Active Directory UDF

[supersonic]

Hi water,

I'm trying to modify the attribute "cn" with '_AD_ModifyAttribute()' - without luck...

Is "cn" one of those attributes that can't be changed with the UDF?

Changing the attribute e. g. "wWWHomePage" works fine!?

Greets,

-supersonic.

Edited March 14, 2011 by supersonic

[water]

Hi supersonic

Is "cn" one of those attributes that can't be changed with the UDF?

It can't be changed with _AD_ModifyAttribute(). You have to use _AD_RenameObject(). Edited March 14, 2011 by water

[Katharsis]

@water

The new _AD_GetPasswordDontExpire() code works perfectly. The first array value is the number of accounts it found with Password Doesn't Expire, and the rest are the accounts, and only in the OU specified. That's what I was looking for. Thanks!

[water]

The new _AD_GetPasswordDontExpire() code works perfectly.

Glad to hear

I will change all _AD_Getxx functions (_AD_GetObjectsDisabled , _AD_GetObjectsLocked , _AD_GetPasswordExpired , _AD_GetPasswordDontExpire, _AD_GetAccountsExpired) so that you can provide a starting OU.

[Stephane]

@Water,

Good idea! I will also take this solution for my script right now. Thanks.

Sometime I tend to use longer roads... that was so easier this way !

Regards,

Stephane.

[Suba]

Hello

@water : :

I had a problem with the wellknown account used in the functions (SELF and EVERYONE)

=> StringUpper($oAD_ACE.Trustee) = "NT AUTHORITY\SELF"

Depending on the OS language the trustee name may change.

So i had to add this workaround in the UDF to solve my problem :

#Include <Security.au3>

Global $sSelf, $sEveryone

$aTmp = _Security__LookupAccountSid("S-1-5-10")

If IsArray($aTmp) Then $sSelf = $aTmp[1] & "\" & $aTmp[0]

$aTmp = _Security__LookupAccountSid("S-1-1-0")

If IsArray($aTmp) Then $sEveryone = $aTmp[0]

Replace in the functions :

StringUpper($oAD_ACE.Trustee) = "NT AUTHORITY\SELF"

by

StringUpper($oAD_ACE.Trustee) = $sSelf

I dunno if this was allready posted .. if yes sorry

BTW thx for your work

Edited March 23, 2011 by Suba

[Ivo]

Hi

Once again I am using your super UDF.

I am using the function _AD_IsMemberOf: If _AD_IsMemberOf($FQDNgrpName) = 1 Then

It works for a lot of groups but I had one group which gives me an error.

The group name is RSE and is empty. I tried to do it with another empty group but this didn't have the problem.

I can easyly fix it by excluding the group fro my script but that is the dirthy way.

When I use: _AD_IsMemberOf("RSE") = 1 then a windows pops up:

Active Directory Functions

Com Error Encountered in app.exe

Scriptline -1

NumberHex = 80020006

Number = -2147352570

WinDescription = Unknow name

LastDLLError = 14007

any clue what t can be?

Br.

Ivo

[water]

Hi Suba,

thanks for the addition. As soon as I'm at home again I will have a look at it.

[water]

@Ivo,

I see you run the script from an Exe. Could you please run the script from SciTe so we see the exact line number where the error is raised?

[water]

@Ivo,

I ran this little test script here and it works just fine:

#include <ad.au3>
$iAD_Debug = 2
_AD_Open()
Global $R = _AD_IsMemberOf("RSE")
ConsoleWrite($R & "-" & @error & "-" & @extended & @CRLF)
_AD_Close()

[water]

Hi Suba;

I had a problem with the wellknown account used in the functions (SELF and EVERYONE)

Depending on the OS language the trustee name may change.

thanks for the bug report and the solution. I've posted the bug on page one of this thread. Your solution will be part of the next version of this UDF.

Thanks for chasing and solving this bug!

[Suba]

Hi again,

I just had a strange bug with the function "_AD_GetPasswordInfo".

To precise the context, I'm working with a few AD and the script worked fine for each of them and then suddently crashed .

The error handler returned "8007202B - A referral was returned from the server" .. nothing really usefull.

The strange thing is : the function is working fine except for one AD.

After a few research I found this : http://www.computerperformance.co.uk/Logon/code/code_8007202B.htm and tried the solution :

I tried to replace Local $oAD_Object = ObjGet("LDAP://" & $sAD_DNSDomain)

by Local $oAD_Object = ObjGet("LDAP://" & $sAD_HostServer & "/" & $sAD_DNSDomain) and it worked !

I don't have a clue why it bugged with this particular AD and I dunno if it's worth mentionning it. I'll let you judge

Still for this function, I would recommend to set the returned array at [13] and add this attribute : pwdProperties which represent the password completixy requierement.

(BitOR => DOMAIN_PASSWORD_COMPLEX 1, DOMAIN_PASSWORD_NO_ANON_CHANGE 2, DOMAIN_PASSWORD_NO_CLEAR_CHANGE 4, DOMAIN_LOCKOUT_ADMINS 8, DOMAIN_PASSWORD_STORE_CLEARTEXT 16, DOMAIN_REFUSE_PASSWORD_CHANGE 32)

Again many thanks for your work, it saved me a lot of hours.

[water]

Hi Suba,

you found a bug! That's the only place where I forgot to insert the $sAD_HostServer variable to enhance usage of the bind cache.

here is the "new" _AD_GetPasswordInfo function for you to test. The bug is removed and the pwdProperties will be returned as well:

expandcollapse popup

Func _AD_GetPasswordInfo($sAD_Object = @UserName)

    If _AD_ObjectExists($sAD_Object) = 0 Then Return SetError(1, 0, "")
    If StringMid($sAD_Object, 3, 1) <> "=" Then $sAD_Object = _AD_SamAccountNameToFQDN($sAD_Object) ; sAMAccountName provided
    Local $iAD_Error = 0
    Local $aAD_PwdInfo[13] = [12]
    Local $oAD_Object = _AD_ObjGet("LDAP://" & $sAD_HostServer & "/" & $sAD_DNSDomain)
    $aAD_PwdInfo[1] = Int(_AD_Int8ToSec($oAD_Object.Get("maxPwdAge"))) / 86400 ; Convert to Days
    $aAD_PwdInfo[2] = _AD_Int8ToSec($oAD_Object.Get("minPwdAge")) / 86400 ; Convert to Days
    $aAD_PwdInfo[3] = $oAD_Object.Get("pwdHistoryLength")
    $aAD_PwdInfo[4] = $oAD_Object.Get("minPwdLength")
    ; Account lockout duration: http://msdn.microsoft.com/en-us/library/ms813429.aspx
    Local $oAD_Temp = $oAD_Object.Get("lockoutDuration")
    If $oAD_Temp.HighPart = 0x7FFFFFFF And $oAD_Temp.LowPart = 0xFFFFFFFF Then
        $aAD_PwdInfo[5] = 0 ; Account has to be unlocked manually by an admin
    Else
        $aAD_PwdInfo[5] = _AD_Int8ToSec($oAD_Object.Get("lockoutDuration")) / 60 ; Convert to Minutes
    EndIf
    $aAD_PwdInfo[6] = $oAD_Object.Get("lockoutThreshold")
    $aAD_PwdInfo[7] = _AD_Int8ToSec($oAD_Object.Get("lockoutObservationWindow")) / 60 ; Convert to Minutes
    Local $oAD_User = _AD_ObjGet("LDAP://" & $sAD_HostServer & "/" & $sAD_Object)
    Local $sAD_PwdLastChanged = $oAD_User.Get("PwdLastSet")
    Local $iAD_UAC = $oAD_User.userAccountControl
    ; Has user account password been changed before?
    If $sAD_PwdLastChanged.LowPart = 0 And $sAD_PwdLastChanged.HighPart = 0 Then
        $iAD_Error = +3
        $aAD_PwdInfo[8] = "1601/01/01 00:00:00"
        $aAD_PwdInfo[10] = "1601/01/01 00:00:00"
    Else
        ; Is user account password set to expire?
        If BitAND($iAD_UAC, $ADS_UF_DONT_EXPIRE_PASSWD) = $ADS_UF_DONT_EXPIRE_PASSWD Or $aAD_PwdInfo[1] = 0 Then
            If BitAND($iAD_UAC, $ADS_UF_DONT_EXPIRE_PASSWD) = $ADS_UF_DONT_EXPIRE_PASSWD Then $iAD_Error += 2
            If $aAD_PwdInfo[1] = 0 Then $iAD_Error += 4 ; The Maximum Password Age is set to 0 in the domain. Therefore, the password does not expire
        Else
            Local $sAD_Temp = DllStructCreate("dword low;dword high")
            DllStructSetData($sAD_Temp, "Low", $sAD_PwdLastChanged.LowPart)
            DllStructSetData($sAD_Temp, "High", $sAD_PwdLastChanged.HighPart)
            ; Have to convert to SystemTime because _Date_Time_FileTimeToStr has a bug (#1638)
            Local $sAD_Temp2 = _Date_Time_FileTimeToSystemTime(DllStructGetPtr($sAD_Temp))
            $aAD_PwdInfo[10] = _Date_Time_SystemTimeToDateTimeStr($sAD_Temp2, 1)
            $aAD_PwdInfo[11] = _DateAdd("d", $aAD_PwdInfo[1], $aAD_PwdInfo[10])
            ; Convert PwdlastSet and PasswordExpires from UTC to Local Time
            $sAD_Temp2 = _Date_Time_SystemTimeToTzSpecificLocalTime(DllStructGetPtr($sAD_Temp2))
            $aAD_PwdInfo[8] = _Date_Time_SystemTimeToDateTimeStr($sAD_Temp2, 1)
            $sAD_Temp2 = _Date_Time_EncodeSystemTime(StringMid($aAD_PwdInfo[11], 6, 2), StringMid($aAD_PwdInfo[11], 9, 2), StringMid($aAD_PwdInfo[11], 1, 4), StringMid($aAD_PwdInfo[11], 12, 2), StringMid($aAD_PwdInfo[11], 15, 2), StringMid($aAD_PwdInfo[11], 18, 2))
            $sAD_Temp2 = _Date_Time_SystemTimeToTzSpecificLocalTime(DllStructGetPtr($sAD_Temp2))
            $aAD_PwdInfo[9] = _Date_Time_SystemTimeToDateTimeStr($sAD_Temp2, 1)
        EndIf
    EndIf
    $aAD_PwdInfo[12] = $oAD_Object.Get("pwdProperties")
    Return SetError($iAD_Error, 0, $aAD_PwdInfo)

EndFunc   ;==>_AD_GetPasswordInfo

Does this work for you?

Edited March 29, 2011 by water

[water]

Hi Suba,

... The error handler returned "0x8007202B - A referral was returned from the server" ...

I've been searching the internet to understand what's going on and I think the following describes it quite well:

Active directory - if it thinks there might be a subdomain that can answer part of the query AND you specify to chase referral chains on your directory search query request - 
will throw an exception telling you that there is more information to process from referral servers and the calling application would need to handle that (which the UDF appearantly doesn't).

More information gives M$ here.

For the moment I think our problem is solved. If it occurres again we will think about how to handle this kind of "problem".

[Suba]

Hi Suba,

you found a bug! That's the only place where I forgot to insert the $sAD_HostServer variable to enhance usage of the bind cache.

here is the "new" _AD_GetPasswordInfo function for you to test. The bug is removed and the pwdProperties will be returned as well:

Does this work for you?

Seems like fine to me.

Hi Suba,

I've been searching the internet to understand what's going on and I think the following describes it quite well:

Active directory - if it thinks there might be a subdomain that can answer part of the query AND you specify to chase referral chains on your directory search query request - 
will throw an exception telling you that there is more information to process from referral servers and the calling application would need to handle that (which the UDF appearantly doesn't).

More information gives M$ here.

For the moment I think our problem is solved. If it occurres again we will think about how to handle this kind of "problem".

You are probably right.

thanks again for your time.

[water]

I did some more research and I think I will implement two new functions:

LDAPGetOptions and LDAPSetOptions. This will allow to query and set LDAP specific options.

It requires playing with DLLs - so it will take some time

Edited March 30, 2011 by water

[HaeMHuK]

Hi water!

Could you tell me please if I can add computer to group with you UDF? I have an issue to add list of PCs to group from txt file.

If yes how!

Thanks.

Edited April 4, 2011 by HaeMHuK

[water]

Sure you can!

Please have a look at function _AD_AddUserToGroup. The function works for users and computers.

If you specify the samaccountname for the computer to be added please remember to append a dollar sign e.g. 'PC001$'

Edited April 4, 2011 by water

[HaeMHuK]

Sure you can!

Please have a look at function _AD_AddUserToGroup. The function works for users and computers.

If you specify the samaccountname for the computer to be added please remember to append a dollar sign e.g. 'PC001$'

Thanks a lot. It works with @.

I have one question else.

How can I use credentials which AD UDF takes?

For example

RunAs ( "$sAD_UserId", "$sAD_DNSDomain", "$sAD_Password", logon_flag, "program" [, "workingdir" [, show_flag [, opt_flag ]]] )

Edited April 5, 2011 by HaeMHuK

[water]

_AD_Open allows to use credentials.

Syntax: _AD_Open($sAD_UserIdParam, $sAD_PasswordParam, $sAD_DNSDomainParam, $sAD_HostServerParam, $sAD_ConfigurationParam, $fAD_Security)

More details can be found in the help file for _AD_Open or in the sourc of the UDF.

Edited April 5, 2011 by water