Active Directory UDF

[jcpetu]

Ah, cristal clear. I'll implement it.

Thanks a lot Willxing and regard.

[willxing]

Hi Water

would you add a script for put "userWorkstation" into LDAP object?

for make user to log on specify desktop and laptop. 

I don't know these code will works or not, need test in office tomorrow.

$FQNM = _AD_SamAccountNameToFQDN()

$objUser = ObjGet("LDAP://"&$FQNM)

$objUser.put("userWorkstations","desktopA,laptopB,vmC")

$objUser.setinfo

 

Thank you and best regards.

[willxing]

Ah, cristal clear. I'll implement it.

Thanks a lot Willxing and regard.

 

Glad to share with you.

[water]

 

Hi Water

would you add a script for put "userWorkstation" into LDAP object?

for make user to log on specify desktop and laptop. 

I don't know these code will works or not, need test in office tomorrow.

$FQNM = _AD_SamAccountNameToFQDN()

$objUser = ObjGet("LDAP://"&$FQNM)

$objUser.put("userWorkstations","desktopA,laptopB,vmC")

$objUser.setinfo

 

Thank you and best regards.

 

Couldn't this be done using function _AD_ModifyAttribute?

[willxing]

o, yeah, that works.

next script, allow user to bind 2 workstation only by themselves.

[Kovacic]

Hi Water, I have a quick simple question about _AD_OPEN() and _AD_CLOSE()  

Can I use _AD_Open, then perform some tasks, then use _AD_CLOSE, then change just the credentials like shown below:

global $sUserIdParam = "MyNewUsername"

global $sPasswordParam = "MyNewPassword"

 

Then use _AD_Open again, and perform new tasks using the changed credentials?

 

I haven't gotten this to work so far.

 

Thanks!

[water]

If I haven't coded anything stupid then this should work.

_AD_Close should reset everything back to start.

[Kovacic]

Im going to make up a quick simple test script outside of my normal script to try it without all my other shenanigans.. be right back.

[Kovacic]

Ok I ran a super simple test and it still doesnt seem to work, if you are in an AD Environment, then you should be able to test this.. I created a user called demo10 and tried changing his password with a normal account (which does not have the ability to change a password) and tried to change the password. That failed like I expected it to.. Then half way through, I tried changing the creds to admin creds, and reopen AD and change the password, but that failed too..

This is not my best work, but works as a quick sample for testing...

expandcollapse popup

#include "ad.au3"
$useracc = "demo10"
$AdminUsername = ""
$AdminPassword = ""

; Open AD as normal user
Msgbox(0,"_AD_Open","About to _AD_Open")
_AD_Open()
If @Error then Msgbox(0,"_AD_Open","It didnt work!")

; Try to set password as normal user
Msgbox(0,"_AD_SetPassword","About to _AD_SetPassword")
_AD_SetPassword($useracc, "Password1")
If @Error then Msgbox(0,"_AD_SetPassword","It didnt work!")

; Close AD as normal user
Msgbox(0,"_AD_Close","About to _AD_Close")
_AD_Close()
If @Error then Msgbox(0,"_AD_Close","It didnt work!")

; Change to admin user
Msgbox(0,"---","Changing Credentials!")
global  $sUserIdParam = $AdminUsername 
global  $sPasswordParam = $AdminPassword 

; Open AD as admin user
Msgbox(0,"_AD_Open","About to _AD_Open")
_AD_Open()
If @Error then Msgbox(0,"_AD_Open","It didnt work!")

; Try to set AD password as admin user
Msgbox(0,"_AD_SetPassword","About to _AD_SetPassword")
_AD_SetPassword($useracc, "Password1")
If @Error then Msgbox(0,"_AD_SetPassword","It didnt work!")

; Close AD as admin user
Msgbox(0,"_AD_Close","About to _AD_Close")
_AD_Close()
If @Error then Msgbox(0,"_AD_Close","It didnt work!")

If you get a sec, let me know if this works for you

[water]

Unfortunately I can't test because I only have read only access to our AD.

But I think the error is with the second _AD_Open. The function only accepts parameters and ignores global variables. So you need to pass the credentials in the _AD_Open call.

[Kovacic]

Unfortunately I can't test because I only have read only access to our AD.

But I think the error is with the second _AD_Open. The function only accepts parameters and ignores global variables. So you need to pass the credentials in the _AD_Open call.

 

hmm. Ill give it a whirl..

[Kovacic]

Sorry it took me so long to reply, it worked like a charm!

Thanks!!

expandcollapse popup

#include "ad.au3"
$useracc = "demo10"
$AdminUsername = ""
$AdminPassword = ""


; Open AD as normal user
Msgbox(0,"_AD_Open","About to _AD_Open")
_AD_Open()
If @Error then Msgbox(0,"_AD_Open","It didnt work!")

; Try to set password as normal user
Msgbox(0,"_AD_SetPassword","About to _AD_SetPassword")
_AD_SetPassword($useracc, "Password1")
If @Error then Msgbox(0,"_AD_SetPassword","It didnt work!")

; Close AD as normal user
Msgbox(0,"_AD_Close","About to _AD_Close")
_AD_Close()
If @Error then Msgbox(0,"_AD_Close","It didnt work!")

; Change to admin user
Msgbox(0,"---","Changing Credentials!")
; Open AD as admin user
Msgbox(0,"_AD_Open","About to _AD_Open")
_AD_Open($AdminUsername,$AdminPassword)
If @Error then Msgbox(0,"_AD_Open","It didnt work!")

; Try to set AD password as admin user
Msgbox(0,"_AD_SetPassword","About to _AD_SetPassword")
_AD_SetPassword($useracc, "Password1")
If @Error then Msgbox(0,"_AD_SetPassword","It didnt work!")

; Close AD as admin user
Msgbox(0,"_AD_Close","About to _AD_Close")
_AD_Close()
If @Error then Msgbox(0,"_AD_Close","It didnt work!")

Thanks again!!!

Edited November 4, 2014 by Kovacic

[water]

[willxing]

Find:    

Func _AD_Open in AD.au3

it has detailed usage for this function.

you can use _AD_Open when you are not in the domain, only need network access to DC. just fill up all the parameters.  

Edited November 5, 2014 by willxing

[Kovacic]

Find:    

Func _AD_Open in AD.au3

it has detailed usage for this function.

you can use _AD_Open when you are not in the domain, only need network access to DC. just fill up all the parameters.  

 

My question was already resolved but thanks anyway.

[Kovacic]

Hi Water, me again... I am working on a tool that includes the functionality of the AD lockout tool. One of my functions tries to open AD with a specified domain controller, and if needed, a separate user account...

Func Define($Host = stringreplace(@logonserver,"\",""))
    _AD_Close()
    If $UNPWIsDefined = 1 Then
        _AD_Open($AltUN, $AltPW,"",$Host)
    Else
        _AD_OPEN("","","",$Host)
    EndIf
EndFunc   ;==>Define

$UNPWIsDefined is a global variable set to either 0 or 1 depending on if the user set alt credentials...

The problem I am having is, It does not seem to be opening other domain controllers on the same domain. Is my syntax messed up?

Thank in advance!!

[water]

What is the value of @error after _AD_Open when connecting to a specific DC?

Edited November 8, 2014 by water

[water]

BTW: Did you have a look at the wiki (for the link please see my signature)? There you'll find how to connect to a specific DC.

[jazzyjeff]

Water,

This may be out of the realm of what you offer on support here, but we had a number of Active Directory contacts that had numerous addresses in the "proxyAddresses" attribute. I used the UDF to go through these contacts and remove legacy mail addresses. Sadly what has happened is that now in the Microsoft Exchange console I receive this error message when I open up a contact.

If I click on the "Email addresses" tab I see all the content that I should except the SMTP and X400 addresses now have a "Strike through" and a message appears saying:

x400 was out of range of valid values isn't a valid x.400 address space

or

the address is not valid smtp address exchange

So the SMTP address now looks something like this:

username@domain.com

This is the command I used to modify the proxyAddresses attribute. I had it populate the attribute with data from an Array.

_AD_ModifyAttribute($aObj[$b], "proxyAddresses", $proxyAddresses, 1)

If you can offer any advice on how to proceed I'd appreciate it.

Thanks,

Jeff

[water]

Never seen this problem. I only know that you need a primary SMTP address. This primary address is distinguished from all other SMTP adresses because it is all in upper case. To see what goes wrong I would extract the current data by using the AD function _AD_GetObjectProperties, then write the correct data using the MS admin interface, then repeat AD_GetObjectProperties and check the differences. Maybe Google will return some results when searching for the error message.