JAaron Anderson
asked on
HOWTO use VBScript to add to an AD Group association
I am trying to piece together VBScripts but it's not working...
please help! I'd like to do the following:
1) user clicks on batch file on their desktop
2) user is prompted to "login" his/her un/pw that remote binds to AD
3) AD context is matched for submitted username for authentication "authorization"
4) if in target SA group authenticate password else drop BIND
5) if right password state MsgBox they are in now prompt a field for username to add
6) authenticated user enters the target username and clicks [ADD]
7) the username is then added to the static perpetual hidden group
8) MsgBox confirmation to authorised user the user has been successfully added
9) authenticated user clicks [exit] button under confirmation text
10) dump session / housekeeping... etc.
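An added example, not the thread's own script: it implements the ten-step flow above with the ADSI WinNT provider the thread settles on, takes the login in the DOMAIN\username form that turned out to be required, and fails closed on any error instead of reporting a successful login when a field is left empty. The domain and group names are placeholders.

```vbscript
Option Explicit
' Added example, not the thread's script: authenticate the operator against AD
' with the ADSI WinNT provider, require membership in the SA group, then add a
' target user to the hidden group. Domain and group names are placeholders.
Const ADS_SECURE_AUTHENTICATION = &H1
Dim strDomain, strSAGroup, strHiddenGroup
strDomain      = "WinNT://EXAMPLEDOM"   ' NetBIOS domain name, not an LDAP DN
strSAGroup     = "SAOperators"          ' WinNT provider takes plain object names
strHiddenGroup = "HiddenStaticGroup"
Sub Fail(strStep)  ' fail closed: any error ends the script before the Add
    WScript.Echo strStep & " failed (0x" & Hex(Err.Number) & "): " & Err.Description
    WScript.Quit 1
End Sub
Dim strUser, strPassword, strTarget, arrParts, blnMember
strUser = InputBox("Login as DOMAIN\username:", "Authenticate")
arrParts = Split(strUser, "\")
If UBound(arrParts) <> 1 Or Len(arrParts(1)) = 0 Then
    WScript.Echo "Cancelled, or username not given as DOMAIN\username."
    WScript.Quit 1
End If
strPassword = InputBox("Password (InputBox cannot mask it):", "Authenticate")
If Len(strPassword) = 0 Then WScript.Quit 1
' Bind with the supplied credentials; a wrong password or unreachable domain
' surfaces here (e.g. 0x8007054B = ERROR_NO_SUCH_DOMAIN), not at the Add.
Dim objDomain, objSAGroup, objUser, objHiddenGroup, objTarget
On Error Resume Next
Set objDomain = GetObject("WinNT:").OpenDSObject(strDomain, strUser, strPassword, _
                                                 ADS_SECURE_AUTHENTICATION)
If Err.Number <> 0 Then Fail "Bind"
' Authorization: objects fetched through objDomain reuse the bound credentials,
' so this also works from a workstation that is not joined to the domain.
Set objSAGroup = objDomain.GetObject("Group", strSAGroup)
If Err.Number <> 0 Then Fail "Locating " & strSAGroup
Set objUser = objDomain.GetObject("User", arrParts(1))
If Err.Number <> 0 Then Fail "Locating user " & arrParts(1)
blnMember = objSAGroup.IsMember(objUser.ADsPath)  ' assign first: an error in
If Err.Number <> 0 Or blnMember <> True Then      ' an If condition is skipped
    WScript.Echo "Authenticated, but " & strUser & " is not in " & strSAGroup & "."
    WScript.Quit 1
End If
strTarget = InputBox("Username to add to " & strHiddenGroup & ":", "Add member")
If Len(strTarget) = 0 Then WScript.Quit 0
Set objHiddenGroup = objDomain.GetObject("Group", strHiddenGroup)
If Err.Number <> 0 Then Fail "Locating " & strHiddenGroup
Set objTarget = objDomain.GetObject("User", strTarget)
If Err.Number <> 0 Then Fail "Locating user " & strTarget
objHiddenGroup.Add objTarget.ADsPath
If Err.Number <> 0 Then Fail "Add"
MsgBox strTarget & " added to " & strHiddenGroup & ".", vbInformation, "Done"
```

The account that binds needs write access to the hidden group's membership; the SA-group check is the script's own authorization gate, not a substitute for that ACL.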
ASKER
If I do not populate the fields and go through the flow of the popups I get the login successful pop up :S I think the Error Number = 0 isn't catching somewhere...
maybe nest all of the operations within something like:
' Refuse to continue when the login field is empty or still holds the placeholder
If Len(strUser) = 0 Or strUser = "domain\username" Then
    WScript.Echo "Please list your Domain and Username to authenticate to perform operations"
Else
    ' ... all other code here ...
End If
ASKER
Rob, I REALLY love your script. I'm learning a lot studying it... it looks VERY promising... do you know how we can ****star-out*** user input for them typing in their password?
I'm still testing but not getting the right sequence I guess for authentication of "domain\username" against my LIVE AD
ASKER
on line 3 should
strDomain = "WinNT://beMyVanity.MyDomain.tld" '''' is this right to type in?
'''' or since it's asking for Domain, I should just type o=MyForrest?
ASKER
I'm hitting against an Active Directory 2003... Should I do WinNT:// or LDAP:// on line 3?
ASKER
After studying the code perhaps "domain\username" just means ONLY type in your username "handle"?
also for the variables in line 1 and 2 do I merely type in the names as shown? or do they need to be in DN syntax... e.g. cn=myGroup,ou=subcontext,ou=context,o=MyDomain
ASKER
I did a little more studying...
line 3 strDomain = "WinNT://YourDomain" ' should be my complete AD controller right?
then in line 5 when prompted "domain\username" equates to
myForrest.website.tld\cn=username,ou=subcontext,ou=context,o=domain
ASKER
I took contexts out of strSAGroup & strHiddenGroup variable and simply listed names of Groups as if they were merely assigned string char parameters
...
I can ping the target AD server from my local workstation running the vbs script
...
For strDomain stored value I've tried both just the server name and also the AD Domain
tried 1: "WinNT://myServerName.widener.edu"
tried 2: "WinNT://myServerName.myADDomain.widener.edu"
...
still same error...
...
also if you just click cancel out of the process the login successful prompt appears out of proper workflow... could this unexpected Error handling behavior be an indicator of something else on the connection not flowing as expected ordered procedure for line 17 Set objGroup = objDomain.GetObject("Group", strSAGroup)
maybe it's not getting to this even?
I'll try to echo out this to see if it's populated during procedure flow today...
ASKER
a word on my values for strSAGroup & strHiddenGroup
they are nested in independent subdirectory organization units from one another not flat domain context. that should be anything to do with not finding it right? ... for instance:
strSAGroup is:
cn=mySAGroup,ou=SA,o=myDomain
&
strHiddenGroup is:
cn=myHiddenGroup,ou=nestedSubDir2,ou=subDir1,o=myDomain
ASKER
Should I be using LDAP:// not WinNT://?
http://msdn.microsoft.com/en-us/library/aa772352%28v=vs.85%29.aspx
ASKER
ok here's what's weird...
If I run "localhost" on the AD Server I am able to Add...
I cannot from my workstation :S
I cannot connect to WinNT://Ad.Widener.Edu
YET it is the ONLY way it seems to connect to get the script to work local on the Server?!
When I try from my workstation WinNT://Ad.Ad.Widener.Edu,
I can connect but it doesn't find for me the SAGroup....
could this be a required secure connection issue? thx
ASKER
I also found could it be anything like a workstation permission thing like the user I am logged into on the local workstation does not have the same permission levels we are trying to bind the SA account with in order to run the process ? could this be some of the issue with the remote procedure call ?
Hmmm, this works for me from any machine within my domain, both while running the script logged in as a domain user, and also logged in as a local user. I haven't taken a machine off the domain yet for testing, but I can do that if required.
The reason that I have used the WinNT bind is because even after binding to the group using LDAP, it doesn't provide access to the properties and methods of that group, such as .Members (to check group membership) or .Add (to add a user to the group). Sure you can bind, but you can't do anything more with it, as far as I know just yet. I might dig something up, but for now, I don't know any other way....
Rob.
ASKER
>> I haven't taken a machine off the domain
yes our machines will not be on that secure Domain... ever.
maybe that's what it is...
I'm researching an ADO try next
np on SA I made it a group... so that's ok some functionality compromise I can flex there but not on the workstation NOT being a member of the Domain.
thanks for looking into this I'll place ADO code on once I work it out more... if that's a direction our minds wanna pursue...
ASKER
welp one good thing trying the script above tells me I think is that I cannot use LDAP
when I ran it I get this error: Error -2147023541
http://www.novell.com/support/viewContent.do?externalId=7940298&sliceId=1
Root Cause: The user was attempting to extend the AD schema from a workstation, but it can only be extended on a Domain Controller.
Huh? You're using Novell? Thought this was Active Directory.
Chris
Novell??? If you *are* using Novell.....I have no idea I'm afraid.
ASKER
I'm not using Novell I'm using AD2003 Domain
hence original WinNT statements were working fine when ran on DomainController Server
Now my colleagues are moving me to an ActiveDirectory2008 server
so we'll see if that helps Monday
the biggest thing is I wonder why I can't seem to remote Add to a target group...
Ah okay, it's just you looked up the error code on Novell, it's unlikely to help :)
Is the error returned on the objHiddenGroup.Add line above?
And does the ADSPath returned include the server connection string? Or just a string like this:
LDAP://CN=User Name,OU=somewhere,DC=domain,DC=com
Chris
ASKER
how would I know that to tell you? I'm getting path not found running configured remote code from post ID:36015090
thx Chris/Rob
ASKER
I even went and moved my groups to o=topDomainlevel and also tried DN=topDomainlevel and still get same error :S
ASKER
>>a long used function of mine to find the groups
used remote or local ?
I get 80040e09 code error on line 129 :[
' Set adoRecordset = adoCommand.Execute'
I just took one of my computers off the domain (but still on the same local network), and the script worked fine for me.
Rob.
ASKER
ok I'll try these two and report if it makes any difference thx
ASKER
I tried it and no success I wonder what streamed port this is traveling over... I of course tried installing active ports on Win7 and I get an open memory error.. aggh.
ASKER
I learned about Netlogon.log
enabled: nltest /dbflag:0x2000ffff
I watched the Netlogon.log on the DomainController Server and nothing about me reports when I try to connect with the script from my local computer... nothing lists not my ip nor anything...
so I disabled netlogon again: Nltest.exe/DBFLAG:0
ASKER
... so I wonder if I'm even able to get to the box?
I can authenticate against it as a user, I can ping it... just can't seem to run this script remotely.
ASKER
good thought Rob, I am an admin see attached image snippet
admin.jpg
ASKER
It works finally thx...
I had to also add "AD0\" in front of my username when I attempt to authenticate, now it works...
ASKER
very patient with me stressing out.. thx Rob & Chris
No problem. Glad we got there..... AD0....I assume that's your domain name....didn't you try that already, or was it the combination of the "Run as administrator" as well?
Rob.
ASKER
In studying this code, what is the user syntax for input on line 5 "domain\username"?
is it the entire DN? cn=username,ou=context,ou=
like that?
or rather mydomain\username as asked? I'll try everything to see what works
thx for clarification