#158256 - 2006-03-03 05:38 PM
Need Help with ADSI
|
Shaun_Hill
Getting the hang of it
Registered: 2004-11-15
Posts: 50
Loc: JHB, South Africa
|
Hi all, I need some assistance please with a script I want to create but am new to ADSI. We have been running a NT4 domain for quit some time and only recently began to migrate to AD 2003 (we now running in mixed mode). We have been migrating users and pc's using the ADMT 2.0 tool. What I am finding is people even after being migrated are still logging on to the old domain! I am sure there could be many reasons but I want to stop it! I was thinking about what would be the best way to achieve this and my curent thinking is to create a script and place it on the NT4 domain that will check when a user logs on if there is a computer and user account existing on the 2003 domain for them and the pc they are loggin on from. If there is then I will display some message and force them to logoff.
Please can I get a sample script which can do one of these checks? I don't want you to write me the whole script just need some asistance to get me started...
Also, will the script work throughout or is it neccessary to have the ADSI sdk installed on every machine to run these queries?
regards Shaun
|
Top
|
|
|
|
#158257 - 2006-03-03 05:47 PM
Re: Need Help with ADSI
|
Howard Bullock
KiX Supporter
Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
|
My suggestion would be to disable the NT4 account of the person that was migrated. If you find that they can not access some resource then you could reanble the NT4 until the problem has been resolved.
|
Top
|
|
|
|
#158259 - 2006-03-03 06:01 PM
Re: Need Help with ADSI
|
Shaun_Hill
Getting the hang of it
Registered: 2004-11-15
Posts: 50
Loc: JHB, South Africa
|
Lol, my head is wrapped around scripting.... should have thought of that simple solution!Thanks Howard, you are correct! I must be loosing my mind
|
Top
|
|
|
|
#158260 - 2006-03-03 06:15 PM
Re: Need Help with ADSI
|
Shaun_Hill
Getting the hang of it
Registered: 2004-11-15
Posts: 50
Loc: JHB, South Africa
|
I think I agreed to soon... Just been thinking a little bit more and the problem is not as easy as just disabling the old user account. The problem is not the user account but the computer accounts. Our users are mostly roaming and all the users accounts have been migrated but not all the computer accounts have... (we doing this is a staged process) And you never know where they might be logging on!
Now we come to what Shawn is saying: with the trust the computer does not need to be migrated to logon to either domain, but when the NT4 domain falls away, then Bam we will have problems...
I also want to identify the computers that are not migrated yet and log this in a file. So if this script can work then this would just be an added procedure. ie. computer account not in AD then computer is not migrated...
Does any of this make any sense? I know I'm struggling myself. I still think a script to do this check would be the best solution
|
Top
|
|
|
|
#158262 - 2006-03-03 06:44 PM
Re: Need Help with ADSI
|
Shaun_Hill
Getting the hang of it
Registered: 2004-11-15
Posts: 50
Loc: JHB, South Africa
|
thank garden we don't have any nt4 or 95/98 stuff around! Its all 2000/XP. I'm busy working right now on a search query using ADO and ADSI. I'm just struggling to figure out what info to get from AD to determine if the object exists. Most likely I might have to say if there is an error then it doesn't exist and if it returns something the it obviously does exist.
|
Top
|
|
|
|
#158265 - 2006-03-03 06:50 PM
Re: Need Help with ADSI
|
Shaun_Hill
Getting the hang of it
Registered: 2004-11-15
Posts: 50
Loc: JHB, South Africa
|
The environment does not allow for it. We have users that walk over us like carpets and it wouldn't be acceptable. I also like things to go smooth and like to know exactly what the status is of this project. You could say Id rather work smart then hard and don't want any surprises. I think I can achieve this, I was hoping somebody out there had a similar need and a could see how they did it. Don't stress too much, I will definately post a final script once i have figured it all out. I like this ADSI though!
|
Top
|
|
|
|
#158266 - 2006-03-03 07:14 PM
Re: Need Help with ADSI
|
Howard Bullock
KiX Supporter
Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
|
Wait a minute here....
What do computer accounts in an NT4 domain have to do with disabling NT4 user accounts in the same domain? Nothing from what I can see. If you migrated all of the NT4 user accounts, then disable the NT4 user accounts. As long as the NT4 domain trusts your new account domain, users can logon using the AD user account from the NT4 domain workstation.
What am I missing???
|
Top
|
|
|
|
#158267 - 2006-03-03 07:34 PM
Re: Need Help with ADSI
|
Shawn
Administrator
Registered: 1999-08-13
Posts: 8611
|
Well, getting back to your original question ... from your NT4 logon scripts could you check against the @DOMAIN and @LDOMAIN macros, or since all your machines are NT5 - could look at Howards ADSI UDF's for:
GetComputerOU()
-and-
GetUserOU()
Not sure what these functions would return when not joined to NT4, but having them returning nothing versus something would prolly tell you something.
|
Top
|
|
|
|
#158268 - 2006-03-03 07:43 PM
Re: Need Help with ADSI
|
Shaun_Hill
Getting the hang of it
Registered: 2004-11-15
Posts: 50
Loc: JHB, South Africa
|
Howard you are correct. The problem occurs when you remove those trusts. Then they will no longer be able to logon to AD because their isn't a computer account in AD. So disabling their old Nt4 account would prevent them from logging on to the old domain but it doesn't tell us that their computer account is migrated. You could check this all manually but i don't like to work hard. Removing the trust would bring chaos which I want to avoid and this should be the last step in the migration process. My reasonning is if I leave their old account active and they attempt to use it I can check if their is a computer account on AD and kick them off if there is and also trap the fact that they are or are not migrated computers. It just makes things neat and tidy for me and our IT staff.
The purpose of the script would be twofold: 1. Prevent migrated computers from logging on to the old domain 2. Trap which computers still need to be migrated. (i don't trust all the completed paper forms and there is bound to be machines that where left out)
make any sense? I might be doing this totally the wrong way but I think it will work
|
Top
|
|
|
|
#158269 - 2006-03-03 07:45 PM
Re: Need Help with ADSI
|
Shaun_Hill
Getting the hang of it
Registered: 2004-11-15
Posts: 50
Loc: JHB, South Africa
|
mmm, interesting. By the sounds of those UDF names it probably is exacly what I need! I will check them out. Thanks Shawn!
|
Top
|
|
|
|
#158270 - 2006-03-03 07:53 PM
Re: Need Help with ADSI
|
Howard Bullock
KiX Supporter
Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
|
The issue then is you want to log the event of a logon from a computer in the NT4 domain. That is trivial.
In you logon script, creat an IF...ENDIF block that checks @domain. If this matches your old NT4 domain then create a file containing what data is important to you and write it to an open share on a server.
You can then see what NT4 domain based computers were used to logon.
You should not be altering your domain trusts until all the computers have been removed from the domain. As a houskeeping measure the computer account in the NT4 domain should be deleted as the final step of the computer migrstion to the new domain.
Oh, disable those migrated user account in the NT4 domain.
Edited by Howard Bullock (2006-03-03 07:54 PM)
|
Top
|
|
|
|
#158271 - 2006-03-04 02:20 PM
Re: Need Help with ADSI
|
Shaun_Hill
Getting the hang of it
Registered: 2004-11-15
Posts: 50
Loc: JHB, South Africa
|
Hi Howard, thanks for that suggestion. I had thought of it but I don't get consistent results with @Domain for some reason. E.g. My PC was one of the first to migrated and @Domain tells me it's the old NT domain? But on some other pc's that have been migrated @domain is correct and tells you it's the new domain. I'm not sure if this has something to do with the ADMT tool because sometimes that process completes but with error, but it usually all still works. I've been led to believe this has something to do with roaming profiles.
Also for the script to be effective it will probably need to verify a user account on the new domain as well, just to ensure I don't kick them off the old domain with out an account to use on the new one.
Has anybody been using the IADSContainer, IADSComputer, or IADSUser in their scripts? I can't find examples of these and am struggling to get the vb version converted. It's like I can't access this from kix??
|
Top
|
|
|
|
Moderator: Shawn, ShaneEP, Ruud van Velsen, Arend_, Jochen, Radimus, Glenn Barnas, Allen, Mart
|
2 registered
(morganw, mole)
and 414 anonymous users online.
|
|
|