Hi

I'm stuck. I've got a script (listed below) that asks for a user's name and
then disables the corresponding AD account, adds the associated external
account permission to the SELF account and then moves it to a specified OU.

My problem is that if the user's name has a space in it (i.e. John Doe) then
the associated external account permission will not be assigned to the SELF
account. If the user name has no space in it then everything works perfectly.

Any ideas?

********************************************************
On Error Resume Next

'Defines from which container search will start
Const ADS_SCOPE_SUBTREE = 2

Const ADS_USERDISABLED = &H00002
const E2K_MB_FULL_MB_ACCESS = &H00001
const E2K_MB_SEND_AS = &H00002
const E2K_MB_EXTERNAL_ACCOUNT = &H00004
const E2K_MB_READ_PERMISSIONS = &H20000
const E2K_MB_TAKE_OWNERSHIP = &H80000
const ADS_ACE_REVISION_DS = &H00004
const ADS_ACETYPE_ACCESS_ALLOWED = &H00000
const ADS_ACEFLAG_INHERIT_ACE = &H00002

'Sets User Flag Parameter
Const ADS_UF_ACCOUNTDISABLE = &H2

Dim strUserName

'Creates an input box to type in user's name
strUserName = InputBox("Enter the username:")

'connect to AD
Set objConnection = CreateObject("ADODB.Connection")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"

Set objCommand = CreateObject("ADODB.Command")
Set objCommand.ActiveConnection = objConnection
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
objCommand.CommandText = _
"SELECT ADsPath FROM 'LDAP://DC=london,DC=glenrand' " & _
"WHERE objectCategory='User' " & _
"AND cn='" & strUserName & "'"
Set objRecordSet = objCommand.Execute

'Get user record
objRecordSet.MoveFirst
Do Until objRecordSet.EOF
strPath = objRecordSet.Fields("ADsPath").Value
Set objUser = GetObject(strPath)
intUAC = objUser.Get("userAccountControl")
objUser.Put "userAccountControl", intUAC OR ADS_UF_ACCOUNTDISABLE
objUser.SetInfo
Call SetmsExchMasterAccountSid
'Move user to Ex Employees OU
Set objNewOU = GetObject("LDAP://OU=exemployees,DC=london,DC=glenrand")
intReturn = objNewOU.MoveHere(strPath, vbNullString)
objRecordSet.MoveNext
Loop

msgbox "The user account for " & strUserName & " has been disabled"

'This function sets the msExchMasterAccountSid value in ADSI to SELF.
'ie Adds Associated External Account permission to the SELF account.
Function SetmsExchMasterAccountSid

Dim objSD
Dim objACL
Dim objACE
Dim found

objUser.Put "msExchMasterAccountSid", objUser.Get("objectSID")

'Get the mailbox security descriptor
set objSD = objUser.Get("msExchMailboxSecurityDescriptor")
set objACL = objSD.DiscretionaryAcl
found = false

for each objACE in objACL 'Iterate through the ACL to find the SELF-Account
if objACE.Trustee = "SELF" Then
found = true
Exit For
end if
next

if not found then 'If no SELF-Account is present, create it
set objACE = CreateObject("AccessControlEntry")
objace.Trustee = "SELF"
objace.AceFlags = ADS_ACEFLAG_INHERIT_ACE
objace.AceType = ADS_ACETYPE_ACCESS_ALLOWED
objacl.addace objace
end if

'Give the SELF-Account the External-Account right
objace.AccessMask = objace.accessmask OR E2K_MB_READ_PERMISSIONS OR _
E2K_MB_FULL_MB_ACCESS OR E2K_MB_EXTERNAL_ACCOUNT

'Save the changes
objUser.Put "msExchMailboxSecurityDescriptor", objSD
objUser.setInfo

Set objSD = Nothing
Set objACL = Nothing
Set objACE = Nothing
End Function

Re: Problem passing cn's with spaces by Richard

Richard
Fri Mar 07 10:29:03 CST 2008

Nothing needs to be done to handle Common Names with spaces. I would remove
the "On Error Resume Next" statement so you can see if there are any error
messages. Should the trustee be "NT AUTHORITY\SELF"?

You might want to use the NT names of the users (pre-Windows 2000 logon
names), which is the value of the sAMAccountName attribute. The
sAMAccountName uniquely identifies the user, while cn does not. There could
be several users with the same Common Name.

--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--

"N33dls" <N33dls@discussions.microsoft.com> wrote in message
news:929452C1-EA20-4ED7-895B-AA843E2D62E9@microsoft.com...
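An added example, not the original poster's or Richard's code, that applies the reply's two suggestions: look the account up by sAMAccountName (unique in the domain, entered through the same InputBox) and report errors instead of silencing them with a script-wide On Error Resume Next. Because the typed name goes straight into the query, the value is escaped per RFC 4515 and the script stops unless exactly one account matched; the mailbox permission and OU move steps of the original are left out, and the domain DN is the one from the page.

```vbscript
Option Explicit
Const ADS_UF_ACCOUNTDISABLE = &H2

' Escape the characters that are special in an LDAP filter (RFC 4515). A space
' is not one of them, so "John Doe" passes through unchanged.
Function EscapeLdapFilterValue(strValue)
    Dim s: s = Replace(strValue, "\", "\5c")   ' backslash first, so added escapes stay intact
    s = Replace(s, "*", "\2a")
    s = Replace(s, "(", "\28")
    EscapeLdapFilterValue = Replace(s, ")", "\29")
End Function
Dim strSam, objConnection, objCommand, objRecordSet, intHits, strPath, objUser, intUAC
strSam = InputBox("Enter the pre-Windows 2000 logon name (sAMAccountName):")
If Len(strSam) = 0 Then WScript.Quit 1
Set objConnection = CreateObject("ADODB.Connection")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand = CreateObject("ADODB.Command")
Set objCommand.ActiveConnection = objConnection
objCommand.Properties("Page Size") = 1000
' LDAP dialect (not the SQL dialect of the original script) so the value can be escaped;
' the trailing "subtree" sets the search scope
objCommand.CommandText = "<LDAP://DC=london,DC=glenrand>;(&(objectCategory=person)" & _
    "(objectClass=user)(sAMAccountName=" & EscapeLdapFilterValue(strSam) & "));ADsPath;subtree"
Set objRecordSet = objCommand.Execute

' sAMAccountName is unique in the domain, so anything but exactly one hit means stop
intHits = 0
Do Until objRecordSet.EOF
    intHits = intHits + 1
    strPath = objRecordSet.Fields("ADsPath").Value
    objRecordSet.MoveNext
Loop
If intHits <> 1 Then
    WScript.Echo "Expected one account for " & strSam & ", found " & intHits & "; nothing changed."
    WScript.Quit 1
End If

' Disable the account; error handling is scoped to this single write so a failure is reported
Set objUser = GetObject(strPath)
intUAC = objUser.Get("userAccountControl")
objUser.Put "userAccountControl", intUAC Or ADS_UF_ACCOUNTDISABLE
On Error Resume Next
objUser.SetInfo
If Err.Number <> 0 Then
    WScript.Echo "Failed to disable " & strPath & ": " & Err.Description
    WScript.Quit 1
End If
On Error GoTo 0
```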