How do I validate an Active Directory setting using a vbscript and DCM?

    Question

  • Does anyone have a good blog article on either (DC with AD/vbscript)? So we have a third-party password policy enforcement tool in our enterprise and I want to validate that the policy is uniform across each domain. I could manually run it against each domain but I'd like to see if I can get this to report for each domain with DCM.

    The password policy is stored in a multi-byte string in the System container within AD.  It's a hideous format but I should be able to compare for exact string matches using the following script:

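    ' Build the domain component from the first four characters of the NetBIOS domain name
    Set objSystemInfo = CreateObject("ADSystemInfo")
    strNBDomainName = Left(objSystemInfo.DomainShortName, 4)

    ' Bind to the policy object in the System container
    Set objUser = GetObject("LDAP://cn=Password Policy Enforcer 6.0,cn=System,dc=" & strNBDomainName & ",dc=company,dc=com")

    ' Load only the multi-valued "url" attribute into the property cache
    objUser.GetInfoEx Array("url"), 0

    ' Echo every value that starts with "POL" (the stored policy strings)
    For Each strValue In objUser.GetEx("url")
     If Left(strValue, 3) = "POL" Then
      WScript.Echo strValue
     End If
    Next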

    So, if this script echoes out the policy in AD based on the domain it's run against, does anyone have a doc/blog, or could someone explain how to set this up with DCM to track the password policy settings?

    TIA!

    Friday, April 29, 2011 2:44 PM

All replies

  • Hello - I think you can use "Microsoft Security Compliance Manager" to do this work very easily....

    Like, if you have some sample domain controller with all the policies set as per your corp std then you can install this tool on that system and export those settings into DCM....

    http://technet.microsoft.com/en-us/library/cc677002.aspx


    Anoop C Nair - This posting is provided "AS IS" with no warranties or guarantees, and confers no rights. |Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Friday, April 29, 2011 4:32 PM
  • So I figured out how to create this as a DCM CI -- however, whenever I paste the output of the above script (our password policy in AD) into the Validation portion of the object, the SCCM GUI crashes. I'm guessing the string is either too long or it doesn't like the Unicode characters in the string. Regardless, it appears SCCM won't work for tracking this setting.

    Friday, April 29, 2011 5:53 PM
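
An added example, not part of the original thread: one way to avoid pasting the long Unicode policy string into the CI is to have the script echo a fixed-length SHA-256 digest of the "POL" values and compare that 64-character hex string instead. It reuses the bind path from the question's script; `Sha256Hex` is a hypothetical helper, and the sketch assumes the .NET Framework is installed so its COM-visible classes can be created from VBScript.

```vbscript
Option Explicit

' Hypothetical helper: hex SHA-256 of a string's UTF-8 bytes,
' using COM-visible .NET classes (assumes .NET Framework is present).
Function Sha256Hex(strText)
    Dim objEnc, objSha, objXml, objNode, arrBytes
    Set objEnc = CreateObject("System.Text.UTF8Encoding")
    Set objSha = CreateObject("System.Security.Cryptography.SHA256Managed")
    ' Extra parentheses pass the byte array by value, as the COM overload expects
    arrBytes = objSha.ComputeHash_2((objEnc.GetBytes_4(strText)))
    ' MSXML converts the byte array to a hex string
    Set objXml = CreateObject("MSXML2.DOMDocument")
    Set objNode = objXml.createElement("h")
    objNode.dataType = "bin.hex"
    objNode.nodeTypedValue = arrBytes
    Sha256Hex = objNode.text
End Function

Dim objSystemInfo, strNBDomainName, objPolicy, strValue, objDigests

' Same bind logic as the script in the question
Set objSystemInfo = CreateObject("ADSystemInfo")
strNBDomainName = Left(objSystemInfo.DomainShortName, 4)
Set objPolicy = GetObject("LDAP://cn=Password Policy Enforcer 6.0,cn=System,dc=" & _
    strNBDomainName & ",dc=company,dc=com")
objPolicy.GetInfoEx Array("url"), 0

' Hash each POL value separately, then sort the digests: AD does not
' guarantee the order of values in a multi-valued attribute, so sorting
' keeps the final digest stable across domains and reads.
Set objDigests = CreateObject("System.Collections.ArrayList")
For Each strValue In objPolicy.GetEx("url")
    If Left(strValue, 3) = "POL" Then objDigests.Add Sha256Hex(strValue)
Next
objDigests.Sort

If objDigests.Count = 0 Then
    ' Distinct marker so a missing policy never matches the expected digest
    WScript.Echo "NO_POLICY_VALUES"
Else
    ' Single ASCII value for the CI's validation rule to compare
    WScript.Echo Sha256Hex(Join(objDigests.ToArray(), ""))
End If
```

Run it once against the reference domain and use the echoed digest as the expected value in the CI's validation rule; any difference in a policy value in another domain produces a different digest.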
  • Have you selected the DCM option to export from your sample DC system?


    Anoop C Nair
    Saturday, April 30, 2011 4:08 AM