YZlat
asked on
Move user to another OU with different credentials
I am writing the script that moves currently logged in user to a different OU
here is the script to do that
Set objSysInfo = CreateObject("ADSystemInfo")
strUser = objSysInfo.UserName
Set objUser = GetObject("LDAP://" & strUser)
objuser.MoveHere("LDAP://OU=MyTestOU,DC=MyDomain,DC=net")
but I need to authenticate using service account first, since regular account would not have permissions to move AD object. So here is my updated code:
Set objSysInfo = CreateObject("ADSystemInfo")
strUser = objSysInfo.UserName
Set oNamesp = GetObject("LDAP:")
Set objUser = oNamesp.OpenDSObject("LDAP://" & strUser, "TestUser", "TestPwd",1)
objuser.MoveHere("LDAP://OU=MyTestOU,DC=MyDomain,DC=net")
but I am still getting "Access denied" error, even though when I open Active directory logged in as TestUser, I am able to manually move user objects.
Can anyone tell me what is wrong here?
Hi, try this.
Regards,
Rob.
' Service-account credentials used for both binds
sADDomain = "yourdomain"
sADUser = "adminuser"
sADPassword = "adminpassword"
Const ADS_SECURE_AUTHENTICATION = 1
sDestOU = "LDAP://OU=targetOU,OU=sites,DC=domain,DC=com"
Set objRootDSE = GetObject("LDAP:")
Set objSysInfo = CreateObject("ADSystemInfo")
' Bind the destination OU with the service account
Set objDestOU = objRootDSE.OpenDSObject(sDestOU, sADDomain & "\" & sADUser, sADPassword, ADS_SECURE_AUTHENTICATION)
' Bind the logged-on user's object with the same credentials
Set objUser = objRootDSE.OpenDSObject("LDAP://" & objSysInfo.UserName, sADDomain & "\" & sADUser, sADPassword, ADS_SECURE_AUTHENTICATION)
On Error Resume Next
' MoveHere is called on the container that receives the object
objDestOU.MoveHere "LDAP://" & objUser.distinguishedName, vbNullString
If Err.Number = 0 Then
    MsgBox "User moved successfully."
Else
    MsgBox "Error " & Err.Number & ": " & Err.Description
    Err.Clear
End If
ASKER
jorgedeoliveiraborges, your code is pretty much the same thing I posted saying it does not work for me because the logged in user needs to have permissions to move the object
ASKER
RobSampson, if you read my question carefully, you will see that you posted the code identical to the code i used when I got Access denied error
Not quite. In mine, it uses OpenDSObject to bind to both the OU and the User, while yours only binds to the user.
And, if you read my code carefully, and compare it to yours, you will see that you are performing the move the wrong way around, by trying to move the user into the OU, whereas it is actually done by pulling the user into the OU.
Rob.
ASKER
OK, I see.
Rob, I am not sure what this line does:
objDestOU.MoveHere "LDAP://" & objUser.distinguishedName, vbNullString
ASKER
objDestOU.MoveHere "LDAP://" & objUser.distinguishedName, vbNullString
gives me an error "An invalid directory path was passed"
I checked objUser.distinguishedName and it is correct
I think the above statement attempts to do things in the wrong order - trying to move OU to a user as opposed to moving the user to an OU
How can you move an OU to a user? A user is not a container that can hold other objects. In ADUC when you drag a user object into an OU, the OU stays where it is, and the user moves into it.
Above this:
objDestOU.MoveHere "LDAP://" & objUser.distinguishedName, vbNullString
if you put this
MsgBox objUser.distinguishedName
if it outputs the distinguished name then you know it binds to the user object correctly.
You could also add
MsgBox objDestOU.distinguishedName
so you know whether the OU bind was successful too.
Regards,
Rob.
ASKER
I checked both and both are correct, but
objDestOU.MoveHere "LDAP://" & objUser.distinguishedName, vbNullString
gives me an error "An invalid directory path was passed"
objDestOU is an OU: LDAP://OU=LDAP://OU=MyTestOU,DC=MyDomain,DC=net
and objUser.distinguishedName is LDAP://CN=MyUser,OU=AnotherOU,DC=MyDomain,DC=net
ASKER CERTIFIED SOLUTION
ASKER
RobSampson, correct me if I am wrong, but I believe (and that's what I see when searching the internet as well) that the syntax for MoveHere is
User.MoveHere OU, vbNullString
not
OU.MoveHere User, vbNullString
in your statement
objDestOU.MoveHere "LDAP://" & objUser.distinguishedName, vbNullString
I believe you are reversing the user and OU
No, that's not correct. See the MSDN documentation here:
http://msdn.microsoft.com/en-us/library/windows/desktop/aa705991(v=vs.85).aspx
http://technet.microsoft.com/en-us/library/ee156523.aspx
http://blogs.technet.com/b/heyscriptingguy/archive/2005/01/21/how-can-i-find-and-move-an-active-directory-computer-account.aspx
http://blogs.technet.com/b/heyscriptingguy/archive/2004/12/14/how-can-i-rename-an-active-directory-group.aspx
Regards,
Rob.
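The two questions above (what objDestOU.MoveHere does, and which object the method belongs to) come down to one rule from the IADsContainer documentation Rob links: MoveHere is called on the container that receives the object, with the source object's path as the first argument. The script below is an added example written for this thread, not Rob's posted code or the asker's; it binds both the target OU and the logged-on user with the same service-account credentials (the difference Rob points out between his version and the asker's), echoes both distinguished names as the bind check he suggests, and then performs the move. The domain, account name, password and OU path are placeholder values, and it assumes the service account has already been delegated the rights needed to move the object; MsgBox is used, as in the thread, so the same code runs from a .vbs file or inside an HTA.

```vbscript
' Added example for this thread (not the original poster's or Rob's code).
' Moves the currently logged-on user's account into a target OU, binding
' BOTH the destination container and the user object under the same
' alternate credentials, and checking each bind before the move.
Option Explicit

Const ADS_SECURE_AUTHENTICATION = 1   ' negotiate (Kerberos/NTLM) rather than simple bind

' Placeholder values: replace with real ones; nothing here is read from the environment.
Dim sADDomain, sADUser, sADPassword, sDestOU
sADDomain   = "MyDomain"
sADUser     = "SvcMoveUsers"
sADPassword = "PlaceholderPassword"
sDestOU     = "LDAP://OU=MyTestOU,DC=MyDomain,DC=net"

Dim objNS, objSysInfo, objDestOU, objUser, sUserPath

Set objNS      = GetObject("LDAP:")          ' LDAP namespace object exposing OpenDSObject
Set objSysInfo = CreateObject("ADSystemInfo")  ' UserName = DN of the logged-on user

' 1. Bind the destination container with the service account.
Set objDestOU = objNS.OpenDSObject(sDestOU, sADDomain & "\" & sADUser, _
    sADPassword, ADS_SECURE_AUTHENTICATION)

' 2. Bind the logged-on user's object with the SAME credentials.
Set objUser = objNS.OpenDSObject("LDAP://" & objSysInfo.UserName, _
    sADDomain & "\" & sADUser, sADPassword, ADS_SECURE_AUTHENTICATION)

' 3. Bind check from the thread: a successful bind returns a distinguishedName.
MsgBox "Target OU: " & objDestOU.distinguishedName & vbCrLf & _
       "User     : " & objUser.distinguishedName

' 4. Use the user's ADsPath as the source. ADsPath already carries the
'    "LDAP://" prefix, so nothing is prepended and a doubled
'    "LDAP://LDAP://..." path (which ADSI rejects as an invalid directory
'    path) cannot be built by accident.
sUserPath = objUser.ADsPath

' 5. IADsContainer::MoveHere(SourceName, NewName) is invoked on the
'    CONTAINER that receives the object; vbNullString keeps the existing RDN.
On Error Resume Next
objDestOU.MoveHere sUserPath, vbNullString
If Err.Number = 0 Then
    MsgBox "User moved successfully."
Else
    ' Hex form matches the HRESULT values shown in ADSI documentation.
    MsgBox "Error 0x" & Hex(Err.Number) & ": " & Err.Description
    Err.Clear
End If
On Error GoTo 0
```

Two design points worth noting. First, the script binds the user object and the container under the same credentials and passes the resulting ADsPath to MoveHere, so the move runs entirely in the service account's security context rather than the logged-on user's. Second, because the script runs in the user's own session, anyone who can read the script file can read the embedded service-account password; limiting what that account can do (only the move right on the OUs involved) bounds what a leaked credential is worth.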
ASKER
RobSampson, I think your latest code worked!
I hope so ;-)
ASKER
here is a strange occurrence: When I run your VBScript from a separate vbs file, it works, but if I put the code inside my hta, I get in this line:
Set objDestOU = objRootDSE.OpenDSObject(sDestOU, sADDomain & "\" & sADUser, sADPassword, ADS_SECURE_AUTHENTICATION)
"Unknown username or bad password"
ASKER
Turns out it was just a typo.
Thanks a lot!
Good to hear. Thanks for the grade.
Checking the MSDN articles on methods is something I do every day to make sure I get the syntax of commands right. Often they have good examples as well, although sometimes not, which is annoying.
Regards,
Rob.
«I tested the script below (with a different target OU) and it moved the
computer the script was run on into the target OU. Watch for line wrapping»
http://www.winserverkb.com/Uwe/Forum.aspx/windows-server-scripting/9358/Move-Computer-from-default-OU-to-another-during