WNTUSERADD Question

Started by LAKosin, December 10, 2014, 08:08:23 AM


LAKosin

I have used WNTUserAdd successfully but I have a question as to how to use it in a cross domain situation.

If I am running it on Domain ABC but want to add a user on Domain XYZ;
what is the syntax of the 'server' [WNTUSERADD(server.domain)]  or [WNTUSERADD(domain.server)] ???

The account I'm using has rights in both domains.

td

The documentation states that the function only accepts the UNC server name (\\server).  It states nothing about accepting dotted name notation and I have never tried anything other than the UNC name. If dotted notation does work (note the 'if'), I would guess it would be 'server.domain' but I guess you would have to try it to find out.
"No one who sees a peregrine falcon fly can ever forget the beauty and thrill of that flight."
  - Dr. Tom Cade

ChuckC

IIRC, there's nothing coded in the extender to forbid the use of DNS FQDN [fully qualified domain name] values in place of NetBIOS names for the "server" parameter value in a call to wntUserAdd().

Also, the value of the "server" parameter should specify the name of a domain controller for the domain in which the user account is going to be created.  If a member server is targeted by a call to wntUserAdd(), then a local user account gets created on the member server.  However, since domain controllers don't have local accounts, when you target one of them via wntUserAdd(), the account that gets created by the function is created in the domain that the domain controller belongs to.

All of this is something of a moot point, though, as the wntUser*() functions really shouldn't be used with modern Windows systems running in AD domains in an AD forest.  Yes, the functions still work since the underlying API functions that they depend on are still present, but there are significantly better ways to create objects in AD.  The ADSI extender would be one good choice, and the other choice would be to make direct use of the ADSI COM interfaces from within a WinBatch script.  Either of these methods will directly interact with Active Directory via LDAP and provide the most flexibility and capability for creating and manipulating objects in an AD domain.


td

Was finally able to find the time to perform a brief code inspection. That inspection reveals that the function should take either a DNS name or NetBIOS name.  And yes, the function should create a Domain user when the target is a Domain Controller because of the primary group RID.

LAKosin

I was able to get the WNTUserAdd function to work cross domain.
I have 2 related question/problems.

First:
The problem that I have now is when I try to run a DSFINDPATH so that I can place the newly created user in the correct OU,
I ALWAYS get a "1073: Cannot contact the LDAP server" error.
I have no clue as to why.

Secondly:
I then have been trying to use the ADSI functions to create a user and place it in the correct OU but I am TOTALLY confused as to how to use them.
I've read and re-read the help file and I quite frankly don't know how to even start to make it work.

Any help would be greatly appreciated.

td

Quote from: LAKosin on January 13, 2015, 05:57:27 AM
I was able to get the WNTUserAdd function to work cross domain.
I have 2 related question/problems.

First:
The problem that I have now is when I try to run a DSFINDPATH so that I can place the newly created user in the correct OU,
I ALWAYS get a "1073: Cannot contact the LDAP server" error.
I have no clue as to why.

Generally, when dsFindPath generates this error it is because you have not specified the path correctly.  Less frequently, it is caused by not having set proper credentials or by the domain server being temporarily unavailable.

You can check your 'wwwbatch.ini' file for system generated error information associated with the ADSI extender.  The file can be found at '<systemdrive>:\Users\<currentuser>\AppData\Roaming\WinBatch\Settings'

Quote
Secondly:
I then have been trying to use the ADSI functions to create a user and place it in the correct OU but I am TOTALLY confused as to how to use them.
I've read and re-read the help file and I quite frankly don't know how to even start to make it work.

Any help would be greatly appreciated.

Look at the first part of the example for the dsCreateObj function in the WIL Consolidated Help file.


td

A very basic example using one of our test servers.  The example uses the server's NetBIOS name so that it will execute from a computer not joined to the domain.

Code (winbatch):

AddExtender("wwads44i.dll", 0, "wwads64i.dll")

; Container
sAdsiPath = "LDAP://shamrock/CN=Users,DC=jclass,DC=org"

; Credentials
SECURE_AUTHENTICATION = 1
dsSetCredentX("shamrock\guesswho","*topsecret*",SECURE_AUTHENTICATION)

; Create the user object.
sObjectClass = "User"
sUserName    = "CN=Bill Bates"
sUserPath    = dsCreateObj(sAdsiPath, sObjectClass, sUserName)

; Set the mandatory properties.
sProperty = "samAccountName"
sValue    = "bbates"
dsSetProperty(sUserPath, sProperty, sValue)

; Always disable account when creating.
UF_ACCOUNTDISABLE = 2
nValue = UF_ACCOUNTDISABLE
dsSetProperty(sUserPath, "userAccountControl", nValue)

; Create the user account on the server.
dsSetObj(sUserPath)

; Must be done after the user object is set.
dsSetPassword(sUserPath, "", "popcorn")

; Finally, enable the account by clearing the disable bit.
nValue = dsGetProperty(sUserPath, "userAccountControl")
nValue = nValue ^ UF_ACCOUNTDISABLE  ; XOR toggles the bit, which is fine right after setting it; nValue = nValue & (~UF_ACCOUNTDISABLE) clears it unconditionally
dsSetProperty(sUserPath, "userAccountControl", nValue)
exit
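Two points in the thread lend themselves to a checkable illustration: td's remark that a "Cannot contact the LDAP server" error from dsFindPath usually means the ADsPath was not specified correctly, and the last step of his script, which clears the ACCOUNTDISABLE bit in userAccountControl. The block below is an added example written for this page, not code from the thread or from the WinBatch ADSI extender, and it is in Python rather than WinBatch so it can be run offline. The server and domain values (shamrock, jclass.org, CN=Users) are taken from td's post; the flag constants are the documented Active Directory userAccountControl values; all function names are the example's own. It shows why the disable bit should be cleared with AND-NOT rather than XOR or OR-NOT: the OR-NOT form turns on every other flag in the attribute, including PASSWD_NOTREQD and DONT_REQUIRE_PREAUTH, which is exactly the kind of account state an AD review should look for.

```python
"""ADsPath construction/checking and userAccountControl handling.

Constructed example for this thread; not part of the WinBatch ADSI extender.
"""

# Documented Active Directory userAccountControl flag values (subset).
UF_ACCOUNTDISABLE = 0x0002
UF_PASSWD_NOTREQD = 0x0020
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_DONT_REQUIRE_PREAUTH = 0x400000

UAC_FLAG_NAMES = {
    UF_ACCOUNTDISABLE: "ACCOUNTDISABLE",
    UF_PASSWD_NOTREQD: "PASSWD_NOTREQD",
    UF_NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    UF_DONT_EXPIRE_PASSWD: "DONT_EXPIRE_PASSWD",
    UF_DONT_REQUIRE_PREAUTH: "DONT_REQUIRE_PREAUTH",
}
MASK32 = 0xFFFFFFFF  # userAccountControl is a 32-bit integer attribute


def enable_account(uac: int) -> int:
    """Clear only the disable bit. Idempotent; every other flag is preserved."""
    return uac & ~UF_ACCOUNTDISABLE & MASK32


def disable_account(uac: int) -> int:
    """Set the disable bit, leaving the other flags as they are."""
    return (uac | UF_ACCOUNTDISABLE) & MASK32


def enable_by_xor(uac: int) -> int:
    """The XOR form from the script: correct once, but it re-disables an
    account whose bit is already clear."""
    return (uac ^ UF_ACCOUNTDISABLE) & MASK32


def enable_by_or_not(uac: int) -> int:
    """The 'nValue | (~UF_ACCOUNTDISABLE)' form: OR with the complement sets
    every other bit in the attribute. Shown here only to make the defect visible."""
    return (uac | (~UF_ACCOUNTDISABLE & MASK32)) & MASK32


def describe_uac(uac: int) -> list:
    """Names of the known flags set in a userAccountControl value, for review."""
    return [name for bit, name in sorted(UAC_FLAG_NAMES.items()) if uac & bit]


def domain_to_dn(domain_fqdn: str) -> str:
    """'jclass.org' -> 'DC=jclass,DC=org'."""
    labels = [l for l in domain_fqdn.strip().strip(".").split(".") if l]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join("DC=" + l for l in labels)


def build_adspath(server: str, rdns: list, domain_fqdn: str) -> str:
    """LDAP://<server>/<rdn,...>,<domain DN>. rdns are leaf-first, e.g. ['OU=Staff'].
    server may be a NetBIOS name or a DNS name; slashes and spaces are rejected."""
    if not server or any(c in server for c in "/\\ "):
        raise ValueError("bad server name: %r" % server)
    dn = ",".join(list(rdns) + [domain_to_dn(domain_fqdn)])
    return "LDAP://" + server + "/" + dn


def check_adspath(path: str) -> list:
    """Return the problems in an ADsPath that typically surface as a bind or
    'cannot contact server' error rather than as a clear syntax message."""
    problems = []
    if not path.startswith("LDAP://"):
        # ADSI treats the provider prefix as case-sensitive; 'ldap://' is not accepted.
        problems.append("missing or wrong provider prefix (expected uppercase 'LDAP://')")
        return problems
    server, sep, dn = path[len("LDAP://"):].partition("/")
    if not sep:
        problems.append("no '/' between server and distinguished name")
        return problems
    if not server:
        problems.append("empty server name")
    if "\\" in dn:
        problems.append("backslashes in DN; RDNs are separated by ','")
    rdns = [r.strip() for r in dn.split(",")]
    for rdn in rdns:
        if "=" not in rdn or rdn.split("=", 1)[0].upper() not in {"CN", "OU", "DC"}:
            problems.append("malformed RDN: %r" % rdn)
    if not any(r.upper().startswith("DC=") for r in rdns):
        problems.append("no DC= components; the path does not name a domain")
    return problems


if __name__ == "__main__":
    container = build_adspath("shamrock", ["CN=Users"], "jclass.org")
    print(container, check_adspath(container))
    uac = disable_account(UF_NORMAL_ACCOUNT)          # as created: 0x202
    print(describe_uac(enable_account(uac)))           # ['NORMAL_ACCOUNT']
    print(describe_uac(enable_by_or_not(uac)))         # every known flag set
```

Running check_adspath on a path before handing it to dsFindPath or dsCreateObj turns the vague "cannot contact" failure into a concrete message, and describe_uac is a convenient way to confirm what an account actually ended up with after a script like the one above has run.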