Active Directory UDF - Help & Support

[water]

Hi jazzyjeff,

thanks a lot for the clarification. So if anyone has the same problem in the future he can find the solution here.

I'm glad the UDF is of use to you. Johny Clelland started the AD UDF long time ago - I just brushed it up and added some functionality over time based on user demand.

[jazzyjeff]

Hey Water,

I'm trying something new for in your UDF and I am not able to get it working. I would like the _AD_IsObjectDisabled() function to change a label if the object is locked. The trouble is the function will say that the account is not disabled if I set it to 1, and I know that it is.

Here is the code:

Func _LockOutStatus()
Local $LockoutStatus = _AD_IsObjectLocked($vUsername2)
Local $DisabledStatus = _AD_IsObjectDisabled($vUsername2)
If $LockoutStatus = 1 Then
  $lblLockoutStatus = GUICtrlCreateLabel("Locked", 120, 85, 81, 20)
  GUICtrlSetFont(-1, 10, 800, 0, "Arial")
  GUICtrlSetColor(-1, 0xff0000)
  GUICtrlSetBkColor(-1, 0xffffff)
ElseIf $LockoutStatus = 0 And $DisabledStatus = 1 Then
  MsgBox(0, "", @error)
  $lblLockoutStatus = GUICtrlCreateLabel("Disabled", 120, 85, 81, 20)
  GUICtrlSetFont(-1, 10, 800, 0, "Arial")
  GUICtrlSetColor(-1, 0xFF8000)
  GUICtrlSetBkColor(-1, 0xffffff)
ElseIf $LockoutStatus = 0 Then
  $lblLockoutStatus = GUICtrlCreateLabel("Unlocked", 120, 85, 81, 20)
  GUICtrlSetFont(-1, 10, 800, 0, "Arial")
  GUICtrlSetColor(-1, 0x33cc00)
  GUICtrlSetBkColor(-1, 0xffffff)
EndIf
EndFunc   ;==>_LockOutStatus

The lockout part seems to be working great, so I am confident that the username variable is being read correctly.

The error I receive from the @error macro is, 1. This suggests that AD is unable to find the account, but I don't understand why it can't find it, when it obviously can for the Lockout function.

Any ideas are appreciated.

Thanks,

Jeff

[jazzyjeff]

What do you know, I made a mistake! Sorry for the post peeps. The code was fine in this function. It turns out I did have a typo when looking up a combobox for the username. When I used a msgbox to verify the username, it wasn't correct. So I guess the unlock feature wasn't working as it should have been.

[water]

The function can be stripped down a bit. I'm going to test the AD functions tomorrow. I see you already solved the problem.

Func _LockOutStatus()
  $lblLockoutStatus = GUICtrlCreateLabel("Unlocked", 120, 85, 81, 20)
  GUICtrlSetFont(-1, 10, 800, 0, "Arial")
  GUICtrlSetColor(-1, 0x33cc00)
  GUICtrlSetBkColor(-1, 0xffffff)
  Local $LockoutStatus = _AD_IsObjectLocked($vUsername2)
  Local $DisabledStatus = _AD_IsObjectDisabled($vUsername2)
  If $LockoutStatus = 1 Then
    GUICtrlSetData($lblLockoutStatus, "Locked")
    GUICtrlSetColor($lblLockoutStatus, 0xff0000)
    GUICtrlSetBkColor($lblLockoutStatus, 0xffffff)
  ElseIf $DisabledStatus = 1 Then
    GUICtrlSetData($lblLockoutStatus, "Disabled")
    GUICtrlSetColor($lblLockoutStatus, 0xFF8000)
    GUICtrlSetBkColor($lblLockoutStatus, 0xffffff)
  EndIf
EndFunc ;==>_LockOutStatus

Edited November 15, 2011 by water

[water]

Version 1.2.0 has been released.

Please test before using in production!

For download please see my signature.

[Syed23]

Hi Water,

How are you? i need a help to enhance my tool! i have a tool which will collect the entire details of a particular machine from AD. Now i wanted to collect BitLocker Recovery Key from AD. Can we do that ? i am using _AD_GetObjectProperties() function. What i have to do or what i have to add to make work that? please help me!

[water]

Hi Syed,

fine so far. I hope you are well too!

If you start reading with this I'm sure you get the information you need.

[Syed23]

Thanks a lot water! I am fine too! This post has the information i needed. I got the script below from that post.. but hope this retrives the entire details from the complete OU. can we do it for a single machine? like if i give the machine account it should get the Bitlocker Recover Key detail for that machine. Sorry for being poor to fulfil myself

#include <ad.au3>
_AD_Open()
$sAD_OU = ""
$aResult = _AD_GetObjectsInOU($sAD_OU, "(objectcategory=msFVE-RecoveryInformation)", 2 , "distinguishedname")
if @error <> 0 Then Exit Msgbox(64, "AD Test", "_AD_GetObjectsInOU @error: " & @error & ", @extended: " & @extended)
_ArrayDisplay($aResult, "Result of _AD_GetObjectsInOU")
$aResult = _AD_GetObjectProperties($aResult[1])
if @error <> 0 Then Exit Msgbox(64, "AD Test", "_AD_GetObjectProperties @error: " & @error & ", @extended: " & @extended)
_ArrayDisplay($aResult, "Result of _AD_GetObjectProperties")
_AD_Close()

[Syed23]

Hi Water,

i collected my OU details by using the function _AD_GetObjectProperties() and tired but i am getting the Error value 3 which returns "3 - No records returned from Active Directory. $sAD_Filter didn't return a record" what can be the possiblity ? Access issue ?

[water]

Hi Syed,

as suggests use the cn of the computer as starting point (first parameter for _AD_GetObjectsInOU) and then search for the BitLocker information.

[Syed23]

Hi Syed,

as suggests use the cn of the computer as starting point (first parameter for _AD_GetObjectsInOU) and then search for the BitLocker information.

The below is the script i am using but it does not works for me. Am i doing any mistake ?

#include <ad.au3>
_AD_Open()
$sAD_OU = "CN=HostName,OU=SubOU,OU=MainOU,OU=Country,OU=Region,OU=GD2000,OU=Workstations,DC=Domain,DC=com"
$aResult = _AD_GetObjectsInOU($sAD_OU, "(objectcategory=msFVE-RecoveryInformation)", 2 , "distinguishedname")
if @error <> 0 Then Exit Msgbox(64, "AD Test", "_AD_GetObjectsInOU @error: " & @error & ", @extended: " & @extended)
_ArrayDisplay($aResult, "Result of _AD_GetObjectsInOU")
$aResult = _AD_GetObjectProperties($aResult[1])
if @error <> 0 Then Exit Msgbox(64, "AD Test", "_AD_GetObjectProperties @error: " & @error & ", @extended: " & @extended)
_ArrayDisplay($aResult, "Result of _AD_GetObjectProperties")
_AD_Close()

Edited January 24, 2012 by Syed23

[water]

I think yo have to run the query with special permissions as this kind of information shouldn't be available to everyone!

[Syed23]

I think yo have to run the query with special permissions as this kind of information shouldn't be available to everyone!

I think that's make sense... i used one of out team membes admin id and it worked. But what i noticed is before getting the result i am getting the same error message if i click on ok then it prompts me the result successfully.

[water]

Unfortunately I can't test because I don't use BitLocker.

What error messages when running what command?

[Syed23]

after compiling the below code if i run the exe i am getting an error mesage"_AD_GetObjectsInOU @error:3,@exended:0" without stopping. The error message prompts continiously without stopping

#include <ad.au3>
RunAs("Admin","Domai","Password",2,@ScriptFullPath)
_AD_Open()
$sAD_OU = "CN=HostName,OU=SubOU,OU=MainOU,OU=Country,OU=Region,OU=GD2000,OU=Workstations,DC=Domain,DC=com"

$aResult = _AD_GetObjectsInOU($sAD_OU, "(Objectcategory=msFVE-RecoveryPassword)", 2 , "distinguishedname")
if @error <> 0 Then Exit Msgbox(64, "AD Test", "_AD_GetObjectsInOU @error: " & @error & ", @extended: " & @extended)
_ArrayDisplay($aResult, "Result of _AD_GetObjectsInOU")
$aResult = _AD_GetObjectProperties($aResult[1])
if @error <> 0 Then Exit Msgbox(64, "AD Test", "_AD_GetObjectProperties @error: " & @error & ", @extended: " & @extended)
_ArrayDisplay($aResult, "Result of _AD_GetObjectProperties")
_AD_Close()

Edited January 24, 2012 by Syed23

[Turkey77]

Water - I am not getting any value returned for pwdLastSet. Thoughts on this one? I did not modify your script. Using ASDIedit, I do see a value for my pwdLastSet.

#AutoIt3Wrapper_AU3Check_Parameters= -d -w 1 -w 2 -w 3 -w 4 -w 5 -w 6
#AutoIt3Wrapper_AU3Check_Stop_OnWarning=Y
; *****************************************************************************
; Example 1
; Get the domain password policy and the password info for the current user
; *****************************************************************************
#include <AD.au3>
; Open Connection to the Active Directory
_AD_Open()
If @error Then Exit MsgBox(16, "Active Directory Example Skript", "Function _AD_Open encountered a problem. @error = " & @error & ", @extended = " & @extended)
; Get the password info
Global $aAD_PwdInfo[13][2] = [[12],["Maximum Password Age (days)"],["Minimum Password Age (days)"],["Enforce Password History (# of passwords remembered)"], _
  ["Minimum Password Length"],["Account Lockout Duration (minutes)"],["Account Lockout Threshold (invalid logon attempts)"],["Reset account lockout counter after (minutes)"], _
  ["Password last changed (YYYY/MM/DD HH:MM:SS local time)"],["Password expires (YYYY/MM/DD HH:MM:SS local time)"],["Password last changed (YYYY/MM/DD HH:MM:SS UTC)"], _
  ["Password expires (YYYY/MM/DD HH:MM:SS UTC)"],["Password properties"]]
Global $aTemp = _AD_GetPasswordInfo()
For $iCount = 1 To $aTemp[0]
$aAD_PwdInfo[$iCount][1] = $aTemp[$iCount]
Next
$aAD_PwdInfo[0][0] = $aTemp[0]
_ArrayDisplay($aAD_PwdInfo, "Active Directory Functions - Example 1", -1, 0, "<")
; Close Connection to the Active Directory
_AD_Close()

here's the result from running the above, I just copied the result of _arraydisplay - I do not receive any errors.

I am running from a win7 x64 against a 2003 server - I also forced the use of PCD, but same result

[0]<12<

[1]<Maximum Password Age (days)<180

[2]<Minimum Password Age (days)<-0

[3]<Enforce Password History (# of passwords remembered)<4

[4]<Minimum Password Length<7

[5]<Account Lockout Duration (minutes)<99999

[6]<Account Lockout Threshold (invalid logon attempts)<6

[7]<Reset account lockout counter after (minutes)<99999

[8]<Password last changed (YYYY/MM/DD HH:MM:SS local time)<

[9]<Password expires (YYYY/MM/DD HH:MM:SS local time)<

[10]<Password last changed (YYYY/MM/DD HH:MM:SS UTC)<

[11]<Password expires (YYYY/MM/DD HH:MM:SS UTC)<

[12]<Password properties<0

[water]

@Syed

You are calling the same script over and over again using "Run" as you do. You should compile the script and then use Windows to start the exe as the required user.

Or you change your script so that if started with no parameters it starts iself again with the proper user and passes a parameter so when run again it knows that it has the proper privileges and can keep on processing.

[water]

@Turkey77

I get proper results with the latest version of the UDF.

What version of AutoIt do you run?

What version of the Active Directory UDF do you run (check the UDF file for string "; UDF Version ...:"

[Turkey77]

1.2.0 with 3.3.6.1

[water]

Could you please insert this line after "#include <ad.au3>"?

$iAD_Debug = 2

So we can see if there are any COM errors.</ad.au3>