Active Directory UDF - Help & Support

water · July 12, 2012

Unfortunately the AD UDF is a "one domain at a time" library. So you have to do it this way:

_AD_Open(...) ; Connect to domain A
_AD_RecursiveGetMemberOf($computers1)
_AD_Close()
_AD_Open(...) ; Connect to domain B
_AD_RecursiveGetMemberOf($computers1)
_AD_Close()

Or if you want to do read only operations you can access the Global Catalog. Edited July 12, 2012 by water

water · July 12, 2012

How to connect to the Global Catalog using the AD UDF is described in the Wiki.

Cyri · July 13, 2012

Would it make sense to add

If IsObj($__oAD_Connection) Then $__oAD_Connection.Close() ; Close Connection

to the _AD_Close() function? The script gives a hard error if _AD_Open() isn't called first. Sounds dumb but I put _AD_Close() into a generic exit function for object cleanup and my script may bail before _AD_Open() has been called.

water · July 13, 2012

Why not do it yourself?

If IsObj($__oAD_Connection) Then _AD_Close()

Makes more sense.

Cyri · July 13, 2012

Good point. I just thought it would make more sense to have that in the UDF since that's what creates the object in the first place. No big deal.

water · July 13, 2012

The UDF is designed to work properly when used properly.

Handling every possible user error would slow down processing significantly for every user.

jp10558 · July 27, 2012

Is there a way to get a list of all users in Domain Users via the UDF? Using your basic example of

$aMemberOf = _AD_GetGroupMembers("Domain Users")

only returns 3 memebers for me, whereas using ADUC shows hundreds ... I'm not sure what I'm doing wrong...

water · July 27, 2012

You are not doing anything wrong. It's AD that works different when it comes to "Domain Users".This is (usually) the primary group of the user. You can't find the members of the primary group by querying the group. You have to query the users for the primary group id.Use _AD_GetObjectsInOU and the following LDAP query:

"(&(objectCategory=person)(objectClass=user)(primaryGroupID=513))"

For details check this article.

Edited July 27, 2012 by water

water · July 27, 2012

The 3 members you get returned when you run _AD_GetGroupMembers("Domain Users") tell you that they have set a different primary group. Use function _AD_GetUserPrimaryGroup to check the primary group of these users.

OwenWatson · July 29, 2012

Just wondering: are there any functions in the UDF that aren't in the dsquery/dsmod etc commandline tool?

water · July 29, 2012

Can't tell you because I don't know. This UDF is based on the adfunctions UDF written by Jonathan Clelland and has been extended over the years with functions user needed.

So I would ask the other way round: Are there any functions you need missing in the UDF?

OwenWatson · July 30, 2012

Not sure. I'd done a bit of work with the ds* suite a while ago, and was about to do a bit more and noticed your stuff. Can it configure much on the Exchange side of AD, if that's not a contradiction?

water · July 30, 2012

It depends on the Exchange version you run.

You can just set a few properties of a user in AD and then let RUS (Recipient Update Service) create the mailbox. Or you use function _AD_CreateMailbox.

Check this to see which solution works depending on the Exchange version.

jp10558 · July 30, 2012

Thanks, that works. Is there a function to set a generic AD property?

water · July 30, 2012

Use function _AD_ModifyAttribute.

jp10558 · July 31, 2012

Ok, maybe I'm not understanding LDAP much, but now I'm trying to query a string attribute under uid in AD like so:

$user = _AD_GetObjectsInOU("","(&(objectCategory=person)(objectClass=user)(uid="&$x&"))")

but this doesn't work.

I've also tested just using $user = _AD_GetObjectsInOU("","(&(objectCategory=person)(objectClass=user)(uid=string))") which also doesn't return. I've verified in ADSI edit that uid attribute exists and has an entry that matches the value I'm attempting to match...

$user = _AD_GetObjectsInOU("","(&(objectCategory=person)(objectClass=user)(uid="&$x&"))")

water · July 31, 2012

Some questions:

What's the value of @error after you call the AD function?

As you search for a user why don't you pass the samaccountname or another attribute?

jp10558 · July 31, 2012

@error = 0. I don't know the samaccountname so that's why I'm using this search.

water · July 31, 2012

What do you mean by "uid"? I checked all properties of my user account and there is no property named "uid"?

Run the _AD_GetObjectProperties.au3 example script. The first displayed array shows all properties of the current user. Which one do you want to search for?

jp10558 · July 31, 2012

Hmmm, interesting - so it doesn't see everything ADSI Edit does. A similar attribute that I could use, uidNumber does show up in the example script I tested with, but when I do

$user = _AD_GetObjectsInOU("","(&(objectCategory=person)(objectClass=user)(uidNumber=1994))")

I get a blank return. @error is still 0.

Active Directory UDF - Help & Support

Recommended Posts

Link to comment

Share on other sites

Top Posters In This Topic

Top Posters In This Topic

Popular Posts

water

Posted Images

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Recently Browsing 0 members