Active Directory UDF

[ICANSEEYOU7687]

Woo! thanks!

Got everything working. But always running into new problems.

Everything is set up and working how I need it to. Basically, my company had a name change, and I have 62 service accounts that I need to change the names to. And my script can change some attributes, but not all of them. displayName changes correctly.

but

if I try to change "cn" I get

"Unable to update attribute:

The directory service cannot perform the requested operation on the RDN attribute of an object"

And distrinqushedName attribute returns

"Unable to update attribute:

A contraint violation occurred"

It seems that it does not like me messing with these, and I am unsure of how to get around this. Any ideas?

thanks!

[water]

You can't change this properties! It's like you can't change the tires while driving. You have to use _AD_RenameObject.

[ICANSEEYOU7687]

Sorry to keep the questions rolling in. But maybe you can help with with the createmailbox function.

I have the 2010 exchange management console installed (im assuming thats what you meant by the admin tools), and the exchange shell and whatnot...

But I am unfamiliar with the items needed for this to work.

The user account, is obvious.

Mailbox store name - is this the "Mailbox Database" that the email address will be stored in?

Information store - not quite sure on this one...

Email Server - obvious...

Administrative group - not quite sure what this is for

Exchange Server group - not sure about this one either...

I can, and do frequently create new users mailbox accounts, but I am a bit unfamiliar with the workings and structure with exchange...

Sorry for the silly questions! But I always appreciate yalls help!

[water]

Oh, that's quite easy

Run the _AD_GetObjectProperties sample script. The first example lists all properties of the current user. Check out "homeMDB".

Get the parameters you need from this example.

1: $sAD_Storename, 2: $sAD_Store, 4: $sAD_EMailServer, 6: $sAD_AdminGroup, 8: $sAD_EmailDomain

To list the available mail servers (for parameter 4) you can run _AD_ListExchangeServers.

To list the available mailbox stores (for parameter 2) you can run _AD_ListExchangeMailboxStores (this doesn't return any results here - down't know why)

HTH

[ICANSEEYOU7687]

Oh, that's quite easy

Run the _AD_GetObjectProperties sample script. The first example lists all properties of the current user. Check out "homeMDB".

Get the parameters you need from this example.

1: $sAD_Storename, 2: $sAD_Store, 4: $sAD_EMailServer, 6: $sAD_AdminGroup, 8: $sAD_EmailDomain

To list the available mail servers (for parameter 4) you can run _AD_ListExchangeServers.

To list the available mailbox stores (for parameter 2) you can run _AD_ListExchangeMailboxStores (this doesn't return any results here - down't know why)

HTH

Your amazing... didnt even realize I could pull this information frmo these. _AD_ListExchangeMailboxStores works perfectly. Can I use the short name or the FQDN for the mailbox stores? I will play around with this. If i can get a script to make AD users and Exchange email boxes and link the two, I will be really happy. Haha! Thanks!

[RogFleming]

Mr. Water just to show you how I put your suggestion in practice

This was used to get the users homeDirectory and get their memberOf values to confirm they where part of an AD group.

#include <AD.au3>
#include <Constants.au3>
#include <File.au3>
#include <Array.au3>

; Open Connection to the Active Directory
Global $AD_USER,$OUUserGrps,$foundHMDIR,$homepath,$aProperties,$foundHMGrp1,$foundHMGrp2,$ADDOMAIN="OU=Standard,OU=THR Users,DC=txhealth,DC=org"
_AD_Open()
$OUUserGrps = _AD_GetObjectsInOU($ADDOMAIN, "(objectcategory=user)",2,"sAMAccountName,homeDirectory,memberOf")
_AD_Close()
For $i = 1 to UBound($OUUserGrps) -1
        $AD_User = $OUUserGrps[$i][0]
        $homedir = $OUUserGrps[$i][1]
        $USER_GRPS = $OUUserGrps[$i][2]
        $found_Grps = StringSplit($USER_GRPS,"|")
        $HDU = _ArraySearch($found_Grps,"CN=Home Directory Users,OU=Groups,OU=Users,DC=cpnay,DC=com",0,0,0,1)
        $FHDS = _ArraySearch($found_Grps,"CN=HomeDS02 Users,OU=Groups,OU=Users,DC=company,DC=org",0,0,0,1)
            If $HDU > 0 And $FHDS > 0 Then
                ConsoleWrite($AD_User&","&$homedir&","&","&$found_Grps[$HDU]&","&$found_Grps[$FHDS]&@CRLF)
                _FileWriteLog("userhomedir.log","|"&$AD_User&"|"&$homedir&"|"&$found_Grps[$HDU]&"|"&$found_Grps[$FHDS])

            ElseIf $HDU > 0  And $FHDS < 1 Then
                ConsoleWrite($AD_User&","&$homedir&","&$found_Grps[$HDU]&@CRLF)
                _FileWriteLog("userhomedir.log","|"&$AD_User&"|"&$homedir&"|"&$found_Grps[$HDU])

            ElseIf $FHDS > 0 And $HDU < 1 Then
                ConsoleWrite($AD_User&","&$homedir&","&$HDU&","&$found_Grps[$FHDS]&@CRLF)
                _FileWriteLog("userhomedir.log","|"&$AD_User&"|"&$homedir&"|"&$found_Grps[$FHDS])

            Else
            ConsoleWrite($AD_User&","&$homedir&@CRLF)
            _FileWriteLog("userhomedir.log","|"&$AD_User&"|"&$homedir)
            EndIf
Next
Exit

[water]

Hi RogFleming,

I'm glad the UDF is of use for someone!

If you just want to get a list of users that have no homeDirectory specified or are not a member of any group you could use the following code and let AD do all the work:

#include "H:\tools\autoit3\ad\AD.au3"

_AD_Open()
; list users with no HomeDirectory
$a = _AD_GetObjectsInOU("", "(&(objectcategory=user)(objectclass=user)(!homedirectory=*))",2,"distinguishedname,sAMAccountName,homeDirectory")
_ArrayDisplay($a)
; list users with no group membership
$a = _AD_GetObjectsInOU("", "(&(objectcategory=user)(objectclass=user)(!memberof=*))",2,"distinguishedname,sAMAccountName,memberof")
_ArrayDisplay($a)
_AD_Close()

Edited December 11, 2010 by water

[water]

Your amazing... didnt even realize I could pull this information frmo these. _AD_ListExchangeMailboxStores works perfectly. Can I use the short name or the FQDN for the mailbox stores? I will play around with this. If i can get a script to make AD users and Exchange email boxes and link the two, I will be really happy. Haha! Thanks!

You can use the names returned by the functions (it's the first value for every returned item in the array).

Be sure to read the comments in the _AD_Createmailbox function!

Remarks:

The mailbox is created using CDOEXM. For this function to work the Exchange administration tools have to be installed 
on the computer running the script.
To set rights on the mailbox you have to run at least Exchange 2000 SP2.

If the Exchange administration tools are not installed on the PC running the script you could use an ADSI only solution.
Set the mailNickname and displayName properties of the user and at least one of this: homeMTA, homeMDB or msExchHomeServerName 
and the RUS (Recipient Update Service) of Exchange 2000/2003 will create the mailbox for you.
Be aware that this no longer works for Exchange 2007 and later.

[water]

Version 0.42 has been released.

This version does some major bug fixing in _AD_Open!

Thanks a lot to SpinningCone for taking the time to help me solve this problem!

Now your AD scripts should run noticeably faster (depending on the number of AD requests) and it should no longer be necessary to insert SLEEP statements into your script to avoid some strange COM errors.

Please test before using it in production!

For download please see signature.

[supersonic]

Hi water,

I've tested V0.42. '_AD_Open()' behaves somehow strange!?

When calling it without arguments, it works fine.

When calling it with argements - at least username/password, or more - I get COM errors:

### COM error! Number: 80020009 ScriptLine: 355 Description: Property value is invalid. Make sure the value is typed correctly.

### COM error! Number: 80020009 ScriptLine: 390 Description: The server is not operational.

Changing back to V0.41 everything works fine.

Did I missed some script breaking parameter/syntax changes?

Greets,

-supersonic.

Edited January 5, 2011 by supersonic

[water]

Hi supersonic,

the error on line 355 is caused by the "Encrypt Password" Property. Your AD environment doesn't support this property (as doesn't mine). This is an error you can ignore.

The property "Encrypt Password" ensures that a kerberos authentication with encrypted user name and password is performed against a domain controller with Windows 2000 or above.

Why you get the error on line 390 I don't know.

Could you please uncomment line 355 and check if you still get both errors?

Thanks

water

Edited January 5, 2011 by water

[supersonic]

After uncommenting line 355 in 'AD.au3' I still get the same error:

### COM error! Number: 80020009 ScriptLine: 390 Description: The server is not operational.

[water]

After uncommenting line 355 in 'AD.au3' I still get the same error:

### COM error! Number: 80020009 ScriptLine: 390 Description: The server is not operational.

It might be a problem with the "ADS_Use_Encryption" or "ADS_Server_Bind" flag.

Could you please change line 159 to:

Global Const $ADS_USE_ENCRYPTION = 0x0

and check if you still get the error?

[supersonic]

I modified the line 159 as you described. NO more errors!

Can this behavior be acribed to the particular changes of '_AD_Open()' between V0.41 and V0.42?

Can the flag be set automatically to a "correct" value?

In other words: When to apply "0x0", "0x1" (?) or "0x2"?

Greets,

-supersonic.

[water]

Can this behavior be ascribed to the particular changes of '_AD_Open()' between V0.41 and V0.42?

True. Encryption has been added in version 0.42.

I will have to rethink this security "feature". I have seen some examples using the ADO property and ADSI flag on the internet and I considered it to be a good idea.

I will have to document the different use cases and make it optional to be activated by the user.

What do you think?

Edited January 5, 2011 by water

[SpinningCone]

I'm back. still scripting away. have a new problem though :

COM Error Encountered in test.au3

Scriptline = 3630

NumberHex = 80020006

Number -2147352570

WinDescription = Unknown name.

.

.

.

LastDllError = 14007

the script is basically 3 lines:

_AD_Open("","","yadda","yadda", "yadda")
_AD_DeleteMailbox($user)
_AD_Close()

line 3630 is $oAD_User.DeleteMailbox

if i run the command against an account that doesn't have a mailbox it doesn't crash so its not necessarily the .DeleteMailbox command itself. we run exchange 2007 which removed some integration with AD so i'm not sure if this is an exchange version incompatibility or what.

this is the last little piece of a rather nice cleanup suite i made for our AD any thoughts on getting this to work?

[supersonic]

Hi water,

your suggestion sounds good to me.

But how make the "security feature" useful optional?

It would be good if there could be some kind of fall back routine.

When I erroneously activate the "security feature" (= 0x2) the script should not stop,

but it switches automatically back to '0x0' (or '0x1', if this value should make sense)

and try to authenticate again... Perhaps it is pre-detectable if the AD supports this

property... Is this possible?

The "security feature" acts currently - if it is wrong configured - somehow "script breaking".

Greets,

-supersonic.

Edited January 6, 2011 by supersonic

[water]

Hi supersonic,

I'll have to invest some time to fully understand encryption.

The examples on the internet and the tests on my system didn't give any errors. So I thought it could be activated on any system. If the system doesn't support encryption it would simply ignore the encryption flag.

This assumption doesn't always seem to be true

The next version of the UDF will either remove this feature, make it automatic as you suggested or leave it to the user to activate it using an additional parameter for _AD_Open.

Could you please run the following code and post the result so I can check if there is any difference between your and my system regarding supported features?

#include <AD.au3>
_AD_Open()
Global $aTemp = _AD_ListRootDSEAttributes()
_ArrayDisplay($aTemp, "RootDSEAttributes")
_AD_Close()

Regards

water

Edited January 6, 2011 by water

[water]

Hi SpinningCone,

I think _AD_DeleteMailbox has the same prerequisites as _AD_CreateMailbox: The Exchange administration tools have to be installed on the machine running the AutoIt script.

Is this true for your environment?

Regards

water

Edited January 6, 2011 by water

[supersonic]

Here are the results:

<DELETED>

Edited January 6, 2011 by supersonic