Posted

no errors

#include <AD.au3>
$iAD_Debug = 2
; Open Connection to the Active Directory
_AD_Open()

>"C:\Program Files (x86)\AutoIt3\SciTE\AutoIt3Wrapper\AutoIt3Wrapper.exe" /run /prod /ErrorStdOut /in "L:ApplicationsITAppsfrom_1024-3rn0qd10AutoITv3installScriptsPWDage_AD_GetPasswordInfo.au3" /autoit3dir "C:\Program Files (x86)\AutoIt3" /UserParams

+>11:05:13 Starting AutoIt3Wrapper v.2.0.3.0 Environment(Language:0409 Keyboard:00000409 OS:WIN_7/Service Pack 1 CPU:X64 OS:X64)

>Running AU3Check (1.54.22.0) params:-d -w 1 -w 2 -w 3 -w 4 -w 5 -w 6 from:C:\Program Files (x86)\AutoIt3

+>11:05:13 AU3Check ended.rc:0

>Running:(3.3.8.0):C:\Program Files (x86)\AutoIt3\autoit3.exe "L:ApplicationsITAppsfrom_1024-3rn0qd10AutoITv3installScriptsPWDage_AD_GetPasswordInfo.au3"

Posted

Could you please insert this line at the top of your script to make sure you run as 32 bit?

#AutoIt3Wrapper_UseX64=N


Posted

I tried a different username and it worked?! Could it be that my password hasn't been changed for a long time or that it is not set to expire?

[0]<12<

[1]<Maximum Password Age (days)<180

[2]<Minimum Password Age (days)<-0

[3]<Enforce Password History (# of passwords remembered)<4

[4]<Minimum Password Length<7

[5]<Account Lockout Duration (minutes)<99999

[6]<Account Lockout Threshold (invalid logon attempts)<6

[7]<Reset account lockout counter after (minutes)<99999

[8]<Password last changed (YYYY/MM/DD HH:MM:SS local time)<2011/11/03 12:24:13

[9]<Password expires (YYYY/MM/DD HH:MM:SS local time)<2012/05/01 12:24:13

[10]<Password last changed (YYYY/MM/DD HH:MM:SS UTC)<2011/11/03 16:24:13

[11]<Password expires (YYYY/MM/DD HH:MM:SS UTC)<2012/05/01 16:24:13

[12]<Password properties<0

Posted

Water - OK, I just changed my password and still did not receive the pwdlastchanged value. So, I unchecked the box for "Password never expires" on my account and then ran it. That did the trick. Bug? Please let me know if you need any further testing done. THANKS!!

[0]<12<

[1]<Maximum Password Age (days)<180

[2]<Minimum Password Age (days)<-0

[3]<Enforce Password History (# of passwords remembered)<4

[4]<Minimum Password Length<7

[5]<Account Lockout Duration (minutes)<99999

[6]<Account Lockout Threshold (invalid logon attempts)<6

[7]<Reset account lockout counter after (minutes)<99999

[8]<Password last changed (YYYY/MM/DD HH:MM:SS local time)<2012/01/25 11:34:53

[9]<Password expires (YYYY/MM/DD HH:MM:SS local time)<2012/07/23 12:34:53

[10]<Password last changed (YYYY/MM/DD HH:MM:SS UTC)<2012/01/25 16:34:53

[11]<Password expires (YYYY/MM/DD HH:MM:SS UTC)<2012/07/23 16:34:53

[12]<Password properties<0

Posted

If the password has never been changed then "1601/01/01 00:00" should be returned.

Could you please change line

If $sAD_PwdLastChanged.LowPart = 0 And $sAD_PwdLastChanged.HighPart = 0 Then
in the UDF to
ConsoleWrite($sAD_PwdLastChanged.LowPart & "-" & $sAD_PwdLastChanged.HighPart & @CRLF)
If $sAD_PwdLastChanged.LowPart = 0 And $sAD_PwdLastChanged.HighPart = 0 Then

and test again with your userid?

Maybe the internal representation of "has never been changed" is not 0.


Posted

Now a remark in the function will explain this behaviour.

Thanks for pointing it out!


Posted

Note: I had changed my password prior to beginning our thread, it was just 5 years ago.

I added the consolewrite and received this with my userid - 1166770896-30202752. However, I still don't receive this value converted to a date when my password is set to "not expire". Does the "negative zero" in minimum password age have anything to do with this?

I also created a new account and as you suggested, received "1601/01/01 00:00".

Posted

I see. If password is set to "not expire" the date of "password last set" is not calculated.

I changed the example script. It now uses the unchanged function to display the first table (entries 8-11 will be empty).

The changed function then should display a date in entry 8 and 10.

Can you please verify?

#AutoIt3Wrapper_AU3Check_Parameters= -d -w 1 -w 2 -w 3 -w 4 -w 5 -w 6
#AutoIt3Wrapper_AU3Check_Stop_OnWarning=Y
; *****************************************************************************
; Example 1
; Get the domain password policy and the password info for the current user
; *****************************************************************************
#include <AD.au3>
; Open Connection to the Active Directory
_AD_Open()
If @error Then Exit MsgBox(16, "Active Directory Example Skript", "Function _AD_Open encountered a problem. @error = " & @error & ", @extended = " & @extended)
; Get the password info
Global $aAD_PwdInfo[13][2] = [[12],["Maximum Password Age (days)"],["Minimum Password Age (days)"],["Enforce Password History (# of passwords remembered)"], _
        ["Minimum Password Length"],["Account Lockout Duration (minutes)"],["Account Lockout Threshold (invalid logon attempts)"],["Reset account lockout counter after (minutes)"], _
        ["Password last changed (YYYY/MM/DD HH:MM:SS local time)"],["Password expires (YYYY/MM/DD HH:MM:SS local time)"],["Password last changed (YYYY/MM/DD HH:MM:SS UTC)"], _
        ["Password expires (YYYY/MM/DD HH:MM:SS UTC)"],["Password properties"]]
Global $aTemp = _AD_GetPasswordInfo()
For $iCount = 1 To $aTemp[0]
    $aAD_PwdInfo[$iCount][1] = $aTemp[$iCount]
Next
$aAD_PwdInfo[0][0] = $aTemp[0]
_ArrayDisplay($aAD_PwdInfo, "Active Directory Functions - Example 1", -1, 0, "<")
; Enhanced version
$aTemp = _AD_GetPasswordInfoEx()
For $iCount = 1 To $aTemp[0]
    $aAD_PwdInfo[$iCount][1] = $aTemp[$iCount]
Next
$aAD_PwdInfo[0][0] = $aTemp[0]
_ArrayDisplay($aAD_PwdInfo, "Active Directory Functions - Example 1", -1, 0, "<")
; Close Connection to the Active Directory
_AD_Close()

Func _AD_GetPasswordInfoEx($sAD_Object = @UserName)

    If _AD_ObjectExists($sAD_Object) = 0 Then Return SetError(1, 0, "")
    If StringMid($sAD_Object, 3, 1) <> "=" Then $sAD_Object = _AD_SamAccountNameToFQDN($sAD_Object) ; sAMAccountName provided
    Local $iAD_Error = 0
    Local $aAD_PwdInfo[13] = [12]
    Local $oAD_Object = _AD_ObjGet("LDAP://" & $sAD_HostServer & "/" & $sAD_DNSDomain)
    $aAD_PwdInfo[1] = Int(_AD_Int8ToSec($oAD_Object.Get("maxPwdAge"))) / 86400 ; Convert to Days
    $aAD_PwdInfo[2] = _AD_Int8ToSec($oAD_Object.Get("minPwdAge")) / 86400 ; Convert to Days
    $aAD_PwdInfo[3] = $oAD_Object.Get("pwdHistoryLength")
    $aAD_PwdInfo[4] = $oAD_Object.Get("minPwdLength")
    ; Account lockout duration: http://msdn.microsoft.com/en-us/library/ms813429.aspx
    Local $oAD_Temp = $oAD_Object.Get("lockoutDuration")
    If $oAD_Temp.HighPart = 0x7FFFFFFF And $oAD_Temp.LowPart = 0xFFFFFFFF Then
        $aAD_PwdInfo[5] = 0 ; Account has to be unlocked manually by an admin
    Else
        $aAD_PwdInfo[5] = _AD_Int8ToSec($oAD_Temp) / 60 ; Convert to Minutes
    EndIf
    $aAD_PwdInfo[6] = $oAD_Object.Get("lockoutThreshold")
    $aAD_PwdInfo[7] = _AD_Int8ToSec($oAD_Object.Get("lockoutObservationWindow")) / 60 ; Convert to Minutes
    Local $oAD_User = _AD_ObjGet("LDAP://" & $sAD_HostServer & "/" & $sAD_Object)
    Local $sAD_PwdLastChanged = $oAD_User.Get("PwdLastSet")
    Local $iAD_UAC = $oAD_User.userAccountControl
    ; Has user account password been changed before?
    If $sAD_PwdLastChanged.LowPart = 0 And $sAD_PwdLastChanged.HighPart = 0 Then
        $iAD_Error += 3
        $aAD_PwdInfo[8] = "1601/01/01 00:00:00"
        $aAD_PwdInfo[10] = "1601/01/01 00:00:00"
    Else
        Local $sAD_Temp = DllStructCreate("dword low;dword high")
        DllStructSetData($sAD_Temp, "Low", $sAD_PwdLastChanged.LowPart)
        DllStructSetData($sAD_Temp, "High", $sAD_PwdLastChanged.HighPart)
        ; Have to convert to SystemTime because _Date_Time_FileTimeToStr has a bug (#1638)
        Local $sAD_Temp2 = _Date_Time_FileTimeToSystemTime(DllStructGetPtr($sAD_Temp))
        $aAD_PwdInfo[10] = _Date_Time_SystemTimeToDateTimeStr($sAD_Temp2, 1)
        ; Convert PwdlastSet and PasswordExpires from UTC to Local Time
        $sAD_Temp2 = _Date_Time_SystemTimeToTzSpecificLocalTime(DllStructGetPtr($sAD_Temp2))
        $aAD_PwdInfo[8] = _Date_Time_SystemTimeToDateTimeStr($sAD_Temp2, 1)
        ; Is user account password set to expire?
        If BitAND($iAD_UAC, $ADS_UF_DONT_EXPIRE_PASSWD) = $ADS_UF_DONT_EXPIRE_PASSWD Or $aAD_PwdInfo[1] = 0 Then
            If BitAND($iAD_UAC, $ADS_UF_DONT_EXPIRE_PASSWD) = $ADS_UF_DONT_EXPIRE_PASSWD Then $iAD_Error += 2
            If $aAD_PwdInfo[1] = 0 Then $iAD_Error += 4 ; The Maximum Password Age is set to 0 in the domain. Therefore, the password does not expire
        Else
            $aAD_PwdInfo[11] = _DateAdd("d", $aAD_PwdInfo[1], $aAD_PwdInfo[10])
            $sAD_Temp2 = _Date_Time_EncodeSystemTime(StringMid($aAD_PwdInfo[11], 6, 2), StringMid($aAD_PwdInfo[11], 9, 2), StringMid($aAD_PwdInfo[11], 1, 4), StringMid($aAD_PwdInfo[11], 12, 2), StringMid($aAD_PwdInfo[11], 15, 2), StringMid($aAD_PwdInfo[11], 18, 2))
            $sAD_Temp2 = _Date_Time_SystemTimeToTzSpecificLocalTime(DllStructGetPtr($sAD_Temp2))
            $aAD_PwdInfo[9] = _Date_Time_SystemTimeToDateTimeStr($sAD_Temp2, 1)
        EndIf
    EndIf
    $aAD_PwdInfo[12] = $oAD_Object.Get("pwdProperties")
    Return SetError($iAD_Error, 0, $aAD_PwdInfo)

EndFunc   ;==>_AD_GetPasswordInfoEx
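
The conversion discussed in this exchange, as an added example in Python that is not part of the thread or of the AD UDF: it joins the LowPart/HighPart pair of pwdLastSet into a date and always reports "password last changed", leaving only the expiry date empty when the account or the domain says the password does not expire. The function names are assumptions made for this example; the LowPart-HighPart pair is the one quoted in the thread, and 0x200 is a constructed userAccountControl value for a normal account.

```python
from datetime import datetime, timedelta

ADS_UF_DONT_EXPIRE_PASSWD = 0x10000    # userAccountControl bit tested in the function above
FILETIME_EPOCH = datetime(1601, 1, 1)  # pwdLastSet counts 100 ns ticks from here (UTC)


def large_int(low, high):
    """Join LowPart/HighPart into one 64-bit value.

    COM can hand LowPart back as a signed 32-bit number, so mask it first.
    """
    return (high << 32) | (low & 0xFFFFFFFF)


def password_info(low, high, uac, max_age_days):
    """Return (last_set_utc, expires_utc, reasons) for one account.

    reasons lists why no expiry date is given; it is empty otherwise.
    """
    ticks = large_int(low, high)
    if ticks == 0:
        # pwdLastSet of 0: report the epoch, as the function above does.
        return FILETIME_EPOCH, None, ["password never changed"]
    last_set = FILETIME_EPOCH + timedelta(microseconds=ticks // 10)
    reasons = []
    if uac & ADS_UF_DONT_EXPIRE_PASSWD:
        reasons.append("account flag: password never expires")
    if max_age_days == 0:
        reasons.append("domain maximum password age is 0")
    # The last-set date is always reported; only the expiry depends on the flags.
    expires = None if reasons else last_set + timedelta(days=max_age_days)
    return last_set, expires, reasons


def fmt(dt):
    """Format like the table in the thread; empty string when there is no date."""
    return dt.strftime("%Y/%m/%d %H:%M:%S") if dt else ""


if __name__ == "__main__":
    # LowPart-HighPart pair quoted in the thread: 1166770896-30202752
    for uac in (0x200, 0x200 | ADS_UF_DONT_EXPIRE_PASSWD):
        last_set, expires, reasons = password_info(1166770896, 30202752, uac, 180)
        print(fmt(last_set), "|", fmt(expires), "|", reasons)
```
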


Posted

That did it! Thanks Water!!!

[0]<12<

[1]<Maximum Password Age (days)<180

[2]<Minimum Password Age (days)<-0

[3]<Enforce Password History (# of passwords remembered)<4

[4]<Minimum Password Length<7

[5]<Account Lockout Duration (minutes)<99999

[6]<Account Lockout Threshold (invalid logon attempts)<6

[7]<Reset account lockout counter after (minutes)<99999

[8]<Password last changed (YYYY/MM/DD HH:MM:SS local time)<2012/01/25 13:15:06

[9]<Password expires (YYYY/MM/DD HH:MM:SS local time)<

[10]<Password last changed (YYYY/MM/DD HH:MM:SS UTC)<2012/01/25 18:15:06

[11]<Password expires (YYYY/MM/DD HH:MM:SS UTC)<

[12]<Password properties<0

Posted (edited)

I will change the function to handle the "password does not expire" situation.

Thanks for pointing it out.

Edited by water


Posted

Water,

I have been running this script for a while on Windows XP without any problems, but now we are migrating to Windows 7 and I will need to join Windows 7 PCs to our Active Directory domain.

Here is my script:

#region ;**** Directives created by AutoIt3Wrapper_GUI ****
#AutoIt3Wrapper_Icon=..\..\..\Icons\icon.ico
#AutoIt3Wrapper_Run_Tidy=y
#AutoIt3Wrapper_Run_Obfuscator=y
#Obfuscator_Parameters=/cs 1 /cn 1 /cf 1 /cv 1 /sf 1 /sv 1
#endregion ;**** Directives created by AutoIt3Wrapper_GUI ****
#include <ButtonConstants.au3>
#include <GUIConstantsEx.au3>
#include <GUIListBox.au3>
#include <GUIListView.au3>
#include <WindowsConstants.au3>
#include <AD.au3>
#include <Array.au3>
#include <ScrollBarConstants.au3>
; Add Computer Description
$CompDesc = InputBox("Computer Description", "Enter: Lastname, Firstname", "")
RegWrite("HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanServer\Parameters", "srvcomment", "REG_SZ", $CompDesc)
;Choose domain OU
_AD_Open("username", "Password", "DC=domain,DC=net", "server.domain.net", "CN=Configuration,DC=domain,DC=net")
Global $adOU = _AD_GetAllOUs("OU=Workstations,DC=domain,DC=net", "")
For $iCount = 1 To $adOU[0][0]
If $iCount = 1 Then
  $sOU = $adOU[$iCount][0]
Else
  $sOU = $sOU & "|" & $adOU[$iCount][0]
EndIf
Next
#region ### START Koda GUI section ###
$main2 = GUICreate("Active Directory", 780, 344, 150, 124)
$ListOU = GUICtrlCreateList("", 7, 8, 768, 279, BitOR($LBS_SORT, $LBS_STANDARD, $LBS_EXTENDEDSEL, $LBS_DISABLENOSCROLL, $WS_VSCROLL, $WS_HSCROLL, $WS_BORDER))
GUICtrlSetData($ListOU, $sOU)
$btnCont2 = GUICtrlCreateButton("Continue", 7, 291, 768, 41, $WS_GROUP)
GUICtrlSetFont(-1, 20, 400, 0, "Impact")
GUISetState(@SW_SHOW)
#endregion ### END Koda GUI section ###
While 1
$nMsg = GUIGetMsg()
Switch $nMsg
  Case $GUI_EVENT_CLOSE
   Exit
  Case $btnCont2
   ; Check what OU has been selected in the listbox
   $selOU = _GUICtrlListBox_GetSelItems($ListOU)
   Global $selectedItem = $selOU[1] + 1
   ;Create computer account in AD
   Global $iComp = _AD_CreateComputer($adOU[$selectedItem][1], @ComputerName, "Domain\Username")
   If $iComp = 1 Then
    MsgBox(64, "Successful", @ComputerName & " is in the Domain.", 5)
   ElseIf @error = 1 Then
    MsgBox(64, "Fail", "The Computers OU can not be found to create Computer account in AD.")
   ElseIf @error = 2 Then
    MsgBox(64, "Fail", @ComputerName & " already exists in the Domain.")
   ElseIf @error = 3 Then
    MsgBox(64, "Fail", "The user Domain\Username does not exist.")
   Else
    MsgBox(64, "Active Directory Functions", "Creating Computer account - Return code '" & @error & "' from Active Directory")
   EndIf
   _AD_ModifyAttribute(@ComputerName & "$", "description", $CompDesc)
   ;Join computer to AD account
   Global $iDom = _AD_JoinDomain(@ComputerName, "Domain\Username", "Password")
   If $iDom = 1 Then
    MsgBox(64, "Successful", @ComputerName & " has now been joined to the Domain", 5)
   EndIf
   If @error = 1 Then
    MsgBox(64, "Fail", @ComputerName & " does not exist in the Domain.")
   ElseIf @error = 2 Then
    MsgBox(64, "Fail", "The user Domain\Username could not be found in the Domain.")
   ElseIf @error = 3 Then
    MsgBox(64, "Fail", "WMI Object could not be created. Return code - " & @extended)
   ElseIf @error = 4 Then
    MsgBox(64, "Fail", @ComputerName & " is already a member of the Domain.")
   ElseIf @error = 5 Then
    MsgBox(64, "Fail", @ComputerName & " was unable to join the Domain. Return code - " & @extended)
   EndIf
EndSwitch
WEnd
_AD_Close()

The error code I receive is "0" when creating a computer account. I am a domain admin and have rights to join machines to the domain.

I have tried running the script as an administrator locally because of UAC. This didn't help either.

This script does work in Windows XP, but not Windows 7. Any ideas what I can do to fix it?

Thanks,

Jeff

Posted

What do you get if you insert

$iAD_Debug = 2
somewhere after
#include <AD.au3>


Posted

What AutoIt version do you use?


Posted

Could you eventually compile the script with AutoIt version 3.3.6.1? The changelog tells that there were some changes regarding COM and maybe this is the source of our problem.


Posted

Thanks for getting back to me Water. Sorry, I had to leave work a little early yesterday.

Is there an easy way to revert to a previous autoit version, or will that mean I just have to uninstall the current version and then install the new version?

Posted

Uninstall the old version then install the new one.


Posted

Thanks.

I have done that, and I still get the same error.

I feel like a liar now, because I know I have had this working, but when I just tried it on XP it also didn't work! The problem is the script, but I have no idea what.

I have confirmed my configuration context is correct, and I have used the administrator account to add machines to the domain.

I have also confirmed that the correct OU is being selected from the ListBox by outputting the value to a msgbox.

I have added the following code for debugging, but the errors are 0, which I don't think are problems?

MsgBox(0, "_AD_Open", "@error: " & @error & ", @extended: " & @extended)

MsgBox(0, "_AD_GetAllOUs", "@error: " & @error & ", @extended: " & @extended)
This topic is now closed to further replies.