
‎12-14-2016 10:50 PM - last edited on ‎04-01-2024 04:41 PM by Mercedes_O
I don't know for sure that this is due to the latest upgrade, but my custom actions that use the {cn} parameter no longer work. If I take a VBS and insert the argument that the {cn} parameter used to insert, then the script works.
So, if I use this (what it has been for years), the script fails:
{actionpath}AcctStat.vbs "{cn}"
But if I use this, the script works:
{actionpath}AcctStat.vbs "CN=Doe\, John,OU=US Users,DC=domain,DC=local"
Is there something that has changed the {cn} parameter, or is there anything else I can look at to troubleshoot this? I have several such actions that no longer work.
Thanks!
Labels: API & Integrations

‎01-23-2019 03:24 PM
'Errors are suppressed and checked inline via Err below
On Error Resume Next
'Expects exactly one argument: the user's distinguished name (the {cn} value)
If WScript.Arguments.Count = 1 Then
    'Gather user information
    struser = WScript.Arguments(0)
    Set objUser = GetObject("LDAP://" & struser)
    Const ADS_UF_DONT_EXPIRE_PASSWD = &h10000
    Const ADS_ACETYPE_ACCESS_DENIED_OBJECT = &H6
    Const CHANGE_PASSWORD_GUID = "{ab721a53-1e2f-11d0-9819-00aa0040529b}"
    Set objSD = objUser.Get("nTSecurityDescriptor")
    Set objDACL = objSD.DiscretionaryAcl
    intCurrentValue = objUser.Get("userAccountControl")
    strSAMAccountName = objUser.Get("sAMAccountName")
    strCN = objUser.Get("cn")
    strGN = objUser.Get("givenName")
    'If no givenName
    If Hex(Err)="8000500D" Then
        strGN = " "
    End If
    'Clear any previous errors
    Err.Clear
    strSN = objUser.Get("sn")
    'If no sn
    If Hex(Err)="8000500D" Then
        strSN = " "
    End If
    'Clear any previous errors
    Err.Clear
    Set objNet = CreateObject("WScript.NetWork")
    dtmValue = objUser.PasswordLastChanged
    intTimeInterval = Int(Now - dtmValue)
    'Domain password policy (values are in seconds, converted to days)
    Set objDomainNT = GetObject("WinNT://" & objNet.UserDomain)
    intMaxPwdAge = objDomainNT.Get("MaxPasswordAge")/86400
    intMinPwdAge = objDomainNT.Get("MinPasswordAge")/86400
    'A deny ACE on the Change Password right means the user cannot change the password
    For Each Ace In objDACL
        If ((Ace.AceType = ADS_ACETYPE_ACCESS_DENIED_OBJECT) And _
            (LCase(Ace.ObjectType) = CHANGE_PASSWORD_GUID)) Then
            blnEnabled = True
        End If
    Next
    'Clear strMsg
    strMsg = ""
    'Errors, such as due to No Password Set Date
    If Err.Number <> 0 Then
        'Compare numerically (-2147463155 is 0x8000500D), not against a string
        If Err.Number = -2147463155 Then
            strMsg = strMsg & "An error has occurred while trying to retrieve the date of the last password change. This is most likely because " & strGN & " " & strSN & "'s account is set to force a password change on next logon. Until " & strGN & " " & strSN & " changes his/her password, this may not display all of the requested information. " & VbCrLf & VbCrLf
        Else
            strMsg = strMsg & "An error (number: " & Err.Number & ") has occurred. This may not display all of the requested information." & VbCrLf & VbCrLf
        End If
    End If
    'Account Disabled?
    If objUser.AccountDisabled = True Then
        MsgBox strGN & " " & strSN & "'s account is Disabled! ***",0,strCN & " (" & strSAMAccountName & ")"
    Else
        'Account Locked?
        If objUser.IsAccountLocked = True Then
            strMsg = strMsg & strGN & " " & strSN & "'s account status:" & VbCrLf & _
                VBTab & VBTab & VBTab & VBTab & "Enabled" & VbCrLf & _
                VBTab & VBTab & VBTab & VBTab & "Locked! ***" & VbCrLf
        Else
            strMsg = strMsg & strGN & " " & strSN & "'s account status:" & VbCrLf & _
                VBTab & VBTab & VBTab & VBTab & "Enabled" & VbCrLf & _
                VBTab & VBTab & VBTab & VBTab & "Not Locked" & VbCrLf
        End If
        'Password Expires?
        If intCurrentValue And ADS_UF_DONT_EXPIRE_PASSWD Then
            strMsg = strMsg & VBTab & VBTab & VBTab & VBTab & "Password Never Expires" & VbCrLf & VbCrLf & VbCrLf & _
                "The Password Never Expires for " & strGN & "'s account due to account settings." & VbCrLf & _
                " Password Changed: " & dtmValue & VBTab & Int(Now - dtmValue) & " days ago" & VbCrLf & VbCrLf
        Else
            If intMaxPwdAge < 0 Then
                strMsg = strMsg & VbCrLf & "The Maximum Password Age is set to 0 in the domain. Therefore, the password does not expire." & VbCrLf & VbCrLf
            Else
                'Password Expired already?
                If intTimeInterval >= intMaxPwdAge Then
                    strMsg = strMsg & VBTab & VBTab & VBTab & VBTab & "Password Expired! ***" & VbCrLf & VbCrLf & VbCrLf & _
                        strGN & "'s Password information:" & VbCrLf & _
                        " Last Changed:" & VBTab & dtmValue & VBTab & VBTab & Int(Now - dtmValue) & " days ago" & VbCrLf & _
                        " Expiration:" & VBTab & dtmValue + intMaxPwdAge & VBTab & VBTab & Int(Now - (dtmValue + intMaxPwdAge)) & " days ago" & VbCrLf & _
                        " (Maximum password age is " & intMaxPwdAge & " days)" & VbCrLf & VbCrLf
                Else
                    strMsg = strMsg & VBTab & VBTab & VBTab & VBTab & "Password Not Expired" & VbCrLf & VbCrLf & VbCrLf & _
                        strGN & "'s Password information:" & VbCrLf & _
                        " Last Changed:" & VBTab & dtmValue & VBTab & VBTab & Int(Now - dtmValue) & " days ago" & VbCrLf & _
                        " Expiration:" & VBTab & dtmValue + intMaxPwdAge & VBTab & VBTab & "in " & Int((dtmValue + intMaxPwdAge) - Now + 1) & " days" & VbCrLf & _
                        " (Maximum password age is " & intMaxPwdAge & " days)" & VbCrLf & VbCrLf
                End If
            End If
        End If
        'User can Change the Password?
        If blnEnabled Then
            strMsg = strMsg & strGN & " cannot change the password due to account settings."
        Else
            If intMaxPwdAge < 0 Then
                strMsg = strMsg & strGN & " can change the password."
            Else
                If intTimeInterval >= intMaxPwdAge Then
                    strMsg = strMsg & strGN & " can change the password only while on site with a domain computer."
                Else
                    If intTimeInterval >= intMinPwdAge Then
                        strMsg = strMsg & strGN & " can change the password."
                    Else
                        strMsg = strMsg & strGN & " can change the password after " & DateValue(dtmValue) + intMinPwdAge & "." & VbCrLf & _
                            " (Minimum password age is " & intMinPwdAge & " days)"
                    End If
                End If
            End If
        End If
        'Display the Info
        MsgBox strMsg,0,strCN & " (" & strSAMAccountName & ")"
    End If
Else
    WScript.Echo "Error"
End If
'Release object references
Set objNet = Nothing
Set objUser = Nothing
Set objSD = Nothing
Set objDACL = Nothing
Set objUserLDAP = Nothing
Set objDomainNT = Nothing

‎01-23-2019 03:04 PM
Can you please share your acctstat.vbs with me? I found 2 samples on this site and neither is working on my local computer. I wanted to add this custom action because it will help us immensely. Thanks

‎12-20-2016 03:10 PM

‎12-20-2016 03:38 PM
lunja wrote:
Can you provide a solution for this issue, since we also experience the same problem.
Hi lunja. The solution comes from an update (version 6049) that you can get by emailing support@lansweeper.com.
Sorry, I should have included that in my last comment.

‎12-19-2016 09:07 PM

‎12-19-2016 06:42 PM
Please contact support@lansweeper.com for a fix for this issue.

‎12-16-2016 09:54 PM
I created an action to echo what {cn} is returning:
cmd /k Echo "{cn}"
When I run that, it comes back with this result:
"CN=Doe^\, John,OU=US Users,DC=send,DC=local"
By using double quotes around {cn}, it inserts the caret after the last name, so the script fails as it can't find such a user.
When I run the same thing without the double quotes:
cmd /k Echo {cn}
it comes back with this result:
CN=Doe\, John,OU=US Users,DC=send,DC=local
The return is correct, but since there are spaces in the result, the double quotes are necessary, so the script still fails.
If anyone has any input on this, I'd be very interested in hearing it. I have several custom actions that use that {cn} variable and it's a pain to have to go to old methods to get the information.
Thanks.
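
Added example, not part of the thread and not Lansweeper code: a simplified Python model of cmd.exe caret handling and argument splitting that reproduces both echo results above and shows why neither form hands the script one valid DN. It assumes the {cn} substitution emits a caret before the backslash (as the quoted echo output suggests) and that the action line follows cmd.exe escape rules; the function and constant names are hypothetical.

```python
# Simplified model of two stages a custom-action command line passes through.
# Assumption: the {cn} substitution emits a caret before the backslash, as the
# echo test in the thread suggests. The DN is the thread's own sample value.

def cmd_caret_pass(line: str) -> str:
    """cmd.exe escape handling: '^' escapes the next character outside
    double quotes and is an ordinary character inside them."""
    out, in_quotes, i = [], False, 0
    while i < len(line):
        ch = line[i]
        if ch == '"':
            in_quotes = not in_quotes
            out.append(ch)
        elif ch == "^" and not in_quotes:
            i += 1                      # drop the caret...
            if i < len(line):
                out.append(line[i])     # ...and keep the next char literally
        else:
            out.append(ch)
        i += 1
    return "".join(out)


def split_args(line: str) -> list[str]:
    """Whitespace splitting with double-quote grouping (no backslash-quote
    rules; enough for this DN, which contains no embedded quotes)."""
    args, cur, in_quotes, started = [], [], False, False
    for ch in line:
        if ch == '"':
            in_quotes, started = not in_quotes, True
        elif ch.isspace() and not in_quotes:
            if started:
                args.append("".join(cur))
            cur, started = [], False
        else:
            cur.append(ch)
            started = True
    if started:
        args.append("".join(cur))
    return args


SUBSTITUTED = r"CN=Doe^\, John,OU=US Users,DC=send,DC=local"  # assumed expansion
GOOD_DN = r"CN=Doe\, John,OU=US Users,DC=send,DC=local"

def script_args(template: str) -> list[str]:
    """Arguments the script would receive for a template containing {cn}."""
    return split_args(cmd_caret_pass(template.replace("{cn}", SUBSTITUTED)))
```

With `"{cn}"` the script gets one argument that still contains the caret, so the LDAP bind targets a DN that does not exist; with bare `{cn}` the caret is consumed but the DN splits on its spaces, so the `WScript.Arguments.Count = 1` check in the script fails.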
