
Having problems with AD scripts

Status
Not open for further replies.

kmcferrin (MIS), Jul 14, 2003
I have a script that creates two AD security groups based on server names, one a domain local group and the other a global group. After they are created it is supposed to add the global group as a member of the domain local group. We have multiple domains here, and all of the global groups are created in the same domain (we'll call it domain1). The domain local groups are created in the domain where the server is a member (which could be domain2, domain3, etc). I'm told that the domains have full trusts between them.

When I run the script and the server is in domain1, everything works as intended. If I run the script and the server is in any domain other than domain1 I get:

C:\create_groups_test.vbs(88, 2) (null): There is no such object on the server.

The line that is referenced in the error (88) is:

Code:
    objGroupDL.Add(objGroupGG.ADsPath)

However, the code that creates the groups does function correctly in all cases. That is, regardless of which domain the server is in the groups are created in the correct domains and OUs. It is only the group membership part that fails, and only when the local and global groups are in different domains.

The relevant part of the code is shown below.

Code:
' Group-type flags from the ADSI ADS_GROUP_TYPE_ENUM, declared here so the snippet
' stands alone. The full script defines them, along with strText, strGlobalContainer,
' strDomainLocalContainer and objRootDSE, before this point.
Const ADS_GROUP_TYPE_Global_GROUP     = &H2
Const ADS_GROUP_TYPE_LOCAL_GROUP      = &H4
Const ADS_GROUP_TYPE_SECURITY_ENABLED = &H80000000

' strText holds one server name per line
arrComputers = Split(strText, vbCrLf)

For Each strComputer In arrComputers

    '   Create Global group in AD (always in the domain1 container)
    Set objContainer = GetObject("LDAP://" & strGlobalContainer)
    strAdminGlobalName = strComputer & "_Admin_Access_AMR_GG"
    Set objGroupGG = objContainer.Create("group", "cn=" & strAdminGlobalName)
    objGroupGG.Put "sAMAccountName", strAdminGlobalName
    objGroupGG.Put "groupType", ADS_GROUP_TYPE_Global_GROUP Or _
      ADS_GROUP_TYPE_SECURITY_ENABLED
    objGroupGG.SetInfo
    Wscript.Echo objGroupGG.Name & " was successfully created."

    '   Create Domain Local group in AD (in the server's own domain)
    Set objContainer = GetObject("LDAP://" & strDomainLocalContainer & "," & objRootDSE.DistinguishedName)
    strAdminDomainLocalName = strComputer & "_Admin_Access_AMR_DL"
    Set objGroupDL = objContainer.Create("group", "cn=" & strAdminDomainLocalName)
    objGroupDL.Put "sAMAccountName", strAdminDomainLocalName
    objGroupDL.Put "groupType", ADS_GROUP_TYPE_LOCAL_GROUP Or _
      ADS_GROUP_TYPE_SECURITY_ENABLED
    objGroupDL.SetInfo
    Wscript.Echo objGroupDL.Name & " was successfully created."

    '   Make Global group a member of the Domain Local group.
    '   (This is line 88: it fails with "There is no such object on the server"
    '   whenever the two groups are in different domains.)
    objGroupDL.Add(objGroupGG.ADsPath)
    Wscript.Echo objGroupGG.Name & " was successfully added to " & objGroupDL.Name

Next

If anyone has any idea why this would fail, I'd love to hear suggestions.
 
Marc,

That didn't seem to work, I get the same error but I get it 1 line later. It doesn't error out on the GetInfo, but it still errors out on the Add.

I went ahead and put in a ticket with our networking guys to see if they have any necessary ports blocked, because I'm about 99.9% sure that the code is good.
 
OK, I found a post with a similar problem here:


I did a little more digging, and it appears that you have to add the account from the foreign forest/domain by using the SID. The SID that the guy in the other post was looking for is probably the SID for the account under the Foreign Security Principals OU in ADUC.

So now all I have to do is figure out how to create the object under Foreign Security Principals. Any ideas?
 
OK, that was easy. I used the functions from the other thread to get the hex value of the group's SID from the remote domain. Then I just used the following:

Code:
    ' fnGet_HexString (from the other thread) returns the objectSid byte array as a hex string
    intUserSID = fnGet_HexString(objGroupGG.ObjectSID)
    Wscript.Echo strAdminGlobalName & " has a SID of " & intUserSID

    '   Make Global group a member of the Domain Local group, binding to it by SID.
    objGroupDL.Add("LDAP://<SID=" & intUserSID & ">")

And it worked just fine. Apparently the ForeignSecurityPrincipals OU is just a link that is created automatically when the object is referenced; you don't have to create the object there yourself.
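As an added example (not kmcferrin's script), this is the membership step written so that it picks the binding the thread arrived at: the plain ADsPath when both groups share a domain SID, and `LDAP://<SID=...>` when they do not. The function names, the two placeholder DNs and the body of fnGet_HexString are assumptions.

```vbscript
Option Explicit

' Added example, not the poster's code. Assumes objGG and objDL bind to groups that
' already exist (the DNs below are placeholders) and that the caller may modify objDL.

' objectSid comes back from ADSI as a byte array; this produces the hex text that
' the LDAP://<SID=...> binding syntax expects (assumed helper, same role as the
' one taken from the other thread).
Function fnGet_HexString(arrBytes)
    Dim i, strHex
    strHex = ""
    For i = 1 To LenB(arrBytes)
        strHex = strHex & Right("0" & Hex(AscB(MidB(arrBytes, i, 1))), 2)
    Next
    fnGet_HexString = strHex
End Function

' The last 4 bytes of a SID are the RID; everything before them is the domain SID,
' so two objects with the same prefix were issued by the same domain.
Function fnDomainPart(strHexSid)
    fnDomainPart = Left(strHexSid, Len(strHexSid) - 8)
End Function

' Add objGroupGG to objGroupDL: by ADsPath inside one domain, by SID across domains
' (the method that worked above for trusted domains). Returns True on success.
Function AddGlobalToDomainLocal(objGroupDL, objGroupGG)
    Dim strGgSid, strDlSid, strMemberPath
    strGgSid = fnGet_HexString(objGroupGG.Get("objectSid"))
    strDlSid = fnGet_HexString(objGroupDL.Get("objectSid"))
    If fnDomainPart(strGgSid) = fnDomainPart(strDlSid) Then
        strMemberPath = objGroupGG.ADsPath
    Else
        strMemberPath = "LDAP://<SID=" & strGgSid & ">"
    End If
    On Error Resume Next
    objGroupDL.Add strMemberPath
    AddGlobalToDomainLocal = (Err.Number = 0)
    If Err.Number <> 0 Then WScript.Echo "Add of " & strMemberPath & " failed: " & Err.Description
    Err.Clear
    On Error GoTo 0
End Function

Dim objGG, objDL
Set objGG = GetObject("LDAP://CN=srv01_Admin_Access_AMR_GG,OU=Groups,DC=domain1,DC=example")
Set objDL = GetObject("LDAP://CN=srv01_Admin_Access_AMR_DL,OU=Groups,DC=domain2,DC=example")
If AddGlobalToDomainLocal(objDL, objGG) Then WScript.Echo objGG.Name & " added to " & objDL.Name
```

Echoing Err.Description on failure is what separates "no such object" (the DN lookup crossing domains) from the "refuses to perform the operation" case discussed later in the thread.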
 
Now back to this issue...

This method seems to work just fine when you are going between domains that have a trust relationship. However, I'm running into issues when running the script in a scenario with child domains. The error that usually comes up is that the server "refuses" to perform the operation.

I'm not sure if it's an issue of waiting for replication to complete or if it is something else. In my script I know (based on user input) whether the global group and the local group are within the same domain. If they are in two different domains with a trust, it uses the SID method, and afterwards the group shows up in the Foreign Security Principals OU. If I manually add a group from a different domain, I get the same effect.

However, if the domain of the domain local group is a child domain of the domain where the global group resides, we have issues with the script. When I add the group manually, the global group doesn't end up listed under Foreign Security Principals either.

Any idea why? It would seem to me that you should always be able to use a SID, regardless of what the domain is.
 