There are hundreds of posts covering this, but my case is "unique". I get Access Denied on the following line:
Set objDomainUser = GetObject("WinNT://" & domainControllerIP & "/" & domainAccount & ",user")
So I realised I have to pass the user's credentials. Most people only pass DomainName, which is fine: it connects to the domain controller that can be found by looking at the %LOGONSERVER% environment variable. I need to specify the domain controller name (or IP), otherwise it does not work for us.
So I just want to get this syntax right. Here is my code:
Sub AddAccountToLocalGroup(domainName, domainControllerIP, localGroup, domainAccount)
    ' Without On Error Resume Next the script aborts at the first error and the
    ' Err.Number check at the end is never reached.
    On Error Resume Next
    Dim localComputer : localComputer = GetMachineName()   ' helper defined elsewhere in the script
    Dim objLocalGroup
    Dim objDomainUser
    Const ADS_SECURE_AUTHENTICATION = &h0001
    Const ADS_SERVER_BIND = &h0200
    Set objLocalGroup = GetObject("WinNT://" & localComputer & "/" & localGroup & ",group")
    'Set objDomainUser = GetObject("WinNT://" & domainControllerIP & "/" & domainAccount & ",user") 'ACCESS DENIED
    'Error happens in Set objDomainUser
    ' Set objDomainUser = GetObject("WinNT:").OpenDSObject("WinNT://" & domainName & "/" & domainControllerIP & "/" & "Bob", "Bob", "Password", ADS_SECURE_AUTHENTICATION Or ADS_SERVER_BIND)
    ' Set objDomainUser = GetObject("WinNT:").OpenDSObject("WinNT://" & domainName & "/" & domainControllerIP & "/" & ",user", "Bob", "Password", ADS_SECURE_AUTHENTICATION Or ADS_SERVER_BIND)
    ' Set objDomainUser = GetObject("WinNT:").OpenDSObject("WinNT://" & domainName & "/" & "Bob" & ",user", "Bob", "Password", ADS_SECURE_AUTHENTICATION Or ADS_SERVER_BIND)
    'Add domain user to local group
    Err.Clear
    objLocalGroup.Add objDomainUser.ADsPath
    If Err.Number <> 0 Then
        WScript.Echo Err.Number & ": " & Err.Description
    Else
        WScript.Echo domainAccount & " has been added to local group."
    End If
End Sub
Thanks!
Answer 0 (score: 2)
You should be able to connect to AD with explicit credentials against a specific DC like this:
Const ADS_SECURE_AUTHENTICATION = &h0001
Const ADS_SERVER_BIND = &h0200
server = "..."
username = "DOMAIN\user"
password = "password"
' Bind to the named server with explicit credentials and read its naming context
Set rootDSE = GetObject("LDAP:").OpenDSObject("LDAP://" & server & "/RootDSE" _
    , username, password, ADS_SERVER_BIND + ADS_SECURE_AUTHENTICATION)
base = "<LDAP://" & server & "/" & rootDSE.Get("defaultNamingContext") & ">"
filter = "(&(objectCategory=person)(objectClass=user))"
attr = "distinguishedName"
scope = "subtree"
' ADO connection through the ADSI OLE DB provider, using the same credentials and flags
Set conn = CreateObject("ADODB.Connection")
conn.Provider = "ADsDSOObject"
conn.Properties("User ID") = username
conn.Properties("Password") = password
conn.Properties("Encrypt Password") = True
conn.Properties("ADSI Flag") = ADS_SERVER_BIND + ADS_SECURE_AUTHENTICATION
conn.Open "Active Directory Provider"
Set cmd = CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandText = base & ";" & filter & ";" & attr & ";" & scope
cmd.Properties("Page Size") = 100
cmd.Properties("Timeout") = 30
cmd.Properties("Cache Results") = False
Set rs = cmd.Execute
Do Until rs.EOF
    'enumerate AD records returned by query
    rs.MoveNext
Loop
rs.Close
conn.Close
See this article by Richard L. Mueller.
Edit: Ah, my mistake. The above is for the LDAP provider, which cannot handle local groups. Besides, an LDAP ADsPath cannot be added to a group object obtained from the WinNT provider. The reason your attempts did not work is that you tried WinNT://DOMAIN/..., but you should use WinNT://DOMAIN_CONTROLLER/.... Something like this should work:
Const ADS_SECURE_AUTHENTICATION = &h0001
Const ADS_SERVER_BIND = &h0200
dc = "..."
username = "DOMAIN\user"
password = "password"
domainuser = "Bob"
localgroup = "Users"
' Bind the domain user through the DC (not the domain name) with explicit credentials
Set nt = GetObject("WinNT:")
Set user = nt.OpenDSObject("WinNT://" & dc & "/" & domainuser & ",user" _
    , username, password, ADS_SERVER_BIND + ADS_SECURE_AUTHENTICATION)
' "." is the local computer; add the domain user's ADsPath to the local group
GetObject("WinNT://./" & localgroup & ",group").Add user.ADsPath
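The answer's WinNT bind assembled into a complete script, as an added example that is not part of the original answer: it reads the bind password from standard input instead of hard-coding it, reports the HRESULT when the bind or the add fails, and checks membership first so the script can be re-run safely. The script name AddToLocalGroup.vbs and the argument layout are assumptions.

```vbscript
' Added example, not from the original post. Assumptions: run with cscript.exe; the DC,
' domain account, local group and bind account are passed as arguments, and the bind
' password is read from standard input rather than embedded in the script or command line.
Option Explicit
On Error Resume Next
Const ADS_SECURE_AUTHENTICATION = &h0001   ' WinNT provider authenticates with NTLM, no clear-text password
Const ADS_SERVER_BIND = &h0200             ' same flag combination as in the answer above
Dim args : Set args = WScript.Arguments
If args.Count < 4 Then
    WScript.Echo "usage: cscript AddToLocalGroup.vbs <dc> <domainAccount> <localGroup> <DOMAIN\bindUser>"
    WScript.Quit 1
End If
Dim dc : dc = args(0)
Dim domainAccount : domainAccount = args(1)
Dim localGroup : localGroup = args(2)
Dim bindUser : bindUser = args(3)
WScript.StdOut.Write "Password for " & bindUser & ": "
Dim password : password = WScript.StdIn.ReadLine
' Bind through the DC name, not the domain name (the point of the answer), so the
' lookup does not depend on %LOGONSERVER% or on the machine being domain-joined.
Dim user
Set user = GetObject("WinNT:").OpenDSObject("WinNT://" & dc & "/" & domainAccount & ",user", _
    bindUser, password, ADS_SERVER_BIND Or ADS_SECURE_AUTHENTICATION)
If Err.Number <> 0 Then
    WScript.Echo "bind to " & dc & " failed: 0x" & Hex(Err.Number) & " " & Err.Description
    WScript.Quit 2
End If
' "." is the local computer; the local group is opened with the caller's own token,
' so the script itself must run as a local administrator.
Dim group : Set group = GetObject("WinNT://./" & localGroup & ",group")
If Err.Number <> 0 Then
    WScript.Echo "cannot open local group " & localGroup & ": 0x" & Hex(Err.Number)
    WScript.Quit 3
End If
' Idempotent: re-running the script must not fail with "already a member".
If group.IsMember(user.ADsPath) Then
    WScript.Echo domainAccount & " is already a member of " & localGroup
Else
    group.Add user.ADsPath
    If Err.Number <> 0 Then
        WScript.Echo "add failed: 0x" & Hex(Err.Number) & " " & Err.Description
        WScript.Quit 4
    End If
    WScript.Echo domainAccount & " has been added to " & localGroup
End If
```

A non-zero exit code is returned on each failure so the script can be driven from deployment tooling without parsing its output.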