Solved

Move user to another OU with different credentials

Posted on 2011-09-21
17
2,248 Views
Last Modified: 2012-05-12
I am writing the script that moves currently logged in user to a different OU

here is the script to do that

Set objSysInfo = CreateObject("ADSystemInfo") 
strUser = objSysInfo.UserName 
Set objUser = GetObject("LDAP://" & strUser) 
objuser.MoveHere("LDAP://OU=MyTestOU,DC=MyDomain,DC=net")

but I need to authenticate using service account first, since regular account would not have permissions to move AD object. So here is my updated code:

 
Set objSysInfo = CreateObject("ADSystemInfo") 
strUser = objSysInfo.UserName 
Set oNamesp = GetObject("LDAP:")
Set objUser = oNamesp.OpenDSObject("LDAP://" & strUser, "TestUser", "TestPwd",1)
objuser.MoveHere("LDAP://OU=MyTestOU,DC=MyDomain,DC=net")

but I am still getting "Access denied" error, even though when I open Active directory logged in as TestUser, I am able to manually move user objects.

Can anyone tell me what is wrong here?
0

Question by:YZlat

17 Comments
 
LVL 6

Expert Comment

by:jorgedeoliveiraborges
ID: 36576935
I found this on www. Please, take a look at ...

...
«I tested the script below (with a different target OU) and it moved the
computer the script was run on into the target OU. Watch for line wrapping»
:====================

Option Explicit
Dim objNewOU, objSysInfo, strComputerDN, objMoveComputer

' Bind to target OU, where computer object will be moved.
Set objNewOU = GetObject("LDAP://OU=Sales,dc=MyDomain,dc=com")

' Determine Distinguished Name of local computer.
Set objSysInfo = CreateObject("ADSystemInfo")
strComputerDN = objSysInfo.ComputerName

' Move this computer object to the target OU.
Set objMoveComputer = objNewOU.MoveHere("LDAP://" & strComputerDN, _
    vbNullString)

http://www.winserverkb.com/Uwe/Forum.aspx/windows-server-scripting/9358/Move-Computer-from-default-OU-to-another-during
0
 
LVL 65

Expert Comment

by:RobSampson
ID: 36578022
Hi, try this.

Regards,

Rob.
sADDomain = "yourdomain"
sADUser = "adminuser"
sADPassword = "adminpassword"

Const ADS_SECURE_AUTHENTICATION = 1
sDestOU = "LDAP://OU=targetOU,OU=sites,DC=domain,DC=com"
Set objRootDSE = GetObject("LDAP:")
Set objSysInfo = CreateObject("ADSystemInfo")
Set objDestOU = objRootDSE.OpenDSObject(sDestOU, sADDomain & "\" & sADUser, sADPassword, ADS_SECURE_AUTHENTICATION)
Set objUser = objRootDSE.OpenDSObject("LDAP://" & objSysInfo.UserName, sADDomain & "\" & sADUser, sADPassword, ADS_SECURE_AUTHENTICATION)
On Error Resume Next
objDestOU.MoveHere "LDAP://" & objUser.distinguishedName, vbNullString
If Err.Number = 0 Then
	MsgBox "User moved successfully."
Else
	MsgBox "Error " & Err.Number & ": " & Err.Description
	Err.Clear
End If

0
 
LVL 35

Author Comment

by:YZlat
ID: 36580437
jorgedeoliveiraborges, your code is pretty much the same thing I posted saying it does not work for me because the logged in user needs to have permissions to move the object
0
 
LVL 35

Author Comment

by:YZlat
ID: 36580452
RobSampson, if you read my question carefully, you will see that you posted the code identical to the code i used when I got Access denied error
0
 
LVL 65

Expert Comment

by:RobSampson
ID: 36580480
Not quite.  In mine, it uses OpenDSObject to bind to both the OU and the User, while yours only binds to the user.

And, if you read my code carefully, and compare it to yours, you will see that you are performing the move the wrong way around, by trying to move the user into the OU, whereas it is actually done by pulling the user into the OU.

Rob.
0
 
LVL 35

Author Comment

by:YZlat
ID: 36581376
OK, I see.

Rob, I am not sure what does this line do:

objDestOU.MoveHere "LDAP://" & objUser.distinguishedName, vbNullString

0
 
LVL 35

Author Comment

by:YZlat
ID: 36581558
objDestOU.MoveHere "LDAP://" & objUser.distinguishedName, vbNullString

gives me an error "An invalid directory path was passed"

I checked objUser.distinguishedName and it is correct

I think the above statement attempts to do things in the wrong order - trying to move OU to a user as opposed to moving the user to an OU
0
 
LVL 65

Expert Comment

by:RobSampson
ID: 36583829
How can you move an OU to a user?  A user is not a container that can hold other objects.  In ADUC when you drag a user object into an OU, the OU stays where it is, and the user moves into it.

Above this:
objDestOU.MoveHere "LDAP://" & objUser.distinguishedName, vbNullString

if you put this
MsgBox objUser.distinguishedName

if it outputs the distinguished name then you know it binds to the user object correctly.

You could also add
MsgBox objDestOU.distinguishedName

so you know whether the OU bind was successful too.

Regards,

Rob.
0
 
LVL 35

Author Comment

by:YZlat
ID: 36586879
I checked both and both are correct, but
objDestOU.MoveHere "LDAP://" & objUser.distinguishedName, vbNullString

gives me an error "An invalid directory path was passed"

objDestOU is an ou LDAP://OU=LDAP://OU=MyTestOU,DC=MyDomain,DC=net

and objUser.distinguishedName is LDAP://CN=MyUser,OU=AnotherOU,DC=MyDomain,DC=net



0
 
LVL 65

Accepted Solution

by:
RobSampson earned 500 total points
ID: 36587022
Did you add the MsgBox statements above the .MoveHere line?  Do the distinguished names show up correctly?

You may need to specify a specific domain controller to bind to, by using something like this.

I can't test it at the moment...

Rob.

sADDomain = "yourdomain"
sADUser = "adminuser"
sADPassword = "adminpassword"
sDC = "192.168.0.100:389"

Const ADS_SECURE_AUTHENTICATION = 1
sDestOU = "LDAP://" & sDC & "/OU=targetOU,OU=sites,DC=domain,DC=com"
Set objRootDSE = GetObject("LDAP:")
Set objSysInfo = CreateObject("ADSystemInfo")
Set objDestOU = objRootDSE.OpenDSObject(sDestOU, sADDomain & "\" & sADUser, sADPassword, ADS_SECURE_AUTHENTICATION)
Set objUser = objRootDSE.OpenDSObject("LDAP://" & sDC & "/" & objSysInfo.UserName, sADDomain & "\" & sADUser, sADPassword, ADS_SECURE_AUTHENTICATION)
MsgBox "User DN: " & objUser.distinguishedName
MsgBox "OU DN: " & objDestOU.distinguishedName
On Error Resume Next
objDestOU.MoveHere "LDAP://" & objUser.distinguishedName, vbNullString
If Err.Number = 0 Then
	MsgBox "User moved successfully."
Else
	MsgBox "Error " & Err.Number & ": " & Err.Description
	Err.Clear
End If

0
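The pattern the accepted answer settles on (bind both the destination OU and the user with the service account through one named DC, then let the OU pull the user in with IADsContainer.MoveHere) written out as a standalone .vbs, as an added example that is not RobSampson's or YZlat's code. The DC name dc01.mydomain.net, the account MYDOMAIN\svc-oumove and OU=MyTestOU are constructed placeholders, and the helper functions CheckADsPath, DomainPart and ParentDN are my own. It adds three checks before the move: that the ADsPath carries the LDAP:// prefix exactly once (a doubled prefix like the LDAP://OU=LDAP://OU= string quoted in the comments above is one way to get "An invalid directory path was passed"), that the user and the target OU are in the same domain, and that the user is not already in the target OU. The password is prompted for rather than written into the file, because a logon script or HTA that carries a privileged account's password in clear text gives that password to every user who can read the file.

```vbscript
Option Explicit

' ADS_AUTHENTICATION_ENUM values (documented ADSI constants)
Const ADS_SECURE_AUTHENTICATION = &H1    ' Kerberos/NTLM rather than a simple bind
Const ADS_SERVER_BIND           = &H200  ' the ADsPath names a specific server

' Constructed placeholders; replace with your own values
Dim sDC, sDestOUPath, sADUser, sADPassword
sDC         = "dc01.mydomain.net:389"
sDestOUPath = "LDAP://" & sDC & "/OU=MyTestOU,DC=MyDomain,DC=net"
sADUser     = "MYDOMAIN\svc-oumove"
sADPassword = InputBox("Password for " & sADUser)   ' prompt; do not embed it in the script

' True when the path starts with LDAP:// and the prefix does not appear a second time
Function CheckADsPath(sPath)
    CheckADsPath = (Left(sPath, 7) = "LDAP://") And _
                   (InStr(8, sPath, "LDAP://", vbTextCompare) = 0)
End Function

' Everything from the first "DC=" onward, lower-cased, e.g. "dc=mydomain,dc=net"
Function DomainPart(sDN)
    Dim p
    p = InStr(1, sDN, "DC=", vbTextCompare)
    If p = 0 Then DomainPart = "" Else DomainPart = LCase(Mid(sDN, p))
End Function

' DN of the container holding the object (assumes no escaped commas in the RDN)
Function ParentDN(sDN)
    ParentDN = Mid(sDN, InStr(sDN, ",") + 1)
End Function

If Not CheckADsPath(sDestOUPath) Then
    WScript.Echo "Malformed destination path: " & sDestOUPath
    WScript.Quit 1
End If

Dim objSysInfo, objNS, objDestOU, objUser, objMoved
Set objSysInfo = CreateObject("ADSystemInfo")   ' UserName = DN of the logged-on user
Set objNS = GetObject("LDAP:")

' Bind BOTH objects through the same DC with the service account, not the logged-on user
Set objDestOU = objNS.OpenDSObject(sDestOUPath, sADUser, sADPassword, _
                                   ADS_SECURE_AUTHENTICATION Or ADS_SERVER_BIND)
Set objUser = objNS.OpenDSObject("LDAP://" & sDC & "/" & objSysInfo.UserName, _
                                 sADUser, sADPassword, _
                                 ADS_SECURE_AUTHENTICATION Or ADS_SERVER_BIND)

' Pre-move checks
If DomainPart(objUser.distinguishedName) <> DomainPart(objDestOU.distinguishedName) Then
    WScript.Echo "User and target OU are in different domains; not handled by this script"
    WScript.Quit 1
End If
If LCase(ParentDN(objUser.distinguishedName)) = LCase(objDestOU.distinguishedName) Then
    WScript.Echo "User is already in " & objDestOU.distinguishedName
    WScript.Quit 0
End If

' IADsContainer.MoveHere: the DESTINATION container pulls the source object in.
' vbNullString keeps the existing RDN (CN=...). The call returns the moved object.
On Error Resume Next
Set objMoved = objDestOU.MoveHere("LDAP://" & sDC & "/" & objUser.distinguishedName, vbNullString)
If Err.Number <> 0 Then
    WScript.Echo "Move failed: 0x" & Hex(Err.Number) & " " & Err.Description
    WScript.Quit 1
End If
On Error GoTo 0

WScript.Echo "Moved to " & objMoved.distinguishedName
```

Run it with cscript.exe so the WScript.Echo lines go to the console; inside an HTA replace them with MsgBox, since the WScript object does not exist there. The On Error Resume Next window is kept to the single MoveHere call so that a failed bind raises immediately with its own error instead of surfacing later as a confusing "invalid directory path" on the move.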
 
LVL 35

Author Comment

by:YZlat
ID: 36587110
RobSampson, correct me if I am wrong, but I believe (and that's what I see when searching the internet as well) that the syntax for MoveHere is

User.MoveHere OU, vbNullString

not

OU.MoveHere User, vbNullString

in your statement

objDestOU.MoveHere "LDAP://" & objUser.distinguishedName, vbNullString

I believe you are reversing the user and OU
0
 
LVL 65

Expert Comment

by:RobSampson
ID: 36587160
0
 
LVL 35

Author Comment

by:YZlat
ID: 36587167
RobSampson, I think your latest code worked!
0
 
LVL 65

Expert Comment

by:RobSampson
ID: 36587193
I hope so  ;-)
0
 
LVL 35

Author Comment

by:YZlat
ID: 36587470
here is a strange occurrence: When I run your VBScript from a separate vbs file, it works, but if I put the code inside my hta, I get in this line:
Set objDestOU = objRootDSE.OpenDSObject(sDestOU, sADDomain & "\" & sADUser, sADPassword, ADS_SECURE_AUTHENTICATION)
 "Unknown username or bad password"
0
 
LVL 35

Author Comment

by:YZlat
ID: 36587528
Turns out it was just a typo.

Thanks a lot!
0
 
LVL 65

Expert Comment

by:RobSampson
ID: 36591007
Good to hear. Thanks for the grade.

Checking the MSDN articles on methods is something I do every day to make sure I get the syntax of commands right.  Often they have good examples as well, although sometimes not, which is annoying.

Regards,

Rob.
0
