in reply to NET::LDAP disable AD user

I've never used that module, but I've got a few ideas. Hopefully I'm not too off base with them.

Here's my guess on what may be happening. In your code, you're trying to delete the userAccountControl attribute and then add it back in with a value. Active Directory is probably considering this to be a required and/or protected attribute and is throwing an error when you try to delete it.

After taking a quick peek at the Net::LDAP module's documentation, I'd recommend trying to use 'replace' method instead of the 'delete' and 'add' combo. In other words, something like:

my $res = $ldap->modify( $distinguishedName, replace => { userAccountControl => "514" } );

I'm not guaranteeing that this will for sure work, but it seems to make sense in my mind at least.

Replies are listed 'Best First'.
Re^2: NET::LDAP disable AD user
by OldManYoss (Initiate) on Sep 28, 2010 at 12:27 UTC
    Hi, thanks for the reply but I am getting the same error when trying to use the replace function.

      I've got one last idea. Are you sure that you're passing the value in the correct format? Since you've got the 514 inside quotes, that would cause Perl to treat it as a string. Also, I'm guessing from the link you provided that Active Directory may be dealing with hexadecimal numbers. If you provide it with 514 and it treats that as a hexadecimal value, it could be interpreting your request as saying that you want to set the account to be a "NORMAL_ACCOUNT" and a "TEMP_DUPLICATE_ACCOUNT" at the same time.

      Again, not saying that this is the reason behind the errors, but it might be worth a shot to try dropping the double-quotes around the 514 to see what happens.

      I also wonder if either of the two systems might have recorded more information in the system event-log... It might be worth a looky.

        Hi, Thanks for the suggestions, but I have been unable to get this to work. It's not a massive problem for me in this instance as I am moving all accounts into a new OU so I can select them all and disable them manually.
Re^2: NET::LDAP disable AD user
by Anonymous Monk on Mar 22, 2013 at 09:16 UTC
    my $res = $ldap->modify ( $aduser, replace => { 'userAccountControl'=>514 } );
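Pulling the thread together, here is an added example (not code from any of the posters above) that disables an account with the `replace` operation suggested in the first reply, but first reads the account's existing userAccountControl so that only the ACCOUNTDISABLE bit is set, rather than overwriting every other flag with 514. The host, bind DN, CA file and target DN are placeholders. Two points the example illustrates: 514 is a decimal value on the wire, 0x200 (NORMAL_ACCOUNT) plus 0x2 (ACCOUNTDISABLE), and Net::LDAP sends the attribute value as a string whether or not you quote it in Perl, so the useful diagnostic when a modify is rejected is the result code and error text on the response object, not the spelling of the number.

```perl
#!/usr/bin/env perl
# Added example (not from the thread): disable or re-enable an AD account
# with Net::LDAP by a read-modify-write of userAccountControl.
# Host, bind DN, CA file and target DN below are placeholders.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Constant qw(LDAP_SUCCESS);

# userAccountControl is a bit field that AD stores and returns as a decimal
# string: 514 == NORMAL_ACCOUNT (0x200) | ACCOUNTDISABLE (0x2).
use constant ACCOUNTDISABLE => 0x0002;
use constant NORMAL_ACCOUNT => 0x0200;

# Pure bit helpers, usable without a directory connection.
sub disabled_value { my ($uac) = @_; return $uac | ACCOUNTDISABLE; }
sub enabled_value  { my ($uac) = @_; return $uac & ~ACCOUNTDISABLE; }
sub is_disabled    { my ($uac) = @_; return ($uac & ACCOUNTDISABLE) ? 1 : 0; }

# Read the current flags, flip only the disable bit, and write back with
# 'replace'. Overwriting with a literal 514 would silently drop any other
# flags the account carries (e.g. DONT_EXPIRE_PASSWORD).
sub set_account_disabled {
    my ($ldap, $dn, $disable) = @_;

    my $search = $ldap->search(
        base   => $dn,
        scope  => 'base',
        filter => '(objectClass=user)',
        attrs  => ['userAccountControl'],
    );
    die "search failed: " . $search->error if $search->code != LDAP_SUCCESS;
    my $entry = $search->entry(0) or die "no entry found for $dn";

    my $current = $entry->get_value('userAccountControl') // NORMAL_ACCOUNT;
    my $new = $disable ? disabled_value($current) : enabled_value($current);
    return $current if $new == $current;    # already in the requested state

    # 'replace' is the operation to use here; delete followed by add on a
    # mandatory attribute is rejected. The value goes out as a string.
    my $res = $ldap->modify($dn, replace => { userAccountControl => "$new" });

    # On failure, report the LDAP result code and the server's diagnostic
    # text; AD's message usually includes the Windows error and the name of
    # the attribute it objected to, which is the detail the thread lacked.
    die sprintf("modify failed (code %d): %s", $res->code, $res->error)
        if $res->code != LDAP_SUCCESS;
    return $new;
}

# Usage sketch (placeholder host, bind DN and target DN; LDAPS with CA
# verification so the service-account password is not sent in the clear):
# my $ldap = Net::LDAP->new('ldaps://dc01.example.com',
#                           verify => 'require', cafile => '/etc/ssl/ad-ca.pem')
#     or die "connect failed: $@";
# my $bind = $ldap->bind('CN=svc-ldap,OU=Service Accounts,DC=example,DC=com',
#                        password => $ENV{LDAP_PASSWORD});
# die "bind failed: " . $bind->error if $bind->code != LDAP_SUCCESS;
# my $uac = set_account_disabled($ldap,
#               'CN=Joe Bloggs,OU=Leavers,DC=example,DC=com', 1);
# print "userAccountControl is now $uac, disabled=", is_disabled($uac), "\n";
# $ldap->unbind;
```

If the modify still fails after switching to `replace`, the value of `$res->error` is what to look at next: an access-denied result means the bind account lacks write permission on userAccountControl for that OU, and a constraint or unwilling-to-perform result usually points at the attribute value or at a protected account.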