781 replies to this topic

[neric77]

Works fine for me on locked objects.
Did you try the example script for _AD_IsObjectLocked? It first gets a list of locked objects and then uses _AD_IsObjectLocked on the first found object.
Or run _AD_GetObjectsLocked.au3 to get a list of all locked objects and check if your object is included.
Did you test the @error returned by _AD_IsObjectLocked in your script?

; Return values .: Success - 1, Specified object is locked
;   Failure - 0, sets @error to:
;   |0 - $sAD_Object is not locked
;   |1 - $sAD_Object could not be found

If you check a computer remember to append a "$" to the samaccountname - see the remarks in the helpfile for _AD_IsObjectLocked.

Hello water,
yes i tried the expample. It doesn't work.
_AD_GetObjectsLocked.au3 return "no objects locked".
I try this function on user account and it return 0 and @error is always at 0 too whereas the account is really locked.
_AD_UnlockObject works fine.
I don't know where to search.

Thx for your help

[water]

Hello water,
yes i tried the expample. It doesn't work.
_AD_GetObjectsLocked.au3 return "no objects locked".
I try this function on user account and it return 0 and @error is always at 0 too whereas the account is really locked.
_AD_UnlockObject works fine.
I don't know where to search.

Thx for your help

If _AD_GetObjectsLocked doesn't find any locked objects then there are no locked objects in your AD.
What makes you think that the user account is locked?
Could you please try _AD_GetObjectsDisabled? Maybe the user account isn't locked but disabled.

Another try: Download Sysinternals Active Directory Explorer. No installation required, just run the exe. Check if the user account is locked (attribute lockouttime has to be set). If the user account is disabled then the UserAccountControl is set to 514 (= normal account + disabled)

Edited by water, 16 February 2010 - 03:18 PM.

[neric77]

The function _AD_IsObjectLocked always return me that the account is not locked. when i verify with dsa.msc, it's really locked.
When i run _AD_UnlockObject on the same account it's working.

I tried adexplorer and userAccountControl is set to 512 and badpasswdcount is set to 3.

No one, had the same problem?

Edited by neric77, 17 February 2010 - 09:53 AM.

[water]

I tried adexplorer and userAccountControl is set to 512 and badpasswdcount is set to 3.

512 means: Normal account. If it is locked it is BitOred with 0x10. A normal account which is locked hast 512+16 = 528.
If you get 512 as userAccountControl then the user isn't locked.
_AD_UnlockObject doesn't return an error when the object isn't locked before.

What does dsa.msc show (screenshot)? What's the value of userAccountControl? And what is the value of lockouttime?

[neric77]

512 means: Normal account. If it is locked it is BitOred with 0x10. A normal account which is locked hast 512+16 = 528.
If you get 512 as userAccountControl then the user isn't locked.
_AD_UnlockObject doesn't return an error when the object isn't locked before.

What does dsa.msc show (screenshot)? What's the value of userAccountControl? And what is the value of lockouttime?

dsa.msc

adexplorer

Edited by neric77, 17 February 2010 - 01:46 PM.

[water]

Oh, I see. I converted this function from a script I found on the internet - but unfortunately it doesn't seem to be so easy!
Can you please run this vbscript and check if it returns a valid result?

[neric77]

Oh, I see. I converted this function from a script I found on the internet - but unfortunately it doesn't seem to be so easy!
Can you please run this vbscript and check if it returns a valid result?

Water

That works.

[water]

OK, I will have to do some further investigation. The end of the lockout time has to be calculated (and needs a lot more code compared to just query an attribute).
With Windows 2008 it seems to be possible to have more than one password policy. At the moment I'm not sure how to get the correct values to calculate the end of the password time.
I fear you'll have to be patient till I come up with an accurate function

[neric77]

OK, I will have to do some further investigation. The end of the lockout time has to be calculated (and needs a lot more code compared to just query an attribute).
With Windows 2008 it seems to be possible to have more than one password policy. At the moment I'm not sure how to get the correct values to calculate the end of the password time.
I fear you'll have to be patient till I come up with an accurate function

No problem Water.I'll be wait.

Many Thanks.

[chipDE]

Hi,

how do I get with _AD_GetObjectsInOU() only the pc?

[water]

Hi,

how do I get with _AD_GetObjectsInOU() only the pc?

First thing you have to know is that the SamAccountName of a PC (written in Autoit): @Computername & "$".
So the statement should look like:

$sComputer = @ComputerName & "$"
$aObjects = _AD_GetObjectsInOU($sOU, "(&(objectclass=computer)(samaccountname=" & $sComputer & "))" , 2, "sAMAccountName,distinguishedName")

Edited by water, 22 February 2010 - 01:57 PM.

[chipDE]

Not only my pc, i need all objecty from typ PC in the OU but not the usergroups, user, ect..

Edit:

ok, i have it:

$test = _AD_GetObjectsInOU($OU, "(&(objectclass=computer))", 2, "sAMAccountName,distinguishedName")

Edited by chipDE, 22 February 2010 - 02:12 PM.

[water]

$test = _AD_GetObjectsInOU($OU, "(&(objectclass=computer))", 2, "sAMAccountName,distinguishedName")

You can strip it down to:

$test = _AD_GetObjectsInOU($OU, "(objectclass=computer)", 2, "sAMAccountName,distinguishedName")

BTW: A good place to start with LDAP is this M$ article.

Edited by water, 22 February 2010 - 04:36 PM.

[chipDE]

Hi,

how can I activate/disable a GPO in an OU?

[water]

Hi,

how can I activate/disable a GPO in an OU?

With the AD UDF you can't - at the moment. This would be a complete new area for the UDF - and for me.
To start with such a new task

• there should be a need for this by many users
• there should be some users providing examples in visual basic so I can convert them
• there should be some users willing to test the readonly and the update/change functions

At the moment the Email functions - and debugging - have a higher priority.

@Everyone: Please post here if you'd like to see GPO functions in the AD UDF and what you can contribute.

[chipDE]

I have many vbs scripts to manage the GPO, but I can not upload here. Here is the link to the German thread with the examples:

http://autoit.de/index.php?page=Thread&postID=140369#post140369

Edited by chipDE, 23 February 2010 - 09:36 AM.

[water]

Ok, I will have a look at it.

[water]

Hi chipDE,
I had a look at the GPO scripts. Seems rather complex. I have no knowledge of GPO and the VBScript/Javascript code that is used.
Maybe it's a better idea to check the need for GPO functions first. If enough users need them then convert them to AutoIt.

Edited by water, 01 March 2010 - 09:29 AM.

[water]

Version 0.37 has been released. Starting next Monday I will be on vacation for two weeks. Therefore I wanted to release the new version some days in advance.
For download please see signature.

Edited by water, 10 March 2010 - 07:50 AM.

[water]

Function _AD_DisablePasswordExpire doesn't work Can Somebody fix it ???

Could you please check @error and @extended after the function call:

$Result = _AD_DisablePasswordExpire("SamAccountName or FQDN")
MsgBox(0,"","Result: " & $Result & ", error: " & @error & ", extended: " & @extended)

What do you get?

N.B: Starting Monday I will be on vacation for 2 weeks.

Edited by water, 14 March 2010 - 12:48 PM.