Active Directory UDF - Help & Support (II)

[water]

[water]

Speleologist,

I tried it at home (Windows 7 client and Resara as AD server) and get the same error.

I investigate the problem right now.

[Speleologist]

Thanks Water, Much appreciated.

[water]

Think I found the problem. Add "#RequireAdmin" at the top of your script. I then got @extended = 1004 (ERROR_INVALID_FLAGS). I had to change

Local $NETSETUP_ACCT_DELETE = 4

in function _AD_UnJoinDomain to

Local $NETSETUP_ACCT_DELETE = 0

Please let me know if it works for you.

[Speleologist]

Hi Water,

That seems to be the issue. Unjoined the domain a treat, and it's probably put me on the right track for the Join Domain script for joining the new domain. I'll be having a look at that one in the morning, and hopefully all will be good..

Thanks very much for your help

[water]

I will add this to the documentation of _AD_UnJoinDomain and will modify the example script.

Based on your results _AD_JoinDomain will be modified too.

Good luck!

[Speleologist]

Hi Water,

I think we may be there with the _AD_JoinDomain, but I can't be sure because of a problem with that appears to relate to _AD_Open. I will try to explain.

My finished script needs to run on the local machine that will join the domain. At the time it will be in a workgroup after successfully being unjoined from the old domain. The script will be run by the logged in user, which will be the local administrator account. Here is the script exactly as I am testing, but with the variables containing sensitive information redacted.

expandcollapse popup

#RequireAdmin
#include 

Global $HighwaysDNSDomain = 'Redacted'
Global $HighwaysConfigurationNamingContext = 'Redacted'
Global $HighwaysDC = 'Redacted'
Global $HCCDNSDomain = 'Redacted'
Global $HCCConfigurationNamingContext = 'Redacted'
Global $HCCDC = 'Redacted'
Global $ADUser = 'Redacted'
Global $HCCADUser = 'Redacted'
Global $ADPassword = 'Redacted'
Global $Workgroup = 'Redacted'

_AD_ErrorNotify ( 3 , 'c:\highwaystest\AD_Debug.txt' )

HCCADAuthenticate()
HCCCreateComputer()
JoinHCCDomain()
_AD_Close()

Func HCCADAuthenticate()
If _AD_Open($ADUser, $ADPassword, $HCCDNSDomain , $HCCDC , $HCCConfigurationNamingContext ) Then
MsgBox(64, "Authenticate to HCC AD", "Logon was succcessful!" & @CRLF & @CRLF & "@error: " & @error)
ElseIf @error <= 8 Then
MsgBox(16, "Authenticate to HCC AD", "The logon was not succcessful!" & @CRLF & @CRLF & "@error: " & @error & ", @extended: " & @extended)
Else
MsgBox(16, "Authenticate to HCC AD", "The logon was not succcessful!" & @CRLF & @CRLF & "@error: " & @error & ", @extended: " & @extended & _
@CRLF & @CRLF & "Extended error information will be displayed")
Global $aError = _AD_GetLastADSIError()
_ArrayDisplay($aError)
EndIf
EndFunc ;==>HCCADAuthenticate

Func HCCCreateComputer()
If _AD_CreateComputer("OU=Unmanaged,DC=hertscc,DC=gov,DC=uk", @ComputerName, $ADUser) Then
MsgBox(64, 'Computer Object Creation', 'Computer account for ' & @ComputerName & ' was successfully created')
Else
MsgBox(16, 'Computer Object Creation', 'Failed to create computer account for ' & @ComputerName & @CRLF & @CRLF & @error & @CRLF & @CRLF & @extended )
EndIf

EndFunc ;==>HCCCreateComputer

Func JoinHCCDomain()
If _AD_JoinDomain(@ComputerName) Then
MsgBox(64, 'JoinDomain', 'Successfully joined ' & @ComputerName & ' to the HCC Domain')
Else
MsgBox(16, 'JoinDomain', 'Failed to join ' & @ComputerName & ' to the HCC Domain' & @CRLF & @CRLF & @error & @CRLF & @CRLF & @extended)
EndIf
EndFunc ;==>JoinHCCDomain

In this scenario, the _AD_Open returns a success, but subsequent functions all fail with error 1 and the 80020009 COM errors below:

2013.04.17 11:06:34

-------------------

COM Error Encountered in JoinDomain.exe

AD UDF version = 1.3.0

@AutoItVersion = 3.3.8.1

@AutoItX64 = 0

@Compiled = 1

@OSArch = X86

@OSVersion = WIN_XP

Scriptline = -1

NumberHex = 80020009

Number = -2147352567

WinDescription =

Description = Table does not exist.

Source = Provider

HelpFile =

HelpContext = 1240640

LastDllError = 0

========================================================

2013.04.17 11:06:36

-------------------

COM Error Encountered in JoinDomain.exe

AD UDF version = 1.3.0

@AutoItVersion = 3.3.8.1

@AutoItX64 = 0

@Compiled = 1

@OSArch = X86

@OSVersion = WIN_XP

Scriptline = -1

NumberHex = 80020009

Number = -2147352567

WinDescription =

Description = Table does not exist.

Source = Provider

HelpFile =

HelpContext = 1240640

LastDllError = 0

========================================================

I have run a slightly modified version of the script on my down workstation. IN this case the workstation is a member of the domain, and I am logged in to the Domain. I am still running _AD_Open as my $ADUser, but as we are already aware of the domain I am only specifying $sAD_UserIdParam and $sAD_PasswordParam. I also specify the name of the machine I want to join, rather than use @ComputerName. (See below)

expandcollapse popup

#RequireAdmin
#include <ad.au3>

Global $HighwaysDNSDomain = 'Redacted'
Global $HighwaysConfigurationNamingContext = 'Redacted'
Global $HighwaysDC = 'Redacted'
Global $HCCDNSDomain = 'Redacted'
Global $HCCConfigurationNamingContext = 'Redacted'
Global $HCCDC = 'Redacted'
Global $ADUser = 'Redacted'
Global $HCCADUser = 'Redacted'
Global $ADPassword = 'Redacted'
Global $Workgroup = 'Redacted'

_AD_ErrorNotify ( 3 , 'c:\highwaystest\AD_Debug.txt' )

HCCADAuthenticate()
HCCCreateComputer()
JoinHCCDomain()
_AD_Close()

Func HCCADAuthenticate()
    If _AD_Open($ADUser, $ADPassword ) Then
        MsgBox(64, "Authenticate to HCC AD", "Logon was succcessful!" & @CRLF & @CRLF & "@error: " & @error)
    ElseIf @error <= 8 Then
        MsgBox(16, "Authenticate to HCC AD", "The logon was not succcessful!" & @CRLF & @CRLF & "@error: " & @error & ", @extended: " & @extended)
    Else
        MsgBox(16, "Authenticate to HCC AD", "The logon was not succcessful!" & @CRLF & @CRLF & "@error: " & @error & ", @extended: " & @extended & _
                @CRLF & @CRLF & "Extended error information will be displayed")
        Global $aError = _AD_GetLastADSIError()
        _ArrayDisplay($aError)
    EndIf
EndFunc   ;==>HCCADAuthenticate

Func HCCCreateComputer()
    If _AD_CreateComputer("OU=Unmanaged,DC=hertscc,DC=gov,DC=uk", 'HCC039662', $ADUser) Then
        MsgBox(64, 'Computer Object Creation', 'Computer account for HCC039662 was successfully created')
    Else
        MsgBox(16, 'Computer Object Creation', 'Failed to create computer account for HCC039662' & @CRLF & @CRLF & @error & @CRLF & @CRLF & @extended )
    EndIf

EndFunc   ;==>HCCCreateComputer

Func JoinHCCDomain()
    If _AD_JoinDomain('HCC039662') Then
        MsgBox(64, 'JoinDomain', 'Successfully joined HCC039662 to the HCC Domain')
    Else
        MsgBox(16, 'JoinDomain', 'Failed to join HCC039662 to the HCC Domain' & @CRLF & @CRLF & @error & @CRLF & @CRLF & @extended)
    EndIf
EndFunc   ;==>JoinHCCDomain

In this scenario, _AD_CreateComputer works without errors and _AD_JoinDomain fails with an 80070005 error. I suspect this may simply be that the user has no access to the local machine that we are joining, and so may not matter if we can solve the _AD_Open issue. Here is the COM error output in case it is relevant:

2013.04.17 11:07:16

-------------------

COM Error Encountered in JoinTest.au3

AD UDF version = 1.3.0

@AutoItVersion = 3.3.8.1

@AutoItX64 = 0

@Compiled = 0

@OSArch = X86

@OSVersion = WIN_XP

Scriptline = 3606

NumberHex = 80070005

Number = -2147024891

WinDescription = Access is denied.

Description =

Source =

HelpFile =

HelpContext = 0

LastDllError = 0

========================================================

[water]

After UnJoining the computer from domain A didi you reboot the machine before trying to join ti domain B?

[Speleologist]

Yes!

[water]

OK, will need to test at home again. Will come back with the results.

[Speleologist]

Thanks Water, Much appreciated.

BTW, if I join the same machine to the domain using NETDOM.EXE and the same user it completes with no errors, but I don't really want to have to call an external RUNAS in the script!

[water]

I got it working here!

The following changes were needed:

• set #RequireAdmin
• Pass all parameters to _AD_Open to connect to the domain
• change function _AD_JoinDomain. Line

  Local $sAD_DomainName = StringReplace(StringReplace($sAD_DNSDomain, "DC=", ""), ",", ".")

  needs to become

  Local $aTemp = StringSplit(StringReplace($sAD_DNSDomain, "DC=", ""), ",")
  Local $sAD_DomainName = $aTemp[1]

Can you please test and report the results? Edited April 17, 2013 by water

[Speleologist]

Hi Water,

just tried that. I'm still getting exactly the same COM errors. Doesn't seem to work for me. I suppose it could be that I'm running on XP, so the #RequireAdmin behaviour will be a little different.

[water]

According to the help file #RequireAdmin works on Windows XP as well.

[water]

Line 3606 is

Local $oAD_Computer = ObjGet("winmgmts:{impersonationLevel=Impersonate}!\\" & $sAD_Computer & "\root\cimv2:Win32_ComputerSystem.Name='" & $sAD_Computer & "'")

I don't understand why you get a "permission denied" with this.

[Baraoic]

I have a question, is there a reason why _AD_GetObjectsInOU doesn't work for some account properties such as lastLogonTimestamp, but _AD_GetObjectProperties does?

[water]

Yes, there is. _AD_GetObjectsInOU returns the properties AS-IS. The properties you mention (plus many more) are encoded in different ways. Only _AD_GetObjectProperties decodes them into a readable format. _AD_GetObjectAttribute doesn't decode them as well.

[water]

Hi Water,

just tried that. I'm still getting exactly the same COM errors. Doesn't seem to work for me. I suppose it could be that I'm running on XP, so the #RequireAdmin behaviour will be a little different.

I just grabbed a version of XP and will install in a VirtualBox today. Let's see how it behaves on my home domain.

[Speleologist]

Thanks, Much appreciated.

[water]

I just joined the Windows XP machine to our domain! I used the domain admin name and password for _AD_Open and _AD_JoinDomain.