Active Directory UDF - Help & Support

[Tjalve]

Hello Water and thank you for this outstanding UDF. Its really great.

I just have one question.

Im making a small program that will allow out users to modify the membership of the security groups that they own. So what i do is that i set the "manager" attibute of the group in AD to the specific user, and when he runs the program, he gets a list of groups that he currently is manager for. Form there he can delete and add new users to that group.

Evereything works perfectly for me. Its just that it wont work for the users. Since im domain-admin i have write-permission to all the groups. But for the users, the list is empty. So i changed the code a bit. First the program checks every group that the user is a member of. From there I use the _AD_HasGroupUpdateRights() on every group and then list every group for witch the condition is true. But yet again, works for me and the list is empty for the users.

So does that mean that even if i check the "manager can update mamber list" for the group in AD, he still doesnt get group update rights?

I tried just to type the simplest script.

_AD_HasGroupUpdateRights($groupname,$user) gives me 0 as result

_AD_HasGroupUpdateRights($groupname,$me) gives me 1 as result

Even if $user1 is manager of the group and the "update member list" is checked. Any Idees?

Thanks.

[water]

What's the value of @error when you get 0 as a result for a user?

[Tjalve]

@error is also 0

[water]

Haven't used those functions coping with permissions myself - nor did I write them.

So it will take some time to find the reason and will be a kind of question - answer - game between you and me.

First question: If a user, for which you get 0 returned by _AD_HasGroupUpdateRights, tries to add a user to the group does he get an error or does this work? So we know if the result by _AD_HasGroupUpdateRights is correct.

[Tjalve]

Sounds good.

First Answer:

I logged on to a PC using a dummy account that i have given "manager can change member list" permission to. I run the script and i got 0 and 0 again for that group. I then open ADUC and found the correct group. There i could add/remove users withaout any problems whatsoever.

[water]

I had another look at the UDF and I think you need to give function _AD_GroupManagerCanModify a try. This function should return the result you want.

[Tjalve]

I tied _AD_GroupManagerCanModify($groupname) and still got 0 as answer.

I checked the @error and i got 2 (The manager can not modify the member list). But clearly (as i tested above) the manager CAN modify the list.

Update: I tried the same thing using my domainadmin account and i still get 2. I guess it checks if the "manger can modify" checkbox. regardless of who is running the command.

Edited July 10, 2012 by Tjalve

[water]

I had a quick look at the functions and I got the impression that they might be buggy.

I need some more time to understand how they work and why they don't return the expected results.

I will come back when I have further questions or a solution.

[xterix]

Hello.

May this has been discuss previously but I didn't find it.

I've an issue renaming Ad object in my case Ad-groups, group is correctly renamed but the Pre-Windows 2000 name continues with the previous name.

Pls, do you know how to fix that? I've renamed several groups and doing that manully is a paintfull.

I use this code:

#include <ad.au3>
_Ad_Open()
$result=_AD_RenameObject($dom[$i], $New_Name)

Thank you

Edited July 11, 2012 by xterix

[water]

The function only renames the RDN (relative distinguished name) of the object. If you need to change other properties of the object you have to call _AD_ModifyAttribute.

[xterix]

The function only renames the RDN (relative distinguished name) of the object. If you need to change other properties of the object you have to call _AD_ModifyAttribute.

Thank you, I'm using _AD_ModifyAttribute to modify the "sAMAccountName"

Regards

[jazzyjeff]

Water,

I have this script and I am trying to read the properties of an AD account. It works for mine (Domain and Enterprise Admin), but for a Domain User it gets an array error, which I am attributing to the fact that it is not pulling anything into the variable/array.

I thought that it's perhaps that the Domain Users can't read AD the same way as I can, so I used the _AD_Open function with my credentials, but this still did not make a difference.

Do you have any idea what could be causing the _AD_GetObjectProperties function to not work for standard users?

Thanks,

#include<AD.au3>

_AD_Open()
$sid = _AD_GetObjectProperties(@UserName, "")
;If IsArray($sid) Then
For $i = 1 To $sid[0][0]
If $sid[$i][0] = "objectSID" Then
$objectSID = $sid[$i][1]
EndIf
Next
RegWrite("HKLM\Software\Application", "SID", "REG_SZ", $objectSID)
;EndIf
_ArrayDisplay($sid)
MsgBox(0,"",$objectSID)
;ConsoleWrite(@CR & @CR & $objectSID & @CR & @CR)
_AD_Close()

[water]

Can you please insert this line after the call to _AD_GetObjectProperties?

ConsoleWrite("Error: " & @error & ", IsArray: " & IsArray($sid) & @CRLF)

[jazzyjeff]

Thanks Water.

Error:1, IsArray: 0

This is what I return.

[water]

@error 1 means: Object not found.

What's the value of @Username?

Is there anything special with your AD environment (Read Only Domain Controllers etc.)?

[jazzyjeff]

I don't think there is anything special with our AD environment.

The username is an active account in AD, and the value was expected.

Should I put "Domain" & @username?

I have never had to do that before, but maybe it'll work... I guess I'll try it.

[water]

Domainusername won't work because the function only accepts SamAccountName or FQDN.

What version of the UDF do you use?

[jazzyjeff]

OK the DOmainUsername didn't work.

[jazzyjeff]

; UDF Version ...: 1.2.0

[water]

Then please add

$iAD_Debug = 2

before calling function _AD_GetObjectProperties.

If an error occurres you should get a MsgBox with debugging information.