Active Directory UDF (II)

[water]

As the Active Directory UDF thread has grown too big, I start a new one.
The original thread can be found here.

[legend]

Sometimes when unlocking AD users, and only if they are locked out, I will get a error:

http://i.imgur.com/x0EPzwH.png

the function looks like this:

Func user_unlock()
        _AD_Open()
        Local $object1 = InputBox("Brugernavn", "Indtast brugernavn", "")
        if @error Then Exit

        Local $object = StringStripWS($object1, $STR_STRIPALL)

        $is_locked = _AD_IsObjectLocked($object)
        if $is_locked = 1 Then
        $is_locked = "Ja"
        Else
        $is_locked = "Nej"
        EndIf

        Local $displayname = _AD_GetObjectAttribute($object, "displayName")
        Local $ivalue = _ad_unlockobject($object)
        If $ivalue = 1 Then

        _FileWriteToLine($programfilesdir & "\RDTray\log.txt", 1, @MDAY & "-" & @MON & "-" & @YEAR & " - " & @HOUR & ":" & @min & ":" & @SEC & " : " & "Låst op: " & $object, 0)

        ClipPut($object)

            MsgBox(64 + 262144, "Låst op", "Brugeren er blevet låst op: " & $object & @CRLF & @CRLF & "Navn: " & $displayname & @CRLF & @CRLF & "Var          brugeren låst i forvejen: " & $is_locked)
        ElseIf @error = 1 Then
            MsgBox(64 + 262144, "info", "Bruger eksisterer ikke: " & $object,2)
            user_unlock()
        Else
            MsgBox(64 + 262144, "rettigheds problem", "Den bruger du er logget ind med, har ikke rettigheder til at låse brugeren op - Log ind på din admin konto",3)
        EndIf
        _AD_Close()
EndFunc

Can you see why i sometimes might get the error :)? It's not always, but only sometimes, and only if the account is locked out

Edited December 19, 2016 by legend

[water]

This has to be somewhere in your script because the AD UDF only has about 4800 lines.

Use

_AD_ErrorNotify(3)

to write detailed error information into a log file.

[water]

This has to be somewhere in your script because the AD UDF only has about 4800 lines.

Use

_AD_ErrorNotify(3)

to write detailed error information into a log file.

[legend]

The line number is because I have a lot of autoit includes,

I will try to put _AD_ErrorNotify(3, "C:\log.txt") under: Local $ivalue = _ad_unlockobject($object)

 

Thank's for your help water  

[water]

Use

_AD_ErrorNotify(3, "C:\log.txt")
Local $ivalue = _AD_UnlockObject($object)

and make sure that you have write permission on the target directory.

[legend]

43 minutes ago, water said:

Use

_AD_ErrorNotify(3, "C:\log.txt")
Local $ivalue = _AD_UnlockObject($object)

and make sure that you have write permission on the target directory.

hmm i just tried that, i tried writing to a log file on the desktop, and I got a error just now, by unlocking a locked out account,

But it didn't write anything to the log file

[water]

Which version of the AD UDF do you run?
Which version of AutoIt do you run?

[legend]

both the latest one, autoit: 3.3.14.2

and AD UDF: 1.4.6.0

(note: i'm always running the script as another user. We are logged in as users without administrators or domain administrator rights)

So when we need them, we use our admin accounts, can that give any problems regarding this issue :)?

Edited December 19, 2016 by legend

[water]

There is no error checking in your script. You should always check @error after calling an AD function:

Func user_unlock()
        _AD_Open()
        If @error Then Exit MsgBox(0, "Error", "Error calling _AD_Open: @error = " & @error & ",  @extended = " & @extended)
        Local $object1 = InputBox("Brugernavn", "Indtast brugernavn", "")
        If @error Then Exit
        Local $object = StringStripWS($object1, $STR_STRIPALL)
        $is_locked = _AD_IsObjectLocked($object)
        If @error Then Exit MsgBox(0, "Error", "Error calling _AD_IsObjectLocked: @error = " & @error & ",  @extended = " & @extended)
        If $is_locked = 1 Then
            $is_locked = "Ja"
        Else
            $is_locked = "Nej"
        EndIf
        Local $displayname = _AD_GetObjectAttribute($object, "displayName")
        Local $ivalue = _AD_UnlockObject($object)
        If @error Then Exit MsgBox(0, "Error", "Error calling _AD_UnlockObject: @error = " & @error & ",  @extended = " & @extended)
        If $ivalue = 1 Then
        _FileWriteToLine($programfilesdir & "\RDTray\log.txt", 1, @MDAY & "-" & @MON & "-" & @YEAR & " - " & @HOUR & ":" & @min & ":" & @SEC & " : " & "Låst op: " & $object, 0)
        ClipPut($object)
        MsgBox(64 + 262144, "Låst op", "Brugeren er blevet låst op: " & $object & @CRLF & @CRLF & "Navn: " & $displayname & @CRLF & @CRLF & "Var          brugeren låst i forvejen: " & $is_locked)
        ElseIf @error = 1 Then
            MsgBox(64 + 262144, "info", "Bruger eksisterer ikke: " & $object,2)
            user_unlock()
        Else
            MsgBox(64 + 262144, "rettigheds problem", "Den bruger du er logget ind med, har ikke rettigheder til at låse brugeren op - Log ind på din admin konto",3)
        EndIf
        _AD_Close()
EndFunc

 

[legend]

Now I got an error when I tried to unlock a user object, 

 

[spudw2k]

Looking at the _IsObjectLocked source, the only time it should return an error code that is not 1 or -1 is when the object is locked and $sResetLockoutTime >= $sNow (line 1802).
 

Edited December 19, 2016 by spudw2k

[legend]

9 hours ago, spudw2k said:

Looking at the _IsObjectLocked source, the only time it should return an error code that is not 1 or -1 is when the object is locked and $sResetLockoutTime >= $sNow (line 1802).
 

So it seems it's a problem with checking if the object is locked or not,

When I get the error: 

 

It will unlock the user object, no matter if the error above appears or not

[legend]

I'm still looking for what is causing the problem ^^ anyone got an idea what it can be?

[water]

I'm on vacation right now. Will check after 3rd of January. 

[legend]

1 hour ago, water said:

I'm on vacation right now. Will check after 3rd of January. 

Wishing you a nice holiday, enjoy good weather hopefully

[legend]

Hi Water  

Can you think of what my cause it, 

We use the unlock function everyday, but it's very often that it gives and error when the account is locked out.

From what I can see it only happens when checking if the object is locked or not: 

_AD_IsObjectLocked

I will try to remove _AD-IsObjectLocked and simply use _AD_UnlockObject, to see if the problem dissapears, however it would be nice to see

if the user object was locked or not when unlocking it  

 

[water]

Do you use the AD fine grained password policy?

[legend]

18 hours ago, water said:

Do you use the AD fine grained password policy?

Yeah, i am  but how should  that impact checking if it's locked or not? 

[water]

_AD_IsObjectLocked retrieves the LockoutTime from AD. Then it uses function _AD_GetPasswordInfo to retrieve the Lockout Duration to calculate the time when the object gets unlocked again.
The AD UDF does not support fine grained password policy - which means that this causes the current problem.