Active Directory Scripts

[water]

Hi arcker,

thanks for your fast answer!

I searched the web and found a site (http://www.tools4net.de/doc/ad.htm - unfortunately in german) where all the AD attributes are listed. Description is one of these that can have multiple values.

Even when there is only one value for this attribute _ADGetObjectsInOU doesn't return it.

Therefore I'll have to use _ADGetObjectAttribute(<samaccountname>,"description")

Thanks for your help

Thomas

[water]

I have been trying to use the _ADCreateUser() part of ADFunctions.au3, version 3.1.6 ...

Where did you find version 3.1.6? At the download area there seems to be version 3.1.3

[rogerd2u]

This is a tremendous utility!! I've been looking for something like this for a long time!!

I'd really appreciate it if someone would show me how to generate a report (using this utility, of course) that could show: All Computers in AD, All Active User Accounts in AD, All disabled computer accounts, All disabled user accounts, etc.)

[robilev]

Hello,

When I'm running my script I use _ADObjectExists.

I have the following error:

1. If I'm using this function more than ~3900 times, then I get an error (com error 0x000000a9).

2. If' I'm running the function for 3000 times, than close the program and running it again then it's OK.

3. If' I'm running the function for 3000 times, and then running it again without closing the program, then it fails again with the same error.

* This error occurs in several AD environments (Some AD environment are OK)

Please Help

[water]

I'd really appreciate it if someone would show me how to generate a report (using this utility, of course) that could show: All Computers in AD, All Active User Accounts in AD, All disabled computer accounts, All disabled user accounts, etc.)

First you'll have to create the LDAP queries, then use _ADGetObjectsInOU (Returns a filtered list of objects and attributes in a given OU)

_ADGetObjectsInOU($asUser, $sOU, "(&(objectCategory=user)(!department=*))", 2, "department,cn,distinguishedName,sAMAccountName")

This selects all users in $sOU where the field "department" is set. Every line in array $asUser will consist of 4 columns.

For some LDAP examples please see post. A very valuable tool to explore your AD is ADExplorer from Sysinternals (now M$).

Before calling a function from adfunctions.au3 please please have a look at the code because some functions need a sAMAccountName, others need a FQDN - so you might have to translate using _ADDNToSamAccountName or _ADSamAccountNameToFQDN.

If you have further questions, just drop me a note.

Edited December 2, 2008 by water

[water]

Hi robilev,

I noticed the same problem. I had to put a Sleep(100) after each call to AD then the problem went away.

HTH

Thomas

[robilev]

Hi robilev,

I noticed the same problem. I had to put a Sleep(100) after each call to AD then the problem went away.

HTH

Thomas

Thank you very much.

I'll try it and notify you about the results.

[Graywalker]

If anyone has any suggestions of other AD Functions they would like to see, or that they would like to share, then let me know.

I am always having to create scripts to search through AD for all the computers on the domain and then do something with them - usually pull some random information the bosses think is vitally important to know asap.

I mostly do this with VBScript, but I am liking AutoIT a whole lot more. About to begin trying to do it a bit easier in AutoIT, cause my VBScript uses manually input OUs to search through....

[rogerd2u]

Here's what I would like to do (using these functions), but I'm clueless at how to make it happen

- Get a list of all disabled user accounts in AD

- Take that list and check to see if the user is in any security or distribution groups

- If so, remove them from all those groups

Anyone have something like that they would care to share?????

[water]

To get information out of the AD you have to create a LDAP query. When you feed this query to _ADGetObjectsInOU you get an array of all objects.

To get all disabled users I have found the following LDAP query to work.

(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))

See this link for further information. This link lists the useraccount enumeration.

So the adfunctions call would look like:

_ADGetObjectsInOU($asUser, $sOU, "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))", 2, "department,cn,distinguishedName,sAMAccountName")oÝ÷ Ù8^jºÚËMújÅ,z¼"W(Ȭ¶íç(駱שj»fz{ج¶)àº+!yÓZæ§vÀÇ(º{Mjg¨}ëÞ¯'b±¦åyÖr§·Mú¢èZ²Úyø¥çpØmë-j»bz
7ê

Please have a look at every function in adfunctions.au3 because there you see the format of the parameters the function requires (sAMAccountname or FQDN)

I always recommend ADExplorer from www.sysinternals.com (now M$). For further sources please search the forum for my older postings (LDAP queries etc.)

[rogerd2u]

Thank you very much, Water. I will go through this information and see if I can make it work to meet my needs.

To get information out of the AD you have to create a LDAP query. When you feed this query to _ADGetObjectsInOU you get an array of all objects.

To get all disabled users I have found the following LDAP query to work.

(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))

See this link for further information. This link lists the useraccount enumeration.

So the adfunctions call would look like:

_ADGetObjectsInOU($asUser, $sOU, "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))", 2, "department,cn,distinguishedName,sAMAccountName")oÝ÷ Ù8^jºÚËMújÅ,z¼"W(Ȭ¶íç(駱שj»fz{ج¶)àº+!yÓZæ§vÀÇ(º{Mjg¨}ëÞ¯'b±¦åyÖr§·Mú¢èZ²Úyø¥çpØmë-j»bz
7ê

Please have a look at every function in adfunctions.au3 because there you see the format of the parameters the function requires (sAMAccountname or FQDN)

I always recommend ADExplorer from www.sysinternals.com (now M$). For further sources please search the forum for my older postings (LDAP queries etc.)

[robilev]

Hi robilev,

I noticed the same problem. I had to put a Sleep(100) after each call to AD then the problem went away.

HTH

Thomas

Your solution have solved my problem.

Thank you very much.

[rogerd2u]

WISH LIST FOR ADFUNCTIONS:

1.) I would like to see a function that will force a password change for a specified user -- sets the "User must change password at next login" checkbox.

2.) I would like to see a function that will check if the account is locked out.

3.) I would like to see a function that will allow you to unlock a user account.

Anyone already have these functions and wish to share?!?

Edited December 27, 2008 by rogerd2u

[DenisMunhoz]

Please...

There is a function to reset a computer account (only reset)?

Tks!

[visler]

hi..

I am all new to autoit and is trying to use the adfunctions.au3 and my problem is properly very basic.

When is try to get all user in a group i get an error in line 418 - Error Object referenced outside a "with" statement.

$membersadd = $objrecordset.fields(0).Value

$membersadd = $objrecordset.fields(0)^Error.

I have declared

dim $test[1500]

and is calling _adgetgroupMembers like this and ad_dlh is a group with in our ad (univeral, security)

$group = "ad_dlh"

_ADGetGroupMembers ($test, $group)

[water]

For _ADGetGroupMembers you'll need the Full Qualified Domain Name (FQDN). You provide the sAMAccountName. Use _ADSamAccountNameToFQDN to convert a sAMAccountName to a FQDN. So your call would look like:

_ADGetGroupMembers($test,_ADSamAccountNameToFQDN($group))

[visler]

For _ADGetGroupMembers you'll need the Full Qualified Domain Name (FQDN). You provide the sAMAccountName. Use _ADSamAccountNameToFQDN to convert a sAMAccountName to a FQDN. So your call would look like:

_ADGetGroupMembers($test,_ADSamAccountNameToFQDN($group))

Thx - it works :-)

[visler]

Can i also get a list of all ou's using this ? or ?

I wanna present at list of posible ou's to user to select from before creating a user

[water]

I haven't done it myself but you use try _ADGetGroupMemberOf

[visler]

I haven't done it myself but you use try _ADGetGroupMemberOf

I dont se how, i wanna list avaible ou's for a user when creating a new user. So i have no group or user to retrive from