Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ADGroup.get_members() failing for some groups #156

Open
Aaeeschylus opened this issue Aug 15, 2022 · 1 comment
Open

ADGroup.get_members() failing for some groups #156

Aaeeschylus opened this issue Aug 15, 2022 · 1 comment

Comments

@Aaeeschylus
Copy link

I have a script which gets run through devops daily and has been running daily for the past 6 months. The point of the script is to monitor group membership for certain groups. Recently however, it is failing but only for some groups.

The relevant part of the code is as follows:

def getMembers(groupName):
    result = []
    try:
        group = adgroup.ADGroup.from_cn(groupName)
        members = group.get_members()

For most groups, this will get a list of all of the members in the group and will do some further processing afterwards. However, for some groups, it throws the following error:

Traceback (most recent call last):
  File "c:\Users\me\Documents\AuditGroups.py", line 273, in <module>
    getMembers("Domain Admins")
  File "c:\Users\me\Documents\AuditGroups.py", line 217, in getMembers
    members = group.get_members()
  File "C:\Users\me\AppData\Local\Programs\Python\Python310\lib\site-packages\pyad\adgroup.py", line 33, in get_members
    return self._get_members(recursive, ignoreGroups, [])
  File "C:\Users\me\AppData\Local\Programs\Python\Python310\lib\site-packages\pyad\adgroup.py", line 43, in _get_members
    pyADobj = ADObject(dn, options=self._make_options())
  File "C:\Users\me\AppData\Local\Programs\Python\Python310\lib\site-packages\pyad\adobject.py", line 88, in __init__
    self.__set_adsi_obj()
  File "C:\Users\me\AppData\Local\Programs\Python\Python310\lib\site-packages\pyad\adobject.py", line 76, in __set_adsi_obj
    self._ldap_adsi_obj = self.adsi_provider.getObject('', self.__ads_path)
  File "<COMObject ADsNameSpaces>", line 2, in getObject
 pywintypes.com_error: (-2147352567, 'Exception occurred.', (0, 'Active Directory', 'There is no such object on the server.\r\n', None, 0, -2147016656), None)

At first I thought there might be something wrong with one of the users that are a part of this group, however using

aduser.ADUser.from_cn(member)

I can successfully retrieve every user that is part of the group on their own, just not through get_members().

I then thought it was an issue with the built-in groups (since Domain Admins is failing), however there are a couple groups that are not built-in that are failing and Domain Admins is the only failing built-in.

I tried looking through and comparing both security permissions and attributes of groups that are failing with groups that are working and nothing appeared out of the ordinary.

I am now at a loss as to what could be causing this. Any assistance would be greatly appreciated.
@Aaeeschylus
Copy link
Author

I found the problem. Someone had changed permissions in a single OU and that prevented the account from viewing the contents.

If possible, an error message that specifies access denied would be much better than "no such object on the server"

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@Aaeeschylus