Marc Posted February 5, 2008

Hi, I'm writing a small administration tool to check a user's account in Active Directory. The adfunctions.au3 has been a great help to me, and I'm quite happy with it, but... One part of it should be to detect whether a user is allowed to change his password (or not), to display this status - and I want to add a button to simply toggle this state. At first I thought "great, there's a flag PASSWD_CANT_CHANGE 0x0040 64" but that didn't work. Found this vbs code:

```vb
Const ADS_ACETYPE_ACCESS_DENIED_OBJECT = &H6
' Control access right "Change Password"
Const CHANGE_PASSWORD_GUID = "{ab721a53-1e2f-11d0-9819-00aa0040529b}"

Set objUser = GetObject("LDAP://cn=myerken,ou=management,dc=fabrikam,dc=com")
Set objSD = objUser.Get("nTSecurityDescriptor")
Set objDACL = objSD.DiscretionaryAcl
arrTrustees = Array("nt authority\self", "everyone")

' Remove the deny ACE for Self and Everyone on the Change-Password right
For Each strTrustee In arrTrustees
    For Each ace In objDACL
        If (LCase(ace.Trustee) = strTrustee) Then
            If ((ace.AceType = ADS_ACETYPE_ACCESS_DENIED_OBJECT) And (LCase(ace.ObjectType) = CHANGE_PASSWORD_GUID)) Then
                objDACL.RemoveAce ace
            End If
        End If
    Next
Next

' Put the modified ACL back into the descriptor before writing it
objSD.DiscretionaryAcl = objDACL
objUser.Put "nTSecurityDescriptor", objSD
objUser.SetInfo
```

and tried to convert it to AutoIt.
```autoit
; Assumes the following are already defined by adfunctions.au3 / the GUI:
;   $strHostServer, $strDNSDomain, $objConnection (ADO connection), $lbl_change (GUI label),
;   $USER_CHANGE_PASSWORD = "{ab721a53-1e2f-11d0-9819-00aa0040529b}",
;   $ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = 5, $ADS_ACETYPE_ACCESS_DENIED_OBJECT = 6
Func passwort_changeable($user)
    Local $oUsr
    Local $oSecDesc
    $strQuery = "<LDAP://" & $strHostServer & "/" & $strDNSDomain & ">;(sAMAccountName=" & $user & ");ADsPath;subtree"
    $objRecordSet = $objConnection.Execute($strQuery)
    ; Retrieve the ADsPath of the queried user
    $ldap_entry = $objRecordSet.fields(0).value
    $oUsr = ObjGet($ldap_entry) ; Retrieve the COM object for the user
    $oSecDesc = $oUsr.Get("ntSecurityDescriptor")
    $oACL = $oSecDesc.DiscretionaryACL

    ; Toggle the ACE type for Self / Everyone on the Change-Password right
    For $oACE In $oACL
        $tmp = StringUpper($oACE.Trustee)
        If ($oACE.ObjectType = $USER_CHANGE_PASSWORD) And (($tmp = "EVERYONE") Or ($tmp = "NT AUTHORITY\SELF")) Then
            If ($oACE.AceType = $ADS_ACETYPE_ACCESS_ALLOWED_OBJECT) Then
                $oACE.AceType = $ADS_ACETYPE_ACCESS_DENIED_OBJECT
            ElseIf ($oACE.AceType = $ADS_ACETYPE_ACCESS_DENIED_OBJECT) Then
                ; $oACL.RemoveAce($oACE)
                $oACE.AceType = $ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
            EndIf
        EndIf
    Next
    $oSecDesc.DiscretionaryACL = $oACL
    $oUsr.Put("ntSecurityDescriptor", $oSecDesc)
    $oUsr.SetInfo

    ; check and display status
    $oSecDesc = $oUsr.Get("ntSecurityDescriptor")
    $oACL = $oSecDesc.DiscretionaryACL
    For $oACE In $oACL
        If ($oACE.ObjectType = $USER_CHANGE_PASSWORD) And ($oACE.Trustee = "Everyone") Then
            If ($oACE.AceType = $ADS_ACETYPE_ACCESS_ALLOWED_OBJECT) Then
                GUICtrlSetData($lbl_change, "erlaubt")
                GUICtrlSetColor($lbl_change, 0x00aa00)
            Else
                GUICtrlSetData($lbl_change, "gesperrt")
                GUICtrlSetColor($lbl_change, 0xff0000)
            EndIf
        EndIf
    Next
EndFunc   ;==>passwort_changeable
```

Reading the status works, so it can display whether a user is allowed to change his password or not. However, every time I try to toggle the status, the status changes and after a second the status is automatically set back to the previous one.
Tried to convert another vbs example I've found:

```vb
Const ADS_ACETYPE_ACCESS_DENIED_OBJECT = &H6
Const ADS_ACEFLAG_OBJECT_TYPE_PRESENT = &H1
Const CHANGE_PASSWORD_GUID = "{ab721a53-1e2f-11d0-9819-00aa0040529b}"
Const ADS_RIGHT_DS_CONTROL_ACCESS = &H100

Set objUser = GetObject("LDAP://cn=myerken,ou=management,dc=fabrikam,dc=com")
Set objSD = objUser.Get("ntSecurityDescriptor")
Set objDACL = objSD.DiscretionaryAcl
arrTrustees = Array("nt authority\self", "EVERYONE")

' Add a deny ACE for the Change-Password control access right per trustee
For Each strTrustee In arrTrustees
    Set objACE = CreateObject("AccessControlEntry")
    objACE.Trustee = strTrustee
    objACE.AceFlags = 0
    objACE.AceType = ADS_ACETYPE_ACCESS_DENIED_OBJECT
    objACE.Flags = ADS_ACEFLAG_OBJECT_TYPE_PRESENT
    objACE.ObjectType = CHANGE_PASSWORD_GUID
    objACE.AccessMask = ADS_RIGHT_DS_CONTROL_ACCESS
    objDACL.AddAce objACE
Next

objSD.DiscretionaryAcl = objDACL
objUser.Put "nTSecurityDescriptor", objSD
objUser.SetInfo
```

but the result is the same, except that sometimes I get a hangup of the script during the .AddAce command (in my AutoIt conversion). Any suggestions, or even better, working code to achieve my goal? Best regards, Marc

Any of my own codes posted on the forum are free for use by others without any restriction of any kind. (WTFPL)
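As an added example (not code from the post, from adfunctions.au3, or from the VBS samples), the same check and toggle of the Self/Everyone deny ACEs on the Change-Password right, done through System.DirectoryServices in PowerShell so the ACL is handled by the managed security classes rather than hand-edited IADs objects. The function names, the sample DN and the assumption that the caller may read and modify the object's DACL are mine; it has not been run against the thread's domain.

```powershell
# Added example, not from the thread. Assumes $DistinguishedName is a user DN the
# caller can read, and (for Set-) that the caller may modify the object's DACL.
$ChangePasswordGuid = [Guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'  # GUID quoted in the thread
$Trustees = @('NT AUTHORITY\SELF', 'Everyone')

function Get-ChangePasswordDenyAces {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $user  = [ADSI]"LDAP://$DistinguishedName"
    $rules = $user.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    # Only deny ACEs on the Change-Password extended right held by Self or Everyone count
    $rules | Where-Object {
        $_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Deny -and
        $_.ObjectType -eq $ChangePasswordGuid -and
        $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
        $Trustees -contains $_.IdentityReference.Value
    }
}

function Test-UserCannotChangePassword {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $denied = @(Get-ChangePasswordDenyAces -DistinguishedName $DistinguishedName |
                ForEach-Object { $_.IdentityReference.Value })
    # Report each trustee separately: a deny ACE for only one of them is a half-set
    # state worth flagging in an audit, not a clean "allowed" or "blocked".
    [pscustomobject]@{
        User                 = $DistinguishedName
        SelfDenied           = $denied -contains 'NT AUTHORITY\SELF'
        EveryoneDenied       = $denied -contains 'Everyone'
        CannotChangePassword = ($denied -contains 'NT AUTHORITY\SELF') -and ($denied -contains 'Everyone')
    }
}

function Set-UserCannotChangePassword {
    param([Parameter(Mandatory)][string]$DistinguishedName, [bool]$Deny = $true)
    $user = [ADSI]"LDAP://$DistinguishedName"
    $sec  = $user.psbase.ObjectSecurity
    foreach ($name in $Trustees) {
        $rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
            [System.Security.Principal.NTAccount]$name,
            [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
            [System.Security.AccessControl.AccessControlType]::Deny,
            $ChangePasswordGuid)
        if ($Deny) { $sec.AddAccessRule($rule) } else { $sec.RemoveAccessRuleSpecific($rule) }
    }
    $user.psbase.CommitChanges()   # writes nTSecurityDescriptor back to the DC
}

# Sample DN constructed from the thread's VBS example
Test-UserCannotChangePassword -DistinguishedName 'CN=myerken,OU=management,DC=fabrikam,DC=com'
```

Re-run Test-UserCannotChangePassword after Set- to confirm the DC kept the change, which is the step that was reverting in the AutoIt version above.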
ptrex Posted February 5, 2008

@Marc This runs fine on my side. Maybe you forgot to include the constant values?

```autoit
#include <Array.au3>

Const $ADS_ACETYPE_ACCESS_DENIED_OBJECT = 6
Const $CHANGE_PASSWORD_GUID = "{ab721a53-1e2f-11d0-9819-00aa0040529b}"

$objUser = ObjGet("LDAP://cn=Patrick Taels,ou=IT,dc=Plastiflex,dc=be")
$objSD = $objUser.Get("nTSecurityDescriptor")
$objDACL = $objSD.DiscretionaryAcl
$arrTrustees = _ArrayCreate("nt authority\self", "everyone")

For $strTrustee In $arrTrustees
    For $ace In $objDACL
        If (StringLower($ace.Trustee) = $strTrustee) Then
            ConsoleWrite(StringLower($ace.Trustee) & " " & $ace.ObjectType & @LF)
            ConsoleWrite("Type " & $ace.ACETYPE & @LF)
            ConsoleWrite(@LF)
            If (($ace.ACETYPE = $ADS_ACETYPE_ACCESS_DENIED_OBJECT) And (StringLower($ace.ObjectType) = $CHANGE_PASSWORD_GUID)) Then
                ; $objDACL.RemoveAce($ace)
                ConsoleWrite($ace.ACETYPE)
            EndIf
        EndIf
    Next
Next

;$objUser.Put("nTSecurityDescriptor", $objSD)
;$objUser.SetInfo()
```

I did comment out the action lines.
regards ptrex Contributions :Firewall Log Analyzer for XP - Creating COM objects without a need of DLL's - UPnP support in AU3Crystal Reports Viewer - PDFCreator in AutoIT - Duplicate File FinderSQLite3 Database functionality - USB Monitoring - Reading Excel using SQLRun Au3 as a Windows Service - File Monitor - Embedded Flash PlayerDynamic Functions - Control Panel Applets - Digital Signing Code - Excel Grid In AutoIT - Constants for Special Folders in WindowsRead data from Any Windows Edit Control - SOAP and Web Services in AutoIT - Barcode Printing Using PS - AU3 on LightTD WebserverMS LogParser SQL Engine in AutoIT - ImageMagick Image Processing - Converter @ Dec - Hex - Bin -Email Address Encoder - MSI Editor - SNMP - MIB ProtocolFinancial Functions UDF - Set ACL Permissions - Syntax HighLighter for AU3ADOR.RecordSet approach - Real OCR - HTTP Disk - PDF Reader Personal Worldclock - MS Indexing Engine - Printing ControlsGuiListView - Navigation (break the 4000 Limit barrier) - Registration Free COM DLL Distribution - Update - WinRM SMART Analysis - COM Object Browser - Excel PivotTable Object - VLC Media Player - Windows LogOnOff Gui -Extract Data from Outlook to Word & Excel - Analyze Event ID 4226 - DotNet Compiler Wrapper - Powershell_COM - New
Marc Posted February 5, 2008 Author

Hi ptrex, thanks for your help! Integrated your code - same result. If I re-check in AD, the box "cannot change password" is still checked. So I tried to run your code as a standalone script - except for the fact that I had to use a custom error handler to prevent ==> The requested action with this object has failed.: $objUser.SetInfo() the result is quite the same. Funny. Seems I'll have some fun with this.... ^^ Best regards, Marc
Danp2 Posted February 5, 2008

Possible rights issue? What errors are generated when you issue the SetInfo() command? Latest Webdriver UDF Release Webdriver Wiki FAQs
ptrex Posted February 5, 2008

@Marc I know that for some functions that write back to AD you have to use "PutEx" instead of Put? Check out if that is the issue. regards ptrex
Marc Posted February 6, 2008 Author

Hi all, back to work... Error Number: 80020009 "Es ist eine Beschränkungsverletzung aufgetreten". The translation should be "a constraint violation has occurred". Hmmm, seems to me like I'd not be allowed to change this attribute. Funny thing, because using the Microsoft Active Directory tool, I can enable/disable the account as I wish. Googled a little and found http://support.microsoft.com/kb/239835/EN-US/ but to be honest, I don't get it... Using .PutEx instead of .Put creates an 80020005 Type Conflict Error. So I tested both the .vbs scripts included in my first posting to check if the problem resides in the AutoIt code, but amazingly the vbs scripts generate a different error: 8007202F "a constraint violation occurred". Same message, but different number... http://prijks.esgeroth.org/log/viewentry.php?id=1435 suggests it could be an invalid value to be inserted into a field. Hmmmmm.... Tried it with several accounts, same result. Any suggestions? Marc
guaikahenguai Posted May 11, 2023

Excuse me, has the problem been solved yet? I have the same problem and need help!😭