Active Directory UDF - Help & Support (II)

[TheBG]

Big picture:

creating a script to check an AD account every 10 min, to see if it is locked. If it is locked, it will automatically unlock it.

so.

no problem, right.. :-)

I can get every function in the AD udf to work except _AD_IsObjectLocked(). 

I'm providing it with a account name. and it always returns 0. I will lock out my test account by inputting bad passwords. but I can never get the example script to tell me the account is locked. it's almost like this function cant open ad. cause it tells me zero on any input I give it. suggestions?

#include <AD.au3>

; Open Connection to the Active Directory
_AD_Open()

Global $account = "accountName"

If @error Then Exit MsgBox(16, "Active Directory Example Skript", "Function _AD_Open encountered a problem. @error = " & @error & ", @extended = " & @extended)

; *****************************************************************************
; Example 1
; Checks if the account for the current user is locked.
; *****************************************************************************
If _AD_IsObjectLocked($account) Then
    MsgBox(64, "Active Directory Functions", "User account '" & $account & "' is locked")
Else
    MsgBox(64, "Active Directory Functions", "User account '" & $account & "' is not locked")
EndIf

[water]

Which version of the AD UDF to you run? IIRC there has been a bug in that function.

[TheBG]

autoit 3.3.10 and AD udf 1.4.0.

just upgraded to 1.4.0 and now have bigger problems!, lol

getting winapi errors.

_winapiconstant_format_message_from_system: possbily used before declaratrion

my bad - i thought I updated to 1.4.0. now I truely am on 1.4.0 and not getting that error.

 

so. I'm on autoit 3.3.10.x and AD udf 1.4.0.

no matter what I try to look for with _AD_IsObjectLocked I receive back a 0. I even pout bogus accounts in, it should at least return 1 for that.

Edited January 22, 2014 by TheBG

[water]

What is the value of @error after you called _AD_IsObjectLocked?

[TheBG]

What is the value of @error after you called _AD_IsObjectLocked?

 

the value always returns as 0

[water]

Can you post the result of:

$iValue = _AD_IsObjectLocked(...)
MsgBox(0, "", "Return Value = " & $iValue & ", @error = " & @error)

[lewisg]

Water

A Remote Desktop connetion script I currently have shows a ListView of all the current online computers listing the "ComputerName" and IP address of the computers. That's working great and is speedy. What I want to do is now is include the usernames. I've tried several paths, WMI, WINS stuff, etc., however they all fall short for lack of quickness or a long delay do to waiting for a time out. Question to you is, does your UDF have the ability to grab a username from either the computername or IP out of AD? I've tried a few thoughts but not joy, can you do some magic? Thanks

[water]

AD unfortunately doesn't store the currently logged on users.

How do you collect the information about online computers?

[lewisg]

First using your UDF:

 $aComputers = _AD_GetObjectsInOU("", "(objectclass=computer)", 2, "name"); Get all the Computer Names in Active Directory

Then I feed that to a VERY modified version of cherdeg's modified version of Manadar's  _CheckOnlineStatus. With it's ability to spawn asynchronous lookups it can run through ~1100 machines in under 25 seconds.

My first version parsed the output of "Net View" to grab the names and IPs, very simple and quick enough, however as I learned later it doesn't jump vlans or subnets meaning the script was very localize.
 

[water]

In short: Here we have a login script to collect all this data.

[gonzo070777]

First post on the forum but long time lurker.  Self learning AutoIT on my spare time.  So let me say first and foremost thank you for this awesome UDF.  It's been great!  I have run into an issue with the _AD_CreateComputer.au3  One issue I can work around, the other I can't.  So it appears to log into AD just fine with the AD_open.  Here are the two issues I've run into.  One I made a loose workaround the other I can't figure out a work around.  I searched this thread and couldn't find a resolution so I'm sorry if I missed it.

1)

If I use _AD_CreateComputer.au3 on a machine that is in a workgroup I get a return code of -2147352567 when I create the machine in AD - (If I use the same exact script on a machine that is already on the domain it works just fine without error code) (I've also tried run as the Network user and that didn't help)

Result with error -2147352567:

It does actually create the machine in AD and gives the login used for AD_Open rights to add the machine to the domain.

So I worked around this by using that one error code as a pass. (that is the only modification to the sample script)

2)

The second part I can't workaround is that in the last field "User/group to use this computer (samAccountName or FQDN):" no matter what I enter there it will not add that user entered to the created machine if the machine part of the workgroup - (Again if the machine is already on the domain it works as intended and adds both the login used for _AD_open as well as the name entered there).  

Result with error -2147352567:

It does however continue to add the login used for _AD_Open to the machine.  I haven't found a way to add this user to the AD machine after the machine is on the domain either (this is why I say I haven't found a workaround for this one.  I did try a little to use _AD_AddUserToGroup.au3 but either I don't get it or I'm doing something wrong, I did put $ after the computer name)

Again if this AU3 is run this on a machine that is already part of the domain it works as designed.  So in both cases it seems to be an issue with the machine being part of a workgroup instead of being part of a domain.  Any help or suggestions would be appreciated, AKA what am I missing?   I hope it's something simple I've missed being new to AutoIT.

Edited January 30, 2014 by gonzo070777

[water]

1) Most of the time it is a permission problem. The function not only creates a computer account but sets some permissions for this new user.  If the user who's credentials are used for _AD_Open doesn't have the proper permissions to set the permissions for the new user then you get this error.

BTW: Every user is allowed by AD to create up to 10 computer accounts without having special permissions.

2) How looks your _AD_Open statement if the computer is not yet connected to the domain?

[gonzo070777]

Thank you for the quick reply.  Below is the redacted _AD_open.  The tech account has full rights to create and modify unlimited computers (this is a special technician account setup by the firm to create, edit, delete computer accounts and modify user accounts)

_AD_Open($techusername, $techpassword, "DC=us,DC=XXXX,DC=com", "XXAD_serverXX.us.XXXX.com", "CN=Configuration,DC=XXXX,DC=com")

Edited January 31, 2014 by gonzo070777

[water]

Just had a quick look but I think it should be:

_AD_Open($techusername, $techpassword, "DC=us,DC=XXXX,DC=com", "XXAD_serverXX.us.XXXX.com", "CN=Configuration,DC=us,DC=XXXX,DC=com")

Run _AD_Open.au3 on a PC that is connected to a domain and you will see the proper parameters.

[gonzo070777]

So here are the results and observations:

- running _AD_Open.au3 on the domain computer shows the Configuration without the DC=US.  I did try it with the DC=US and clicked logon and it works the same (So I guess either way will open AD properly).  Clicking logon says logon was successful with the tech credentials with and without the DC=US.

I bring that same _AD_open.au3/EXE script to the workgroup machine and it fails, so I change the _AD_open() line to _AD_Open($techusername, $techpassword, "DC=us,DC=XXXX,DC=com", "XXAD_serverXX.us.XXXX.com", "CN=Configuration,DC=us,DC=XXXX,DC=com") and the script runs on the workgroup machine (also launches if I remove the DC=us, from that line)  I'm able to get the logon successful on the workgroup machine as well with that change.  I've tried using the Windows logon name, Netbios login, as well as the User principal name.  All end with Logon was successful.  I try the Create computer in AD again on the workgroup machine with the DC=US and all three login methods and returns the same dreaded error -2147352567.  If I run the same exe on the machine that is already on the Domain it says successful.

I guess also if there a way to add the user to the machine in AD after the fact?  I can have a second script run once the machine is rebooted on the domain.

To clarify what is being done:

1.  We have a workgroup machine

2. I display a GUI that asks for Technican Credentials, New machine name, user to be local admin from domain users

3. Script creates machine in AD, renames the machine, joins to domain, adds domain users to local admin group and reboots

4.  Machine is now fully joined to domain and end user logs in with their credentials

The sticking point is that they would like the end user to also be able to Join the machine to the domain if needed.  The initial join is done with the tech credentials right now but if there is a way to add the end user to the AD machine after the fact once on the domain I could use that as a workaround if I can't get it to work in the workgroup state.

Edited January 31, 2014 by gonzo070777

[water]

Can you try with

#RequireAdmin

at the top of your script?

[water]

As the Active Directory UDF - Help & Support thread has grown too big, I start a new one.
The new thread can be found here.

Edited June 8, 2016 by Jos