How do I add a domain account user to a local group?
Problem description:
There are hundreds of articles out there that teach this, but my case is "unique". I get Access Denied on this line:
    Set objDomainUser = GetObject("WinNT://" & domainControllerIP & "/" & domainAccount & ",user")
So I realized I have to pass the user's credentials. Most people pass just the domain name, which is fine: it connects to the domain controller that can be found by looking at the environment variable %LOGONSERVER%. I need to specify the domain controller name (or IP), otherwise it does not work for us.
So I am just trying to get this syntax right. Here is my code:
    Sub AddAccountToLocalGroup(domainName, domainControllerIP, localGroup, domainAccount)
        Dim localComputer : localComputer = GetMachineName()
        Dim objLocalGroup
        Dim objDomainUser
        Const ADS_SECURE_AUTHENTICATION = &h0001
        Const ADS_SERVER_BIND = &h0200

        On Error Resume Next   ' required, otherwise the Err check below never runs
        Err.Clear

        ' Bind the local group through the WinNT provider
        Set objLocalGroup = GetObject("WinNT://" & localComputer & "/" & localGroup & ",group")

        ' Bind the domain user: this is the line that fails with ACCESS DENIED
        Set objDomainUser = GetObject("WinNT://" & domainControllerIP & "/" & domainAccount & ",user")

        ' Attempts with explicit credentials (all failed as well):
        ' Set objDomainUser = GetObject("WinNT:").OpenDSObject("WinNT://" & domainName & "/" & domainControllerIP & "/" & "Bob", "Bob", "Password", ADS_SECURE_AUTHENTICATION Or ADS_SERVER_BIND)
        ' Set objDomainUser = GetObject("WinNT:").OpenDSObject("WinNT://" & domainName & "/" & domainControllerIP & "/" & ",user", "Bob", "Password", ADS_SECURE_AUTHENTICATION Or ADS_SERVER_BIND)
        ' Set objDomainUser = GetObject("WinNT:").OpenDSObject("WinNT://" & domainName & "/" & "Bob" & ",user", "Bob", "Password", ADS_SECURE_AUTHENTICATION Or ADS_SERVER_BIND)

        ' Add domain user to local group (only if both binds succeeded)
        If Err.Number = 0 Then objLocalGroup.Add(objDomainUser.ADsPath)
        If Err.Number <> 0 Then
            WScript.Echo "Error " & Err.Number & ": " & Err.Description
        Else
            WScript.Echo domainAccount & " has been added to local group."
        End If
    End Sub

    ' Helper used above (not shown in the original post): returns the local computer name
    Function GetMachineName()
        GetMachineName = CreateObject("WScript.Network").ComputerName
    End Function
Thanks!
Answer
You should be able to connect to AD with explicit credentials against a specific DC like this:
    Const ADS_SECURE_AUTHENTICATION = &h0001   ' use Windows (Kerberos/NTLM) auth, not a cleartext bind
    Const ADS_SERVER_BIND = &h0200             ' the path names a specific server, skip serverless DC lookup
    server = "..."
    username = "DOMAIN\user"
    password = "password"

    ' Authenticated bind to RootDSE on the named DC to discover the domain naming context
    Set rootDSE = GetObject("LDAP:").OpenDSObject("LDAP://" & server & "/RootDSE" _
        , username, password, ADS_SERVER_BIND + ADS_SECURE_AUTHENTICATION)

    ' ADO query string: <base>;filter;attributes;scope
    base = "<LDAP://" & server & "/" & rootDSE.Get("defaultNamingContext") & ">"
    filter = "(&(objectCategory=person)(objectClass=user))"
    attr = "distinguishedName"
    scope = "subtree"

    ' ADO connection through the ADSI OLE DB provider, using the same explicit credentials and flags
    Set conn = CreateObject("ADODB.Connection")
    conn.Provider = "ADsDSOObject"
    conn.Properties("User ID") = username
    conn.Properties("Password") = password
    conn.Properties("Encrypt Password") = True
    conn.Properties("ADSI Flag") = ADS_SERVER_BIND + ADS_SECURE_AUTHENTICATION
    conn.Open "Active Directory Provider"

    Set cmd = CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandText = base & ";" & filter & ";" & attr & ";" & scope
    cmd.Properties("Page Size") = 100       ' paged results, so more than 1000 users come back
    cmd.Properties("Timeout") = 30
    cmd.Properties("Cache Results") = False

    Set rs = cmd.Execute
    Do Until rs.EOF
        ' enumerate AD records returned by query, e.g. rs.Fields("distinguishedName").Value
        rs.MoveNext
    Loop
    rs.Close
    conn.Close
See this article by Richard L. Mueller.
EDIT: Ah, my mistake. The above is for the LDAP provider, which cannot handle local groups. You also cannot add an LDAP ADsPath to a group object obtained from the WinNT provider. The reason your attempts failed is that you tried WinNT://DOMAIN/..., but you should use WinNT://DOMAIN_CONTROLLER/.... Something like this should work:
    Const ADS_SECURE_AUTHENTICATION = &h0001
    Const ADS_SERVER_BIND = &h0200
    dc = "..."                   ' domain controller name or IP (not the domain name)
    username = "DOMAIN\user"     ' credentials used for the domain bind only
    password = "password"
    domainuser = "Bob"
    localgroup = "Users"

    ' Bind the domain user on the DC itself with explicit credentials
    Set nt = GetObject("WinNT:")
    Set user = nt.OpenDSObject("WinNT://" & dc & "/" & domainuser & ",user" _
        , username, password, ADS_SERVER_BIND + ADS_SECURE_AUTHENTICATION)

    ' "." is the local machine; the WinNT group accepts the WinNT ADsPath of the domain user
    GetObject("WinNT://./" & localgroup & ",group").Add user.ADsPath
This helped me a lot. Thank you, sir! – Max 2013-02-21 17:28:40
Now the only question is how to get the user account object in a loop? Set objDomainUser = GetObject("WinNT://" & ... – Max 2013-02-21 19:39:52
I tried that before, and it gave me "Microsoft VBScript runtime error: Permission denied: 'GetObject'". Keep in mind that the VBScript (cmd.exe) runs under the SYSTEM account, but if I pass credentials to access the AD object, that should not matter. Note: if I run the script while logged in with MY account, the script works! But I need to get this done under the SYSTEM account and pass the credentials to WinNT/LDAP and so on... – Max 2013-02-22 15:33:47
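As an added example (not code from the original question, the answer, or its comments), here is the answer's WinNT-provider technique ported to PowerShell, the shell this kind of task is usually run from today. System.DirectoryServices.DirectoryEntry wraps the same ADSI providers and takes the same ADS_SECURE_AUTHENTICATION / ADS_SERVER_BIND flags, so the behaviour matches the VBScript. It also covers the two follow-up comments: it loops over several accounts, and it takes the domain credential explicitly so that it works from a SYSTEM-context task. The function name Add-DomainUsersToLocalGroup, the DC name dc01.corp.example, and the account names are assumptions for illustration.

```powershell
# Added example, not from the original post: the answer's WinNT-provider technique in PowerShell.
# DirectoryEntry wraps the same ADSI providers and accepts the same bind flags as OpenDSObject.
# Hypothetical names: Add-DomainUsersToLocalGroup, $Dc, $Accounts, dc01.corp.example.

function Add-DomainUsersToLocalGroup {
    param(
        [Parameter(Mandatory)][string]$Dc,               # DC name or IP: WinNT://DC/..., not WinNT://DOMAIN/DC/...
        [Parameter(Mandatory)][string[]]$Accounts,       # sAMAccountNames to add, e.g. 'Bob','Alice'
        [Parameter(Mandatory)][pscredential]$Credential, # domain account allowed to read users on the DC
        [string]$LocalGroup = 'Users'
    )

    Add-Type -AssemblyName System.DirectoryServices

    # Same bits as the VBScript constants: ADS_SECURE_AUTHENTICATION (&h0001) | ADS_SERVER_BIND (&h0200).
    # Secure = integrated Kerberos/NTLM auth instead of sending the password in clear;
    # ServerBind = talk only to the named DC, no serverless DC discovery via %LOGONSERVER%.
    $authType = [System.DirectoryServices.AuthenticationTypes]::Secure -bor
                [System.DirectoryServices.AuthenticationTypes]::ServerBind

    # The local group is bound without explicit credentials: the caller (a local admin or SYSTEM)
    # already has rights on the local SAM, which is why only the domain bind needs a credential.
    $group = New-Object System.DirectoryServices.DirectoryEntry("WinNT://./$LocalGroup,group")

    # Unwrap the credential only for the bind; nothing is hard-coded in the script or written to disk.
    $net  = $Credential.GetNetworkCredential()
    $user = if ($net.Domain) { "$($net.Domain)\$($net.UserName)" } else { $net.UserName }

    $results = @{}
    foreach ($account in $Accounts) {
        $path = "WinNT://$Dc/$account,user"
        try {
            $entry = New-Object System.DirectoryServices.DirectoryEntry($path, $user, $net.Password, $authType)
            $null  = $entry.psbase.NativeObject   # forces the bind, so a wrong DC, account or password fails here

            # IADsGroup.IsMember keeps the script idempotent when it is re-run from a scheduled task.
            if ($group.psbase.Invoke('IsMember', $entry.psbase.Path)) {
                $results[$account] = 'already a member'
            } else {
                $group.psbase.Invoke('Add', $entry.psbase.Path)
                $results[$account] = 'added'
            }
        } catch [System.Runtime.InteropServices.COMException] {
            # 0x80070005 is E_ACCESSDENIED, the error the question is about; 0x800708AD is "user not found".
            $results[$account] = ('failed: 0x{0:X8} {1}' -f $_.Exception.ErrorCode, $_.Exception.Message)
        } catch {
            $results[$account] = "failed: $($_.Exception.Message)"
        }
    }
    return $results
}

# Usage (run elevated or as SYSTEM; the domain credential is prompted, never stored in the script):
# $cred = Get-Credential -Message 'Domain account for the DC bind'
# Add-DomainUsersToLocalGroup -Dc 'dc01.corp.example' -Accounts 'Bob','Alice' -Credential $cred -LocalGroup 'Users'
```

Two design points worth keeping when adapting this: the credential is only ever used for the WinNT bind to the DC, so an account with read-only rights on user objects is enough (it does not need local admin on the DC), and the local-group side relies on the caller's own token, which is exactly why the SYSTEM-context case in the comments works once the domain bind carries explicit credentials.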