JAaron Anderson

asked on

HOWTO use VBScript to add to an AD Group association

I am trying to piece together VBScripts but it's not working...

Please help! I'd like to do the following:

1) user clicks on batch file on their desktop
2) user is prompted to "login" with his/her un/pw that remote binds to AD
3) AD context is matched for submitted username for authentication "authorization"
4) if in target SA group authenticate password else drop BIND
5) if right password state MsgBox they are in, now prompt a field for username to add
6) authenticated user enters the target username and clicks [ADD]
7) the username is then added to the static perpetual hidden group
8) MsgBox confirmation to authorised user that the user has been successfully added
9) authenticated user clicks [exit] button under confirmation text
10) dump session / housekeeping... etc.
ASKER CERTIFIED SOLUTION
RobSampson

This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER

I am investigating...
In studying this code, what is the user syntax for input on line 5 "domain\username"?

Is it the entire DN? cn=username,ou=context,ou=context,o=domain
like that?
Or rather mydomain\username as asked? I'll try everything to see what works.
Thx for clarification.
If I do not populate the fields and go thru the flow of the popups I get the "login successful" pop-up :S I think the Error Number = 0 isn't catching somewhere...

maybe nest all of the operations within something like:
If Len(strUser) = 0 Or strUser = "domain\username" Then
          WScript.Echo "Please list your Domain and Username to authenticate to perform operations"
Else
            ' ... all other code here ...
End If
Rob, I REALLY love your script. I'm learning a lot studying it... it looks VERY promising... do you know how we can ****star-out*** user input for them typing in their password?


I'm still testing but not getting the right sequence, I guess, for authentication of "domain\username" against my LIVE AD.
On line 3, should
strDomain = "WinNT://beMyVanity.MyDomain.tld" '''' is this right to type in?
'''' or since it's asking for Domain, should I just type o=MyForrest ?
I'm hitting against an Active Directory 2003... Should I do WINNT:// or LDAP:// on line 3?
After studying the code perhaps "domain\username" just means ONLY type in your username "handle"?

Also, for the variables in line 1 and 2 do I merely type in the names as shown? Or do they need to be in DN syntax... e.g. cn=myGroup,ou=subcontext,ou=context,o=MyDomain
I did a little more studying...

line 3 strDomain = "WinNT://YourDomain" ' should be my complete AD controller right ?

then in line 5 when prompted "domain\username" equates to
myForrest.website.tld\cn=username,ou=subcontext,ou=context,o=domain
When I try assigning line 3 ::     strSAGroup = "SA"
or in full DN context, either does not work; I get this error

SOLUTION
I took contexts out of the strSAGroup & strHiddenGroup variables and simply listed names of Groups as if they were merely assigned string char parameters
...
I can ping the target AD server from my local workstation running the vbs script
...
For the strDomain stored value I've tried both just the server name and also the AD Domain
tried 1: "WinNT://myServerName.widener.edu"
tried 2: "WinNT://myServerName.myADDomain.widener.edu"
...
still same error...
...
Also, if you just click Cancel out of the process, the "login successful" prompt appears out of the proper workflow... could this unexpected error-handling behavior be an indicator of something else on the connection not flowing in the expected order before line 17: Set objGroup = objDomain.GetObject("Group", strSAGroup)?

maybe it's not even getting to this?

I'll try to echo this out to see if it's populated during the procedure flow today...
a word on my values for strSAGroup & strHiddenGroup:
they are nested in independent subdirectory organizational units from one another, not flat domain context. That shouldn't have anything to do with not finding it, right? ... for instance:

strSAGroup is:
cn=mySAGroup,ou=SA,o=myDomain

&


strHiddenGroup is:
cn=myHiddenGroup,ou=nestedSubDir2,ou=subDir1,o=myDomain
I ran it ON my LIVE AD server and got further!

I got to the line getting the group but errored again :[ code 80070035

line 29:      Set objGroup = objDomain.GetObject("Group", strSAGroup)
all I have for that line is line 1 strSAGroup = "SA"
ok here's what's weird...

If I run "localhost" on the AD Server I am able to Add...
I cannot from my workstation :S

I cannot connect to WinNT://Ad.Widener.Edu
YET it is the ONLY way it seems to connect to get the script to work locally on the Server?!

When I try from my workstation WinNT://Ad.Ad.Widener.Edu ,
I can connect but it doesn't find the SAGroup for me....

could this be a required secure connection issue? thx
I also wondered, could it be anything like a workstation permission thing, like the user I am logged in as on the local workstation does not have the same permission levels as the SA account we are trying to bind with in order to run the process? Could this be some of the issue with the remote procedure call?
Hmmm, this works for me from any machine within my domain, both while running the script logged in as a domain user, and also logged in as a local user.  I haven't taken a machine off the domain yet for testing, but I can do that if required.

The reason that I have used the WinNT bind is because even after binding to the group using LDAP, it doesn't provide access to the properties and methods of that group, such as .Members (to check group membership) or .Add (to add a user to the group).  Sure you can bind, but you can't do anything more with it, as far as I know just yet.  I might dig something up, but for now, I don't know any other way....

Rob.
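The flow the asker laid out in the original post (prompt for DOMAIN\username and a password, bind with those credentials, refuse unless the caller is in the SA group, then add the named user to the hidden group), together with the WinNT-provider binding Rob describes in the reply above, written out as an added VBScript example. This is not Rob's script or any other code from this thread. Domain, group and user names are placeholders; the ScriptPW.Password object used for masked password entry is assumed to be present (it ships with XP/2003 only, and needs cscript.exe), with a plain InputBox as fallback. The point worth noting is that Err.Number is checked immediately after OpenDSObject, so a failed or cancelled login stops the script instead of falling through to the success message.

```vbscript
Option Explicit
' Added example, not code from this thread. All names below are placeholders.
Const ADS_SECURE_AUTHENTICATION = 1   ' ADS_AUTHENTICATION_ENUM value honoured by the WinNT provider

Dim strDomain, strSAGroup, strHiddenGroup
strDomain      = "WinNT://YOURDOMAIN"   ' placeholder: NetBIOS domain name (or a DC name)
strSAGroup     = "SA"                   ' placeholder: callers must belong to this group
strHiddenGroup = "HiddenGroup"          ' placeholder: group the target user is added to

Dim strLogin, strPassword, strCaller, strTarget
Dim objNS, objDomain, objSAGroup, objHiddenGroup, objCaller, objTarget

' Step 2: prompt for DOMAIN\username; refuse the placeholder text or an empty/cancelled box
strLogin = InputBox("Enter your login as DOMAIN\username", "Authenticate", "domain\username")
If Len(strLogin) = 0 Or InStr(strLogin, "\") = 0 Or LCase(strLogin) = "domain\username" Then
    WScript.Echo "Please enter your domain and username to authenticate."
    WScript.Quit 1
End If
strPassword = ReadPassword()
If Len(strPassword) = 0 Then WScript.Quit 1

' Steps 3-4: bind with the supplied credentials; a wrong password raises an error here
Set objNS = GetObject("WinNT:")
On Error Resume Next
Set objDomain = objNS.OpenDSObject(strDomain, strLogin, strPassword, ADS_SECURE_AUTHENTICATION)
If Err.Number <> 0 Then
    WScript.Echo "Bind to " & strDomain & " failed: 0x" & Hex(Err.Number) & " " & Err.Description
    WScript.Quit 1
End If
' Authorisation: the caller must already be a member of the SA group
Set objSAGroup = objDomain.GetObject("Group", strSAGroup)
strCaller = Mid(strLogin, InStr(strLogin, "\") + 1)
Set objCaller = objDomain.GetObject("User", strCaller)
If Err.Number <> 0 Then
    WScript.Echo "Cannot read group or user: 0x" & Hex(Err.Number) & " " & Err.Description
    WScript.Quit 1
End If
On Error GoTo 0
If Not objSAGroup.IsMember(objCaller.ADsPath) Then
    WScript.Echo "Authenticated, but " & strCaller & " is not a member of " & strSAGroup & "."
    WScript.Quit 1
End If

' Steps 5-8: the authorised caller names the user to add
strTarget = InputBox("Login successful. Enter the username to add to " & strHiddenGroup, "Add user")
If Len(strTarget) = 0 Then WScript.Quit 0
On Error Resume Next
Set objHiddenGroup = objDomain.GetObject("Group", strHiddenGroup)
Set objTarget = objDomain.GetObject("User", strTarget)
If Err.Number <> 0 Then
    WScript.Echo "Cannot find group or user: 0x" & Hex(Err.Number) & " " & Err.Description
    WScript.Quit 1
End If
If objHiddenGroup.IsMember(objTarget.ADsPath) Then
    WScript.Echo strTarget & " is already a member of " & strHiddenGroup & "."
Else
    objHiddenGroup.Add objTarget.ADsPath          ' IADsGroup.Add takes the member's ADsPath
    If Err.Number <> 0 Then
        WScript.Echo "Add failed: 0x" & Hex(Err.Number) & " " & Err.Description
        WScript.Quit 1
    End If
    WScript.Echo strTarget & " was added to " & strHiddenGroup & " by " & strLogin & "."
End If
On Error GoTo 0

' Step 10: housekeeping; the password only ever lives in this process
strPassword = ""
Set objDomain = Nothing

Function ReadPassword()
    ' ScriptPW.Password (XP/2003, console only) masks the typed password;
    ' elsewhere fall back to an InputBox, which cannot mask input.
    Dim objPW
    On Error Resume Next
    Set objPW = CreateObject("ScriptPW.Password")
    If Err.Number = 0 Then
        WScript.StdOut.Write "Password: "
        ReadPassword = objPW.GetPassword()
        WScript.StdOut.WriteLine ""
    Else
        Err.Clear
        ReadPassword = InputBox("Enter your password (masked input is not available here)", "Authenticate")
    End If
    On Error GoTo 0
End Function
```

Run it with cscript.exe so the masked prompt has a console to read from. Because everything after OpenDSObject is fetched through objDomain, the SA and hidden-group lookups and the Add all run under the caller's credentials rather than those of the logged-on workstation user, which is the authorisation model the original post asks for. The WinNT provider reaches the domain controller over the SMB/RPC Net* interface, not LDAP, so a workstation that cannot open that channel to the DC will fail at the bind even though it can ping the server.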
SOLUTION
>> I haven't taken a machine off the domain

yes, our machines will not be on that secure Domain... ever.
maybe that's what it is...

I'm researching an ADO try next

np on SA, I made it a group... so that's ok, some functionality compromise I can flex there, but not on the workstation NOT being a member of the Domain.

thanks for looking into this. I'll post ADO code once I work it out more... if that's a direction our minds wanna pursue...
SOLUTION
welp, one good thing trying the script above tells me, I think, is that I cannot use LDAP
when I ran it I get this error: Error -2147023541
http://www.novell.com/support/viewContent.do?externalId=7940298&sliceId=1

Root Cause: The user was attempting to extend the AD schema from a workstation, but it can only be extended on a Domain Controller.
Huh? You're using Novell? Thought this was Active Directory.

Chris
Novell???  If you *are* using Novell.....I have no idea I'm afraid.
I'm not using Novell; I'm using an AD2003 Domain,
hence the original WinNT statements were working fine when run on the DomainController Server.

Now my colleagues are moving me to an ActiveDirectory2008 server
so we'll see if that helps Monday

the biggest thing is I wonder why I can't seem to remotely Add to a target group...

Ah okay, it's just you looked up the error code on Novell, it's unlikely to help :)

Is the error returned on the objHiddenGroup.Add line above?

And does the ADSPath returned include the server connection string? Or just a string like this:

LDAP://CN=User Name,OU=somewhere,DC=domain,DC=com

Chris
how would I know that to tell you? I'm getting "path not found" running the configured remote code from post ID:36015090

thx Chris/Rob
I even went and moved my groups to o=topDomainlevel and also tried DN=topDomainlevel and still get the same error :S
SOLUTION
SOLUTION
>> a long used function of mine to find the groups
used remote or local?
I get 80040e09 code error on line 129 :[
' Set adoRecordset = adoCommand.Execute'
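An ADO query against AD through the LDAP provider, as an added example; it is not the group-finding function quoted above (which is in a members-only post and not visible here). It binds with explicit credentials via the ADsDSOObject provider, escapes the group name before placing it in the LDAP filter so a typed name cannot alter the query, and checks Err directly after Execute so a failing query reports its HRESULT (the 80040e09 above would surface at that point) instead of continuing with an invalid recordset. Server, base DN, group name and credentials are placeholders.

```vbscript
Option Explicit
' Added example, not code from this thread. Server, base DN, group and credentials are placeholders.
Const ADS_SECURE_AUTHENTICATION = 1

Dim strServer, strBaseDN, strGroupName, strLogin, strPassword
strServer    = "dc01.example.com"          ' placeholder: a domain controller
strBaseDN    = "DC=example,DC=com"         ' placeholder: search base
strGroupName = "SA"                        ' placeholder: group to look up by cn or sAMAccountName
strLogin     = "EXAMPLE\serviceacct"       ' placeholder: account used for the LDAP bind
strPassword  = InputBox("Password for " & strLogin, "LDAP bind")

' Escape the characters that have meaning in an LDAP filter (RFC 4515) so a
' user-supplied name cannot change the structure of the query.
Function EscapeLdapFilter(ByVal s)
    s = Replace(s, "\", "\5c")
    s = Replace(s, "*", "\2a")
    s = Replace(s, "(", "\28")
    s = Replace(s, ")", "\29")
    s = Replace(s, Chr(0), "\00")
    EscapeLdapFilter = s
End Function

Dim adoConnection, adoCommand, adoRecordset, arrMembers, i
Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Properties("User ID") = strLogin
adoConnection.Properties("Password") = strPassword
adoConnection.Properties("Encrypt Password") = True
adoConnection.Properties("ADSI Flag") = ADS_SECURE_AUTHENTICATION
On Error Resume Next
adoConnection.Open "Active Directory Provider"
If Err.Number <> 0 Then
    WScript.Echo "LDAP bind failed: 0x" & Hex(Err.Number) & " " & Err.Description
    WScript.Quit 1
End If
On Error GoTo 0

Set adoCommand = CreateObject("ADODB.Command")
adoCommand.ActiveConnection = adoConnection
' <base>;filter;attributes;scope form of an ADSI query
adoCommand.CommandText = "<LDAP://" & strServer & "/" & strBaseDN & ">;" & _
    "(&(objectCategory=group)(|(cn=" & EscapeLdapFilter(strGroupName) & ")" & _
    "(sAMAccountName=" & EscapeLdapFilter(strGroupName) & ")));" & _
    "distinguishedName,member;subtree"
adoCommand.Properties("Page Size") = 500

On Error Resume Next
Set adoRecordset = adoCommand.Execute
If Err.Number <> 0 Then
    ' Report the HRESULT here rather than touching an invalid recordset
    WScript.Echo "Query failed: 0x" & Hex(Err.Number) & " " & Err.Description
    WScript.Quit 1
End If
On Error GoTo 0

If adoRecordset.EOF Then
    WScript.Echo "No group named " & strGroupName & " under " & strBaseDN
Else
    WScript.Echo "Group DN: " & adoRecordset.Fields("distinguishedName").Value
    arrMembers = adoRecordset.Fields("member").Value      ' Null when the group has no members
    If Not IsNull(arrMembers) Then
        For i = LBound(arrMembers) To UBound(arrMembers)
            WScript.Echo "  member: " & arrMembers(i)
        Next
    End If
End If
adoRecordset.Close
adoConnection.Close
strPassword = ""
```

The LDAP provider talks to the DC on TCP 389 (636 for LDAPS), whereas the WinNT provider used earlier in the thread goes through the SMB/RPC Net* interface; a workstation that can reach one may be blocked from the other, so comparing which of the two binds succeeds from the non-domain-joined machine narrows down whether the problem is network reachability or the account's rights.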

SOLUTION
I just took one of my computers off the domain (but still on the same local network), and the script worked fine for me.

Rob.
SOLUTION
ok, I'll try these two and report if it makes any difference thx
I tried it and no success. I wonder what streamed port this is traveling over... I of course tried installing Active Ports on Win7 and I get an open memory error.. aggh.
I learned about Netlogon.log
enabled: nltest /dbflag:0x2000ffff

I watched the Netlogon.log on the DomainController Server and nothing about me reports when I try to connect with the script from my local computer... nothing lists, not my IP nor anything...

so I disabled netlogon again: Nltest.exe /DBFLAG:0
... so I wonder if I'm even able to get to the box?
I can authenticate against it as a user, I can ping it... just can't seem to run this script remotely.
SOLUTION
good thought Rob, I am an admin see attached image snippet
admin.jpg
SOLUTION
It works finally thx...
I had to also add " AD0\ " in front of my username when I attempt to authenticate, now it works...
very patient with me stressing out.. thx Rob & Chris
No problem.  Glad we got there..... AD0....I assume that's your domain name....didn't you try that already, or was it the combination of the "Run as administrator" as well?

Rob.