Active Directory UDF - Help & Support (II)

water · April 26, 2013

I see. I had the same problem with Windows 7. The exe you run is not on a "trusted location". Means: Windows doesn't allow you to run the application from there. Copy it to a trusted location and try again.

CrazyCarlton · April 26, 2013

Ah, this works! Thank you!

water · April 26, 2013

Ah, this works! Thank you!

Glad you got it working.

water · April 26, 2013

You need something like the following. Make sure the useraccount name is correct. I think "test.account" isn't a valid SamAccountName.

#include <AD.au3>
#include <File.au3>

Global $sJPG = FileRead("D:\testaccount.JPG")
Global $aJPG = StringSplit($sJPG, "", 2)

_AD_Open()
_AD_ModifyAttribute("test","thumbnailPhoto",$aJPG)
_AD_Close()

ScriptingNewbie · April 29, 2013

You need something like the following. Make sure the useraccount name is correct. I think "test.account" isn't a valid SamAccountName.
#include <AD.au3>
#include <File.au3>

Global $sJPG = FileRead("D:\testaccount.JPG")
Global $aJPG = StringSplit($sJPG, "", 2)

_AD_Open()
_AD_ModifyAttribute("test","thumbnailPhoto",$aJPG)
_AD_Close()

The SamAccountName is called test.account. It is a test account I created for this.

When I run it, I get;

COM Error Encountered in Change Photo.au3

AD UDF version = 1.3.0

@AutoItVersion = 3.3.8.1

@AutoItX64 = 0

@Compiled = 0

@OSArch = X86

@OSVersion = WIN_XP

Scriptline = 2479

NumberHex = 80020009

Number = -2147352567

WinDescription = The attribute syntax specified to the directory service is invalid.

Description =

Source =

HelpFile =

HelpContext = 0

LastDllError = 0

========================================================

+>09:09:18 AutoIt3.exe ended.rc:0

>Exit code: 0 Time: 0.887

Edited April 29, 2013 by ScriptingNewbie

water · April 29, 2013

Where did you find the property "thumbnailPhoto"? I only get "jpegPhoto".

ScriptingNewbie · April 29, 2013

Where did you find the property "thumbnailPhoto"? I only get "jpegPhoto".

From the Active Directory Schema.

water · April 29, 2013

I see.

The Schema has to be on level 2008 or later. The JPG is limited to 10K by default with a max value of 100k.

It's a multivalue attribute so more than 1 picture is possible.

Looks like it has to be passed as a string, not a byte array.

Could you try the following code. If it doesn't work could you please set the flag to 16 (binary):

#include <AD.au3>
#include <File.au3>

Global $hJPG = FileOpen("D:\testaccount.JPG", 0) ; ==> If 0 doesn't work set the flag to 16 (binary)
Global $sJPG = FileRead($hJPG)
FileClose($hJPG)

_AD_Open()
_AD_ModifyAttribute("test","thumbnailPhoto",$sJPG)
_AD_Close()

ScriptingNewbie · April 29, 2013

I see.
The Schema has to be on level 2008 or later. The JPG is limited to 10K by default with a max value of 100k.
It's a multivalue attribute so more than 1 picture is possible.
Looks like it has to be passed as a string, not a byte array.
Could you try the following code. If it doesn't work could you please set the flag to 16 (binary):
#include <AD.au3>
#include <File.au3>

Global $hJPG = FileOpen("D:\testaccount.JPG", 0) ; ==> If 0 doesn't work set the flag to 16 (binary)
Global $sJPG = FileRead($hJPG)
FileClose($hJPG)

_AD_Open()
_AD_ModifyAttribute("test","thumbnailPhoto",$sJPG)
_AD_Close()

Thank you that has worked with the 16.

water · April 29, 2013

Glad to hear that the problem could be solved

jp10558 · May 2, 2013

Is it possible to get the RID from AD in Autoit? Unfortunately, doing

$SIDhex = _AD_GetObjectAttribute($user,"objectSid")

returns hexadecimal rather than the usual display SID.

$SID = _HexToString($SIDhex)

doesn't seem to convert to the usual display format...

I was going to take the SID and do

StringRegExpReplace($SID,"-([0-9]*)\Z","\1")

but if I can't get the info in a format I expect, mmm. I could go out to powershell maybe, but I'm not sure if I can capture the output of a powershell snippet.

water · May 2, 2013

_AD_GetObjectAttribute returns a single attribute UNTRANSLATED. Use _AD_GetObjectProperties to get TRANSLATED attributes.

WLZAdmin · May 7, 2013

FYI

Just dropping a note as it might be useful to others/I might have missed something.

I've modified _AD_RecursiveGetMemberOf as it returned an empty array if a cn contained a forward slash, which in turn is escaped by a backslash, ie "name\/noname". It seems the ADODB query doesn't like backslashes. It's therefor probably true for other 'to be escaped' characters as well (didn't test them).

After this line:

If StringMid($sAD_Object, 3, 1) <> "=" Then $sAD_Object = _AD_SamAccountNameToFQDN($sAD_Object) ; sAMAccountName provided

I added this code:

$sAD_Object = StringReplace($sAD_Object, "\", "")

to remove the escaping backslash.

It looks like this is the only function which uses the query with '(member='

$__oAD_Command.CommandText = "<LDAP://" & $sAD_HostServer & "/" & $sAD_DNSDomain & ">;(member=" & $sAD_Object & ");" & $sAD_Field & ";subtree"

water · May 7, 2013

You mean the result of a call to _AD_RecursiveGetMemberOf is an escaped string (e.g. "name/noname") but _AD_RecursiveGetMemberOf itself needs the $sAD_object parameter unescaped?

In this case I would use

$sAD_Object = _AD_FixSpecialChars($sAD_Object, 1)

to unescape all characters.

WLZAdmin · May 10, 2013

As it turns out, comma's should be escaped, but forward slashes should not. After I had put the modification in production the function didn't work anymore for users who had a comma in their cn. ("Hoover\, J.E."). _AD_FixSpecialChars is therefor too 'aggressive'.

To only remove the escaping backslash for forward slashes I changed the code to:

$sAD_Object = StringReplace($sAD_Object, "\/", "/")

Which seems to work better for our environment (2003 AD BTW with mostly XP clients).

I haven't found any documentation which describe what characters are allowed in the ADO LDAP query CommandText... (yet). Especially when cn is used.

water · May 10, 2013

As it turns out, comma's should be escaped, but forward slashes should not. After I had put the modification in production the function didn't work anymore for users who had a comma in their cn. ("Hoover\, J.E."). _AD_FixSpecialChars is therefor too 'aggressive'.

Modify the call and it will be less "aggressive":

$sAD_Object = _AD_FixSpecialChars($sAD_Object, 1, ",")

I haven't found any documentation which describe what characters are allowed in the ADO LDAP query CommandText... (yet). Especially when cn is used.

Good reading can be found here.

WLZAdmin · May 10, 2013

Better still:

$sAD_Object = _AD_FixSpecialChars($sAD_Object, 1, "/")

which makes _AD_RecursiveGetMemberOf look like this:

Func _AD_RecursiveGetMemberOf($sAD_Object, $iAD_Depth = 10, $bAD_ListInherited = True, $bAD_FQDN = True)

    If _AD_ObjectExists($sAD_Object) = 0 Then Return SetError(1, 0, "")
    If StringMid($sAD_Object, 3, 1) <> "=" Then $sAD_Object = _AD_SamAccountNameToFQDN($sAD_Object) ; sAMAccountName provided
    $sAD_Object = _AD_FixSpecialChars($sAD_Object, 1, "/")   ; <<---- Code added to fix query when cn has a forward slash in it

    Local $iCount1, $iCount2
    Local $sAD_Field = "distinguishedName"
    If Not $bAD_FQDN Then $sAD_Field = "samaccountname"
    $__oAD_Command.CommandText = "<LDAP://" & $sAD_HostServer & "/" & $sAD_DNSDomain & ">;(member=" & $sAD_Object & ");" & $sAD_Field & ";subtree"
    ; ConsoleWrite("Debug: " & "$__oAD_Command.CommandText=" & $__oAD_Command.CommandText & @CRLF)
    Local $oAD_RecordSet = $__oAD_Command.Execute
    Local $aAD_Groups[$oAD_RecordSet.RecordCount + 1] = [0]
<snip>

I use this line of code to call the function:

Global $GroupMemberOf = _AD_RecursiveGetMemberOf(@UserName, 10, True, False)

_AD_SamAccountNameToFQDN($sAD_Object) returns something like "CN=La\/Dida,OU=TheOther,OU=Or,OU=One,DC=domain,DC=nl" which can't be used as input to the query as it returns 0 records.

Using "CN=La/Dida,OU=TheOther,OU=Or,OU=One,DC=domain,DC=nl" however does return data. Hence the StringReplace.

mkdd · May 10, 2013

Hi,

I'm looking for similar functionality to _AD_DeleteObject but then a _AD_CreateObject.
I want to be able to create custom objects based on a schema class.

Any idea where to start? the basic insert/create functions don't let me do this.

Thanks in advance.

water · May 10, 2013

Welcome to AutoIt and the forum!

Looks like you need to write your own function. _AD_CreateOU is a good starting point. Replace "organizationalUnit" with your class and set the RDN properly.

mkdd · May 13, 2013

Hi,
I'm looking for similar functionality to _AD_DeleteObject but then a _AD_CreateObject.
I want to be able to create custom objects based on a schema class.
Any idea where to start? the basic insert/create functions don't let me do this.
Thanks in advance.

Welcome to AutoIt and the forum!

Looks like you need to write your own function. _AD_CreateOU is a good starting point. Replace "organizationalUnit" with your class and set the RDN properly.

Thanks for helping out water!

Here's the bit of code i used to get it working.

; #FUNCTION# ====================================================================================================================
; Name...........: _AD_CreateOBject
; Description ...: Creates an Object in the specified OU.
; Syntax.........: _AD_CreateObject($sAD_ParentOU, $sAD_Object, $sAD_Class)
; Parameters ....: $sAD_ParentOU - Parent OU where the new OU will be created (FQDN)
;                  $sAD_Ojbect - Object name
;                  $sAD_Class - Class for the new object
; Return values .: Success - 1
;                  Failure - 0, sets @error to:
;                  |1 - $sAD_ParentOU does not exist
;                  |2 - $sAD_Object in $sAD_ParentOU already exists
;                  |3 - $sAD_Object is missing
;                  |x - Error returned by SetInfo function (Missing permission etc.)
; Author ........: Jonathan Clelland 
; Modified.......: mkdd
; Remarks .......: This does not create any attributes for the Object. Use function _AD_ModifyAttribute.
; Related .......: _AD_CreateUser, _AD_CreateGroup, _AD_AddUserToGroup, _AD_RemoveUserFromGroup
; Link ..........:
; Example .......: Yes
; ===============================================================================================================================
Func _AD_CreateObject($sAD_ParentOU, $sAD_Object, $sAD_Class)
    If Not _AD_ObjectExists($sAD_ParentOU, "distinguishedName") Then Return SetError(1, 0, 0)
    If _AD_ObjectExists("CN=" & $sAD_Object & "," & $sAD_ParentOU, $sAD_Class) Then Return SetError(2, 0, 0)
    If $sAD_Object = "" Then Return SetError(3, 0, 0)
    Local $oAD_ParentOU = __AD_ObjGet("LDAP://" & $sAD_HostServer & "/" & $sAD_ParentOU)
    Local $oAD_Object = $oAD_ParentOU.Create($sAD_Class, "CN=" & $sAD_Object)
    $oAD_Object.SetInfo
    If @error <> 0 Then Return SetError(@error, 0, 0)
    Return 1

EndFunc   ;==>_AD_CreateObject

Edited May 13, 2013 by mkdd

Active Directory UDF - Help & Support (II)

Recommended Posts

Link to comment

Share on other sites

Top Posters In This Topic

Top Posters In This Topic

Popular Posts

water

water

water

Posted Images

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Recently Browsing 0 members