New AD user accounts created with UDF _AD - (Moved)

[pfdragon]

Hello,

New to the forum but have been using Autoit for several years.  Hoping someone can help me with this issue.

I have a script that we have been using for years that creates AD accounts based on a file that is generated each night from our HR system.  I use the _AD UDF by water and it has been invaluable to automating some daily AD tasks.  My issue is that we just discovered that the accounts that are created with the _AD_CreateUser function is assigning the "PASSWR_NOTREQD" attribute so the "userAccountControl" attribute is set to 544.  I believe this is a normal AD function when an account is created with no password being initially set.  We do however set a password on the account as part of the script when the account is created.  So, my initial thought was I could use the _AD_ModifyAttribute function and reset the "userAccountControl" attribute to 512, (just normal user).  Unfortunately I keep getting an AD error code -2147352567 when I try and do this.

Anyone know a way around this so that these user account do not have the "PASSWR_NOTREQD" set when the account is created?  Am I doing something incorrectly when I create the account using _AD_CreateUser?

 

; This is the statement I'm using to create the account
$iResult = _AD_CreateUser($sOU, $sUserID, $sDisplayName)

 

; This is the statement I'm using to try and update the userAccountControl Attribute
        $iResult = _AD_ModifyAttribute($sUserID, "userAccountControl", $sUserAccountControl, 2)

TIA,

 

[Jos]

Moved to the appropriate AutoIt General Help and Support forum, as the Developer General Discussion forum very clearly states:

Quote

General development and scripting discussions.

---

Do not create AutoIt-related topics here, use the AutoIt General Help and Support or AutoIt Technical Discussion forums.

Moderation Team

[water]

The UserAccountConrol attribute is a combination of many flags (described here). You can't simply set a single value.
How to manage users is described here.

Neither the _AD_CreateUser function nor any other function of the AD UDF provides an option to change the user account control though a lot of functions do set the UAC.
I have written such a function to solve the problem by using function _AD_DisableObject as a template.
MS provides an example in VB here.

Unfortunately I do no longer have access to an Active Directory. The following code is hence UNTESTED.
Please use this function at your own risk and run it on your Test AD System!
If it works I will be happy to add _AD_ModifyUAC to the AD UDF.

Function _AD_ModifyUAC allows to set or unset UAC flags.

; $iFunction = 1: The $iFlag bits are set in UAC.
; $iFunction = 2: The $iFlag bits are unset in UAC.

EXAMPLE:
  _AD_ModifyUAC(Your_User_Object, $ADS_UF_PASSWD_NOTREQD, 2)  ; Unsets the $ADS_UF_PASSWD_NOTREQD UAC flag.

Func _AD_ModifyUAC($sObject, $iFlag, $iFunction)
    If Not _AD_ObjectExists($sObject) Then Return SetError(1, 0, 0)
    If StringMid($sObject, 3, 1) <> "=" Then $sObject = _AD_SamAccountNameToFQDN($sObject) ; sAMAccountName provided
    Local $oObject = __AD_ObjGet("LDAP://" & $sAD_HostServer & "/" & $sObject)
    Local $iUAC = $oObject.Get("userAccountControl")
    If $iFunction = 1 Then $oObject.Put("userAccountControl", BitOR($iUAC, $iFlag))
    If $iFunction = 2 Then $oObject.Put("userAccountControl", BitXOR($iUAC, $iFlag))
    $oObject.SetInfo
    If @error Then Return SetError(@error, 0, 0)
    Return 1
EndFunc   ;==>_AD_ModifyUAC

 

[pfdragon]

Water,

Thanks for all the info and the UAC function.  I added the function to my test script and tested it with a test user account.  But still the UAC is not updating.

Below is the code I'm using to call the UAC function.  I'm passing the sAMAccountName as $sUserID.   Do I need to pass the full DN rather than just the sAMAccountName?

the return code error I get is -2147352567

Thanks for your help on this.

 

 

; Update the userAccountControl
        $iResult = _AD_ModifyUAC($sUserID, $ADS_UF_PASSWD_NOTREQD, 2)  ; Unsets the $ADS_UF_PASSWD_NOTREQD UAC flag.
        If $iResult = 1 Then    ; Success
            _FileWriteLog($LogFilePath, "INFO" & @TAB & "First Name:" & @TAB & GUICtrlRead($txtFirstName))
        ElseIf @error = 1 Then
            MsgBox(64, "AD userAccountControl Error", "User '" & $sUserID & "' does not exist")
        Else
            MsgBox(64, "AD userAccountControl Error", "Return code '" & @error & "' from Active Directory")
        EndIf

 

[water]

Could you please add 

_AD_ErrorNotify(1)

at the top of your script?
You should receive more detailed error information on the console.

-2147352567 stands for HResult 0x80020009 which is a "general exception".

[pfdragon]

Ok added that and ran a test.  Console output is below.

 

COM Error Encountered in RMC_UserID_Tool - v7 - RMCSQLAGL.au3
AD UDF version = 1.6.3
@AutoItVersion = 3.3.14.5
@AutoItX64 = 1
@Compiled = 0
@OSArch = X64
@OSVersion = WIN_10
Scriptline = 598
NumberHex = 0x80020009
Number = -2147352567
WinDescription = Exception occurred.
Description = The server is unwilling to process the request.
Source = Active Directory
HelpFile = 
HelpContext = 0
LastDllError = 0
========================================================

[pfdragon]

Line 598 within the UAC function.

line 598 contents:    $oObject.SetInfo

[water]

Never have seen the "unwilling" message before.
I consulted Dr. Google and he came up with the following suggestion: 

Quote

You need to do it in the following order:

• Create the user
• Commit changes
• Set the password
• Commit changes
• Change the attributes
• Commit changes

i.e. Set the password BEFORE doing any attribute CRUD stuff.

Maybe this helps.

[pfdragon]

Well as weird as that is, it worked!!

I adjusted the order to match the above and no errors.

 

[water]

I'm glad that a 12-year-old post is still able to solve today's problems  

[pfdragon]

Yes.  It all makes sense now that you laid it out.

Thank you for all your help on this.  Your AD functions have really saved us a lot of time over the years being able to automate the onboarding and termination of employee accounts in AD.

thanks again.

[water]

automate the onboarding and termination of employee accounts in AD.

That's exactly the reason why I started to brush up Wooltowns AD UDF in the first place.
The UAC function will be added to the next release of the AD UDF