Active Directory Scripts

[water]

Sorry, my fault.

To get the list of groups where the user is a member of you could use

; _ADGetUserGroups
; the currently logged on user is a member of. Returns an array of Full DNs of the Group names that the user is immediately a member of
; with element 0 containing the number of groups.
; $user - optional -- SamAccountName of a user, defaults to locally logged on user
Func _ADGetUserGroups(ByRef $usergroups, $user = @UserName)

[visler]

Sorry, my fault.

To get the list of groups where the user is a member of you could use

; _ADGetUserGroups
; the currently logged on user is a member of. Returns an array of Full DNs of the Group names that the user is immediately a member of
; with element 0 containing the number of groups.
; $user - optional -- SamAccountName of a user, defaults to locally logged on user
Func _ADGetUserGroups(ByRef $usergroups, $user = @UserName)

I want a list of avaible OU's in the AD, not groups. Is OU treated as groups here ?

[water]

Sorry, don't know how to get this information.

But I think it can be a bit complicated as OUs can be nested.

You could use AD Explorer by Sysinternals (now M$) to get a good view of your ADs structure.

Edited January 14, 2009 by water

[visler]

Sorry, don't know how to get this information.

But I think it can be a bit complicated as OUs can be nested.

You could use AD Explorer by Sysinternals (now M$) to get a good view of your ADs structure.

Properly ou works as groups (which also can nested)...

[dhardy]

Hi there,

I'm having trouble understanding what to feed the _ADGetMailboxPerms function.

The comments above the code are:

; _ADGetMailboxPerms

; Takes a mailbox and an array.

; Returns all SamIDs for non-inherited ACEs on the mailbox (stored in the specified array as SamIds)

; Can be filtered on an accessmask value (default = 1, full permissions)

Please can someone help me with an example of a 'mailbox' in this context. I have tried passing a SamID and a user FQDN to no avail.

Here is my code, which is very much a work in progress.

CODE

#include <adfunctions.au3>

#include <string.au3>

#include <array.au3>

#include <GUIConstants.au3>

#Region ### START Koda GUI section ### Form=c:\program files\autoit3\koda\forms\mailboxperms.kxf

$Form1 = GUICreate("Mailbox Permissions", 662, 546, 193, 115)

$Label1 = GUICtrlCreateLabel("Enter AD username:", 8, 16, 99, 17)

$Input1 = GUICtrlCreateInput("", 112, 16, 365, 21)

$Edit1 = GUICtrlCreateEdit("", 8, 88, 641, 289,$ES_MULTILINE+$WS_VSCROLL+$ES_READONLY)

GUICtrlSetData("$Edit1", "None")

GUICtrlSetData($Input1, "dhardy")

$Label2 = GUICtrlCreateLabel("These users have been granted backend permissions to this mailbox in AD:", 8, 56, 358, 17)

$Button1 = GUICtrlCreateButton("Quit", 536, 512, 121, 25, 0)

$Button2 = GUICtrlCreateButton("Check Mailbox Permissions", 500, 16, 153, 25, 0)

$Label3 = GUICtrlCreateLabel("Add this user with full permissions", 16, 400, 160, 17)

$Input2 = GUICtrlCreateInput("Input2", 184, 396, 249, 21)

$Button3 = GUICtrlCreateButton("Add User to Mailbox", 456, 394, 121, 25, 0)

$Input3 = GUICtrlCreateInput("Input2", 184, 440, 249, 21)

$Button4 = GUICtrlCreateButton("Remove Permissions", 456, 440, 121, 25, 0)

$Label4 = GUICtrlCreateLabel("Remove full permissions from:", 16, 448, 143, 17)

GUISetState(@SW_SHOW)

#EndRegion ### END Koda GUI section ###

While 1

$nMsg = GUIGetMsg()

Switch $nMsg

Case $GUI_EVENT_CLOSE

Exit

Case $Button1

Exit

Case $input1

updategui()

Case $Button2

updategui()

Case $button3

addusertomb()

Case $button4

remuserfrommb()

EndSwitch

WEnd

Func UpdateGUI ()

DIM $data2

$FQDN=_ADSamAccountNameToFQDN(guictrlread($Input1))

;MsgBox(1,"FQDN",$FQDN)

_ADGetMailboxPerms($FQDN,$data2)

_ArrayDisplay($data2)

EndFunc

Func addusertomb()

EndFunc

Func remuserfrommb()

EndFunc

Any thoughts on how to move this forward would be gratefully received ;-)

David

[water]

It doesn't work for me either. Maybe a question of limited Exchange Rights?

The following article shows a VBS example on how to query MailboxRights. If this doesn't work from your PC you could test it from your exchange server (but be careful!).

HTH

Thomas

[dave]

First off thanks to all who have contributed to this UDF as I am finding it to be very useful. I have one small problem that I was hope someone could

point me in the right direction.

If i run the following logged in minimal AD rights it works, but if I am logged in on a machine as local admin does not work. I also have tried setting

the alternate global username and password with no luck.

#include <adfunctions.au3>

$SN = 'v300-vmware'

;Check if computer account exists already

$PCE = _ADComputerExists($SN)

MsgBox(0,"pc was found if #1", $PCE&' '&$SN)

[water]

What version auf adfunctions.au3 do you use? I'm running version 3.1.3 and there is no _ADComputerExists. I would use _ADObjectExists.

Could you post the return code you get?

[dave]

I am running 3.1.6 it is in thread somewhere but def not on the first page.

Can anyone help me out on this,

If i run the following logged in minimal AD rights it works, but if I am logged in on a machine as local admin does not work. I also have tried setting

the alternate global username and password with no luck. I know this has something to do with right to AD just not sure how to fix, if I run this code as well as others like _ADGetObjectsInOU logged into computer with domain account works as should, but if not logged in with domain account does not seem to work. The only one I can get to work this way is _ADCreateComputer.

Error i get when logged in with local admin

We intercepted a COM Error!

Number is : 000000A9

Windesription is: Variable must be of type 'Object''

Script Line 1029

#include <adfunctions.au3>

$SN = 'v300-vmware'

;Check if computer account exists already

$PCE = _ADComputerExists($SN)

MsgBox(0,"pc was found if #1", $PCE&' '&$SN)

Edited February 11, 2009 by dave

[water]

I think your problem is the "Local Admin Account". As it says you'r local - no member of the domain. So therefore you can't access the AD. Please see http://www.autoitscript.com/forum/index.ph...mp;#entry572568 which explains it a bit better.

[dave]

Thanks water, I did not catch that before when I went through the thread. It is as expected authentication and now that I see how to connect to ad using alternate user id and pw I am all set. One thing I am unsure of is why the Alternate userid and pw in the adfunctions v3.1.6 do not seem to work.

[water]

I'm afraid I cant help you with the alternative userid and password because I've never used it myself.

[dave]

I just wanted to say thanks again to everyone who made this UDF possible. It is now one of my must have UDF's.

[visler]

I am trying to make a small script which can reset the user password (AD enviroment) and it is fine. Then i wanted to a test to find out if the user islocked and then unlock the user.

$sam = _ADSamAccountNametoFQDN("username")

msgbox(0,"test", "Result: " & _ADGetObjectAttribute($sam,"IsAccountLocked"))

But the result is always 0 - even using a locked user in username

Then i tried to just unlock the user without testing first.

$sam = _ADSamAccountNametoFQDN("username")

$result = _ADModifyAttribute($sam, "IsAccountLocked", "")

Then i get this error message in a pop-up

We intercepted a COM Error !

Number is:800401e3

Windescription is: event not avaible (translate from danish)

Script line number is: 260 (in adfunctions)

$oObject = ObjGet($ldap_entry) ; Retrieve the COM Object for the object

Why did i go wrong ? is "IsaccountLocked" not the attribute to use ?

[water]

Please search the forum for "isaccountlocked" and you'll find some replies to your question.

Good place to start is link.

[Graywalker]

Just added a little function here.... not sure why it didn't exist already... or I couldn't find it.

Func _ADGetFQDN($object)
local $ADFQDN
    $strQuery = "<LDAP://" & $strHostServer & "/" & $strDNSDomain & ">;(&(objectcategory=computer)(objectclass=computer)(cn="&$object&"));distinguishedName;subtree"
    $objRecordSet = $ObjConnection.Execute ($strQuery); Retrieve the FQDN, if it exists
    
    If $objRecordSet.RecordCount = 1 Then
        $ADFQND = $objRecordSet.fields(0).Value
        $objRecordSet = 0
        Return $ADFQND
    Else
        $objRecordSet = 0
        Return 0
    EndIf
EndFunc;==>_ADGetFQDN

[DrewC45]

Can anyone please show me where to look for Adfunctions.au3, have looked in the downloads section as well but failed to find it. Being new to the group I am not sure if I am missing something very simple. Thanks!

I am unable to get the ADGetUserGroups to work. It compiles fine, then just does nothing. Can someone please look at this?

; _ADGetUserGroups

; the currently logged on user is a member of. Returns an array of Full DNs of the Group names that the user is immediately a member of

; with element 0 containing the number of groups.

; $user - optional -- SamAccountName of a user, defaults to locally logged on user

Func _ADGetUserGroups(ByRef $usergroups, $user = @UserName)

Local $oUsr

$strQuery = "<LDAP://" & $strHostServer & "/" & $strDNSDomain & ">;(sAMAccountName=" & $user & ");ADsPath;subtree"

$objRecordSet = $objConnection.Execute ($strQuery) ; Retrieve the FQDN for the logged on user

$ldap_entry = $objRecordSet.fields (0).value

$oUsr = ObjGet($ldap_entry) ; Retrieve the COM Object for the logged on user

$usergroups = $oUsr.GetEx ("memberof")

$oUsr = 0

$count = UBound($usergroups)

_ArrayInsert($usergroups, 0, $count)

EndFunc ;==>_ADGetUserGroups

[water]

I am unable to get the ADGetUserGroups to work.

Do you use the adfunctions.au3 or have you copied and modified your own version of _ADGetuserGroups?

The line

$oUsr = ObjGet($ldap_entry) ; Retrieve the COM Object for the logged on useroÝ÷ Ú)æÊ÷«²*'¡ö~éܶ*'±«·$²X¤y«­¢+ØÀÌØí½UÍÈô}=©Ð ÀÌØí±Á}¹ÑÉä¤ìIÑÉ¥ÙÑ¡
=4=©Ð½ÈÑ¡±½½¸ÕÍÈ

My adfunctions.au3 is 3.1.6 downloaded from here.

[DrewC45]

Do you use the adfunctions.au3 or have you copied and modified your own version of _ADGetuserGroups?

The line

$oUsr = ObjGet($ldap_entry) ; Retrieve the COM Object for the logged on useroÝ÷ Ú)æÊ÷«²*'¡ö~éܶ*'±«·$²X¤y«­¢+ØÀÌØí½UÍÈô}=©Ð ÀÌØí±Á}¹ÑÉä¤ìIÑÉ¥ÙÑ¡
=4=©Ð½ÈÑ¡±½½¸ÕÍÈ

My adfunctions.au3 is 3.1.6 downloaded from here.

Ok, I changed it to ADObjGet and it still doesn't do anything. I am not familiar enough with it yet to know if I have to have something to output it from the array. When doing the _ArrayInsert at the end of the function should it pop up with the information or do I have to have something to show the data that it pulled? Thanks for the input.

#include <Array.au3>

Func _ADGetUserGroups(ByRef $usergroups, $user = @UserName)

Local $oUsr

$strQuery = "<LDAP://" & $strHostServer & "/" & $strDNSDomain & ">;(sAMAccountName=" & $user & ");ADsPath;subtree"

$objRecordSet = $objConnection.Execute($strQuery); Retrieve the FQDN for the logged on user

$ldap_entry = $objRecordSet.fields(0).value

$oUsr = _ADObjGet($ldap_entry); Retrieve the COM Object for the logged on user

$usergroups = $oUsr.GetEx("memberof")

$oUsr = 0

$count = UBound($usergroups)

_ArrayInsert($usergroups, 0, $count)

EndFunc ;==>_ADGetUserGroups

[water]

Could you please run the following code and post the results?

#include <adfunctions.au3>
Global $asUsergroups
_ADGetUserGroups($asUsergroups)
_ArrayDisplay($asUsergroups)