936 replies to this topic

[lafafmentvotre]

Is it that you want ?

>"C:\Program Files\AutoIt3\SciTE\..\autoit3.exe" /ErrorStdOut "C:\Documents and Settings\xxxx\Desktop\Water_Test.au3"    
$sAD_LockoutTime: 2010/05/04 15:04:03
GetPasswordInfo: 11|180|20|6|8|15372286728.0913|5|30|2010/04/15 10:58:38|2010/10/12 10:58:38|2010/04/15 08:58:38|2010/10/12 08:58:38
$sAD_ResetLockoutTime: 0
$sAD_Now: 2010/05/26 15:38:18
>Exit code: 0    Time: 3.414

Edited by lafafmentvotre, 26 May 2010 - 03:40 PM.

[water]

Is it that you want ?

>"C:\Program Files\AutoIt3\SciTE\..\autoit3.exe" /ErrorStdOut "C:\Documents and Settings\xxxx\Desktop\Water_Test.au3" 
$sAD_LockoutTime: 2010/05/04 15:04:03
GetPasswordInfo: 11|180|20|6|8|15372286728.0913|5|30|2010/04/15 10:58:38|2010/10/12 10:58:38|2010/04/15 08:58:38|2010/10/12 08:58:38
$sAD_ResetLockoutTime: 0
$sAD_Now: 2010/05/26 15:38:18
>Exit code: 0 Time: 3.414

The value "15372286728.0913" returned from _AD_GetPasswordInfo() looks weird. What's your Account Lockout Duration (in minutes)?

Edited by water, 26 May 2010 - 03:50 PM.

[lafafmentvotre]

how can i have this information? (What's Account Lockout Duration (in minutes))

[lafafmentvotre]

I locked another account and re run the script

>"C:\Program Files\AutoIt3\SciTE\..\autoit3.exe" /ErrorStdOut "C:\Documents and Settings\xxxxxx\Desktop\Water_Test.au3"    
$sAD_LockoutTime: 2010/05/26 15:50:32
GetPasswordInfo: 11|180|20|6|8|15372286728.0913|5|30|2010/03/13 12:40:59|2010/09/09 13:40:59|2010/03/13 11:40:59|2010/09/09 11:40:59
$sAD_ResetLockoutTime: 0
$sAD_Now: 2010/05/26 15:54:14
>Exit code: 0    Time: 2.298

and result is the same : not locked

Edited by lafafmentvotre, 26 May 2010 - 03:57 PM.

[water]

That's the time a user remains in the locked state. It's a group policy thing.
Run "Gpedit.msc", "Computer Configuration", "Windows Settings", "Security Settings", "Account Settings", "Lockout Settings" (I have translated the german text on the fly to enlisch so I'm sure they are named a bit different).

Edited by water, 26 May 2010 - 03:59 PM.

[lafafmentvotre]

The result for GPO :



I must go to home (my childrens) and i can testing tomorrow morning.

Thanks for help

Edited by lafafmentvotre, 26 May 2010 - 04:10 PM.

[water]

If i understand the info correctly your account is locked after 5 invalid logon attempts for exactly 0 minutes.
Could you please verify this?
Lock a user with 5 invalid logon attempts, wait a minute and try to logon again? Can you successfully login?

Another question? What features of the AD2008 do you use? Do you use the "Fine-grained Password Policies" as described here?

I'm leaving for today as well - see you tomorrow!

Edited by water, 26 May 2010 - 04:16 PM.

[lafafmentvotre]

If i understand the info correctly your account is locked after 5 invalid logon attempts for exactly 0 minutes.
Could you please verify this?

True

Lock a user with 5 invalid logon attempts, wait a minute and try to logon again? Can you successfully login?

I can't login

Another question? What features of the AD2008 do you use? Do you use the "Fine-grained Password Policies" as described here?

I don't know, i haven't this information

I'm leaving for today as well - see you tomorrow!

Have a good evening - see you tomorrow


For information, i use this query on ad (Saved Query) to view "locked account" and it works :

(&(&(&(&(objectCategory=person)(objectClass=user)(lockoutTime:1.2.840.113556.1.4.804:=4294967295)))))

Edited by lafafmentvotre, 27 May 2010 - 06:00 AM.

[water]

For information, i use this query on ad (Saved Query) to view "locked account" and it works :

(&(&(&(&(objectCategory=person)(objectClass=user)(lockoutTime:1.2.840.113556.1.4.804:=4294967295)))))

This query works - but it can give you "false positive" results.
The lockouttime attribute is reset when the user logs on the next time. So let's say the user is locked out 1:30 PM and the lockout duration is 60 minutes.
When you query the AD at 2:29 PM the user is returned as locked - which is correct.
When you query the AD at 2:31 PM the user is returned as locked - which is wrong. You get this wrong result as long as the user doesn't log on again.

So my function uses your query and calculates the end of the lockouttime for every user. At 2:30 PM the user of the above example is deleted from the result.
This only works when I get the correct lockout duration from the AD. Your lockout duration is set to 0 so I assume you use the "Fine-grained Password Policies".
So far I don't know how to query the AD for this new policies or how to extract the values for each user.

That's how I understand the wrong results you get.

Edited by water, 28 May 2010 - 05:56 AM.

[lafafmentvotre]

Hi Water

Thanks for response.
Damage not to be able to use this function in my case.

Thanks

[water]

Hi Water

Thanks for response.
Damage not to be able to use this function in my case.

Thanks

Is there any change that you can ask your Active Directory administrator if the fine-grained passwort policies feature is used in your domain?
I would like to understand where the problem is and - maybe - provide a solution to this problem.

[lafafmentvotre]

No, it's impossible to change this policy because policies are defined for worldwide, not just for French AD

[water]

No, it's impossible to change this policy because policies are defined for worldwide, not just for French AD

Sorry, I didn't mean to change the policy. Just ask the AD admin if they use this new feature of Windows Server 2008.
If this feature is used then I can understand the wrong results we get with the AD UDF.

[lafafmentvotre]

Hi Water

Sorry for my late answer. I will ask an administrator Monday

[water]

As I'm no native speaker I know that the UDF contains many spelling errors etc.
Is anyone of the native speakers willing to scan through the source file (AD.au3), correct all the spelling and grammar errors in the source and send it to me?
I think all users of the AD UDF will benefit from a correct and understandable source file.

[lgwapnitsky]

Having an issue with _AD_CreateMailbox

Sorry to threadjack, but I though this might be an appropriate place. I'm trying to use the above function but keep winding up with the errors in the attached images no matter if I use the sample code or my own. I'm attempting to create a mailbox for a user made with _AD_CreateUser (which doesn't automatically create the mailbox on my system).




Any help would be GREATLY appreciated, as I'm a good portion through an automated user-provisioning script.

Regards,
Larry

[water]

Moved your question and my reply to the "Help and Support" thread.

[tom95521]

To get the account expiration date in readable form you can use something like this:

$Result = _AD_GetObjectProperties("SamAccountName or FQDN","accountexpires")
_ArrayDisplay($Result)

In the next version I will add code to check if an account has expired and to get a list of all expired accounts (users, computers).
I will post the code for _AD_IsAccountExpired and _AD_GetAccountsExpired here for you to test as soon as possible.

I have an opportunity to use _AD_IsAccountExpired if available.

Thanks,
Tom

[water]

If you like to test here is the code

AutoIt        expandcollapse  popup

; #FUNCTION# ====================================================================================================================
; Name...........: _AD_IsAccountExpired
; Description ...: Returns 1 if the account (user, computer) has expired.
; Syntax.........: _AD_IsAccountExpired([$sAD_Object = @Username])
; Parameters ....: $sAD_Object - Optional: Account (User, computer) to check (default = @Username). Can be specified as Fully Qualified Domain Name (FQDN) or sAMAccountName
; Return values .: Success - 1, The specified account has expired
;   Failure - 0, sets @error to:
;   |0 - Account has not expired
;   |1 - $sAD_Object could not be found
; Author ........: Thomas Rupp
; Modified.......:
; Remarks .......:
; Related .......: _AD_GetAccountsExpired
; Link ..........:
; Example .......: Yes
; ===============================================================================================================================
Func _AD_IsAccountExpired($sAD_Object = @UserName)

    If Not _AD_ObjectExists($sAD_Object) Then Return SetError(1, 0, 0)
    Local $sAD_AccountExpires = _AD_GetObjectAttribute($sAD_Object,"accountexpires")
    If ($sAD_AccountExpires.LowPart = 0 And $sAD_AccountExpires.HighPart = 0) Or _
        ($sAD_AccountExpires.LowPart = 0xFFFFFFFF And $sAD_AccountExpires.HighPart = 0x7FFFFFFF) Then
        Return 0
    Else
        Local $sAD_Temp = DllStructCreate("dword low;dword high")
        DllStructSetData($sAD_Temp, "Low", $sAD_AccountExpires.LowPart)
        DllStructSetData($sAD_Temp, "High", $sAD_AccountExpires.HighPart)
        $sAD_AccountExpires = _Date_Time_FileTimeToSystemTime(DllStructGetPtr($sAD_Temp))
        If $sAD_AccountExpires <= _Date_Time_GetSystemTime() Then Return 1
    EndIf
    Return

EndFunc ;==>_AD_IsAccountExpired

[NML]

Thanks for the wonderful AD UDF - it is proving really useful in the schools I look after. I'm in the process of creating a user management GUI and this is making it dead easy compared to other methods I've looked at.

A possible bug in _AD_Open() is that whatever values I put into the $sAD_UserIdParam and $sAD_PasswordParam parameters, the return is always a success. I had hoped to use this as a way of authenticating whoever was running one of my scripts (e.g. allowing a teacher to reset a pupil password).

e.g. when I try
$value = _AD_Open("NotAUser", "Whatever")
I always get a return of 1 for $value

I say a "possible" bug as I may simply be misunderstanding what is supposed to happen here.

Cheers,
NML