Windows Vista Tips

Re: modify AD computer script to run from locally authenticated account on server

Richard Mueller [MVP]
12-10-2009


"worldzfree" <> wrote in message
news:35b466e3-7bec-46ef-8f77-...
> Hello,
>
> I have a script that I want to modify but am lost in applying the
> correct syntax to move a computer object in Active Directory. Based
> on what I have found in my searches I will need to bind directly to a
> DC with alternate credentials. I have tried multiple iterations but
> can't get it to work. Below is the original un-altered script that I
> am trying to improve upon.
>
> ------begin paste-----------
> 'get computer name
> strComputer = "."
> Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
> Set colItems = objWMIService.ExecQuery("Select Name from Win32_ComputerSystem",,48)
> For Each objItem in colItems
>     strPCName = objItem.Name
> Next
>
> 'move computer object
> Set objNewOU = GetObject("LDAP://OU=New Container,DC=sub,DC=root,DC=local")
> Set objMoveComputer = objNewOU.MoveHere _
>     ("LDAP://CN=" & strPCName & ",CN=Computers,DC=sub,DC=root,DC=local", "CN=" & strPCName)
>
> --------end paste-----------


First, you can retrieve the local computer name (the NetBIOS name) from the
wshNetwork object.

' Retrieve local computer name.
Set objNetwork = CreateObject("Wscript.Network")
strPCName = objNetwork.ComputerName

Next, use the OpenDSObject method of the LDAP namespace to bind to an object
with alternate credentials. Also, when moving an object, instead of
specifying the Common Name in the MoveHere method, use vbNullString.
Finally, the NetBIOS name of the computer, whether retrieved using WMI or
wshNetwork, may not match the common name of the computer object (the value
of the cn attribute). Instead, use the ADSystemInfo object to retrieve the
Distinguished Name of the computer. For example:
==========
Const ADS_SECURE_AUTHENTICATION = &H1

' Specify username to connect.
strUser = "MyDomain\JSMith"

' Specify password.
strPassword = "xzy321w"

' Specify DN of new OU container.
strOU = "ou=New Container,dc=sub,dc=root,dc=local"

' Retrieve DN of local computer.
Set objSysInfo = CreateObject("ADSystemInfo")
strComputerDN = objSysInfo.ComputerName

' Bind to new OU object in AD with alternate credentials.
Set objNS = GetObject("LDAP:")
Set objNewOU = objNS.OpenDSObject("LDAP://" & strOU, strUser, strPassword, _
    ADS_SECURE_AUTHENTICATION)

' Move the computer object in AD.
objNewOU.MoveHere "LDAP://" & strComputerDN, vbNullString

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--


Richard Mueller [MVP]
12-10-2009

"worldzfree" <> wrote in message
news:9dcceb0e-9ab9-4cb8-ae99-...
On Dec 10, 10:34 am, worldzfree <worldzf...@gmail.com> wrote:
> On Dec 9, 7:34 pm, "Richard Mueller [MVP]" <rlmueller-nos...@ameritech.nospam.net> wrote:
> > [snip]
>
> Thanks Richard! I have tried that code but I receive the following
> error.
>
> Line: 14
> Char: 1
> Error: Logon failure: account currently disabled
> Code: 80070533
> Source: Null
>
> I have double-verified that the account credentials are entered
> properly and the AD account is not disabled. Any ideas?


> Ok, I found references here
> (http://www.robvanderwoude.com/vbstech_network_names_computer.php) on how
> to retrieve a name. I changed:
>
> Set objSysInfo = CreateObject("ADSystemInfo")
>
> to
>
> Set objSysInfo = CreateObject("WinNTSystemInfo")
>
> and my script got farther along but then I have the same old error
> that I was getting before which makes me think I need to do a DC
> server bind earlier in the script. Thoughts?
>
> Line: 18
> Char: 1
> Error: The specified domain either does not exist or could not be
> contacted
> Code: 8007054B
> Source: (null)

The WinNTSystemInfo object returns the NT name (pre-Windows 2000 logon name)
of the user, not the Distinguished Name (DN). This makes sense, but does not
help you; you need the DN. I've heard that a server bind is sometimes
necessary; the only drawback is that you need to specify a server. The
following might help:

' Add the following.
Const ADS_SERVER_BIND = &H200

' Then use:
strServer = "MyServer"
Set objNewOU = objNS.OpenDSObject("LDAP://" & strServer & "/" & strOU, _
    strUser, strPassword, _
    ADS_SECURE_AUTHENTICATION Or ADS_SERVER_BIND)

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--


Richard Mueller [MVP]
12-11-2009


"worldzfree" <> wrote in message
news:470d8eee-0dbf-429f-9d1f-...
>
> The WinNTSystemInfo object returns the NT name (pre-Windows 2000 logon
> name)
> of the user, not the Distinguished Name (DN). This makes sense, but does
> not
> help you, you need the DN. I've heard that a server bind is sometimes
> necessary, the only drawback is that you need to specify a server. The
> following might help:
>
> ' Add the following.
> Const ADS_SERVER_BIND = &H200
>
> ' Then use:
> strServer = "MyServer"
> Set objNewOU = objNS.OpenDSObject("LDAP://" & strServer & "/" & strOU, _
>     strUser, strPassword, _
>     ADS_SECURE_AUTHENTICATION Or ADS_SERVER_BIND)
>
> --
> Richard Mueller
> MVP Directory Services
> Hilltop Lab -http://www.rlmueller.net
> --


> Richard,
>
> I am still stuck. I switched back to the "ADSystemInfo" but I assume
> I will need to pass credentials to run ADSystemInfo from AD? Here is
> the code as it stands.
>
> ------begin paste ---------
>
> Const ADS_SERVER_BIND = &H200
> Const ADS_SECURE_AUTHENTICATION = &H1
>
> ' DC to bind to
> strServer = "domaincontroller"
>
> ' Specify username to connect.
> strUser = "domain\account"
>
> ' Specify password.
> strPassword = "password"
>
> ' Specify DN of new OU container.
> strOU = "OU=New Container,DC=sub,DC=root,DC=local"
>
> ' Retrieve DN of local computer.
> Set objSysInfo = CreateObject("ADSystemInfo")
> strComputerDN = objSysInfo.ComputerName
>
> ' Bind to new OU object in AD with alternate credentials.
> Set objNS = GetObject("LDAP:")
> Set objNewOU = objNS.OpenDSObject("LDAP://" & strServer & "/" & strOU, _
>     strUser, strPassword, _
>     ADS_SECURE_AUTHENTICATION Or ADS_SERVER_BIND)
>
> ' Move the computer object in AD.
> objNewOU.MoveHere "LDAP://" & strComputerDN, vbNullString
>
> --------end paste----------
>
> The error I get is:
>
> Line: 18
> Char: 1
> Error: Logon failure: account currently disabled
> Code: 80070533
> Source: Null
>
> Frustrating.
===========
Yes, that makes sense. You cannot use ADSystemInfo if you are not
authenticated to the domain.

I would try again, but reversing the steps, so you bind to the OU object
with alternate credentials first, then use ADSystemInfo to retrieve the DN
of the local computer. Hopefully, once you are authenticated, you can do
this.

Otherwise, it becomes difficult to retrieve the DN of the local computer.
The only other reliable solution is to use the NameTranslate object to
convert the NetBIOS name of the computer retrieved from the wshNetwork
object into the DN. You can use alternate credentials with NameTranslate.
This is getting complicated, but that's what happens when you aren't
authenticated. The final solution, if the suggestion above does not work,
would be:
========
Const ADS_SECURE_AUTHENTICATION = &H1
' Constants for the NameTranslate object.
Const ADS_NAME_INITTYPE_GC = 3
Const ADS_NAME_TYPE_NT4 = 3
Const ADS_NAME_TYPE_1779 = 1

' Specify NetBIOS name of domain.
strDomain = "MyDomain"

' Specify username to connect.
strUser = "JSMith"

' Specify password.
strPassword = "xzy321w"

' Retrieve NetBIOS name of local computer.
Set objNetwork = CreateObject("Wscript.Network")
strComputer = objNetwork.ComputerName

' Use NameTranslate to convert NT form of computer name into DN.
Set objTrans = CreateObject("NameTranslate")
' Initialize by locating Global Catalog. Specify credentials.
objTrans.InitEx ADS_NAME_INITTYPE_GC, "", strUser, strDomain, strPassword
' Use the Set method to specify the NT format of the name. A computer's
' sAMAccountName ends in "$", so the NT name must carry the trailing "$".
objTrans.Set ADS_NAME_TYPE_NT4, strDomain & "\" & strComputer & "$"
' Use the Get method to retrieve the DN.
strComputerDN = objTrans.Get(ADS_NAME_TYPE_1779)

' Specify DN of new OU container.
strOU = "ou=New Container,dc=sub,dc=root,dc=local"

' Bind to new OU object in AD with alternate credentials.
Set objNS = GetObject("LDAP:")
Set objNewOU = objNS.OpenDSObject("LDAP://" & strOU, _
strDomain & "\" & strUser, strPassword, ADS_SECURE_AUTHENTICATION)

' Move the computer object in AD.
objNewOU.MoveHere "LDAP://" & strComputerDN, vbNullString
========
I haven't tested the above, but I've done similar work with alternate
credentials. Notice I've changed the meaning of strUser and added strDomain,
to accommodate the NameTranslate object.

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--
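As an added example (not code from the thread or from Richard's site), the final script above reworked so the password is not stored in the file, the bind is pinned to one DC, and each failing step reports its HRESULT with the meaning it had in this thread. The domain, server, service-account and MOVE_PWD names are assumptions.

```vbscript
' Added example, not from the thread. Assumes a service account that has been
' delegated only the right to move computer objects between the two OUs, and
' that the caller sets MOVE_PWD in the environment of this process.
Const ADS_SECURE_AUTHENTICATION = &H1
Const ADS_SERVER_BIND = &H200
Const ADS_NAME_INITTYPE_SERVER = 2
Const ADS_NAME_TYPE_1779 = 1
Const ADS_NAME_TYPE_NT4 = 3

strDomain = "MyDomain"              ' NetBIOS domain name (assumed)
strServer = "dc01.sub.root.local"   ' DC to bind to (assumed)
strUser = "svc-movecomputer"        ' delegated, low-privilege account (assumed)
strOU = "ou=New Container,dc=sub,dc=root,dc=local"

' Password comes from the environment, so it never sits in the script file.
strPassword = CreateObject("WScript.Shell").ExpandEnvironmentStrings("%MOVE_PWD%")
If strPassword = "%MOVE_PWD%" Or strPassword = "" Then
    WScript.Echo "MOVE_PWD is not set; refusing to bind with an empty password."
    WScript.Quit 2
End If

' Report the failing step and its HRESULT; the two codes seen in this thread get a hint.
Sub Fail(strStep)
    Select Case Hex(Err.Number)
        Case "80070533": strHint = "logon failure: account currently disabled"
        Case "8007054B": strHint = "domain does not exist or could not be contacted"
        Case Else:       strHint = Err.Description
    End Select
    WScript.Echo strStep & " failed, 0x" & Hex(Err.Number) & ": " & strHint
    WScript.Quit 1
End Sub

On Error Resume Next
' NetBIOS computer name -> DN with NameTranslate, authenticating to strServer,
' so ADSystemInfo (which needs a domain logon) is not used at all.
strComputer = CreateObject("WScript.Network").ComputerName
Set objTrans = CreateObject("NameTranslate")
objTrans.InitEx ADS_NAME_INITTYPE_SERVER, strServer, strUser, strDomain, strPassword
objTrans.Set ADS_NAME_TYPE_NT4, strDomain & "\" & strComputer & "$"  ' computer sAMAccountName ends in $
strComputerDN = objTrans.Get(ADS_NAME_TYPE_1779)
If Err.Number <> 0 Then Fail "NameTranslate"

' Bind to the target OU on the same DC with the same credentials, then move.
Set objNewOU = GetObject("LDAP:").OpenDSObject("LDAP://" & strServer & "/" & strOU, _
    strDomain & "\" & strUser, strPassword, ADS_SECURE_AUTHENTICATION Or ADS_SERVER_BIND)
If Err.Number <> 0 Then Fail "OpenDSObject"
Set objMoved = objNewOU.MoveHere("LDAP://" & strServer & "/" & strComputerDN, vbNullString)
If Err.Number <> 0 Then Fail "MoveHere"
WScript.Echo "Moved to " & objMoved.ADsPath
```

Pinning both the NameTranslate lookup and the move to the same DC avoids the replication lag you can hit when the name is resolved on one DC and the move is sent to another.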
