Active Directory UDF


water
Thanks a lot for the info.

I will incorporate the changes in the next version. The original UDF by John Clelland already has a function _AD_FixSpecialChars to insert or remove special characters. So I will use this in version 0.38.

BTW: Do you think your code will work? I didn't test it but I think it will change "\/" to "/" and in the next statement back to "\/" again.

; added by Joe2010
;AD BUG: In case the bug is fixed declare right given slashs "wrong"
$sAD_FQDN = StringReplace($sAD_FQDN, "\/", "/")
;AD BUG: Declare wrong given slashs "/" from AD as special character "\/"
$sAD_FQDN = StringReplace($sAD_FQDN, "/", "\/")
; added by Joe2010

In the meanwhile I think it's absolutely enough to use the second code line:

;AD BUG: Declare wrong given slashs "/" from AD as special character "\/"
$sAD_FQDN = StringReplace($sAD_FQDN, "/", "\/")
Edited by Joe2010
Link to comment
Share on other sites

Hello, is it possible to specify a username and password when connecting to AD?

Can AdOpen be used with $sAD_UserIdParam and $sAD_PasswordParam?

But what is the correct way to use them?

Thanks for any help :(

Edited by Erlend
Link to comment
Share on other sites

Hello, is it possible to specify a username and password when connecting to AD?

Can AdOpen be used with $sAD_UserIdParam and $sAD_PasswordParam?

But what is the correct way to use them?

Thanks for any help :(

Moved your question to the "help and support thread"

My UDFs and Tutorials:

Spoiler

UDFs:
Active Directory (NEW 2022-02-19 - Version 1.6.1.0) - Download - General Help & Support - Example Scripts - Wiki
ExcelChart (2017-07-21 - Version 0.4.0.1) - Download - General Help & Support - Example Scripts
OutlookEX (2021-11-16 - Version 1.7.0.0) - Download - General Help & Support - Example Scripts - Wiki
OutlookEX_GUI (2021-04-13 - Version 1.4.0.0) - Download
Outlook Tools (2019-07-22 - Version 0.6.0.0) - Download - General Help & Support - Wiki
PowerPoint (2021-08-31 - Version 1.5.0.0) - Download - General Help & Support - Example Scripts - Wiki
Task Scheduler (NEW 2022-07-28 - Version 1.6.0.1) - Download - General Help & Support - Wiki

Standard UDFs:
Excel - Example Scripts - Wiki
Word - Wiki

Tutorials:
ADO - Wiki
WebDriver - Wiki

 

Link to comment
Share on other sites

Version 0.38 has been released.

For download please see signature.


Link to comment
Share on other sites

Hi to all, is there a quick way with this UDF to change the computer description in AD?

Thanks to all for your great help.

Gian72

You can use something like this:

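#include <AD.au3>

; Open the connection to Active Directory (replace the MsgBox calls with your own error handling)
$iResult = _AD_Open()
If $iResult <> 1 Then Exit MsgBox(16, "AD", "_AD_Open failed, @error = " & @error)
; A computer specified by SamAccountName needs the trailing "$"
$iResult = _AD_ModifyAttribute(@ComputerName & "$", "description", "new description")
If $iResult <> 1 Then MsgBox(16, "AD", "_AD_ModifyAttribute failed, @error = " & @error)
_AD_Close()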

If you specify the computer as SamAccountName then you have to append a "$".


Link to comment
Share on other sites

Hi everybody, and sorry in advance for my bad English.

The function _AD_GetObjectsLocked() doesn't work for me.

I have a locked user account on Active Directory (2008) and I test the function with this simple script:

#include <AD.au3>
#include <Array.au3>

_AD_Open()
$aLocked = _AD_GetObjectsLocked()
If @error > 0 Then
    MsgBox(64, "Result", "No locked user accounts have been found")
Else
    _ArrayDisplay($aLocked, "Result")
EndIf
_AD_Close()

But the script returns "No locked user accounts have been found".

I test with an operational user admin account.

I saw in the first post > _AD_GetObjectsLocked(): Doesn't return a correct value when the lockouttime hasn't expired. The function has to be rewritten

Is it the reason that the return is wrong?

Thanks for response

Link to comment
Share on other sites

I saw in the first post > _AD_GetObjectsLocked(): Doesn't return a correct value when the lockouttime hasn't expired. The function has to be rewritten

Is it the reason that the return is wrong?

That's true. _AD_GetObjectsLocked() uses an approach that doesn't work (it simply checks UAC - user account control). Here you'll find a VBS that does what you need.

I'll have to translate it to AutoIt - as soon as I find some spare time :(

If you know which user is locked you can use _AD_IsObjectLocked(). If your country uses DST then please insert the lines as specified in the "Known Bugs" section to handle Daylight Savings Time correctly.


Link to comment
Share on other sites

I wait for the update in autoit (tomorrow ? :( )

Don't think so. It will take 3-4 weeks because I'm on vacation next week and then - as usual after vacations - I will be very busy.


Link to comment
Share on other sites

@all

Maybe this can get you started.

; List userAccountControl values for an Active Directory user account

; Dictionary of flag name -> bit value
$objHash = ObjCreate("Scripting.Dictionary")

$objHash.Add("ADS_UF_SMARTCARD_REQUIRED", 0x40000)
$objHash.Add("ADS_UF_TRUSTED_FOR_DELEGATION", 0x80000)
$objHash.Add("ADS_UF_NOT_DELEGATED", 0x100000)
$objHash.Add("ADS_UF_USE_DES_KEY_ONLY", 0x200000)
$objHash.Add("ADS_UF_DONT_REQUIRE_PREAUTH", 0x400000)

; Bind to the user object (replace the sample DN with a real one)
$objUser = ObjGet("LDAP://CN=User,OU=Dept,DC=Company,DC=com")
$intUAC = $objUser.Get("userAccountControl")

; The lockout state is read from the IsAccountLocked property, not from a userAccountControl bit
If $objUser.IsAccountLocked = True Then
    ConsoleWrite("ADS_UF_LOCKOUT is enabled" & @CRLF)
Else
    ConsoleWrite("ADS_UF_LOCKOUT is disabled" & @CRLF)
EndIf
ConsoleWrite(@CRLF)

For $Key In $objHash.Keys
    ; BitAND tests the single flag; AutoIt's "And" is a logical operator and is true for any two non-zero values
    If BitAND($intUAC, $objHash.Item($Key)) Then
        ConsoleWrite($Key & " is enabled" & @CRLF)
    Else
        ConsoleWrite($Key & " is disabled" & @CRLF)
    EndIf
Next

Rgds

ptrex

Edited by ptrex
Link to comment
Share on other sites

I have a quick question - how long after you unlock an account should you see it unlock?

I have 10 DCs - so is it possible to go to the main DC and unlock the account?

2¢

Link to comment
Share on other sites

Regarding the problems with _AD_IsObjectLocked and _AD_GetObjectsLocked

I have to admit: I don't fully understand how Windows works in this area!

Let's assume there are two Domain Controllers (A and B). The user tries to logon using DC A and is locked on this DC. Now I have the following questions:

  • Does Windows replicate some information to every DC or is there a central role (Domains PDC Emulator?) in the domain that stores this information?
  • What information is replicated from DC A to DC B or the central role?

    - BadPasswordTime

    - BadPWDCount

    - IsAccountLocked Property

    - User Account Control (UAC)

    - LockoutTime

  • How long does it take for this information to get replicated?
  • How can I access this information? What provider (LDAP or WINNT) do I have to use to get correct information?

I will piece together as much information as I can get and put in some links so we can verify this.

All the example scripts I've seen on the Internet don't return the correct information as soon as there is more than one DC on the domain.

Here and here I've found the best information so far.

Any additional insight information is greatly appreciated!

Edited by water


Link to comment
Share on other sites

@Water

Does Windows replicate some information to every DC or is there a central role (Domains PDC Emulator?) in the domain that stores this information?

-> If the DCs are part of the same Domain, yes this will be replicated. Under the condition that the servers are domain servers and replication partners. If not they have separate AD structures, and you have to set up trust relationships.

What information is replicated from DC A to DC B or the central role?

- BadPasswordTime

- BadPWDCount

- IsAccountLocked Property

- User Account Control (UAC)

- LockoutTime

-> All of the changes in the User Account information are replicated in the same domain.

How long does it take for this information to get replicated?

-> This depends on the AD load of the servers. If they are not heavily used it's nearly instantaneous.

How can I access this information? What provider (LDAP or WINNT) do I have to use to get correct information?

-> The real pro scripts are very hard to find. I am setting up a website where I am publishing a few hundred of the Admin Scripts for managing Exchange Servers / MSSQL / AD / Terminal Servers / Virtual Servers, etc.

I will keep you informed.

rgds,

patrick

Link to comment
Share on other sites

This site makes me feel that the PDC emulator should be the one to query: "Account lockout is processed on the PDC emulator."

So if I query the PDC emulator (which can be queried using _AD_ListRoleOwners) I should be able to see which users are locked and calculate the status and the end of the lockout. Right?

After my vacation I'm going to test this and post the results.


Link to comment
Share on other sites
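
The calculation discussed in the post above (lockout status and end of the lockout derived from lockoutTime rather than from a userAccountControl bit), as an added example that is not part of the thread or of the AD UDF. It assumes lockoutTime has already been read from the user object and lockoutDuration from the domain object; the helper name _LockoutState and all sample values are constructed for illustration.

```autoit
; Added example: constructed values, no domain connection required.
; lockoutTime is a FILETIME (100-ns ticks since 1601-01-01 UTC); the domain's
; lockoutDuration is a negative tick count (assumed here: 30 minutes).
Global Const $TICKS_PER_MINUTE = 600000000 ; 60 s * 10,000,000 ticks per second

; Hypothetical helper. Returns [0] = 1 if still locked out, else 0
;                              [1] = whole minutes until automatic unlock
Func _LockoutState($iLockoutTime, $iLockoutDuration, $iNow)
    Local $aState[2] = [0, 0]
    ; lockoutTime = 0 means the account is not locked out
    If $iLockoutTime = 0 Then Return $aState
    ; The duration is negative, so subtracting it adds the lockout period
    Local $iUnlockAt = $iLockoutTime - $iLockoutDuration
    ; A non-zero lockoutTime whose period has passed is a stale value, not a lockout
    If $iNow >= $iUnlockAt Then Return $aState
    $aState[0] = 1
    $aState[1] = Ceiling(($iUnlockAt - $iNow) / $TICKS_PER_MINUTE)
    Return $aState
EndFunc   ;==>_LockoutState

Global $iNow = 133000000000000000 ; constructed "current time" as FILETIME
Global $iDuration = -30 * $TICKS_PER_MINUTE
Global $aSamples[3][2] = [ _
        ["lockoutTime = 0", 0], _
        ["locked 10 minutes ago", $iNow - 10 * $TICKS_PER_MINUTE], _
        ["locked 45 minutes ago", $iNow - 45 * $TICKS_PER_MINUTE]]
Global $aState
For $i = 0 To UBound($aSamples) - 1
    $aState = _LockoutState($aSamples[$i][1], $iDuration, $iNow)
    ConsoleWrite($aSamples[$i][0] & ": locked=" & $aState[0] & ", minutes left=" & $aState[1] & @CRLF)
Next
```

The third sample is the case that matters for auditing: lockoutTime is still non-zero, but the lockout period is over, so the account must not be reported as locked.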

@Water

You have to query the FSMO roles forest wide.

But again, when you have a network where there's no overload on AD traffic, it will be a matter of milliseconds until the PDC replicates the status information.

For more information: http://www.petri.co.il/understanding_fsmo_roles_in_ad.htm

rgds

ptrex

Edited by ptrex
Link to comment
Share on other sites

From what I remember, if I understood correctly, there are tasks which are handled exclusively by the PDC, such as password changes and time synchronization between DCs.

As for logon authentication, a workstation first looks for a DC within its defined site. When a DC receives the authentication request, it finds a Global Catalog within its site which then determines whether the user should be authenticated. A ticket is generated and given to the DC which then passes it on to the workstation. Of course, if no DC or Global Catalog is available in the site, then it gets a list of all the DCs in the domain then tries elsewhere.

Link to comment
Share on other sites

This topic is now closed to further replies.