Active Directory UDF

[water]

Sorry, missed that. Too many and too long threads on the forum

When you run function _AD_GetObjectProperties for this user do you see property "pwdlastset" in the list of properties or has it another name like "passwordlastset"?

Maybe the name has changed since Windows 2003?

[colombeen]

when I run the _AD_GetObjectProperties () function with that specific username I don't even get anything password related

On my own account I get 51 rows in an Array but with the one I specified I get 22 rows

[water]

Can you please PM me this 22 rows?

[colombeen]

22 rows in PM :-)

[water]

Could this be caused by the "altSecurityIdentities" property?

So that some properties are not stored in the AD but somewhere else (kerberos ...)?

Do you use any special security features?

[colombeen]

My account has the same property value. so I don't think it's that.

[water]

Strange, strange, strange!
PowerShell shows all properties.
The AD script gets a COM error that the property can not fe found in the domain controller.
 
Could you modify _AD_Open so that ou connect to the Global Catalog?
Example:

$iResult = _AD_Open("", "", "", "DC1.company.com:3268")

[colombeen]

when i do that every account fails.

>ColomJa<
"C:\Program Files\AutoIt3\Include\AD.au3" (4417) : ==> Variable must be of type "Object".:
$lngHigh = $oInt8.HighPart
$lngHigh = $oInt8^ ERROR
->15:40:29 AutoIt3.exe ended.rc:1 

Edited September 25, 2014 by colombeen

[water]

Then I have absolute no idea what is going on :-(

Can you talk to your domain admin and ask if there is something special with your domain?

Do you have another domain which is on level 2008 or 2012 so you can test your script there?

[Kovacic]

By any chance, have you, or any other domain admin made changes to the AD schema?

[colombeen]

what is the fastest way to check if the current account @UserName is a domain admin?

I just found out that the one example that I gave didn't show with my normal user account but with my domainadmin account it did show the info i wanted.

I still have a user that makes it crash but at least i'm a step closer.

EDIT :

appearantly I don't have full read permissions on these accounts that make my script crash. is there a way to check for this so that my script won't fail?

Edited September 26, 2014 by colombeen

[water]

Check if the user is a member of group "Domain Admins".

[water]

Modify function: _AD_GetPasswordInfo.

After line

Local $sPwdLastChanged = $oUser.Get("PwdLastSet")

insert

If @error Then Return SetError(99, @error, "")

This sets @error to 99 and @extended to the COM error if reading the password info failed.

[colombeen]

Check if the user is a member of group "Domain Admins".

This won't work in my case.

I have a specific group that grants me admin rights on the domain but i'm not a member of the domain admins group.

I saw something like "adminCount 1" when i request the properties of my account. is that the same as being a domain admin?

[water]

I'm not sure. Didn't find anything on the web.

Description of AdminCoutn attribute.

[water]

Seems that the attribut isn't being reset when you are no longer member of one of the protected groups.

http://windowsitpro.com/active-directory/advanced-active-directory-security

http://www.shariqsheikh.com/blog/index.php/200908/use-powershell-to-look-up-admincount-from-adminsdholder-and-sdprop/

http://technet.microsoft.com/en-us/magazine/2009.09.sdadminholder.aspx

[colombeen]

OK i was able to catch the error now and show the results (at least the info i can retrieve)

still trying to find some things but that will have to be for next week

thx for all the help 

[colombeen]

Hi I'm back... again...

I'm trying to see if a user must change his/her password at the next logon but when I try that I don't get anything...

In my query I request pwdlastset but when i do a msgbox or consolewrite it just returns nothing.

anyone who knows what I could have done wrong?

The query :

$AD_query   =   _AD_GetObjectsInOU("", "(&(objectcategory=person)(objectclass=user)(sAMAccountName=" & GUICtrlRead ($SearchInput) & "))", 2, _
            "extensionattribute6,displayname,telephoneNumber,mail,description,company,department,title,physicalDeliveryOfficeName," & _
            "sAMAccountName,extensionattribute10,extensionattribute2,homeDirectory,ScriptPath," & _
            "pwdlastset", "displayname")

How i try to show the result :

ConsoleWrite (">" & $AD_query[1][14] & "<" & @CRLF) ; This always returns "><" for some reason
If $AD_query[1][14] = 0 Then
    GUICtrlSetState ($TU_P_Change, $GUI_ENABLE + $GUI_CHECKED)
Else
    GUICtrlSetState ($TU_P_Change, $GUI_ENABLE + $GUI_UNCHECKED)
EndIf

Only $AD_query[1][14] is always empty. If it would have been a wrong property to request, my query would fail completely. I'm lost

EDIT : 

Seems like it only fails with _AD_GetObjectsInOU. when I try _AD_GetObjectProperties it does return the correct value.

Edited September 30, 2014 by colombeen

[water]

You could use _AD_GetPasswordInfo, element 9 of the returned array and subtract the current date. This is the number of dates before the password has to be changed.

[colombeen]

I using _AD_GetObjectProperties already so i'm not really gone change that if it doesn't slow the program to much down.

just think it's strange that the pwdlastset value isn't returned correctly :-s