
I am trying to add a domain user account to a local group and everything works fine if I am logged into the computer, but if I run the same script under the SYSTEM account it fails with the error "424 Object Required". Here is the code:

Option Explicit
On Error Resume Next   ' without this the Err check at the bottom is never reached

' ADSI authentication flags (ADS_AUTHENTICATION_ENUM). VBScript does not define
' these names; left undefined they evaluate to Empty and the bind uses flags = 0.
Const ADS_SECURE_AUTHENTICATION = 1
Const ADS_SERVER_BIND           = 512

Dim domain          : domain           = "DOMAIN01"
Dim domainController: domainController = "99.139.151.102"
Dim localComputer   : localComputer    = "SERVER001"
Dim localGroup      : localGroup       = "LocalGroup1"
Dim domainAccount   : domainAccount    = "User1"
Dim objLocalGroup
Dim objDomainUser

' Bind to the local group on the member server.
Set objLocalGroup = GetObject("WinNT://" & localComputer & "/" & localGroup & ",group")

' Bind to the domain user through the named DC with explicit credentials.
Set objDomainUser = GetObject("WinNT:").OpenDSObject( _
    "WinNT://" & domain & "/" & domainController & "/" & domainAccount, _
    domainAccount, "Password1234", ADS_SECURE_AUTHENTICATION Or ADS_SERVER_BIND)

' Add domain user to local group.
objLocalGroup.Add(objDomainUser.ADsPath)

If Err.Number <> 0 Then
    WScript.Echo Err.Number
    WScript.Echo Err.Description
Else
    WScript.Echo domainAccount & " has been added to local group " & localGroup
End If

Thank you

Max

1 Answer


The SYSTEM account has no business connecting to other hosts. Run the script as a user with local admin privileges.

Ansgar Wiechers
  • That is why I am passing the credentials. It runs under SYSTEM account but connects with other credentials. See: http://blogs.technet.com/b/heyscriptingguy/archive/2004/12/13/how-can-i-run-a-script-under-alternate-credentials.aspx – Max Feb 21 '13 at 20:29
  • @Max Where in that article do you see anything saying "SYSTEM can access other hosts when explicit credentials are used"? LOCAL SYSTEM account is LOCAL. Don't use it for this kind of task. Instead use either NETWORK SERVICE or create a dedicated local admin account. – Ansgar Wiechers Feb 22 '13 at 09:55
  • I was just saying that it should not matter what account you are running your process under, what matter is the credentials you are passing to the DC so that you can access its AD objects. I am not very familiar with Active Directory/ADSI/LDAP so I will have to take your advice in consideration and test it. – Max Feb 22 '13 at 15:30
  • Just realized that the error above was happening on servers which were trying to authenticate with a DC which is in a different AD Site. It has nothing to do with the SYSTEM account. This issue has to do with a RODC, I will bet. Doing more tests... – Max Feb 22 '13 at 16:26
  • I think the problem is password replication … actually not a problem but a security feature. We don't allow the user's password to be replicated to an RODC and specifically block it if they are an administrator or some other protected account. I think the ZDC actually proxies the logon request to the BDC on behalf of the user, so in fact the server is reporting correctly that the BDC is ultimately its logon server. http://blogs.technet.com/b/askds/archive/2008/01/18/understanding-read-only-domain-controller-authentication.aspx – Max Feb 22 '13 at 16:29
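As an added diagnostic for the RODC hypothesis in the comments above (not code from the question or the answer), this PowerShell, run on the member server with the RSAT ActiveDirectory module, reports which DC the server's secure channel points at, whether it is read-only, and whether the bind account's secret may be cached there; the domain and account names are taken from the question, everything else is assumed.

```powershell
# Added diagnostic, not part of the original post. Assumes: run on the member
# server, RSAT ActiveDirectory module present, a domain account that can read
# DC objects and the password replication policy (no admin rights needed).
param(
    [string]$Domain  = 'DOMAIN01',   # values from the question
    [string]$Account = 'User1'
)
Import-Module ActiveDirectory -ErrorAction Stop

# 1. Which DC does this server's secure channel currently use?
$scLine = nltest "/sc_query:$Domain" | Where-Object { $_ -match 'Trusted DC Name' } |
          Select-Object -First 1
$dcName = ($scLine -replace '^.*\\\\', '').Trim()
if (-not $dcName) { throw "Could not read the secure-channel DC for $Domain" }

$dc = Get-ADDomainController -Identity $dcName
Write-Output ('Secure-channel DC: {0}  site={1}  read-only={2}' -f $dc.HostName, $dc.Site, $dc.IsReadOnly)

if (-not $dc.IsReadOnly) {
    Write-Output 'Writable DC: RODC password caching is not a factor here.'
    return
}

# 2. Is the account explicitly denied from having its secret cached on RODCs?
#    (Administrators and other protected accounts normally are.)
$deniedMembers = Get-ADGroupMember -Identity 'Denied RODC Password Replication Group' -Recursive |
                 Select-Object -ExpandProperty SamAccountName
$isDenied = $deniedMembers -contains $Account

# 3. Has this RODC actually cached the account's secret?
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $dc -RevealedAccounts |
            Select-Object -ExpandProperty SamAccountName
$isCached = $revealed -contains $Account

Write-Output ('Account {0}: in Denied PRP group={1}; secret cached on {2}={3}' -f $Account, $isDenied, $dc.Name, $isCached)

if ($isDenied -or -not $isCached) {
    Write-Output 'This RODC must forward the logon to a writable DC; verify that DC is reachable from this site.'
    Write-Output 'Alternative: bind with a non-protected service account whose secret the PRP allows to be cached.'
}
```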