
Active Directory UDF



Is this what you want?

>"C:\Program Files\AutoIt3\SciTE\..\autoit3.exe" /ErrorStdOut "C:\Documents and Settings\xxxx\Desktop\Water_Test.au3"    
$sAD_LockoutTime: 2010/05/04 15:04:03
GetPasswordInfo: 11|180|20|6|8|15372286728.0913|5|30|2010/04/15 10:58:38|2010/10/12 10:58:38|2010/04/15 08:58:38|2010/10/12 08:58:38
$sAD_ResetLockoutTime: 0
$sAD_Now: 2010/05/26 15:38:18
>Exit code: 0    Time: 3.414
Edited by lafafmentvotre

Is this what you want?

>"C:\Program Files\AutoIt3\SciTE\..\autoit3.exe" /ErrorStdOut "C:\Documents and Settings\xxxx\Desktop\Water_Test.au3" 
$sAD_LockoutTime: 2010/05/04 15:04:03
GetPasswordInfo: 11|180|20|6|8|15372286728.0913|5|30|2010/04/15 10:58:38|2010/10/12 10:58:38|2010/04/15 08:58:38|2010/10/12 08:58:38
$sAD_ResetLockoutTime: 0
$sAD_Now: 2010/05/26 15:38:18
>Exit code: 0 Time: 3.414

The value "15372286728.0913" returned from _AD_GetPasswordInfo() looks weird. What's your Account Lockout Duration (in minutes)?

Edited by water

My UDFs and Tutorials:

Spoiler

UDFs:
Active Directory (NEW 2022-02-19 - Version 1.6.1.0) - Download - General Help & Support - Example Scripts - Wiki
ExcelChart (2017-07-21 - Version 0.4.0.1) - Download - General Help & Support - Example Scripts
OutlookEX (2021-11-16 - Version 1.7.0.0) - Download - General Help & Support - Example Scripts - Wiki
OutlookEX_GUI (2021-04-13 - Version 1.4.0.0) - Download
Outlook Tools (2019-07-22 - Version 0.6.0.0) - Download - General Help & Support - Wiki
PowerPoint (2021-08-31 - Version 1.5.0.0) - Download - General Help & Support - Example Scripts - Wiki
Task Scheduler (NEW 2022-07-28 - Version 1.6.0.1) - Download - General Help & Support - Wiki

Standard UDFs:
Excel - Example Scripts - Wiki
Word - Wiki

Tutorials:
ADO - Wiki
WebDriver - Wiki

 


I locked another account and re-ran the script

>"C:\Program Files\AutoIt3\SciTE\..\autoit3.exe" /ErrorStdOut "C:\Documents and Settings\xxxxxx\Desktop\Water_Test.au3"    
$sAD_LockoutTime: 2010/05/26 15:50:32
GetPasswordInfo: 11|180|20|6|8|15372286728.0913|5|30|2010/03/13 12:40:59|2010/09/09 13:40:59|2010/03/13 11:40:59|2010/09/09 11:40:59
$sAD_ResetLockoutTime: 0
$sAD_Now: 2010/05/26 15:54:14
>Exit code: 0    Time: 2.298

and the result is the same: not locked

Edited by lafafmentvotre

That's the time a user remains in the locked state. It's a group policy thing.

Run "Gpedit.msc", "Computer Configuration", "Windows Settings", "Security Settings", "Account Settings", "Lockout Settings" (I have translated the German text on the fly to English so I'm sure they are named a bit differently).

Edited by water


If I understand the info correctly your account is locked after 5 invalid logon attempts for exactly 0 minutes.

Could you please verify this?

Lock a user with 5 invalid logon attempts, wait a minute and try to log on again. Can you successfully log in?

Another question: What features of the AD2008 do you use? Do you use the "Fine-grained Password Policies" as described here?

I'm leaving for today as well - see you tomorrow!

Edited by water


If I understand the info correctly your account is locked after 5 invalid logon attempts for exactly 0 minutes.

Could you please verify this?

True

Lock a user with 5 invalid logon attempts, wait a minute and try to log on again. Can you successfully log in?

I can't log in

Another question: What features of the AD2008 do you use? Do you use the "Fine-grained Password Policies" as described here?

I don't know, I don't have this information

I'm leaving for today as well - see you tomorrow!

Have a good evening - see you tomorrow

For information, I use this query on AD (Saved Query) to view "locked account" and it works:

(&(&(&(&(objectCategory=person)(objectClass=user)(lockoutTime:1.2.840.113556.1.4.804:=4294967295)))))
Edited by lafafmentvotre

For information, I use this query on AD (Saved Query) to view "locked account" and it works:

(&(&(&(&(objectCategory=person)(objectClass=user)(lockoutTime:1.2.840.113556.1.4.804:=4294967295)))))

This query works - but it can give you "false positive" results.

The lockouttime attribute is reset when the user logs on the next time. So let's say the user is locked out 1:30 PM and the lockout duration is 60 minutes.

When you query the AD at 2:29 PM the user is returned as locked - which is correct.

When you query the AD at 2:31 PM the user is returned as locked - which is wrong. You get this wrong result as long as the user doesn't log on again.

So my function uses your query and calculates the end of the lockouttime for every user. At 2:30 PM the user of the above example is deleted from the result.

This only works when I get the correct lockout duration from the AD. Your lockout duration is set to 0 so I assume you use the "Fine-grained Password Policies".

So far I don't know how to query the AD for these new policies or how to extract the values for each user.

That's how I understand the wrong results you get.

Edited by water

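The lockout-window calculation described in the post above, as an added Python example that is not part of the thread or of the AD UDF. It assumes lockoutTime is a FILETIME tick count, that the lockout duration is stored as a negative tick interval, and that the minimum 64-bit value means "locked until an administrator unlocks"; under that assumption a plain conversion to minutes gives the 15372286728.0913 figure seen in the output earlier in the thread.

```python
from datetime import datetime, timedelta, timezone

# All names below are illustrative; none come from AD.au3.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_MINUTE = 600_000_000   # 100 ns ticks per minute
NEVER = -(2 ** 63)               # assumption: "locked until an admin unlocks"
ONE_US = timedelta(microseconds=1)


def datetime_to_filetime(moment):
    """Aware datetime -> 100 ns ticks since 1601-01-01 UTC (integer math)."""
    return ((moment - FILETIME_EPOCH) // ONE_US) * 10


def filetime_to_datetime(ticks):
    """100 ns ticks since 1601-01-01 UTC -> aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def duration_minutes(raw_duration):
    """Plain conversion of the stored negative tick interval to minutes."""
    return abs(raw_duration) / TICKS_PER_MINUTE


def is_locked(lockout_time, raw_duration, now):
    """Decide whether an account matched by the LDAP filter is still locked."""
    if lockout_time == 0:        # attribute cleared: not locked
        return False
    if raw_duration == NEVER:    # no expiry exists; adding it would overflow
        return True
    window = timedelta(microseconds=abs(raw_duration) // 10)
    return now < filetime_to_datetime(lockout_time) + window


if __name__ == "__main__":
    utc = timezone.utc
    # Constructed sample: locked at 1:30 PM with a 60 minute duration.
    locked_at = datetime_to_filetime(datetime(2010, 5, 26, 13, 30, tzinfo=utc))
    sixty = -60 * TICKS_PER_MINUTE
    for hour, minute in ((14, 29), (14, 31)):
        now = datetime(2010, 5, 26, hour, minute, tzinfo=utc)
        print(now.time(), is_locked(locked_at, sixty, now))
    print(duration_minutes(NEVER))
```
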

Hi Water

Thanks for response.

It's a pity not to be able to use this function in my case.

Thanks

Is there any chance that you can ask your Active Directory administrator if the fine-grained password policies feature is used in your domain?

I would like to understand where the problem is and - maybe - provide a solution to this problem.


No, it's impossible to change this policy because policies are defined worldwide, not just for French AD

Sorry, I didn't mean to change the policy. Just ask the AD admin if they use this new feature of Windows Server 2008.

If this feature is used then I can understand the wrong results we get with the AD UDF.


As I'm no native speaker I know that the UDF contains many spelling errors etc.

Is anyone of the native speakers willing to scan through the source file (AD.au3), correct all the spelling and grammar errors in the source and send it to me?

I think all users of the AD UDF will benefit from a correct and understandable source file.


  • 2 weeks later...

Having an issue with _AD_CreateMailbox

Sorry to threadjack, but I thought this might be an appropriate place. I'm trying to use the above function but keep winding up with the errors in the attached images no matter if I use the sample code or my own. I'm attempting to create a mailbox for a user made with _AD_CreateUser (which doesn't automatically create the mailbox on my system).


Any help would be GREATLY appreciated, as I'm a good portion through an automated user-provisioning script.

Regards,

Larry


Moved your question and my reply to the "Help and Support" thread.


  • 1 month later...

To get the account expiration date in readable form you can use something like this:

$Result = _AD_GetObjectProperties("SamAccountName or FQDN","accountexpires")
_ArrayDisplay($Result)

In the next version I will add code to check if an account has expired and to get a list of all expired accounts (users, computers).

I will post the code for _AD_IsAccountExpired and _AD_GetAccountsExpired here for you to test as soon as possible.

I have an opportunity to use _AD_IsAccountExpired if available.

Thanks,

Tom


If you'd like to test, here is the code:

; #FUNCTION# ====================================================================================================================
; Name...........: _AD_IsAccountExpired
; Description ...: Returns 1 if the account (user, computer) has expired.
; Syntax.........: _AD_IsAccountExpired([$sAD_Object = @Username])
; Parameters ....: $sAD_Object - Optional: Account (User, computer) to check (default = @Username). Can be specified as Fully Qualified Domain Name (FQDN) or sAMAccountName
; Return values .: Success - 1, The specified account has expired
;   Failure - 0, sets @error to:
;   |0 - Account has not expired
;   |1 - $sAD_Object could not be found
; Author ........: Thomas Rupp
; Modified.......:
; Remarks .......:
; Related .......: _AD_GetAccountsExpired
; Link ..........:
; Example .......: Yes
; ===============================================================================================================================
Func _AD_IsAccountExpired($sAD_Object = @UserName)

    If Not _AD_ObjectExists($sAD_Object) Then Return SetError(1, 0, 0)
    Local $sAD_AccountExpires = _AD_GetObjectAttribute($sAD_Object,"accountexpires")
    If ($sAD_AccountExpires.LowPart = 0 And $sAD_AccountExpires.HighPart = 0) Or _
        ($sAD_AccountExpires.LowPart = 0xFFFFFFFF And $sAD_AccountExpires.HighPart = 0x7FFFFFFF) Then
        Return 0
    Else
        Local $sAD_Temp = DllStructCreate("dword low;dword high")
        DllStructSetData($sAD_Temp, "Low", $sAD_AccountExpires.LowPart)
        DllStructSetData($sAD_Temp, "High", $sAD_AccountExpires.HighPart)
        $sAD_AccountExpires = _Date_Time_FileTimeToSystemTime(DllStructGetPtr($sAD_Temp))
        If $sAD_AccountExpires <= _Date_Time_GetSystemTime() Then Return 1
    EndIf
    Return

EndFunc ;==>_AD_IsAccountExpired


Thanks for the wonderful AD UDF - it is proving really useful in the schools I look after. I'm in the process of creating a user management GUI and this is making it dead easy compared to other methods I've looked at.

A possible bug in _AD_Open() is that whatever values I put into the $sAD_UserIdParam and $sAD_PasswordParam parameters, the return is always a success. I had hoped to use this as a way of authenticating whoever was running one of my scripts (e.g. allowing a teacher to reset a pupil password).

e.g. when I try

$value = _AD_Open("NotAUser", "Whatever")

I always get a return of 1 for $value

I say a "possible" bug as I may simply be misunderstanding what is supposed to happen here.

Cheers,

NML
