Since going to 6048 Custom Actions using {cn} No Longer Work

Jono · ‎12-14-2016

I don't know for sure that this is due to the latest upgrade, but my custom actions that use the {cn} parameter no longer work. If I take a VBS and insert the argument that the {cn} parameter used to insert, then the script works.

So, if I use this (what it has been for years), the script fails:

{actionpath}AcctStat.vbs "{cn}"

But if I use this, the script works:

{actionpath}AcctStat.vbs "CN=Doe\, John,OU=US Users,DC=domain,DC=local"

Is there something that has changed the {cn} parameter, or is there anything else I can look at to troubleshoot this? I have several such actions that no longer work.

Thanks!

Jono · ‎01-23-2019

Sure. I hope this works well for you.

On Error Resume Next
If WScript.Arguments.Count = 1 Then

	'Gather user information
	struser = WScript.Arguments(0)
	Set objUser = GetObject("LDAP://" & struser)
	Const ADS_UF_DONT_EXPIRE_PASSWD = &h10000
	Const ADS_ACETYPE_ACCESS_DENIED_OBJECT = &H6
	Const CHANGE_PASSWORD_GUID  = "{ab721a53-1e2f-11d0-9819-00aa0040529b}"
	Set objSD = objUser.Get("nTSecurityDescriptor")
	Set objDACL = objSD.DiscretionaryAcl
	intCurrentValue = objUser.Get("userAccountControl")
	strSAMAccountName = objUser.Get("sAMAccountName")
	strCN = objUser.Get("cn")
	strGN = objUser.Get("givenName")
		
		'If no givenName
		If Hex(Err)="8000500D" Then
			strGN = " "
		End If
	  'Clear any previous errors
	    Err.Clear
	strSN = objUser.Get("sn")
		
		'If no sn
		If Hex(Err)="8000500D" Then
			strSN = " "
		End If
	  'Clear any previous errors
	    Err.Clear
	Set objNet = CreateObject("WScript.NetWork")
	dtmValue = objUser.PasswordLastChanged 
	intTimeInterval = int(now - dtmValue)
	Set objDomainNT = GetObject("WinNT://" & objNet.UserDomain)
	intMaxPwdAge = objDomainNT.Get("MaxPasswordAge")/86400
	intMinPwdAge = objDomainNT.Get("MinPasswordAge")/86400
	
	For Each Ace In objDACL
		If ((Ace.AceType = ADS_ACETYPE_ACCESS_DENIED_OBJECT) And _
			(LCase(Ace.ObjectType) = CHANGE_PASSWORD_GUID)) Then
		blnEnabled = True
		End If
	Next


'Clear strMsg

	strMsg = ""


'Errors, such as due to No Password Set Date

If Err.Number <> 0 then
	If Err.Number = "-2147463155" then
		strMsg = strMsg & "An error has occurred while trying to retrieve the date of the last password change.  This is most likely because " & strGN & " " & strSN & "'s account is set to force a password change on next logon.  Until " & strGN & " " & strSN & " changes his/her password, this may not display all of the requested information. " & VbCrLf & VbCrLf
	else
		strMsg = strMsg & "An error (number: " & Err.Number & ") has occurred.  This may not display all of the requested information." & VbCrLf & VbCrLf
	end if
end if


'Account Disabled?

	If objuser.AccountDisabled = True Then
		MsgBox strGN & " " & strSN & "'s account is Disabled! ***",0,strCN & "  (" & strSAMAccountName & ")"
	Else


'Account Locked?

		If objuser.IsAccountLocked = True Then
			strMsg = strMsg & strGN & " " & strSN & "'s account status:" & VbCrLf &_
			VBTab & VBTab & VBTab & VBTab & "Enabled" & VbCrLf &_
			VBTab & VBTab & VBTab & VBTab & "Locked! ***" & VbCrLf
		Else
			strMsg = strMsg & strGN & " " & strSN & "'s account status:" & VbCrLf &_
			VBTab & VBTab & VBTab & VBTab & "Enabled" & VbCrLf &_
			VBTab & VBTab & VBTab & VBTab & "Not Locked" & VbCrLf
		End If


'Password Expires?

		If intCurrentValue and ADS_UF_DONT_EXPIRE_PASSWD Then
			strMsg = strMsg & VBTab & VBTab & VBTab & VBTab & "Password Never Expires" & VbCrLf & VbCrLf & VbCrLf &_
			"The Password Never Expires for " & strGN & "'s account due to account settings." & VbCrLf & _
				"   Password Changed:       " & dtmValue & VBTab & int(now - dtmvalue) & " days ago" & VbCrLf & VbCrLf
		Else

			If intMaxPwdAge < 0 Then
				strMsg = strMsg & VbCrLf & "The Maximum Password Age is set to 0 in the domain. Therefore, the password does not expire." & VbCrLf & VbCrLf
			Else


'Password Expired already?

				If intTimeInterval >= intMaxPwdAge Then
				strMsg = strMsg & VBTab & VBTab & VBTab & VBTab & "Password Expired! ***" & VbCrLf & VbCrLf & VbCrLf &_
						strGN & "'s Password information:" & VbCrLf & _
						"   Last Changed:" & VBTab & dtmValue & VBTab & VBTab & int(now - dtmvalue) & " days ago" & VbCrLf & _
						"   Expiration:" & VBTab & dtmValue + intMaxPwdAge & VBTab & VBTab & int(now - (dtmValue + intMaxPwdAge)) & " days ago" & VbCrLf &  _
						"   (Maximum password age is " & intMaxPwdAge & " days)" & VbCrLf & VbCrLf
			        Else
					strMsg = strMsg & VBTab & VBTab & VBTab & VBTab & "Password Not Expired" & VbCrLf & VbCrLf & VbCrLf &_
						strGN & "'s Password information:" & VbCrLf & _
						"   Last Changed:" & VBTab & dtmValue & VBTab & VBTab & int(now - dtmvalue) & " days ago" & VbCrLf & _
						"   Expiration:" & VBTab & dtmValue + intMaxPwdAge & VBTab & VBTab & "in " & int((dtmValue + intMaxPwdAge) - now + 1) & " days" & VbCrLf & _
						"   (Maximum password age is " & intMaxPwdAge & " days)" & VbCrLf & VbCrLf
				End If
			End If
		End If


'User can Change the Password?

		If blnEnabled Then
			strMsg = strMsg & strGN & " cannot change the password due to account settings."
		Else
			If intMaxPwdAge < 0 Then
				strMsg = strMsg & strGN & " can change the password."
			Else
				If intTimeInterval >= intMaxPwdAge Then
					strMsg = strMsg & strGN & " can change the password only while on site with a domain computer."
	  			Else
  					If intTimeInterval >= intMinPwdAge Then
  						strMsg = strMsg & strGN & " can change the password."
  					Else
  						strMsg = strMsg & strGN & " can change the password after " & DateValue(dtmValue) + intMinPwdAge & "." & VbCrLf & _
  						"   (Minimum password age is "& intMinPwdAge & " days)"
  					End If
  				End If
			End If
		End If
'Display the Info

		MsgBox strMsg,0,strCN & "  (" & strSAMAccountName & ")"

	End If

Else
	WScript.Echo "Error"

End If

Set objNet = Nothing
Set objUser = Nothing
Set objSD = Nothing
Set objDACL = Nothing
Set objUserLDAP = Nothing
Set objDomainNT = Nothing

jmont · ‎01-23-2019

Jono,

Can you please share your acctstat.vbs with me? I found 2 samples on this site and neither are working on my local computer. I wanted to add this custom action because it will help us immensely. Thanks

lunja · ‎12-20-2016

Can you provide solution for this issue, since we also experience same problem.

Jono · ‎12-20-2016

lunja wrote:
Can you provide solution for this issue, since we also experience same problem.

Hi lunja. The solution comes from an update (version 6049) that you can get by emailing support@lansweeper.com.

Sorry, I should have included that in my last comment.

Jono · ‎12-19-2016

Thank you! Everything works well now.

Bert_D · ‎12-19-2016

Hi Jono,

Please contact support@lansweeper.com for a fix for this issue.

Jono · ‎12-16-2016

Update:

I created an action to echo what {cn} is returning:

cmd /k Echo "{cn}"

When I run that, it comes back with this result:

"CN=Doe^\, John,OU=US Users,DC=send,DC=local"

By using double quotes around {cn}, it inserts the carat after the last name, so the script fails as it can't find such a user.

When I run the same thing without the double quotes:

cmd /k Echo {cn}

it comes back with this result:

CN=Doe\, John,OU=US Users,DC=send,DC=local

The return is correct, but since there are spaces in the result, the double quotes are necessary, so the script still fails.

If anyone has any input on this, I'd be very interested in hearing it. I have several custom actions that use that {cn} variable and it's a pain to have to go to old methods to get the information.

Thanks.

Since going to 6048 Custom Actions using {cn} No Longer Work

General Discussions

New to Lansweeper?

Try Lansweeper For Free