Ureader.com  
Microsoft software help and Community
date: 11 Apr 2005 05:53:49 -0700,    group: microsoft.public.platformsdk.active.directory


IsAccountLocked-AD User   
Hi All,
I am using a VB script to find the status of locked accounts in the
Win2K AD domain and then unlock the accounts.
The script which I am using is working fine on XP machines and the same
script is not displaying the correct status of locked accounts; the
result only shows IsAccountLocked = false.

If User.IsAccountLocked Then
	MsgBox User.sAMAccountName & "," & User.IsAccountLocked
	User.IsAccountLocked = False
	User.SetInfo
End If
Thanks in Advance, Any help?
date: 11 Apr 2005 05:53:49 -0700   author:   venu

Re: IsAccountLocked-AD User   
Hi,

Something like this should work, you only must change the code because it is 
VB6 so remove the $ and the typed data (such as dim xx as string should 
become dim xx)
Sub Main()
Dim oconnection1 As ADODB.Connection
Dim oCommand1 As ADODB.Command
Dim rs As ADODB.Recordset
' Create the connection and command object.
Set oconnection1 = New Connection
Set oCommand1 = New Command
' Open the connection.
oconnection1.Provider = "ADsDSOObject"  ' This is the ADSI OLE-DB provider name
oconnection1.Open "Active Directory Provider"
' Create a command object for this connection.
Set oCommand1.ActiveConnection = oconnection1

' Compose a search string.
' 1.2.840.113556.1.4.803 is the bitwise-AND matching rule; this tests bit 2 of userAccountControl.
oCommand1.CommandText = _
    "<LDAP://DC=yourdomain,DC=com>;" & _
    "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2));" & _
    "Name, objectSid, objectGuid"

' Execute the query.
Set rs = oCommand1.Execute
'--------------------------------------
' Navigate the record set
'--------------------------------------
Dim Bt() As Byte
Dim oUser As IADsUser
Dim userAccountControl As Long
Dim sSid As String

Do Until rs.EOF
    Debug.Print rs.Fields.Item("Name").Value
    Bt = rs.Fields.Item("objectSid").Value
    sSid = decodeOctet(Bt)
    ' Bind to the user by SID and toggle bit 2.
    Set oUser = GetObject("LDAP://<SID=" + sSid + ">")
    userAccountControl = oUser.Get("userAccountControl")
    oUser.Put "userAccountControl", userAccountControl Xor 2
    oUser.SetInfo
    rs.MoveNext
Loop

rs.Close
End Sub

' Returns the byte array as a hex string, two digits per byte.
Function decodeOctet(Bt() As Byte) As String
    Dim i As Long
    decodeOctet = Space$(UBound(Bt) * 2 + 2)
    Dim sp As String
    sp = "  "
    Dim sp2 As String
    Dim btbyte As Byte
    For i = 0 To UBound(Bt)
        btbyte = Bt(i)
        sp2 = Hex$(btbyte)
        If Len(sp2) = 1 Then
            ' Left-pad single hex digits with "0".
            Mid$(sp, 1) = "0"
            Mid$(sp, 2) = sp2
        Else
            Mid$(sp, 1) = sp2
        End If
        Mid$(decodeOctet, 1 + i * 2) = sp
    Next
End Function


-- 
compatible web farm Session replacement for Asp and Asp.Net
http://www.nieropwebconsult.nl/asp_session_manager.htm

"venu"  wrote in message 
news:1113224029.601404.315390@g14g2000cwa.googlegroups.com...
> Hi All,
> I am using a vb script to find the status of Locked accounts in the
> win2K- AD domain and then unlock the accounts.
> The script which i am using is working fine on XP machines and the same
> script is not displaying the correct status of locked accounts, the
> result only shows IsAccountLocked = false.
>
> If User.IsAccountLocked Then
> MsgBox User.sAMAccountName & "," & User.IsAccountLocked
> User.IsAccountLocked = False
> User.SetInfo
> End If
> Thanks in Advance, Any help?
>
date: Mon, 11 Apr 2005 16:48:03 +0200   author:   Egbert Nierop (MVP for IIS) lid

Re: IsAccountLocked-AD User   
That query looks for disabled users, it has nothing to do with locked users.



--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net


Egbert Nierop (MVP for IIS) wrote:
> Hi,
> 
> Something like this should work, you only must change the code because 
> it is VB6 so remove the $ and the typed data (such as dim xx as string 
> should become dim xx)
> Sub Main()
> Dim oconnection1 As ADODB.Connection
> Dim oCommand1 As ADODB.Command
> Dim rs As ADODB.Recordset
> ' Create the connection and command object.
> Set oconnection1 = New Connection
> Set oCommand1 = New Command
> ' Open the connection.
> oconnection1.Provider = "ADsDSOObject"  ' This is the ADSI OLE-DB 
> provider name
> oconnection1.Open "Active Directory Provider"
> ' Create a command object for this connection.
> Set oCommand1.ActiveConnection = oconnection1
> 
> ' Compose a search string.
> oCommand1.CommandText = 
> "<LDAP://DC=yourdomain,DC=com>;(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2));Name, 
> objectSid, objectGuid"
> 
> ' Execute the query.
> Set rs = oCommand1.Execute
> '--------------------------------------
> ' Navigate the record set
> '--------------------------------------
> Dim Bt() As Byte
> Dim oUser As iadsUser
> Dim userAccountControl As Long
> Dim sSid As String
> 
> Do Until rs.EOF
>    Debug.Print rs.Fields.Item("Name").Value
>    Bt = rs.Fields.Item("objectSid").Value
>    sSid = decodeOctet(Bt)
>    Set oUser = GetObject("LDAP://<SID=" + sSid + ">")
>    userAccountControl = oUser.Get("userAccountControl")
>    oUser.Put "userAccountControl", userAccountControl Xor 2
>    oUser.SetInfo
>    rs.MoveNext
> Loop
> 
> rs.Close
> End Sub
> Function decodeOctet(Bt() As Byte) As String
>    Dim i As Long
>    getGuid = Space$(UBound(Bt) * 2 + 2)
>    Dim sp As String
>    sp = "  "
>    Dim sp2 As String
>    Dim btbyte As Byte
>    For i = 0 To UBound(Bt)
>        btbyte = Bt(i)
>        sp2 = Hex$(btbyte)
>        If Len(sp2) = 1 Then
>            Mid$(sp, 1) = "0"
>            Mid$(sp, 2) = sp2
>        Else
>            Mid$(sp, 1) = sp2
>        End If
>        Mid$(getGuid, 1 + i * 2) = sp
>    Next
> End Function
> 
>
date: Sun, 17 Apr 2005 11:54:39 -0400   author:   Joe Richards [MVP]

Re: IsAccountLocked-AD User   
This is a much discussed issue. isAccountLocked is not useful against AD with 
the LDAP provider. There are other more difficult mechanisms you need to use. If 
you just need a tool go download unlock at www.joeware.net.



--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net


venu wrote:
> Hi All,
> I am using a vb script to find the status of Locked accounts in the
> win2K- AD domain and then unlock the accounts.
> The script which i am using is working fine on XP machines and the same
> script is not displaying the correct status of locked accounts, the
> result only shows IsAccountLocked = false.
> 
> If User.IsAccountLocked Then
> 	MsgBox User.sAMAccountName & "," & User.IsAccountLocked
> 	User.IsAccountLocked = False
> 	User.SetInfo
> End If
> Thanks in Advance, Any help?
>
date: Sun, 17 Apr 2005 11:55:40 -0400   author:   Joe Richards [MVP]

Re: IsAccountLocked-AD User   
"Joe Richards [MVP]"  wrote in message 
news:%23csaEX2QFHA.612@TK2MSFTNGP14.phx.gbl...
> That query looks for disabled users, it has nothing to do with locked 
> users.
>

My fault. Already corrected! See below...

> --
> Joe Richards Microsoft MVP Windows Server Directory Services
> www.joeware.net
>
>

Sub Main()
Dim oconnection1 As ADODB.Connection
Dim oCommand1 As ADODB.Command
Dim rs As ADODB.Recordset
' Create the connection and command object.
Set oconnection1 = New Connection
Set oCommand1 = New Command
' Open the connection.
oconnection1.Provider = "ADsDSOObject"  ' This is the ADSI OLE-DB provider name
oconnection1.Open "Active Directory Provider"
' Create a command object for this connection.
Set oCommand1.ActiveConnection = oconnection1

' Compose a search string.
' 1.2.840.113556.1.4.803 is the bitwise-AND matching rule; this tests bit 16 of userAccountControl.
oCommand1.CommandText = _
    "<LDAP://DC=yourdomain,DC=com>;" & _
    "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=16));" & _
    "Name, objectSid, objectGuid"

' Execute the query.
Set rs = oCommand1.Execute
'--------------------------------------
' Navigate the record set
'--------------------------------------
Dim Bt() As Byte
Dim oUser As IADsUser
Dim userAccountControl As Long
Dim sSid As String

Do Until rs.EOF
    Debug.Print rs.Fields.Item("Name").Value
    Bt = rs.Fields.Item("objectSid").Value
    sSid = decodeOctet(Bt)
    ' Bind to the user by SID and toggle bit 16.
    Set oUser = GetObject("LDAP://<SID=" + sSid + ">")
    userAccountControl = oUser.Get("userAccountControl")
    oUser.Put "userAccountControl", userAccountControl Xor 16
    oUser.SetInfo
    rs.MoveNext
Loop

rs.Close
End Sub

' Returns the byte array as a hex string, two digits per byte.
Function decodeOctet(Bt() As Byte) As String
    Dim i As Long
    decodeOctet = Space$(UBound(Bt) * 2 + 2)
    Dim sp As String
    sp = "  "
    Dim sp2 As String
    Dim btbyte As Byte
    For i = 0 To UBound(Bt)
        btbyte = Bt(i)
        sp2 = Hex$(btbyte)
        If Len(sp2) = 1 Then
            ' Left-pad single hex digits with "0".
            Mid$(sp, 1) = "0"
            Mid$(sp, 2) = sp2
        Else
            Mid$(sp, 1) = sp2
        End If
        Mid$(decodeOctet, 1 + i * 2) = sp
    Next
End Function
date: Mon, 18 Apr 2005 16:33:51 +0200   author:   Egbert Nierop (MVP for IIS) lid

Re: IsAccountLocked-AD User   
This is still wrong. userAccountControl does not reflect the locked out status 
of an account when you are using LDAP. I.E. No query against userAccountControl 
will show you a locked out account. You need to query in a special way against 
lockoutTime.

    joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net


Egbert Nierop (MVP for IIS) wrote:
> "Joe Richards [MVP]"  wrote in message 
> news:%23csaEX2QFHA.612@TK2MSFTNGP14.phx.gbl...
> 
>> That query looks for disabled users, it has nothing to do with locked 
>> users.
>>
> 
> My fault. Already corrected! See below...
> 
>> -- 
>> Joe Richards Microsoft MVP Windows Server Directory Services
>> www.joeware.net
>>
>>
> 
> Sub Main()
> Dim oconnection1 As ADODB.Connection
> Dim oCommand1 As ADODB.Command
> Dim rs As ADODB.Recordset
> ' Create the connection and command object.
> Set oconnection1 = New Connection
> Set oCommand1 = New Command
> ' Open the connection.
> oconnection1.Provider = "ADsDSOObject"  ' This is the ADSI OLE-DB provider
> name
> oconnection1.Open "Active Directory Provider"
> ' Create a command object for this connection.
> Set oCommand1.ActiveConnection = oconnection1
> 
> ' Compose a search string.
> oCommand1.CommandText =
> "<LDAP://DC=yourdomain,DC=com>;(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=16));Name, 
> 
> objectSid, objectGuid"
> 
> ' Execute the query.
> Set rs = oCommand1.Execute
> '--------------------------------------
> ' Navigate the record set
> '--------------------------------------
> Dim Bt() As Byte
> Dim oUser As iadsUser
> Dim userAccountControl As Long
> Dim sSid As String
> 
> Do Until rs.EOF
>    Debug.Print rs.Fields.Item("Name").Value
>    Bt = rs.Fields.Item("objectSid").Value
>    sSid = decodeOctet(Bt)
>    Set oUser = GetObject("LDAP://<SID=" + sSid + ">")
>    userAccountControl = oUser.Get("userAccountControl")
>    oUser.Put "userAccountControl", userAccountControl Xor 16
>    oUser.SetInfo
>    rs.MoveNext
> Loop
> 
> rs.Close
> End Sub
> Function decodeOctet(Bt() As Byte) As String
>    Dim i As Long
>    getGuid = Space$(UBound(Bt) * 2 + 2)
>    Dim sp As String
>    sp = "  "
>    Dim sp2 As String
>    Dim btbyte As Byte
>    For i = 0 To UBound(Bt)
>        btbyte = Bt(i)
>        sp2 = Hex$(btbyte)
>        If Len(sp2) = 1 Then
>            Mid$(sp, 1) = "0"
>            Mid$(sp, 2) = sp2
>        Else
>            Mid$(sp, 1) = sp2
>        End If
>        Mid$(getGuid, 1 + i * 2) = sp
>    Next
> End Function
> 
>
date: Mon, 18 Apr 2005 10:54:04 -0400   author:   Joe Richards [MVP]
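
An added example (not part of the thread, and not any poster's code) of what a lockoutTime-based check involves: the LDAP filter only finds accounts with a non-zero lockoutTime, and the timestamp then has to be compared with the domain's lockoutDuration, because lockoutTime stays set after the lockout window has expired. The account names, the 30-minute policy and all function names are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# FILETIME: 100 ns ticks since 1601-01-01 UTC (the encoding of lockoutTime).
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Narrows the search to accounts with a non-zero lockoutTime; does not prove
# the account is still locked.
CANDIDATE_FILTER = "(&(objectCategory=person)(objectClass=user)(lockoutTime>=1))"


def filetime_to_datetime(ticks):
    """Convert a raw lockoutTime value to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt):
    """Inverse conversion, used here only to build the sample data."""
    d = dt - FILETIME_EPOCH
    return ((d.days * 86400 + d.seconds) * 1_000_000 + d.microseconds) * 10


def interval_to_timedelta(interval):
    """lockoutDuration is stored as a negative count of 100 ns ticks."""
    return timedelta(microseconds=abs(interval) // 10)


def is_locked_out(lockout_time, duration, now):
    """duration=None means no automatic unlock (this example's convention)."""
    if not lockout_time:          # attribute absent or reset to 0
        return False
    if duration is None:
        return True
    return now < filetime_to_datetime(lockout_time) + duration


def locked_accounts(records, duration, now):
    return [name for name, lt in records if is_locked_out(lt, duration, now)]


# Constructed sample data (not from the thread).
NOW = datetime(2005, 4, 18, 15, 0, tzinfo=timezone.utc)
POLICY = interval_to_timedelta(-18_000_000_000)   # 30 minutes
RECORDS = [
    ("alice", None),
    ("bob", datetime_to_filetime(NOW - timedelta(minutes=10))),
    ("carol", datetime_to_filetime(NOW - timedelta(hours=2))),
    ("dave", 0),
]

if __name__ == "__main__":
    print(locked_accounts(RECORDS, POLICY, NOW))
```

In the sample, carol would still be returned by the filter but is no longer locked, which is the case a bare lockoutTime query gets wrong.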

Re: IsAccountLocked-AD User   
"Joe Richards [MVP]"  wrote in message 
news:O4sC4ZCRFHA.3672@TK2MSFTNGP10.phx.gbl...
> This is still wrong. userAccountControl does not reflect the locked out 
> status of an account when you are using LDAP. I.E. No query against 
> userAccountControl will show you a locked out account. You need to query 
> in a special way against lockoutTime.
>
>    joe

Ok thanks. The MSDN mentions this even in one paragraph :)
date: Mon, 18 Apr 2005 22:32:41 +0200   author:   Egbert Nierop (MVP for IIS) lid

Re: IsAccountLocked-AD User   
Joe Richards [MVP] wrote:
> This is a much discussed issue. isAccountLocked is not useful against AD 
> with the LDAP provider. There are other more difficult mechanisms you 
> need to use. If you just need a tool go download unlock at www.joeware.net.
> 

When I need to quickly access account lockout status from a script, I 
query the user account with the WINNT:// provider.

-- 
Tomasz Onyszko [MVP]
http://www.w2k.pl
date: Tue, 10 May 2005 13:19:35 +0200   author:   Tomasz Onyszko [MVP]

Re: IsAccountLocked-AD User   
Thanks for the help, it works great.
date: 27 May 2005 07:37:03 -0700   author:   venu
