2013-02-21 141 views
1

There are hundreds of articles on this, but my case is "unique". I'm getting Access Denied on this line: how do I add a domain account user to a local group?

Set objDomainUser = GetObject("WinNT://" & domainControllerIP & "/" & domainAccount & ",user") 

So I realised I have to pass the user's credentials. Most people pass only the domain name, which is fine: it connects to the domain controller, which you can find by looking at the %LOGONSERVER% environment variable. I need to specify the domain controller name (or IP), otherwise it doesn't work for us.

So I'm just trying to get this syntax right. Here is my code:

Sub AddAccountToLocalGroup(domainName, domainControllerIP, localGroup, domainAccount)

    Dim localComputer : localComputer = GetMachineName()   ' asker's own helper, not shown here
    Dim objLocalGroup
    Dim objDomainUser

    Const ADS_SECURE_AUTHENTICATION = &h0001
    Const ADS_SERVER_BIND           = &h0200

    On Error Resume Next   ' needed so the Err.Number check below can see a failed bind or Add

    Set objLocalGroup = GetObject("WinNT://" & localComputer & "/" & localGroup & ",group")
    'Set objDomainUser = GetObject("WinNT://" & domainControllerIP & "/" & domainAccount & ",user") 'ACCESS DENIED

    'Error happens in Set objDomainUser
    ' Set objDomainUser = GetObject("WinNT:").OpenDSObject("WinNT://" & domainName & "/" & domainControllerIP & "/" & "Bob", "Bob", "Password", ADS_SECURE_AUTHENTICATION Or ADS_SERVER_BIND)
    ' Set objDomainUser = GetObject("WinNT:").OpenDSObject("WinNT://" & domainName & "/" & domainControllerIP & "/" & ",user", "Bob", "Password", ADS_SECURE_AUTHENTICATION Or ADS_SERVER_BIND)
    ' Set objDomainUser = GetObject("WinNT:").OpenDSObject("WinNT://" & domainName & "/" & "Bob" & ",user", "Bob", "Password", ADS_SECURE_AUTHENTICATION Or ADS_SERVER_BIND)

    'Add domain user to local group
    objLocalGroup.Add objDomainUser.ADsPath

    If Err.Number <> 0 Then
        WScript.Echo Err.Number & ": " & Err.Description
    Else
        WScript.Echo domainAccount & " has been added to local group."
    End If
End Sub

Thanks!

Answer

2

You should be able to connect to AD with explicit credentials against a specific DC like this:

Const ADS_SECURE_AUTHENTICATION = &h0001
Const ADS_SERVER_BIND           = &h0200

server   = "..."
username = "DOMAIN\user"
password = "password"

' Bind to RootDSE on the named server with explicit credentials to find the domain's naming context
Set rootDSE = GetObject("LDAP:").OpenDSObject("LDAP://" & server & "/RootDSE" _
    , username, password, ADS_SERVER_BIND + ADS_SECURE_AUTHENTICATION)
base   = "<LDAP://" & server & "/" & rootDSE.Get("defaultNamingContext") & ">"
filter = "(&(objectCategory=person)(objectClass=user))"
attr   = "distinguishedName"
scope  = "subtree"

' ADO connection through the ADSI OLE DB provider, using the same credentials and bind flags
Set conn = CreateObject("ADODB.Connection")
conn.Provider = "ADsDSOObject"
conn.Properties("User ID")  = username
conn.Properties("Password") = password
conn.Properties("Encrypt Password") = True
conn.Properties("ADSI Flag") = ADS_SERVER_BIND + ADS_SECURE_AUTHENTICATION
conn.Open "Active Directory Provider"

Set cmd = CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandText = base & ";" & filter & ";" & attr & ";" & scope
cmd.Properties("Page Size") = 100
cmd.Properties("Timeout") = 30
cmd.Properties("Cache Results") = False

Set rs = cmd.Execute
Do Until rs.EOF
    'enumerate AD records returned by query
    rs.MoveNext
Loop
rs.Close

conn.Close

From this article by Richard L. Mueller.

Edit: Ah, my mistake. The above is for the LDAP provider, which can't handle local groups. You also can't add an LDAP ADsPath to a group object obtained from the WinNT provider. The reason your attempts failed is that you tried WinNT://DOMAIN/..., but it should be WinNT://DOMAIN_CONTROLLER/.... Something like this should work:

Const ADS_SECURE_AUTHENTICATION = &h0001
Const ADS_SERVER_BIND           = &h0200

dc       = "..."
username = "DOMAIN\user"
password = "password"

domainuser = "Bob"
localgroup = "Users"

' Bind to the user object on the named DC (not the domain name) with explicit credentials
Set nt = GetObject("WinNT:")
Set user = nt.OpenDSObject("WinNT://" & dc & "/" & domainuser & ",user" _
    , username, password, ADS_SERVER_BIND + ADS_SECURE_AUTHENTICATION)

' "." is the local machine; the Add takes the ADsPath returned by the DC bind
GetObject("WinNT://./" & localgroup & ",group").Add user.ADsPath
+0

This helped me a lot. Thank you, sir! – Max 2013-02-21 17:28:40

+0

Now the only problem is how to get the user account object in a loop? Set objDomainUser = GetObject("WinNT://" & ... – Max 2013-02-21 19:39:52

+0

I tried that before, and it gave me "Microsoft VBScript runtime error: Permission denied: 'GetObject'". Remember that the VBScript (cmd.exe) runs under the SYSTEM account, but if I pass credentials to access the AD object, that shouldn't matter. Note: if I run the script while logged in with MY account, the script works! But I need to do this under the SYSTEM account and pass credentials to WinNT/LDAP and so on... – Max 2013-02-22 15:33:47
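As an added example (not code from the question, the answer or the comments), this puts the answer's pattern together with the loop asked about in the comments: bind to a named DC through the WinNT provider with explicit credentials, then add several domain users to a local group, skipping any that are already members and printing the ADSI error text when a bind or Add fails. The DC name, service account, password, group name and user list are placeholders you must replace. The credentials given to OpenDSObject are used only for the DC bind; the GetObject on the local group and the Add run under the script's own token (SYSTEM in the asker's case), which must be a local administrator on the machine.

```vbscript
' Added example: add domain users to a local group, binding to a specific DC
' with explicit credentials. All names and the password below are placeholders.
Option Explicit

Const ADS_SECURE_AUTHENTICATION = &h0001
Const ADS_SERVER_BIND           = &h0200

Dim dc, bindUser, bindPassword, localGroup, domainUsers
dc           = "DC01"                    ' DC name or IP, not the domain name (assumed)
bindUser     = "DOMAIN\svc_groupadmin"   ' any account that can read the user objects (assumed)
bindPassword = "password"                ' placeholder; keep it out of world-readable scripts
localGroup   = "Remote Desktop Users"    ' assumed target group
domainUsers  = Array("Bob", "Alice")     ' constructed sample list

Dim nt, grp, i, user
Set nt  = GetObject("WinNT:")
' Local group object: fetched under the script's own token, which needs local admin rights
Set grp = GetObject("WinNT://./" & localGroup & ",group")

For i = 0 To UBound(domainUsers)
    On Error Resume Next
    Err.Clear
    ' Bind to the user on the named DC; these credentials apply only to this bind
    Set user = nt.OpenDSObject("WinNT://" & dc & "/" & domainUsers(i) & ",user", _
        bindUser, bindPassword, ADS_SERVER_BIND Or ADS_SECURE_AUTHENTICATION)
    If Err.Number <> 0 Then
        WScript.Echo "Bind failed for " & domainUsers(i) & ": " & Err.Description
    ElseIf grp.IsMember(user.ADsPath) Then
        ' Idempotent: re-running the script does not error on existing members
        WScript.Echo domainUsers(i) & " is already a member of " & localGroup
    Else
        grp.Add user.ADsPath
        If Err.Number <> 0 Then
            WScript.Echo "Add failed for " & domainUsers(i) & ": " & Err.Description
        Else
            WScript.Echo domainUsers(i) & " added to " & localGroup
        End If
    End If
    On Error GoTo 0
Next
```

Run it with `cscript //nologo add-to-group.vbs`. Because the bind account only has to read user objects on the DC, it can be a low-privilege domain account; the right to change the local group comes from the context the script runs in, so a password stored in the .vbs file should not belong to an account with any more than that.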
