OldManYoss has asked for the wisdom of the Perl Monks concerning the following question:

Hi, I need some help disabling Active Directory users with NET::LDAP. I am able to connect to the User and modify/add other values.

Looking here, http://support.microsoft.com/kb/305144, it says that the userAccountControl flag for disabled is 2, but if I look in ADSI Edit it seems that disabled accounts have userAccountControl set to 514. I can't seem to set either of those values in my script.

Here is a bit of my code

    $res = $ldap->modify ($distinguishedName,
        # delete and re-add the userAccountControl
        # this will disable the account
        delete => { userAccountControl => [] },
        add    => { userAccountControl => "514" }
    );
    # if there is an error stop and let us know
    if ( $res->code() ) {
        die ("error: ",      $res->code(),       "\n",
             "error name: ", $res->error_name(), "\n",
             "error text: ", $res->error_text(), "\n");
    }

The error I receive from the above code is:

    error: 53
    error name: LDAP_UNWILLING_TO_PERFORM
    error text: The server is unwilling to perform the requested operation

I guess the way I am trying to modify the userAccountControl attribute is not supported but I am not sure how to go about changing it.
I can change the value in ADSI edit and it enables/disables accounts ok but maybe it is hiding the actual process.
Any help is appreciated.

Re: NET::LDAP disable AD user
by dasgar (Priest) on Sep 28, 2010 at 11:26 UTC

    I've never used that module, but I've got a few ideas. Hopefully I'm not too off base with them.

    Here's my guess on what may be happening. In your code, you're trying to delete the userAccountControl attribute and then add it back in with a value. Active Directory is probably considering this to be a required and/or protected attribute and is throwing an error when you try to delete it.

    After taking a quick peek at the Net::LDAP module's documentation, I'd recommend trying to use 'replace' method instead of the 'delete' and 'add' combo. In other words, something like:

    $res = $ldap->modify ($distinguishedName, replace => { userAccountControl => "514" } );

    I'm not guaranteeing that this will for sure work, but it seems to make sense in my mind at least.

      Hi, thanks for the reply but I am getting the same error when trying to use the replace function.

        I've got one last idea. Are you sure that you're passing the value in the correct format? Since you've got the 514 inside of quotes, that would cause Perl to treat it as a string. Also, I'm guessing that from the link you provided that Active Directory may be dealing with hexadecimal numbers. If you provide it with 514 and it treats that as a hexadecimal value, it could be interpreting your request as saying that you want to set the account to be a "NORMAL_ACCOUNT" and a "TEMP_DUPLICATE_ACCOUNT" at the same time.

        Again, not saying that this is the reason behind the errors, but it might be worth a shot to try dropping the double-quotes around the 514 to see what happens.

        I also wonder if either of the two systems might have recorded more information in the system event log... It might be worth a looky.

      my $res = $ldap->modify ( $aduser, replace => { 'userAccountControl'=>514 } );
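The replies converge on two points: use `replace` rather than delete-and-add, and treat userAccountControl as a bit field (514 is 0x200 NORMAL_ACCOUNT plus 0x002 ACCOUNTDISABLE, which is why ADSI Edit shows 514 rather than 2). The script below is an added example that is not code from the thread: it reads the account's current flags, sets only the ACCOUNTDISABLE bit, and writes the result back with `replace`, so any other flags already on the account are preserved. The host name, bind DN, user DN and the `LDAP_PASSWORD` environment variable are placeholders you would substitute for your own environment.

```perl
#!/usr/bin/perl
# Added example (not from the thread): disable an Active Directory account by
# setting the ACCOUNTDISABLE bit of userAccountControl without touching the
# other bits.
use strict;
use warnings;
use Net::LDAP;

# Bit values from the userAccountControl table in KB 305144.
use constant ACCOUNTDISABLE => 0x0002;
use constant NORMAL_ACCOUNT => 0x0200;   # 0x200 | 0x002 == 514, as seen in ADSI Edit

# Placeholders: replace with your own domain controller, service account and target.
my $dc_host   = 'dc01.example.com';
my $bind_dn   = 'CN=svc-idm,OU=Service Accounts,DC=example,DC=com';
my $bind_pass = $ENV{LDAP_PASSWORD} // die "set LDAP_PASSWORD in the environment\n";
my $user_dn   = 'CN=jdoe,OU=Users,DC=example,DC=com';

# Compute the new flag word. Returns undef when no change is needed, so a
# caller can skip the write (and the resulting AD directory change event).
sub disabled_flags {
    my ($uac) = @_;
    my $new = $uac | ACCOUNTDISABLE;      # set the bit, keep everything else
    return $new == $uac ? undef : $new;
}

# To re-enable an account instead, clear the bit: $uac & ~ACCOUNTDISABLE.

my $ldap = Net::LDAP->new($dc_host, scheme => 'ldaps', version => 3)
    or die "cannot connect to $dc_host: $@";
my $mesg = $ldap->bind($bind_dn, password => $bind_pass);
die 'bind failed: ' . $mesg->error . "\n" if $mesg->code;

# Read the current value first; a hard-coded 514 would silently clear flags
# such as DONT_EXPIRE_PASSWORD (0x10000) if the account had them set.
$mesg = $ldap->search(
    base   => $user_dn,
    scope  => 'base',
    filter => '(objectClass=user)',
    attrs  => ['userAccountControl'],
);
die 'search failed: ' . $mesg->error . "\n" if $mesg->code;
my $entry = $mesg->entry(0) or die "no entry found for $user_dn\n";
my $uac   = $entry->get_value('userAccountControl') // NORMAL_ACCOUNT;

printf "current userAccountControl: %d (0x%x)\n", $uac, $uac;

my $new_uac = disabled_flags($uac);
if (defined $new_uac) {
    # Net::LDAP sends the value as an LDAP string either way; the integer is
    # used here simply so the bit arithmetic above stays readable.
    $mesg = $ldap->modify($user_dn, replace => { userAccountControl => $new_uac });
    if ($mesg->code) {
        die sprintf "modify failed: %d %s: %s\n",
            $mesg->code, $mesg->error_name, $mesg->error_text;
    }
    printf "userAccountControl set to %d (0x%x); account disabled\n", $new_uac, $new_uac;
}
else {
    print "account is already disabled; nothing changed\n";
}

$ldap->unbind;
```

The read-modify-write shape matters more than the specific number: an account that carries extra flags (password never expires, smart card required, and so on) keeps them when you OR in the disable bit, whereas writing a literal 514 resets it to a plain, disabled, normal account. Binding over ldaps and running the search before the modify also means the script fails early, with a clear message, if the service account cannot see or is not permitted to write the target object.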