Active Directory UDF - Help & Support (II)

[water]

Glad you like my work

I hope to soon release a new version with a few new functions and some bugs removed.

[lewisg]

Water:

Just found out my Password Changer script doesn't set the "the password has to be changed at next logon"  even though I set the third parameter of  "_AD_SetPassword"  to one (1). A debug to console show a one(1) being passed. It was working at development time on my home sandbox AD Rasara server.............thoughts?

[water]

What's the return code and @error after you called the function?

What's the password policy of your company? Do passwords expire?

[lewisg]

The return code is 1 and both the @error and @extended are 0. 

The student's password policy (this is a k-12 school district) is minimum 3 characters,  never expire.

[water]

This article describes what's going on: You can't have both. Either "Change password at next logon" or "Password never expires".

[lewisg]

Thanks Water that explains it. I'll hide that control.

[gcue]

hello.

an interesting yet annoying issue - and i blame our network admins!

ok so there are several groups im querying for its members.

example group

ARS Support LA

i think the udf looks at what the "group name pre-windows 2000" is called right?

because in the ad tool it lists it as ARS Support LA but the pre-windows 2000 name is ARSSupportLA so my query fails unless i use the pre-windows 2000 name i am also seeing it named ARS_Support_LA

anyway to catch all?

thanks

[water]

Correct. The functions accept either the sAMAccountName (pre-Windows 2000 name) or the FQDN (Fully qualified domain name).

Which property is "ARS Support LA" if you run _AD_GetObjectProperties("ARSSupportLA") and display the resulting array?

[gcue]

cn

displayname

name

they have it

so how can i query the group knowing only the displayname?

[gcue]

ooo  getobjectsinou ?  let me try

Edited November 15, 2013 by gcue

[gcue]

having trouble when i get more than 1 match

ie: ARS Support LA Test

[water]

To directory access a group (fast)  you need a unique identifier: sAMAccountname or FQDN.

To scan through the AD (slower if an index property is used, much slower if no index porperty is used): Use _AD_GetObjectsInOU.

[gcue]

actually i think i got it

 _AD_Open()
 
$member = "John_Smith"
$group = "ARS Support LA"
 
$array = _AD_GetObjectsInOU("", "(ANR=" & $group & ")", 2, "displayName,sAMAccountName")
 
for $x = 1 to UBound($array)-1
if $group = $array[$x][0] Then
$group = $array[$x][1]
EndIf
Next
 
$group_member_check = _AD_IsMemberOf($group, $member)
 
_AD_Close()

[water]

Small enhancement:

_AD_Open()
 
$member = "John_Smith"
$group = "ARS Support LA"
 
$array = _AD_GetObjectsInOU("", "(ANR=" & $group & ")", 2, "displayName,sAMAccountName")
 
for $x = 1 to UBound($array)-1
    if $group = $array[$x][0] Then
        $group = $array[$x][1]
        ExitLoop ; <== Enhances speed
    EndIf
Next
 
$group_member_check = _AD_IsMemberOf($group, $member)
 
_AD_Close()

[gcue]

i think some people like myself assume the displayname is the samaccount

so we are getting false results.  doh

[water]

As you have seen some properties can have the same value. Some others need to be unique to identify the object. It's sensible to set the displayname to the sAMAccountname to not have too many different "names" for the same object.

Edited November 25, 2013 by water

[Kovacic]

Not sure if anyone else has seen this, but I have an application that involves removing people from groups, and I have had 2 accounts crash the app with the following error:

C:Program Files (x86)AutoIt3IncludeAD.au3 (666) : ==> Error in expression.:

Local $iAD_Result = ^ ERROR

 

 

The line of code that was being run was

 

local $worked = _AD_RemoveUserFromGroup("First Level Review R/W", $user)

The actual code goes through multiple groups, and therefore "First Level Review R/W" is one of many specified in a loop. Is there something that I can do with the UDF, or a method to add a line to my code to accept the '/' character? 

Thanks!

[water]

I can't test at the moment but I think if you escape the slash the problem should be solved:

local $worked = _AD_RemoveUserFromGroup("First Level Review R\/W", $user)

The AD UDF provides a function to escape/unescape such characters: _AD_FixSpecialChars

[Kovacic]

I can't test at the moment but I think if you escape the slash the problem should be solved:

local $worked = _AD_RemoveUserFromGroup("First Level Review R\/W", $user)

The AD UDF provides a function to escape/unescape such characters: _AD_FixSpecialChars

 

Excellent! I will give this a try tonight and post the results!

Thanks!

[Kovacic]

Ok so it looks like it still errored out, but heres what I found.. I looked for the line that was supposed to fix the special char in _AD_FixSpecialChars and found this:

If StringInStr($sAD_EscapeChar, '/') Then $sAD_Text = StringReplace($sAD_Text, '\/', '/')

I looked up the StringReplace function and based on what I saw

 StringReplace ( "string", "searchstring/start", "replacestring" [, occurrence [, casesense]] ) 

I changed the line to this:

If StringInStr($groupz[$c], '/') Then $fixedgroupz = StringReplace($groupz[$c], '/','\/')

[ignore the variable changes, the change was the string replace order of slashes]

This time the program did not crash, but the log file from the prog I wrote shows it turned "CN=First Level Review R/W access" into "CN=First Level Review R/W access". the actual group is "First Level Review R/W access", but its being turned into "First Level Review R/W access". 

The reason I cant change the group in the code is because the program goes through a list of usernames and removes all groups except for domain user. It works flawlessly for everyone else, but when it went to process this user, it crashed the entire app.

So all in all, now it doesn't crash, but when trying to process "First Level Review R/W access", the error comes back and says it can not remove the user from "First Level Review R/W access", so I am a step closer.

Edited November 25, 2013 by Kovacic