Should the Active Directory UDF support fine grained password policies?

6 members have voted

  1. Please select one of the following:

    • Yes - I need it now
    • Yes - not needed at the moment but (maybe) in the future
    • No - don't need it now (or in the future)
    • What the hell are you talking about?

Should the AD UDF support the fine grained password policy available since Windows Server 2012?

What do fine-grained password policies do?
You can use fine-grained password policies to specify multiple password policies in a single domain and apply different restrictions for password and account lockout policies to different sets of users in a domain.


From a support perspective I can say that of the 50 or so networks I encountered over the last 12 months only a handful were using this. That being said, I believe (like all UDF additions) it comes down to the level of effort for you to add it. If it is something you can add without tearing your hair out I think it has value; even if it will only serve 10% of users.


