| jdogg |
| (Getting the hang of it) |
| 2005-04-21 08:19 PM |
TranslateName() & InContainer() - What OU am I in?
|
Hi,
I am trying out the excellent UDF's TranslateName() and InContainer() to get away from basing everything off of global group membership.
I am pretty sure I have the OU structure written out right, but InContainer() still reports that my machine is not a member of the OU I am specifying or a child of it... even though I know my machine IS a member.
Using these UDF's, how do I output the name of the OU that it THINKS my machine is in so that I can see where I'm wrong?
Thanks!
Code:
$rc = InContainer ("OU=US-RTP,OU=Admin US-RTP,OU=Clients,DC=na,DC=agrogroup,DC=net", "Computer")
Select
Case $rc[0]=1 $lblThree.text="object is a member of the specified container."
Case $rc[0]=2 $lblThree.text="object is a member of a child container lower in the hierarchy."
Case $rc[0]=0 $lblThree.text="object is NOT a member of this container or a child of this container."
Case $rc[0]=-1 $lblThree.text="InContainer() Error - Invalid input for $NameType "
Case $rc[0]=-2 $lblThree.text="TranslateName() Error"
Case 1 $lblThree.text="Unknown return code"
EndSelect
| Les |
| (KiX Master) |
| 2005-04-21 09:16 PM |
Re: TranslateName() & InContainer() - What OU am I in?
|
It is probably that hyphen in the OU name "US-RTP" that needs to be escaped.
NTDOC
|
| (KiX Master) |
| 2005-04-21 09:20 PM |
|
|
Re: TranslateName() & InContainer() - What OU am I in?
|
Well I'm sure someone will come along with the code to do it, but since I don't have it right off hand and don't feel like searching for it.
Try this cool little KiXform script written by Chris S.
It will allow you to copy the OU as a string needed by KiX.
KiXforms - Active Directory Browser
It could also be that you have some other invalid code somewhere else in your script.
| jdogg |
| (Getting the hang of it) |
| 2005-04-21 09:30 PM |
|
Re: TranslateName() & InContainer() - What OU am I in?
|
Thanks I will try that and let you guys know what happens.
Les... "escaped"? "US-RTP" is the OU name...
Maybe I don't understand. I will try what NTDOC suggested.
You guys are the best!!
-Jdogg
| maciep |
| (Korg Regular) |
| 2005-04-21 09:32 PM |
|
Re: TranslateName() & InContainer() - What OU am I in?
|
I don't think hyphens(-) need to be escaped. What do you get if you run
Code:
break on
? getOU(@wksta)
function getOU($computer)
dim $objRootDSE,$strDomain,$objConnection
dim $objCommand,$objRecordSet,$dn
$getOU = "Not Found"
$objRootDSE = GetObject("LDAP://RootDSE")
$strDomain = $objRootDSE.Get("DefaultNamingContext")
$objConnection = CreateObject("ADODB.Connection")
$objConnection.Open("Provider=ADsDSOObject;")
$objCommand = CreateObject("ADODB.Command")
$objCommand.ActiveConnection = $objConnection
$objCommand.CommandText = "SELECT distinguishedName FROM 'LDAP://" + $strDomain +
"' WHERE objectCategory='computer' and cn='" + $computer + "'"
$objRecordSet = $objCommand.Execute()
While Not $objRecordSet.EOF
$dn = $objRecordSet.Fields("distinguishedName").Value
$getOU = right($dn, len($dn) - instr($dn, ","))
$objRecordSet.MoveNext
loop
endfunction
| Les |
| (KiX Master) |
| 2005-04-21 10:00 PM |
|
Re: TranslateName() & InContainer() - What OU am I in?
|
I get "Not Found"
What is this line supposed to do?
$objCommand.CommandText = " ";distinguishedName,name,distinguishedName;subtree"
| Howard Bullock |
| (KiX Supporter) |
| 2005-04-21 10:02 PM |
|
|
Re: TranslateName() & InContainer() - What OU am I in?
|
If you just use TranslateName() to return your distinguished name what does it return? How does that compare to your string you submit to InContainer()? Please post the DN returned from TRanslateName().
| maciep |
| (Korg Regular) |
| 2005-04-21 10:29 PM |
|
Re: TranslateName() & InContainer() - What OU am I in?
|
That's odd, i can't seem to put the LDAP query part itself in the post. Anyway, it searches AD for the machine and reports back the OU the machines in. But it's no good without that part...
Changed the query structure and updated the original code.
| Les |
| (KiX Master) |
| 2005-04-21 10:44 PM |
|
Re: TranslateName() & InContainer() - What OU am I in?
|
Maybe I should have been more precise... it's just that the line has 3 quotes... sort of an odd number. Wondered if I hade to tweak it or something.
| Les |
| (KiX Master) |
| 2005-04-21 10:47 PM |
|
Re: TranslateName() & InContainer() - What OU am I in?
|
K, got your edit and tried it... returns:
OU=Laptops,OU=Computers,OU=FF,OU=CACC,DC=cacc,DC=local
| maciep |
| (Korg Regular) |
| 2005-04-21 10:51 PM |
|
Re: TranslateName() & InContainer() - What OU am I in?
|
The CommandText property was orginally similar to how it is HERE
But i can't seem to post the less than sign (<) followed by "LDAP" or any letter(s) for that matter.
But that's far enough off topic, back to the subject at hand...
| jdogg |
| (Getting the hang of it) |
| 2005-04-21 10:56 PM |
|
Re: TranslateName() & InContainer() - What OU am I in?
|
Weird!!
It is reporting an OLD OU that I had my machine in some time ago:
CN=AUSRESC0200,OU=Computers,OU=US-RTP-Test,DC=na,DC=agrogroup,DC=net
This OU does not even exist anymore.
When I look at my machine in Active Directory Users and Computers, it shows in the correct OU.
Any quick suggestions? (I know this is not Kix related at this point)
Thanks Howard... that was what I needed!!
|
NTDOC
|
| (KiX Master) |
| 2005-04-21 11:37 PM |
|
|
|
Re: TranslateName() & InContainer() - What OU am I in?
|
Just move your system to a different OU then back to the OU you want it to belong to. That should correct the issue. Troubleshooting why one system is not where you thought it should be could potentially be quite time consuming.
| kholm |
| (Korg Regular) |
| 2005-04-21 11:37 PM |
|
|
Re: TranslateName() & InContainer() - What OU am I in?
|
jdogg,
This could be alarming. As I read it Your DC's are out of sync, so You get the LDAP-information from another DC than the one You made the changes on.
-Erik
| jdogg |
| (Getting the hang of it) |
| 2005-04-22 12:04 AM |
|
Re: TranslateName() & InContainer() - What OU am I in?
|
Erik,
Good point... as you said I was alarmed by this.
Especially since the last time my computer was in that OU was over a month ago when I was test out a group policy (as indicated by the word "test" in the OU name).
I will forward this "item of mention" to the uplevel domain admins.
If I am going to use this awesome script, I will need the LDAP to stay in sync.
Thanks again!
| Howard Bullock |
| (KiX Supporter) |
| 2005-04-22 08:44 PM |
|
|
|
Re: TranslateName() & InContainer() - What OU am I in?
|
When you got the bad data, to which object type was Translatename() binding? Did you try binding to other object types (GC, Domain, Server)? This may also give you more information for the upper level domain admins to trouble shoot with as they will then know where you were getting your data?
|
NTDOC
|
| (KiX Master) |
| 2005-04-22 08:46 PM |
|
|
|
Re: TranslateName() & InContainer() - What OU am I in?
|
Microsoft has a lot of tools to confirm and verify how the AD is operating. I'm suprised other issues have not popped up if there really that far out of sync.
| jdogg |
| (Getting the hang of it) |
| 2005-04-26 10:27 PM |
|
Re: TranslateName() & InContainer() - What OU am I in?
|
Ugh! The uplevel Domain Admins looked at LDAP, and they don't even see the OU that my script is reporting on any of our three DC's.
They cannot find it anywhere in LDAP, and they can't tell where the script is looking for the information.
Is there somewhere specifically they can check that might show the inaccurate info?
This script works GREAT 90% of the time, but sometimes it reports a OU that does not exist anymore (and has not for some time now)
Thanks again!!
-jdogg
| Howard Bullock |
| (KiX Supporter) |
| 2005-04-26 10:32 PM |
|
|
|
Re: TranslateName() & InContainer() - What OU am I in?
|
You have not answered my previous questions? Have you used TranslateName and tried to bind to each object type and tested the results.
| jdogg |
| (Getting the hang of it) |
| 2005-04-26 10:59 PM |
|
Re: TranslateName() & InContainer() - What OU am I in?
|
I hate to do this but I am going to plead n00b here.
I would gladly do what you asked, but I don't know where to begin.
I don't even know what your UDF's do, honestly, but it seems to work for me so I used it.
Perhaps this code would help (to show you exactly how I am using it and what I am looking for)
Thanks!
-jdogg
Code:
Function LANDESK()
If $Client = "Windows 2000 Workstation" OR $Client = "Windows XP Workstation"
If InGroup("\\@wksta\administrators")=0
Return
EndIf
If Exist ("%SYSTEMDRIVE%\NWSUTIL\ldesk81installed.txt")
Return
EndIf
If Exist ("%SYSTEMDRIVE%\NWSUTIL\NoLanDesk.txt")
$JUNK=RedirectOutput("\\ausress0001\groups\workstation list\ExcludedFromLanDesk.log")
?"@WKSTA,@Userid,$Client,@Time,@Day,@Date,@IPaddress0,ExcludedFromLanDesk"
$JUNK=RedirectOutput("")
Return
EndIf
$rc = InContainer ("OU=Clients,OU=Admin US-RTP,OU=US-RTP,DC=na,DC=agrogroup,DC=net", "Computer")
Select
Case $rc[0]=1
$lblThree.ForeColor = 220,20,60
$lblThree.text="LanDesk will now be installed in the background."
Sleep 5
Run "\\AGRVA2.na.agrogroup.net\ldlogon\wscfg32 /IP /STATUS /SCRIPT /F /IP /NOUI /NOREBOOT /CONFIG=BCS_RTPstacfg.ini"
$JUNK=RedirectOutput("%SYSTEMDRIVE%\NWSUTIL\ldesk81installed.txt")
?"----------------------------------"
?"First install of LanDesk 8.1"
?"@Time,@Day,@Date"
? "(@Userid) is logging onto @WKSTA, running $Client."
$JUNK=RedirectOutput("")
$lblThree.text=""
$lblThree.ForeColor = 0,0,0
Case $rc[0]=2
$lblThree.text="object is a member of a child container lower in the hierarchy."
Case $rc[0]=0
$lblThree.text="object is NOT a member of this container or a child of this container."
Case $rc[0]=-1
$lblThree.text="InContainer() Error - Invalid input for $NameType "
Case $rc[0]=-2
$lblThree.text="TranslateName() Error"
Case 1
$lblThree.text="Unknown return code"
EndSelect
EndIf
EndFunction
FUNCTION INCONTAINER($Container, $NameType)
;ACTION Determines if the current NT4 account name type is a member of a specific container (OU, Computers, etc)
; in Active Directory
;PARAMETERS $Container (Required)
; - String value
; Dinstinghished name of the container to check. This must be the fully qualified DN to
; accurately make a determination.
; $NameType (Required)
; - String value
; "Computer" or "User" are currently the only valid values
;REMARKS This function returns true if the object being checked in the the specified container
; or a child container of that specified.
;
;RETURNS An ARRAY of three values:
; InContainer return code
; 1 = object is a member of the exact container specified.
; 2 = object is a member of the container hierarchy.
; 0 = object is not a member of the container hierarchy.
; -1 = Invalid input for $NameType
; -2 = Error in TranslateName
; TranslateName ErrorCode
; TranslateName ErrorText
;
;DEPENDENCIES OS: Active Directory aware client
; Other Functions: TranslateName()
;
;EXAMPLES $rc = InContainer ("OU=test,OU=9826,OU=NCS,OU=Machines,DC=us,DC=tycoelectronics,DC=com", "Computer")
; select
; case $rc[0]=1 ? "object is a member of the specified container."
; case $rc[0]=2 ? "object is a member of a child container lower in the hierarchy."
; case $rc[0]=0 ? "object is NOT a member of this container or a child of this container."
; case $rc[0]=-1 ? "InContainer() Error - Invalid input for $NameType "
; case $rc[0]=-2 ? "TranslateName() Error"
; case 1 ? "Unknown return code"
; endselect
;
;
Dim $CurrentContainer, $Name1, $Name2, $Found, $commaloc
Select
Case $NameType = "Computer" $Name1 = @Domain + "\" + @wksta + "$$"
Case $NameType = "User" $Name1 = @LDomain + "\" + @UserID
Case 1 $Name1 = ""
EndSelect
If $Name1 <> ""
$Name2 = TranslateName (3, "", 3, $Name1, 1)
If $Name2[1] = 0
$Found=0
While $Found=0
$commaloc = instr($Name2[0], ",")
If $commaloc > 1
If substr($Name2[0],$commaloc-1,1) = "\"
$Name2[0] = substr($Name2[0], $commaloc+1)
Else
$Found=1
$CurrentContainer = substr($Name2[0], $commaloc+1)
EndIf
Else
$Found=1
Endif
Loop
Select
Case $CurrentContainer=$Container $InContainer = 1, $Name2[1], $Name2[2]
Case instr($Name2[0], $Container) $InContainer = 2, $Name2[1], $Name2[2]
Case 1 $InContainer = 0, $Name2[1], $Name2[2]
EndSelect
Else
$InContainer = -2, $Name2[1], $Name2[2]
EndIf
Else
$InContainer = -1, 0, ""
Endif
EndFunction
Function TranslateName ($InitType, $BindName, $LookupNameType, $LookupName, $ReturnNameType)
Dim $InitType, $BindName, $LookupNameType, $LookupName, $ReturnNameType
Dim $NameTranslate, $ReturnName, $Error, $ErrorText
$Error = 0
$ErrorText = ""
$ReturnName = ""
$NameTranslate = CREATEOBJECT ("NameTranslate")
$Error = @error
$ErrorText = @serror
If $Error = 0
$NameTranslate.Init ($InitType, $BindName)
$Error = @error
$ErrorText = @serror
If $Error = 0
$NameTranslate.Set ($LookupNameType, $LookupName)
$Error = @error
$ErrorText = @serror
If $Error = 0
$ReturnName = $NameTranslate.Get($ReturnNameType)
$Error = @error
$ErrorText = @serror
Endif
Endif
EndIf
$TranslateName = $ReturnName, $Error, $ErrorText
Endfunction
| Howard Bullock |
| (KiX Supporter) |
| 2005-04-27 02:35 AM |
|
|
|
Re: TranslateName() & InContainer() - What OU am I in?
|
Let's start with what InContainer() actually does. InContainer calls TranslateName() binding to the global catalog (GC:). Notice that the first parameter used in the TranslateName call is '3'. The documentation for the TranslateName() UDF shows that you can use 1, 2, or 3 for the first parameter which controls where the function binds.
Depending on the health of your infrastructure the replication of data from domains to the GC may be compromised.
Try this:
Code:
Break on
$rc = SetOption("Explicit", "ON")
$rc = SetOption("NoVarsInStrings", "ON")
Dim $DN, $start
; This binds to the GC:
$start=@ticks
? "bind to GC"
$DN = TranslateName (3, "", 3, @domain + "\" + @wksta + "$", 1)
? $DN[0]
? "Elapsed Time: " + (@ticks-$start) + " ticks"
?
; This binds to a Logon domain DC:
$start=@ticks
? "bind to server: " + substr(@Lserver, 3)
$DN = TranslateName (2, substr(@Lserver, 3), 3, @domain + "\" + @wksta + "$", 1)
? $DN[0]
? "Elapsed Time: " + (@ticks-$start) + " ticks"
?
; This binds to the domain where the computer account resides.
$start=@ticks
? "bind to " + @domain
$DN = TranslateName (1, @domain, 3, @domain + "\" + @wksta + "$", 1)
? $DN[0]
? "Elapsed Time: " + (@ticks-$start) + " ticks"
?
exit 1
For the server and domain values, try to hard code some specific server names and domain names throughout your environemnt.
Does the script always return the expected DN? Remember to include the TranslateName UDF in the script.
| jdogg |
| (Getting the hang of it) |
| 2005-04-27 04:49 PM |
|
Re: TranslateName() & InContainer() - What OU am I in?
|
You are the MAN Howard!!
That really split it up it useful bits of information that I can show to my upper level Domain Admins. It looks like it IS the GC that is "mucked-up".
Thanks again!!
-jdogg
Oh... here was the result:
Code:
bind to GC
CN=AUSRESC0200,OU=Computers,OU=US-RTP-Test,DC=na,DC=agrogroup,DC=net
Elapsed Time: 7421 ticks
bind to server: AUSPTBDC001
CN=AUSRESC0200,OU=Clients,OU=Admin US-RTP,OU=US-RTP,DC=na,DC=agrogroup,DC=net
Elapsed Time: 6960 ticks
bind to RTP
CN=AUSRESC0200,OU=Clients,OU=Admin US-RTP,OU=US-RTP,DC=na,DC=agrogroup,DC=net
Elapsed Time: 6259 ticks
| Howard Bullock |
| (KiX Supporter) |
| 2005-04-27 08:27 PM |
|
|
|
Re: TranslateName() & InContainer() - What OU am I in?
|
I am really surprise by the long times the script generated for you. My GC: and domain where the computer lives returned data in around 500 ticks over a VPN connection from home. Your 6 seconds times are somewhat concerning to me.
Do you have the Micorosft SITE definitions properly defined? Maybe there is also an issue with the DNS underscore zones. just thinking out loud...
| jdogg |
| (Getting the hang of it) |
| 2005-04-28 04:23 AM |
|
Re: TranslateName() & InContainer() - What OU am I in?
|
Hmm... well to be honest I am not sure about the site definitions. Our domain was set up by the upper level domain admins... I am just a site server admin (as well as other things). The whole domain runs my logon script though because they realized that Kix RULES!!
Anyway, both of those questions you asked would have to be forwarded to the domain guys above me... unfortunately I am not even sure how hard they are working on the FIRST issue that we identified. If I give them something else to do, I might as well pack a lunch for the time it takes them to respond. (in their defense, they are spread really thin).
Thanks again for the help.
-jdogg