Active Directory UDF - Help & Support (II)

[CoolDude69]

By reducing the number of calls to _AD_* functions.

Get a list of all computers with description="*Primary*" with the name of the manager. Then compare this list to the list of users.

Can't test at the moment but will provide an example tomorrow.

Great, thank you very much.

Here's what I've got so far:

#include  <AD.au3>
_AD_Open()
$AD_User = _AD_GetObjectAttribute(@UserName, "managedObjects")
If IsArray($AD_User) Then
For $i = 1 To UBound($AD_User) - 1
$AssetP = StringRegExpReplace(StringReplace($AD_User[$i], 'CN=', ''), "(,.*)", "")
$IsPrimary = _AD_GetObjectsInOU("", "(&(objectclass=computer)(sAMAccountName=" & $AssetP & "*)(description=*Primary*))", 2, "sAMAccountName,description")
For $x = 1 To UBound($IsPrimary) - 1
$Primary = $AssetP
Next
Next
Else
$Primary = StringRegExpReplace(StringReplace($AD_User, 'CN=', ''), "(,.*)", "")
EndIf

ConsoleWrite($Primary & @CR)

$Other = ''
If IsArray($AD_User) Then
$Other = '"'
For $i = 1 To UBound($AD_User) - 1
$Asset = StringRegExpReplace(StringReplace($AD_User[$i], 'CN=', ''), "(,.*)", "")
$NotPrimary = _AD_GetObjectsInOU("", "(&(objectclass=computer)(sAMAccountName=" & $Asset & "$)(!(description=*Primary*)))", 2, "sAMAccountName,description")
For $x = 1 To UBound($NotPrimary) - 1
$Other &= $Asset & @LF
Next
Next
$Other = StringTrimRight($Other, 1) & '"'
EndIf
ConsoleWrite($Other & @CR)
_AD_CLose()

[chaoticyeshua]

Water,

Sorry to bring this up again. I started testing my script in WinPE and I ran into another problem. It looks like _AD_HasRequiredRights (and therefore _AD_HasRequiredRights__GivenMembers, too) isn't working properly in WinPE, unfortunately... I've done a bit of testing as to why and here's what I've come up with:

It looks like the problem is on this line...

$aAD_TrusteeArray = StringSplit($oAD_ACE.Trustee, "\")

_ArrayDisplay($aAD_TrusteeArray) outputs the SID of the trustees instead of the actual name, but only from within WinPE. Do you know why this is?

Edited February 28, 2013 by chaoticyeshua

[blumi]

blumi,

add a dollar sign to the computer name (samaccountname):

$test = _AD_IsMemberOf("Computers", @ComputerName & "$")

$test = _AD_IsMemberOf("Workstations", @ComputerName & "$")

MsgBox(0, "", "@error: " & @error & ", @extended: " & @extended)

@error: 1

@extended: 0

Edited March 1, 2013 by blumi

[water]

Blumi,

does it work when you specify the FQDN?

$test = _AD_IsMemberOf("OU=Workstations,DC=emi,DC=fhg,DC=de", @ComputerName & "$")
MsgBox(0, "", "@error: " & @error & ", @extended: " & @extended)

[blumi]

Blumi,

does it work when you specify the FQDN?

$test = _AD_IsMemberOf("OU=Workstations,DC=emi,DC=fhg,DC=de", @ComputerName & "$")
MsgBox(0, "", "@error: " & @error & ", @extended: " & @extended)

This seems to work better.

error: 0

@extended: 0

[water]

That's fine. @error = 1 tells you that the specified group doesn't exist. This means that the samaccountname of the group isn't "Workstations".

[blumi]

That's fine. @error = 1 tells you that the specified group doesn't exist. This means that the samaccountname of the group isn't "Workstations".

I will do some tests with the FQDN, thanks for the help.

[water]

chaoticyeshua,

not the faintest idea. I don't know much about permissions in AD and even less about WinPE.

Sorry I can't help you with this

[water]

Blumi,

Glad to be of service

[chaoticyeshua]

Water,

Since each user/group refers back to a SID anyway, wouldn't it stand to reason that if I convert the username and group names that the user is a member of to their SID, that the rest of it should work normally? It's worth a shot at least. Do you know how I could find the SID of the given user/group?

[water]

Sure. The SID is a property of a user/group. Use function _AD_GetObjectAttribute (undecoded value) or function _AD_GetObjectProperties (decoded value).

Or function _Security__GetAccountSid to retrieve the SID of a user and _Security__SidToStringSid to decode a SID.

[chaoticyeshua]

Thanks for the suggestions, water! I think I may have gotten it working using that method, but more testing is in order when I have some time.

[water]

Sounds good! Will be glad to add the function to the UDF.

[blumi]

I am confused.

Did some tests, all works fine now. When I try to use the code in another script I get an error message.

Error. Variable must be of type "Object".

$dummy = _AD_IsMemberOf($ou, @ComputerName & "$")

If (@error = 0) Then
MsgBox(64, $ScriptName, "Computer " & @ComputerName & " ist in der OU Workstations", 3)
EndIf

If (@error = 1) Then
MsgBox(16, $ScriptName, "Computer " & @ComputerName & " ist NICHT in der OU Workstations")
EndIf

[water]

Most of the time this means that you missed to call _AD_Open.

[blumi]

Most of the time this means that you missed to call _AD_Open.

Thanks again, now it works fine.

I have to do more scripting... ;-)

[water]

I wished all problems would be so easy to solve!

[chaoticyeshua]

Just FYI, Water, running _AD_CreateComputer in WinPE creates the computer object like it's supposed to, but then returns 0 and sets @Error to -2147352567 (invalid permissions).

I assume this is for the same reason _AD_HasRequiredRights doesn't work right... it grabs the user/group account SID instead of the name for permission comparison. So I am instead creating the object then checking if it exists as a workaround.

Edited March 5, 2013 by chaoticyeshua

[water]

Function _AD_CreateComputer does two things: Create the computer account (looks like this alwqys seems to work) and sets permissions on the computer object (this often returns an error - missing permissions).

The user account that creates the computer account needs to have permissions to modify the computer object. Simple users can add up to 10 computers to an OU without having the permission to modify the object - then it crashes.

Unfortunately I don't know how WinPE behaves.

But it's good to have it as a reference for other users!

[chaoticyeshua]

Water,

I'm using my credentials to create the computer object in an OU that I have full permission on. It accurately gives the username specified in the $sAD_User field (user or group that will be allowed to add the computer to the domain; gives read, allowed to authenticate, change password, etc. to that user), and I am allowed to modify the description of the object using _AD_ModifyAttribute using the same credentials in the same session (in this case, mine). So it is working as it should be but returns the error in WinPE (and only WinPE), so I'm not sure why.

Regardless, maybe I'm missing a driver or something needed for this to work right in WinPE... I added everything that was mentioned in another post about getting this to work in WinPE:

1. Copy the following files from a Windows 7 x86 to the same directory as ADSIx86.inf

adsldp.dll

adsmsext.dll

adsnt.dll

mscoree.dll

mscorier.dll

mscories.dll

2. Mount boot.wim

3. Add the driver using:

dism /image:d:mount /add-driver /driver:.ADSIx86.inf /forceunsigned

4. Using DISM, add support for the following FPs

winpe-hta.cab

winpe-mdac.cab

winpe-scripting.cab

winpe-wmi.cab

5. Using DISM, commit/unmount