Active Directory UDF - Help & Support (II)

[kor]

Another user and I once spent a lot of time to find the problem.

I'm glad your script works now

I've given the user "full control" of the network folder where I want them running the compiled EXE from, but I'm still getting errors. What other permissions are needed to run from a network drive?

[water]

It is not related to the permission on the folder but to the "Trust Center".

This site describes what I mean.

[kor]

Also getting lots of these errors in a script that adds/deletes/moves users.

COM Error Encountered in ASABv3.au3

AD UDF version = 1.3.0

@AutoItVersion = 3.3.8.1

@AutoItX64 = 0

@Compiled = 0

@OSArch = X86

@OSVersion = WIN_7

Scriptline = 914

NumberHex = 80020009

Number = -2147352567

WinDescription = 

Description = The directory property cannot be found in the cache.

Source = Active Directory

HelpFile = 

HelpContext = 0

LastDllError = 0

========================================================

 

I wish it would be more specific which directory property.

[kor]

It is not related to the permission on the folder but to the "Trust Center".

This site describes what I mean.

That site speaks specifically to office products (word, excel)

which doesn't come into play here. Is this something I need to add in group policy? My technicians don't have any of these problems but they also have elevated permissions to active directory.

[water]

 

Also getting lots of these errors in a script that adds/deletes/moves users.

COM Error Encountered in ASABv3.au3

AD UDF version = 1.3.0

@AutoItVersion = 3.3.8.1

@AutoItX64 = 0

@Compiled = 0

@OSArch = X86

@OSVersion = WIN_7

Scriptline = 914

NumberHex = 80020009

Number = -2147352567

WinDescription = 

Description = The directory property cannot be found in the cache.

Source = Active Directory

HelpFile = 

HelpContext = 0

LastDllError = 0

========================================================

 

I wish it would be more specific which directory property.

 

Can you please post the statement that returns this errors?

[water]

That site speaks specifically to office products (word, excel)

which doesn't come into play here. Is this something I need to add in group policy? My technicians don't have any of these problems but they also have elevated permissions to active directory.

That link was just to give you an idea. If you copy the exe to C:local or another dir, does it work?

[kor]

That link was just to give you an idea. If you copy the exe to C:local or another dir, does it work?

yes, but I give up all the flexibility of running the compiled script from a network share. It is updated quite often and our users just have a shortcut to the compiled EXE on their desktop. So whenever I update it the next time they run it they are running the updated version.

[water]

I just wanted to make sure that the problem is caused by the "trusted location problem".

You just need to talk to your system administrator and let him add the network share to the list of trusted locations.

[kor]

I just wanted to make sure that the problem is caused by the "trusted location problem".

You just need to talk to your system administrator and let him add the network share to the list of trusted locations.

I am the system administrator. And I am more than capable of adding a network share to a list of trusted locations, however I think you are getting "trusted locations" and "trusted sites" mixed up.

Trusted locations from my googleing seem to be specific to Office.

Trusted Sites are zone assignments you add to Internet Explorer through group policy. Which I've already added *.organization.com to my local intranet zone which means any network share within my domain should be trusted.

Edited August 5, 2013 by kor

[water]

I'm no sysadmin so I might use the wrong technical term. We run Windows 7 and IIRC you can set  "secure locations" from where programs might be executed.

I googled for >windows 7 "secure location" group policy<

This site talks about secure loctions and the default secure locations in Windows Vista. The list of secure locations can be modified.

"When enabled, Windows enforces UIAccess application to run from a secure location. These secure locations include:

• …Program Files... including all sub folders.
• …WindowsSystem32...
• …Program Files (x86)... including all sub folders (64-bit versions)."

[kor]

 

I'm no sysadmin so I might use the wrong technical term. We run Windows 7 and IIRC you can set  "secure locations" from where programs might be executed.

I googled for >windows 7 "secure location" group policy<

This site talks about secure loctions and the default secure locations in Windows Vista. The list of secure locations can be modified.

"When enabled, Windows enforces UIAccess application to run from a secure location. These secure locations include:

• …Program Files... including all sub folders.
• …WindowsSystem32...
• …Program Files (x86)... including all sub folders (64-bit versions)."

 

I needed this working ASAP so I just wrote a little wrapper that copies the EXE locally then runs it and it is transparent to the users.

[water]

Not the most beautiful solution, but as long as it is working

[kor]

Not the most beautiful solution, but as long as it is working

The website linked to seems to focus on UAC which I already have disabled. I imagine you will get more of these same issues in the future. It would be a smart move to find a solution or include better error checking. _AD_Open() reports @error 4 with this problem which isn't very helpful.

[water]

If you activate the COM error handler then you get "The network path was not found" for this problem.

That's all AD provides.

[MpDredd]

Thanks for this UDF, I've been using it for a long time and I love the functionality if gives me.

I am having an issue with "_AD_GetGroupMembers" displaying all members in a particular group.  I've tried using bothe the SamAccountName and the FQDN and have the exact same issue.

My code is pretty straight forward:

 

$FQDN = _AD_SamAccountNameToFQDN('Domain Admins')

$UserName = _AD_GetGroupMembers($FQDN)

_ArrayDisplay($UserName,$FQDN)

 

There are 17 users but it only returns 8.  I also noticed that it skips some users. 

 <scrubbed output>

[0]|8

[1]|CN=User-24,CN=Users,DC=Company,DC=Local

[2]|CN=User-8,CN=Users,DC=Company,DC=Local

[3]|CN=User-13,CN=Users,DC=Company,DC=Local

[4]|CN=User-1,OU=Department,OU=HQ,DC=Company,DC=Local

[5]|CN=User-2,OU=Department,OU=HQ,DC=Company,DC=Local

[6]|CN=User-3,OU=Department,OU=HQ,DC=Company,DC=Local

[7]|CN=USER-15,CN=Users,DC=Company,DC=Local

[8]|CN=User-7,CN=Users,DC=Company,DC=Local

 

Any help would be greatly appreciated. I apologize if this has been addressed but I did not find it win any of the searches I tried.

 

Thanks in advance!
Raymond

 

[water]

Is there anything special with the missing members?
Can you post (or PM) the FQDNs of the missing members?

[MpDredd]

Hi Water, thanks for the reply!

The missing users are locates in the same places that the ones that are listing are located

ex: ,OU=Department,OU=HQ,DC=Company,DC=Local and CN=Users,DC=Company,DC=Local.  All of the domain Admin users are in one place or the other without exception.

Are there any group memberships or account flags that would keep a user from showing up?  I have the same issue when trying to enumerate and display "Domain Users" as well.

[water]

Are there any group memberships or account flags that would keep a user from showing up?  I have the same issue when trying to enumerate and display "Domain Users" as well.

You can't list the members of group "Domain Users" - this group has no members. There would be too many.

AD uses the concept of a "primary group". This means the users are flagged to be members of the primary group (the id of the primary group is stored with the user).

I'm not 100% sure but I think there can be many primary groups.

So it is possible that a user has the primary group "Domain Users" - and hence will not be listed by _AD_GetGroupMembers.

Another user can have a different primary group. If the user then was added to "Domain Users" he will be listed by _AD_GetGroupMembers.

Can you check the primary group of a user that is not listed by running _AD_GetUserPrimaryGroup?

[MpDredd]

Water, thats exactly what it is.  The users that don't show up have "Domain Admins" as their primary group.  I created a separate group with the users I'm interested in monitoring as a work around.  Thanks for the help and better understanding of how the function works!

[water]

Glad to be of service