ADSI scripting not working

  • ADSI scripting not working

    Hi Friends,

    http://www.microsoft.com/technet/scr...5/hey1209.mspx

    This doesn't seem to work for me. If I run the script without the userid/pass entries, it works. If I include the u/p entries the script runs at 98% CPU utilization and never ends!! Does anybody have an idea why it is not working?

    Thank You
    Mohan Mathew[VU3MMU]
    MCITP [AD]

  • #2
    Re: ADSI scripting not working

    The sample from the 'scripting guys' works fine here. Have you added additional code to your script?

    Try also commenting out just the lines
    objConnection.Properties("Encrypt Password") = TRUE
    objConnection.Properties("ADSI Flag") = 3
    and including the usr/pass entries.
    Enter the user's UPN for the name.
    Are there perhaps any unusual characters used in the password?

    Try running the script from a DOS prompt, using the cscript host.


    \Rems
    Last edited by Rems; 7th April 2009, 22:39.

    This posting is provided "AS IS" with no warranties, and confers no rights.

    __________________

    ** Remember to give credit where credit's due **
    and leave Reputation Points for meaningful posts



    • #3
      Re: ADSI scripting not working

      Hi Rems,

      Thank you so much, I have disabled it and now it works!! Not sure why it will not work when we enable encryption.

      I need more help from you all. I'm trying to unlock an AD account using special user credentials with the same script.

      Code:
      On Error Resume Next
      Const ADS_SCOPE_SUBTREE = 2
      Set objConnection = CreateObject("ADODB.Connection")
      Set objCommand = CreateObject("ADODB.Command")
      objConnection.Provider = "ADsDSOObject"
      ' Alternate credentials used for the ADO/ADSI connection
      objConnection.Properties("User ID") = "domain\usernam"
      objConnection.Properties("Password") = "Password"
      objConnection.Open "Active Directory Provider"
      Set objCommand.ActiveConnection = objConnection
      objCommand.Properties("Page Size") = 10
      objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
      objCommand.CommandText = _
        "SELECT Name FROM 'LDAP://ou=users,dc=domain,dc=net' WHERE objectCategory='user' AND givenName='test11'"
      ' Execute the query; without this objRecordSet is never created
      Set objRecordSet = objCommand.Execute
      objRecordSet.MoveFirst
      Do Until objRecordSet.EOF
         oADSObjectLKD = objRecordSet.Fields("Name").value
         wscript.echo oADSObjectLKD
         objRecordSet.MoveNext
      Loop
      This script works perfectly without any error; the output value is the CN of 'test11'.

      How can I include an AD unlock script in this, instead of displaying the Name field?

      I tried to display
      Code:
      objRecordSet.Properties("IsAccountLocked").value
      , but no success!!

      Any help would be much appreciated.
      Thank You
      Mohan Mathew[VU3MMU]
      MCITP [AD]



      • #4
        Re: ADSI scripting not working

        Originally posted by mohanmathew
        Not sure why it will not work when we enable encryption.
        Remove the 'On Error Resume Next' from your script. Then maybe you'll get an error telling you why you can't use secure authentication.
        When troubleshooting code, always try to run it without On Error statements first.

        btw
        I would recommend using 'On Error Resume Next' in a script only when you know precisely where and how you use it for error handling, and disabling it again (On Error Goto 0) when you no longer use error capturing.


        The script you showed is not able to unlock users. The main issue is that you have to use the WinNT provider instead of the LDAP provider to connect to the object in order to change the "IsAccountLocked" status.
        The lockout flag is not stored in Active Directory, the IsAccountLocked property is created when you access Active Directory by using the WinNT provider.

        So you cannot use the filter:
        Code:
        "SELECT Name FROM 'LDAP://ou=users,dc=domain,dc=net' WHERE objectCategory='user' AND givenName='test11'"
        btw the filter only selects the 'Name' attribute from the matching objects; if you replaced that with a wildcard (*) you should have got all available attributes.

        Here is a sample of a script that works and does it somewhat like the way you tried with your script.
        Code:
        Const UF_LOCKOUT = &H0010
        Const ADS_SECURE_AUTHENTICATION = 1
        Const ADS_USE_ENCRYPTION = 2
        
        domainName = "DOMAINNAME"
        strUserName = "USERNAME"
        
        '- Binding to a domain (authenticating DC) with Domain Admin credentials
           AdminName = "Administrator"
           Password = "[email protected]$$W0rd"
           Set dso = GetObject("WinNT:")
           Set dom = dso.OpenDSObject("WinNT://" & domainName, AdminName, _
                 Password, ADS_SECURE_AUTHENTICATION OR ADS_USE_ENCRYPTION)
        '-----------------------------------------------------------------------
        
        '# - Using the WinNT provider -
        '# The IsAccountLocked property is not accessible by using the Lightweight Directory Access Protocol (LDAP) provider.
        '# The lockout flag is not stored in Active Directory, but is created on-the-fly only when you access Active Directory
        '# by using the WinNT provider.
        '#
        '# Additionally... User lockout uses the user's lockoutTime property. When you bind to the user object by using
        '# the LDAP provider, you can use it to determine the lockout status of the user. If it is larger than zero, the user
        '# is currently locked out. To undo the lockout, set the value to zero.
        '#
        '# LockoutTime is cleared only when the previously locked-out user tries to log on. When the lockout time has expired
        '# but the user has not yet tried to log on, lockoutTime may still be set, although the user would be able to
        '# successfully log on at that time.
        '#
        '# ( http://support.microsoft.com/kb/250873 )
        
        '# Bind to the user through the authenticated domain object, so the admin
        '# credentials given to OpenDSObject are used rather than the caller's own.
        Set objUser = dom.GetObject("User", strUserName)
        
        On Error Resume Next
        strName = objUser.Get("FullName")
        cUserFlags = objUser.Get("UserFlags")
        If Err.Number <> 0 Then
           WScript.Echo "Could not read user " & strUserName & ": " & Err.Description
           WScript.Quit 1
        End If
        On Error Goto 0
        
        If (cUserFlags And UF_LOCKOUT) Then
           '# Clear only the lockout bit and leave the other UserFlags untouched
           objUser.Put "UserFlags", cUserFlags And (Not UF_LOCKOUT)
           objUser.SetInfo
        
           '# Re-read the flags to confirm the change was accepted by the DC
           cUserFlags = objUser.Get("UserFlags")
           If (cUserFlags And UF_LOCKOUT) Then
              WScript.Echo "User: " & strName & vbNewLine & "Unlock FAILED"
           Else
              WScript.Echo "User: " & strName & vbNewLine & "Unlock SUCCESSFUL"
           End If
        Else
           WScript.Echo "User: " & strName & vbNewLine & "was NOT Locked Out."
        End If
        
        Set objUser = Nothing : Set dom = Nothing : Set dso = Nothing
        wscript.quit
        \Rems

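The lockoutTime and UserFlags logic described in this reply, modelled offline in Python as an added illustration (this is not Rems's script and it does not talk to a directory): the lockoutTime values are the raw large-integer ticks an LDAP query returns, the sample accounts, the 30-minute lockoutDuration and the "0 means no automatic expiry" reading of lockoutDuration are assumptions of the example, and a value counts as stale once the domain's lockoutDuration has passed since it was set.

```python
from datetime import datetime, timedelta, timezone

# AD stores lockoutTime as a Windows FILETIME: 100 ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000
UF_LOCKOUT = 0x0010  # the WinNT UserFlags bit the script above clears

def datetime_to_filetime(dt: datetime) -> int:
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10

def filetime_to_datetime(ticks: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def is_effectively_locked(lockout_time: int, lockout_duration: int, now: datetime) -> bool:
    """lockoutTime 0: never locked or cleared. A value > 0 marks when the lockout
    began, but it is reset only on the user's next logon, so once the domain's
    lockoutDuration (a negative tick interval; 0 taken here as 'until an admin
    unlocks', an assumption) has elapsed the value is stale and logon succeeds."""
    if lockout_time <= 0:
        return False
    if lockout_duration == 0:
        return True
    expires = filetime_to_datetime(lockout_time) + timedelta(microseconds=-lockout_duration // 10)
    return now < expires

def clear_lockout_flag(user_flags: int) -> int:
    """Clear UF_LOCKOUT with And Not rather than Xor: Xor would switch the bit
    back on if run against an account that is not locked."""
    return user_flags & ~UF_LOCKOUT

def classify(accounts: dict, lockout_duration: int, now: datetime) -> dict:
    result = {}
    for name, lockout_time in accounts.items():
        if lockout_time == 0:
            result[name] = "not locked"
        elif is_effectively_locked(lockout_time, lockout_duration, now):
            result[name] = "locked"
        else:
            result[name] = "stale lockoutTime, logon will succeed"
    return result

# Constructed sample: raw lockoutTime values as an LDAP query would return them at NOW.
NOW = datetime(2009, 4, 8, 12, 0, tzinfo=timezone.utc)
LOCKOUT_DURATION_30_MIN = -30 * 60 * TICKS_PER_SECOND
SAMPLE = {
    "test11": datetime_to_filetime(NOW - timedelta(minutes=10)),  # locked 10 min ago
    "test12": datetime_to_filetime(NOW - timedelta(hours=2)),     # locked 2 h ago: expired
    "test13": 0,                                                  # never locked / unlocked
}
```

`classify(SAMPLE, LOCKOUT_DURATION_30_MIN, NOW)` reports test11 as locked, test12 as carrying a stale lockoutTime and test13 as not locked.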


        • #5
          Re: ADSI scripting not working

          Hi Rems,

          I would be very grateful if you could explain what is really happening inside the script.

          Thank you so much
          Mohan Mathew[VU3MMU]
          MCITP [AD]
