Active Directory UDF - Help & Support

[water]

I'm discussing a similar problem with another user

Could you please fill in the required information in the variables at the top of the script and run it?

So we have a stripped down script that reproduces the error.

[Syed23]

Hi Water,

Greeting! i just have one query on retriving the detail for either machine id or user id from the AD. like i wanted to retrive the detail that who created the user id or the machine id? is that possible to do with our AD function? Please help me!

[water]

Hi Syed,

as far as I know you can't tell from a computer or user account who created this account. Best bet is to extract the owner from the ACL.

More detail can be found here or even better here.

Edited February 13, 2012 by water

[water]

Hi Syed,

a quick and dirty solution to get the owner of an object:

#include <ad.au3>
_AD_Open()
$strComputerDN = "CN=xxxx,OU=Computer_Accounts,DC=microsoft,DC=com"
$objComputer = ObjGet("LDAP://" & $strComputerDN)
$objSecurityDescriptor = $objComputer.Get("ntSecurityDescriptor")
ConsoleWrite($objSecurityDescriptor.Owner & @CRLF)
_AD_Close()
Exit

If you like I can implement such a function in the UDF.

Details can be found here.

[water]

Just for the records.

The owner of an object can already be retrieved by using

_AD_GetObjectproperties($object, "nTSecurityDescriptor")

You will get something like

Control:35844, Group:domain\groupname, Owner:domain\groupname, Revision:1

[sublimnl]

Hi, first of all, thanks for the awesome UDF - its been a real godsend for me! I am having trouble with _AD_SetGroupManagerCanModify. I am able to successfully create a new group, and add a manager, but when I try to set this property I get the error code -2147352567. I believe this is a problem with access rights, but as I just created the group and assigned a manager on the preceding lines this makes no sense. Any ideas?

Here is a snippet of my code. Everything else is successful except the last line. Thanks!

_AD_CreateGroup("OU=Security,DC=domain,DC=local",$projnum & "_" & $suffix)
_AD_ModifyAttribute("CN=" & $projnum & "_" & $suffix& ",OU=Security,DC=domain,DC=local","info", $PM,2)
_AD_ModifyAttribute("CN=" & $projnum & "_" & $suffix& ",OU=Security,DC=domain,DC=local","description", $projname,2)
_AD_GroupAssignManager("CN=" & $projnum & "_" & $suffix& ",OU=Security,DC=domain,DC=local", "CN=" & $projnum & "_PAS,OU=Security,DC=domain,DC=local")
_AD_SetGroupManagerCanModify("CN=" & $projnum & "_" & $suffix & ",OU=Security,DC=domain,DC=local")

[water]

What do you get if you add some error handling to the script?

$iAD_Debug = 2
_AD_SetGroupManagerCanModify("CN=" & $projnum & "_" & $suffix & ",OU=Security,DC=domain,DC=local")
ConsoleWrite(@error & "-" & @extended & @CRLF)

[sublimnl]

Thanks for the reply. I get this:

---------------------------

Active Directory Functions - Debug Info

---------------------------

COM Error Encountered in NewProjectSetup.au3

AD UDF version = 1.2.0

Scriptline = 3438

NumberHex = 80020009

Number = -2147352567

WinDescription = A constraint violation occurred.

Description = A constraint violation occurred.

Source = Active Directory

HelpFile =

HelpContext = 0

LastDllError = 0

---------------------------

OK

---------------------------

...and in the Console: -2147352567-0

[water]

Ok this seems to be somewhere deep in function _AD_SetGroupManagerCanModify.

This is one of the functions where I only "beautified" the code of the original author - Johnathan Clelland - and never used it myself. That's because I only have read access to our AD.

And I fear the function is seldom used.

I will post a function with lot of error checking so we can see what's going on in a few days.

Maybe this is still true?

I will check if we can reduce the needed permissions.

Edited March 7, 2012 by water

[sublimnl]

Thanks. I looked at the link and that should not be the case here. Since I am creating the objects I am already the owner of the object,

[water]

Could you please add this function to your script and call _AD_SetGroupManagerCanModifyEX?

Func _AD_SetGroupManagerCanModifyEX($sAD_Group)

    If _AD_ObjectExists($sAD_Group) = 0 Then Return SetError(1, 0, 0)
    If StringMid($sAD_Group, 3, 1) <> "=" Then $sAD_Group = _AD_SamAccountNameToFQDN($sAD_Group) ; sAMAccountName provided
    If _AD_GroupManagerCanModify($sAD_Group) = 1 Then Return SetError(2, 0, 0)
    Local $oAD_Group = _AD_ObjGet("LDAP://" & $sAD_HostServer & "/" & $sAD_Group)
    Local $sAD_ManagedBy = $oAD_Group.Get("managedBy")
ConsoleWrite("$sAD_ManagedBy: " & $sAD_ManagedBy & @CRLF)
    If $sAD_ManagedBy = "" Then Return SetError(3, 0, 0)
    Local $oAD_User = _AD_ObjGet("LDAP://" & $sAD_HostServer & "/" & $sAD_ManagedBy)
    Local $aAD_UserFQDN = StringSplit($sAD_ManagedBy, "DC=", 1)
ConsoleWrite("$aAD_UserFQDN: " & $aAD_UserFQDN & @CRLF)
    Local $sAD_Domain = StringTrimRight($aAD_UserFQDN[2], 1)
ConsoleWrite("$sAD_Domain: " & $sAD_Domain & @CRLF)
    Local $sAD_SamAccountName = $oAD_User.Get("sAMAccountName")
ConsoleWrite("$sAD_SamAccountName: " & $sAD_SamAccountName & @CRLF)
    Local $oAD_SD = $oAD_Group.Get("ntSecurityDescriptor")
    $oAD_SD.Owner = $sAD_Domain & "\" & @UserName
    Local $oAD_DACL = $oAD_SD.DiscretionaryAcl
    Local $oAD_ACE = ObjCreate("AccessControlEntry")
    $oAD_ACE.Trustee = $sAD_Domain & "\" & $sAD_SamAccountName
    $oAD_ACE.AccessMask = $ADS_RIGHT_DS_WRITE_PROP
    $oAD_ACE.AceFlags = 0
    $oAD_ACE.AceType = $ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
    $oAD_ACE.Flags = $ADS_FLAG_OBJECT_TYPE_PRESENT
    $oAD_ACE.ObjectType = $SELF_MEMBERSHIP
    $oAD_DACL.AddAce($oAD_ACE)
    $oAD_SD.DiscretionaryAcl = _AD_ReorderACE($oAD_DACL)
    $oAD_Group.Put("ntSecurityDescriptor", $oAD_SD)
    $oAD_Group.SetInfo
    If @error <> 0 Then Return SetError(@error, 0, 0)
    Return 1

EndFunc   ;==>_AD_SetGroupManagerCanModify

[sublimnl]

Thanks. I have done this and I get the following popup:

---------------------------

Active Directory Functions - Debug Info

---------------------------

COM Error Encountered in NewProjectSetup.au3

AD UDF version = 1.2.0

Scriptline = 507

NumberHex = 80020009

Number = -2147352567

WinDescription = A constraint violation occurred.

Description = A constraint violation occurred.

Source = Active Directory

HelpFile =

HelpContext = 0

LastDllError = 0

---------------------------

OK

---------------------------

Script Line 507 is the following: "$oAD_Group.SetInfo"

I also get the following in the console:

$sAD_ManagedBy: CN=408024-44444_PAS,OU=security,DC=domain,DC=local

$aAD_UserFQDN:

$sAD_Domain: DOMAINNAME

$sAD_SamAccountName: 408024-44444_PAS

[water]

Doesn't look bad so far.

I wonder why the line number changed from 3438 to 507?

[water]

Could you please change line

$oAD_SD.DiscretionaryAcl = _AD_ReorderACE($oAD_DACL)

to

$oAD_SD.DiscretionaryAcl = $oAD_DACL

and give it a try? Reordering of the ACE is no longer needed for AD > Windows 2000.

[sublimnl]

OK I will give that a shot when I get back home. Line number changed since I just pasted that function into my script, instead of into ad.au3.

[water]

OK I will give that a shot when I get back home. Line number changed since I just pasted that function into my script, instead of into ad.au3.

But you need at least a few other functions of the UDF (_AD_Open, _AD_SamAccountNameToFQDN, _AD_ReorderACE ...) so if you inlcude the whole UDF line number 507 seems to be a bit low.

[sublimnl]

I still include your full udf at the top of my script via an include line. since you renamed the function I just pasted that as another function in my script and updated my call to use the updated function. Even if I did paste your new function into the full udf the line numbers may not have matched since I might not have placed it exactly where you did in ad.au3.

[sublimnl]

I made the change you suggested and still have the same error.

[water]

S...t!

What version of Windows DC do you connect to? Windows 2000, 2003, 2008?

[water]

Another try: Can you please connect as Domain Admin and try again?