Solved

Move user to another OU with different credentials

Posted on 2011-09-21
17
2,195 Views
Last Modified: 2012-05-12
I am writing the script that moves currently logged in user to a different OU

here is the script to do that

' Get the distinguished name of the currently logged-on user
Set objSysInfo = CreateObject("ADSystemInfo") 
strUser = objSysInfo.UserName 
' Bind to the user object with the logged-on user's own credentials
Set objUser = GetObject("LDAP://" & strUser) 
' Attempt the move (this is the call that fails with "Access denied")
objuser.MoveHere("LDAP://OU=MyTestOU,DC=MyDomain,DC=net")

but I need to authenticate using service account first, since regular account would not have permissions to move AD object. So here is my updated code:

 
Set objSysInfo = CreateObject("ADSystemInfo") 
strUser = objSysInfo.UserName 
Set oNamesp = GetObject("LDAP:")
Set objUser = oNamesp.OpenDSObject("LDAP://" & strUser, "TestUser", "TestPwd",1)
objuser.MoveHere("LDAP://OU=MyTestOU,DC=MyDomain,DC=net")

but I am still getting "Access denied" error, even though when I open Active directory logged in as TestUser, I am able to manually move user objects.

Can anyone tell me what is wrong here?
Question by:YZlat

17 Comments
 
LVL 6

Expert Comment

by:jorgedeoliveiraborges
ID: 36576935
I found this on www. Please, take a look at ...

...
«I tested the script below (with a different target OU) and it moved the
computer the script was run on into the target OU. Watch for line wrapping»
:====================

Option Explicit
Dim objNewOU, objSysInfo, strComputerDN, objMoveComputer

' Bind to target OU, where computer object will be moved.
Set objNewOU = GetObject("LDAP://OU=Sales,dc=MyDomain,dc=com")

' Determine Distinguished Name of local computer.
Set objSysInfo = CreateObject("ADSystemInfo")
strComputerDN = objSysInfo.ComputerName

' Move this computer object to the target OU (the container pulls the object in;
' vbNullString keeps the object's existing relative name).
Set objMoveComputer = objNewOU.MoveHere("LDAP://" & strComputerDN, vbNullString)

http://www.winserverkb.com/Uwe/Forum.aspx/windows-server-scripting/9358/Move-Computer-from-default-OU-to-another-during
0
 
LVL 65

Expert Comment

by:RobSampson
ID: 36578022
Hi, try this.

Regards,

Rob.
' Credentials of the account that has been delegated the right to move the user
sADDomain = "yourdomain"
sADUser = "adminuser"
sADPassword = "adminpassword"

Const ADS_SECURE_AUTHENTICATION = 1
sDestOU = "LDAP://OU=targetOU,OU=sites,DC=domain,DC=com"
' LDAP namespace object; it exposes OpenDSObject for binding with explicit credentials
Set objRootDSE = GetObject("LDAP:")
Set objSysInfo = CreateObject("ADSystemInfo")
' Bind to BOTH the destination OU and the user object with the delegated account
Set objDestOU = objRootDSE.OpenDSObject(sDestOU, sADDomain & "\" & sADUser, sADPassword, ADS_SECURE_AUTHENTICATION)
Set objUser = objRootDSE.OpenDSObject("LDAP://" & objSysInfo.UserName, sADDomain & "\" & sADUser, sADPassword, ADS_SECURE_AUTHENTICATION)
On Error Resume Next
' The container performs the move: it pulls the user object in, keeping its existing name
objDestOU.MoveHere "LDAP://" & objUser.distinguishedName, vbNullString
If Err.Number = 0 Then
	MsgBox "User moved successfully."
Else
	MsgBox "Error " & Err.Number & ": " & Err.Description
	Err.Clear
End If

0
 
LVL 35

Author Comment

by:YZlat
ID: 36580437
jorgedeoliveiraborges, your code is pretty much the same thing I posted, saying it does not work for me because the logged-in user needs to have permissions to move the object.
0
 
LVL 35

Author Comment

by:YZlat
ID: 36580452
RobSampson, if you read my question carefully, you will see that you posted code identical to the code I used when I got the Access denied error.
0
 
LVL 65

Expert Comment

by:RobSampson
ID: 36580480
Not quite.  In mine, it uses OpenDSObject to bind to both the OU and the User, while yours only binds to the user.

And, if you read my code carefully, and compare it to yours, you will see that you are performing the move the wrong way around, by trying to move the user into the OU, whereas it is actually done by pulling the user into the OU.

Rob.
0
 
LVL 35

Author Comment

by:YZlat
ID: 36581376
OK, I see.

Rob, I am not sure what this line does:

objDestOU.MoveHere "LDAP://" & objUser.distinguishedName, vbNullString

0
 
LVL 35

Author Comment

by:YZlat
ID: 36581558
objDestOU.MoveHere "LDAP://" & objUser.distinguishedName, vbNullString

gives me an error "An invalid directory path was passed"

I checked objUser.distinguishedName and it is correct

I think the above statement attempts to do things in the wrong order - trying to move OU to a user as opposed to moving the user to an OU
0
 
LVL 65

Expert Comment

by:RobSampson
ID: 36583829
How can you move an OU to a user?  A user is not a container that can hold other objects.  In ADUC when you drag a user object into an OU, the OU stays where it is, and the user moves into it.

Above this:
objDestOU.MoveHere "LDAP://" & objUser.distinguishedName, vbNullString

if you put this
MsgBox objUser.distinguishedName

if it outputs the distinguished name then you know it binds to the user object correctly.

You could also add
MsgBox objDestOU.distinguishedName

so you know whether the OU bind was successful too.

Regards,

Rob.
0
 
LVL 35

Author Comment

by:YZlat
ID: 36586879
I checked both and both are correct, but
objDestOU.MoveHere "LDAP://" & objUser.distinguishedName, vbNullString

gives me an error "An invalid directory path was passed"

objDestOU is an ou LDAP://OU=LDAP://OU=MyTestOU,DC=MyDomain,DC=net

and objUser.distinguishedName is LDAP://CN=MyUser,OU=AnotherOU,DC=MyDomain,DC=net
0
 
LVL 65

Accepted Solution

by:
RobSampson earned 500 total points
ID: 36587022
Did you add the MsgBox statements above the .MoveHere line?  Do the distinguished names show up correctly?

You may need to specify a specific domain controller to bind to, by using something like this.

I can't test it at the moment...

Rob.

' Credentials of the account that has been delegated the right to move the user
sADDomain = "yourdomain"
sADUser = "adminuser"
sADPassword = "adminpassword"
' Specific domain controller (host:port) to bind to, instead of serverless binding
sDC = "192.168.0.100:389"

Const ADS_SECURE_AUTHENTICATION = 1
sDestOU = "LDAP://" & sDC & "/OU=targetOU,OU=sites,DC=domain,DC=com"
' LDAP namespace object; it exposes OpenDSObject for binding with explicit credentials
Set objRootDSE = GetObject("LDAP:")
Set objSysInfo = CreateObject("ADSystemInfo")
' Bind to BOTH the destination OU and the user object on the chosen DC with the delegated account
Set objDestOU = objRootDSE.OpenDSObject(sDestOU, sADDomain & "\" & sADUser, sADPassword, ADS_SECURE_AUTHENTICATION)
Set objUser = objRootDSE.OpenDSObject("LDAP://" & sDC & "/" & objSysInfo.UserName, sADDomain & "\" & sADUser, sADPassword, ADS_SECURE_AUTHENTICATION)
' Show both distinguished names so a failed or wrong bind is visible before the move
MsgBox "User DN: " & objUser.distinguishedName
MsgBox "OU DN: " & objDestOU.distinguishedName
On Error Resume Next
' The container performs the move: it pulls the user object in, keeping its existing name
objDestOU.MoveHere "LDAP://" & objUser.distinguishedName, vbNullString
If Err.Number = 0 Then
	MsgBox "User moved successfully."
Else
	MsgBox "Error " & Err.Number & ": " & Err.Description
	Err.Clear
End If

0
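The accepted approach (bind both the destination OU and the user with the service account, confirm the DNs, then let the container pull the user in, as Rob explained in his earlier comment on the direction of MoveHere) written out as an added example. This is not code from the thread: the domain, service account, DC name and OU DN are constructed placeholders, and the flag constants are the documented ADSI ADS_AUTHENTICATION_ENUM values.

```vbscript
' Added example: move the logged-on user's AD object into a target OU with a
' delegated service account, verifying both binds before the move is attempted.
' All names below are placeholders for your environment.
Option Explicit

' ADS_AUTHENTICATION_ENUM values (documented ADSI constants)
Const ADS_SECURE_AUTHENTICATION = &H1    ' Kerberos/NTLM bind, password not sent in clear text
Const ADS_USE_SEALING           = &H80   ' encrypt the LDAP traffic after the bind
Const ADS_SERVER_BIND           = &H200  ' the path names a specific server, skip DC discovery

Dim sDomain, sSvcUser, sSvcPassword, sDC, sDestOUDN, lFlags
sDomain      = "MyDomain"                       ' placeholder
sSvcUser     = "svc-oumove"                     ' placeholder: account delegated only the right to move users between the two OUs
sSvcPassword = "<service account password>"     ' placeholder: anyone able to read this file can read this value
sDC          = "dc01.mydomain.net"              ' placeholder; set to "" for a serverless bind
sDestOUDN    = "OU=MyTestOU,DC=MyDomain,DC=net" ' placeholder (the OU DN from the question)

Dim oNS, oSysInfo, sUserDN, sPrefix, oDestOU, oUser, oMoved
Set oNS      = GetObject("LDAP:")       ' LDAP namespace object: exposes OpenDSObject
Set oSysInfo = CreateObject("ADSystemInfo")
sUserDN      = oSysInfo.UserName        ' DN of the currently logged-on user

lFlags  = ADS_SECURE_AUTHENTICATION Or ADS_USE_SEALING
sPrefix = "LDAP://"
If Len(sDC) > 0 Then
    sPrefix = "LDAP://" & sDC & "/"
    lFlags  = lFlags Or ADS_SERVER_BIND
End If

' Bind to BOTH objects with the service account. The destination container performs
' the move, so it is the container bind that must carry the delegated credentials.
Set oDestOU = oNS.OpenDSObject(sPrefix & sDestOUDN, sDomain & "\" & sSvcUser, sSvcPassword, lFlags)
Set oUser   = oNS.OpenDSObject(sPrefix & sUserDN,   sDomain & "\" & sSvcUser, sSvcPassword, lFlags)

' Verify both binds before touching anything: distinguishedName is read back from the
' directory, so a mistyped path shows up here rather than as "invalid directory path".
If StrComp(oDestOU.Get("distinguishedName"), sDestOUDN, vbTextCompare) <> 0 Then
    WScript.Echo "Destination OU bind returned an unexpected DN: " & oDestOU.Get("distinguishedName")
    WScript.Quit 1
End If
If StrComp(oUser.Get("distinguishedName"), sUserDN, vbTextCompare) <> 0 Then
    WScript.Echo "User bind returned an unexpected DN: " & oUser.Get("distinguishedName")
    WScript.Quit 1
End If

' Correct direction: the container pulls the object in. vbNullString keeps the RDN (CN=...) as it is.
On Error Resume Next
Set oMoved = oDestOU.MoveHere(sPrefix & sUserDN, vbNullString)
If Err.Number <> 0 Then
    WScript.Echo "Move failed, error 0x" & Hex(Err.Number) & ": " & Err.Description
    Err.Clear
    WScript.Quit 1
End If
On Error GoTo 0

WScript.Echo "Moved to: " & oMoved.Get("distinguishedName")
```

Run it with cscript so the Echo output goes to the console. Because the service account password is a literal in the file, every user who runs the script (or the HTA that embeds it) can read it, so the account should hold only the delegated permission it needs, moving user objects between the source and destination OUs, and nothing else; ADS_USE_SEALING keeps the LDAP session encrypted after the bind, and ADS_SERVER_BIND tells ADSI that the path names a specific server rather than a domain, which avoids a needless DC lookup when a DC is given.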
 
LVL 35

Author Comment

by:YZlat
ID: 36587110
RobSampson, correct me if I am wrong, but I believe (and that's what I see when searching the internet as well) that the syntax for MoveHere is

User.MoveHere OU, vbNullString

not

OU.MoveHere User, vbNullString

in your statement

objDestOU.MoveHere "LDAP://" & objUser.distinguishedName, vbNullString

I believe you are reversing the user and OU
0
 
LVL 65

Expert Comment

by:RobSampson
ID: 36587160
0
 
LVL 35

Author Comment

by:YZlat
ID: 36587167
RobSampson, I think your latest code worked!
0
 
LVL 65

Expert Comment

by:RobSampson
ID: 36587193
I hope so  ;-)
0
 
LVL 35

Author Comment

by:YZlat
ID: 36587470
Here is a strange occurrence: when I run your VBScript from a separate vbs file, it works, but if I put the code inside my hta, I get "Unknown username or bad password" on this line:

Set objDestOU = objRootDSE.OpenDSObject(sDestOU, sADDomain & "\" & sADUser, sADPassword, ADS_SECURE_AUTHENTICATION)
0
 
LVL 35

Author Comment

by:YZlat
ID: 36587528
Turns out it was just a typo.

Thanks a lot!
0
 
LVL 65

Expert Comment

by:RobSampson
ID: 36591007
Good to hear. Thanks for the grade.

Checking the MSDN articles on methods is something I do every day to make sure I get the syntax of commands right.  Often they have good examples as well, although sometimes not, which is annoying.

Regards,

Rob.
0
