Discussion:
Try to search AD for Computer with Johan's Pretty Good FrontEnd
Dietmar
2008-11-14 12:47:01 UTC
Hello!

I try to use Johan Arwidmark's Pretty Good Frontend: When a user inputs a
Computername all Active Directory OUs should be searched for this computer if
it exists to extract the distinguishedName. I added this function to Pretty
Good Frontend but it doesn't work and I really don't know why. In Windows XP
it works great but it doesn't in WinPE 2005:

Function ValidateAD

    strName = sComputerName.Value

    On Error Resume Next

    Const ADS_SCOPE_SUBTREE = 2

    ' Bind to AD through the ADSI OLE DB provider with explicit credentials
    Set objConnection = CreateObject("ADODB.Connection")
    Set objCommand = CreateObject("ADODB.Command")
    objConnection.Provider = "ADsDSOObject"
    objConnection.Properties("User ID") = "***@domain.local"
    objConnection.Properties("Password") = "password"
    objConnection.Properties("Encrypt Password") = TRUE
    objConnection.Properties("ADSI Flag") = 1
    objConnection.Open "Active Directory Provider"
    Set objCommand.ActiveConnection = objConnection

    objCommand.Properties("Page Size") = 1000
    objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE

    ' Search the whole domain for a computer object with the entered name
    objCommand.CommandText = "SELECT distinguishedName FROM " & _
        "'LDAP://dc=domain,dc=local' WHERE objectCategory='computer' " & _
        "AND Name='" & strName & "'"
    Set objRecordSet = objCommand.Execute

    objRecordSet.MoveFirst

    ' Show the distinguishedName of every match
    Do Until objRecordSet.EOF
        MsgBox objRecordSet.Fields("distinguishedName").Value
        objRecordSet.MoveNext
    Loop

    On Error Resume Next

End Function


I spent a whole day searching the web for an answer but found nothing. I added
ADSI support to WinPE 2005. The pull-down menu "Organizational Units" works
fine in WinPE 2005.

Thanks, Dietmar
Dietmar
2008-11-14 13:59:00 UTC
Also this one does not work:

Function ValidateAD
    Dim isComputerAccountExists, conn, cmd, rs, strComputer
    strComputer = sComputerName.Value

    MsgBox strComputer

    Set conn = CreateObject("ADODB.Connection")
    Set cmd = CreateObject("ADODB.Command")

    ' Bind to AD through the ADSI OLE DB provider with explicit credentials
    conn.Provider = "ADsDSOObject"
    conn.Properties("User ID") = "domain\admin"
    conn.Properties("Password") = "password"

    conn.Open "Active Directory Provider"

    Set cmd.ActiveConnection = conn
    ' LDAP-dialect query: <base>;filter;attributes;scope
    cmd.CommandText = "<LDAP://domaincontroller/dc=domain,dc=local>;" & _
        "(&(objectcategory=computer)(objectclass=computer)(cn=" & strComputer & "));" & _
        "cn;subtree"

    Set rs = cmd.Execute

    If rs.RecordCount = 0 Then
        isComputerAccountExists = False
    Else
        isComputerAccountExists = True
    End If

    MsgBox isComputerAccountExists

End Function

The first MsgBox appears so I know the function is called. But then nothing
happens?
Other users in another forum wrote "this works great?". What do I miss?
Dietmar
2008-11-16 18:51:21 UTC
Is it right that HTA and this script do not work in WinPE because of
security checks of IE?
unknown
2008-11-17 13:15:55 UTC
WinPE ADO implementation internally checks if it's running in script
inside a hosting container. When you run the VBS in Windows PE this
condition check is always false. So the rest of the ADO connection
opening code can run and succeed without further IE trusting/scripting
security checks.

When you run the HTA, this internal checking is done which
necessitates the rest of the IE trusting/scripting security checks.
But WinPE doesn't have any of the IE trusting/scripting security
implementation. So the internal security checks fail. As a result,
the code bails and the ADO Connection open() fails.

To work around this I use a vbscript to get the variable and then pass
it to the HTA.

Anyway, if you want the Frontend Code to list all OUs recursively,
you can change the GetOUs function to the following:
Sub GetOUs(strDN)
    Const ADS_SECURE_AUTHENTICATION = &H0001
    Const ADS_SERVER_BIND = &H0200
    Set objDSO = GetObject("LDAP:")

    ' Bind to the given container on a specific DC with explicit credentials
    Set objOUComputers = objDSO.OpenDSObject("LDAP://" & _
        oEnvironment.Item("DOMAINCONTROLLER1") & "/" & strDN, _
        oEnvironment.Item("LISTADUSERNAME"), _
        oEnvironment.Item("LISTADPASSWORD"), _
        ADS_SECURE_AUTHENTICATION + ADS_SERVER_BIND)
    objOUComputers.Filter = Array("OrganizationalUnit")

    For Each sOU In objOUComputers
        GetOUs sOU.distinguishedName ' call sub again (recurse into child OUs)
        sOU.GetInfoEx Array("canonicalName"), 0
        arrCanonicalName = sOU.GetEx("canonicalName")

        For Each strValue In arrCanonicalName
            sCanonicalName = strValue
        Next

        ' Add the OU to the drop-down: canonical name shown, DN as the value
        Set objOption = Document.createElement("OPTION")
        objOption.Text = sCanonicalName
        objOption.Value = sOU.distinguishedName
        ddAvailableOUs.Add(objOption)

    Next
End Sub


Regards

Johan Arwidmark
Microsoft MVP - Setup / Deployment
http://www.deployvista.com
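
A stand-alone lookup script of the kind the workaround above relies on, as an added example that is not code from the thread or from Pretty Good Frontend: run under cscript there is no hosting container, and the computer name is validated and RFC 4515-escaped before it reaches the LDAP filter instead of being concatenated raw as in the two ValidateAD functions. The file name, the environment variable names AD_LOOKUP_USER / AD_LOOKUP_PASS, the exit codes and handing the result back on stdout are assumptions.

```vbscript
' FindComputerDN.vbs (added example). Usage: cscript //nologo FindComputerDN.vbs <name>
' Assumptions: base DN dc=domain,dc=local (placeholder from the thread) and the
' hypothetical environment variables AD_LOOKUP_USER / AD_LOOKUP_PASS.
Option Explicit

' NetBIOS-style computer name: 1-15 letters, digits or hyphens, nothing else.
Function IsValidComputerName(sName)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[A-Za-z0-9-]{1,15}$"
    IsValidComputerName = re.Test(sName)
End Function

' RFC 4515 escaping for a value placed inside an LDAP search filter.
Function EscapeLdapFilter(sValue)
    Dim s
    s = Replace(sValue, "\", "\5c")   ' backslash first, or it double-escapes
    s = Replace(s, "*", "\2a")
    s = Replace(s, "(", "\28")
    s = Replace(s, ")", "\29")
    EscapeLdapFilter = Replace(s, Chr(0), "\00")
End Function

' Returns the distinguishedName of the computer, or "" when no match exists.
Function FindComputerDN(sName, sUser, sPass)
    Dim conn, cmd, rs
    FindComputerDN = ""
    Set conn = CreateObject("ADODB.Connection")
    conn.Provider = "ADsDSOObject"
    conn.Properties("User ID") = sUser
    conn.Properties("Password") = sPass
    conn.Properties("Encrypt Password") = True
    conn.Properties("ADSI Flag") = 1          ' ADS_SECURE_AUTHENTICATION
    conn.Open "Active Directory Provider"
    Set cmd = CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandText = "<LDAP://dc=domain,dc=local>;" & _
        "(&(objectCategory=computer)(cn=" & EscapeLdapFilter(sName) & "));" & _
        "distinguishedName;subtree"
    Set rs = cmd.Execute
    If Not rs.EOF Then FindComputerDN = rs.Fields("distinguishedName").Value
    conn.Close
End Function

Dim sh, sDN
If WScript.Arguments.Count <> 1 Then WScript.Quit 2
If Not IsValidComputerName(WScript.Arguments(0)) Then
    WScript.Echo "Rejected computer name"
    WScript.Quit 2
End If
Set sh = CreateObject("WScript.Shell")
sDN = FindComputerDN(WScript.Arguments(0), _
    sh.ExpandEnvironmentStrings("%AD_LOOKUP_USER%"), _
    sh.ExpandEnvironmentStrings("%AD_LOOKUP_PASS%"))
If sDN = "" Then WScript.Quit 1   ' no such computer account
WScript.Echo sDN                  ' caller reads the DN from stdout
```

The strict name check already excludes every filter metacharacter; the escaping is kept so the query stays safe if the allowed character set is ever widened.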
Dietmar
2008-11-17 19:35:09 UTC
First of all I have something to say: Thank you very much Johan! I think you
are very important to this and many more communities.
Without your help I think I would never be able to go home and have
spare time. You are the best! Please stay with us in future.

I solved the problem in the late afternoon today. I use the z-frontend.vbs
to verify the computer's actual OU membership after z-frontend.hta like you
wrote.

However, there is one more problem: How can I force a failure and stop the
deployment? I tried to set the variable to false, failure, 1 but
the deployment still continues? If the machine has less than
oEnvironment("MEMORY") < 500 then MsgBox "Upgrade your machine". But how to
stop?

Dietmar
Dietmar
2008-11-18 10:41:00 UTC
Hello!

How can I prevent the script from running in a refresh scenario?
I think Microsoft should release a white paper on how to write a userexit script!

Thanks, Didi
unknown
2008-11-19 08:32:45 UTC
Instead of running it as a userexit, run it from the task sequencer, in
the "Preinstall - New Computer Only" group.

Regards

Johan Arwidmark
Microsoft MVP - Setup / Deployment
http://www.deployvista.com



