#158256 - 2006-03-03 05:38 PM Need Help with ADSI
Shaun_Hill Offline
Getting the hang of it

Registered: 2004-11-15
Posts: 50
Loc: JHB, South Africa
Hi all, I need some assistance please with a script I want to create but am new to ADSI. We have been running an NT4 domain for quite some time and only recently began to migrate to AD 2003 (we are now running in mixed mode). We have been migrating users and PCs using the ADMT 2.0 tool. What I am finding is people even after being migrated are still logging on to the old domain! I am sure there could be many reasons but I want to stop it! I was thinking about what would be the best way to achieve this and my current thinking is to create a script and place it on the NT4 domain that will check when a user logs on if there is a computer and user account existing on the 2003 domain for them and the PC they are logging on from. If there is then I will display some message and force them to logoff.

Please can I get a sample script which can do one of these checks? I don't want you to write me the whole script, I just need some assistance to get me started...

Also, will the script work throughout or is it necessary to have the ADSI SDK installed on every machine to run these queries?

regards
Shaun

#158257 - 2006-03-03 05:47 PM Re: Need Help with ADSI
Howard Bullock Offline
KiX Supporter
*****

Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
My suggestion would be to disable the NT4 account of the person that was migrated. If you find that they cannot access some resource then you could re-enable the NT4 account until the problem has been resolved.
_________________________
Home page: http://www.kixhelp.com/hb/

#158258 - 2006-03-03 06:01 PM Re: Need Help with ADSI
Shawn Administrator Offline
Administrator
*****

Registered: 1999-08-13
Posts: 8611
Little out of my bounds here, but assuming the workstations have been migrated to the new domain, why not just blow away the 2-way trust and make it one-way. Then they won't have the option of logging into the old domain.
#158259 - 2006-03-03 06:01 PM Re: Need Help with ADSI
Shaun_Hill Offline
Getting the hang of it

Registered: 2004-11-15
Posts: 50
Loc: JHB, South Africa
Lol, my head is wrapped around scripting.... should have thought of that simple solution! Thanks Howard, you are correct! I must be losing my mind.
#158260 - 2006-03-03 06:15 PM Re: Need Help with ADSI
Shaun_Hill Offline
Getting the hang of it

Registered: 2004-11-15
Posts: 50
Loc: JHB, South Africa
I think I agreed too soon... Just been thinking a little bit more and the problem is not as easy as just disabling the old user account. The problem is not the user account but the computer accounts. Our users are mostly roaming and all the user accounts have been migrated but not all the computer accounts have... (we are doing this in a staged process) And you never know where they might be logging on!

Now we come to what Shawn is saying: with the trust the computer does not need to be migrated to logon to either domain, but when the NT4 domain falls away, then Bam we will have problems...

I also want to identify the computers that are not migrated yet and log this in a file. So if this script can work then this would just be an added procedure, i.e. computer account not in AD then computer is not migrated...

Does any of this make any sense? I know I'm struggling myself.
I still think a script to do this check would be the best solution

#158261 - 2006-03-03 06:39 PM Re: Need Help with ADSI
Shawn Administrator Offline
Administrator
*****

Registered: 1999-08-13
Posts: 8611
What kinda wkstn OS you running ? Windows 2000+ or do you still got lots of old stuff still kicking around ?
#158262 - 2006-03-03 06:44 PM Re: Need Help with ADSI
Shaun_Hill Offline
Getting the hang of it

Registered: 2004-11-15
Posts: 50
Loc: JHB, South Africa
Thank garden we don't have any NT4 or 95/98 stuff around! It's all 2000/XP.
I'm busy working right now on a search query using ADO and ADSI. I'm just struggling to figure out what info to get from AD to determine if the object exists. Most likely I might have to say if there is an error then it doesn't exist and if it returns something then it obviously does exist.

#158263 - 2006-03-03 06:44 PM Re: Need Help with ADSI
Shawn Administrator Offline
Administrator
*****

Registered: 1999-08-13
Posts: 8611
Hmmm, I am still a little unclear as to why disabling the old accounts won't work. Your goal is to get everyone using their new accounts - would it really kill your folks if for a time, they couldn't log into un-migrated workstations? We have roamies too - but find that they usually don't roam too far ...
#158264 - 2006-03-03 06:46 PM Re: Need Help with ADSI
Shawn Administrator Offline
Administrator
*****

Registered: 1999-08-13
Posts: 8611
Just to be clear - obviously you wouldn't disable someone's account that hadn't had their home workstation migrated yet ;0)
#158265 - 2006-03-03 06:50 PM Re: Need Help with ADSI
Shaun_Hill Offline
Getting the hang of it

Registered: 2004-11-15
Posts: 50
Loc: JHB, South Africa
The environment does not allow for it. We have users that walk over us like carpets and it wouldn't be acceptable. I also like things to go smooth and like to know exactly what the status is of this project. You could say I'd rather work smart than hard and don't want any surprises. I think I can achieve this, I was hoping somebody out there had a similar need and I could see how they did it. Don't stress too much, I will definitely post a final script once I have figured it all out. I like this ADSI though!
#158266 - 2006-03-03 07:14 PM Re: Need Help with ADSI
Howard Bullock Offline
KiX Supporter
*****

Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
Wait a minute here....

What do computer accounts in an NT4 domain have to do with disabling NT4 user accounts in the same domain? Nothing from what I can see. If you migrated all of the NT4 user accounts, then disable the NT4 user accounts. As long as the NT4 domain trusts your new account domain, users can logon using the AD user account from the NT4 domain workstation.

What am I missing???
_________________________
Home page: http://www.kixhelp.com/hb/

#158267 - 2006-03-03 07:34 PM Re: Need Help with ADSI
Shawn Administrator Offline
Administrator
*****

Registered: 1999-08-13
Posts: 8611
Well, getting back to your original question ... from your NT4 logon scripts you could check against the @DOMAIN and @LDOMAIN macros, or since all your machines are NT5 - could look at Howard's ADSI UDFs for:

GetComputerOU()

-and-

GetUserOU()

Not sure what these functions would return when not joined to NT4, but having them returning nothing versus something would prolly tell you something.

#158268 - 2006-03-03 07:43 PM Re: Need Help with ADSI
Shaun_Hill Offline
Getting the hang of it

Registered: 2004-11-15
Posts: 50
Loc: JHB, South Africa
Howard you are correct. The problem occurs when you remove those trusts. Then they will no longer be able to logon to AD because there isn't a computer account in AD. So disabling their old NT4 account would prevent them from logging on to the old domain but it doesn't tell us that their computer account is migrated. You could check this all manually but I don't like to work hard. Removing the trust would bring chaos which I want to avoid and this should be the last step in the migration process. My reasoning is if I leave their old account active and they attempt to use it I can check if there is a computer account on AD and kick them off if there is and also trap the fact that they are or are not migrated computers.
It just makes things neat and tidy for me and our IT staff.

The purpose of the script would be twofold:
1. Prevent migrated computers from logging on to the old domain
2. Trap which computers still need to be migrated. (I don't trust all the completed paper forms and there are bound to be machines that were left out)

Make any sense? I might be doing this totally the wrong way but I think it will work

#158269 - 2006-03-03 07:45 PM Re: Need Help with ADSI
Shaun_Hill Offline
Getting the hang of it

Registered: 2004-11-15
Posts: 50
Loc: JHB, South Africa
Mmm, interesting. By the sounds of those UDF names it probably is exactly what I need! I will check them out. Thanks Shawn!
#158270 - 2006-03-03 07:53 PM Re: Need Help with ADSI
Howard Bullock Offline
KiX Supporter
*****

Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
The issue then is you want to log the event of a logon from a computer in the NT4 domain. That is trivial.

In your logon script, create an IF...ENDIF block that checks @domain. If this matches your old NT4 domain then create a file containing what data is important to you and write it to an open share on a server.

You can then see what NT4 domain based computers were used to logon.

You should not be altering your domain trusts until all the computers have been removed from the domain. As a housekeeping measure the computer account in the NT4 domain should be deleted as the final step of the computer migration to the new domain.

Oh, disable those migrated user accounts in the NT4 domain.


Edited by Howard Bullock (2006-03-03 07:54 PM)
_________________________
Home page: http://www.kixhelp.com/hb/

#158271 - 2006-03-04 02:20 PM Re: Need Help with ADSI
Shaun_Hill Offline
Getting the hang of it

Registered: 2004-11-15
Posts: 50
Loc: JHB, South Africa
Hi Howard, thanks for that suggestion. I had thought of it but I don't get consistent results with @Domain for some reason. E.g. My PC was one of the first to be migrated and @Domain tells me it's the old NT domain? But on some other PCs that have been migrated @domain is correct and tells you it's the new domain. I'm not sure if this has something to do with the ADMT tool because sometimes that process completes but with error, but it usually all still works. I've been led to believe this has something to do with roaming profiles.

Also for the script to be effective it will probably need to verify a user account on the new domain as well, just to ensure I don't kick them off the old domain without an account to use on the new one.

Has anybody been using the IADSContainer, IADSComputer, or IADSUser in their scripts? I can't find examples of these and am struggling to get the vb version converted. It's like I can't access this from kix??

#158272 - 2006-03-04 02:31 PM Re: Need Help with ADSI
Shawn Administrator Offline
Administrator
*****

Registered: 1999-08-13
Posts: 8611
You're right, you cannot access those from Kix. Those are low-level COM interfaces (the standard is that COM Interfaces start with the letter "I") ... the good news is that Microsoft (usually) provides scriptable interfaces to these same low-level interfaces - they are called dual-interfaces.

Bottom line: While the low-level interface reference material can be useful, it is really not meant for scripting. What you need to find is an ADSI scripter's reference guide.

#158273 - 2006-03-04 02:36 PM Re: Need Help with ADSI
Shawn Administrator Offline
Administrator
*****

Registered: 1999-08-13
Posts: 8611
By the way - VBS cannot access those low-level interfaces either ! VB can !
#158274 - 2006-03-04 02:53 PM Re: Need Help with ADSI
Shawn Administrator Offline
Administrator
*****

Registered: 1999-08-13
Posts: 8611
I may have given you the wrong impression by saying Kixtart doesn't support (for example) IAdsUser - it does - it's just that it uses the scriptable flavor of IAdsUser ... example:

$user = GetObject("WinNT://domain/administrator,user")

$user does indeed implement IAdsUser ... it's the same if you do a getobject on a Container ... it implements IAdsContainer - the difference is that it implements it at a SCRIPTABLE level - not on a low-level ... and it's not guaranteed that ALL low-level objects and members will work at the scriptable level.
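
The logging step Howard Bullock describes and the `GetObject("WinNT://...")` bind Shawn shows, combined into one KiXtart logon-script example. This is an added example, not code from any poster in the thread; the domain names, the share path and the `AccountExists` helper are placeholders, and it assumes the new domain's machine account can be bound as `COMPUTERNAME$` through the WinNT provider.

```kixtart
; Added example, not from the thread. All three values below are placeholders.
$OldDomain = "OLDNT4"                        ; NetBIOS name of the NT4 domain (assumed)
$NewDomain = "NEWAD"                         ; NetBIOS name of the AD domain (assumed)
$LogFile   = "\\SERVER\MigLog\nt4logons.csv" ; share users can append to (assumed)

; Only act when the user actually logged on to the old domain.
If @LDOMAIN = $OldDomain
    $UserOK = AccountExists($NewDomain, @USERID, "user")
    ; A machine account is a user-class object named COMPUTERNAME$.
    ; Chr(36) is "$"; it avoids KiXtart expanding "$" inside a string.
    $CompOK = AccountExists($NewDomain, @WKSTA + Chr(36), "user")

    ; Record every old-domain logon: date,time,computer,user,computer found,user found
    If Open(1, $LogFile, 5) = 0              ; 5 = create if missing + write (append)
        $Line = @DATE + "," + @TIME + "," + @WKSTA + "," + @USERID
        $Line = $Line + "," + $CompOK + "," + $UserOK
        $rc = WriteLine(1, $Line + @CRLF)
        $rc = Close(1)
    EndIf

    ; Force a logoff only when BOTH new-domain accounts were positively found,
    ; so nobody is locked out without a working account in the new domain.
    If $UserOK And $CompOK
        $Msg = "This computer and your account have been migrated to " + $NewDomain
        $Msg = $Msg + ". Please log on to that domain."
        $rc = MessageBox($Msg, "Domain migration", 48)
        $rc = Logoff(1)
    EndIf
EndIf

; Hypothetical helper: returns 1 when the WinNT provider can bind to the named
; account in $Domain, 0 when the bind fails for any reason.
Function AccountExists($Domain, $Name, $Class)
    Dim $obj
    $AccountExists = 0
    $obj = GetObject("WinNT://" + $Domain + "/" + $Name + "," + $Class)
    If VarType($obj) = 9                     ; 9 = an object was returned
        $AccountExists = 1
    EndIf
    $obj = 0                                 ; release the COM object
EndFunction
```

A failed bind can also mean the new domain could not be reached, so a 0 in the log means "not confirmed" rather than "not migrated"; the script only forces a logoff on two positive results.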

#158275 - 2006-03-04 04:16 PM Re: Need Help with ADSI
Les Offline
KiX Master
*****

Registered: 2001-06-11
Posts: 12734
Loc: fortfrances.on.ca
Shawn,
You are talking in circles now.

When a computer is migrated from NT4 to AD, why would the NT4 computer account not be disabled immediately? Same for the user account... why not disable them in NT4 as soon as they are migrated?
_________________________
Give a man a fish and he will be back for more. Slap him with a fish and he will go away forever.
