Active Directory UDF

[RvS]

Hi water, the CreateUser function nor your property suggestion seems to do the trick. The box stating the user must change their password @ next login remains unchecked...

$var = _AD_ModifyAttribute($Username, "pwdLastSet", "-1")

and

$var = _AD_ModifyAttribute($Username, "pwdLastSet", -1)

both don't check the box.

[water]

Sorry, my fault.

-1 stands for: Password has not expired

0 stands for: Password has expired

So please replace -1 with 0.

[RvS]

Brilliant. Works like a charm.

Small question; CreateMailbox script does not work anymore for post-2007 servers? Running Exchange 2010 Server.

It'd be really great if my tool could automate both user account, profile folders AND mailboxes.

[water]

Unfortunately the required API to create mailboxes as used in function _AD_CreateMailbox was dropped after Exchange 2003.

With Exchange 2010 you will have to use another approach.

I'm in the same situation at the moment and I think I will call a powershell script from my AutoIt skript.

Whatever solution you choose, can you please report your experience?

[RvS]

Yeah I was leaning towards PowerShell as well. I'll see what I can setup. All mine has to do is create a User Mailbox.

[water]

I haven't tested it yet but my first try will be something like this:

$sUser = "Domain\User"
$iResult = RunWait(@ComSpec & " /c " & "powershell -Enable-Mailbox -Identity " & $sUser, "", @SW_HIDE)

[Yorn]

Water, here's a bit more info about how I get active directory info on the recovery keys. I used AdFind located here:

http://www.joeware.net/freetools/tools/adfind/index.htm

Then I do a query like this:

adfind -b cn=<WorkstationName>,ou=<SubOU>,ou=Workstations,dc=home,dc=com -f "objectcategory=msFVE-RecoveryInformation" msFVE-RecoveryPassword

And it gives me the Recovery Password that I need.

The comments section here has info as well:

http://blog.powershell.no/2010/10/24/export-bitlocker-information-using-windows-powershell/

I can do this in PowerShell, but not in AutoIt presently. I think I could do it if I grab the msFVE-RecoveryInformation "object" and then pull attributes from that, but I don't know for sure how to make sure I'm getting the right object based on a computername. Basically, I'd like to be able to do something like this:

$RecoveryPass = GetRecoveryInfo("ComputerName","msFVE-RecoveryPassword")

If that makes sense?

[water]

What do you get if you try

#include <ad.au3>
_AD_Open()
$sAD_OU = ""
$aResult = _AD_GetObjectsInOU($sAD_OU, "(objectcategory=msFVE-RecoveryInformation)", 2 , "distinguishedname")
if @error <> 0 Then Exit Msgbox(64, "AD Test", "_AD_GetObjectsInOU @error: " & @error & ", @extended: " & @extended)
_ArrayDisplay($aResult, "Result of _AD_GetObjectsInOU")
$aResult = _AD_GetObjectProperties($aResult[1])
if @error <> 0 Then Exit Msgbox(64, "AD Test", "_AD_GetObjectProperties @error: " & @error & ", @extended: " & @extended)
_ArrayDisplay($aResult, "Result of _AD_GetObjectProperties")
_AD_Close()

[Yorn]

It returned with the list of objects that met that criteria and were Bitlocker PCs, then the second screen was the array that I needed. I see what you're doing now, I can do this to put the right info for sure I think. Thanks!

here's what the first screen looked like:

The second screen had the actual recovery info so I can't paste it, but I get the idea from here.

[water]

Glad you got it working!

I hope you access the Active Directory using an administrator account because this kind of information shouldn't be accessible by ordinary users.

[RvS]

I haven't tested it yet but my first try will be something like this:

$sUser = "Domain\User"
$iResult = RunWait(@ComSpec & " /c " & "powershell -Enable-Mailbox -Identity " & $sUser, "", @SW_HIDE)

This:

New-Mailbox -Name $Name -Alias $Alias -OrganizationalUnit 'domain.domain/Users' -UserPrincipalName $UPN -SamAccountName $SAM -FirstName $FirstName -Initials '' -LastName $LastName -Password $Password -ResetPasswordOnNextLogon $true -Database 'DBNAME'

Has worked like a charm for me.

EDIT: Doesn't work if user already exists. Finding workaround...

Edited July 21, 2011 by RvS

[RvS]

K, now I got it.

Enable-Mailbox -Identity 'domain.domain\rvstest' -Database 'DB01'

Works for existing users.

[water]

Thanks a lot for your reply!

Will be very useful as soon as I have to create a mailbox on Exchange 2010!

[RvS]

Thanks a lot for your reply!

Will be very useful as soon as I have to create a mailbox on Exchange 2010!

Quick question. I'm using PowerGUI for script writing, which allows me to enable PowerShell modules (I ticked on AD + Exchange modules)

My code then works, from PowerGUI. From normal PowerShell started in Win7, it will not. It spits out

The term 'Enable-Mailbox' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct

and try again.

At \\share\createmail.ps1:1 char:15

+ Enable-Mailbox <<<< -Identity 'domain.domain\rvstest' -Database 'DB01'

+ CategoryInfo : ObjectNotFound: (Enable-Mailbox:String) [], CommandNotFoundException

+ FullyQualifiedErrorId : CommandNotFoundException

when I fire Enable-Mailbox -Identity 'domain.domain\rtesting' -Database 'EXDB01' into the command line.

I reproduced this behaviour in the scripting program when I ticked off AD+Exchange modules.

Halp. It needs to run under normal PowerShell.

Edited July 21, 2011 by RvS

[water]

I'm not sure if this helps, but ...

When i searched the Internet a few months ago I've put aside the following links which describe how to connect to an Exchange server to run PS skripts to create a mailbox.

http://technet.microsoft.com/en-us/library/dd297932.aspx

http://technet.microsoft.com/en-us/library/dd297939.aspx

http://technet.microsoft.com/en-us/library/aa998251.aspx (CmdLet)

[RvS]

Calling the Exchange shell from cmd works perfectly.

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command ". 'C:\Program Files\Microsoft\Exchange Server\V14\bin\RemoteExchange.ps1'; Connect-ExchangeServer -auto; Enable-Mailbox -Identity 'domain.domain\rvstest' -Database 'DB01'"

Slap @SW_HIDE on it and it won't even be visible.

Edited July 21, 2011 by RvS

[HaeMHuK]

Hi water!

Could you please help me to correct the script.

$oAD_Command.CommandText = "<LDAP://" & $sAD_HostServer & "/" & $sAD_DNSDomain & ">;(&(objectCategory=person)(objectClass=user));uidNumber;subtree"
Local $oAD_RecordSet = $oAD_Command.Execute
Do 
$oAD_RecordSet.EOF
$strName = $oAD_RecordSet.Fields("uidNumber").Value
_ArrayDisplay($strName, "")
$oAD_RecordSet.MoveNext
Until $strName=50000

It must take the max value of all uidNumber attributes in AD.

[RvS]

RunAsWait("admin", "domain", "password", 0, "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command "". 'C:\Program Files\Microsoft\Exchange Server\V14\bin\RemoteExchange.ps1'; Connect-ExchangeServer -auto; Enable-Mailbox -Identity 'domain.domain\" & $Username & "' -Alias '" & $Username & "' -Database 'MAILDB'""", "", @SW_HIDE) ;Creates mailbox for specified user
Sleep(6000)
RunAsWait("admin", "domain", "password", 0, "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command "". 'C:\Program Files\Microsoft\Exchange Server\V14\bin\RemoteExchange.ps1'; Connect-ExchangeServer -auto; Set-Mailbox -Identity 'domain.domain\" & $Username & "' -EmailAddressPolicyEnabled:$True""", "", @SW_HIDE)  ;Enables mail policy

The first line makes the mailbox for an existing user, the second line is a fix to a weird bug. Our policy adds an x400 and some aliases. By default, the box that applies the policies is ticked in the mailbox properties, but it doesn't actually apply them. Only if I untick/tick it by hand and Apply from the Console or run that second line it will actually apply the policy and add the aliases/x400. Not a big hassle. The Sleep() is required, it needs a moment to create the mailbox. Without the Sleep() the 2nd script will tell me the user doesn't exist.

[water]

I would try something like this:

#include <ad.au3>
_AD_open()
$aResult = _AD_GetObjectsInOU("", "(&(objectCategory=person)(objectClass=user))", 2, "uidnumber")
ConsoleWrite(@error & @CRLF)
_Arraydisplay($aResult)
_AD_Close()

I can't find a "uidnumber" in my AD

Edited July 22, 2011 by water

[water]

@RvS

Thanks a lot for posting your findings! They will come in handy in about 6 months.