
网上有数百篇文章讲解这一点,但我的情况比较“特殊”:在下面这一行我收到了“拒绝访问”(Access Denied)错误:

' The poster's original bind. GetObject binds with the calling user's own token
' (no explicit credentials); in the poster's environment this line is the one
' that fails with "Access Denied".
Set objDomainUser = GetObject("WinNT://" & domainControllerIP & "/" & domainAccount & ",user")

所以我意识到必须传入用户凭据。大多数人只传域名,这没问题:它会连接到 %LOGONSERVER% 环境变量所指示的那台域控制器。而我需要显式指定域控制器名称(或 IP),否则在我们的环境中不起作用。

所以我只是想把这个语法写对。这是我的代码:

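' Adds the domain account domainAccount, looked up on the domain controller
' domainControllerIP, to the local group localGroup on this machine.
'
' domainName is kept for interface compatibility; the WinNT bind below is
' server-based (WinNT://<dc>/<account>), so the DC name/IP selects the domain.
'
' Failures are reported with WScript.Echo and the Sub returns. The original
' tested Err.Number without On Error Resume Next, so a failed bind aborted the
' script before that test could run, and objDomainUser was never assigned.
Sub AddAccountToLocalGroup(domainName, domainControllerIP, localGroup, domainAccount)
  On Error Resume Next

  Dim localComputer : localComputer = GetMachineName()
  Dim objLocalGroup
  Dim objDomainUser

  Set objLocalGroup = GetObject("WinNT://" & localComputer & "/" & localGroup & ",group")
  If Err.Number <> 0 Then
    WScript.Echo "Cannot bind to local group " & localGroup & ": 0x" & Hex(Err.Number) & " " & Err.Description
    Exit Sub
  End If

  ' Binds with the calling user's token. If this is refused with Access Denied,
  ' the caller must authenticate explicitly instead:
  '   GetObject("WinNT:").OpenDSObject("WinNT://<dc>/<account>,user", "DOMAIN\user", password, flags)
  ' Do not hard-code that password in the script; obtain it at run time.
  Set objDomainUser = GetObject("WinNT://" & domainControllerIP & "/" & domainAccount & ",user")
  If Err.Number <> 0 Then
    WScript.Echo "Cannot bind to " & domainAccount & " on " & domainControllerIP & ": 0x" & Hex(Err.Number) & " " & Err.Description
    Exit Sub
  End If

  ' Add domain user to local group
  objLocalGroup.Add objDomainUser.ADsPath

  If Err.Number <> 0 Then
    WScript.Echo Err.Number & " " & Err.Description
  Else
    WScript.Echo domainAccount & " has been added to local group."
  End If
End Sub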

谢谢!




您应该能够使用针对特定 DC 的显式凭据连接到 AD,如下所示:

' Enumerate every user object in the domain through the LDAP provider,
' binding to one specific server with explicit credentials
' (secure authentication + server bind).
Const ADS_SECURE_AUTHENTICATION = &h0001
Const ADS_SERVER_BIND           = &h0200

Dim server, username, password, bindFlags
Dim rootDSE, base, filter, attr, scope
Dim conn, cmd, rs

server    = "..."
username  = "DOMAIN\user"
password  = "password"   ' NOTE: obtain this at run time; do not keep a password in the script file
bindFlags = ADS_SERVER_BIND + ADS_SECURE_AUTHENTICATION

' RootDSE yields the domain's default naming context, which becomes the search base.
Dim ldapRoot
Set ldapRoot = GetObject("LDAP:")
Set rootDSE  = ldapRoot.OpenDSObject("LDAP://" & server & "/RootDSE", username, password, bindFlags)

base   = "<LDAP://" & server & "/" & rootDSE.Get("defaultNamingContext") & ">"
filter = "(&(objectCategory=person)(objectClass=user))"
attr   = "distinguishedName"
scope  = "subtree"

' ADO connection over the ADSI OLE DB provider, reusing the same credentials and flags.
Set conn = CreateObject("ADODB.Connection")
With conn
  .Provider = "ADsDSOObject"
  .Properties("User ID")          = username
  .Properties("Password")         = password
  .Properties("Encrypt Password") = True
  .Properties("ADSI Flag")        = bindFlags
  .Open "Active Directory Provider"
End With

' Command string uses the ADSI "<base>;filter;attributes;scope" dialect.
Set cmd = CreateObject("ADODB.Command")
With cmd
  Set .ActiveConnection = conn
  .CommandText = base & ";" & filter & ";" & attr & ";" & scope
  .Properties("Page Size")     = 100
  .Properties("Timeout")       = 30
  .Properties("Cache Results") = False
End With

Set rs = cmd.Execute
Do While Not rs.EOF
  'enumerate AD records returned by query
  rs.MoveNext
Loop
rs.Close

conn.Close

请参阅Richard L. Mueller 的这篇文章

编辑:啊,我的错误。以上代码针对的是 LDAP 提供程序,它无法处理本地组;此外,也无法把 LDAP ADsPath 添加到从 WinNT 提供程序获得的组对象中。你的尝试没有奏效的原因是你使用了 WinNT://DOMAIN/...,而应该使用 WinNT://DOMAIN_CONTROLLER/...。像下面这样应该可以工作:

' Add the domain account domainuser to the local group localgroup, binding to
' the domain controller dc through the WinNT provider with explicit credentials.
Const ADS_SECURE_AUTHENTICATION = &h0001
Const ADS_SERVER_BIND           = &h0200

Dim dc, username, password, domainuser, localgroup
Dim adsiRoot, domainUserObj, localGroupObj

dc       = "..."            ' domain controller name or IP, not the domain name
username = "DOMAIN\user"
password = "password"       ' NOTE: obtain this at run time; do not keep a password in the script file

domainuser = "Bob"
localgroup = "Users"

' OpenDSObject authenticates as username/password; a plain
' GetObject("WinNT://...") would bind with the caller's own token instead.
Set adsiRoot      = GetObject("WinNT:")
Set domainUserObj = adsiRoot.OpenDSObject("WinNT://" & dc & "/" & domainuser & ",user", _
  username, password, ADS_SERVER_BIND + ADS_SECURE_AUTHENTICATION)

' "." is the local computer; this bind uses the caller's own token.
Set localGroupObj = GetObject("WinNT://./" & localgroup & ",group")
localGroupObj.Add domainUserObj.ADsPath
于 2013-02-21T10:51:59.917 回答