Active Directory UDF - Help & Support (II)

[Neutro]

Well I didn't know about this ldap thing, and tbh i don't know much about ldap Thanks for enlighting me

Yeah I thought about this too but I liked the idea of having all organised datas in one array if I wanted to do something else later.

But yeah you're right, this is much easier so i'll stick to this right now and will have fun with arrays later

Only thing I'm missing is a way to get users descriptions as well (we use this as full name of people in my company).

Thanks again for your help, i really appreciate it.

[water]

This script should get you started. It writes the group name, description plus the names plus description of all group members to the console. This is done for the first 5 groups. Uncomment the line if you want to see all.

#include <AD.au3>
_AD_Open()
$aGroups = _AD_GetObjectsInOU("", "(&(objectclass=group)(description=*))", 2, "sAMAccountName,description")
For $i = 1 To 5; $aGroups[0][0]
    ConsoleWrite("Group: " & $aGroups[$i][0] & ", Description: " & $aGroups[$i][1] & @LF)
    $aMembers = _AD_GetGroupMembers($aGroups[$i][0])
    For $j = 1 To $aMembers[0]
        $sDescription = _AD_GetObjectAttribute($aMembers[$j], "description")
        ConsoleWrite("  User: " & $aMembers[$j] & ", Description: " & $sDescription & @LF)
    Next

Next
_AD_CLose()

[Iceman682]

Water,

Is it possible to reset a computer account in AD with Autoit instead of deleting and rejoining?

I know you can do it in AD itself by right clicking the computer object and select reset.

(its the same as deleting it from AD and readding it)

Many thanks

Iceman682

Edited January 16, 2013 by Iceman682

[water]

With "resetting" you mean to recreate the computer (set up the OS from scratch) with a new SID and assign it to the same computer account?

[water]

I searched the web a bit and found the following description:

"Resetting the computer account maintains the computer object as is but resets the computer account password.The domain and the computer actually share a password and resetting it makes the password in the domain different, just as if you were to reset a user password without telling the user. The computer must be rejoined to the domain for it to communicate successfully.

The computer can now rejoined to the domain and will use the same computer account object. This means the computer sid will be maintained and in the case of Active Directory utilizing Dynamic Dns this is important since the DNS record will be per-missioned with the computer account SID. Also, group memberships will be maintained and any per-missioning done using the computer object.

Deleting and rejoining creates a completely new object. New SID in default OU without any of the old group memberships or permissions."

So I think calling _AD_SetPassword and passing the SamAccountName of the computer (including the trailing dollar sign) should do what you want.

[Neutro]

This is exactly what I needed water, thank you very much once again

When i'll be done i'll post my script on your "Example scripts" topic

[water]

Glad to be of service

[Iceman682]

Hi Water

I wound not have thought to do it that way, so yes that should work.

I'll let you know the results

Many thanks as always

Iceman682

[water]

I'm very interested in the result of your tests. Another new feature for the AD UDF

[Iceman682]

Hi Water

As promised, yes _AD_SetPassword work to rest a Computer Object.

You should give it the default Password as it would if you used the reset option in AD i.e Computer Name, appending the $ i.e MyComputer$

Many thanks for the guidance.

[water]

Thanks for the feedback. I'm going to update the documentation accordingly.

[water]

Any additional information on what I should try?

I am able to move a computer object just not create one or join the domain to one I created manually with the AD tools from MS?

Now I'm back from vacation and hope to work on your problem again.

Just to be sure: Does the problem still exist?

[minimen456]

I have two questions about _AD_GetLastLoginDate(). This function takes too long. Could you please tell me what should I add to make it takes less time? _AD_ListDomainControllers() returns array with 257 elements but I want to use only this one:

EURSMZ-HUB21|CN=EURSMZ-HUB21,OU=Domain Controllers,DC=eur,DC=XXX,DC=com|EURSMZ-HUB21.eur.XXX.com|Site-SMZ|CN=Site-SMZ,CN=Sites,CN=Configuration,DC=XXX,DC=com

And the second question. _AD_GetLastLoginDate() works fine when I ask user_login but when I ask computer_name It always returns “0”. How can I get the last_login of a computer on an active directory?

Edited January 28, 2013 by minimen456

[water]

Pass "Site-SMZ" as parameter 2. This will limit the list of DCs to query to those who "handle" this site.

The problem is caused by the way a correct last login date is retrieved. This property isn't synchronized between DCs so the script has to query every DC and then takes the latest date. If one/more DCs is/are not operational then the script waits till the timout has expired and then queries the next DC.

Parameter 2 defines the site the user can log on to and hence the script only queries the relevant DCs.

To query the last logindate of a computer you have to pass the SamAccountName or the FQDN. The SamAccountName is always @ComputerName & "$"

; Get last login date for the current computer
$iLLDate = _AD_GetLastLoginDate(@ComputerName & "$")
MsgBox(64, "Active Directory Functions - Example 2", "Last Login Date for Computer '" & @ComputerName & "$'" & @CRLF & $iLLDate)

Edited January 28, 2013 by water

[minimen456]

I think I've found a bug. If you:

#include <IE.au3>
#include <AD.au3>

then _IECreate() stops working properly and starts returning warning:

--> IE.au3 V2.4-0 Warning from function internal function __IEIsObjType, Cannot register internal error handler, cannot trap COM errors (Use _IEErrorHandlerRegister() to register a user error handler)
--> IE.au3 V2.4-0 Warning from function internal function __IEIsObjType, Cannot register internal error handler, cannot trap COM errors (Use _IEErrorHandlerRegister() to register a user error handler)
COM Error Encountered in IE_AD_Test.au3
AD UDF version = 1.3.0
@AutoItVersion = 3.3.8.1
@AutoItX64 = 0
@Compiled = 0
@OSArch = X86
@OSVersion = WIN_XP
Scriptline = 3690
NumberHex = 80020009
Number = -2147352567
WinDescription = Unspecified error
Description =
Source =
HelpFile =
HelpContext = 0
LastDllError = 0
========================================================
--> IE.au3 V2.4-0 Warning from function _IELoadWait, Cannot register internal error handler, cannot trap COM errors (Use _IEErrorHandlerRegister() to register a user error handler)

Edited January 30, 2013 by minimen456

[Iceman682]

MsgBox(64, "Active Directory Error", "Return code '" & @error & "' from Active Directory")

Hi Water

Here is one of the return codes:

i.e Return Code -2147352567 from Active Directory

I get this when moving a computer to another OU or changing its attributes.

As I am logged on as a user with less permissions, I can only guess it means I don't have permissions to move it or change it.

Where can I get a list of the return codes so I know what they all mean?

Edited January 30, 2013 by Iceman682

[water]

@minimen456

This is because every UDF tries to register it's own error handler. But there can be only one error handler at a time. AD registers the COM error handler when _AD_Open is called.

If possible run _AD_Open, do all the AD related stuff, then use _AD_Close. Now you shouldn't see any further error messages by the IE UDF.

Edited January 30, 2013 by water

[Iceman682]

Yes, I understand that, but when a user gets an error like the one I mentioned, or a different one, I need to know why the user is getting the error code so I can point them in the right direction.

These codes must mean something otherwise whats the point in having them.

Edited January 30, 2013 by Iceman682

[water]

@Iceman682

MsgBox(64, "Active Directory Error", "Return code '" & @error & "' from Active Directory")

Hi Water

Here is one of the return codes:

i.e Return Code -2147352567 from Active Directory

I get this when moving a computer to another OU or changing its attributes.

As I am logged on as a user with less permissions, I can only guess it means I don't have permissions to move it or change it.

Where can I get a list of the return codes so I know what they all mean?

This is a general error. -2147352567 (decimal) is 80020009 (hex).

Exception occurred. (Exception from HRESULT: 0x80020009 (DISP_E_EXCEPTION)) is a very generic exception message.

Listing of HRESULT values.

You get more information about the COM error by setting _AD_ErrorNotify to 2 or 3 before using _AD_Open.

Edited January 30, 2013 by water

[water]

Iceman682,

For clarity I prefixed my last messages with the userid I'm referring to.