Active Directory UDF - Help & Support

[scarboni]

Hello there Waters, This is a awsome script I read through it and I wonder if there is a function which i can reach...

Is it possible to get the date when the password will expire on a user? or is that the Array key in the _AD_GetPasswordInfo #9 and #14?

Edited September 19, 2011 by scarboni

[water]

Correct. Password expiration date/time can be found in element #9 and #11 (local time and UTC).

[ICANSEEYOU7687]

Could you please run this test script with your data and post the result?

Global $sAD_Password = $first & $last &"1234"
ConsoleWrite(">>" & $sAD_Password & "<<" & @CRLF)
$iValue = _AD_SetPassword($username, $sAD_Password)
ConsoleWrite(">>SetPassword: " & $iValue & "--" & @error & @CRLF)

So we can check that the variable contains what we expect.

Unfortunately I will not be back at work to work on this until friday. But I have tested the value of iValue for the accounts created after the password is set, and this does, in fact, return a value of "1"...

Thanks for taking time and helping, either way!

[water]

So if you get returncode 1 for EVERY password you set it is even more important to check that we set what we later need to enter as the password.

[scarboni]

Im sorry im kinda new to using others script or my brain just had a blackout.

Lets make a simple example and see if i made it correct I want to make a msg box with the info from the AD user.

#include <AD.au3>
 
$domain = "domain1"
$username = "user1"
$password = "passwd"
$fetchedUsername = "fromADUsername"
 
_AD_Open($domain&"\"&$username, $password)
 
$passwordExpireTime = _AD_GetPasswordInfo($fetchedUsername)
 
msgbox(0,"","Password expire time Local Time: "& $passwordExpireTime[9])
msgbox(0,"","Password expire time UTC: "& $passwordExpireTime[11])
 
_AD_Close()

And does

$ADUsers = _AD_GetGroupMemberOf("Users")
 
 
$maxUsers = $ADUser[0]

$maxUser result in the maximum amount of users in the users group by typing $ADUser[0]?

And while you look this through I wonder if there is a way to be able to get the date of 11 days befor the password expires. So lets say i get the user "Tony" and his passwordExpireTime = 2011-01-20 I would like to be able to get the date 11 days befor that which would result in 2011-01-09 and wonder how i convert the _Date_Time_SystemTimeToDateTimeStr or $sAD_Temp2 to be able to calculate 11 days . If you didnt understand anything of that please tell...

Edited September 20, 2011 by scarboni

[water]

You can try to connect to the AD without using credentials. Just use "_AD_Open()". Here everybody has full read access to the AD.

To subtract 11 days use the following code:

#Include <Date.au3>
$Result = _DateAdd("D", -11, $passwordExpireTime[9])

[scarboni]

Awsome Water thanks! Can I use the $ADUser[0] to get the total of the Array?

Do you think this script would work on a exchange server and AD accessed.

11 days befor the password expires the user will get a email giving them information about the password change.

;=========================== Include ===========================
#include <AD.au3>
#include <OutlookEX.au3>
#include <date.au3>
 
;========================== Parameters ==========================
local $i
local $currentDate = _NowDate()
Global $ADUsers = _AD_GetGroupMemberOf("Users")
 
;========== Connect to Outlook and Active Directory =============
Global $oAD = _AD_Open()
Global $oOL = _OL_Open()
 
;========================== E N D ===============================
 
 
For $i = 1 to $ADUser[0]
$passwordInfo = _AD_GetPasswordInfo($ADUser[$i])
$passwordExpireTime = $passwordInfo[9]
$calcElevenDays = _DateAdd("D", -11, $passwordExpireTime)
 
   If ($currentDate <= $calcElevenDays) Then
      msgbox(0,"","Password expire time: "  & $passwordInfo[9] & @CRLF & "Mail time: " & $calcElevenDays)
      _OL_Wrapper_SendMail($oOL, $ADUser[$i], "", "", "Password Expires in 10 days", "<h2>User account password Expire</h2><br />      <br /><h3>Information</h3><br /><br /><p>Your accounts password will expire in 10 days,</p>", "", $olFormatHTML,     $olImportanceHigh)
   EndIf
 
Next
 
_OL_Close() ;==>_OL_Start
_AD_Close() ;== _AD_Start

Edited September 20, 2011 by scarboni

[water]

Sure. The help file for functions _AD_GetPasswordInfo talks about it:

; Return values .: Success - Returns a one-based array with the following information:

This means that the element with index 1of the array is the first "data element" and the element with index 0 holds the number of rows in the array

[FreakyMonkey]

Hello,

I keep getting this error when running scripts with the UDF:

\\cel-fil-001\qascripts\AD\AD.au3 (505) : ==> Variable must be of type "Object".:

$oAD_Command.CommandText = "<LDAP://" & $sAD_HostServer & "/" & $sAD_DNSDomain & ">;(sAMAccountName=" & $sAD_SamAccountName & ");distinguishedName;subtree"

$oAD_Command^ ERROR

Now, I'm assuming that means it's not pulling the object correctly. But I'll be darned if I can figure out why.

#include <\\cel-fil-001\qascripts\AD\AD.au3>
MsgBox(0,"X",_AD_SamAccountNameToFQDN(@UserName))

Windows 7 x64 (AutoIT x32)

[water]

Your script has to call _AD_Open first to open a connection to AD. Check any of the example scripts or the help file.

[jazzyjeff]

Hey Water,

I am using the _AD_JoinDomain function and I am getting the error 5. Using the extended error checking gives me an error of 8525. What does error number 8525 generally mean?

FYI. The script successfully created the computer account in AD. I haven't seen this error on other machines yet, so I am at a bit of a loss as to what is wrong.

Thanks,

Jeff

[water]

@extended returned 8525? If yes, this means (according to http://msdn.microsoft.com/en-us/library/ms681390(v=VS.85).aspx):

ERROR_DS_COULDNT_UPDATE_SPNS - 8525 (0x214D)

While processing a change to the DNS Host Name for an object, the Service Principal Name values could not be kept in sync.

Unfortunately, this doesn't tell me anything.

Can you please post the code that gives you the error + how you do the extended error checking?

[jazzyjeff]

Thanks for the quick response Water.

here is my code.

expandcollapse popup

Func _JoinDomain()
;Choose domain OU
Sleep(5000)
;$DC = Random(1, 3, 1)
_AD_Open("username", "password", "DC=domain,DC=net", "server.domain.net", "CN=Configuration,DC=domain,DC=net")
Global $adOU = _AD_GetAllOUs("OU=Workstations,DC=domain,DC=net", "")
For $iCount = 1 To $adOU[0][0]
  If $iCount = 1 Then
   $sOU = $adOU[$iCount][0]
  Else
   $sOU = $sOU & "|" & $adOU[$iCount][0]
  EndIf
Next
#region ### START Koda GUI section ###
$main2 = GUICreate("Active Directory", 780, 344, 150, 124)
$ListOU = GUICtrlCreateList("", 7, 8, 768, 279, BitOR($LBS_SORT, $LBS_STANDARD, $LBS_EXTENDEDSEL, $LBS_DISABLENOSCROLL, $WS_VSCROLL, $WS_HSCROLL, $WS_BORDER))
GUICtrlSetData($ListOU, $sOU)
$btnCont2 = GUICtrlCreateButton("Continue", 7, 291, 768, 41, $WS_GROUP)
GUICtrlSetFont(-1, 20, 400, 0, "Impact")
GUISetState(@SW_SHOW)
#endregion ### END Koda GUI section ###
While 1
  $nMsg = GUIGetMsg()
  Switch $nMsg
   Case $GUI_EVENT_CLOSE
    Exit
   Case $btnCont2
    ; Check what OU has been selected in the listbox
    $selOU = _GUICtrlListBox_GetSelItems($ListOU)
    Global $selectedItem = $selOU[1] + 1
    ;Create computer account in AD
    Global $iComp = _AD_CreateComputer($adOU[$selectedItem][1], @ComputerName, "username")
    If $iComp = 1 Then
     MsgBox(64, "Successful", @ComputerName & " is in the Domain.", 5)
    ElseIf @error = 1 Then
     MsgBox(64, "Fail", "The Computers OU can not be found to create Computer account in AD.")
    ElseIf @error = 2 Then
     MsgBox(64, "Fail", @ComputerName & " already exists in the Domain.")
    ElseIf @error = 3 Then
     MsgBox(64, "Fail", "The user does not exist.")
     ;Else
     ; MsgBox(64, "Active Directory Functions", "Creating Computer account - Return code '" & @error & "' from Active Directory")
    EndIf
    ;Join computer to AD account
    Global $iDom = _AD_JoinDomain(@ComputerName, "domain\username", "password")
    If $iDom = 1 Then
     MsgBox(64, "Successful", @ComputerName & " has now been joined to the Domain", 5)
    EndIf
    If @error = 1 Then
     MsgBox(64, "Fail", @ComputerName & " does not exist in the Domain.")
    ElseIf @error = 2 Then
     MsgBox(64, "Fail", "The user could not be found in the Domain.")
    ElseIf @error = 3 Then
     MsgBox(64, "Fail", "WMI Object could not be created. Return code - " & @extended)
    ElseIf @error = 4 Then
     MsgBox(64, "Fail", @ComputerName & " is already a member of the Domain.")
    ElseIf @error = 5 Then
     MsgBox(64, "Fail", @ComputerName & " was unable to join the Domain. Return code - " & @extended)
    EndIf
    _Final()
  EndSwitch
WEnd
_AD_Close()
EndFunc   ;==>_JoinDomain

We have multiple DNS server running out our school. Maybe we have an issue with the AD sync. I'll check the event logs.

Still doesn't explain why it happened on that particular machine. I ran it on another machine and it worked fine.

I am in the process of reimaging the machine right now, so maybe that will fix the issue. The URL is helpfult though as I can get an idea of what maybe wrong.

Edited October 24, 2011 by jazzyjeff

[jazzyjeff]

So a reimage didn't resolve it. I am looking through logs now on the DNS servers now.

[jazzyjeff]

I am not seeing any errors on the DNS servers related to sysnc issues.

[water]

Could you please run the script with some more error checking?

expandcollapse popup

Func _JoinDomain()
;Choose domain OU
Sleep(5000)
;$DC = Random(1, 3, 1)
$iAD_Debug = 2    ; <== Debugging
_AD_Open("username", "password", "DC=domain,DC=net", "server.domain.net", "CN=Configuration,DC=domain,DC=net")
Msgbox(0, "_AD_Open", "@error: " & @error & ", @extended: " & @extended)    ; <== Debugging
Global $adOU = _AD_GetAllOUs("OU=Workstations,DC=domain,DC=net", "")
Msgbox(0, "_AD_GetAllOUs", "@error: " & @error & ", @extended: " & @extended)    ; <== Debugging
For $iCount = 1 To $adOU[0][0]
  If $iCount = 1 Then
   $sOU = $adOU[$iCount][0]
  Else
   $sOU = $sOU & "|" & $adOU[$iCount][0]
  EndIf
Next
#region ### START Koda GUI section ###
$main2 = GUICreate("Active Directory", 780, 344, 150, 124)
$ListOU = GUICtrlCreateList("", 7, 8, 768, 279, BitOR($LBS_SORT, $LBS_STANDARD, $LBS_EXTENDEDSEL, $LBS_DISABLENOSCROLL, $WS_VSCROLL, $WS_HSCROLL, $WS_BORDER))
GUICtrlSetData($ListOU, $sOU)
$btnCont2 = GUICtrlCreateButton("Continue", 7, 291, 768, 41, $WS_GROUP)
GUICtrlSetFont(-1, 20, 400, 0, "Impact")
GUISetState(@SW_SHOW)
#endregion ### END Koda GUI section ###
While 1
  $nMsg = GUIGetMsg()
  Switch $nMsg
   Case $GUI_EVENT_CLOSE
    Exit
   Case $btnCont2
    ; Check what OU has been selected in the listbox
    $selOU = _GUICtrlListBox_GetSelItems($ListOU)
    Global $selectedItem = $selOU[1] + 1
    ;Create computer account in AD
    Global $iComp = _AD_CreateComputer($adOU[$selectedItem][1], @ComputerName, "username")
    If $iComp = 1 Then
     MsgBox(64, "Successful", @ComputerName & " is in the Domain.", 5)
    ElseIf @error = 1 Then
     MsgBox(64, "Fail", "The Computers OU can not be found to create Computer account in AD.")
    ElseIf @error = 2 Then
     MsgBox(64, "Fail", @ComputerName & " already exists in the Domain.")
    ElseIf @error = 3 Then
     MsgBox(64, "Fail", "The user does not exist.")
    Else
      MsgBox(64, "Active Directory Functions", "Creating Computer account - Return code '" & @error & "' from Active Directory")    ; <== Debugging
    EndIf
    ;Join computer to AD account
    Global $iDom = _AD_JoinDomain(@ComputerName, "domain\username", "password")
    If $iDom = 1 Then
     MsgBox(64, "Successful", @ComputerName & " has now been joined to the Domain", 5)
    EndIf
    If @error = 1 Then
     MsgBox(64, "Fail", @ComputerName & " does not exist in the Domain.")
    ElseIf @error = 2 Then
     MsgBox(64, "Fail", "The user could not be found in the Domain.")
    ElseIf @error = 3 Then
     MsgBox(64, "Fail", "WMI Object could not be created. Return code - " & @extended)
    ElseIf @error = 4 Then
     MsgBox(64, "Fail", @ComputerName & " is already a member of the Domain.")
    ElseIf @error = 5 Then
     MsgBox(64, "Fail", @ComputerName & " was unable to join the Domain. Return code - " & @extended)
    EndIf
    _Final()
  EndSwitch
WEnd
_AD_Close()
EndFunc   ;==>_JoinDomain

[jazzyjeff]

Thanks Water. I have tried this, and here are my results:

@error: 0 @extneded: 1

@error:0 @extended:0

Then I receive the error 8525 again.

I am going to add a different username to the account that opens ad and joins the domain.

[jazzyjeff]

Ok, I changed the account and now it works. I setup a delegated account to join machines to the domain, but obviously something isn't working.

Thanks for your help. I am all set now. Just need to fix my delegated account.

[water]

Glad the problem could be solved

I still don't understand the cryptic extended error code. It looks like being a problem of missing permissions but the error code is quite misleading.

Edited October 25, 2011 by water

[jazzyjeff]

Is it misleading.

I ended up settings the delegation as shown in this URL, as opposed to using the pre-built delegation option of joining a PC to the domain.

http://support.microsoft.com/kb/932455

You're right it is a permission issue.

You're UDF is awesome by the way. It's used daily at our school for a login script and to give select users the ability to reset passwords and unlock accounts.