Active Directory UDF - Help & Support

water · December 7, 2012

Unfortunately I'm not very firm with AD permissions. I searched the web but couldn't find anything useful.

If the user is able to set the password of another user by using ADUC then it should work with function _AD_SetPassword as well. The function doesn't do anything special.

bartekd · December 7, 2012

We have set permissions to reset password and change password. I am able to reset the password using Active Directory Users and Computers, but when I use the tool, it shows the error 2147352567

water · December 7, 2012

Just to make sure:

You delegated the permission to reset the password of users to user A. You are logged in as user A when you run the AutoIt script.

You call _AD_SetPassword("B", "newpassword") to set the password for user B?

bartekd · December 7, 2012

User = A

Person resetting = B

UserB was delegated to reset the password to a OU that UserA is in. When UserB tries to reset the password for UserA, I get the error. I am logged in as UserB, trying to reset UserA

Works using Active Directory Users and Computers, doesn't work with the script.

water · December 7, 2012

I have absolutely no idea what ADUC does under the covers. Function _AD_SetPassword only sets the password, nothing more.

You can only give UserB all possible permissions, remove one by one and run your script to change the password. As soon as the script crashes you know that the last removed permission was the one needed.

bartekd · December 7, 2012

OK Ill see if I can find what the access is that is needed. If anyone else comes accross this, and knows what rights are needed, please reply in this thread.

Thanks for the help today Water.

nigthlord · December 11, 2012

Hi!

First of all I would like to thank water for the great work. I am using the outlook UDF aswell I am happy with it! :king:

Ok, now Iam trying to write a "small" script using the AD udf. This script should retrieve all groupds a user is memeber of. Therefore I am using the _AD_RecursiveGetMemberOf function whicih is doing its job quite well as long as a user just have grous from one domain.

Unfortunately I have a lot of users who are member in different groups in at least two domains. As a result I just get back groups from the domain the user is created in but I miss the other ones.

Does anybody know how to retrieve all groups from a forrest a user is memeber of.

Thanks a lot!

water · December 11, 2012

Connect to the Global Catalog and run the query again.

How to connect to a GC is described in the wiki.

nigthlord · December 11, 2012

Hey!

Many thanks for your fast reply.

Unfortunately I can get it to work properly. I connected to GC via port 3268(also tried it via 3269 and SSL enabled) but the result was the same as before when I connected to "normal" DC; so it just showed me groups from the domain I belong to.

I determined GC like decribed here. However I tried the _AD_ListDomainControllers function aswell but I got an error but $aDCs = _AD_ListDomainControllers("",true) gives me the following errror.

--> Press Ctrl+Alt+F5 to Restart or Ctrl+Break to Stop
COM Error Encountered in adplayaround.au3
AD UDF version = 1.3.0
@AutoItVersion = 3.3.8.1
@AutoItX64 = 0
@Compiled = 0
@OSArch = X86
@OSVersion = WIN_7
Scriptline = 4376
NumberHex = 8007203A
Number = -2147016646
WinDescription = Der Server ist nicht funktionstüchtig.
Description =
Source =
HelpFile =
HelpContext = 1936278560
LastDllError = 0
========================================================
C:\Program Files\AutoIt3\Include\ad.au3 (1392) : ==> Error in exp[b][/b]ression.:
Local $sAD_DsServiceDN = $oAD_DCRootDSE.Get("dsServiceName")
Local $sAD_DsServiceDN = ^ ERROR
->15:19:49 AutoIT3.exe ended.rc:1
>Exit code: 1    Time: 80.985

Running $aDCs = _AD_ListDomainControllers() works though and lists available DCs as expected.

Any ideas?

Thanks =)

water · December 11, 2012

What do you get when you run this script?

#AutoIt3Wrapper_AU3Check_Parameters= -d -w 1 -w 2 -w 3 -w 4 -w 5 -w 6
#AutoIt3Wrapper_AU3Check_Stop_OnWarning=Y
#include <AD.au3>

; Open Connection to the Active Directory
_AD_Open()
If @error Then Exit MsgBox(16, "Active Directory Example Skript", "Function _AD_Open encountered a problem. @error = " & @error & ", @extended = " & @extended)

; *****************************************************************************
; Example 4
; Get a list of all Domain Controllers inlcuding Global Catalogs
; *****************************************************************************
$aDC = _AD_ListDomainControllers(False, True)
If @error <> 0 Then
MsgBox(16, "Active Directory Functions - Example 4 - All Domain Controllers including Global Catalogs", "No DCs found!")
Else
_ArrayDisplay($aDC, "Active Directory Functions - Example 4 - All Domain Controllers, distinguished name, DNS host name, and the site name")
EndIf

; Close Connection to the Active Directory
_AD_Close()

Column 6 shows "True" for all Global Catalogs.

nigthlord · December 11, 2012

This is what I get

params:-d -w 1 -w 2 -w 3 -w 4 -w 5 -w 6 from:C:Program FilesAutoIt3
Q:autoitADadtry.au3(13,46) : WARNING: $aDC possibly not declared/created yet
$aDC = _AD_ListDomainControllers(False, True)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^
Q:autoitADadtry.au3 - 0 error(s), 1 warning(s)
->15:59:16 AU3Check ended. Press F4 to jump to next error.rc:1

When I delete

#AutoIt3Wrapper_AU3Check_Parameters= -d -w 1 -w 2 -w 3 -w 4 -w 5 -w 6
#AutoIt3Wrapper_AU3Check_Stop_OnWarning=Y

I get

--> Press Ctrl+Alt+F5 to Restart or Ctrl+Break to Stop
COM Error Encountered in adtry.au3
AD UDF version = 1.3.0
@AutoItVersion = 3.3.8.1
@AutoItX64 = 0
@Compiled = 0
@OSArch = X86
@OSVersion = WIN_7
Scriptline = 4376
NumberHex = 8007203A
Number = -2147016646
WinDescription = Der Server ist nicht funktionstüchtig.
Description =
Source =
HelpFile =
HelpContext = 1936278560
LastDllError = 0
========================================================
C:\Program Files\AutoIt3\Include\AD.au3 (1392) : ==> Error in exp[b][/b]ression.:
Local $sAD_DsServiceDN = $oAD_DCRootDSE.Get("dsServiceName")
Local $sAD_DsServiceDN = ^ ERROR

Setting both parameter to "false" works lists DCs.

I am not an Domain admin in case this ld be necessary for this.

PS: please ignore first part of my reply ... ;/

Edited December 11, 2012 by nigthlord

water · December 11, 2012

Looks like one of the DCs isn't operation at the moment. The script doesn't handle this situation correctly and crashes.

But you got one GC as described in the MSDN article. Can you post the call to _AD_Open to connect to this GC?

nigthlord · December 11, 2012

Hey! The DCs are online and working but for some reason I get those strange results!

I tried to connect to GC aswell but I get unexpected results aswell.

Sometimes I get 121 groups sometimes 17(for the same domain)! 121 would be ok for domain 1 but I am also member of ~70 groups in domain two.

I tried with 7 different DCs which should have GC aswell.

With dsget I get the correct result!

Confused I am

water · December 11, 2012

The AD UDF has rarely been used in a multidomain environment. So it's quite possible that there are still some bugs in the UDF :unsure:

Can you post the line where you call _AD_Open to connect to the GC?

water · December 11, 2012

Forget what I posted before!

You can only query the membership within a domain. _AD_Open takes the domain name you pass or the domain you are currently logged on to.

So you can only get a list of all Domain Controllers, retrieve the domains and connect to each of them to query the group membership.

AD-guru Richard L. Mueller does something similar here.

tarankov · December 12, 2012

Greetings!

I've encountered an error. I have written creating AD computer account

script. Running script on domain computer has positive results.

when running it on non-domain computer the account created but script

dies with following error:

========================================================

OM Error Encountered in JoinDomain.au3

AD UDF version = 1.3.0

@AutoItVersion = 3.3.8.1

@AutoItX64 = 0

@Compiled = 0

@OSArch = X64

@OSVersion = WIN_7

Scriptline = 2430

NumberHex = 80020009

Number = -2147352567

WinDescription = Идентификатор безопасности имеет неверную структуру.

Description =

Source =

HelpFile =

HelpContext = 0

LastDllError = 0

========================================================

Running the same script. Computers' operating systems are equal

Source:

Func create_pc($sComputer)
$sOU = 'OU=Факультет психологии,OU=СПбГУ,DC=ad,DC=pu,DC=ru'
$sUser = 'admins_psy'

local $status = False

; Create a new computer account
Global $iValue = _AD_CreateComputer($sOU, $sComputer, $sUser)
If $iValue = 1 Then
;MsgBox(64, "Active Directory Functions - Example 1", "Computer '" & $sComputer & "' in OU '" & $sOU & "' successfully created")
$status = True
ElseIf @error = 1 Then
;MsgBox(64, "Active Directory Functions - Example 1", "OU '" & $sOU & "' does not exist")
ElseIf @error = 2 Then
;MsgBox(64, "Active Directory Functions - Example 1", "Computer '" & $sComputer & "' already exists")
ElseIf @error = 3 Then
;MsgBox(64, "Active Directory Functions - Example 1", "User/group '" & $sOU & "' does not exist")
Else
;MsgBox(64, "Active Directory Functions - Example 1", "Return code '" & @error & "' from Active Directory")
EndIf
Return $status
EndFunc

Edited December 12, 2012 by tarankov

water · December 12, 2012

Can you please translate the

WinDescription = Идентификатор безопасности имеет неверную структуру.

to English? NumberHex unfortunately is a generic error and so doesn't tell me much.

tarankov · December 12, 2012

Can you please translate the
WinDescription = Идентификатор безопасности имеет неверную структуру.
to English? NumberHex unfortunately is a generic error and so doesn't tell me much.

Security identifier has improper structure.

water · December 12, 2012

Function _AD_CreateComputer does create the computer account and then sets a lot of permissions. Hier is the respective part of the function docu:

; Remarks .......: By default, any authenticated user can create up to 10 computer accounts in the domain (machine account quota).
;                 (see: http://technet.microsoft.com/en-us/library/cc780195(WS.10).aspx)
;                 To create the Access Control List you need certain permissions. If this permissions are missing you might be able to add the
;                 computer to the domain but the function will exit with failure and the ACL is not set.
;+
;                 Creating a computer object in AD does not permit a user to join a computer to the domain.
;                 Certain permissions have to be granted so that the user has rights to modify the computer object.
;                 When you create a computer account using the ADUC snap-in you have the option to select a
;                 user or group to manage the computer object and join a computer to the domain using that object.
;+
;                 When you use that method, the following access control entries (ACEs) are added to the
;                 access control list (ACL) of the computer object:
;                 * List Contents, Read All Properties, Delete, Delete Subtree, Read Permissions, All
;                   Extended Rights (i.e., Allowed to Authenticate, Change Password, Send As, Receive As, Reset Password)
;                 * Write Property for description
;                 * Write Property for sAMAccountName
;                 * Write Property for displayName
;                 * Write Property for Logon Information
;                 * Write Property for Account Restrictions
;                 * Validate write to DNS host name
;                 * Validated write for service principal name

So it looks like the user who calls _AD_CreateComputer doesn't have the proper permissions to set permissions for the computer account.

There was a similar discussion some time ago on the GH&S thread for Active Directrory.

I hope I can find this thread. I will post the link if I'm successfull.

tarankov · December 12, 2012

So it looks like the user who calls _AD_CreateComputer doesn't have the proper permissions to set permissions for the computer account.
There was a similar discussion some time ago on the GH&S thread for Active Directrory.

It's impossible. I call function _AD_Open() as the same user. I create computer account successfully from domain computer and on non-domain I get an error. Using the domain admin account for testing excludes abscence of any permissions.

Edited December 12, 2012 by tarankov

Active Directory UDF - Help & Support

Recommended Posts

Link to comment

Share on other sites

Top Posters In This Topic

Top Posters In This Topic

Popular Posts

water

Posted Images

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Recently Browsing 0 members