in reply to Re^2: perl module for AD administration
in thread perl module for AD administration

If I can access ntSecurityDescriptor, that would be great. However:
    use Net::LDAP;

    my $ldap_session = Net::LDAP->new($ldaphost)
        or die "error connecting to LDAP $ldaphost: $@\n";
    # bind() and search() return a message object even on failure,
    # so check its result code instead of relying on "or die"
    my $mesg = $ldap_session->bind($ldapuser, password => $ldappassword);
    $mesg->code and die "error binding: " . $mesg->error . "\n";
    my $temp = $ldap_session->search(
        base   => $base,
        filter => "(distinguishedName=$user)",
        attrs  => [ '*' ],
    );
    $temp->code and die "error searching tree: " . $temp->error . "\n";
    my $tempuser = $temp->entry(0);
    $data->{securityflag} = $tempuser->get_value('nTSecurityDescriptor')
        ? $tempuser->get_value('nTSecurityDescriptor')
        : 'none';
    my @attributes = $tempuser->attributes;
    $data->{values} = '';
    foreach (@attributes) {
        $data->{values} = $data->{values} . '<br>' . $_ . '=' . $tempuser->get_value($_);
    }
$data->{securityflag} displays 'none' and nowhere in $data->{values} shows nTSecurityDescriptor. I am seeing a few Exchange fields, but I haven't played with them enough to know if they actually edit Exchange or simply reference Exchange settings. However, I don't see anything that looks related to Communicator. Here are the fields returned:
objectClass cn sn c l st title postalCode physicalDeliveryOfficeName telephoneNumber facsimileTelephoneNumber userCertificate givenName initials distinguishedName instanceType whenCreated whenChanged displayName uSNCreated info memberOf uSNChanged co department company proxyAddresses streetAddress displayNamePrintable name objectGUID userAccountControl badPwdCount codePage countryCode homeDirectory homeDrive badPasswordTime lastLogoff lastLogon logonHours pwdLastSet primaryGroupID userParameters objectSid adminCount accountExpires logonCount sAMAccountName sAMAccountType showInAddressBook legacyExchangeDN userPrincipalName lockoutTime objectCategory msNPAllowDialin dSCorePropagationData lastLogonTimestamp mail manager mobile pager msRTCSIP-PrimaryUserAddress ciscoEcsbuTransferId msExchRecordedName mailNickname publicDelegatesBL ciscoEcsbuAmisDisableOutbound msRTCSIP-UserEnabled msExchPoliciesIncluded ciscoEcsbuUMLocationObjectId msRTCSIP-ArchivingEnabled msExchRecipientDisplayType mDBUseDefaults ciscoEcsbuDtmfId msRTCSIP-PrimaryHomeServer ciscoEcsbuObjectType ciscoEcsbuListInUMDirectory msExchMailboxGuid msExchUserCulture msExchMailboxSecurityDescriptor msExchUserAccountControl msRTCSIP-OptionFlags msExchRecipientTypeDetails msExchVersion msExchMobileMailboxFlags homeMTA homeMDB msExchHomeServerName ciscoEcsbuUnityAttributes
(values not displayed for security reasons)

Re^4: perl module for AD administration
by NetWallah (Canon) on Jul 16, 2010 at 05:36 UTC
    The ntSecurityDescriptor is a complex attribute, and I have not had a chance to play with it.

    Leads from the internet indicate that you need to do something like this (VB):

        Const SE_DACL_PROTECTED = &H1000
        Dim objUser, objNtSecurityDescriptor, intNtSecurityDescriptorControl
        Set objUser = GetObject("LDAP://cn=TestUser,dc=MyDomain,dc=com")
        Wscript.Echo "User: " & objUser.sAMAccountName
        Set objNtSecurityDescriptor = objUser.Get("ntSecurityDescriptor")
        intNtSecurityDescriptorControl = objNtSecurityDescriptor.Control
        If (intNtSecurityDescriptorControl And SE_DACL_PROTECTED) Then
            Wscript.Echo "Allow inheritable permissions check box disabled"
        Else
            Wscript.Echo "Allow inheritable permissions check box enabled"
        End If

    Here are some links for your perusal:
    http://www.servernewsgroups.net/group/microsoft.public.windows.server.scripting/topic10521.aspx
    http://ldap.perl.org/FAQ.html See section titled "How do I create a Microsoft Exchange user."
    http://msdn.microsoft.com/en-us/magazine/cc188700.aspx

         Syntactic sugar causes cancer of the semicolon.        --Alan Perlis
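
Added example, not part of either post above: a Perl counterpart to the VB check, decoding the binary self-relative security descriptor that an nTSecurityDescriptor value contains and testing the same SE_DACL_PROTECTED bit. The sample blob is constructed for illustration, and the sub names `parse_sd` and `sid_to_string` are hypothetical.

```perl
# Added example: decode the header of a self-relative security descriptor.
# Over LDAP the attribute has to be requested by name; accounts that cannot read the SACL
# typically also need the LDAP_SERVER_SD_FLAGS control (OID 1.2.840.113556.1.4.801).
use strict;
use warnings;

use constant {
    SE_DACL_PRESENT   => 0x0004,
    SE_DACL_PROTECTED => 0x1000,    # same bit the VB snippet tests
    SE_SELF_RELATIVE  => 0x8000,
};

# Convert a binary SID (revision, count, 48-bit authority, sub-authorities) to S-1-... form.
sub sid_to_string {
    my ($bin) = @_;
    die "SID too short\n" if length($bin) < 8;
    my ($rev, $count, $auth_hi, $auth_lo) = unpack 'C C n N', $bin;
    die "SID truncated\n" if length($bin) < 8 + 4 * $count;
    my @sub = unpack "x8 V$count", $bin;
    return join '-', 'S', $rev, $auth_hi * 4294967296 + $auth_lo, @sub;
}

# Parse the 20-byte header: revision, padding, control flags, then four offsets.
sub parse_sd {
    my ($sd) = @_;
    die "descriptor too short\n" if length($sd) < 20;
    my ($rev, undef, $control, $off_owner, $off_group, $off_sacl, $off_dacl)
        = unpack 'C C v V V V V', $sd;
    die "not self-relative\n" unless $control & SE_SELF_RELATIVE;
    die "owner offset out of range\n" if $off_owner >= length($sd);
    return {
        revision       => $rev,
        control        => $control,
        dacl_present   => ($control & SE_DACL_PRESENT)   ? 1 : 0,
        dacl_protected => ($control & SE_DACL_PROTECTED) ? 1 : 0,
        owner => $off_owner ? sid_to_string(substr($sd, $off_owner)) : undef,
    };
}

# Constructed sample: owner S-1-5-32-544, empty DACL, inheritance blocked.
my $sample = pack('C C v V V V V', 1, 0, 0x9004, 20, 0, 0, 36)
           . pack('C C n N V2', 1, 2, 0, 5, 32, 544)
           . pack('C C v v v', 2, 0, 8, 0, 0);

my $info = parse_sd($sample);
printf "control=0x%04X owner=%s inheritance %s\n",
    $info->{control}, $info->{owner},
    $info->{dacl_protected} ? 'blocked' : 'enabled';
```

With a live directory, the value passed to `parse_sd` would be the raw bytes returned by `get_value('nTSecurityDescriptor')`.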