Tuesday, December 9, 2014

add-QADGroupMember : Cannot resolve directory object for the given identity

A PowerShell script whose variables are built up as it runs hit an unexpected error:

$Group_DN = "CN=MyGroup1,OU=MyOU1,DC=hq,DC=contoso,DC=com"
add-QADGroupMember -identity $Group_DN -member hq\MyUser1

add-QADGroupMember : Cannot resolve directory object for the given identity:

When the same commands were typed into a separate PowerShell window they ran normally. My first idea was to add quotes, which only produced a new error:

add-QADGroupMember : Cannot bind parameter 'Identity'. Cannot convert the "" value of type

Then I noticed the following line in the error:

value of type "Microsoft.PowerShell.Commands.MatchInfo" to type "Quest.ActiveRoles.ArsPowerShellSnapIn.Data.IdentityParameter"

And I realised that the variable simply has to be converted to the expected type:

$Group_DN = "CN=MyGroup1,OU=MyOU1,DC=hq,DC=contoso,DC=com"
[string]$Group_DN2 = $Group_DN
add-QADGroupMember -identity $Group_DN2 -member hq\MyUser1
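The following is an added example, not code from the original post: it shows how a DN variable ends up as a MatchInfo (assuming it was produced by Select-String, which the post does not state), how to check the type before handing it to a Quest cmdlet, and two ways to get a plain string out of it. The group list is constructed sample data.

```powershell
# Added example (not from the original post). Assumes the DN variable was
# produced by Select-String; $groupList is constructed sample data.
$groupList = @(
    'CN=MyGroup1,OU=MyOU1,DC=hq,DC=contoso,DC=com',
    'CN=MyGroup2,OU=MyOU1,DC=hq,DC=contoso,DC=com'
)

# Picking the DN out of a list with Select-String yields a MatchInfo object,
# not a string, even though it prints exactly like the DN.
$Group_DN = $groupList | Select-String -Pattern 'CN=MyGroup1,' -SimpleMatch
$Group_DN.GetType().FullName      # shows the MatchInfo type from the error message

# Check the type before passing it to -Identity, which expects a string/DN.
if ($Group_DN -isnot [string]) {
    Write-Warning "Identity is a $($Group_DN.GetType().Name), converting to string"
}

# Fix 1 (the post's approach): an explicit cast. For pipeline input,
# MatchInfo.ToString() returns the matched line, so the cast yields the bare DN.
[string]$Group_DN2 = $Group_DN

# Fix 2: take the matched line directly; it is already a [string].
$Group_DN3 = $Group_DN.Line

# Both variables hold the same DN and bind to -Identity without error:
$Group_DN2 -eq $Group_DN3
# Add-QADGroupMember -Identity $Group_DN2 -Member 'hq\MyUser1'
```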

Monday, December 8, 2014

Self Service Password Reset Web Site

In a complex network with several trusted and untrusted forests, where users sign in with accounts from different forests, changing a password is a problem. The article http://www.kovanev.net/faq/vbs/164-vbs-3 describes a good script for resetting a password. My version is reworked from a WinNT provider query to an LDAP query so that subdomains are searched, and it adds the ability to work without authentication for users from untrusted forests.

On the Web server, do the following:
1. Create a folder, e.g. C:\ChangePass
2. In the folder create a file index.html with the following content (download index.html)

<html>
<head>
<title>Change User Password</title>
<!--BEGIN CALLOUT A-->
<HTA:APPLICATION
BORDER="thin"
BORDERSTYLE="sunken"
CAPTION="yes"
MAXIMIZEBUTTON="yes"
MINIMIZEBUTTON="yes"
SCROLL="no"
SHOWINTASKBAR="no"
SYSMENU="yes"
WINDOWSTATE="normal" />

<!--END CALLOUT A-->
<script language="javascript">
var sampleWidth = 300;
var sampleHeight = 420;
window.resizeTo(sampleWidth, sampleHeight);
// Centre the window on the screen. Use screen.width/height: the capitalised
// names are undefined and would make the position NaN.
var screenPosX = screen.width / 2 - sampleWidth / 2;
var screenPosY = screen.height / 2 - sampleHeight / 2;
window.moveTo(screenPosX, screenPosY);
</script>
</head>

<body>
    <form action="cp.asp" method="post">
        <!--BEGIN CALLOUT C-->
        <p><font size="3">Specify your username: </font></p><input type="text" name="T1" size="20">
        <!--END CALLOUT C-->
        <p><font size="3">Enter your current password: </font></p><input type="password" name="T2" size="20">
        <p><font size="3">Enter a new password: </font></p><input type="password" name="T3" size="20">
        <p><font size="3">Re-enter new password: </font></p><input type="password" name="T4" size="20">
        <!--BEGIN CALLOUT D-->
        <p><input type="Submit" value="Change password" name="B3" >
        <input type="button" value="Cancel" name="B6" onclick=self.close()></p>
        <!--END CALLOUT D-->
    </form>
</body>
</html>

3. Create a user for the impersonated authentication, add it to a "NULL" group (a group that has no rights anywhere) and remove it from Domain Users
4. In the folder create a file cp.asp with the following content (download cp.asp) and fill in the login, password and domain of that user

<%@ language="VBScript" %>
<%
' Impersonate the dedicated low-privilege account so that the LDAP search works
' for anonymous visitors, including users from untrusted forests.
Dim objLogon
Set objLogon = Server.CreateObject("LoginAdmin.ImpersonateUser")
objLogon.Logon "youruser", "yourpassword", "youruserdomain"

On Error Resume Next
Dim UserName, strDN, User
UserName = Request.Form("T1")

If UserName = "" Then
    Response.Write("Username can't be empty!")
    Response.End
End If

' The username is spliced into the LDAP query below, so only allow the characters
' your sAMAccountNames actually use; anything else could alter the filter.
Dim reValid
Set reValid = New RegExp
reValid.Pattern = "^[A-Za-z0-9._\-]{1,20}$"
If Not reValid.Test(UserName) Then
    Response.Write("ERROR. Invalid username.")
    Response.End
End If

Const ADS_SCOPE_SUBTREE = 2
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection
objCommand.Properties("Page Size") = 10000
' Subtree scope searches the whole domain tree, subdomains included.
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE

objCommand.CommandText = _
    "SELECT distinguishedName FROM 'LDAP://hq.contoso.com' WHERE objectCategory='user' " & _
    "AND samaccountname = '" & UserName & "'"
Set objRecordSet = objCommand.Execute

strDN = ""
Do Until objRecordSet.EOF
    strDN = objRecordSet.Fields("distinguishedName").Value
    objRecordSet.MoveNext
Loop

Set User = GetObject("LDAP://" & strDN)

objLogon.Logoff
Set objLogon = Nothing

Dim OldPassword, NewPassword, NewPassword2
OldPassword = Request.Form("T2")
NewPassword = Request.Form("T3")
NewPassword2 = Request.Form("T4")

If NewPassword <> NewPassword2 Then
    Response.Write("ERROR. New passwords do not match.")
    Response.End
End If

Err.Clear
User.ChangePassword OldPassword, NewPassword

' Err.Number is a Long: compare it with numbers, not strings, otherwise the
' comparison is never true and no message is shown.
Select Case Err.Number
    Case 0
        Response.Write("SUCCESS. New password has been saved.")
    Case -2147024810   ' &H80070056, ERROR_INVALID_PASSWORD
        Response.Write("ERROR. Wrong password!")
    Case -2147022651   ' &H800708C5, ERROR_PASSWORD_RESTRICTION
        Response.Write("ERROR. The new password does not meet the password policy (complexity, history or minimum age)!")
    Case Else
        Response.Write("ERROR. Password was not changed (" & Hex(Err.Number) & ").")
End Select
%>

5. Download LoginAdmin.dll, or build your own following the article "How to impersonate a user from Active Server Pages"
6. Register the DLL, e.g. regsvr32.exe C:\ChangePass\LoginAdmin.dll
7. In the IIS console create a website "ChangePass" pointing at the folder C:\ChangePass; configure the bindings, enable HTTPS (the form posts passwords in clear text otherwise) and enable anonymous authentication
8. When you open the page, you will see the password change form.
UPD: In some cases the application pool identity also has to be set to "youruser"
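Step 3 above (the impersonation account that belongs only to a "NULL" group and not to Domain Users) carried out with the ActiveDirectory module, as an added example that is not part of the original post. The account, group and OU names are placeholders; the only AD-specific point worth knowing is that the primary group must be changed before Domain Users can be removed.

```powershell
# Added example (not from the original post): create the least-privilege account
# that cp.asp impersonates. Requires the RSAT ActiveDirectory module.
# $svcName, $grpName and $ouPath are placeholders for your own names.
Import-Module ActiveDirectory

$svcName = 'svc-changepass'                                # the "youruser" of cp.asp
$grpName = 'ChangePass-Null'                               # the "NULL" group
$ouPath  = 'OU=ServiceAccounts,DC=hq,DC=contoso,DC=com'    # placeholder OU
$password = Read-Host -AsSecureString 'Password for the service account'

# 1. A purpose-built security group that is granted no rights anywhere.
$grp = Get-ADGroup -Filter "Name -eq '$grpName'" -ErrorAction SilentlyContinue
if (-not $grp) {
    $grp = New-ADGroup -Name $grpName -GroupScope Global -GroupCategory Security `
        -Path $ouPath -PassThru
}

# 2. The account itself; it only ever binds to LDAP from the web server.
$user = New-ADUser -Name $svcName -SamAccountName $svcName -Path $ouPath `
    -AccountPassword $password -Enabled $true -PasswordNeverExpires $true -PassThru
Add-ADGroupMember -Identity $grp -Members $user

# 3. Point the primary group at the new group (its RID is the last SID component);
#    only then will AD let the account leave Domain Users.
$rid = [int](($grp.SID.Value -split '-')[-1])
Set-ADUser -Identity $user -Replace @{ primaryGroupID = $rid }
Remove-ADGroupMember -Identity 'Domain Users' -Members $user -Confirm:$false

# 4. Verify: the account's primary group is the NULL group and it is in nothing else.
Get-ADUser -Identity $user -Properties MemberOf, PrimaryGroup |
    Select-Object SamAccountName, PrimaryGroup, MemberOf
```

The account still belongs to Authenticated Users at logon, which is all the read access the LDAP search in cp.asp needs.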