2013-02-21 183 views
1

There are hundreds of articles on this, but my case is "unique". How do I add a domain account user to a local group? I get Access Denied on this line:

Set objDomainUser = GetObject("WinNT://" & domainControllerIP & "/" & domainAccount & ",user") 

So I realized that I have to pass the user's credentials. Most people only pass the domain name, which is fine: it connects to the domain controller that can be found by looking at the %LOGONSERVER% environment variable. I need to specify the domain controller name (or IP); otherwise it doesn't work for us.

So I'm just trying to get the syntax right. Here is my code:

Sub AddAccountToLocalGroup(domainName, domainControllerIP, localGroup, domainAccount)
    ' Without this the script aborts on the first error and the Err.Number check below is never reached
    On Error Resume Next
    Err.Clear

    Dim localComputer : localComputer = GetMachineName()   ' helper defined elsewhere in the poster's script
    Dim objLocalGroup
    Dim objDomainUser

    Const ADS_SECURE_AUTHENTICATION = &h0001
    Const ADS_SERVER_BIND           = &h0200

    Set objLocalGroup = GetObject("WinNT://" & localComputer & "/" & localGroup & ",group")
    'Set objDomainUser = GetObject("WinNT://" & domainControllerIP & "/" & domainAccount & ",user") 'ACCESS DENIED

    'Error happens in Set objDomainUser
    ' Set objDomainUser = GetObject("WinNT:").OpenDSObject("WinNT://" & domainName & "/" & domainControllerIP & "/" & "Bob", "Bob", "Password", ADS_SECURE_AUTHENTICATION or ADS_SERVER_BIND)
    ' Set objDomainUser = GetObject("WinNT:").OpenDSObject("WinNT://" & domainName & "/" & domainControllerIP & "/" & "Bob", "Bob", "Password", ADS_SECURE_AUTHENTICATION or ADS_SERVER_BIND)
    ' Set objDomainUser = GetObject("WinNT:").OpenDSObject("WinNT://" & domainName & "/" & domainControllerIP & "/" & ",user", "Bob", "Password", ADS_SECURE_AUTHENTICATION or ADS_SERVER_BIND)
    ' Set objDomainUser = GetObject("WinNT:").OpenDSObject("WinNT://" & domainName & "/" & "Bob" & ",user", "Bob", "Password", ADS_SECURE_AUTHENTICATION or ADS_SERVER_BIND)

    'Add domain user to local group
    objLocalGroup.Add(objDomainUser.ADsPath)

    If Err.Number <> 0 Then
        WScript.Echo Err.Number
    Else
        WScript.Echo domainAccount & " has been added to local group."
    End If
End Sub

Thanks!

Answer

2

You should be able to connect to AD with explicit credentials against a specific DC like this:

Const ADS_SECURE_AUTHENTICATION = &h0001 
Const ADS_SERVER_BIND   = &h0200 

server = "..." 
username = "DOMAIN\user" 
password = "password" 

Set rootDSE = GetObject("LDAP:").OpenDSObject("LDAP://" & server & "/RootDSE" _ 
    , username, password, ADS_SERVER_BIND + ADS_SECURE_AUTHENTICATION) 
base = "<LDAP://" & server & "/" & rootDSE.Get("defaultNamingContext") & ">" 
filter = "(&(objectCategory=person)(objectClass=user))" 
attr = "distinguishedName" 
scope = "subtree" 

Set conn = CreateObject("ADODB.Connection") 
conn.Provider = "ADsDSOObject" 
conn.Properties("User ID") = username 
conn.Properties("Password") = password 
conn.Properties("Encrypt Password") = True 
conn.Properties("ADSI Flag") = ADS_SERVER_BIND + ADS_SECURE_AUTHENTICATION 
conn.Open "Active Directory Provider" 

Set cmd = CreateObject("ADODB.Command") 
Set cmd.ActiveConnection = conn 
cmd.CommandText = base & ";" & filter & ";" & attr & ";" & scope 
cmd.Properties("Page Size") = 100 
cmd.Properties("Timeout") = 30 
cmd.Properties("Cache Results") = False 

Set rs = cmd.Execute 
Do Until rs.EOF 
    'enumerate AD records returned by query 
    rs.MoveNext 
Loop 
rs.Close 

conn.Close 

From this article by Richard L. Mueller.

Edit: Ah, my mistake. The above is for the LDAP provider, which can't handle local groups. Nor can you add an LDAP ADsPath to a group object obtained from the WinNT provider. The reason your attempts fail is that you tried WinNT://DOMAIN/..., but you should use WinNT://DOMAIN_CONTROLLER/.... Something like this should work:

Const ADS_SECURE_AUTHENTICATION = &h0001 
Const ADS_SERVER_BIND   = &h0200 

dc  = "..." 
username = "DOMAIN\user" 
password = "password" 

domainuser = "Bob" 
localgroup = "Users" 

Set nt = GetObject("WinNT:") 
Set user = nt.OpenDSObject("WinNT://" & dc & "/" & domainuser & ",user" _ 
    , username, password, ADS_SERVER_BIND + ADS_SECURE_AUTHENTICATION) 

GetObject("WinNT://./" & localgroup & ",group").Add user.ADsPath 
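A fuller version of the approach in this answer, added here as an example and not part of the original answer: it binds each domain account on the named DC with explicit credentials via OpenDSObject, skips accounts that are already members of the local group, and reports a per-account error instead of aborting. The script name, the argument order and the ADD_PASSWORD environment variable are assumptions.

```vbscript
' Added example (not from the original answer): bind on a named DC with explicit
' credentials and add several domain accounts to a local group, skipping existing members.
' Assumed usage: cscript addmembers.vbs <dc> <DOMAIN\user> <localgroup> <account> [account ...]
' The bind password comes from the ADD_PASSWORD environment variable (assumed name),
' so it is neither hard-coded in the script nor visible on the command line.
Option Explicit
Const ADS_SECURE_AUTHENTICATION = &h0001
Const ADS_SERVER_BIND           = &h0200

Dim args : Set args = WScript.Arguments
If args.Count < 4 Then
    WScript.Echo "Usage: cscript addmembers.vbs <dc> <DOMAIN\user> <localgroup> <account> [account ...]"
    WScript.Quit 1
End If
Dim dc, username, localgroup, password
dc         = args(0)
username   = args(1)
localgroup = args(2)
password   = CreateObject("WScript.Shell").ExpandEnvironmentStrings("%ADD_PASSWORD%")
Dim nt  : Set nt  = GetObject("WinNT:")
Dim grp : Set grp = GetObject("WinNT://./" & localgroup & ",group")   ' "." = this computer
Dim i
For i = 3 To args.Count - 1
    AddIfMissing grp, nt, dc, args(i), username, password
Next

Sub AddIfMissing(grp, nt, dc, account, username, password)
    Dim m, user
    ' Compare by account name so an existing member is not added twice
    For Each m In grp.Members
        If LCase(m.Name) = LCase(account) Then
            WScript.Echo account & " is already a member of " & grp.Name
            Exit Sub
        End If
    Next
    On Error Resume Next   ' scoped to this Sub: report the failure instead of aborting
    ' Bind to the user object on the named DC with explicit credentials (the answer's approach)
    Set user = nt.OpenDSObject("WinNT://" & dc & "/" & account & ",user", _
        username, password, ADS_SERVER_BIND + ADS_SECURE_AUTHENTICATION)
    If Err.Number <> 0 Then
        WScript.Echo "Bind failed for " & account & ": 0x" & Hex(Err.Number) & " " & Err.Description
        Exit Sub
    End If
    grp.Add user.ADsPath
    If Err.Number <> 0 Then
        WScript.Echo "Add failed for " & account & ": 0x" & Hex(Err.Number) & " " & Err.Description
    Else
        WScript.Echo account & " added to " & grp.Name
    End If
End Sub
```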
+0

This helped me a lot. Thank you, sir! – Max 2013-02-21 17:28:40

+0

Now the only question is how to get the user account object in a loop? Set objDomainUser = GetObject("WinNT://" & ... – Max 2013-02-21 19:39:52

+0

I tried that before and it gave me "Microsoft VBScript runtime error: Permission denied: 'GetObject'". Keep in mind that the VBScript (cmd.exe) runs under the SYSTEM account, but if I pass credentials to access the AD objects that shouldn't matter. Note: if I run the script while logged in with MY account, the script works! But I need to get this done under the SYSTEM account and pass the credentials to WinNT/LDAP and so on... – Max 2013-02-22 15:33:47