COM + USERS
Posted: Thu Oct 30, 2003 6:45 pm
by NoReason
has anyone tried to use the COM support to manage users on active directory servers?
It should be possible, however, I am having issues with authentication when trying to instantiate a new user object via
COM("http://domain/Username,user")
Re: COM + USERS
Posted: Thu Oct 30, 2003 11:14 pm
by BDKR
NoReason wrote: has anyone tried to use the COM support to manage users on active directory servers?
It should be possible, however, I am having issues with authentication when trying to instantiate a new user object via
COM("http://domain/Username,user")
I think phpbuilder.com had an article on this. You may want to take a look over there some time.
Cheers,
BDKR
Posted: Fri Oct 31, 2003 1:19 pm
by NoReason
Yes, there is an article on COM, but only dealing with Word and Excel objects located on your local system.
As of yet there is nothing about accessing a domain user object....
DCOM is available, but I'm sure I would have the same issue.. credentials
Posted: Fri Oct 31, 2003 1:35 pm
by volka
do you have an working example of this in any other language?
Posted: Fri Oct 31, 2003 1:40 pm
by NoReason
In VB yes.
But the catch is, the scripts are being transferred via SSH to the remote server to be executed.
I was hoping to avoid the SSH piece and do direct user account manipulation via COM().
Posted: Fri Oct 31, 2003 1:41 pm
by volka
please post the vb code (the important parts)
transferred via ssh? you mean scp-ing the code and execute it there?
Posted: Fri Oct 31, 2003 1:59 pm
by NoReason
yes ..
Using OpenSSH for Windows to do the transfers.
Here is some of the code .. It's PHP that creates a VB file which is then scp'd to the remote AD server, then ssh executed.
<?php
// $_mssql holds the connection settings; it is defined elsewhere in the original script.
mssql_connect($_mssql["Hostname"], $_mssql["Username"], $_mssql["Password"]) or die("Connection Failed To Respond.");
mssql_select_db($_mssql["Database"]) or die("DataBase Not Found");

// The generated VBScript is written to this file, copied to the AD server and run there.
$FP = fopen('C:\Admin Scripts\ActiveDirectory\ScriptToRun\ActiveDirectoryMerge.vbs', 'w');
fputs($FP, '
set RootDSE = GetObject("LDAP://RootDSE")
set Container = GetObject("LDAP://ou=Imports, ou=Users, ou=Floor, " & RootDSE.Get("defaultNamingContext"))
on Error Resume Next
err.Clear
');

// New accounts. Database values are spliced into the VBScript unescaped, so a
// double quote in any field breaks the generated script.
$query_string = "Select * from Query";
$results = mssql_query($query_string);
while ($row = mssql_fetch_assoc($results)) {
    $UserID = $row['UserID'];
    $Password = $row['Password'];
    $Username = $row['Username'];
    $PersonNumber = $row['PersonNumber'];
    $FirstName = $row['FirstName'];
    $LastName = $row['LastName'];
    $DomainName = $row['DomainName'];
    $Fileserver = $row['HostName'];
    $AccountInactive = $row['AccountInactive'];
    $FullName = $FirstName . " " . $LastName;
    $UserPrincipal = $Username . "@cdis.org";
    $StudentMail = $UserPrincipal; // assumed: the posted code never assigns $StudentMail
    $UserObject = "WinNT://" . $DomainName . "/" . $Username . ",user";
    // UNC paths: \\fileserver\domain\username and \\fileserver\domain\profiles\username
    $HomeDirectory = "\\\\" . $Fileserver . "\\" . $DomainName . "\\" . $Username;
    $ProfilePath = "\\\\" . $Fileserver . "\\" . $DomainName . "\\profiles\\" . $Username;
    fputs($FP, '
set NewUser = Container.Create("User","cn=' . $Username . '")
NewUser.Put "sAMAccountName","' . $Username . '"
');
    fputs($FP, '
NewUser.Put "homeDirectory","' . $HomeDirectory . '"
NewUser.Put "homeDrive","H:"
NewUser.Put "profilePath","' . $ProfilePath . '"
NewUser.Put "mail","' . $StudentMail . '"
');
    fputs($FP, '
NewUser.Put "name","' . $FullName . '"
NewUser.Put "displayName","' . $FullName . '"
NewUser.Put "givenName","' . $FirstName . '"
NewUser.Put "sn","' . $LastName . '"
NewUser.Put "userPrincipalName","' . $UserPrincipal . '"
NewUser.SetInfo
Set User = GetObject("' . $UserObject . '")
Call User.SetPassword("' . $Password . '")
');
    if ($AccountInactive == 1) {
        fputs($FP, '
User.AccountDisabled = True
');
    } else {
        fputs($FP, '
User.AccountDisabled = False
');
    }
    fputs($FP, '
User.SetInfo
WScript.Sleep 500
');
}

// Modified accounts: only the password and the enabled/disabled state are updated.
$query_string = "Select * from Query";
$results = mssql_query($query_string);
while ($row = mssql_fetch_assoc($results)) {
    $Password = $row['Password'];
    $Username = $row['Username'];
    $DomainName = $row['DomainName'];
    $AccountInactive = $row['AccountInactive'];
    $UserObject = "WinNT://" . $DomainName . "/" . $Username . ",user";
    fputs($FP, '
Set User = GetObject("' . $UserObject . '")
Call User.SetPassword("' . $Password . '")
');
    if ($AccountInactive == 1) {
        fputs($FP, '
User.AccountDisabled = True
User.SetInfo
WScript.Sleep 500
');
    } else {
        fputs($FP, '
User.AccountDisabled = False
User.SetInfo
WScript.Sleep 500
');
    }
}
fclose($FP);
Posted: Fri Oct 31, 2003 2:29 pm
by volka
can't you access the remote server directly with
php's ldap functions skipping this com-thing?
Posted: Fri Oct 31, 2003 3:30 pm
by NoReason
Yes... and that is what I am doing... however..
I need to use ADSI in order to access the user passwords.
Com can use ADSI , I just need to figure out how to use it to connect to a remote server with the proper credentials that will allow me to bind to a user object, or create a new one.
Posted: Fri Oct 31, 2003 4:15 pm
by volka
I meant accessing the ldap server directly, without adsi
On the other hand, if you insist using adsi:
Platform SDK: Directory Services wrote:If Kerberos authentication is required for the successful completion of a specific directory request, the binding string must use either a serverless ADsPath, such as "LDAP://CN=John Doe, CN=admin, DC=Fabrikam, DC=com", or it must use an ADsPath with a fully-qualified DNS server name, such as "LDAP://central3.corp.Fabrikam.com/CN=John Doe, CN=admin, DC=Fabrikam, DC=com". Binding to the server using a flat NETBIOS name or a short DNS name (e.g. using the short name "central3" instead of "central3.corp.Fabrikam.com") may or may not yield Kerberos authentication.
"or it must use an ADsPath with a fully-qualified DNS server name..." that's probably the part you're interested in.
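For the credentialed ADSI bind NoReason is after, the LDAP provider's IADsOpenDSObject interface takes an ADsPath plus an explicit account and password, which is how VBScript does it without relying on the caller's logon session. The following is an added example, not code from this thread; it assumes PHP's COM extension on a Windows host and that new COM() accepts the "LDAP:" moniker (true of PHP 5 and later, where the constructor falls back to moniker binding). The server name, DN, service account and AD_BIND_PW environment variable are placeholders. It uses the fully-qualified DNS server name in the path, as the Platform SDK text quoted above calls for.

```php
<?php
// Added example (not from the thread). Assumes PHP's COM extension and that
// new COM('LDAP:') binds the ADSI LDAP provider via its moniker.

// ADS_AUTHENTICATION_ENUM flags accepted by IADsOpenDSObject::OpenDSObject.
const ADS_SECURE_AUTHENTICATION = 0x1;   // Kerberos/NTLM rather than a simple bind
const ADS_USE_ENCRYPTION        = 0x2;   // encrypt the channel
const ADS_SERVER_BIND           = 0x200; // the ADsPath names a specific server

function adsi_bind_user(string $serverFqdn, string $userDn, string $account, string $password)
{
    // The counterpart of VBScript's GetObject("LDAP:"): an IADsOpenDSObject.
    $dso = new COM('LDAP:');
    // Fully-qualified DNS server name in the ADsPath so Kerberos can be used.
    $path = 'LDAP://' . $serverFqdn . '/' . $userDn;
    // Bind with explicit credentials instead of the PHP process's own token.
    return $dso->OpenDSObject($path, $account, $password,
        ADS_SECURE_AUTHENTICATION | ADS_USE_ENCRYPTION | ADS_SERVER_BIND);
}

// Placeholder server, user DN and service account (not real values).
$user = adsi_bind_user(
    'dc1.corp.example.com',
    'cn=jdoe,ou=Imports,ou=Users,ou=Floor,dc=corp,dc=example,dc=com',
    'CORP\\svc-provisioning',
    getenv('AD_BIND_PW') ?: ''
);

// Same IADsUser calls the generated VBScript makes, now issued from PHP directly.
$user->SetPassword('example-placeholder');
$user->AccountDisabled = false;
$user->SetInfo();
echo "updated " . $user->Get('sAMAccountName') . "\n";
```

OpenDSObject returns the bound IADsUser, so SetPassword and SetInfo behave exactly as in the VBScript the thread generates; the difference is that the credentials travel with the bind call rather than with the script over SSH.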
Posted: Sat Nov 01, 2003 2:53 pm
by NoReason
One catch with connecting via ldap, ldap can NOT modify or create new passwords. ADSI is a COM object that has the proper methods to do that.
Posted: Sat Nov 01, 2003 3:36 pm
by volka
With an ldap/128-bit-ssl connection you can modify the ad-stored password.
Nevertheless, did you try the fully qualified name with the credentials in your visual basic application (without transferring it to the remote server)?
With the odbc-bridge you can easily access the mysql-database from vb.
Afaik(!) there is nothing like GetObject (getting a reference of a running instance) in php, the new COM() construct always calls CreateInstance (almost the same as CreateObject in VB)
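volka's point, and the answer to NoReason's later question about the "secure 128 connection", is that Active Directory accepts a password write over LDAP as long as the session is TLS-protected: the new value goes into the unicodePwd attribute as the password wrapped in double quotes and encoded as UTF-16LE. The block below is an added example, not code from the thread; it goes a step beyond the thread by also creating the user with ldap_add, i.e. the whole job the generated VBScript does, using only PHP's ldap_* functions. Hostname, OUs, domain, service account and the AD_BIND_PW environment variable are placeholders, and the sample row is constructed in the shape of the thread's Query table.

```php
<?php
// Added example (not from the thread): create an AD user and set its password
// over LDAPS with PHP's ldap_* functions, without ADSI or a remote VBScript.

// AD expects unicodePwd as the quoted password in UTF-16LE.
function unicode_pwd(string $plain): string
{
    return mb_convert_encoding('"' . $plain . '"', 'UTF-16LE', 'UTF-8');
}

// Escape a value used inside a DN (RFC 4514), e.g. a cn containing a comma.
function dn_escape(string $value): string
{
    return ldap_escape($value, '', LDAP_ESCAPE_DN);
}

function ad_connect(string $fqdn, string $bindDn, string $bindPw)
{
    // ldaps:// on 636: AD refuses unicodePwd writes on an unencrypted session.
    $ds = ldap_connect('ldaps://' . $fqdn . ':636');
    if ($ds === false) {
        throw new RuntimeException('ldap_connect failed');
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
    if (!ldap_bind($ds, $bindDn, $bindPw)) {
        throw new RuntimeException('bind failed: ' . ldap_error($ds));
    }
    return $ds;
}

function ad_set_password($ds, string $dn, string $password): void
{
    // An administrative reset is a single replace of unicodePwd.
    if (!ldap_mod_replace($ds, $dn, ['unicodePwd' => unicode_pwd($password)])) {
        throw new RuntimeException('password set failed: ' . ldap_error($ds));
    }
}

function ad_create_user($ds, string $ou, string $domainDns, array $u, bool $disabled): string
{
    $dn = 'cn=' . dn_escape($u['Username']) . ',' . $ou;
    $entry = [
        'objectClass'        => ['top', 'person', 'organizationalPerson', 'user'],
        'sAMAccountName'     => $u['Username'],
        'userPrincipalName'  => $u['Username'] . '@' . $domainDns,
        'givenName'          => $u['FirstName'],
        'sn'                 => $u['LastName'],
        'displayName'        => $u['FirstName'] . ' ' . $u['LastName'],
        'homeDirectory'      => '\\\\' . $u['HostName'] . '\\' . $u['Username'],
        'homeDrive'          => 'H:',
        // 514 = NORMAL_ACCOUNT | ACCOUNTDISABLE: create disabled, set the password, then enable.
        'userAccountControl' => '514',
    ];
    if (!ldap_add($ds, $dn, $entry)) {
        throw new RuntimeException('add failed: ' . ldap_error($ds));
    }
    ad_set_password($ds, $dn, $u['Password']);
    // 512 = NORMAL_ACCOUNT (enabled); keep 514 when the row is marked inactive.
    $uac = ['userAccountControl' => $disabled ? '514' : '512'];
    if (!ldap_mod_replace($ds, $dn, $uac)) {
        throw new RuntimeException('enable failed: ' . ldap_error($ds));
    }
    return $dn;
}

// Constructed sample row in the shape of the thread's Query table (not real data).
$row = [
    'Username' => 'jdoe', 'FirstName' => 'John', 'LastName' => 'Doe',
    'HostName' => 'fileserver01', 'Password' => 'example-placeholder', 'AccountInactive' => 0,
];

// Placeholder server, service account and OU.
$ds = ad_connect('dc1.corp.example.com',
    'cn=svc-provisioning,ou=Service Accounts,dc=corp,dc=example,dc=com',
    getenv('AD_BIND_PW') ?: '');
$dn = ad_create_user($ds, 'ou=Imports,ou=Users,ou=Floor,dc=corp,dc=example,dc=com',
    'corp.example.com', $row, $row['AccountInactive'] == 1);
echo "created $dn\n";
ldap_unbind($ds);
```

The create-disabled, set-password, then-enable order matters: AD will not enable an account whose password does not satisfy policy, and setting unicodePwd on an already enabled account is rejected. For the "modified accounts" loop in the posted script, ad_set_password plus the userAccountControl replace is all that is needed.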
Posted: Mon Nov 03, 2003 4:26 pm
by NoReason
Hurm, alrighty then ... Do you have a list of instructions on how to create this secure 128 connection?
Any help would be greatly appreciated
Oh .. and is the GetObject an undocumented function ?
And yes I have tried FQN with proper credentials.