Active Directory UDF


water

Only _AD_GetObjectProperties translates internal formats.

My UDFs and Tutorials:

Spoiler

UDFs:
Active Directory (NEW 2022-02-19 - Version 1.6.1.0) - Download - General Help & Support - Example Scripts - Wiki
ExcelChart (2017-07-21 - Version 0.4.0.1) - Download - General Help & Support - Example Scripts
OutlookEX (2021-11-16 - Version 1.7.0.0) - Download - General Help & Support - Example Scripts - Wiki
OutlookEX_GUI (2021-04-13 - Version 1.4.0.0) - Download
Outlook Tools (2019-07-22 - Version 0.6.0.0) - Download - General Help & Support - Wiki
PowerPoint (2021-08-31 - Version 1.5.0.0) - Download - General Help & Support - Example Scripts - Wiki
Task Scheduler (NEW 2022-07-28 - Version 1.6.0.1) - Download - General Help & Support - Wiki

Standard UDFs:
Excel - Example Scripts - Wiki
Word - Wiki

Tutorials:
ADO - Wiki
WebDriver - Wiki

 

Link to comment
Share on other sites

_AD_GetObjectAttribute handles a lot of different data types.

Link to comment
Share on other sites

How about this:

#include <AD.au3>

_AD_Open()
If @error Then Exit MsgBox(16, "Active Directory", "Function _AD_Open encountered a problem. @error = " & @error & ", @extended = " & @extended)

Global Const $PASSWD_CANT_CHANGE = 64
$aProperties = _AD_GetObjectProperties(@UserName, "UserAccountControl")
If BitAND($aProperties[1][1], $PASSWD_CANT_CHANGE) = $PASSWD_CANT_CHANGE Then
    MsgBox(0, "Result", "User can't change password!")
EndIf
_AD_Close()

Link to comment
Share on other sites

When running _AD_GetObjectProperties for this account you should get

"66048 - DontExpire Password, Normal Account" in field "UserAccountControl"

for this user.

You could unset "password can't change" for this user. Run _AD_GetObjectProperties and export the displayed array to a file.

Then set "password can't change" and do the same to another file.

Compare the files and we will see the difference.

Link to comment
Share on other sites

It returns exactly the same result... I don't get it :-s

EDIT :

found on a forum that it is extracted from the ntsecuritydescriptor.

NT AUTHORITY\SELF gets a deny on "change password"

...

pffff :(

found this page now : http://www.activexperts.com/network-monitor/windowsmanagement/scripts/activedirectory/user/passwords/#PreventUsersChanging.htm

Edited by colombeen
Link to comment
Share on other sites

So the last script should answer your question.

translating it to AutoIt should be easy.

Have you already tried?

Link to comment
Share on other sites

i don't get the script at all :-s

also i don't need to change it, only read it so i can show that it is enabled or disabled

autoit is like one of the only scripting languages that I know. translating other code to autoit sounds like chinese to me

I was happy that I was able to call a cmd prompt and run a command in it from within an autoit script

Edited by colombeen
Link to comment
Share on other sites

How about this?

#include <ad.au3>
_AD_Open()
Global $iUserCantChangePWD = _AD_UserRights()
MsgBox(0, "Info", "User can't change password: " & $iUserCantChangePWD)
_AD_Close()

Func _AD_UserRights($sUser = @UserName)
    Const $CHANGE_PASSWORD_GUID = "{ab721a53-1e2f-11d0-9819-00aa0040529b}"
    If _AD_ObjectExists($sUser) = 0 Then Return SetError(1, 0, 0)
    If StringMid($sUser, 3, 1) <> "=" Then $sUser = _AD_SamAccountNameToFQDN($sUser) ; sAMAccountName provided
    Local $oUser = __AD_ObjGet("LDAP://" & $sAD_HostServer & "/" & $sUser)
    If IsObj($oUser) Then
        Local $oSecurity = $oUser.Get("ntSecurityDescriptor")
        Local $oDACL = $oSecurity.DiscretionaryAcl
        For $oACE In $oDACL
            If (($oAce.AceType = $ADS_ACETYPE_ACCESS_DENIED_OBJECT) And _
                    (StringLower($oAce.ObjectType) = $CHANGE_PASSWORD_GUID)) Then
                Return 1
            EndIf
        Next
    EndIf
    Return 0

EndFunc   ;==>_AD_UserRights

Link to comment
Share on other sites

I found : http://msdn.microsoft.com/en-us/library/aa746448(v=vs.85).aspx

I was able to translate the function to this (in combination with the other function water translated into autoit) :

#include <AD.au3>

; Returns 1 if both "Everyone" and "NT AUTHORITY\SELF" are denied the Change Password right, otherwise 0
Func _AD_IsPasswordChangeDisabled($sUser = @UserName)
    Const $CHANGE_PASSWORD_GUID = "{ab721a53-1e2f-11d0-9819-00aa0040529b}"
    Local $iEveryone = 0, $iSelf = 0 ; initialise both flags

    If _AD_ObjectExists($sUser) = 0 Then Return SetError(1, 0, 0)

    If StringMid($sUser, 3, 1) <> "=" Then $sUser = _AD_SamAccountNameToFQDN($sUser) ; sAMAccountName provided

    Local $oUser = __AD_ObjGet("LDAP://" & $sAD_HostServer & "/" & $sUser)

    If IsObj($oUser) Then
        Local $oSecurity = $oUser.Get("ntSecurityDescriptor")
        Local $oDACL = $oSecurity.DiscretionaryAcl

        ; Look for object-deny ACEs on the Change Password right
        For $oACE In $oDACL
            If StringUpper($oACE.ObjectType) = StringUpper($CHANGE_PASSWORD_GUID) Then
                If $oACE.Trustee = "Everyone" And $oACE.AceType = $ADS_ACETYPE_ACCESS_DENIED_OBJECT Then
                    $iEveryone = 1
                EndIf
                If $oACE.Trustee = "NT AUTHORITY\SELF" And $oACE.AceType = $ADS_ACETYPE_ACCESS_DENIED_OBJECT Then
                    $iSelf = 1
                EndIf
            EndIf
        Next
    EndIf

    If $iEveryone = 1 And $iSelf = 1 Then Return 1
    Return 0
EndFunc   ;==>_AD_IsPasswordChangeDisabled

It seems to work. Anyone who can try this out too?

@water ??

Edited by colombeen
Link to comment
Share on other sites
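
The same check for offline auditing, as an added example that is not part of the thread or of the AD UDF: it assumes the account's security descriptor has been exported as an SDDL string, and matches the trustees by SDDL alias or SID (WD / S-1-1-0 for Everyone, PS / S-1-5-10 for SELF) instead of by display name. The function names and the sample descriptors are constructed for illustration; uac_flags decodes the 66048 value quoted earlier in the thread to show that bit 64 is not set in it.

```python
import re

CHANGE_PASSWORD_GUID = "ab721a53-1e2f-11d0-9819-00aa0040529b"  # GUID used in the thread
EVERYONE = {"WD", "S-1-1-0"}   # SDDL alias and SID for Everyone
SELF = {"PS", "S-1-5-10"}      # SDDL alias and SID for NT AUTHORITY\SELF
UAC_BITS = {0x0002: "ACCOUNTDISABLE", 0x0040: "PASSWD_CANT_CHANGE",
            0x0200: "NORMAL_ACCOUNT", 0x10000: "DONT_EXPIRE_PASSWORD"}

def uac_flags(value):
    """Names of the userAccountControl bits (subset listed above) set in value."""
    return [name for bit, name in sorted(UAC_BITS.items()) if value & bit]

def dacl_aces(sddl):
    """Yield the first six ';'-separated fields of every ACE in the DACL."""
    match = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)
    if not match:
        return
    for body in re.findall(r"\(([^)]*)\)", match.group(1)):
        fields = body.split(";")
        if len(fields) >= 6:
            yield tuple(fields[:6])

def cannot_change_password(sddl):
    """True when both Everyone and SELF hold an object-deny ACE for Change Password."""
    denied = set()
    for ace_type, _flags, _rights, obj_guid, _inherit, trustee in dacl_aces(sddl):
        # "OD" is the SDDL ACE type for an object-specific access-denied ACE
        if ace_type == "OD" and obj_guid.lower() == CHANGE_PASSWORD_GUID:
            denied.add(trustee.upper())
    return bool(denied & EVERYONE) and bool(denied & SELF)

# Constructed sample descriptors (not real exports).
_ACE = ";;CR;" + CHANGE_PASSWORD_GUID + ";;"
LOCKED = "O:DAG:DAD:AI(OD" + _ACE + "WD)(OD" + _ACE + "PS)(A;;RC;;;AU)"
DEFAULT = "O:DAG:DAD:AI(OA" + _ACE + "WD)(OA" + _ACE + "PS)(A;;RC;;;AU)"

if __name__ == "__main__":
    print(uac_flags(66048))
    print(cannot_change_password(LOCKED), cannot_change_password(DEFAULT))
```

Conditional ACEs, which contain nested parentheses, are not handled by this parser.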

I will check next week. But I'm not sure I have users that can not change their passwords.

Link to comment
Share on other sites

I tried for my user and it returns 0 (as expected). Unfortunately I couldn't find any user that can not change their passwords.

Link to comment
Share on other sites

i have a strange problem. in some cases I get an error 4 with the extendederror -2147024843 when running _AD_Open ()

sometimes it happens on 1 machine with a specific account but on another machine it works normally (with the same account).

on the machine that throws the error, it does work for a different user.

is there a way to fix this error?

Edited by colombeen
Link to comment
Share on other sites

I had a similar problem when the compiled script was started from a non trusted location.

Copy the exe to another drive and try again.

Link to comment
Share on other sites

IIRC it is a security policy setting to only allow programs to be executed from defined "secure" locations.

Link to comment
Share on other sites

This topic is now closed to further replies.