Active Directory UDF - Help & Support

water · April 23, 2010

it gives me an error that says

Line 37 (File
"C:\path\autoit\_AD_CreateMailbox.au3");

$IMailbox = GUICtrlCreatInput($SMailbox,241,40,259,21)
$Mailbox = GUICtrlCreareInput(^ERROR

Error: Variable used without being declared

I tried declaring the variable same error. I think im doing something stupid. Maybe it cant find the exchange server or something

That happens when the current user doesn't have a mailbox - so it's my fault. Bad programming practice :idea:

Could you please insert this line

Global $sMailbox, $sIStore, $sServer, $sGroup, $sServerGroup

before line

; Get the forms data for the current user

Edited April 25, 2010 by water

MattZ · April 27, 2010

Can you please post the code you use? You can strip it down to the _AD_Open and _AD_MoveObject calls.
What do you move? A User or a Computer? If it's a computer you have to append a "$" to the computers name.

Everything I am doing is with Users.

_AD_Open()

Func _TermUser()

    $FQDNUser = _AD_SamAccountNameToFQDN($UsernameValue)

    ;Remove group memberships
    $groups = _AD_GetUserGroups($UsernameValue)
    $i = 1

    If $groups = "" Then
        MsgBox(0, "No Groups", $UsernameValue & " Has no groups associated with it")
    Else
        ProgressOn("Removing Groups", "Getting Groups")
        While $i <= $groups[0]
            $Percent = ($i / $groups[0]) * 100
            ProgressSet($Percent, "Removing Groups", "Removing Group " & $groups[$i])
            _AD_RemoveUserFromGroup($groups[$i], $FQDNUser)
            $i = $i + 1
        WEnd

        $Description = "Term Date " & $TermDate & " Disabled by " & $TermedByValue
        _AD_ModifyAttribute($UsernameValue, "description", $Description, 0)
        $TermReport = FileOpen($Configfiles[1] & "logs\term.csv", 0)
        If $TermReport = -1 Then
            $TermReport = FileOpen($Configfiles[1] & "logs\term.csv", 9)
            FileWriteLine($TermReport, "Username;Display Name;Term Date;Termed By;Date")
            FileWriteLine($TermReport, $UsernameValue & ";" & $Fname & " " & $Lname & ";" & $TermDate & ";" & $TermedByValue & ";" & _NowDate())
            FileClose($TermReport)
        Else
            FileClose($TermReport)
            $TermReport = FileOpen($Configfiles[1] & "logs\term.csv", 1)
            FileWriteLine($TermReport, $UsernameValue & ";" & $Fname & " " & $Lname & ";" & $TermDate & ";" & $TermedByValue & ";" & _NowDate())
            FileClose($TermReport)
        EndIf

    EndIf
    ProgressOff()

    ;Change Password to some fun gibberish
    ;Create the password
    ProgressOn("Setting new Password", "Creating Password")
    _GeneratePass()

    ProgressSet(100, "Setting New Password")
    ;set the password
    _AD_SetPassword($FQDNUser, $Pass)
    ProgressOff()


    $iValue = _AD_MoveObject($newou, $FQDNUser)
    If $iValue = 1 Then
        MsgBox(64, "Active Directory Functions - Example 1", "Object '" & $FQDNUser & "' successfully moved to '" & $newou & "'")
    ElseIf @error = 1 Then
        MsgBox(64, "Active Directory Functions - Example 1", "Target OU '" & $newou & "' does not exist")
    ElseIf @error = 2 Then
        MsgBox(64, "Active Directory Functions - Example 1", "Object '" & $FQDNUser & "' does not exist")
    Else
        MsgBox(64, "Active Directory Functions - Example 1", "Return code '" & @error & "' from Active Directory")
    EndIf
    ;Disable account
    _AD_DisableObject($FQDNUser)

    ;MsgBox(0,"FQDN",$FQDNUser)
    _AD_Close()
EndFunc   ;==>_TermUser

I have tried with both the FQDN and the SAM Account Name and get the same result with both. Removing the User from groups, disabling the account and changing the password all work.

Edited April 27, 2010 by MattZ

water · April 28, 2010

Hi MattZ,

could you please post the values for $newou and $FQDNUser? You can replace the names with wildcards. I'm just interested in the format and any special characters in the strings like commas etc.

E.g. $FQDNUser = "CN=Lastname, Firstname,OU=OrgUnit,DC=microsoft,DC=com"

$newOU = "OU=OrgUnitNew,DC=microsoft,DC=com"

water · April 28, 2010

Hi MattZ,

or could you please try this new version of _AD_MoveObject (enhanced error checking) and post the results?

Func _AD_MoveObject_Test($sAD_OU, $sAD_Object, $sAD_CN = "")

    If Not _AD_ObjectExists($sAD_OU, "distinguishedName") Then Return SetError(1, 0, 0)
    If Not _AD_ObjectExists($sAD_Object) Then Return SetError(2, 0, 0)
    If StringMid($sAD_Object, 3, 1) <> "=" Then $sAD_Object = _AD_SamAccountNameToFQDN($sAD_Object) ; sAMAccountName provided
    If $sAD_CN = "" Then
        $sAD_CN = StringLeft($sAD_Object, StringInStr($sAD_Object, ",") - 1)
    Else
        $sAD_CN = "CN=" & $sAD_CN
    EndIf
    $sAD_CN = _AD_FixSpecialChars($sAD_CN)
    If _AD_ObjectExists($sAD_CN & "," & $sAD_OU, "distinguishedName") Then Return SetError(3, 0, 0)
    Local $oAD_OU = _AD_ObjGet("LDAP://" & $sAD_HostServer & "/" & $sAD_OU) ; Pointer to the destination container
    $oAD_OU.MoveHere("LDAP://" & $sAD_HostServer & "/" & $sAD_Object, $sAD_CN)
    If @error <> 0 Then Return SetError(@error, 0, 0)
    Return 1

EndFunc

MattZ · April 28, 2010

Hi MattZ,

or could you please try this new version of _AD_MoveObject (enhanced error checking) and post the results?

Func _AD_MoveObject_Test($sAD_OU, $sAD_Object, $sAD_CN = "")

    If Not _AD_ObjectExists($sAD_OU, "distinguishedName") Then Return SetError(1, 0, 0)
    If Not _AD_ObjectExists($sAD_Object) Then Return SetError(2, 0, 0)
    If StringMid($sAD_Object, 3, 1) <> "=" Then $sAD_Object = _AD_SamAccountNameToFQDN($sAD_Object) ; sAMAccountName provided
    If $sAD_CN = "" Then
        $sAD_CN = StringLeft($sAD_Object, StringInStr($sAD_Object, ",") - 1)
    Else
        $sAD_CN = "CN=" & $sAD_CN
    EndIf
    $sAD_CN = _AD_FixSpecialChars($sAD_CN)
    If _AD_ObjectExists($sAD_CN & "," & $sAD_OU, "distinguishedName") Then Return SetError(3, 0, 0)
    Local $oAD_OU = _AD_ObjGet("LDAP://" & $sAD_HostServer & "/" & $sAD_OU) ; Pointer to the destination container
    $oAD_OU.MoveHere("LDAP://" & $sAD_HostServer & "/" & $sAD_Object, $sAD_CN)
    If @error <> 0 Then Return SetError(@error, 0, 0)
    Return 1

EndFunc

Water - Thanks for the responses.

$newou = "ou=Disabled Users,dc=mydomain,dc=com"

$FQDNUser = _AD_SamAccountNameToFQDN($UsernameValue)

I have a validation function earlier in my code that uses _AD_ObjectExists($UsernameValue) to ensure that $Username is an object.

When using the _AD_MoveObeject_Test I get the same error code of -214735256. I have tried changing the "ou=Disabled Users" to an ou without spaces and I get the same result. I have also tried changing the call of _AD_MoveObject to _AD_MoveObject($newou,$UsernameValue)

water · April 29, 2010

Hi MattZ,

I'm soon running out of ideas. But I hope, this test will shed some light on the subject. Could you please run the following script in two ways and post the result? Please only replace the company name in the output. I take some data from the FQDN to form the RDN (Relative Distinguished Name) and there migth be the problem.

First call: _AD_MoveObject_Test($newou, $FQDNUser)

Second call: _AD_MoveObject_Test($newou, $FQDNUser,"Test")

The second call should move the User to the new OU and rename it to "Test".

Func _AD_MoveObject_Test($sAD_OU, $sAD_Object, $sAD_CN = "")

    If Not _AD_ObjectExists($sAD_OU, "distinguishedName") Then Return SetError(1, 0, 0)
    If Not _AD_ObjectExists($sAD_Object) Then Return SetError(2, 0, 0)
    If StringMid($sAD_Object, 3, 1) <> "=" Then $sAD_Object = _AD_SamAccountNameToFQDN($sAD_Object) ; sAMAccountName provided
    If $sAD_CN = "" Then
    $sAD_CN = StringLeft($sAD_Object, StringInStr($sAD_Object, ",") - 1)
    Else
    $sAD_CN = "CN=" & $sAD_CN
    EndIf
    $sAD_CN = _AD_FixSpecialChars($sAD_CN)
    If _AD_ObjectExists($sAD_CN & "," & $sAD_OU, "distinguishedName") Then Return SetError(3, 0, 0)
    Local $oAD_OU = _AD_ObjGet("LDAP://" & $sAD_HostServer & "/" & $sAD_OU) ; Pointer to the destination container
    ConsoleWrite("ObjectGet:" & @error & " - " & @extended & @CRLF)
    ConsoleWrite("OU: " & $sAD_OU & @CRLF)
    ConsoleWrite("Object: " & $sAD_Object & @CRLF)
    ConsoleWrite("CN: " & $sAD_CN & @CRLF)
    $oAD_OU.MoveHere("LDAP://" & $sAD_HostServer & "/" & $sAD_Object, $sAD_CN)
    If @error <> 0 Then Return SetError(@error, 0, 0)
    Return 1

EndFunc

MattZ · April 29, 2010

Here is the output you requested:

ObjectGet:0 - 0

OU: ou=Disabled Users,dc=mydomain,dc=com

Object: CN=Me\, Term,OU=BUSOFF,OU=FMC,DC=mydomain,DC=com

CN: CN=Me\

ObjectGet:0 - 0

OU: ou=Disabled Users,dc=mydomain,dc=com

Object: CN=Me\, Term,OU=BUSOFF,OU=FMC,DC=mydomain,DC=com

CN: CN=Test1234

Looks like thats the issue, the function doesn't seem to be handling the escaped space correctly. When I set the new name it works perfectly.

Edited April 29, 2010 by MattZ

water · April 29, 2010

Here is the output you requested:

ObjectGet:0 - 0
OU: ou=Disabled Users,dc=mydomain,dc=com
Object: CN=Me\, Term,OU=BUSOFF,OU=FMC,DC=mydomain,DC=com
CN: CN=Me\

ObjectGet:0 - 0
OU: ou=Disabled Users,dc=mydomain,dc=com
Object: CN=Me\, Term,OU=BUSOFF,OU=FMC,DC=mydomain,DC=com
CN: CN=Test1234

Looks like thats the issue, the function doesn't seem to be handling the escaped space correctly. When I set the new name it works perfectly.

The problem is with the incorrect handling of the escaped comma in "CN=Me\, Term".

At the moment the only solution is to pass the new RDN (Relative Distinguished Name) to the function. In your case this should be:

$newou = "ou=Disabled Users,dc=mydomain,dc=com"
$FQDNUser="CN=Me\, Term,OU=BUSOFF,OU=FMC,DC=mydomain,DC=com"
$aTemp = StringSplit($FQDNUser,"OU=",1)
$RDN = StringReplace(StringTrimRight($aTemp[1],1),"\,",",")
_AD_MoveObject($newou, $FQDNUser,$RDN)

I hope I can provide a better solution with the next release of the UDF.

MattZ · April 29, 2010

Water - That works perfectly - Thank you for this great UDF and all of your help.

MattZ · May 5, 2010

Water

I have found another function that doesn't behave as expected; _AD_DisableObject(). If the object is already disabled it will enable the object. I found that I can use _AD_IsObjectDisabled() test if the object is disabled or not this works fairly well, but some AD functions enable the account temporarily and my script runs quick enough that it will show that the account is still enabled when I hit my check.

I have worked around this by making this section of code the first AD function I call:

$disabled = _AD_IsObjectDisabled($FQDNUser)
    If $disabled = 0 Then
        _AD_DisableObject($FQDNUser)
    EndIf

Edited May 5, 2010 by MattZ

evilertoaster · May 5, 2010

Both _AD_EnableObject and _AD_DisableObject actually toggle the disabled flag instead of setting it. Change the "BitXOR" on lines 2795 and 2824 of AD.au3 to "BitOR".

water · May 6, 2010

Both _AD_EnableObject and _AD_DisableObject actually toggle the disabled flag instead of setting it. Change the "BitXOR" on lines 2795 and 2824 of AD.au3 to "BitOR".

Will be changed in the next version.

water · May 15, 2010

Version 0.39 has been released.

For download please see signature.

supersonic · June 6, 2010

Hi water!

I have some trouble with _AD_GetObjectAttribute() and _AD_GetObjectsInOU().

I wrote a script to perform an user attribute query.

Some of the attributes I query don't exist in all domains, e. g. "extensionAttribute1".

When calling _AD_GetObjectAttribute() like this:

_AD_GetObjectAttribute(@UserName, "extensionAttribute1")

... the function returns 0 for @error.

When calling _AD_GetObjectsInOU() like this:

Local $test = _AD_GetObjectsInOU("OU=TestOU,DC=domain,DC=local", "(&(objectCategory=user))", 2, "samAccountName,extensionAttribute1")

... the function exits without result (= array). It would be very helpful when this function returns "" (blank array entry) when an attribute does not exit.

Is there something I could do to avoid that?

Can you help me to find a solution?

Greets,

-supersonic.

Edited June 7, 2010 by supersonic

water · June 7, 2010

Hi supersonic,

I tested with version 0.39 and here are the results:

_AD_GetObjectattribute with nonexisting property: @error = 2

_AD_GetObjectattribute with empty property: @error = 0, Result = ''

_AD_GetObjectsInOU with nonexisting property: @error = 2

Can you please make sure that the property "extensionAttribute1" does not exist in your AD? You could use the ADExplorer from Sysinternals (now M$). Just download and run the exe. Then check the attributes of your user.

What version of the AD UDF do you use?

Edited June 7, 2010 by water

supersonic · June 7, 2010

Hi water,

I'm using V0.39.

You're right: _AD_GetObjectAttribute() works as it should. :mellow:

But I have still a problem with _AD_GetObjectsInOU(). Here's my test code:

#include <Array.au3>
#include "AD.au3"

Local $attributes = "samAccountName,userPrincipalName,cn,mail,extensionAttribute1"

_AD_Open()

Local $result = _AD_GetObjectsInOU("OU=BENUTZER,OU=WK,DC=domain,DC=local", "(&(objectCategory=user))", 2, $attributes, "samAccountName")
If Not @error Then
    _ArrayDisplay($result)
EndIf
ConsoleWrite(@error & @CRLF)

_AD_Close()

Without the attribute "extensionAttribute1" it works fine.

When querying a larger OU with many subtrees, many users have not all of the attributes. So _AD_GetObjectsInOU() exits with @error = 2.

In order to be able to create an array anyway it would be very helpful when this function could return "" (blank) for each non-existent attribute.

May be it's possible to add another parameter like "$sAD_ReturnBlank"?

Or may be you have another solution?

Any help very appreciated...

Greets,

-supersonic.

Edited June 8, 2010 by supersonic

water · June 8, 2010

Hi supersonic,

I had a quick look at the code. @error = 2 is returned by the LDAP query itself. That means if there is an error with the list of attributes no records are returned at all.

I had a look at the ADO properties and couldn't find a way to change the behaviour.

I wonder how you manage to have users with different attributes in your OUs. As I understand AD the valid properties of an object are defined in the Schema. I had a look at our Schema and I have properties extensionAttribute1 to extensionAttribute15. If I look at my user I only find extensionAttribute1, 2, 3, 6, 7, 8, 9.

I can query all extensionAttribute1 to 15 without error. But when I query extensionAttribute16 I get @error = 2

So my understanding is that you get @error = 2 when you query a property that is not defined in the Schema.

Do you have a single user that returns @error=2 for further testing?

Edited June 8, 2010 by water

supersonic · June 8, 2010

Hi water,

you're right, in cases where the errors occure the attributes "extensionAttribute1" to "extensionAttribute15" are missing.

As far as I have understood these attributes come from a Microsoft Exchange installation.

Some domains have such an installation and some don't...

So, the functions I have "problems" with are working fine, though. :mellow:

Well, is it possible to check the attributes against the schema before querying, and,

if the query will fail, to fetch attribute for attribute to overcome @error = 2?

Greets,

-supersonic.

water · June 8, 2010

Hi supersonic,

a quick and dirty solution would be to query the Exchange Schema version like this:

Func _AD_GetExchangeSchema()

    $sAD_SchemaNamingContext = $oAD_RootDSE.Get("SchemaNamingContext")
    Local $sAD_Query = "<LDAP://" & $sAD_HostServer & "/" & $sAD_SchemaNamingContext & ">;(name=ms-Exch-Schema-Version-Pt);ADsPath;subtree"
    Local $oAD_RecordSet = $oAD_Connection.Execute($sAD_Query) ; Retrieve the FQDN for the object
    If Not IsObj($oAD_RecordSet) Or $oAD_RecordSet.RecordCount = 0 Then Return SetError(2, 0, "")
    Local $sAD_LDAPEntry = $oAD_RecordSet.fields(0).value
    Local $oAD_Object = ObjGet($sAD_LDAPEntry) ; Retrieve the COM Object for the object
    Local $sAD_Result = $oAD_Object.Get("rangeUpper")
    Return $sAD_Result

EndFunc ;==>_AD_GetExchangeSchema

If no Exchange is available for the domain the function will return "" and set @error = 2.

If Exchange is available then the returned value denotes the installed version:

4397 - Exchange 2000 RTM

4406 - Exchange 2000 SP3

6870 - Exchange 2003 RTM

6936 - Exchange 2003 SP3

10628 - Exchange 2007 RTM

11116 - Exchange 2007 SP1

14622 - Exchange 2007 SP2

14622 - Exchange 2010 RTM

Could you please test this function against your AD and post the results? Maybe I will include this function in the "official" AD.

Edited June 8, 2010 by water

supersonic · June 8, 2010

Hi water!

Cool, nice function. :mellow: It's worth to be part of the official UDF.

My result is '11116' (= MS Exchange 2007 SP1). That's correct.

But I'm not very sure if this could help me out...

There are more applications adding attributes to a AD scheme.

Is it possible to read out a AD scheme to figure out which global (user) attributes are available in the target AD?

This would be the best solution for my problem...

Greets,

-supersonic.

Edited June 8, 2010 by supersonic

Active Directory UDF - Help & Support

Recommended Posts

Link to comment

Share on other sites

Top Posters In This Topic

Top Posters In This Topic

Popular Posts

water

Posted Images

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Recently Browsing 0 members