Active Directory UDF - Help & Support (III)

[water]

It works like it does by design. Function _AD_RenameObject uses the MoveHere method to rename the object. It doesn't change any properties of the object.

If you want to change property Displayname then you need to use function _AD_ModifyAttribute.

Edited July 16, 2014 by water

[kor]

It works like it does by design. Function _AD_RenameObject uses the MoveHere method to rename the object. It doesn#t change any properties of the object.

If you want to change property Displayname then you need to use function _AD_ModifyAttribute.

did it with powershell instead.

get-adgroup -identity "<oldname>" | rename-adobject -newname "<newname>" -passthru | set-adgroup -displayname "<newname>" -samaccountname "<newname>"

Edited July 6, 2014 by kor

[water]

PS is fine but it takes ages to execute simple commands and it eats up a lot of ressources.

_AD_RenameObject plus _AD_ModifyAttribute should be much faster

[water]

Version 1.4.1.1 (Bug fix) of the UDF has been released.

Only runs with AutoIt 3.3.12.0 and later.

Please test before using in production!

For download please see my signature.

Edited July 21, 2014 by water

[PaddyStar]

I would like to get from firstname and lastname the @UserName / logon name via ad scritp

I didn't find a solution so maybe you could help me

[water]

Something like this?

#include <AD.au3>

; Open Connection to the Active Directory
_AD_Open()
If @error Then Exit MsgBox(16, "Active Directory Example Skript", "Function _AD_Open encountered a problem. @error = " & @error & ", @extended = " & @extended)

Global $sGivenName = "Jon"
Global $sSN = "Doe"
Global $aObjects[1][1]
Global $sOU = "" ; Search all OUs

$aObjects = _AD_GetObjectsInOU($sOU, "(&(SN=" & $sSN & ")(Givenname=" & $sGivenName & "))", 2, "sAMAccountName")
If @error > 0 Then
    MsgBox(64, "Active Directory Functions - Example 1", "No OUs could be found")
Else
    _ArrayDisplay($aObjects, "Active Directory Functions")
EndIf

; Close Connection to the Active Directory
_AD_Close()

[Tim33]

Hello, again in the new version 1.4.1.1 the function _AD_IsObjectLocked does always return 0
 
For all who need the function, this code is working:

Func _IsObjectLocked($sFQDN)
    $objuser = ObjGet("LDAP://" & $sFQDN)
    $objLockout = $objuser.get("lockouttime")

    If Not IsObj($objLockout) Then Return ;not locked

    If $objLockout.lowpart = 0 And $objLockout.highpart = 0 Then
        Return ;not locked
    Else
        Return 1 ;locked
    EndIf
EndFunc   ;==>_IsObjectLocked

Edited August 14, 2014 by Tim33

[water]

Do you have a source on the web that describes that your calculation is valid for all releases of AD?

According to my source it seems to be much more complex.

[water]

This site describes how to calculate if the user is locked.

[water]

I just checked the old versions of the UDF and nothing has changed in this function since October 2011.

Do you use the fine grained password policy?

[Tim33]

I just checked the old versions of the UDF and nothing has changed in this function since October 2011.

Do you use the fine grained password policy?

 

So you have not integrated the results from our test sesssion 3 months ago?

'?do=embed' frameborder='0' data-embedContent>>

[water]

Ops. Seems I missed that.

Will be part of the next release. Sorry.

[water]

Done.

In the meantime replace function _AD_GetPasswordInfo in the AD UDF with this code:

expandcollapse popup

Func _AD_GetPasswordInfo($sObject = @UserName)

    If _AD_ObjectExists($sObject) = 0 Then Return SetError(1, 0, "")
    If StringMid($sObject, 3, 1) <> "=" Then $sObject = _AD_SamAccountNameToFQDN($sObject) ; sAMAccountName provided
    Local $iError = 0
    Local $aPwdInfo[13] = [12]
    Local $oObject = __AD_ObjGet("LDAP://" & $sAD_HostServer & "/" & $sAD_DNSDomain)
    $aPwdInfo[1] = Int(__AD_Int8ToSec($oObject.Get("maxPwdAge"))) / 86400 ; Convert to Days
    $aPwdInfo[2] = __AD_Int8ToSec($oObject.Get("minPwdAge")) / 86400 ; Convert to Days
    $aPwdInfo[3] = $oObject.Get("pwdHistoryLength")
    $aPwdInfo[4] = $oObject.Get("minPwdLength")
    ; Account lockout duration: http://msdn.microsoft.com/en-us/library/ms813429.aspx
    ; http://www.autoitscript.com/forum/topic/158419-active-directory-udf-help-support-iii/page-5#entry1173322
    $aPwdInfo[5] = __AD_Int8ToSec($oObject.Get("lockoutDuration")) / 60 ; Convert to Minutes
    If $aPwdInfo[5] < 0 Or $aPwdInfo[5] > 99999 Then $aPwdInfo[5] = 0
    $aPwdInfo[6] = $oObject.Get("lockoutThreshold")
    $aPwdInfo[7] = __AD_Int8ToSec($oObject.Get("lockoutObservationWindow")) / 60 ; Convert to Minutes
    Local $oUser = __AD_ObjGet("LDAP://" & $sAD_HostServer & "/" & $sObject)
    Local $sPwdLastChanged = $oUser.Get("PwdLastSet")
    Local $iUAC = $oUser.userAccountControl
    ; Has user account password been changed before?
    If $sPwdLastChanged.LowPart = 0 And $sPwdLastChanged.HighPart = 0 Then
        $iError += 3
        $aPwdInfo[8] = "1601/01/01 00:00:00"
        $aPwdInfo[10] = "1601/01/01 00:00:00"
    Else
        Local $sTemp = DllStructCreate("dword low;dword high")
        DllStructSetData($sTemp, "Low", $sPwdLastChanged.LowPart)
        DllStructSetData($sTemp, "High", $sPwdLastChanged.HighPart)
        ; Have to convert to SystemTime because _Date_Time_FileTimeToStr has a bug (#1638)
        Local $sTemp2 = _Date_Time_FileTimeToSystemTime(DllStructGetPtr($sTemp))
        $aPwdInfo[10] = _Date_Time_SystemTimeToDateTimeStr($sTemp2, 1)
        ; Convert PwdlastSet from UTC to Local Time
        $sTemp2 = _Date_Time_SystemTimeToTzSpecificLocalTime(DllStructGetPtr($sTemp2))
        $aPwdInfo[8] = _Date_Time_SystemTimeToDateTimeStr($sTemp2, 1)
        ; Is user account password set to expire?
        If BitAND($iUAC, $ADS_UF_DONT_EXPIRE_PASSWD) = $ADS_UF_DONT_EXPIRE_PASSWD Or $aPwdInfo[1] = 0 Then
            If BitAND($iUAC, $ADS_UF_DONT_EXPIRE_PASSWD) = $ADS_UF_DONT_EXPIRE_PASSWD Then $iError += 2
            If $aPwdInfo[1] = 0 Then $iError += 4 ; The Maximum Password Age is set to 0 in the domain. Therefore, the password does not expire
        Else
            $aPwdInfo[11] = _DateAdd("d", $aPwdInfo[1], $aPwdInfo[10])
            $sTemp2 = _Date_Time_EncodeSystemTime(StringMid($aPwdInfo[11], 6, 2), StringMid($aPwdInfo[11], 9, 2), StringMid($aPwdInfo[11], 1, 4), StringMid($aPwdInfo[11], 12, 2), StringMid($aPwdInfo[11], 15, 2), StringMid($aPwdInfo[11], 18, 2))
            ; Convert PasswordExpires from UTC to Local Time
            $sTemp2 = _Date_Time_SystemTimeToTzSpecificLocalTime(DllStructGetPtr($sTemp2))
            $aPwdInfo[9] = _Date_Time_SystemTimeToDateTimeStr($sTemp2, 1)
        EndIf
    EndIf
    $aPwdInfo[12] = $oObject.Get("pwdProperties")
    Return SetError($iError, 0, $aPwdInfo)

EndFunc   ;==>_AD_GetPasswordInfo

[Tim33]

THX..just tested and it works!

Edited August 18, 2014 by Tim33

[water]

It is still a bit strange how MS calculates this values. Didn't find anything useful on the web.

[beast]

I try to use   _AD_GetObjectsInOU from exempel but need help.

 

This work but I try to get it in a listbox

$aObjects = _AD_GetObjectsInOU("", "(ANR=" & $sGivenName & ")", 2, "sAMAccountName,displayname", "displayname")
_ArrayDisplay($aObjects, "User find '" & $sGivenName & "'")

My try to get this user list in a listbox

GU$aObjects = _AD_GetObjectsInOU("", "(ANR=" & $sGivenName & ")", 2, "sAMAccountName,displayname", "displayname")
;_GUICtrlListBox_InsertString($List1x, _ArrayToString($aObjects), 4)
GUICtrlSetData($List1x, _ArrayToString($aObjects))
_GUICtrlListBox_UpdateHScroll($List1x)
_GUICtrlListBox_EndUpdate($List1x)

But listbox stay empty

[water]

You ask for two properties ("sAMAccountName,displayname"). That returns a 2D array which I'm not sure _ArrayToString handles the way GUICtrlSetData expects the data for a ListBox.

IIRC a ListBox can only handle a single "column".

[Endot]

I might have posted in the wrong thread :/

Here's the post:

 

Hello!

I'm trying to create a script to reset all users in a targeted OU to a preset password. 

I seem to be having issues in the loop section.

AutoIt        expand  popup

#AutoIt3Wrapper_AU3Check_Parameters= -d -w 1 -w 2 -w 3 -w 4 -w 5 -w 6
#AutoIt3Wrapper_AU3Check_Stop_OnWarning=Y
; *****************************************************************************
; Sets the password for all users
; *****************************************************************************
#include <AD.au3>
#include <ButtonConstants.au3>
#include <GUIConstantsEx.au3>
#include <WindowsConstants.au3>

; Open Connection to the Active Directory
_AD_Open("Administrator", "password")
If @error Then Exit MsgBox(16, "Active Directory Master Password Reset", "Function _AD_Open encountered a problem. @error = " & @error & ", @extended = " & @extended)

Global $iReply = MsgBox(308, "Active Directory Master Password Reset", "This script changes the password for all Users in the 'Quality' OU." & @CRLF & @CRLF & _
        "Are you sure you want to change the Active Directory?")
If $iReply <> 6 Then Exit

Global $aUsers
Global $sOU = "OU=Users,OU=Quality,OU=Engineering,DC=dev,DC=fbf"
$aUsers = _AD_GetObjectsInOU($sOU, "(objectclass=user)", 2, "name,samaccountname")
_ArraySort($aUsers, 0, 1)

For $i = 1 to $aUsers[0]
    Global $iValue = _AD_SetPassword( _AD_FQDNToSamAccountName($aUsers[$i]) & , "demo")
   If $iValue = 1 Then
    MsgBox(64, "Active Directory Functions - Set Password", "Password for user '" & $sUser & "' successfully changed")
   Else
    MsgBox(64, "Active Directory Functions - Set Password", "Return code '" & @error & "' from Active Directory")
   EndIf
Next
_AD_Close()

The error I'm receiving:

 

Any idea where I went wrong?

[Endot]

Got it worked out. There was a number of things I was doing incorrectly actually, mainly how I was attempting to target users using _AD_FQDNToSamAccountName when I'd already gotten their SamAccountname.

Finished script:

; Open Connection to the Active Directory
_AD_Open("Administrator", "password")
If @error Then Exit MsgBox(16, "Active Directory Master Password Reset", "Function _AD_Open encountered a problem. @error = " & @error & ", @extended = " & @extended)

Global $iReply = MsgBox(308, "Active Directory Master Password Reset", "This script changes the password for all Users in the 'Quality' OU." & @CRLF & @CRLF & _
        "Are you sure you want to change the Active Directory?")
If $iReply <> 6 Then Exit

Global $aUsers[30]
Global $sOU = "OU=Users,OU=Quality,OU=Engineering,DC=dev,DC=fbf"
$aUsers = _AD_GetObjectsInOU($sOU, "(objectclass=user)", 2, "samaccountname")

FileWriteLine("log.txt", @Hour & ":" & @Min & ":" & @Sec & " - " & "Beginning Password Reset..." )
For $i = 1 to $aUsers[0]
    Global $iValue = _AD_SetPassword($aUsers[$i], "demo")
    If @error Then Exit FileWriteLine("log.txt", @Hour & ":" & @Min & ":" & @Sec & " - " "There was an issue changing the password for " & $aUsers[$i] & " - @error = " & @error & ", @extended = " & @extended)
    FileWriteLine("log.txt", @Hour & ":" & @Min & ":" & @Sec & " - " & $aUsers[$i] & "'s password changed to 'demo'" )
Next
FileWriteLine("log.txt", @Hour & ":" & @Min & ":" & @Sec & " - " & "Ending Password Reset" )
_AD_Close()

[beast]

You ask for two properties ("sAMAccountName,displayname"). That returns a 2D array which I'm not sure _ArrayToString handles the way GUICtrlSetData expects the data for a ListBox.

IIRC a ListBox can only handle a single "column".

 

THX i did some reading and this works for me.

$List1x = _GUICtrlListView_Create($Form2x, "", 16, 56, 593, 266)
   _GUICtrlListView_AddColumn($List1x, "User Name", 100)
    _GUICtrlListView_AddColumn($List1x, "Full Name", 100)
  $aObjects = _AD_GetObjectsInOU("", "(ANR=" & $sGivenName & ")", 2, "sAMAccountName,displayname", "displayname")
    _GUICtrlListView_AddArray($List1x, $aObjects)

Edited August 28, 2014 by beast