
Constraint Violation --> ADSI writing netbootGUID


JadeKnight

IS-IT--Management
Feb 23, 2004
94
NO
The script is going to create a computer account in AD, set which RIS server to use, and set the netbootGUID. Part of the script is taken from MS ScriptCenter, which I've modified to do the mentioned tasks. However, I'm not able to make it write the netbootGUID.

This is the script :

Code:
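' Settings and constants for pre-creating a computer account in Active
' Directory, pointing it at a RIS server, and delegating join rights.
Option Explicit
Dim strComputer, strComputerUser, strOU, strRIS
Dim objRootDSE, objContainer, objComputer
Dim objSecurityDescriptor, objDACL
' One variable per access-control entry added to the computer object's DACL.
' (The unused objACE10 declaration has been dropped.)
Dim objACE1, objACE2, objACE3, objACE4, objACE5
Dim objACE6, objACE7, objACE8, objACE9

' Name of the computer account to create (the "$" suffix is added later).
strComputer = "TestAccount"
' Trustee that receives the rights on the new computer object.
' NOTE(review): every ACE in this script is granted to this one trustee,
' including the reset-password extended right on the computer object, so
' use a dedicated join account rather than a broad group.
strComputerUser = "Mydomain\SomeUser"
' Relative OU path; the trailing comma is required because the domain's
' defaultNamingContext is appended directly after it.
strOU = "OU=SomeOU,"
' Value written to netbootMachineFilePath (the RIS server to use).
strRIS = "fqdn.of.a.server"

' ADS_USER_FLAG_ENUM
' NOTE(review): PASSWD_NOTREQD means the account does not require a
' password; check after the machine has joined that the flag is no longer
' set, and clean up pre-created accounts that are never used.
Const ADS_UF_PASSWD_NOTREQD            = &h0020
Const ADS_UF_WORKSTATION_TRUST_ACCOUNT = &h1000
' ADS_ACETYPE_ENUM
Const ADS_ACETYPE_ACCESS_ALLOWED        = &h0
Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &h5
' ADS_FLAGTYPE_ENUM
Const ADS_FLAG_OBJECT_TYPE_PRESENT = &h1
' ADS_RIGHTS_ENUM
Const ADS_RIGHT_GENERIC_READ      = &h80000000
Const ADS_RIGHT_DS_SELF           = &h8
Const ADS_RIGHT_DS_WRITE_PROP     = &h20
Const ADS_RIGHT_DS_CONTROL_ACCESS = &h100
' controlAccessRight rightsGuid values (used as ObjectType on object ACEs)
Const ALLOWED_TO_AUTHENTICATE    = "{68B1D179-0D15-4d4f-AB71-46152E79A7BC}"
Const RECEIVE_AS                 = "{AB721A56-1E2f-11D0-9819-00AA0040529B}"
Const SEND_AS                    = "{AB721A54-1E2f-11D0-9819-00AA0040529B}"
Const USER_CHANGE_PASSWORD       = "{AB721A53-1E2f-11D0-9819-00AA0040529b}"
Const USER_FORCE_CHANGE_PASSWORD = "{00299570-246D-11D0-A768-00AA006E0529}"
Const USER_ACCOUNT_RESTRICTIONS  = "{4C164200-20C0-11D0-A768-00AA006E0529}"
Const VALIDATED_DNS_HOST_NAME    = "{72E39547-7B18-11D1-ADEF-00C04FD8D5CD}"
Const VALIDATED_SPN              = "{F3A64788-5306-11D1-A9C5-0000F80367C1}"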

' Creates the computer object in the target OU and stages its attributes.
' Nothing is written to the directory until SetInfo is called.

'Get Domain
Set objRootDSE = GetObject("LDAP://rootDSE")
'Bind to OU (strOU must end with a comma; the domain DN is appended to it)
Set objContainer = GetObject("LDAP://" & strOU & objRootDSE.Get("defaultNamingContext")) 
'Creating Object
Set objComputer = objContainer.Create("Computer", "cn=" & strComputer) 
objComputer.Put "sAMAccountName", strComputer & "$" 
' NOTE(review): the account is created with "password not required" set;
' verify after the join that the flag is gone and audit for pre-created
' accounts that are never joined.
objComputer.Put "userAccountControl", _ 
                ADS_UF_PASSWD_NOTREQD Or ADS_UF_WORKSTATION_TRUST_ACCOUNT
objComputer.Put "netbootMachineFilePath", strRIS

'Original netbootGUID --> "99a97241543411d593084e603f1c8e31"
'Converted to HEX, accepted by ADSI Edit --> "0x99 0xa9 0x72 0x41 0x54 0x34 0x11 0xd5 0x93 0x08 0x4e 0x60 0x3f 0x1c 0x8e 0x32"
' NOTE(review): the last byte above is 0x32 while the original value ends
' in 31; one of the two is a typo.
'The line below fails: Put is handed a VBScript string, but netbootGUID is
'an octet string. This is the line the thread identifies as the cause of
'the constraint violation (8007202F); the working fix later in the thread
'passes a Byte() array instead.
objComputer.Put "netbootGUID", "0x99 0xa9 0x72 0x41 0x54 0x34 0x11 0xd5 0x93 0x08 0x4e 0x60 0x3f 0x1c 0x8e 0x32"
objComputer.SetInfo

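' Delegates rights on the newly created computer object to strComputerUser
' by appending nine allow ACEs to its DACL and writing the descriptor back.
' The eight object ACEs differ only in access mask and rights GUID, so they
' are built by one helper instead of eight copied blocks.
'
' NOTE(review): the trustee receives, among others, the reset-password
' extended right (USER_FORCE_CHANGE_PASSWORD) and write access to the
' account-restrictions property set on this computer object. Keep the
' trustee scoped to the account that actually performs the join.
Dim arrAceSpecs, arrSpec, objNewAce

Set objSecurityDescriptor = objComputer.Get("ntSecurityDescriptor")
Set objDACL = objSecurityDescriptor.DiscretionaryAcl

' ACE 1: plain allow ACE granting generic read on the object.
Set objNewAce = CreateObject("AccessControlEntry")
objNewAce.Trustee    = strComputerUser
objNewAce.AccessMask = ADS_RIGHT_GENERIC_READ
objNewAce.AceFlags   = 0
objNewAce.AceType    = ADS_ACETYPE_ACCESS_ALLOWED
objDACL.AddAce objNewAce

' ACEs 2-9, in the original order: (access mask, rights GUID) pairs.
arrAceSpecs = Array( _
    Array(ADS_RIGHT_DS_CONTROL_ACCESS, ALLOWED_TO_AUTHENTICATE), _
    Array(ADS_RIGHT_DS_CONTROL_ACCESS, RECEIVE_AS), _
    Array(ADS_RIGHT_DS_CONTROL_ACCESS, SEND_AS), _
    Array(ADS_RIGHT_DS_CONTROL_ACCESS, USER_CHANGE_PASSWORD), _
    Array(ADS_RIGHT_DS_CONTROL_ACCESS, USER_FORCE_CHANGE_PASSWORD), _
    Array(ADS_RIGHT_DS_WRITE_PROP, USER_ACCOUNT_RESTRICTIONS), _
    Array(ADS_RIGHT_DS_SELF, VALIDATED_DNS_HOST_NAME), _
    Array(ADS_RIGHT_DS_SELF, VALIDATED_SPN))
' Rows 1-5 are extended rights, row 6 is a property set,
' rows 7-8 are validated writes.

For Each arrSpec In arrAceSpecs
    objDACL.AddAce NewAllowedObjectAce(strComputerUser, arrSpec(0), arrSpec(1))
Next

' Write the modified DACL back and commit it to the directory.
objSecurityDescriptor.DiscretionaryAcl = objDACL
objComputer.Put "ntSecurityDescriptor", objSecurityDescriptor
objComputer.SetInfo

' Returns a non-inherited "allow" object ACE for strTrustee with the given
' access mask, scoped to the right or property set named by strObjectTypeGuid.
Function NewAllowedObjectAce(strTrustee, lngAccessMask, strObjectTypeGuid)
    Dim objAce
    Set objAce = CreateObject("AccessControlEntry")
    objAce.Trustee    = strTrustee
    objAce.AccessMask = lngAccessMask
    objAce.AceFlags   = 0
    objAce.AceType    = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
    objAce.Flags      = ADS_FLAG_OBJECT_TYPE_PRESENT
    objAce.ObjectType = strObjectTypeGuid
    Set NewAllowedObjectAce = objAce
End Function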

The script fails with Error: A constraint violation occurred. ErrorCode: 8007202F.

If I remove this line, the account is created :

Code:
' The value passed here is a VBScript string; netbootGUID is an octet string,
' and the working fix later in this thread supplies a Byte() array instead.
objComputer.Put "netbootGUID", "0x99 0xa9 0x72 0x41 0x54 0x34 0x11 0xd5 0x93 0x08 0x4e 0x60 0x3f 0x1c 0x8e 0x32"

The string type in netbootGUID is an Octet String. I don't know if this has anything to do with it. The string used is in the format accepted by ADSI Edit.

Any help would be appreciated :)
 
Hello JadeKnight,

If that is what you start with, namely,
[tt] "99a97241543411d593084e603f1c8e31"[/tt]
then you have to do this?
[tt]
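' Converts a 32-character hex string into an array of byte values and
' writes it to netbootGUID with PutEx.
' NOTE(review): the array built here is a VBScript Variant array whose
' elements have the Byte subtype; it is not a true Byte() array. The next
' post in the thread reports "Unspecified Error" (80004005) for this
' approach, and the working solution builds a Byte() via ADODB.Stream.
const ADS_PROPERTY_UPDATE=2
dim s, i
s="99a97241543411d593084e603f1c8e31"
dim a0xs()
redim a0xs(len(s)\2-1) 's must be of length 32 actually
for i=0 to len(s)\2-1
' Parse each hex pair with a numeric conversion instead of Eval: Eval runs
' its argument as VBScript code, which is unsafe if s ever comes from a
' file or user input rather than a literal.
a0xs(i)=cbyte(clng("&h" & mid(s,2*i+1,2)))
next
objComputer.PutEx ADS_PROPERTY_UPDATE,"netbootGUID",a0xs
objComputer.SetInfo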
[/tt]
regards - tsuji

 
hmm, did not work correctly. New error message : Unspecified Error. Code 80004005.
 
Found the solution; the key was to convert the octet string properly.

Code:
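' Builds a true Byte() array (the form an octet-string attribute expects)
' from a list of byte values. The bytes are written to an ADODB.Stream as
' single-byte text, then the stream is switched to binary mode and read
' back as Byte().
'
' The values in arhex are sample data; replace them with the 16 bytes of
' the GUID you need to write.
set stream = createobject("adodb.stream")

'set up the stream as text Latin I
'
stream.type = 2 ' text
stream.charset = "windows-1252" ' Latin I
stream.open

'the hex character values to write
'
arhex = array(&hfc, &h1c, &h49, &h26, _
              &h50, &h9e, &h57, &h48, _
              &h86, &h1b, &h0c, &hb8, _
              &hdf, &h22, &hb5, &hd7)

's1 is just to display what hex values are in the array
'to be written to the stream
'
s1 = "" : comma = ""
for i = 0 to ubound(arhex)
  s1 = s1 & comma & right("0" & hex(arhex(i)),2)
  comma = ","
next

'write the hex chars to the stream as text
'NOTE(review): chr() maps values above &h7f through the system's ANSI code
'page, so the round trip is only byte-exact when that agrees with the
'stream charset; the comparison at the end of this block catches a mismatch.
'
for i = 0 to ubound(arhex)
  stream.writetext chr(arhex(i))
next

'reposition to the start of the stream
'
stream.position = 0

'toggle to binary stream
'
stream.type = 1 ' binary

'read the entire stream as a byte array
'
octetstring = stream.read

'close the stream since we have what we want...
'
stream.close

'prove that we have a byte array

wscript.echo typename(octetstring) ' Byte() = byte array

'build another display string of the bytes in the byte array

s2 = "" : comma = ""
for i = 1 to lenb(octetstring)
    s2 = s2 & comma & right("0" & hex(ascb(midb(octetstring,i,1))),2)
    comma = ","
next ' was commented out in the original post, which left the for loop unterminated

'display both to prove they match

wscript.echo s1
wscript.echo s2

'stop here if the conversion altered any byte, so that a corrupted
'identifier is never written to the directory
if s1 <> s2 then
  wscript.echo "octet string does not match the input bytes - not safe to write"
  wscript.quit 1
end if

'octetstring is now ready to be passed to the attribute write, presumably
'objComputer.Put "netbootGUID", octetstring followed by objComputer.SetInfo
'(that step is not shown in this post)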

Proper credit should go to : Michael Harris
Microsoft.MVP.Scripting

Ref :
 
JadeKnight,

Thanks for feedback with proper solution to your need. I sure will look up.

- tsuji
 