Check OU computers in Active Directory


John Smith

Sep 2, 2008, 6:17:02 AM
Hi all,

I have an IIS server (Win 2003) with Active Directory and I created several OUs
which contain computers (not users!).
I would like to use the C Win32 API to check if a computer (identified by its
name) is a member of an OU (identified by its name).

My search results stopped at CheckTokenMembership, but it is useful for
checking user membership and not computer membership.

Any help ?
Thanks

Richard Mueller [MVP]

Sep 2, 2008, 10:47:41 AM

"John Smith" <John...@discussions.microsoft.com> wrote in message
news:31A77770-62C0-4F8E...@microsoft.com...

I suggest you use the NameTranslate object to convert the NetBIOS name of
the computer to the Distinguished Name. See this link:

http://msdn.microsoft.com/en-us/library/aa706046.aspx

NameTranslate can convert the NT form of the object name to the RFC 1779
Distinguished Name. The NT form of the computer name is <NetBIOS Name of
computer>\<NetBIOS name of domain>. Once you have the Distinguished Name
(DN), you can either parse the DN for the parent container/OU, or you can
bind to the computer object and use the Parent method of the object to
retrieve the ADsPath of the parent container/OU.

Note that computer objects are not "members" of OUs, at least in the sense
that objects are members of groups. Computer objects reside in a parent
container or Organizational Unit. The Distinguished Name (or ADsPath) of any
object indicates where in the hierarchy of AD the object resides. The DN of
the OU identifies it, for example:

ou=Sales,ou=West,dc=MyDomain,dc=com

The "Relative Distinguished Name" (RDN) of this example OU is "Sales". Note
that the RDN does not uniquely identify the OU. There can be several OUs
with RDN equal to "Sales". Only the DN uniquely identifies the OU. There is
no attribute of computer objects (or user or any objects) that indicates
where the object resides in AD except the DN (and ADsPath).

If it helps, I have VBScript examples describing how to use NameTranslate at
this link:

http://www.rlmueller.net/NameTranslateFAQ.htm

The API used under the covers is DsCrackNames. Search for more information
on DsCrackNames if you would rather use this API instead of the
NameTranslate interface.

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--


Richard Mueller [MVP]

Sep 2, 2008, 10:51:49 AM

"Richard Mueller [MVP]" <rlmuelle...@ameritech.nospam.net> wrote in
message news:%23b05grQ...@TK2MSFTNGP06.phx.gbl...

Link to kb article on DsCrackNames:

http://msdn.microsoft.com/en-us/library/ms675970.aspx
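
An added example in PowerShell, not code from the thread, that does what the two replies above describe: it converts the NT form of a computer name to its distinguished name through the NameTranslate object (which calls DsCrackNames underneath), takes the parent OU from the DN, and compares that against the DN of the OU of interest. The domain name MYDOMAIN, the computer name PC01 and the OU DN are assumptions; the script has to run on a domain-joined Windows host that can reach a global catalog.

```powershell
# Added example, not from the thread. Assumed names: NetBIOS domain MYDOMAIN,
# computer PC01, OU "OU=Sales,OU=West,DC=MyDomain,DC=com".

# NameTranslate constants (values from iads.h)
$ADS_NAME_INITTYPE_GC = 3   # initialise against a global catalog
$ADS_NAME_TYPE_1779   = 1   # RFC 1779 distinguished name
$ADS_NAME_TYPE_NT4    = 3   # DOMAIN\account form

function Get-ComputerDN {
    param([string]$NetbiosDomain, [string]$ComputerName)
    # NameTranslate ships without a type library, so its methods are reached
    # through IDispatch with InvokeMember instead of as ordinary PowerShell methods.
    $nt = New-Object -ComObject NameTranslate
    $t  = $nt.GetType()
    [void]$t.InvokeMember('Init', 'InvokeMethod', $null, $nt, @($ADS_NAME_INITTYPE_GC, $null))
    # The NT4 form of an account is DOMAIN\sAMAccountName, and a computer's
    # sAMAccountName is its NetBIOS name followed by '$'.
    [void]$t.InvokeMember('Set', 'InvokeMethod', $null, $nt, @($ADS_NAME_TYPE_NT4, "$NetbiosDomain\$ComputerName`$"))
    $t.InvokeMember('Get', 'InvokeMethod', $null, $nt, @($ADS_NAME_TYPE_1779))
}

function Get-ParentDN {
    param([string]$DN)
    # Split on commas that are not escaped: a backslash escapes a comma inside an
    # RDN, e.g. "CN=Smith\, John". Everything after the first RDN is the parent DN.
    $rdns = [regex]::Split($DN, '(?<!\\),')
    ($rdns | Select-Object -Skip 1) -join ','
}

function Test-ComputerInOU {
    param([string]$ComputerDN, [string]$OUDN, [switch]$IncludeChildOUs)
    $parent = Get-ParentDN $ComputerDN
    $cmp = [System.StringComparison]::OrdinalIgnoreCase
    # Compare the full DN, case-insensitively. The RDN alone ("Sales") is not
    # enough because several OUs in the domain can carry the same RDN.
    if ($parent.Equals($OUDN, $cmp)) { return $true }
    # With -IncludeChildOUs, residing anywhere under the OU also counts; the
    # parent DN then ends with ",<OUDN>".
    return [bool]($IncludeChildOUs -and $parent.EndsWith(",$OUDN", $cmp))
}

$dn = Get-ComputerDN -NetbiosDomain 'MYDOMAIN' -ComputerName 'PC01'
Test-ComputerInOU -ComputerDN $dn -OUDN 'OU=Sales,OU=West,DC=MyDomain,DC=com' -IncludeChildOUs
```

The DN split handles backslash-escaped commas but not other RDN variations (extra whitespace around separators, hex-encoded values), so normalise DNs from untrusted sources before comparing them. The same result can be had without parsing by binding to `LDAP://<DN>` and reading the `Parent` of the object, as Richard notes.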

John Smith

Sep 5, 2008, 5:40:01 AM
Hi,
Thanks for reply.

In fact, I would like to check if a computer is a member of an AD group and
not an OU (sorry for my first post).
CheckTokenMembership checks if a user is a member of a group thanks to an
access token.
How do I check if a computer is a member of a group? Is there an access token
which identifies a computer? What function can retrieve it?

Richard Mueller [MVP]

Sep 5, 2008, 8:17:08 AM

"John Smith" <John...@discussions.microsoft.com> wrote in message
news:3CD75815-9DEA-4C64...@microsoft.com...

> Hi,
> Thanks for reply.
>
> In fact, I would like to check if a computer is a member of an AD group and
> not an OU (sorry for my first post).
> CheckTokenMembership checks if a user is a member of a group thanks to an
> access token.
> How do I check if a computer is a member of a group? Is there an access
> token which identifies a computer? What function can retrieve it?
>

Computer and user objects both have an objectSID attribute, which is the
SID. They also both have a tokenGroups attribute, which is a multi-valued
collection of the SIDs of the security groups the object belongs to. I
would expect any method that checks user membership to work equally well for
computers. I'm used to using tokenGroups to check membership (where the
trick is to retrieve the group names from the SID values). If I understand
the documentation on CheckTokenMembership, you need to point TokenHandle to
the objectSID attribute of the computer object.

John Smith

Sep 8, 2008, 3:28:01 AM
Okay,

But I don't know how to get a token handle for a computer.
If I retrieve a token handle with NULL (for the current computer) it doesn't
match...

Richard Mueller [MVP]

Sep 9, 2008, 11:50:46 AM
I'm suggesting that the value of the objectSID attribute of the computer
object is the SID value you need. I've never used the CheckTokenMembership
API, but the TokenHandle argument should point to this SID value. The
objectSID attribute is a byte array.

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--

"John Smith" <John...@discussions.microsoft.com> wrote in message
news:EEFC4CB6-3D4D-46D8...@microsoft.com...
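
An added example in PowerShell, not code from the thread, for the group-membership half of the question using the tokenGroups attribute Richard describes in his last two replies. CheckTokenMembership takes a handle to an access token (NULL meaning the token of the calling thread or process) and the SID to look for, so it reports on the identity the calling code runs as; to answer the question for a named computer account, read that account's tokenGroups from the directory and compare SIDs. The computer name PC01 and the group name "Web Servers" are assumptions, both are looked up in the current user's domain, and the names are escaped before being placed in LDAP filters.

```powershell
# Added example, not from the thread. Assumed names: computer PC01 and group
# "Web Servers", both in the domain of the current user.

function ConvertTo-LdapFilterValue {
    param([string]$Value)
    # Escape the characters RFC 4515 reserves in filter values so that a name
    # taken from input cannot change the shape of the query.
    $sb = New-Object System.Text.StringBuilder
    foreach ($c in $Value.ToCharArray()) {
        switch ($c) {
            '\'  { [void]$sb.Append('\5c') }
            '*'  { [void]$sb.Append('\2a') }
            '('  { [void]$sb.Append('\28') }
            ')'  { [void]$sb.Append('\29') }
            "`0" { [void]$sb.Append('\00') }
            default { [void]$sb.Append($c) }
        }
    }
    $sb.ToString()
}

function Find-AccountEntry {
    param([string]$ObjectCategory, [string]$SamAccountName)
    # Searches the default naming context of the current domain for one account.
    $name = ConvertTo-LdapFilterValue $SamAccountName
    $searcher = [ADSISearcher]"(&(objectCategory=$ObjectCategory)(sAMAccountName=$name))"
    $result = $searcher.FindOne()
    if (-not $result) { throw "No $ObjectCategory with sAMAccountName '$SamAccountName'" }
    $result.GetDirectoryEntry()
}

function Get-TokenGroupSids {
    param($Entry)
    # tokenGroups is a constructed attribute: the DC computes it on request, so it
    # must be fetched explicitly. It holds the objectSid of every security group
    # the account belongs to, nested groups and the primary group included.
    $Entry.psbase.RefreshCache(@('tokenGroups'))
    foreach ($bytes in $Entry.psbase.Properties['tokenGroups']) {
        # Each value is a binary SID; SecurityIdentifier decodes it to S-1-5-...
        New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)
    }
}

function Get-ComputerGroupNames {
    param([string]$ComputerName)
    # A computer's sAMAccountName is its NetBIOS name followed by '$'.
    $entry = Find-AccountEntry -ObjectCategory 'computer' -SamAccountName "$ComputerName`$"
    foreach ($sid in Get-TokenGroupSids $entry) {
        try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $sid.Value }   # SIDs this host cannot resolve are shown raw
    }
}

function Test-ComputerInGroup {
    param([string]$ComputerName, [string]$GroupName)
    $computer = Find-AccountEntry -ObjectCategory 'computer' -SamAccountName "$ComputerName`$"
    $group    = Find-AccountEntry -ObjectCategory 'group'    -SamAccountName $GroupName
    # Compare SIDs rather than names: the SID is what authorization decisions use,
    # and a group can be renamed without its SID changing.
    $groupSid = New-Object System.Security.Principal.SecurityIdentifier($group.psbase.Properties['objectSid'].Value, 0)
    @(Get-TokenGroupSids $computer) -contains $groupSid
}

Get-ComputerGroupNames -ComputerName 'PC01'
Test-ComputerInGroup -ComputerName 'PC01' -GroupName 'Web Servers'
```

tokenGroups is preferable to memberOf for this check because memberOf lists only direct memberships and omits the primary group (Domain Computers by default), while tokenGroups is the group set a DC would place in the account's token. It covers security groups only; distribution groups do not appear in it.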
