Active Directory | moving a computer to another OU using Runas


Kovacic

I have been working on this for days with no luck.

I am working on a script to move laptops into the proper OU, specified by $sTargetOU, where the computer name is $sObject.

The situation:

IT people are logged onto laptops using the end user account (to profile them) which apparently does not have permissions to move computer accounts in AD from one OU to another.

The other situation:

When I profile a new laptop for a user, I am logged in as local admin and try to use a script to move the computer into a specified OU. I have credentials that I can use to move the computer account, but I would like to package this into an autoit script. I currently use AD.au3, which does the job as long as I am logged in with an IT AD account with sysadmin abilities.

What I am looking to do:

A simple one-stop-shop application that lets me runas a function similar to the one below:

#include <AD.au3>

; $sTargetOU (DN of the target OU) and $sObject (computer name without the trailing "$") are set earlier in the script
_AD_Open() ; binds to AD as the currently logged-on user
Global $iValue = _AD_MoveObject($sTargetOU, $sObject & "$")
If $iValue = 1 Then
    MsgBox(64, "Active Directory Message", "Computer '" & $sObject & "' successfully moved to '" & $sTargetOU & "'")
ElseIf @error = 1 Then
    MsgBox(64, "Active Directory Message", "Target OU '" & $sTargetOU & "' does not exist")
ElseIf @error = 2 Then
    MsgBox(64, "Active Directory Message", "Computer '" & $sObject & "' does not exist")
ElseIf @error = 3 Then
    MsgBox(64, "Active Directory Message", "Computer '" & $sObject & "' is already in the required OU. No change made.")
ElseIf @error = -2147352567 Then ; COM exception raised by the underlying ADSI call
    MsgBox(64, "Active Directory Message", "Could not move '" & $sObject & "'")
Else
    MsgBox(64, "Active Directory Message", "Return code '" & @error & "' from Active Directory")
EndIf
_AD_Close()

I appreciate any thoughts anyone might have because I'm at a dead stop.

Thanks in advance

C0d3 is P0etry( ͡° ͜ʖ ͡°)


Have you tried using _AD_Open with Domain admin credentials?

If I posted any code, assume that code was written using the latest release version unless stated otherwise. Also, if it doesn't work on XP I can't help with that because I don't have access to XP, and I'm not going to.
Give a programmer the correct code and he can do his work for a day. Teach a programmer to debug and he can do his work for a lifetime - by Chirag Gude
How to ask questions the smart way!

I hereby grant any person the right to use any code I post, that I am the original author of, on the autoitscript.com forums, unless I've specifically stated otherwise in the code or the thread post. If you do use my code all I ask, as a courtesy, is to make note of where you got it from.

Back up and restore Windows user files _Array.au3 - Modified array functions that include support for 2D arrays.  -  ColorChooser - An add-on for SciTE that pops up a color dialog so you can select and paste a color code into a script.  -  Customizable Splashscreen GUI w/Progress Bar - Create a custom "splash screen" GUI with a progress bar and custom label.  -  _FileGetProperty - Retrieve the properties of a file  -  SciTE Toolbar - A toolbar demo for use with the SciTE editor  -  GUIRegisterMsg demo - Demo script to show how to use the Windows messages to interact with controls and your GUI.  -   Latin Square password generator


You can either pass the needed credentials with _AD_Open or compile the script and run it as another user. _AD_Open uses the credentials of the currently logged-on user.

I haven't tried the latter myself so some testing would be needed.

My UDFs and Tutorials:

Spoiler

UDFs:
Active Directory (NEW 2024-07-28 - Version 1.6.3.0) - Download - General Help & Support - Example Scripts - Wiki
ExcelChart (2017-07-21 - Version 0.4.0.1) - Download - General Help & Support - Example Scripts
OutlookEX (2021-11-16 - Version 1.7.0.0) - Download - General Help & Support - Example Scripts - Wiki
OutlookEX_GUI (2021-04-13 - Version 1.4.0.0) - Download
Outlook Tools (2019-07-22 - Version 0.6.0.0) - Download - General Help & Support - Wiki
PowerPoint (2021-08-31 - Version 1.5.0.0) - Download - General Help & Support - Example Scripts - Wiki
Task Scheduler (2022-07-28 - Version 1.6.0.1) - Download - General Help & Support - Wiki

Standard UDFs:
Excel - Example Scripts - Wiki
Word - Wiki

Tutorials:
ADO - Wiki
WebDriver - Wiki

 


I don't mind testing.. I have a few test laptops and a domain to use. Where I keep getting stuck is passing the credentials on to the process that tries to perform the OU move. If it can be bound to ADOpen, that would be much better!


I thought about using Runas, but one thing I hope to do is add this to my Windows profiler application, which will make it a one-stop shop to profile laptops. So far, I have it so we can set out a line of laptops, open the app and hit start, and it will rename the computer to the serial captured from the BIOS, then join it to the domain using domain credentials I have in the script. I will do some testing using _AD_Open and let you know if I can get it to runas.


I don't know if it's possible on your domain, but on the domains that I have direct control over, I have created a user that I use to join computers to the domain. This user is further blocked from logging into any computers by a group policy, so it minimizes access to the domain. It's not 100% foolproof because the user credentials could be used to authenticate to the domain for other reasons, but can't log on. Our limited (non-admin) users don't have access to the C: drive, which is the only place they could look to find these credentials, so that further limits the exposure of the credentials. I only use this user in sysprep'ing the systems so that is another way that limits exposure to the credentials to users that I don't want to have the information.

BTW, even limited users can join computers to a domain as long as there isn't a group policy preventing it. They're limited to (I think) joining only 10 computers in total.


That's what I was told; according to Microsoft, it should only be 10, but with normal credentials I was able to join more in the past. I create an AD group, or just a user with domain user permissions removed and permission added only to join computers to the domain as a service account... This way, even if they are authenticated, they can't log on locally or over the network, and I can set up explicit deny permissions on all other resources. It would be a little bit of a pain, but it would be closer to bulletproof.


Kovacic,

Moved to "General Help" section. :)

M23

Any of my own code posted anywhere on the forum is available for use by others without any restriction of any kind

Open spoiler to see my UDFs:

Spoiler

ArrayMultiColSort ---- Sort arrays on multiple columns
ChooseFileFolder ---- Single and multiple selections from specified path treeview listing
Date_Time_Convert -- Easily convert date/time formats, including the language used
ExtMsgBox --------- A highly customisable replacement for MsgBox
GUIExtender -------- Extend and retract multiple sections within a GUI
GUIFrame ---------- Subdivide GUIs into many adjustable frames
GUIListViewEx ------- Insert, delete, move, drag, sort, edit and colour ListView items
GUITreeViewEx ------ Check/clear parent and child checkboxes in a TreeView
Marquee ----------- Scrolling tickertape GUIs
NoFocusLines ------- Remove the dotted focus lines from buttons, sliders, radios and checkboxes
Notify ------------- Small notifications on the edge of the display
Scrollbars ----------Automatically sized scrollbars with a single command
StringSize ---------- Automatically size controls to fit text
Toast -------------- Small GUIs which pop out of the notification area

 


How to pass credentials to _AD_Open can be found in the help file _AD_Open.html or the wiki (link can be found in my signature).


I am also getting the object error (attached).

This is an example of what this script would be moving, from this OU

"CN=MyCompName,OU=computers,DC=MyDomain,DC=COM"

to this one:

"OU=computers,OU=Updated OUs,DC=MyDomain,DC=com"

This works when run by someone with elevated permissions, so I am trying to get it to open AD with another AD account, and I get the error in the attachment.

Func SET()
    ; $FullDesc, $compouV and $oumove are set earlier in the script
    RunWait("net config server /srvcomment:""" & $FullDesc & """", @SW_HIDE)
    MsgBox(0, "Description Updated", " Updated local computer and AD descriptions:" & @CRLF & @CRLF & $FullDesc & @CRLF & @CRLF & "The computer should be moved to the following OU:" & @CRLF & @CRLF & $compouV)
    Global $SvcUsername = "MyDomainUsername"
    Global $SvcPassword = "SomeGoofyPassword"

    If $oumove = "yes" Then ; Check to see if an error happened earlier in the script that changed this to 'no'
        $sTargetOU = $compouV
        $sObject = @ComputerName
        _AD_Open([$sAD_UserIdParam = $SvcUsername, $sAD_PasswordParam = $SvcPassword[, $sAD_DNSDomainParam = "DC=MyDomain,DC=COM", $sAD_HostServerParam = "", $sAD_ConfigurationParam = ""[, $iAD_Security = 0]]])
        Global $iValue = _AD_MoveObject($sTargetOU, $sObject & "$")
        If $iValue = 1 Then
            MsgBox(64, "Active Directory Message", "Computer '" & $sObject & "' successfully moved to '" & $sTargetOU & "'")
        ElseIf @error = 1 Then
            MsgBox(64, "Active Directory Message", "Target OU '" & $sTargetOU & "' does not exist")
        ElseIf @error = 2 Then
            MsgBox(64, "Active Directory Message", "Computer '" & $sObject & "' does not exist")
        ElseIf @error = 3 Then
            MsgBox(64, "Active Directory Message", "Computer '" & $sObject & "' is already in the required OU. No change made.")
        Else
            MsgBox(64, "Active Directory Message", "Return code '" & @error & "' from Active Directory")
        EndIf
        _AD_Close()
    Else
        MsgBox(64, "Active Directory Message", "No OU moves were performed because the User account is not in a Users OU.")
        Exit
    EndIf
EndFunc   ;==>SET

I am sure I messed up somewhere, just not sure where

[Attached: screenshot of the error]


Looks like the stop is happening here:

Func _AD_SamAccountNameToFQDN($sAD_SamAccountName = @UserName)

If StringMid($sAD_SamAccountName, 3, 1) = "=" Then Return $sAD_SamAccountName ; already a FQDN. Return unchanged
$__oAD_Command.CommandText = "<LDAP://" & $sAD_HostServer & "/" & $sAD_DNSDomain & ">;(sAMAccountName=" & $sAD_SamAccountName & ");distinguishedName;subtree"
Local $oAD_RecordSet = $__oAD_Command.Execute
If @error Or Not IsObj($oAD_RecordSet) Or $oAD_RecordSet.RecordCount = 0 Then Return SetError(1, @error, "")
Local $sAD_FQDN = $oAD_RecordSet.fields(0).value
Return _AD_FixSpecialChars($sAD_FQDN, 0, "/#")

EndFunc   ;==>_AD_SamAccountNameToFQDN

This line:

$__oAD_Command.CommandText = "<LDAP://" & $sAD_HostServer & "/" & $sAD_DNSDomain & ">;(sAMAccountName=" & $sAD_SamAccountName & ");distinguishedName;subtree"

I tried various naming conventions like myusername@mydomain.com, mydomain\myusername, and nothing seemed to help..


Your _AD_Open function is written wrong too. This is the correct way.

_AD_Open($SvcUsername, $SvcPassword, "DC=MyDomain,DC=COM",  "", "", 0)

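Putting the corrected call into a complete script, as an added example that is not code from this thread or from the AD UDF: it binds with the positional _AD_Open call shown above, asks for the service-account password at run time instead of compiling it into the script, and reports bind failures separately from move failures. The domain DN and target OU are the values posted earlier in the thread; the account name $g_sSvcUser and the function name _MoveLocalComputerToOU are placeholders I chose, and the account is assumed to be a dedicated one with only the rights needed to move computer objects, along the lines of the restricted join account described above.

```autoit
#include <AD.au3>
#include <MsgBoxConstants.au3>

; Added example, not code from the thread or from the AD UDF.
; Placeholders to replace with your own values:
Global Const $g_sDnsDomain = "DC=MyDomain,DC=COM"                             ; domain DN from the thread
Global Const $g_sTargetOU  = "OU=computers,OU=Updated OUs,DC=MyDomain,DC=com" ; target OU from the thread
Global Const $g_sSvcUser   = "MyDomain\svc-oumove"                            ; placeholder: dedicated account allowed only to move computer objects

; Bind to AD as $sUser (not the logged-on user) and move the local computer object into $sOU.
; Returns 1 on success. On failure returns 0 and sets @error:
;   1 = _AD_Open failed (@extended carries its @error)
;   2 = _AD_MoveObject failed (@extended carries its @error: 1 OU missing, 2 computer missing, 3 already in the OU)
Func _MoveLocalComputerToOU($sUser, $sPassword, $sOU)
    ; Positional parameters, not the "[$sAD_UserIdParam = ...]" notation copied from the help file
    _AD_Open($sUser, $sPassword, $g_sDnsDomain, "", "", 0)
    If @error Then Return SetError(1, @error, 0)

    ; Computer accounts carry a trailing "$" in their sAMAccountName
    Local $iResult = _AD_MoveObject($sOU, @ComputerName & "$")
    Local $iErr = @error
    _AD_Close() ; always release the connection, even when the move failed

    If $iResult = 1 Then Return 1
    Return SetError(2, $iErr, 0)
EndFunc   ;==>_MoveLocalComputerToOU

; Ask for the password at run time (masked with "*") rather than storing it in the compiled script
Local $sPassword = InputBox("OU move", "Password for " & $g_sSvcUser & ":", "", "*")
If @error Then Exit ; user cancelled

_MoveLocalComputerToOU($g_sSvcUser, $sPassword, $g_sTargetOU)
Switch @error
    Case 0
        MsgBox($MB_ICONINFORMATION, "Active Directory Message", "Computer '" & @ComputerName & "' successfully moved to '" & $g_sTargetOU & "'")
    Case 1
        MsgBox($MB_ICONERROR, "Active Directory Message", "Could not bind to AD as " & $g_sSvcUser & " (error " & @extended & "). Check the account name (DOMAIN\user or user@domain), the password and any logon restrictions on the account.")
    Case 2
        Switch @extended
            Case 1
                MsgBox($MB_ICONERROR, "Active Directory Message", "Target OU '" & $g_sTargetOU & "' does not exist")
            Case 2
                MsgBox($MB_ICONERROR, "Active Directory Message", "Computer '" & @ComputerName & "' does not exist in AD")
            Case 3
                MsgBox($MB_ICONINFORMATION, "Active Directory Message", "Computer '" & @ComputerName & "' is already in the required OU. No change made.")
            Case Else
                MsgBox($MB_ICONERROR, "Active Directory Message", "Return code '" & @extended & "' from Active Directory")
        EndSwitch
EndSwitch
```

Separating the two failure points matters for this thread: a bind error from _AD_Open points at the account, its password or a logon restriction applied to it, while a move error with the same credentials points at the OU name, the computer object or the rights delegated on the target OU, which is the distinction the attached error did not make visible.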

BTW: Function _AD_SamAccountNameToFQDN is only needed in rare cases. All functions accept SamAccountName and FQDN as parameters and convert them under the covers if needed.
