Active Directory UDF - Help & Support (II)

[water]

What's the value of @error and @extended after _AD_GetObjectsInOU?

[TheBG]

question:

is there a way to use _AD_RecursiveGetMemberOf, _AD_IsMemberOf, or _AD_GetUserGroups to search only groups that start with a specific string?

ex.

I need to search AD by @username and return only AD groups that start with "Na-0000-Mon"  . I need to know if the user is a member of any group that starts with Na-0000-Mon

[water]

Try :

$sCN = _AD_SamAccountNameToFQDN(@Username)
$aResult = _AD_GetObjectsInOU("", "(&(objectClass=group)(name=Na-0000-Mon*)(member=" & $sCN & "))", 2, "samaccount")

Returns the samaccountnames of the groups starting with "Na-0000-Mon" where the current user is a member of.

[TheBG]

I'm getting a COM error in the console

#include <AD.au3>
#include <Array.au3>

_AD_Open()
$sCN = _AD_SamAccountNameToFQDN(@Username)
Global $aResult = _AD_GetObjectsInOU("", "(&(objectClass=group)(name=*-0000-Mon*)(member=" & $sCN & "))", 2, "samaccount")
_ArrayDisplay($aResult)
_AD_Close()

COM Error Encountered in example2.au3

AD UDF version = 1.3.0

@AutoItVersion = 3.3.8.1

@AutoItX64 = 0

@Compiled = 0

@OSArch = X64

@OSVersion = WIN_7

Scriptline = 1219

NumberHex = 80020009

Number = -2147352567

WinDescription = Unspecified error

Description = Unspecified error

Source = Provider

HelpFile = 

HelpContext = 1240640

LastDllError = 0

========================================================

+>09:19:55 AutoIT3.exe ended.rc:0

>Exit code: 0    Time: 2.219

[water]

My bad. Should be

Global $aResult = _AD_GetObjectsInOU("", "(&(objectClass=group)(name=*-0000-Mon*)(member=" & $sCN & "))", 2, "samaccountname")

[TheBG]

awesome! that works great!! thanks for your help

[water]

[TheBG]

  On 7/26/2013 at 2:49 PM, water said:

 

My bad. Should be

Global $aResult = _AD_GetObjectsInOU("", "(&(objectClass=group)(name=*-0000-Mon*)(member=" & $sCN & "))", 2, "samaccountname")

Is there a way to make this serach across multiple domains? we have 4 domains to search across

[TheBG]

  On 7/26/2013 at 10:19 PM, TheBG said:

Is there a way to make this serach across multiple domains? we have 4 domains to search across

nevermind, I figured it out!! :-) by using the _AD_Open() parameters

[water]

Did you have a look at the wiki? There you find some additional information about the AD UDF.

[TheBG]

  On 7/27/2013 at 7:55 AM, water said:

Did you have a look at the wiki? There you find some additional information about the AD UDF.

actually, I just looked at AD.au3 and got all the info I needed.

so now, Im trying to figure out something.

now, I need to get all security groups with *-0000-MonD-* and list the users/members

I seem to be at a loss on this one.

[water]

Try:

Global $aResult = _AD_GetObjectsInOU("", "(&(objectClass=group)(name=*-0000-MonD-*))", 2, "samaccountname,member")

Returns a 2D array with the samaccountname of the group in the first element and a list of FQDN member names separated by the pipe character (|) in the second element.

[TheBG]

  On 7/30/2013 at 3:19 PM, water said:

Try:

Global $aResult = _AD_GetObjectsInOU("", "(&(objectClass=group)(name=*-0000-MonD-*))", 2, "samaccountname,member")

Returns a 2D array with the samaccountname of the group in the first element and a list of FQDN member names separated by the pipe character (|) in the second element.

 

ok, this rocks... I have it going across all domains and pulling the AD groups with the search string.

it's not listing all the members though.. Also is there a way to display like the user ID and not the full FQDN?

[water]

  On 7/30/2013 at 4:28 PM, TheBG said:

It's not listing all the members though.

How many members are missing? How many members do you have in a group?

 

  Quote

Also is there a way to display like the user ID and not the full FQDN?

You would need to call _AD_FQDNToSamAccountName for each member.

[TheBG]

  On 7/30/2013 at 4:34 PM, water said:

How many members are missing? How many members do you have in a group?

 

You would need to call _AD_FQDNToSamAccountName for each member.

How many members are missing? How many members do you have in a group?

in some cases, all members are missing. and the main group we use only lists 1 user, and I know we have at least 500 members.

[water]

The primary group (you call it "main group") doesn't contain any members - would be too many. The primary group has a group id that is stored with every user.

To get the members of a primary group is a bit more complex.

[kor]

having a problem with our scripts on a new active directory running on server 2012. The forest and domain functional levels are 2012.

The scripts are being run from a Win 7 x86 client joined to the domain.

Trying to run a sample script _AD_ObjectExists() on a user and get an _AD_Open() failure.

Function _AD_Open encountered a problem. @error = 4,

@extended = -2147024843

I'm pretty sure that it's a permissions problem somehow, but @error4 in the _AD_Open example says something about a RootDSE object failure. So not sure what is going on.

When I run the same scripts as user within the IT department (who has elevated permissions in AD) all the scripts work fine and there are no issues.

[water]

-2147024843 means: 0x80070035 The network path was not found

I once had the same problem because the directory where the exe was located wasn't a trusted location.

Copy the exe to a local drive and try again.

[kor]

  On 8/2/2013 at 7:04 AM, water said:

-2147024843 means: 0x80070035 The network path was not found

I once had the same problem because the directory where the exe was located wasn't a trusted location.

Copy the exe to a local drive and try again.

that was the problem. Thank you for helping me narrow the problem. Now I just need to figure out what permissions to give the directory so I don't get the error.

[water]

Another user and I once spent a lot of time to find the problem.

I'm glad your script works now