May 19 2011

Hi all,

I covered this in another post, but thought I would make it separate to make it easier to find.

The following code block lets you get the distinguished name of the username that is passed into this function.

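function GetDN(strUsername) {
    // NameTranslate exposes the IADsNameTranslate interface
    var objUserDN = new ActiveXObject("NameTranslate");
    objUserDN.Init(1,"< DOMAIN NAME HERE >"); // 1 = ADS_NAME_INITTYPE_DOMAIN
    objUserDN.Set(3,"< DOMAIN NAME HERE >\\"+strUsername); // 3 = ADS_NAME_TYPE_NT4
    var strUserDN = objUserDN.Get(1); // 1 = ADS_NAME_TYPE_1779
    return strUserDN;
}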

This code block does the following:

  1. Creates a new NameTranslate object and assigns it to objUserDN.
  2. Initialises NameTranslate with the Init method; the ‘1’ sets the type of bind used, which is Domain in this case.
  3. Sets the type of translation and the username to be translated with the Set method; the 3 specifies that the input username is in the NT format of “domain\User”.
  4. Gets the distinguished name with the Get method; the parameter of 1 specifies that it should return the RFC 1779 formatted name.
  5. Returns the distinguished name.

May 16 2011

Just realised that I haven’t had any posts about ADSI errors that you may encounter.
Here is a link to the common errors: Link

Most of the time, you will run up against these errors when you are querying users or groups that don’t exist, or when an attribute / property does not exist.
The script will tell you which line you went wrong on, but rarely gives you an idea of how to solve the issue. That page will give you a quick idea of how to resolve it.

May 15 2011

I have recently come across a situation where I need to determine whether an account is locked or not.
Conveniently, the IADsUser interface provides a property that is exactly what I need!
This little code block will return true or false depending on whether the account is locked or not, with true representing a locked account.

function IsUserLocked() {
    var objUser = GetObject("LDAP://cn=user,ou=users,dc=example,dc=com");
    // IADsUser.IsAccountLocked is true when the account is locked
    var boolUsrLocked = objUser.IsAccountLocked;
    return boolUsrLocked;
}

Apr 24 2011

Hi All,

I’ve been making a few scripts lately to modify a user using Javascript rather than VB.
I prefer working with Javascript as it suits my purpose a bit better as I can use variable size arrays to make it do what I want.

I start off with the Distinguished Name (DN) of the object, which can be obtained with:

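function GetDN(strUsername) {
    var rootdse = GetObject("LDAP://RootDSE"); // RootDSE bind (not used by the translation below)
    var objUserDN = new ActiveXObject("NameTranslate");

    objUserDN.Init(1,"DOMAIN NAME HERE"); // 1 = ADS_NAME_INITTYPE_DOMAIN
    objUserDN.Set(3,"DOMAIN NAME HERE\\"+strUsername); // 3 = ADS_NAME_TYPE_NT4
    var strUserDN = objUserDN.Get(1); // 1 = ADS_NAME_TYPE_1779
    return strUserDN;
}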

That code will get the DN of the user in question. Whether you integrate it into the script itself or use a function that is separate from the main script is up to you.
I have used a function in this case.

I have posted a way to obtain the Domain Name for this script here.

After you have obtained the DN of the user, you will now need to create an object for the user so we can manipulate the user’s details.

var objUser = GetObject("LDAP://"+strUserDN);

We can now access the properties of the user via the objUser object.
To see what the properties contain already, you can use this :

var strUserDesc = objUser.description;

To modify any properties, the Put method is used:

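// Put takes the LDAP attribute name; the IADsUser Profile property maps to profilePath
objUser.Put("description","This is the new description");
objUser.Put("profilePath","This is the new profile path");
objUser.SetInfo(); // writes the cached changes to the directory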

The SetInfo method is used to commit changes into AD.
Hopefully no errors will come up when you try to commit the changes, and you have successfully modified a user using Javascript!

All the properties can be found on the MSDN (reference 4).

References:
1. IADsNameTranslate Interface
3. ADS_NAME_TYPE_ENUM Enumeration
4. IADsUser Interface

Jan 04 2011

Quick snippet on how to query an AD user with Javascript.

Firstly, get the user object with:

var objUser = GetObject("LDAP://cn=username,ou=users,dc=example,dc=com");

With this object, you can query any attributes of the user.

var disabled = objUser.AccountDisabled; // True when the account is disabled
var firstname = objUser.givenname; // Returns the users first name.

A list of attributes can be found here.

Some of the more difficult attributes to query are “memberof” which displays the group memberships, and “lockouttime” which is how long they have been locked out for.

When querying memberof, it will return a VB Array, which Javascript won’t recognise unless you retrieve it with:

var memberof = VBArray(objUser.GetEx("memberof")).toArray();

With lockouttime the number is a 64-bit number, which requires a Highpart and Lowpart to access the whole number.
This code will get the lock out time:

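var lockouttime = objUser.lockouttime; // large integer exposed as signed 32-bit HighPart and LowPart
var lowpart = lockouttime.LowPart;
if (lowpart < 0) { lowpart += Math.pow(2,32); } // LowPart is signed; wrap a negative value to its unsigned form
var locktimeticks = lockouttime.HighPart * Math.pow(2,32) + lowpart; // time of the lockout, in 100-nanosecond intervals since 1601-01-01 UTC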
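The 64-bit reconstruction worked through in plain JavaScript that runs under Node.js, as an added example that is not part of the original post. The function names and the HighPart/LowPart sample values are constructed; lockoutTime is treated as a Windows FILETIME value (100-nanosecond intervals since 1601-01-01 UTC), with 0 meaning the account is not locked out.

```javascript
// Added example: decoding lockoutTime from its HighPart/LowPart halves.
// Function names and sample values are constructed for illustration.

// Milliseconds between the FILETIME epoch (1601-01-01 UTC) and the Unix epoch.
const FILETIME_TO_UNIX_MS = 11644473600000n;

// Combine the two signed 32-bit halves into one unsigned 64-bit tick count
// (100-nanosecond intervals since 1601-01-01 UTC).
function largeIntToTicks(highPart, lowPart) {
  const high = BigInt.asUintN(32, BigInt(highPart));
  const low = BigInt.asUintN(32, BigInt(lowPart)); // negative LowPart wraps to its unsigned value
  return (high << 32n) | low;
}

// Lockout instant as a Date, or null when lockoutTime is 0 (account not locked out).
function lockoutDate(highPart, lowPart) {
  const ticks = largeIntToTicks(highPart, lowPart);
  if (ticks === 0n) return null;
  return new Date(Number(ticks / 10000n - FILETIME_TO_UNIX_MS));
}

// Math.abs() applied to each half, shown only to measure how far it drifts.
function absCombineTicks(highPart, lowPart) {
  return BigInt(Math.abs(highPart)) * 2n ** 32n + BigInt(Math.abs(lowPart));
}

// Error of the abs-based value in seconds (0 when LowPart is non-negative).
function absErrorSeconds(highPart, lowPart) {
  const diff = largeIntToTicks(highPart, lowPart) - absCombineTicks(highPart, lowPart);
  return Number(diff) / 1e7;
}

// Constructed samples: [HighPart, LowPart] as a script would read them.
const samples = [
  [30151315, 143605760],   // LowPart positive
  [30151315, -2003877888], // LowPart has its top bit set, so it reads negative
  [0, 0],                  // never locked out, or lockout cleared
];
for (const [high, low] of samples) {
  const when = lockoutDate(high, low);
  console.log(high, low, when ? when.toISOString() : "not locked",
              "abs error (s):", absErrorSeconds(high, low));
}
```

BigInt is used because a FILETIME tick count is larger than the 2^53 range in which a JavaScript number holds integers exactly.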

More garbage from me later!