zakird / pyad

Python Active Directory Tools | *Not actively maintained*
http://zakird.github.io/pyad/

ADGroup.get_members() failing for some groups #156

Open Aaeeschylus opened 2 years ago

Aaeeschylus commented 2 years ago

I have a script which gets run through devops daily and has been running daily for the past 6 months. The point of the script is to monitor group membership for certain groups. Recently however, it is failing but only for some groups.

The relevant part of the code is as follows:

from pyad import adgroup  # import the snippet relies on

def getMembers(groupName):
    result = []
    try:
        group = adgroup.ADGroup.from_cn(groupName)
        members = group.get_members()  # raises com_error for the affected groups
    except Exception:
        raise  # error handling and the further processing that fills `result` are elided in the report

For most groups, this will get a list of all of the members in the group and will do some further processing afterwards. However, for some groups, it throws the following error:

Traceback (most recent call last):
  File "c:\Users\me\Documents\AuditGroups.py", line 273, in <module>
    getMembers("Domain Admins")
  File "c:\Users\me\Documents\AuditGroups.py", line 217, in getMembers
    members = group.get_members()
  File "C:\Users\me\AppData\Local\Programs\Python\Python310\lib\site-packages\pyad\adgroup.py", line 33, in get_members
    return self._get_members(recursive, ignoreGroups, [])
  File "C:\Users\me\AppData\Local\Programs\Python\Python310\lib\site-packages\pyad\adgroup.py", line 43, in _get_members
    pyADobj = ADObject(dn, options=self._make_options())
  File "C:\Users\me\AppData\Local\Programs\Python\Python310\lib\site-packages\pyad\adobject.py", line 88, in __init__
    self.__set_adsi_obj()
  File "C:\Users\me\AppData\Local\Programs\Python\Python310\lib\site-packages\pyad\adobject.py", line 76, in __set_adsi_obj
    self._ldap_adsi_obj = self.adsi_provider.getObject('', self.__ads_path)
  File "<COMObject ADsNameSpaces>", line 2, in getObject
pywintypes.com_error: (-2147352567, 'Exception occurred.', (0, 'Active Directory', 'There is no such object on the server.\r\n', None, 0, -2147016656), None)

At first I thought there might be something wrong with one of the users that are a part of this group, however using

aduser.ADUser.from_cn(member)

I can successfully retrieve every user that is part of the group on their own, just not through get_members().

I then thought it was an issue with the built-in groups (since Domain Admins is failing), however there are a couple of groups that are not built-in that are failing and Domain Admins is the only failing built-in.

I tried looking through and comparing both security permissions and attributes of groups that are failing with groups that are working and nothing appeared out of the ordinary.

I am now at a loss as to what could be causing this. Any assistance would be greatly appreciated.

Aaeeschylus commented 2 years ago

I found the problem. Someone had changed permissions in a single OU and that prevented the account from viewing the contents.

If possible, an error message that specifies access denied would be much better than "no such object on the server"
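The thread's lesson is that `get_members()` binds to every member DN in turn, and an ACL change on one OU surfaces as a COM "no such object" error that aborts the whole audit. The following is an added example, not pyad's code and not the reporter's script: a membership-audit routine that resolves members one DN at a time, pulls the real HRESULT out of the `com_error` tuple (the inner value at `excepinfo[5]`, as in the traceback above), maps it to its Win32 code, and records unresolvable DNs as an alert condition instead of crashing. To run offline it takes two injected callables, `list_member_dns` and `resolve_member`, and ships a constructed sample directory and a `ComErrorStandIn` class that mimics the `pywintypes.com_error` argument layout; with pyad on Windows those would be replaced by real lookups and `pywintypes.com_error`.

```python
# Added example, not part of pyad or the issue author's script. It assumes two
# injectable callables so it runs offline: list_member_dns(group_dn) -> list of
# member DNs (what AD's "member" attribute returns) and resolve_member(dn) -> a
# display name, raising a COM-style error when the bind fails.
from dataclasses import dataclass, field

# Values taken from the traceback in the issue: the outer HRESULT is
# DISP_E_EXCEPTION and the inner one, in excepinfo[5], carries the real cause.
DISP_E_EXCEPTION = -2147352567          # 0x80020009
HRESULT_NO_SUCH_OBJECT = -2147016656    # 0x80072030
FACILITY_WIN32 = 7
ERROR_DS_NO_SUCH_OBJECT = 0x2030        # low 16 bits of 0x80072030


class ComErrorStandIn(Exception):
    """Stand-in for pywintypes.com_error with the same .args layout:
    (hresult, strerror, excepinfo, argerror)."""


def real_hresult(err):
    """Prefer the HRESULT inside excepinfo (index 5); fall back to the outer one."""
    hresult, _msg, excepinfo, _arg = err.args
    if excepinfo and excepinfo[5]:
        return excepinfo[5]
    return hresult


def win32_code(hresult):
    """Return the Win32 error code carried by a FACILITY_WIN32 HRESULT, else None."""
    h = hresult & 0xFFFFFFFF
    if (h >> 16) & 0x1FFF == FACILITY_WIN32:
        return h & 0xFFFF
    return None


@dataclass
class AuditResult:
    group_dn: str
    members: list = field(default_factory=list)
    unresolved: dict = field(default_factory=dict)   # dn -> reason text

    def needs_attention(self):
        # Any DN we cannot bind to is an alert: either the object vanished or
        # (as in this issue) an ACL change hid part of the directory from us.
        return bool(self.unresolved)


def audit_group(group_dn, list_member_dns, resolve_member):
    """Resolve each member individually so one unreadable DN cannot abort the audit."""
    result = AuditResult(group_dn)
    for dn in list_member_dns(group_dn):
        try:
            result.members.append(resolve_member(dn))
        except ComErrorStandIn as err:
            hr = real_hresult(err)
            if win32_code(hr) == ERROR_DS_NO_SUCH_OBJECT:
                reason = "no such object (possible ACL change or deleted object)"
            else:
                reason = "bind failed, HRESULT 0x%08X" % (hr & 0xFFFFFFFF)
            result.unresolved[dn] = reason
    return result


# --- constructed sample directory for offline use ---------------------------
SAMPLE_GROUPS = {
    "CN=Domain Admins,CN=Users,DC=example,DC=test": [
        "CN=alice,OU=Admins,DC=example,DC=test",
        "CN=svc-backup,OU=Restricted,DC=example,DC=test",
    ],
}


def sample_list_member_dns(group_dn):
    return list(SAMPLE_GROUPS[group_dn])


def sample_resolve_member(dn):
    # Simulate an OU the audit account can no longer read: AD answers with
    # "no such object", exactly as in the reported traceback.
    if ",OU=Restricted," in dn:
        raise ComErrorStandIn(
            DISP_E_EXCEPTION, "Exception occurred.",
            (0, "Active Directory", "There is no such object on the server.\r\n",
             None, 0, HRESULT_NO_SUCH_OBJECT),
            None)
    return dn.split(",", 1)[0][3:]   # "CN=alice,..." -> "alice"


if __name__ == "__main__":
    r = audit_group("CN=Domain Admins,CN=Users,DC=example,DC=test",
                    sample_list_member_dns, sample_resolve_member)
    print(r.members, r.unresolved, r.needs_attention())
```

For a daily monitor of privileged groups, a non-empty `unresolved` set should page someone: a member the audit account can no longer see is the same visibility gap that an attacker hiding an added account would produce, so loss of read access is itself a finding, not a reason to skip the group.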