VBS modify account status in AD

  • Question

  • hello

    Here is a part of a script in a procedure where I try to modify the status of an account in the AD. I just try to unlock it. But as you will remark, the system doesn't allow me this task read/write because of the accounts. Can someone tell me how to proceed? Again, this is only a part of a script.


    'name is the path access to the concerned account
    'name = "CN=" & user & ",OU=" & access & ",OU=USERS,OU=HOME,DC=domain,DC=pri"
    Sub unlock(name)
        Const ADS_USE_ENCRYPTION = 2
        Const ADS_SECURE_AUTHENTICATION = 1

        strUsername = "xxx"
        strPassword = "xxxx"

        Set objUser = GetObject _
          ("LDAP://" & name & " , " & strUsername & " , " & strPassword, ADS_USE_ENCRYPTION Or ADS_SECURE_AUTHENTICATION)
         '("LDAP://" & name)

        objUser.IsAccountLocked = True
        objUser.SetInfo

        MsgBox "" & name & " unlocked"
    End Sub


    Thursday, February 2, 2017 11:12 AM

All replies

  • First, don't you need to use:

    objUser.IsAccountLocked = FALSE

    Second, if you get an error message indicating that you do not have sufficient permissions, then the credentials you used (user name and password) are not good. You need credentials of an account with permissions to unlock users.


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Thursday, February 2, 2017 1:07 PM
    Moderator
  • hello

    Thanks for your answer.

    I changed the credentials to admin credentials. Now I have the following error:

    "ActiveX component can't create object :'GetObject' 800A01AD"

    Any idea?

    thanks

    Thursday, February 2, 2017 2:11 PM
  • I would suggest the following in place of your GetObject statement:

    Set objNS = GetObject("LDAP:")
    Set objUser = objNS.OpenDSObject("LDAP://" & name, strUsername, strPassword, _
        ADS_SECURE_AUTHENTICATION)
    

    This is what I have used in the past to employ alternate credentials.


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Thursday, February 2, 2017 3:12 PM
    Moderator
  • Hello Richard,

    Thanks a lot, it works, now I can enable and unlock users from my script.

    Really big thanks

    Thursday, February 2, 2017 3:44 PM
  • Hello Richard, as said, your script now works fine. I can:

    Disable/enable an account

    unlock an account

    but I cannot lock an account (yes, this happens too...)

    Here is the part of the script

        Set objNS = GetObject("LDAP:")
        Set objUser = objNS.OpenDSObject("LDAP://" & name, strUsername, strPassword, _
            ADS_SECURE_AUTHENTICATION)

        objUser.IsAccountLocked = True
        'objUser.AccountDisabled = True
        objUser.SetInfo

    I receive a Null value as answer

    Any idea?

    thanks



    Thursday, February 2, 2017 4:14 PM
  • The only way to lock out an account is to repeatedly use a bad password the number of times that is configured for lockout.

    -- Bill Stewart [Bill_Stewart]

    Thursday, February 2, 2017 5:56 PM
    Moderator
  • Hello

    ok thanks, so the script is complete now.

    kind regards

    Friday, February 3, 2017 2:49 PM
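
The answers in this thread combined into one routine, as an added example that is not code from any poster: bind with `OpenDSObject` and alternate credentials, write `IsAccountLocked = False`, and check `Err` after each step so a bad credential or a missing permission is reported instead of a false "unlocked" message. The function name `UnlockAccount`, the file name `unlock.vbs`, and reading the credentials from standard input instead of storing them in the script are assumptions of this example.

```vbscript
Option Explicit
Const ADS_SECURE_AUTHENTICATION = 1

' Unlocks the account at distinguishedName using alternate credentials.
' Returns True when the unlock was written, False on any failure.
Function UnlockAccount(distinguishedName, adminUser, adminPassword)
    Dim objNS, objUser
    UnlockAccount = False

    On Error Resume Next
    Set objNS = GetObject("LDAP:")
    Set objUser = objNS.OpenDSObject("LDAP://" & distinguishedName, _
        adminUser, adminPassword, ADS_SECURE_AUTHENTICATION)
    If Err.Number <> 0 Then
        WScript.Echo "Bind failed: 0x" & Hex(Err.Number) & " " & Err.Description
        Exit Function
    End If

    ' False is the only value that can be written; a lockout is produced
    ' by the domain's lockout policy, not by a script.
    objUser.IsAccountLocked = False
    objUser.SetInfo
    If Err.Number <> 0 Then
        WScript.Echo "Unlock failed: 0x" & Hex(Err.Number) & " " & Err.Description
        Exit Function
    End If
    On Error GoTo 0

    UnlockAccount = True
End Function

' Run with cscript.exe: the DN is an argument, credentials are typed in
' at run time (input is echoed) so no password is stored in the file.
Dim dn, user, pass
If WScript.Arguments.Count <> 1 Then
    WScript.Echo "Usage: cscript unlock.vbs ""<distinguished name>"""
    WScript.Quit 2
End If
dn = WScript.Arguments(0)
WScript.StdOut.Write "User name: "
user = WScript.StdIn.ReadLine
WScript.StdOut.Write "Password: "
pass = WScript.StdIn.ReadLine
If UnlockAccount(dn, user, pass) Then
    WScript.Echo dn & " unlocked"
Else
    WScript.Quit 1
End If
```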