, "")

Edited July 14, 2011 by gcue

[water]

There might be a loop in your group membership definitions. Let's say group A is a member of group B which is a member of group A. The loop is closed and function _AD_RecursiveGetMemberOf loops and loops and loops because it doesn't correctly check the nesting level (default = 10).

As a quick and dirty solution could you please insert the following line as the first statement in function_AD_RecursiveGetMemberOf and post the results?

Local $aAD_Nested[1] = [0]
If $iAD_Depth = 0 then return $aAD_Nested

[gcue]

that worked! =)

thanks for the quick solution.

Edited July 14, 2011 by gcue

[water]

I will check the solution and update the UDF to remove the bug.

[gcue]

cool thanks again.

[water]

Added a new script to the Example Script thread. Lets you display the OUs in your AD as a TreeView.

Edited July 18, 2011 by water

[gr1fter]

Hello,

What I am looking to do is query all the SubOus of a container. Is _AD_GetObjectsInOU the function im looking for? Most of the examples I see are for user info, I only want to get organizationalUnit list of SubOUs on a given container. Can someone help me out in the right direction?

Thanks,

EDIT: I apologize, I did not see _AD_GetAllOUs. I was able to get what I needed. Thanks,

Edited July 19, 2011 by gr1fter

[water]

I just added a new example script in the Active Directy Example Scripts thread (for download please see my signature).

This lets you display the OU hierarchy in a TreeView.

[gr1fter]

water or anyone

is it possible to exclude the root directory from the _AD_GetAllOUs array?

example script:

[__CODE_PROTECTED]PGJyIC8+CjxiciAvPgo7IE9wZW4gQ29ubmVjdGlvbiB0byB0aGUgQWN0aXZlIERpcmVjdG9yeTxiciAvPgpfQURfT3BlbigpPGJyIC8+CjxiciAvPgpHbG9iYWwgJiMwMzY7c3VPVT0gJnF1b3Q7b3U9Y29tcHV0ZXJzLG91PWRlc3NlcnQsZGM9ZWFzdCxkYz1taWNyb3NvZnQsZGM9Y29tJnF1b3Q7PGJyIC8+Ckdsb2JhbCAmIzAzNjtpSW5kZXg8YnIgLz4KR2xvYmFsICYjMDM2O2FkT1UgPSBfQURfR2V0QWxsT1VzKCYjMDM2O3N1T1UpPGJyIC8+CklmIEBlcnJvciAmZ3Q7IDAgVGhlbjxiciAvPgoJTXNnQm94KDY0LCAmcXVvdDtBY3RpdmUgRGlyZWN0b3J5IEZ1bmN0aW9ucyAtIEV4YW1wbGUgMSZxdW90OywgJnF1b3Q7Tm8gT1VzIGNvdWxkIGJlIGZvdW5kJnF1b3Q7KTxiciAvPgpFbHNlPGJyIC8+CjxiciAvPgoJRm9yICYjMDM2O2lJbmRleCA9IDEgVG8gJiMwMzY7YWRPVVswXVswXTxiciAvPgoJCSYjMDM2O3NPVSA9ICYjMDM2O2FkT1VbJiMwMzY7aUluZGV4XVsxXTxiciAvPgoJCSYjMDM2O3N0cnZhbCA9IFN0cmluZ1JlZ0V4cCgmIzAzNjtzT1UsICZxdW90Oyg/VSkoPzpPVT0pKC4rKSg/OiwpJnF1b3Q7LCAzKTxiciAvPgoJCSYjMDM2O3N1Ym91ID0gJiMwMzY7c3RydmFsWzJdICZhbXA7ICZxdW90OyYjMDkyOyZxdW90OyAmYW1wOyAmIzAzNjtzdHJ2YWxbMV0gJmFtcDsgJnF1b3Q7JiMwOTI7JnF1b3Q7ICZhbXA7ICYjMDM2O3N0cnZhbFswXTxiciAvPgoJCU1zZ0JveCAoNDgsJnF1b3Q7JnF1b3Q7LCYjMDM2O3N1Ym91KTxiciAvPgoJTmV4dDxiciAvPgo8YnIgLz4KRW5kSWY8YnIgLz4KPGJyIC8+CjsgQ2xvc2UgQ29ubmVjdGlvbiB0byB0aGUgQWN0aXZlIERpcmVjdG9yeTxiciAvPgpfQURfQ2xvc2UoKXM=[/__CODE_PROTECTED]

If i cycle through the message boxes, i dont want the first one to be shown which is the root. Thanks,

[BlackHoleSun]

How to check a sub-domain for the computer info?

The way the domain I'm on is setup, the user accounts are on the main level domain (sub.domain.com) and the computers are in a sub-domain of that (sub2.sub.domain.com). When I run _AD_GetObjectProperties(), I get the user account info fine, but the computer gives an error of 1, and doesn't return anything. Any ideas on how to switch to the sub-domain? I've tried the FQDN of "computer$.sub2.sub.domain.com" already.

[water]

If you specify the computername as SamAccountName you have to append a dollar sign.

$aProperties = _AD_GetObjectProperties(@Computername & "$", "..properties...")

Edited July 19, 2011 by water

[BlackHoleSun]

If you specify the computername as SamAccountName you have to append a dollar sign.

$aProperties = _AD_GetObjectProperties(@Computername & "$", "..properties...")

I was doing it with the dollar sign, and didn't have any luck.

[water]

The Active Directory can only connect to one domain at a time.

So if your computers are in a different domain you can either:

• Close the connection to domain sub.domain.com using _AD_Close() and then connect to domain sub2.sub.domain.comspecifying the necessary parameters for _AD_Open
• Connect to the global catalog (GC). So you can query all properties that are replicated to the global catalog. The GC is read-only.

BTW:

I've tried the FQDN of "computer$.sub2.sub.domain.com" already.

This is not a valid FQDN.

Run the _AD_GetObjectProperties.au3 example script and see what you get in example 3 - properties for your computer. distinguishedName the FQDN of your computer.

Can you please post the code you use to query the computer properties?

[water]

@gr1fter

Your example crashes here with error:

H:\tools\AutoIt3\AD\AD_Test.au3 (17) : ==> Array variable has incorrect number of subscripts or subscript dimension range exceeded.:

$subou = $strval[2] & "\" & $strval[1] & "\" & $strval[0]

$subou = ^ ERROR

Can you post an example how the desired result should look like?

[BlackHoleSun]

The Active Directory can only connect to one domain at a time.

So if your computers are in a different domain you can either:

• Close the connection to domain sub.domain.com using _AD_Close() and then connect to domain sub2.sub.domain.comspecifying the necessary parameters for _AD_Open
• Connect to the global catalog (GC). So you can query all properties that are replicated to the global catalog. The GC is read-only.

BTW:

This is not a valid FQDN.

Run the _AD_GetObjectProperties.au3 example script and see what you get in example 3 - properties for your computer. distinguishedName the FQDN of your computer.

Can you please post the code you use to query the computer properties?

After some tweaking, I got it to work now. Below is my code, but why I wanted to do this, is I was looking at grabbing the description. For my test computer the description is 5th in the array, but it might not always be that way, so how can I have the message box show only the description field, instead of hard-coding 5 in it? I tried putting "description" in it, but it errors out. Any way to do that with out loops looking at what each value is?

Func _GetAD($stComp)
    _AD_Open()
    $SConfiguration = $sAD_Configuration
    _AD_Close()
    $SDNSDomain = "DC=sub2,DC=sub1,DC=domain,DC=com"
    $SHostServer = "server.sub2.sub1.domain.com"
    _AD_Open("", "", $SDNSDomain, $SHostServer, $SConfiguration)
    ConsoleWrite("Starting with the computer: '" & $stComp & "$" & "'" & @CRLF)
    $aProperties = _AD_GetObjectProperties($stComp & "$")
    If @error = 0 Then
        ConsoleWrite("Diplaying array" & @CRLF)
        _ArrayDisplay($aProperties, $stComp)
        MsgBox(0, "Description", $aProperties[5][2])
    Else
        ConsoleWrite("Error code: " & @error & @CRLF & "Extended: " & @extended & @CRLF)
    EndIf
    ConsoleWrite("Finished" & @CRLF)
    
    _AD_Close()
EndFunc   ;==> _GetAD