|
|
|||||||
I would like to query an OU for objects and create security groups. OU=Printers The objects are printers that are published in AD. I would like to create two groups for each printer, one for default printer, one for additional printer. Printer object names: MRH-01-q-mis Group names to be created: DefPrinter_mrh-01_q-mis AddlPrinter_mrh-01_q-mis I found a CreateADGroup by Howard, but am unsure of how to query the Printers OU and enumerate the objects and create a script that I can use with CreateADGroup to add the groups for the printers. I used this syntax to obtain computer group membership for the purpose of adding printers based upon group membership. I'd like to now create the groups for the corresponding printers, checking for the existence of each group BEFORE creating them. code:No idea what I'm doing, but going to start here:$WS = GetObject("WinNT://" + @domain + "/" + @wksta + "$$") code:Any direction is appreciated.$logfile=c:\printers.xls tjcarst [ 14. October 2003, 19:42: Message edited by: tjcarst ] |
||||||||
|
|
|||||||
Hmmm... Howard and I are working on an update to his EnumOUs() code offline. Well, Howard is doing all the work, I just provide the dumb looks. You can look at some of the effort Howard put into the following UDF. Topic: EnumOUs() - Enumerates OUs containing Users or Computers |
||||||||
|
|
|||||||
Checkout this thread and related links. It will give you a way to enumerate objects. then for each printer object, get the name and call my CreateADgroup() two times, once for each group to create. |
||||||||
|
|
|||||||
Thanks, I'll get started on that. |
||||||||
|
|
|||||||
Okay, using this code, I am able to get the printer names from the Printers OU and trim off the CN=. I just need to now create the variables for the new groups I want to create using CreateADGroup.udf code:;********** Beginning of group creation ********* [ 14. October 2003, 19:56: Message edited by: tjcarst ] |
||||||||
|
|
|||||||
I guess that would be code:$rc=CreateADGroup('DefPrinter_'+$printgroup) |
||||||||
|
|
|||||||
This is what I have now. I had to strip off the leading server portion and add back in for the group names in order to match the syntax of my script that I am using. The printers in AD are preceded by the server name with a dash and not an underscore and the server is in uppercase. MRH-01-q-mis not mrh-01_q-mis. code:;********** Beginning of group creation ********* [ 14. October 2003, 20:26: Message edited by: tjcarst ] |
||||||||
|
|
|||||||
I also need to specify the Printer Groups OU for the creation. |
||||||||
|
|
|||||||
Okay, I think this should work. Thanks for your great assistance!! About 200 groups will be created when I hit enter. I'd better test just a bit more.... code:;http://www.kixtart.org/board/ultimatebb.php?ubb=get_topic;f=1;t=007920 [ 14. October 2003, 20:39: Message edited by: tjcarst ] |
||||||||
|
|
|||||||
I receive an error when running my script with the CreateAdGroup.udf. ERROR : unknown command [Then]! Script: CreateAdGroup.udf Line : 74 |
||||||||
|
|
|||||||
Crap!!! Don't know how that got in there. Delete the word "Then" on line 74 or 75 of the UDF. Sorry. I will clean up the UDF post on Korg. I know this was tested by Doc and myself. |
||||||||
|
|
|||||||
Thanks! |
||||||||
|
|
|||||||
Okay - now I get CreateAdGroup Failed with Error: -2147352567 code:;http://www.kixtart.org/board/ultimatebb.php?ubb=get_topic;f=1;t=007920 [ 14. October 2003, 22:38: Message edited by: tjcarst ] |
||||||||
|
|
|||||||
Well, searchign the boards for that error yielded a few hits. However, I am still unable to fix. I'll work on this tomorrow. I also noted that the printers I've created with a script I found here using AddDefaultPrinter and SetDefaultPrinter are not recognized by Acrobat Reader. So, it looks like I'm further from my solution than I thought. I can say this is fun to troubleshoot. I must be a crazy person tjcarst |
||||||||
|
|
|||||||
Well, today Acrobat sees the printers. Nothing changed on XP machine, I didn't even logout. Another mystery. Oh, well, they are working. Still haven't figured out the error when running script to create the groups in AD, though.... |
||||||||
|
|
|||||||
I think there is a problem with creating the groups from the script due to the way they are created using for each $printer in $printers. I can get the script to return the correct name of the group I want to create for $defprinter, but I cannot create multiple computer groups based upon the printer names. Using CreateADGroup.udf, I can create a script that creates one group successfully, just not the whole listing retrieved by 'for each' Somehow I need to store the results of the printer names and then create the group names based on my variables. To a text or ini file? How do I modify the script to do this? |
||||||||
|
|
|||||||
I do not understand what your problem actually is. If you are referring to my CreateADGroup() udf, it should be quite capable of creating a group with each call to it. Could you please post the KiXtart code you are using to loop through you name and call createADGroup()? [ 16. October 2003, 20:55: Message edited by: Howard Bullock ] |
||||||||
|
|
|||||||
If I disable the portion that creates the groups, I can see that I am retrieving the printer names and generating the correct group name I want to create. If I enable the portion that creates the groups, I get the error after every group: A_mrh-01_q-therapy CreateAdGroup Failed with Error: -2147352567 A-mrh-01_q-therapy2 CreateAdGroup Failed with Error: -2147352567 However, if I don't generate the group names using my script and just type into the script the name of the group I want to create, it is successfully created. I don't think I am correctly passing the group names to CreateAdGroup in my script and am not clever enough to figure out what needs to be changed. Thanks for any direction you can give. tjcarst code:;http://www.kixtart.org/board/ultimatebb.php?ubb=get_topic;f=1;t=007920 [ 17. October 2003, 18:29: Message edited by: tjcarst ] |
||||||||
|
|
|||||||
The only suggestion I can offer is to add additional debugging code into the CreateADGroups udf. Add Cerror() udf to your script. Output the variables values enclosed in quotes or other delimiter so that you can see where the value starts and stops. This is incase you have spaces or other characters that would be not seen. Output the values and results for each ADSI call, get, put, and setinfo line. Please give some more info regarding your test where if you supply the text name the function works and in the script the function fails. This would lead me to belive that you are passing the function invalid data even though it may look correct. |
||||||||
|
|
|||||||
This successfully creates the D_mrh-01_q-therapy print group in AD. And I can see when I run the other part of the script without the CreateADGroup function, that the group names are returned correctly to screen or file as specified. code:call @ScriptDir+'\CreateAdGroup.udf' [ 18. October 2003, 20:04: Message edited by: tjcarst ] |
||||||||
|
|
|||||||
What you are demonstrating is that the function works. You will have to put the debugging code in place and in order to track all the values and success/failure of each ADSI I stated above. The data in your last post provide little value except for proving the createadgroup function works. |
||||||||
|
|
|||||||
I know it wasn't very helpful. I don't know why it isn't working, I just know it isn't. Sorry. I can post my script and post the output. Post the existing printers and the groups created. Beyond that, I'm stuck. I thought I was passing my group names incorrectly to the CreateADGroup function. I know that by itself the CreateADGroup works and by itself the creation of the default and additional groups work. When I put the scripts together into one, it doesn't work. I thought maybe I was missing a simple step to store the default and additional group names before passing to CreateAdGroup and was hoping someone would be able to help me get it to work. I'll mess with this some more this weekend and see if I can get it to work. It is so close to working. |
||||||||
|
|
|||||||
Well, I've spent more time on getting this script to work than the time it would have taken to actually create the groups manually. I can see the group names are returned correctly, and the createadgroup can create a single ad group correctly. Getting the two to work together isn't possible by me. I am going to give up and do just that. Thanks for trying to help me out. tjcarst |
||||||||
|
|
|||||||
Sorry to hear that. If you are still interested in honing your scripting skills, you could break the script in parts. First part woulf enumerate and write a file of the records to be processed lateer. Then open the file and read the line then send it to CreateADGroup(). There has to be a logical reason why thid ids not working in your current script. |
||||||||
|
|
|||||||
That is an option. I could write it to c:\printers.txt and then try to call the info for use with CreateADGroup.udf. That will take me two more hours to figure out. My problem is that I am stubborn and like to figure things out, so even though I have to give in and do this manually, I will figure this out. |
||||||||
|
|
|||||||
I may have found something. I was in the process of breaking down my script as you suggested. I received the following error: ERROR : unknown command [WriteLog2]! Script: W:\CreateAdGroup.udf Line : 60 I do not have the WriteLog2.udf. Initial searching of the UDF did not yield any results. I will search for this later tonight. Maybe my initial script will work. I just don't know why it could create a single group .... |
||||||||
|
|
|||||||
Found it at http://www.kixtart.org/board/ultimatebb.php?ubb=get_topic;f=12;t=000188#000000 I'll give it a try again tomorrow. |
||||||||
|
|
|||||||
That wasn't it. I couldn't get that lucky. |
||||||||
|
|
|||||||
Interesting. I used the first part of my original script to write the names of the printers to a file (c:\printers.txt). Each line contains the name of a printer. contents of c:\printers.txt q-115hall q-123hall q-130hall q-210hall q-220hall (etc.) code:Then I created this script to read the file.; Creates printers.txt code:I get the same error message.;http://www.kixtart.org/board/ultimatebb.php?ubb=get_topic;f=1;t=007920 Results returned to screen: Create ADGroup D_mrh_01_q-115hall Failed with Error: -2147352567 Create ADGroup D_mrh_01_q-123hall Failed with Error: -2147352567 Create ADGroup D_mrh_01_q-130hall Failed with Error: -2147352567 Create ADGroup D_mrh_01_q-210hall Failed with Error: -2147352567 Create ADGroup D_mrh_01_q-220hall Failed with Error: -2147352567 and continues on for each printer. tjcarst [ 22. October 2003, 23:59: Message edited by: tjcarst ] |
||||||||
|
|
|||||||
$DN_of_OU is not specified in your script. Also use the CError() UDF to translate the COM error into plain text. |
||||||||
|
|
|||||||
Thanks for the reply. In my actual script th $DN_of_OU is specified. I forgot to include that line in my copy and paste. I'll try getting the COM error and post what I discover. tjcarst |
||||||||
|
|
|||||||
tjcarst, I have reproduced you error in my AD environment. I have tested quite a bit and could not find a reason for the behavior. What I found is that, always on the second creation of a group, the SetInfo method failed with error 9 (The storage control block address is invalid). It did not matter in which order the groups were created. That ruled out any name issues. quote:This led me to believe that KiXtart or ADSI is not properly destroying the OU or group object and the Setinfo is trying to recreate the previous group. I added $oOU=0 and $oNewGrp=0 before the end of the UDF to force the issue, but this did not help. In short the UDF seem to work only once per script execution. This has me very concerned. Can anyone offer any other testing scenarios or theories on what may be happening here? [ 23. October 2003, 04:51: Message edited by: Howard Bullock ] |
||||||||
|
|
|||||||
One quick test suggestion, in your UDF, instead of using reflected property references (fe. $obj.Put("property-name","value") just use the simple hard-coded variety ($obj.property = value) ... we built our entire domain many times over using ADSI and LDAP and $OU.Create in loops ... no issues found ... |
||||||||
|
|
|||||||
Shawn, I am just perplexed by this behavior. I made the change you suggested (changing the $obj.Put(property, value) to just $obj.proerty = value) but the problem persists. |
||||||||
|
|
|||||||
Then your only option Howard, is to strip your UDF down to the bare essentials, maybe a simple one or two line Group create with default properties, then build it back up until it breaks. I would like to lend a hand for testing tomorrow when I'm back in the office ... |
||||||||
|
|
|||||||
Well I am headed to bed now but greatly welcome your assistance with this issue. When will you be back in the office? |
||||||||
|
|
|||||||
I am going to fire-up your UDF against our AD first thing in the morning, around 8am my time. Your about an hour behind or same time ja ? |
||||||||
|
|
|||||||
U.S. East Coast time. NY City etc. [ 23. October 2003, 05:40: Message edited by: Howard Bullock ] |
||||||||
|
|
|||||||
Are you using that test harness script you posted earlier, where your creating two groups with each iteration - or does it break even when creating a single group per iteration ? |
||||||||
|
|
|||||||
I am reading five root names from a file and pre-pending just like the example. In a loop the script fails on the second create if it is the second create using the altered name within the same loop. It also fails if I comment out the second call to the UDF within the loop and attempt to run through the five names. Do you have a post rc1 custom build of 4.22 to try? I know there were some ADSI related fixes in it. [ 23. October 2003, 13:13: Message edited by: Howard Bullock ] |
||||||||
|
|
|||||||
I have looked at this UDF several times and can not see anything I did incorrectly. That said, I hope someone finds a small proggie error so that this can be concluded for everyone wanting to use this UDF. But I am going to write this up in Perl today to see if the behavior is different. [ 23. October 2003, 13:20: Message edited by: Howard Bullock ] |
||||||||
|
|
|||||||
Howard, think we might have it ... you have a typo in your function prototype: Function CreateADGroup ($Container, $GrpName, $GrpType, $SecurityEnabled, optional $Description, optional $sSAMAcctName) specifically this parm: $sSAMAcctName think you have an extra "s" at the beginning, ja ? |
||||||||
|
|
|||||||
Thank you very much Shawn. The extra set of eyes was definitely needed. Tested with the example code and ALL groups are properly created. With the invalid $SamAccountName variable each group was trying to set the same SamAccountName "Null" which must be unique. I will immediatley correct this in the UDF Library. Thank again!. [edit] This makes me feel a little sheepish. [/edit] [ 23. October 2003, 14:43: Message edited by: Howard Bullock ] |
||||||||
|
|
|||||||
What makes you feel a little sheepish - making a simple typo and not being able to see it ? We have all been there before my brother. |
||||||||
|
|
|||||||
Hallelujah! Hallelujah! Halleluuuuuuuujah! Sorry, I'm not even a religious person, but this warranted something. The original script worked. Very slick, very cool. Thanks for the effort, it truly is appreciated. (Even though I could have manually created these groups three times over, I am thrilled to get this to work!!) Now I have another project I'll be pestering you with related to these groups. Thanks everyone! Script used: code:tjcarst;http://www.kixtart.org/board/ultimatebb.php?ubb=get_topic;f=1;t=007920 [edited to clean up code spacing a little] [ 23. October 2003, 17:15: Message edited by: tjcarst ] |
||||||||
|
|
|||||||
Now I'll use this script to check for the existence of the workstations in the newly created printer groups and install the printers if needed. So cool. code:tjcarst;http://www.kixtart.org/board/ultimatebb.php?ubb=get_topic;f=1;t=007920 [ 23. October 2003, 17:12: Message edited by: tjcarst ] |
||||||||
|
|
|||||||
Sorry that you lost so much time, but I am happy that you now have working code and a greater understanding KiXtart. |
||||||||
|
|
|||||||
One small flaw. The group names that are longer than 15 characters fail for the mappings. I know it was indicated in the createad.udf that SAM account names could only contain 15 characters, but if I go into AD and find the longer names, I can modify the Pre-Windows 2000 name to be longer. Then the mappings occur correctly. Even stranger is that I am using XP and it should be using the AD name, not the SAM name. I don't have many long group names, so this will take no time at all to fix the names in AD. |
||||||||
|
|
|||||||
Please see the FAQ Forum under Limits in NetBIOS, computer/printer names, share names/comments |
||||||||
|
|
|||||||
A lesson for us all. If SETOPTION ("Explicit","ON") was used, this problem would have been seen at the first execution of the script. We all should be using SETOPTION ("Explicit","ON") in ALL of our code to help prevent such problems. [ 23. October 2003, 17:29: Message edited by: Howard Bullock ] |
||||||||
|
|
|||||||
code:Even in NT4, you can make group names longer than 20 characters with code, but the supporting interface in User Manager can not process them. The tool has the limitation not the under lying data store. So you have to be cautious to build your names to the least common denominator for everything to work.If Len($SAMAcctName) > 20 quote: [ 23. October 2003, 18:52: Message edited by: Howard Bullock ] |
||||||||
|
|
|||||||
Thanks, Howard. One last question on this topic for me: I am using a bit of code that checks to see if the default printer is set (after adding printers). I want it to set the default printer if it isn't correctly set, but already installed - wrong printer set default. If it is not mapped, it does correctly add and set as default. I am using PriMapstate.udf for this and thought that it used to work, but I must have changed something. Any idea what I have wrong with this bit? code:if PriMapState("\\" + $defprinter)<>2 |
||||||||
|
|
|||||||
Thanks also for the explanation on th 15 character and 20 character limits. I am no longer using User Manager as I am in Native Mode AD. This should not be an issue. tjcarst |
||||||||
|
|
|||||||
Well, I'm not sure it's the correct way to check for the status of the default printer (if already mapped buy not default), but this seems to work. Get the status of PriMapState and if not equal to 2, SetDefaultPrinter. code:tjcarst;if PriMapState("\\" + $defprinter)<>2 ;does not work [ 23. October 2003, 20:40: Message edited by: tjcarst ] |
||||||||
|
|
|||||||
Posted too soon. It sets the default printer EVERY time now. |
||||||||
|
|
|||||||
I still don't have it. I have verified that the value returned is in fact 2, but can't get it to change the default printer if already installed. code:tjcarst$rc=PriMapState("\\" + $defprinter) [edited to fix =<>] [ 23. October 2003, 21:09: Message edited by: tjcarst ] |
||||||||
|
|
|||||||
quote:Now, that is an interesting construct that I haven't yet seen |
||||||||
|
|
|||||||
Yep. Caught that. Sorry I didn't update here. Still doesn't work, but shows my own inability to make up my mind |
||||||||
|
|
|||||||
Was this a training session, or is it trying to compete with the Golf series for the most posts on one subject? |
||||||||
|
|
|||||||
Training session. Review my posts. I'm struggling. But persistent. I am going to get this to work. (Most likely not without help) [ 23. October 2003, 21:16: Message edited by: tjcarst ] |
||||||||
|
|
|||||||
My computer has the following printers: q-mis2-color on MRH-01 (set as default) q-mis2 on MRH-01 My groups indicate that q-mis2 on MRH-01 is actually the default. This script should change the q-mis2 printer to be default but does not. I return the status to the screen and q-mis2 is the default printer returned based upon group membership and 2 is returned as the PriMapState. This $rc<>2 should return a 1 as q-mis2 is installed, but not as default q-mis2-color is default. It should then set q-mis2 as default. code:$rc=PriMapState("\\" + $defprinter) [ 23. October 2003, 21:34: Message edited by: tjcarst ] |
||||||||
|
|
|||||||
Found it. I was bitten by the 21 character lenght of the printer group name. Now I will have to figure out a new naming scheme for printer groups and redo my scripts. D = default MRH-01 = server name q-mis2-color = printer share D_MRH-01_q-mis2-color tjcarst |
||||||||
|
|
|||||||
Considering following print group names. This is the longest printer name I have: D01_q-research-color D = Default printer 01 = First print server, in my case MRH-01 q-research-color = printer share tjcarst |
||||||||
|
|
|||||||
Okay I have re-created the printer groups after modifying the script. I now have updated the script that maps the printers based upon the printer groups. I would like to know if there is a way to map the printer group name code to a server name without re-writing this code for each combination. An Array? This would remove the hard coded A01, PS1, in my script. For example print server names PS1=MRH-01 PS2=MRH-02 Printer group names D01=Default printer on PS1 D02=Default printer on PS2 A01=Default printer on PS1 A02=Default printer on PS2 etc. code:call @ScriptDir+'\PriMapState.udf' [ 27. October 2003, 18:28: Message edited by: tjcarst ] |
||||||||
|
|
|||||||
Another problem arose. I have the following printers \\mrh-01\q-mis2 \\mrh-01\q-mis2-color \\mrh-01\q-research-color Assigned to the following printer groups D01_q-mis2 A01_q-mis2-color A01_q-research-color Using the script posted above, if I set the color printer to default in my computer to test if the script correctly catches the wrong printer is default and changes to q-mis2, it fails to do so. However, if I set it in my computer to q-research-color, it correctly sets the default back to q-mis2. Is there a problem because the two mis2 printers start with the same name and have another dash in them? It isn't the length. q-mis2 q-mis2-color tjcarst [ 27. October 2003, 18:03: Message edited by: tjcarst ] |
||||||||
|
|
|||||||
I am still stuck on this one. Any ideas? Default printer group D01_q-mis2-color Actual printer set as default on pc q-mis2-color (to test if script detects and sets to q-mis2) When I return the value of Primapstate, it returns a value of 2. Even though the default printer is not set correctly. I have q-mis2-color set as the default, yet my group membership sets q-mis2 as the default printer. If I change the default printer in control panel, printers, to q-mis1, the group membership correctly sets q-mis2 as the default printer. What's up with q-mis2-color? |
||||||||
|
|
|||||||
PriMapState returns incorrect value if based upon registry entry for default printer. Script I am running: code:Results of above script at command prompt:;********** Prevent script from running for administrator on a server or Win95********* ---------------------------------- W:\>kix32 printers Default Printer from computer group membership: \\mrh-01\q-mis2 Default printer in registry: \\mrh-01\q-mis2-color,winspool,Ne03: Value returned by PriMapState: 2 Additional Printer(s): \\mrh-01\q-research Additional Printer(s): \\mrh-01\q-research-color Additional Printer(s): \\mrh-01\q-mis1 Additional Printer(s): \\mrh-01\q-mis2-color W:\> ---------------------------------- tjcarst |