Page 1 of 2 12>
Topic Options
#92400 - 2003-07-10 09:13 PM Connecting to AD using different user credentials
redbird Offline
Fresh Scripter

Registered: 2002-06-26
Posts: 10
Loc: Illinois State University - No...
We are using RIS and kixtart scripts to load machines. When the machine is loaded it performs a GUIRUNONCE section in which we call a script that installs the MSI packages. The issue is the script is running as the local administrator and we would like to query AD to find the machine account and its description. The description contains the user profile name that is used to load all software for that user. The issue is that the local administrator account does not have access to query AD. It needs a valid AD user account credentials to even query it. Of course we do not have access to the administrator account and would not use the AD administrator account for this.

We have a script that will work when logged on to AD on the machine, but during the machine build process it is using the local administrator account.

Top
#92401 - 2003-07-10 09:17 PM Re: Connecting to AD using different user credentials
Howard Bullock Offline
KiX Supporter
*****

Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
Use a standard AD account and Explore OpenDsObject.

quote:
The IADsOpenDSObject::OpenDSObject method binds to an ADSI object using the given credentials, retrieving an IDispatch pointer on the specified object.


http://www.kixtart.org/board/ultimatebb.php?ubb=get_topic;f=13;t=000616#000001

http://www.kixtart.org/board/ultimatebb.php?ubb=get_topic;f=13;t=000578#000005

[ 10. July 2003, 21:19: Message edited by: Howard Bullock ]
_________________________
Home page: http://www.kixhelp.com/hb/

Top
#92402 - 2003-07-11 06:20 PM Re: Connecting to AD using different user credentials
redbird Offline
Fresh Scripter

Registered: 2002-06-26
Posts: 10
Loc: Illinois State University - No...
Howard, Thank you very much for your reply. I have tried several things in that direction and still no luck. You posted a LDAP query which is similar to what we are doing. I did not know if you may be able to use this as an example...

Break ON

; Create the connection and command object.
$oConnection1 = CreateObject("ADODB.Connection")
? "@error @serror"
$oCommand1 = CreateObject("ADODB.Command")
? "@error @serror"

; Open the connection.
$oConnection1.Provider = "ADsDSOObject" ; This is the ADSI OLE-DB provider name
? "@error @serror"
$oConnection1.Open ("Active Directory Provider")
? "@error @serror"

; Create a command object for this connection.
$oCommand1.ActiveConnection = $oConnection1
? "@error @serror"

; Compose a search string.
$oCommand1.CommandText = "select name, objectClass from 'LDAP://us-tyco-e/DC=us, DC=tycoelectronics, DC=com' " +
"WHERE objectClass='user'" ; and objectClass<>'computer'"

; Execute the query.
$rs = $oCommand1.Execute
? "ex: @error @serror"

;--------------------------------------
; Navigate the record set
;--------------------------------------

While (Not $rs.EOF)
?
for each $item in $rs.Fields
? $item.Name + " = "
$Value = $item.Value
if VarTypeName($Value) = "String"
" " + $Value
else
for each $v in $Value
" " + $v
next
endif
next
;? $rs.Fields("Name")
$rs.MoveNext
Loop

That was your code, but we want to specify credentials for the objects when we query. I was able to modify the connection.open specifying credentials there,

$oConnection1.Open ("Active Directory Provider", $username, $password)

but the .execute of the query fails.

; Execute the query.
$rs = $oCommand1.Execute

Any suggestions?

Top
#92403 - 2003-07-11 06:35 PM Re: Connecting to AD using different user credentials
Howard Bullock Offline
KiX Supporter
*****

Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
I am presently away for the weekend and will not have much time to be online. Please post your code so that we can see what your trying to do.
_________________________
Home page: http://www.kixhelp.com/hb/

Top
#92404 - 2003-07-11 06:49 PM Re: Connecting to AD using different user credentials
redbird Offline
Fresh Scripter

Registered: 2002-06-26
Posts: 10
Loc: Illinois State University - No...
Howard, again thank you for your prompt reply. I have been reading the bulletin board and looking through much of it and really respect your information. Here is my code:

Dim $mach[1000]
Dim $Filter[0] ;Declare filter for Object
$Filter[0]="Computer" ;Or replace "Group" with "User" or "Computer"
$MyProvider = "LDAP://" ;AD Provider used to search
$IniFile = "c:\winnt\myfile.inf"
; Set the login credential
$sUser = "Domail\user"
$sPassword = "***********"
; Set the domain controler and the proper context
$sDomain = "DC=myad,DC=mydomain,DC=edu"

? @WKSTA ;Print Machine Name
$mach=ADSearch(@WKSTA) ;Search AD for Machine Name

If $ItemFound
$MyPath = $mach[0]

$MyAdsPath = $MyProvider + $MyPath ;Concat for FULL Path to Object

; Connect to ADS with the provided login credential
$oProvider = GetObject("LDAP:")
$rootDSE = $oProvider.OpenDSObject("LDAP://" + $sDomain + "/RootDSE", $sUser, $sPassword, 1)


? $MyAdsPath ;Print FULL Path
$ou = GetObject($MyAdsPath) ;Get Object with full path

$ou.Filter = $Filter

? $ou.Name ;Display Object Name cn
? $ou.description ;Display Object description

$UserID = $ou.description
$CN = SubStr($ou.Name,4)
$Tag = SubStr($CN,4)
If $UserID <> ""
;Write INI File
$result=WriteProfileString($IniFile,'ULID','id',$UserID)
$result=WriteProfileString($IniFile,'ULID','cn',$CN)
$result=WriteProfileString($IniFile,'ULID','Tag',$Tag)
$result=WriteProfileString($IniFile,'ULID','Valid',"True")
$result=WriteProfileString($IniFile,'ULID','AdsPath',$MyAdsPath)
Else

$result=WriteProfileString($IniFile,'ULID','id',"Basic")
$result=WriteProfileString($IniFile,'ULID','cn',$CN)
$result=WriteProfileString($IniFile,'ULID','Tag',$Tag)
$result=WriteProfileString($IniFile,'ULID','Valid',"False")
$result=WriteProfileString($IniFile,'ULID','AdsPath',$MyAdsPath)
EndIf

Else
;Object not found in AD
$result=WriteProfileString($IniFile,'ULID','id',@USERID)
$result=WriteProfileString($IniFile,'ULID','cn',@WKSTA)
$result=WriteProfileString($IniFile,'ULID','Tag',SubStr(@WKSTA,4))
$result=WriteProfileString($IniFile,'ULID','Valid',"False")
$result=WriteProfileString($IniFile,'ULID','AdsPath',"Error - Not Found")

EndIf

Exit

; Function ADSearch()
;
; v1.1
;
; Author: Heitz Alex (HeitzAlexandre@wanadoo.fr)
;
; Action: Search in Active Directory using LDAP
;
; Syntax: ADSearch("Account Name", "Full Name")
;
; Parameters: Full Name (Optional)
; The full name to search in the AD database
;
; Account Name (Optional)
; The account name (or ID name) to search in the AD database
;
; Dependancies: Active Directory client installed (Build-in in 2000 and XP systems)
;
; Remarks: Working on 9x (95, 98, Me) and NTx (4, 2000, XP) systems
; Account name of a computer has a trailing $
; Only * wildcard is supported.
; ADSearch can't be designed to only retreive user and computer (ADODB and LDAP limits)
;
;
; Returns: Array of elements containing the complete following string :
; "CN=full name,...rest of DSN...,DC=Domain,DC=Organization,DC=com or org or...,AccountName=account name,IsContainer=0|1, IsGroup=0|1
; Iscontainer is set to 1 when AccountName is empty
; IsGroup is set to 1 when the current element is a Group
;
; example: ADSearch("Computers") return 1 array with the following value : "CN=Computers,DC=Domain,DC=Organization,DC=com|AccountName=|IsContainer=1|IsGroup=0"
; ADSearch("P*") return X arrays with values like this one : "CN=Username,OU=OU container name,DC=Domain,DC=Organization,DC=com|AccountName=Useraccount|IsContainer=0|IsGroup=0"
; ADSearch(,"*$$") return X arrays with values like this one : "CN=Computer name,CN=Computers,DC=Domain,DC=Organization,DC=com|AccountName=Computer name$|IsContainer=0|IsGroup=0"
Function ADSearch(Optional $ADFullName,Optional $ADAccountName)
Dim $AdoCon
Dim $AdoCommand
Dim $Recordset
Dim $Filter
Dim $i
Select
Case Len($ADFullName)>0 AND Len($ADAccountName)>0
$filter=" where cn='"+$adfullname+"' and samAccountName='"+$ADAccountName+"' "
Case Len($ADFullName)>0
$filter=" where cn='"+$ADFullName+"' "
Case Len($ADAccountName)>0
$filter=" where samAccountName='"+$ADAccountName+"' "
Case 1
; I'm sure you don't want to retreive the complete Active Directory database
Return
EndSelect
$AdoCon = CreateObject("ADODB.Connection")
$AdoCon.Provider = "ADsDSOObject"

; WAS: Current credentials are used, as username and password aren't specified
;$AdoCon.Open("Active Directory Provider")
;Now I tried to specify credentials here since Local Adminstrator does not have
;access to AD
$AdoCon.Open("Active Directory Provider", $sUser, $sPassword)

; Create ADO command object for the connection.
$AdoCommand = CreateObject("ADODB.Command")
$AdoCommand.ActiveConnection = $AdoCon

$MyCommandText = "Select AdsPath from '" + $MyProvider + $sDomain + "'" + $filter

? $MyCommandText
$result=WriteProfileString($IniFile,'ULID','Command',$MyCommandText)
$AdoCommand.CommandText =$MyCommandText

; Execute the query.
$Recordset = $AdoCommand.Execute
If @ERROR=0
; $Recordset is 1 based
If $Recordset.RecordCount>0
? $recordset.recordcount
$ItemFound = $recordset.recordcount
ReDim $ADSearch[$recordset.RecordCount-1]
$Recordset.movefirst
For $i=0 to $recordset.RecordCount-1
; Here we'll parse the fields of the current record
$ADSearch[$i]=SubStr($Recordset.Fields("AdsPath").value,8) ; To get rid of " LDAP://"
; Moving to the next record we have in $Recordset
$Recordset.Movenext
Next
EndIf
Else
? @ERROR
EndIf
EndFunction

Top
#92405 - 2003-07-11 07:01 PM Re: Connecting to AD using different user credentials
redbird Offline
Fresh Scripter

Registered: 2002-06-26
Posts: 10
Loc: Illinois State University - No...
The point of contention seems to be 1. When logged on a computer with AD credentials it works fine. 2. When logged in as a local admininistrator it has an error...

; Execute the query.
$Recordset = $AdoCommand.Execute
If @ERROR=0
; $Recordset is 1 based
...
Else
? @ERROR
EndIf
EndFunction

And that is where it is failing. At the .Execute.

I know your are out of the office and it is a Friday, but I do appreciate your interest.

Top
#92406 - 2003-07-11 07:07 PM Re: Connecting to AD using different user credentials
Sealeopard Offline
KiX Master
*****

Registered: 2001-04-25
Posts: 11164
Loc: Boston, MA, USA
There's no problem at all. You're just encountering Windows security. You will need to authenticate against AD with a domain account.
_________________________
There are two types of vessels, submarines and targets.

Top
#92407 - 2003-07-11 07:13 PM Re: Connecting to AD using different user credentials
redbird Offline
Fresh Scripter

Registered: 2002-06-26
Posts: 10
Loc: Illinois State University - No...
You mean there is no way to execute this script with AD credentials instead of the local user credentials? So the objects with those credentials will still use the local credentials. Again I need this all to run asyncronously without user intervention. The machine could be network booted to the RIS and install everything. How is MS security causing this?
Top
#92408 - 2003-07-11 07:19 PM Re: Connecting to AD using different user credentials
Sealeopard Offline
KiX Master
*****

Registered: 2001-04-25
Posts: 11164
Loc: Boston, MA, USA
Please take a look at the FAQ Forum under Installing an Application as an Admin and the UDF Forum under fnWMIAuthentication() - Authenticates against a local or remote WMI provider . They might be of help.

Local users normally do not have any kind of domain rights.
_________________________
There are two types of vessels, submarines and targets.

Top
#92409 - 2003-07-11 07:22 PM Re: Connecting to AD using different user credentials
Shawn Administrator Offline
Administrator
*****

Registered: 1999-08-13
Posts: 8611
Can you provide us with the @ERROR number and @SERROR text from Execute ? (if you haven't done so already). Put this at the top of your script so that the entire message is displayed on your console:

$= SetOption("WrapAtEol","On")

Top
#92410 - 2003-07-11 07:47 PM Re: Connecting to AD using different user credentials
Anonymous
Unregistered


Another idea would be to get the script to work with an adminstrative account then use SU.EXE and KixCrypt to run it. That worked for me when I needed to use an account with Admin rights.
Top
#92411 - 2003-07-11 07:58 PM Re: Connecting to AD using different user credentials
Anonymous
Unregistered


By the way, what machine properties are you looking for? Would you maybe even be better off if you ran something on the server them dumped it all out to a text file then had your script reference a text file with all the parameters that you're looking for?
Top
#92412 - 2003-07-11 08:41 PM Re: Connecting to AD using different user credentials
redbird Offline
Fresh Scripter

Registered: 2002-06-26
Posts: 10
Loc: Illinois State University - No...
Thanks to all that responded. Shawn the @serror is: COM exception error "Execute" (Provider - Table does not exist.) [1/1]... Not sure what that means. the @error is 1
Top
#92413 - 2003-07-11 08:48 PM Re: Connecting to AD using different user credentials
redbird Offline
Fresh Scripter

Registered: 2002-06-26
Posts: 10
Loc: Illinois State University - No...
I also understand local users do not have DOMAIN rights, but is there a way to execute the script with elevated priveledges for instance a valid domain account that can access AD.
Top
#92414 - 2003-07-11 11:43 PM Re: Connecting to AD using different user credentials
Howard Bullock Offline
KiX Supporter
*****

Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
RedBird, please describe in words what you want to accomplish and why you are trying to execute this from a client using an account that appears not to have sufficient permissions?

If you describe the business problem you are trying to solve then we can assist you in determining if your current approach is optimal or not. Maybe we can suggest alternative methods to achieve your goals.
_________________________
Home page: http://www.kixhelp.com/hb/

Top
#92415 - 2003-07-12 12:10 AM Re: Connecting to AD using different user credentials
redbird Offline
Fresh Scripter

Registered: 2002-06-26
Posts: 10
Loc: Illinois State University - No...
We are trying to automate the process of building workstations (load os, software, etc). We have RIS and in the runonce section we call scripts to load the software. With AD we can pre-populate the computer account information with a description (assign it to a user). When RIS runs it loads the OS and then starts the scripts. The account it is running under is the local administrator account. When the scripts run (remember - no user interaction) they are using the local admin account and they then try to read AD to get the computer account description that we pre-populated earlier. The business logic is we can use AD as a one stop shop and create the accounts ONCE! and then re-assign them in the description. The machine names are static (Tag No) as well as the GUIDS. If we want to give joeuser and diffent machine, we simply change the description in AD. Do a PXE boot (f12) and load the RIS image and it will automatically find joeuser's in the description thus the next script will start loading all of joeuser's software. We simply re-boot a machine and load it and it is ready to be placed in service for joeuser. NICE. If joeuser has trouble on his machine he could perform the boot and re-load his machine and wait and come back and the machine would be ready to go. We have all the scripts to load the software using msi's. All we need to do is tie the machine to the user in one location instead of several different places. That is our goal. The one thing holding us back is this script. It doesn't work under the local admin credentials because it is in the runonce part of the load (from RIS). If that fails then we would intervene and can push the process along, but then it is not automated.

I was able to write a vb.net console ap to do this, but we have to load the .net framework on the machine, and the loads act flaky. We have had inconsistent results with that. We know the scripts are pretty solid and no overhead and were trying to convert the process to scripts particularly kix scripts. I would be willing to use any other script as well, but the ini file tools and other things make kix easier to use.

I am just so close to making this happen, except for the credential issue. I do not understand why the vb ap will allow me to pass the credentials to the ad object and I am not able to in kix.

I really do appreaciate all the help. We would consider running the script from the server to populate a file that would be read from the client, but it is another link in the puzzle, rather than a direct route and we would have to worry about keeping everything in sync.

It is all about consistency and simplicity.

Top
#92416 - 2003-07-12 03:33 AM Re: Connecting to AD using different user credentials
Howard Bullock Offline
KiX Supporter
*****

Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
I am still looking into the alternate credential thing, but could you just execute the whole process as a domain user (service account with local admin) to avoid this issue?
_________________________
Home page: http://www.kixhelp.com/hb/

Top
#92417 - 2003-07-12 03:56 PM Re: Connecting to AD using different user credentials
Sealeopard Offline
KiX Master
*****

Registered: 2001-04-25
Posts: 11164
Loc: Boston, MA, USA
The answer is in the FAQ I linked to. Have the script start a second script via SU or Task Scheduler under separate domain admin credentials.
_________________________
There are two types of vessels, submarines and targets.

Top
#92418 - 2003-07-12 06:03 PM Re: Connecting to AD using different user credentials
Howard Bullock Offline
KiX Supporter
*****

Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
Jens, your solution requires WMI. Should not one be able to accomplish the same thing with the ADO OPEN method?
_________________________
Home page: http://www.kixhelp.com/hb/

Top
#92419 - 2003-07-12 08:22 PM Re: Connecting to AD using different user credentials
Sealeopard Offline
KiX Master
*****

Registered: 2001-04-25
Posts: 11164
Loc: Boston, MA, USA
Howard, SU & Task Scheduler do not require WMI. The fnWMIAuthentication is WMI-based but I'm sure that the same can be accomplished with ADSI. However, it might even work by authenticating against a DC via the WMI-based UDF then continuing on with an ADSI call.

This might also be of help: INFO: User Authentication Issues with ADSI WinNT Provider
_________________________
There are two types of vessels, submarines and targets.

Top
Page 1 of 2 12>


Moderator:  Shawn, ShaneEP, Ruud van Velsen, Arend_, Jochen, Radimus, Glenn Barnas, Allen, Mart 
Hop to:
Shout Box

Who's Online
0 registered and 262 anonymous users online.
Newest Members
gespanntleuchten, DaveatAdvanced, Paulo_Alves, UsTaaa, xxJJxx
17864 Registered Users

Generated in 0.071 seconds in which 0.025 seconds were spent on a total of 13 queries. Zlib compression enabled.

Search the board with:
superb Board Search
or try with google:
Google
Web kixtart.org