Active Directory UDF - Help & Support

[water]

Can you please post the _AD_Open statement?

[tarankov]

Can you please post the _AD_Open statement?

; Open Connection to the Active Directory
_AD_Open('admin','admin_password','DC=ad,DC=pu,DC=ru','dc.ad.pu.ru',"CN=Configuration,DC=ad,DC=pu,DC=ru")
If @error Then Exit MsgBox(16, "Active Directory Example Skript", "Function _AD_Open encountered a problem. @error = " & @error & ", @extended = " & @extended)

[tarankov]

Maybe I can provide additional information for analysis?

[water]

At the moment I have no idea what could be wrong - hence I don't know what to ask

[sonicgt]

I'm attempting to join a computer to a domain. Looking through the scripts in the udf it appears I have to first create the computer object using createcomputer then do the join. I am attempting to create a computer. Before I create my own script I'm just testing the demo script but changing the adopen command to open using specific credentials (domain admin)

I am a little confused as to what I need to enter for the example. I am entering the OU as OU=level1,OU=Level2,OU=Level3,DC=my,DC=domain,DC=com

then entering just a pc name as testpc1

and for the time being leaving the user/group blank, not sure if this is required.

I get an error stating my OU does not exist, when I know 100% it does. I even used the demo script of getallou's to copy the full OU structure from there.

I am not an AD guru so forgive me if I'm using the incorrect syntax.im used to thinking of FQDN as mydomain.me.com vs the whole OU= structure.

[Iceman682]

Hi Water

Any ideas why I would get "Unable to Join Computer to ....Domain. ErrorCode:5 Access is Denied" trying to join a machine to the domain?

Many thanks

Edited December 12, 2012 by Iceman682

[water]

sonicgt,

can you post your _AD_Open statement or even the whole script?

[water]

Iceman682,

can you post the value of @extended?

[tarankov]

Hi Water!

Have you any idea how to diagnose running of this function? We could solve the problem together. If you are interested I even consider the feasibility of remote connection to the problem workstation.

[water]

You could add

_AD_ErrorNotify(2)

at the top of your script so every error is displayed in a MsgBox.

[tarankov]

Messages now appears at msgBox, they was shown at console before. And won't get more detailed.

Colleagues from microsoft have an idea that it's nessesary to be authentificated to AD. May be some additional key on domain computer during connecton?

[water]

By running _AD_Open you connect to AD. Authentification is being done using the passed credentials or the credentials of the logged on Windows user.

[water]

Another idea:

_AD_Open allows to specify the userid in 3 different formats:

You now use

_AD_Open('admin','admin_password','DC=ad,DC=pu,DC=ru','dc.ad.pu.ru',"CN=Configuration,DC=ad,DC=pu,DC=ru")

Coult you please try (I assume the domain name is "PU"):

_AD_Open('pu\admin','admin_password','DC=ad,DC=pu,DC=ru','dc.ad.pu.ru',"CN=Configuration,DC=ad,DC=pu,DC=ru")

or even

_AD_Open('admin@pu.ru','admin_password','DC=ad,DC=pu,DC=ru','dc.ad.pu.ru',"CN=Configuration,DC=ad,DC=pu,DC=ru")

[nigthlord]

Hi!

Today I found some time to play with AD UDF again.

If I use _AD_Getusergroups instead of _ad_recursivegetmemberof I get back groups from both domains I am member of but of course some groups are missong as it does no recursion.

So does somebody has an idea why it wokrs with _AD_Getusergroups but not with _ad_recursivegetmemberof?

thanks

PS: @water - thanks a lot for your effort

Edited December 13, 2012 by nigthlord

[water]

I assume you connect to the Global Catalog and run both functions, right?

_AD_GetUserGroups queries the user and displays the content of the (multivalue) property "memberof".

A user is defined in every domain so the user you query can only return the membership of this domain.

_AD_RecursiveGetMemberOf queries all groups and lists all groups where the property "member" is equal to the given user account.

[nigthlord]

yes, I'm connecting to a GC.

A user is defined in every domain so the user you query can only return the membership of this domain.

not sure if I understood this right but I am not just getting results of the domain I am memberof or connected to but of every domain I am member in groups.

But wouldn't it be possible to do it vice versa? So to use _AD_GetUserGroups and to query membership for each received group? so a recursion the other way round?

[water]

_AD_GetUserGroups tells the GC: Give me user A from domain X (that's the domain information you gave in _AD_Open - explicit or implicit)

_AD_RecursiveGetMemberOf tells the GC: Give me a list of all groups

As the AD UDF was written to work with one domain at a time it will need some time and effort to make it multi domain aware (at least for the read operations).

As I'm quite busy at the moment this will not happen before end of January.

[tarankov]

Hi Water!

Those steps didn't worked. Please note, I didn't mention it before. Computer account appears in OU so object is created. Pehaps the problem emerges on rights granting phase

[water]

Hi tarankov,

You mentioned before (I think in your first post) that the account was created but then the function crashed.

We had a similar problem before and it was a problem of missing permissions.

Using ADUC the computer account could be created successfully, when created by _AD_Create Computer it crashed. The difference is that ADUC doesn't set the permissions.

What I don't get (at the moment):

• If you connect to the domain from a computer which is a domain member using the domain admin user - _AD_CreateComputer works
• If you connect to the domain from a computer which is NOT a domain member using the domain admin user - _AD_CreateComputer doesn't work

[water]

I found this VBS which lets you list the permissions of the trustees for teh computer object. Change line

strDistinguishedName = "CN=Computername,OU=???,DC=???,DC=???"

to the distinguishedname of the computer you created.

The list of permissions is created in C:\temp\Report.txt

expandcollapse popup

' DACL.vbs
' VBScript program to document object security.
'
' ----------------------------------------------------------------------
' Copyright (c) 2002-2010 Richard L. Mueller
' Hilltop Lab web site - http://www.rlmueller.net
' Version 1.0 - November 10, 2002
' Version 1.1 - February 19, 2003 - Standardize Hungarian notation.
' Version 1.2 - March 30, 2007 - Document owner of Security Descriptor.
' Version 1.3 - November 6, 2010 - No need to set objects to Nothing.
' Program enumerates the ACE's within an Active Directory ACL for a
' specified object. The DistinguishedName of the object is hardcoded in
' the program. The output is written to a text file.
' Based in part on a program (pg. 425-431) in the text "Windows NT/2000
' ADSI Scripting for System Administration", by Thomas Eck, MacMillan
' Technical Publishing, 2000.
'
' You have a royalty-free right to use, modify, reproduce, and
' distribute this script file in any way you find useful, provided that
' you agree that the copyright owner above has no warranty, obligations,
' or liability for such use.
Option Explicit
Dim objADObject, objACE, objDiscretionaryACL, objSecurityDescriptor
Dim strDistinguishedName, objFSO, objReport
' Define constants.
Const ADS_RIGHT_DELETE = &H10000
Const ADS_RIGHT_READ_CONTROL = &H20000
Const ADS_RIGHT_WRITE_DAC = &H40000
Const ADS_RIGHT_OWNER = &H80000
Const ADS_RIGHT_SYNCHRONIZE = &H100000
Const ADS_RIGHT_ACCESS_SYSTEM_SECURITY = &H1000000
Const ADS_RIGHT_GENERIC_READ = &H80000000
Const ADS_RIGHT_GENERIC_WRITE = &H40000000
Const ADS_RIGHT_GENERIC_EXECUTE = &H20000000
Const ADS_RIGHT_GENERIC_ALL = &H10000000
Const ADS_RIGHT_DS_CREATE_CHILD = &H1
Const ADS_RIGHT_DS_DELETE_CHILD = &H2
Const ADS_RIGHT_ACTRL_DS_LIST = &H4
Const ADS_RIGHT_DS_SELF = &H8
Const ADS_RIGHT_DS_READ_PROP = &H10
Const ADS_RIGHT_DS_WRITE_PROP = &H20
Const ADS_RIGHT_DS_DELETE_TREE = &H40
Const ADS_RIGHT_DS_LIST_OBJECT = &H80
Const ADS_RIGHT_DS_CONTROL_ACCESS = &H100
' Open output text file with append access.
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objReport = objFSO.OpenTextFile("c:\temp\Report.txt", _
8, True, 0)
' Specify Distinguished Name of object to be documented.
strDistinguishedName = "CN=Computername,OU=???,DC=???,DC=???"
' Bind to the object in Active Directory with the LDAP provider
Set objADObject = GetObject("LDAP://" & strDistinguishedName)
' Bind to the security objects.
Set objSecurityDescriptor = objADObject.Get("ntSecurityDescriptor")
Set objDiscretionaryACL = objSecurityDescriptor.discretionaryACL
' Write header information to the output file.
objReport.WriteLine "Active Directory Object: " & objADObject.Name
objReport.WriteLine "Security Descriptor Owner: " _
& objSecurityDescriptor.Owner
objReport.WriteLine "---------------------------"
' Enumerate each ACE in the DACL.
For Each objACE In objDiscretionaryACL
objReport.WriteLine "Trustee: " & objACE.Trustee
objReport.WriteLine "    AceFlags : " & objACE.AceFlags
objReport.WriteLine "    AceType : " & objACE.AceType
objReport.WriteLine "    Flags   : " & objACE.Flags
objReport.WriteLine "    ObjectType: " & objACE.objectType
objReport.WriteLine "    AccessMask: " & objACE.AccessMask
' Delete right.
' Grants the right to delete the object.
If ((objACE.AccessMask And ADS_RIGHT_DELETE) <> 0) Then
     Call ListRights(objACE, "ADS_RIGHT_DELETE")
End If
' Read Control right.
' Grants the right to read the object's security descriptor.
If ((objACE.AccessMask And ADS_RIGHT_READ_CONTROL) <> 0) Then
     Call ListRights(objACE, "ADS_RIGHT_READ_CONTROL")
End If
' Write DAC right.
' Grants the right to modify the descretionary access control list.
If ((objACE.AccessMask And ADS_RIGHT_WRITE_DAC) <> 0) Then
     Call ListRights(objACE, "ADS_RIGHT_WRITE_DAC")
End If
' Right owner.
' Grants the right to take ownership of the object.
If ((objACE.AccessMask And ADS_RIGHT_OWNER) <> 0) Then
     Call ListRights(objACE, "ADS_RIGHT_OWNER")
End If
' Synchronize right.
' Enables the object to be used for synchronization.
If ((objACE.AccessMask And ADS_RIGHT_SYNCHRONIZE) <> 0) Then
     Call ListRights(objACE, "ADS_RIGHT_SYNCHRONIZE")
End If
' Access System Security right.
' Grants the right to manipulate the object's SACL.
If ((objACE.AccessMask And ADS_RIGHT_ACCESS_SYSTEM_SECURITY) <> 0) Then
     Call ListRights(objACE, "ADS_RIGHT_ACCESS_SYSTEM_SECURITY")
End If
' Generic Read right.
' Grants the right to read the security descriptor, all properties, and
' any children of the object.
If ((objACE.AccessMask And ADS_RIGHT_GENERIC_READ) <> 0) Then
     Call ListRights(objACE, "ADS_RIGHT_GENERIC_READ")
End If
' Generic write right.
' Grants the right to write to the DACL and all properties, as well as
' to remove the object from the directory.
If ((objACE.AccessMask And ADS_RIGHT_GENERIC_WRITE) <> 0) Then
     Call ListRights(objACE, "ADS_RIGHT_GENERIC_WRITE")
End If
' Generic Execute right.
' Grants the ability to list the object's children.
If ((objACE.AccessMask And ADS_RIGHT_GENERIC_EXECUTE) <> 0) Then
     Call ListRights(objACE, "ADS_RIGHT_GENERIC_EXECUTE")
End If
' Generic All right.
' Grants the right to create or delete child objects and subtrees,
' read and write all properties, and add or remove the object.
If ((objACE.AccessMask And ADS_RIGHT_GENERIC_ALL) <> 0) Then
     Call ListRights(objACE, "ADS_RIGHT_GENERIC_ALL")
End If
' DS Create Child right.
' Grants the ability to create child objects.
' If ObjectType is set to the schemaIDGuid of an object class, the right
' is restricted to that object class.
If ((objACE.AccessMask And ADS_RIGHT_DS_CREATE_CHILD) <> 0) Then
     Call ListRights(objACE, "ADS_RIGHT_DS_CREATE_CHILD")
End If
' DS Delete Child right.
' Grants the ability to delete child objects.
' If ObjectType is set to the schemaIDGuid of an object class, the right
' is restricted to that object class.
If ((objACE.AccessMask And ADS_RIGHT_DS_DELETE_CHILD) <> 0) Then
     Call ListRights(objACE, "ADS_RIGHT_DS_DELETE_CHILD")
End If
' Access Control DS List right.
' Grants the ability to list all child objects.
If ((objACE.AccessMask And ADS_RIGHT_ACTRL_DS_LIST) <> 0) Then
     Call ListRights(objACE, "ADS_RIGHT_ACTRL_DS_LIST")
End If
' DS Self right.
' Grants the ability to list the object itself.
If ((objACE.AccessMask And ADS_RIGHT_DS_SELF) <> 0) Then
     Call ListRights(objACE, "ADS_RIGHT_DS_SELF")
End If
' DS Read Property right.
' Grants the ability to read object properties.
' If ObjectType is set to the GUID of a property or property set, the
' right is restricted to that property or property set.
If ((objACE.AccessMask And ADS_RIGHT_DS_READ_PROP) <> 0) Then
     Call ListRights(objACE, "ADS_RIGHT_DS_READ_PROP")
End If
' DS Write Property right.
' Grants the ability to write object properties.
' If ObjectType is set to the GUID of a property or property set, the
' right is restricted to that property or property set.
If ((objACE.AccessMask And ADS_RIGHT_DS_WRITE_PROP) <> 0) Then
     Call ListRights(objACE, "ADS_RIGHT_DS_WRITE_PROP")
End If
' DS Delete Tree right.
' Grants the ability to delete the object and all associated child
' objects.
If ((objACE.AccessMask And ADS_RIGHT_DS_DELETE_TREE) <> 0) Then
     Call ListRights(objACE, "ADS_RIGHT_DS_DELETE_TREE")
End If
' DS List Object right.
' Used to show or hide an object from user view.
If ((objACE.AccessMask And ADS_RIGHT_DS_LIST_OBJECT) <> 0) Then
     Call ListRights(objACE, "ADS_RIGHT_DS_LIST_OBJECT")
End If
' DS Control Access right.
' Grants the ability to to perform an operation restricted by an
' extended access right. Must specify a rights GUID identifying a
' controlAccessRight object in the Extended-Rights container in the
' configuration partition.
If ((objACE.AccessMask And ADS_RIGHT_DS_CONTROL_ACCESS) <> 0) Then
     Call ListRights(objACE, "ADS_RIGHT_DS_CONTROL_ACCESS")
End If
objReport.WriteLine ""
Next
' Clean up.
objReport.Close
Wscript.Echo "Done"
Sub ListRights(objACE_Item, strRight)
' Subroutine to document rights to text file.
' objReport is the output file object, with global scope.
If (objACE_Item.objectType = "") _
         And (objACE_Item.InheritedObjectType = "") Then
     objReport.WriteLine " " & strRight
Else
     If (objACE_Item.InheritedObjectType = "") Then
         objReport.WriteLine " " & strRight & " for SchemaIDGuid: " _
             & objACE_Item.objectType
     Else
         objReport.WriteLine " Inherited " & strRight _
             & " for SchemaIDGuid: " & objACE_Item.InheritedObjectType
     End If
End If
End Sub