CoolDude69 Posted February 28, 2013

> By reducing the number of calls to _AD_* functions. Get a list of all computers with description="*Primary*" with the name of the manager. Then compare this list to the list of users. Can't test at the moment but will provide an example tomorrow.

Great, thank you very much. Here's what I've got so far:

    #include <AD.au3>

    _AD_Open()
    $Primary = '' ; initialized so the ConsoleWrite below works when no match is found
    $AD_User = _AD_GetObjectAttribute(@UserName, "managedObjects")
    If IsArray($AD_User) Then
        For $i = 1 To UBound($AD_User) - 1
            $AssetP = StringRegExpReplace(StringReplace($AD_User[$i], 'CN=', ''), "(,.*)", "")
            $IsPrimary = _AD_GetObjectsInOU("", "(&(objectclass=computer)(sAMAccountName=" & $AssetP & "*)(description=*Primary*))", 2, "sAMAccountName,description")
            For $x = 1 To UBound($IsPrimary) - 1
                $Primary = $AssetP
            Next
        Next
    Else
        $Primary = StringRegExpReplace(StringReplace($AD_User, 'CN=', ''), "(,.*)", "")
    EndIf
    ConsoleWrite($Primary & @CR)

    $Other = ''
    If IsArray($AD_User) Then
        $Other = '"'
        For $i = 1 To UBound($AD_User) - 1
            $Asset = StringRegExpReplace(StringReplace($AD_User[$i], 'CN=', ''), "(,.*)", "")
            $NotPrimary = _AD_GetObjectsInOU("", "(&(objectclass=computer)(sAMAccountName=" & $Asset & "$)(!(description=*Primary*)))", 2, "sAMAccountName,description")
            For $x = 1 To UBound($NotPrimary) - 1
                $Other &= $Asset & @LF
            Next
        Next
        $Other = StringTrimRight($Other, 1) & '"'
    EndIf
    ConsoleWrite($Other & @CR)
    _AD_Close()
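
Added example, not part of the original posts and not code from the AD UDF: the "fewer _AD_* calls" idea from the quote above, for a single user. It asks AD once for every computer whose managedBy points at the user and sorts the result by description locally; `_EscapeLdapFilter` is a hypothetical helper, and the example assumes the UDF returns description as a plain string.

```autoit
#include <AD.au3>

; Hypothetical helper (not part of AD.au3): escape a value before it is
; concatenated into an LDAP filter (RFC 4515), so that characters such as
; "(" or "*" in a DN cannot change the meaning of the filter.
Func _EscapeLdapFilter($sValue)
    $sValue = StringReplace($sValue, "\", "\5c") ; backslash first
    $sValue = StringReplace($sValue, "*", "\2a")
    $sValue = StringReplace($sValue, "(", "\28")
    $sValue = StringReplace($sValue, ")", "\29")
    Return $sValue
EndFunc

_AD_Open()
If @error Then Exit 1

; managedBy on the computer is the forward link behind the user's
; managedObjects attribute, so one search replaces the per-object queries.
Local $sUserDN = _AD_SamAccountNameToFQDN(@UserName)
Local $sFilter = "(&(objectCategory=computer)(managedBy=" & _EscapeLdapFilter($sUserDN) & "))"
Local $aComputers = _AD_GetObjectsInOU("", $sFilter, 2, "sAMAccountName,description")
Local $iError = @error ; save before any other call resets it

Local $sPrimary = "", $sOther = "", $sName = ""
If $iError = 0 And IsArray($aComputers) Then
    ; Row 0 holds the counters; column 0 = sAMAccountName, column 1 = description
    For $i = 1 To UBound($aComputers) - 1
        $sName = StringTrimRight($aComputers[$i][0], 1) ; drop the trailing "$"
        If StringInStr($aComputers[$i][1], "Primary") Then
            $sPrimary = $sName
        Else
            $sOther &= $sName & @LF
        EndIf
    Next
EndIf

ConsoleWrite("Primary: " & $sPrimary & @CRLF)
ConsoleWrite("Other: " & StringStripWS($sOther, 2) & @CRLF)
_AD_Close()
```
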
chaoticyeshua Posted February 28, 2013

Water,

Sorry to bring this up again. I started testing my script in WinPE and I ran into another problem. It looks like _AD_HasRequiredRights (and therefore _AD_HasRequiredRights__GivenMembers, too) isn't working properly in WinPE, unfortunately... I've done a bit of testing as to why and here's what I've come up with:

It looks like the problem is on this line...

    $aAD_TrusteeArray = StringSplit($oAD_ACE.Trustee, "\")

_ArrayDisplay($aAD_TrusteeArray) outputs the SID of the trustees instead of the actual name, but only from within WinPE. Do you know why this is?

Edited February 28, 2013 by chaoticyeshua
blumi Posted March 1, 2013

> blumi, add a dollar sign to the computer name (samaccountname):
>
>     $test = _AD_IsMemberOf("Computers", @ComputerName & "$")

    $test = _AD_IsMemberOf("Workstations", @ComputerName & "$")
    MsgBox(0, "", "@error: " & @error & ", @extended: " & @extended)

@error: 1 @extended: 0

Edited March 1, 2013 by blumi
water (Author) Posted March 1, 2013

Blumi, does it work when you specify the FQDN?

    $test = _AD_IsMemberOf("OU=Workstations,DC=emi,DC=fhg,DC=de", @ComputerName & "$")
    MsgBox(0, "", "@error: " & @error & ", @extended: " & @extended)

My UDFs and Tutorials: Spoiler UDFs: Active Directory (NEW 2024-07-28 - Version 1.6.3.0) - Download - General Help & Support - Example Scripts - Wiki ExcelChart (2017-07-21 - Version 0.4.0.1) - Download - General Help & Support - Example Scripts OutlookEX (2021-11-16 - Version 1.7.0.0) - Download - General Help & Support - Example Scripts - Wiki OutlookEX_GUI (2021-04-13 - Version 1.4.0.0) - Download Outlook Tools (2019-07-22 - Version 0.6.0.0) - Download - General Help & Support - Wiki PowerPoint (2021-08-31 - Version 1.5.0.0) - Download - General Help & Support - Example Scripts - Wiki Task Scheduler (2022-07-28 - Version 1.6.0.1) - Download - General Help & Support - Wiki Standard UDFs: Excel - Example Scripts - Wiki Word - Wiki Tutorials: ADO - Wiki WebDriver - Wiki
blumi Posted March 1, 2013

> Blumi, does it work when you specify the FQDN?
>
>     $test = _AD_IsMemberOf("OU=Workstations,DC=emi,DC=fhg,DC=de", @ComputerName & "$")
>     MsgBox(0, "", "@error: " & @error & ", @extended: " & @extended)

This seems to work better.

@error: 0 @extended: 0
water (Author) Posted March 1, 2013

That's fine. @error = 1 tells you that the specified group doesn't exist. This means that the samaccountname of the group isn't "Workstations".
blumi Posted March 1, 2013

> That's fine. @error = 1 tells you that the specified group doesn't exist. This means that the samaccountname of the group isn't "Workstations".

I will do some tests with the FQDN, thanks for the help.
water (Author) Posted March 1, 2013

chaoticyeshua, not the faintest idea. I don't know much about permissions in AD and even less about WinPE. Sorry I can't help you with this.
water (Author) Posted March 1, 2013

Blumi, glad to be of service.
chaoticyeshua Posted March 1, 2013

Water,

Since each user/group refers back to a SID anyway, wouldn't it stand to reason that if I convert the username and group names that the user is a member of to their SID, that the rest of it should work normally? It's worth a shot at least. Do you know how I could find the SID of the given user/group?
water (Author) Posted March 1, 2013

Sure. The SID is a property of a user/group. Use function _AD_GetObjectAttribute (undecoded value) or function _AD_GetObjectProperties (decoded value). Or function _Security__GetAccountSid to retrieve the SID of a user and _Security__SidToStringSid to decode a SID.
chaoticyeshua Posted March 1, 2013

Thanks for the suggestions, water! I think I may have gotten it working using that method, but more testing is in order when I have some time.
water (Author) Posted March 2, 2013

Sounds good! Will be glad to add the function to the UDF.
blumi Posted March 4, 2013

I am confused. Did some tests, all works fine now. When I try to use the code in another script I get an error message:

Error. Variable must be of type "Object".

    $dummy = _AD_IsMemberOf($ou, @ComputerName & "$")
    If (@error = 0) Then
        MsgBox(64, $ScriptName, "Computer " & @ComputerName & " ist in der OU Workstations", 3)
    EndIf
    If (@error = 1) Then
        MsgBox(16, $ScriptName, "Computer " & @ComputerName & " ist NICHT in der OU Workstations")
    EndIf
water (Author) Posted March 4, 2013

Most of the time this means that you missed to call _AD_Open.
blumi Posted March 4, 2013

> Most of the time this means that you missed to call _AD_Open.

Thanks again, now it works fine. I have to do more scripting... ;-)
water (Author) Posted March 4, 2013

I wish all problems were so easy to solve!
chaoticyeshua Posted March 5, 2013

Just FYI, Water, running _AD_CreateComputer in WinPE creates the computer object like it's supposed to, but then returns 0 and sets @Error to -2147352567 (invalid permissions). I assume this is for the same reason _AD_HasRequiredRights doesn't work right... it grabs the user/group account SID instead of the name for permission comparison. So I am instead creating the object then checking if it exists as a workaround.

Edited March 5, 2013 by chaoticyeshua
water (Author) Posted March 5, 2013

Function _AD_CreateComputer does two things: it creates the computer account (looks like this always seems to work) and sets permissions on the computer object (this often returns an error - missing permissions). The user account that creates the computer account needs to have permissions to modify the computer object. Simple users can add up to 10 computers to an OU without having the permission to modify the object - then it crashes. Unfortunately I don't know how WinPE behaves. But it's good to have it as a reference for other users!
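
Added example, not from the original posts or the AD UDF: the create-then-check-existence workaround described above, with a pre-check so that an object that already existed is not mistaken for one this run created. `_CreateComputerVerified` is a hypothetical wrapper, and the OU, computer and user names are constructed placeholders.

```autoit
#include <AD.au3>

; Hypothetical wrapper, not part of AD.au3.
; Returns 1 = created without error
;         2 = object exists now, but _AD_CreateComputer reported an error
;             (its @error value is passed back in @extended)
;         0 = not created (@error = -1: name already existed before the call,
;             otherwise the @error value set by _AD_CreateComputer)
Func _CreateComputerVerified($sOU, $sComputer, $sUser)
    ; Pre-check: without it, "exists afterwards" would also be true for an
    ; account that somebody else staged earlier under the same name.
    If _AD_ObjectExists($sComputer & "$") Then Return SetError(-1, 0, 0)

    Local $iResult = _AD_CreateComputer($sOU, $sComputer, $sUser)
    Local $iError = @error ; save immediately, the next call resets @error
    If $iResult = 1 Then Return SetError(0, 0, 1)

    ; The UDF reported failure: check whether the account was created anyway
    If _AD_ObjectExists($sComputer & "$") Then Return SetError(0, $iError, 2)
    Return SetError($iError, 0, 0)
EndFunc

; Constructed sample values
Local $sOU = "OU=Workstations,DC=example,DC=com"
Local $sComputer = "PC-TEST01"
Local $sJoinUser = "joinaccount"

_AD_Open()
If @error Then Exit 1

Local $iState = _CreateComputerVerified($sOU, $sComputer, $sJoinUser)
Local $iErr = @error, $iExt = @extended
Switch $iState
    Case 1
        ConsoleWrite($sComputer & " created." & @CRLF)
    Case 2
        ; The permission step may not have completed: do not report plain success
        ConsoleWrite($sComputer & " exists, but _AD_CreateComputer returned @error " & $iExt & ". Review the permissions on the object." & @CRLF)
    Case Else
        ConsoleWrite($sComputer & " not created, @error = " & $iErr & @CRLF)
EndSwitch
_AD_Close()
```
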
chaoticyeshua Posted March 5, 2013

Water,

I'm using my credentials to create the computer object in an OU that I have full permission on. It accurately gives the username specified in the $sAD_User field (user or group that will be allowed to add the computer to the domain; gives read, allowed to authenticate, change password, etc. to that user), and I am allowed to modify the description of the object using _AD_ModifyAttribute using the same credentials in the same session (in this case, mine). So it is working as it should be but returns the error in WinPE (and only WinPE), so I'm not sure why.

Regardless, maybe I'm missing a driver or something needed for this to work right in WinPE... I added everything that was mentioned in another post about getting this to work in WinPE:

1. Copy the following files from a Windows 7 x86 to the same directory as ADSIx86.inf
   adsldp.dll
   adsmsext.dll
   adsnt.dll
   mscoree.dll
   mscorier.dll
   mscories.dll
2. Mount boot.wim
3. Add the driver using:
   dism /image:d:mount /add-driver /driver:.ADSIx86.inf /forceunsigned
4. Using DISM, add support for the following FPs
   winpe-hta.cab
   winpe-mdac.cab
   winpe-scripting.cab
   winpe-wmi.cab
5. Using DISM, commit/unmount