Back to User management: Other
DESCRIPTION
When viewing the badPasswordTime attribute, ActiveRoles Server will display the value as obtained from the domain controller to which ARS currently happens to be connected. Since badPasswordTime is not a replicated attribute, the value will be inaccurate if requested from a DC other than the DC to which the user most recently attempted authentication (or the PDC emulator).
This script will intercept any request for the badPasswordTime attribute and then retrieve that attribute from the PDC emulator. The resulting value will be stored in the virtual attribute edsvaBadPasswordTime.
Note This code may use functions from the ARS Script Policy Best Practices. Please, follow the link to obtain instructions and code for those functions.
SCRIPT
'*********************************************************************************
' THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND,
' EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED
' WARRANTIES OF MERCHANTBILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
'
' IF YOU WANT THIS FUNCTIONALITY TO BE CONDITIONALLY SUPPORTED,
' PLEASE CONTACT QUEST PROFESSIONAL SERVICES.
'*********************************************************************************
'
' This code is published on the ActiveRoles Script Center:
' http://communities.quest.com/docs/DOC-9991
'
' This code may use functions from the ARS Script Policy Best Practices:
' http://communities.quest.com/docs/DOC-10016
'
' Please, follow the link to obtain instructions and code for those functions.
'*********************************************************************************
Option Explicit
Sub onPreGet(Request)
If Request.Class <> "user" Then Exit Sub
' If the badPasswordTime attribute has not been requested, then exit the procedure
Dim PropertyList: PropertyList = Request.RequestedAttributes
If Request.IsAttributeRequested("badPasswordTime") = False Then
Exit Sub
End If
' Bind to the user on the PDC emulator and retrieve the badPasswordTime attribute from that server specifically
Dim strPDCEmulator: strPDCEmulator = EnumeratePDCEmulator
Dim objUser: Set objUser = GetObject("LDAP://" & strPDCEmulator & "/" & Request.Get("distinguishedName"))
Dim objLInteger: Set objLInteger = CreateObject("AelitaEDM.EDMLargeInteger")
objLInteger.Set objUser.Get("badPasswordTime")
Dim strBadPasswordTime
strBadPasswordTime = CStr(objLInteger.GetDate)
'EventLog.ReportEvent 2, "The last bad password time for '" & Request.Name & "' is '" & strBadPasswordTime & "'." & vbCRLF & "String value: '" & objLInteger.GetString & "'"
' Convert the date from UTC to the local time of the ARS server
Dim objTimeConversion
Set objTimeConversion = CreateObject("AelitaEDM.EDMTimeConversion")
objTimeConversion.SetUTCTime(CDate(strBadPasswordTime))
strBadPasswordTime = objTimeConversion.GetLocalTime()
Set objTimeConversion = Nothing
objLInteger.SetDate CDate(strBadPasswordTime)
strBadPasswordTime = objLInteger.GetString()
'EventLog.ReportEvent 2, "The converted last bad password time is: '" & objLInteger.GetDate & "'" & vbCRLF & "String value: '" & objLInteger.GetString & "'"
' Add the value to the Request object, even though this is not currently being used for anything.
Request.AddRequestedAttribute "edsvaBadPasswordTime"
Request.Put "edsvaBadPasswordTime", objLInteger.GetString
' Add the value to the user's virtual attribute.
Set objUser = GetObject("EDMS://" & Request.Get("distinguishedName"))
objUser.Put "edsvaBadPasswordTime", objLInteger.GetIADSLargeInteger()
objUser.SetInfo
Set objUser = Nothing
End Sub
Private Function EnumeratePDCEmulator()
Dim objRootDSE, objDomain, strPDCEmulator, objNtds, objComputer
Set objRootDSE = GetObject("LDAP://rootDSE")
Set objDomain = GetObject("LDAP://" & objRootDSE.Get("defaultNamingContext"))
strPDCEmulator = objDomain.Get("fSMORoleOwner")
Set objNtds = GetObject("LDAP://" & strPDCEmulator)
Set objComputer = GetObject(objNtds.Parent)
EnumeratePDCEmulator = objComputer.dNSHostName
Set objComputer = Nothing
Set objNtds = Nothing
Set objDomain = Nothing
Set objRootDSE = Nothing
End Function
'***** END OF CODE ***************************************************************
COMPATIBILITY
Script compatible with the following version(s): <Not specified>