Kovacic Posted January 22, 2013

I have been working on this for days with no luck. I am working on a script to move laptops into the proper OU specified by $sTargetOU while the computer name is $sObject.

The situation: IT people are logged onto laptops using the end user account (to profile them) which apparently does not have permissions to move computer accounts in AD from one OU to another.

The other situation: When I profile a new laptop for a user, I am logged in as local admin and try to use a script to move the computer into a specified OU. I have credentials that I can use to move the computer account, but I would like to package this into an AutoIt script. I currently use AD.au3, which does the job as long as I am logged in with an IT AD account with sysadmin abilities.

What I am looking to do: Simple one stop shop application that lets me runas a function similar to that below:

```autoit
#include <AD.au3>

; $sTargetOU (destination OU) and $sObject (computer name) are set elsewhere in the script
_AD_Open()
Global $iValue = _AD_MoveObject($sTargetOU, $sObject & "$")
If $iValue = 1 Then
    MsgBox(64, "Active Directory Message", "Computer '" & $sObject & "' successfully moved to '" & $sTargetOU & "'")
ElseIf @error = 1 Then
    MsgBox(64, "Active Directory Message", "Target OU '" & $sTargetOU & "' does not exist")
ElseIf @error = 2 Then
    MsgBox(64, "Active Directory Message", "Computer '" & $sObject & "' does not exist")
ElseIf @error = 3 Then
    MsgBox(64, "Active Directory Message", "Computer '" & $sObject & "' is already in the required OU. No change made.")
ElseIf @error = "-2147352567" Then
    MsgBox(64, "Active Directory Message", "Could not move '" & $sObject)
Else
    MsgBox(64, "Active Directory Message", "Return code '" & @error & "' from Active Directory")
EndIf
_AD_Close()
```

I appreciate any thoughts anyone might have because I'm at a dead stop. Thanks in advance

C0d3 is P0etry( ͡° ͜ʖ ͡°)

BrewManNH Posted January 23, 2013

Have you tried using _AD_Open with Domain admin credentials?

If I posted any code, assume that code was written using the latest release version unless stated otherwise. Also, if it doesn't work on XP I can't help with that because I don't have access to XP, and I'm not going to.
Give a programmer the correct code and he can do his work for a day. Teach a programmer to debug and he can do his work for a lifetime - by Chirag Gude
How to ask questions the smart way!
I hereby grant any person the right to use any code I post, that I am the original author of, on the autoitscript.com forums, unless I've specifically stated otherwise in the code or the thread post. If you do use my code all I ask, as a courtesy, is to make note of where you got it from.
- Back up and restore Windows user files
- _Array.au3 - Modified array functions that include support for 2D arrays.
- ColorChooser - An add-on for SciTE that pops up a color dialog so you can select and paste a color code into a script.
- Customizable Splashscreen GUI w/Progress Bar - Create a custom "splash screen" GUI with a progress bar and custom label.
- _FileGetProperty - Retrieve the properties of a file
- SciTE Toolbar - A toolbar demo for use with the SciTE editor
- GUIRegisterMsg demo - Demo script to show how to use the Windows messages to interact with controls and your GUI.
- Latin Square password generator

Kovacic (Author) Posted January 23, 2013

In all honesty, I did not know I could do that! I will check it out tomorrow!! Thanks!

water Posted January 23, 2013

You can either pass the needed credentials with _AD_Open or compile the script and run it as another user. _AD_Open uses the credentials of the currently logged on user.
I haven't tried the latter myself so some testing would be needed.

My UDFs and Tutorials:
UDFs:
- Active Directory (NEW 2024-07-28 - Version 1.6.3.0) - Download - General Help & Support - Example Scripts - Wiki
- ExcelChart (2017-07-21 - Version 0.4.0.1) - Download - General Help & Support - Example Scripts
- OutlookEX (2021-11-16 - Version 1.7.0.0) - Download - General Help & Support - Example Scripts - Wiki
- OutlookEX_GUI (2021-04-13 - Version 1.4.0.0) - Download
- Outlook Tools (2019-07-22 - Version 0.6.0.0) - Download - General Help & Support - Wiki
- PowerPoint (2021-08-31 - Version 1.5.0.0) - Download - General Help & Support - Example Scripts - Wiki
- Task Scheduler (2022-07-28 - Version 1.6.0.1) - Download - General Help & Support - Wiki
Standard UDFs:
- Excel - Example Scripts - Wiki
- Word - Wiki
Tutorials:
- ADO - Wiki
- WebDriver - Wiki

Kovacic (Author) Posted January 23, 2013

I don't mind testing.. I have a few test laptops and a domain to use. Where I keep getting stuck is passing the credentials on to the process that tries to perform the OU move. If it can be bound to ADOpen, that would be much better!

Kovacic (Author) Posted January 23, 2013

> You can either pass the needed credentials with _AD_Open or compile the script and run it as another user. _AD_Open uses the credentials of the currently logged on user.
> I haven't tried the latter myself so some testing would be needed.

I thought about using the Runas, but one thing I hope to do is add this to my windows profiler application that will make it a one stop shop to profile laptops. So far, I have it so we can set out a line of laptops, open the app and hit start, and it will rename the computer to the serial captured from the BIOS, then join to the domain using domain credentials I have in the script. I will do some testing using _AD_Open and let you know if I can get it to runas.

BrewManNH Posted January 23, 2013

I don't know if it's possible on your domain, but on the domains that I have direct control over, I have created a user that I use to join computers to the domain. This user is further blocked from logging into any computers by a group policy, so it minimizes access to the domain. It's not 100% foolproof because the user credentials could be used to authenticate to the domain for other reasons, but can't log on. Our limited (non-admin) users don't have access to the C: drive, which is the only place they could look to find these credentials, so that further limits the exposure of the credentials. I only use this user in sysprep'ing the systems so that is another way that limits exposure to the credentials to users that I don't want to have the information.

BTW, even limited users can join computers to a domain as long as there isn't a group policy preventing it. They're limited to (I think) joining only 10 computers in total.

Kovacic (Author) Posted January 23, 2013

That's what I was told, according to Microsoft, it should only be 10, but with normal credentials, I was able to join more in the past. I create an AD group or just a user with domain user permissions removed and added permission to only join computers to the domain as a service account... This way, even if they are authenticated, they can't log on locally or over the network, and can set up explicit deny permissions on all other resources. It would be a little bit of a pain, but it would be closer to bullet proof.

Melba23 (Moderators) Posted January 23, 2013

Kovacic,
Moved to "General Help" section.
M23

Any of my own code posted anywhere on the forum is available for use by others without any restriction of any kind
My UDFs:
- ArrayMultiColSort ---- Sort arrays on multiple columns
- ChooseFileFolder ---- Single and multiple selections from specified path treeview listing
- Date_Time_Convert -- Easily convert date/time formats, including the language used
- ExtMsgBox --------- A highly customisable replacement for MsgBox
- GUIExtender -------- Extend and retract multiple sections within a GUI
- GUIFrame ---------- Subdivide GUIs into many adjustable frames
- GUIListViewEx ------- Insert, delete, move, drag, sort, edit and colour ListView items
- GUITreeViewEx ------ Check/clear parent and child checkboxes in a TreeView
- Marquee ----------- Scrolling tickertape GUIs
- NoFocusLines ------- Remove the dotted focus lines from buttons, sliders, radios and checkboxes
- Notify ------------- Small notifications on the edge of the display
- Scrollbars ---------- Automatically sized scrollbars with a single command
- StringSize ---------- Automatically size controls to fit text
- Toast -------------- Small GUIs which pop out of the notification area

water Posted January 23, 2013

> I don't mind testing.. I have a few test laptops and a domain to use. Where I keep getting stuck is passing the credentials on to the process that tries to perform the OU move. If it can be bound to ADOpen, that would be much better!

How to pass credentials to _AD_Open can be found in the help file _AD_Open.html or the wiki (link can be found in my signature).

Kovacic (Author) Posted January 23, 2013

I am also getting the object error (Attached)

This is an example of what this script would be moving, from this OU

"CN=MyCompName,OU=computers,DC=MyDomain,DC=COM"

to this one:

"OU=computers,OU=Updated OUs,DC=MyDomain,DC=com"

This works when being run by someone with elevated permissions, so I am trying to get it to open AD with another AD account, and I get the error in the attachment.

```autoit
Func SET()
    ; RunWait takes the working directory as its second parameter and the show flag as its third
    RunWait("net config server /srvcomment:""" & $FullDesc & """", "", @SW_HIDE)
    Msgbox(0, "Description Updated", " Updated local computer and AD descriptions:" & @CRLF & @CRLF & $FullDesc & @CRLF & @CRLF & "The computer should be moved to the following OU:" & @CRLF & @CRLF & $compouV)
    Global $SvcUsername = "MyDomainUsername"
    Global $SvcPassword = "SomeGoofyPassword"
    If $oumove = "yes" then ; Check to see if an error happened earlier in the script that changed this to 'no'
        $sTargetOU = $compouV
        $sObject = @ComputerName
        _AD_Open([$sAD_UserIdParam = $SvcUsername, $sAD_PasswordParam = $SvcPassword[, $sAD_DNSDomainParam = "DC=MyDomain,DC=COM", $sAD_HostServerParam = "", $sAD_ConfigurationParam = ""[, $iAD_Security = 0]]])
        Global $iValue = _AD_MoveObject($sTargetOU, $sObject & "$")
        If $iValue = 1 Then
            MsgBox(64, "Active Directory Message", "Computer '" & $sObject & "' successfully moved to '" & $sTargetOU & "'")
        ElseIf @error = 1 Then
            MsgBox(64, "Active Directory Message", "Target OU '" & $sTargetOU & "' does not exist")
        ElseIf @error = 2 Then
            MsgBox(64, "Active Directory Message", "Computer '" & $sObject & "' does not exist")
        ElseIf @error = 3 Then
            MsgBox(64, "Active Directory Message", "Computer '" & $sObject & "' is already in the required OU. No change made.")
        Else
            MsgBox(64, "Active Directory Message", "Return code '" & @error & "' from Active Directory")
        EndIf
        _AD_Close()
    Else
        MsgBox(64, "Active Directory Message", "No OU moves were performed because the User account is not in a Users OU.")
        exit
    EndIf
endfunc ;==>SET
```

I am sure I messed up somewhere, just not sure where

Kovacic (Author) Posted January 23, 2013

Looks like the stop is happening here

```autoit
Func _AD_SamAccountNameToFQDN($sAD_SamAccountName = @UserName)
    If StringMid($sAD_SamAccountName, 3, 1) = "=" Then Return $sAD_SamAccountName ; already a FQDN. Return unchanged
    $__oAD_Command.CommandText = "<LDAP://" & $sAD_HostServer & "/" & $sAD_DNSDomain & ">;(sAMAccountName=" & $sAD_SamAccountName & ");distinguishedName;subtree"
    Local $oAD_RecordSet = $__oAD_Command.Execute
    If @error Or Not IsObj($oAD_RecordSet) Or $oAD_RecordSet.RecordCount = 0 Then Return SetError(1, @error, "")
    Local $sAD_FQDN = $oAD_RecordSet.fields(0).value
    Return _AD_FixSpecialChars($sAD_FQDN, 0, "/#")
EndFunc ;==>_AD_SamAccountNameToFQDN
```

This line:

```autoit
$__oAD_Command.CommandText = "<LDAP://" & $sAD_HostServer & "/" & $sAD_DNSDomain & ">;(sAMAccountName=" & $sAD_SamAccountName & ");distinguishedName;subtree"
```

I tried various naming conventions like myusername@mydomain.com , mydomainmyusername and nothing seemed to help..

Kovacic (Author) Posted January 23, 2013

Never mind, my fault... I called _AD_SamAccountNameToFQDN earlier in the script, so I had to move _AD_OPEN(). I'm good now.

BrewManNH Posted January 23, 2013

Your _AD_Open function is written wrong too. This is the correct way.

```autoit
_AD_Open($SvcUsername, $SvcPassword, "DC=MyDomain,DC=COM", "", "", 0)
```

Kovacic (Author) Posted January 23, 2013

I had only moved it out because I thought the error was being generated from that function. Sometimes things that should work perfectly error out for me.

water Posted January 24, 2013

BTW: Function _AD_SamAccountNameToFQDN is only needed in rare cases. All functions accept SamAccountName and FQDN as parameters and convert them under the cover if needed.

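The points the thread arrives at (open the connection before any other _AD_* call, pass the credentials as plain positional arguments, hand _AD_MoveObject the sAMAccountName directly) combined in one function, as an added example that is not code from any poster or from the AD UDF. The function name _MoveThisComputer and the prompts are hypothetical, the target OU is the sample DN from the thread, and the machine is assumed to be domain-joined so only user and password are passed to _AD_Open.

```autoit
#include <AD.au3>

; Added example. The target OU is the sample DN used in the thread; the prompts
; and the function name _MoveThisComputer are hypothetical.
Global Const $sTargetOU = "OU=computers,OU=Updated OUs,DC=MyDomain,DC=com"

; Moves this computer's account to $sOU with credentials entered at run time.
; Returns 1 on success; 0 with @error = 1 (cancelled), 2 (open failed), 3 (move failed).
Func _MoveThisComputer($sOU)
    ; Prompt for the delegated account so the password is not a string literal
    ; inside the script or the compiled executable.
    Local $sUser = InputBox("AD credentials", "Account allowed to move computer objects:")
    If @error Then Return SetError(1, 0, 0)
    Local $sPass = InputBox("AD credentials", "Password for " & $sUser & ":", "", "*")
    If @error Then Return SetError(1, 0, 0)

    ; Open the connection first: every other _AD_* call depends on it.
    ; Assumption: the machine is domain-joined, so no domain/host parameters are passed.
    Local $iOpened = _AD_Open($sUser, $sPass)
    Local $iOpenErr = @error
    $sPass = "" ; not needed once the bind has been attempted
    If $iOpened = 0 Then
        MsgBox(16, "Active Directory Message", "_AD_Open failed, @error = " & $iOpenErr)
        Return SetError(2, $iOpenErr, 0)
    EndIf

    ; Computer accounts have a trailing "$" in their sAMAccountName.
    Local $iMoved = _AD_MoveObject($sOU, @ComputerName & "$")
    Local $iMoveErr = @error
    _AD_Close() ; release the connection whether or not the move worked

    If $iMoved = 1 Then Return 1
    ; Error meanings as used in the thread's own MsgBox texts.
    Local $sWhy
    Switch $iMoveErr
        Case 1
            $sWhy = "Target OU '" & $sOU & "' does not exist"
        Case 2
            $sWhy = "Computer '" & @ComputerName & "' does not exist"
        Case 3
            $sWhy = "Computer is already in the required OU. No change made."
        Case Else
            $sWhy = "Return code '" & $iMoveErr & "' from Active Directory"
    EndSwitch
    MsgBox(64, "Active Directory Message", $sWhy)
    Return SetError(3, $iMoveErr, 0)
EndFunc   ;==>_MoveThisComputer

_MoveThisComputer($sTargetOU)
```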