Active Directory UDF

water · September 25, 2014

Sorry, missed that. Too many and too long threads on the forum

When you run function _AD_GetObjectProperties for this user do you see property "pwdlastset" in the list of properties or has it another name like "passwordlastset"?

Maybe the name has changed since Windows 2003?

colombeen · September 25, 2014

when I run the _AD_GetObjectProperties () function with that specific username I don't even get anything password related

On my own account I get 51 rows in an Array but with the one I specified I get 22 rows

water · September 25, 2014

Can you please PM me this 22 rows?

colombeen · September 25, 2014

22 rows in PM :-)

water · September 25, 2014

Could this be caused by the "altSecurityIdentities" property?

So that some properties are not stored in the AD but somewhere else (kerberos ...)?

Do you use any special security features?

colombeen · September 25, 2014

My account has the same property value. so I don't think it's that.

water · September 25, 2014

Strange, strange, strange!
PowerShell shows all properties.
The AD script gets a COM error that the property can not fe found in the domain controller.

Could you modify _AD_Open so that ou connect to the Global Catalog?
Example:

$iResult = _AD_Open("", "", "", "DC1.company.com:3268")

colombeen · September 25, 2014

when i do that every account fails.

>ColomJa<
"C:\Program Files\AutoIt3\Include\AD.au3" (4417) : ==> Variable must be of type "Object".:
$lngHigh = $oInt8.HighPart
$lngHigh = $oInt8^ ERROR
->15:40:29 AutoIt3.exe ended.rc:1

Edited September 25, 2014 by colombeen

water · September 25, 2014

Then I have absolute no idea what is going on :-(

Can you talk to your domain admin and ask if there is something special with your domain?

Do you have another domain which is on level 2008 or 2012 so you can test your script there?

Kovacic · September 25, 2014

By any chance, have you, or any other domain admin made changes to the AD schema?

colombeen · September 26, 2014

what is the fastest way to check if the current account @UserName is a domain admin?

I just found out that the one example that I gave didn't show with my normal user account but with my domainadmin account it did show the info i wanted.

I still have a user that makes it crash but at least i'm a step closer.

EDIT :

appearantly I don't have full read permissions on these accounts that make my script crash. is there a way to check for this so that my script won't fail?

Edited September 26, 2014 by colombeen

water · September 26, 2014

Check if the user is a member of group "Domain Admins".

water · September 26, 2014

Modify function: _AD_GetPasswordInfo.

After line

Local $sPwdLastChanged = $oUser.Get("PwdLastSet")

insert

If @error Then Return SetError(99, @error, "")

This sets @error to 99 and @extended to the COM error if reading the password info failed.

colombeen · September 26, 2014

Check if the user is a member of group "Domain Admins".

This won't work in my case.

I have a specific group that grants me admin rights on the domain but i'm not a member of the domain admins group.

I saw something like "adminCount 1" when i request the properties of my account. is that the same as being a domain admin?

water · September 26, 2014

I'm not sure. Didn't find anything on the web.

Description of AdminCoutn attribute.

water · September 26, 2014

Seems that the attribut isn't being reset when you are no longer member of one of the protected groups.

http://windowsitpro.com/active-directory/advanced-active-directory-security

http://www.shariqsheikh.com/blog/index.php/200908/use-powershell-to-look-up-admincount-from-adminsdholder-and-sdprop/

http://technet.microsoft.com/en-us/magazine/2009.09.sdadminholder.aspx

colombeen · September 26, 2014

OK i was able to catch the error now and show the results (at least the info i can retrieve)

still trying to find some things but that will have to be for next week

thx for all the help

colombeen · September 29, 2014

Hi I'm back... again...

I'm trying to see if a user must change his/her password at the next logon but when I try that I don't get anything...

In my query I request pwdlastset but when i do a msgbox or consolewrite it just returns nothing.

anyone who knows what I could have done wrong?

The query :

$AD_query   =   _AD_GetObjectsInOU("", "(&(objectcategory=person)(objectclass=user)(sAMAccountName=" & GUICtrlRead ($SearchInput) & "))", 2, _
            "extensionattribute6,displayname,telephoneNumber,mail,description,company,department,title,physicalDeliveryOfficeName," & _
            "sAMAccountName,extensionattribute10,extensionattribute2,homeDirectory,ScriptPath," & _
            "pwdlastset", "displayname")

How i try to show the result :

ConsoleWrite (">" & $AD_query[1][14] & "<" & @CRLF) ; This always returns "><" for some reason
If $AD_query[1][14] = 0 Then
    GUICtrlSetState ($TU_P_Change, $GUI_ENABLE + $GUI_CHECKED)
Else
    GUICtrlSetState ($TU_P_Change, $GUI_ENABLE + $GUI_UNCHECKED)
EndIf

Only $AD_query[1][14] is always empty. If it would have been a wrong property to request, my query would fail completely. I'm lost

EDIT :

Seems like it only fails with _AD_GetObjectsInOU. when I try _AD_GetObjectProperties it does return the correct value.

Edited September 30, 2014 by colombeen

water · September 30, 2014

You could use _AD_GetPasswordInfo, element 9 of the returned array and subtract the current date. This is the number of dates before the password has to be changed.

colombeen · September 30, 2014

I using _AD_GetObjectProperties already so i'm not really gone change that if it doesn't slow the program to much down.

just think it's strange that the pwdlastset value isn't returned correctly :-s

Active Directory UDF

Recommended Posts

Top Posters In This Topic

Top Posters In This Topic

Popular Posts

water

BrewManNH

mnorland

Posted Images

Recently Browsing 0 members

Similar Content