Active Directory UDF - Help & Support (II)

[water]

Thanks a lot. Will add it to the next release of the UDF.

[trhightree]

I have an issue with the _AD_DeleteObject function. I can't delete an object that has already been added to the domain since the bitlocker keys have been stored on the computer object as a sub-object. It has been tested multiple times and if there is a way to delete the sub-object it will then allow me to delete the object itself. So far the only way I've been able to delete computers is to manually delete and then it asks me if I would like to delete subtree groups. Please let me know if there's a function for this.

[water]

Seems like the delete function can only delete leaf objects no container objects. If you first delete the bitlocker object you should then be able to delete the computer account.

[kabar]

I am having trouble writing a "Multi-valued settings in AD". Specifically the "proxyaddresses" attribute.

We are enabling Microsoft Lync for existing exchange users. The below snippet works fine enabling Lync, users can login and communicate via Lync. Not having the sip in the Proxyaddresses prevents users from leading Lync Meetings.

Attached is the attribute we are needing to add the "sip" to.

Any help would be greatly appreciated.

Edited June 18, 2013 by kabar

[water]

To set the proxyaddresses attribute please have a look at function _AD_AddEmailAddress.

[HighlanderSword]

Hello Water,

The UDF is great.

Is their any way to do a recursive lookup against a dg group and get the group name along with its members ?

for example

DG Test1 contains :

DG Test1

User1

User 2

user3

DG Sub Developers

DG Sub Developers Contains:

Special4

Secial5

DG COm Support

DG User Support

 

DG COm Support Contains

More1

more2

DG User Support Contains

Support1

Support2

 

Basically I need to get all the dg groups and members that are subscrbed to the main List , including the Sub DG Groups

Please let me know, I'm in the process of trying to build a function to attempt this but figured I would check and see fi this has already been done.

Thanks

Paul

[water]

There is a function named _AD_RecursiveGetGroupMembers in the next release. I posted a version to test on the German AutoIt forum.

The function isn't yet perfect but I will be happy to add any sensible changes you require.

[HighlanderSword]

Hello,

I took the code from the German page and added it to my AU3 file.

When I run the German version of the recursive Lookup , it onlu returnns 1 row, when I run the regular one that is

not recursive it returns over 200 rows as that is expected as their are over 200 people in the DG.

Cand you please let me know what Im doing wrong ?

$aMembers=_AD_RecursiveGetMemberOfxxx("DG - MSTRRMTBP")   ; The New code from the German Page

;~  $aMembers = _AD_GetGroupMembers("DG - MSTRRMTBP") The non recursive call

 

Below is the code I took from the german Page

 

Func _AD_RecursiveGetMemberOfxxx($sObject, $iDepth = 10, $bListInherited = True, $bFQDN = True)

    If _AD_ObjectExists($sObject) = 0 Then Return SetError(1, 0, "")
    If StringMid($sObject, 3, 1) <> "=" Then $sObject = _AD_SamAccountNameToFQDN($sObject) ; sAMAccountName provided

    $sObject = StringReplace($sObject, "/", "/")

    ;$sObject = _AD_FixSpecialChars($sObject, 1) ; the object needs to be unescaped for the LDAP query but the result might be escaped

    Local $iCount1, $iCount2
    Local $sField = "distinguishedName"
    If Not $bFQDN Then $sField = "samaccountname"

    Local $oRecordSet = $__oAD_Command.Execute
    Local $aGroups[$oRecordSet.RecordCount + 1] = [0]
    If $oRecordSet.RecordCount = 0 Then Return $aGroups
    $oRecordSet.MoveFirst
    $iCount1 = 1
    Local $aTempMemberOf[1]
    Do
        $aGroups[$iCount1] = $oRecordSet.Fields(0).Value
        If $iDepth > 0 Then
            $aTempMemberOf = _AD_RecursiveGetMemberOf($aGroups[$iCount1], $iDepth - 1, $bListInherited, $bFQDN)
            If $bListInherited Then
                For $iCount2 = 1 To $aTempMemberOf[0]
                    $aTempMemberOf[$iCount2] &= "|" & $aGroups[$iCount1]
                Next
            EndIf
            _ArrayDelete($aTempMemberOf, 0)
            _ArrayConcatenate($aGroups, $aTempMemberOf)
        EndIf
        $iCount1 += 1
        $oRecordSet.MoveNext
    Until $oRecordSet.EOF
    $oRecordSet.Close
    If $bListInherited = False Then
        _ArraySort($aGroups, 0, 1)
        $aGroups = _ArrayUnique($aGroups, 1, 1)
    EndIf
    $aGroups[0] = UBound($aGroups) - 1
    Return $aGroups

EndFunc   ;==>_AD_RecursiveGetMemberOf

[water]

Can you please test with the complete UDF from the german site? I changed a lot of things in the new version and don't know if a single function will work well with 1.3.0.0.

[kabar]

Hi water,

I tried added the below func to no avail. Adding the SIP just does not want to play.
Am I missing something?

_ADModifyAttribute($Object, "msRTCSIP-DeploymentLocator", "SRV:", $Append)
_ADModifyAttribute($Object, "msRTCSIP-FederationEnabled", "TRUE", $Append)
_ADModifyAttribute($Object, "msRTCSIP-InternetAccessEnabled", "TRUE", $Append)
_ADModifyAttribute($Object, "msRTCSIP-OptionFlags", "257", $Append) ;385 = enterprise voice ;257 = "PC-to-PC only
_ADModifyAttribute($Object, "msRTCSIP-PrimaryHomeServer", "CN=Lc Services,CN=Microsoft,CN=1:1,CN=Pools,CN=RTC Service,CN=Microsoft,CN=System,DC=AD,DC=$var,DC=com", $Append)
_ADModifyAttribute($Object, "msRTCSIP-PrimaryUserAddress", "sip:" & $UserADMail, 1)
_ADModifyAttribute($Object, "msRTCSIP-UserEnabled", "TRUE", $Append)
_ADModifyAttribute($Object, "msRTCSIP-UserPolicies", "0=1426752696", $Append) ;1=1 enables "default" conferencing policy

[water]

Can you please add "_AD_ErrorNotify(2)" at the top of your script so we see more detailed error messages?

[Tutungzone]

Water,

Wondering if I can use your UDF for a simple function within a much larger script running as a service on laptop computers. The service is running as a user with limited admin rights to the domain. Within the service I am picking up locally logged on user and parsing to variable $CurrentUser1. From here I want to use this variable to query the domain as to if the user account is disabled (not locked). If queried user account is disabled do this, if not do this.

Basically this is part of a service script I have been running to help satisfy PCI requirements regarding network access while connected to the wireless at work. We found a loophole in our authentication process that if the user uses local cached domain creds then attaches to our internal wireless network... they are able to get to any non-windows resources on the network. What this service does is identifies whether the user account is good, if not, delete local cached creds, and force logoff. I have been basing my service off windows resources, and have run into a snag where if the account is locked, the service deletes local cached creds and logs off, which is a burden to users that have active user accounts, but locked for whatever reason.

Your UDF will help separate what is considered locked, and disabled. I would rather base this on an AD attribute, then a simple network query. Any help for this function will be appreciated.

[water]

Functions _AD_IsObjectDisabled and _AD_IsObjectLocked should do what you want. Check the _AD_IsObjectDisabled.au3 and _AD_IsObjectLocked.au3 example scripts to see how they work.

I will be happy to answer further questions.

[water]

@Water Just to check if your link are still working, coz been trying to download the .zip files but im not able to open it

Error : Does not appear to be a valid archive

Please check the size of the downloaded ZIP archive. Most of the time a "few" bytes are missing.

Maybe the firewall or AV software blocks the download.

If the size is OK, try WinRAR to open the archive.

[OwenWatson]

Is there any way you can mail-enable a newly created AD account? Searched for Exchange in this topic, couldn't see anything pertinent.

Client Win 7 Pro, AD on Win2008R2, Exchange 2010 on Win 2008R2.

[water]

Microsoft no longer supports CDOEXM or RUS (Recipient Update Service) to create a mailbox.

The only way I've found is by using Powershell. I can provide an example iof needed.

[harbot]

Hello Im new here, just wondering if anyone can help me provide the code to search a name within AD and display as array.

I want to understand more how autoit calls and connect to AD, as a basis just a simple code that ask for users input on a certain name and calls AD then display

Thank you

[water]

Something like this? Displays a list of users with "George" in their displayname.

#include <AD.au3>
#include <Array.au3>
_AD_Open()
$sDisplayName = "*George*"
Global $aResulöt = _AD_GetObjectsInOU("", "(&(objectcategory=person)(displayname=" & $sDisplaynanem & "))", 2, "sAMAccountName,distinguishedName,displayname", "displayname")
_ArrayDisplay($aResult)
_AD_Close()

[OwenWatson]

Microsoft no longer supports CDOEXM or RUS (Recipient Update Service) to create a mailbox.

The only way I've found is by using Powershell. I can provide an example iof needed.

I know about the Powershell option, but much prefer AutoIt to PS. Thanks anyway.

[harbot]

 

Something like this? Displays a list of users with "George" in their displayname.

#include <AD.au3>
#include <Array.au3>
_AD_Open()
$sDisplayName = "*George*"
Global $aResulöt = _AD_GetObjectsInOU("", "(&(objectcategory=person)(displayname=" & $sDisplaynanem & "))", 2, "sAMAccountName,distinguishedName,displayname", "displayname")
_ArrayDisplay($aResult)
_AD_Close()

Hi Water, i tried the code you just shared with some typo changes but question how come i cant see any result from _ArrayDisplay($aResult) my exit code is >Exit code: 0    Time: 35.389

Did I do something wrong, or do i need to add code to show the result - thanks