Active Directory – Change User’s Password – Resolution

 

Preface

In a previous post, I spoke of an SMH ( Shaking My Head ) moment I was having.

I couldn’t change a password assigned to a newly created Service Account.

The post is here.

 

 

Problem Identification

Thankfully, I have friends in high places or at least friends who are not so dim.

As Ron was leaving for the day, I said to him, “You are gonna hate me for bothering you.

But what is with my inability to change my password?”

He said it is a Group Policy thing.

I said I checked the Group Policy (GP) and I did not see that.

 

Group Policy Report

Code

Using gpresult we can generate Group Policy Reports.

Generate HTML Output

Script


set "_user=LAB\sbc"
If not exist "d:\temp" md "d:\temp"
gpresult /USER %_user% /F /H d:\temp\grResultUser.html

 

Output

accountandpasswordpolicies

Generate Textual Output

Script


set "_user=LAB\svcSQL"

gpresult /V /USER %_user% | more

Output

rsop-minimumpasswordage

Explanation

Underneath Policies \ Windows Settings \ Account Policies \ Password Policy, there is a Winning GPO stating that “Minimum password age” is 5 days.

 

Conclusion

I still did not get it, and so Ron had to explain it.

A password has to be at least 5 days old, prior to anyone having the ability to change it.

The password was only created yesterday and so I have to wait a few more days.

 

MSFT’s Recommendation

Cristian Dobre

Link

cristiandobre

 

Confirm Our Last Password Date

Let us confirm our last password date

Code – Credit

As always, I can not write this code.

Stealing this time from Homework

The specific post is titled “How to get the last password change for a user in Active Directory” and it is credited to Alessandro Tani.

It is available here.

Code


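# Requires the ActiveDirectory module
Import-Module ActiveDirectory

$ADUser="svcDBHRDB"

$formatDate="yyyy-MM-dd HH:mm"
$now=Get-Date -format $formatDate

"Current Date & Time is {0}" -f $now

# PasswordLastSet is not returned by default, so request it explicitly
Get-ADuser $ADUser -properties PasswordLastSet | Format-List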

 

Output

getaduseroutput-20161201-0838am
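The remaining wait can be worked out from PasswordLastSet and the MinPasswordAge of the policy that applies to the user. The following is an added example, not part of the original post or of the code it credits; the function names Get-EarliestPasswordChange and Get-AdEarliestPasswordChange are hypothetical, and the dates in the sample call are constructed to mirror the post (password set the day before, minimum age of 5 days).

```powershell
# Added example; both function names are hypothetical helpers.

function Get-EarliestPasswordChange {
    [CmdletBinding()]
    param(
        # The user's PasswordLastSet; $null when pwdLastSet is 0
        # ("User must change password at next logon").
        [Nullable[datetime]] $PasswordLastSet,

        # MinPasswordAge of the password policy that wins for this user.
        [Parameter(Mandatory)] [timespan] $MinimumPasswordAge,

        [datetime] $Now = (Get-Date)
    )

    if ($null -eq $PasswordLastSet) {
        # No timestamp to age against, so the minimum age does not block.
        $earliest = $Now
    } else {
        $earliest = $PasswordLastSet + $MinimumPasswordAge
    }

    $remaining = $earliest - $Now
    if ($remaining -lt [timespan]::Zero) { $remaining = [timespan]::Zero }

    [pscustomobject]@{
        PasswordLastSet    = $PasswordLastSet
        MinimumPasswordAge = $MinimumPasswordAge
        EarliestChange     = $earliest
        Remaining          = $remaining
        Blocked            = ($remaining -gt [timespan]::Zero)
    }
}

# Live lookup; needs the ActiveDirectory module and a reachable domain.
function Get-AdEarliestPasswordChange {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string] $Identity)

    Import-Module ActiveDirectory -ErrorAction Stop
    $user = Get-ADUser -Identity $Identity -Properties PasswordLastSet

    # A fine-grained password policy, when one applies to the user,
    # takes precedence over the domain default.
    $policy = Get-ADUserResultantPasswordPolicy -Identity $user
    if (-not $policy) { $policy = Get-ADDefaultDomainPasswordPolicy }

    Get-EarliestPasswordChange -PasswordLastSet $user.PasswordLastSet `
        -MinimumPasswordAge $policy.MinPasswordAge
}

# Constructed sample values: password set the day before, 5-day minimum age.
Get-EarliestPasswordChange `
    -PasswordLastSet    ([datetime]'2016-11-30 14:00') `
    -MinimumPasswordAge (New-TimeSpan -Days 5) `
    -Now                ([datetime]'2016-12-01 08:38') | Format-List
```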

Errors

Error – Import-Module : The specified module ‘ActiveDirectory’ was not loaded because no valid module file was found in any module directory.

Please read this QA:

Import-Module : The specified module ‘activedirectory’ was not loaded because no valid module file was found in any module directory
Link

 

References

  1. Security Policy Settings Reference > Account Policies > Password Policy > Minimum password age
    Link
  2. Alessandro Tani
    • How to get the last password change for a user in Active Directory
      Link
  3. Nirmal Sharma
    • When was the Last Password Changed for a User Account in Active Directory
      Link

 

Active Directory – Disabling User’s Ability to Change His\Her Password – Through Group Policy

Background

Let us disable the user’s ability to Change his/her own password.

 

Installation

Let us download and install the Group Policy Management Console (GPMC).

MS Windows 2003

Download

Unfortunately, we are on MS Windows 2003.

And, so we will download that OS Specific install binary.

The Microsoft Group Policy Management Console (GPMC) with Service Pack 1 (SP1) unifies management of Group Policy across the enterprise. The GPMC consists of a MMC snap-in and a set of programmable interfaces for managing Group Policy.
File :- gpmc.msi
Dated :- 2012-08-12
Link

 

Installed

Installed the downloaded msi file.

 

Usage

Once installed, access Group Policy Management via “Administrative Tools” \ “Group Policy Management”.

Add Group Policy

Outline Steps

Copying “How To Prevent Users from Changing a Password Except When Required in Windows Server 2003” ( Here ) verbatim, here is the instruction:

  1. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. Right-click the domain or organizational unit for which you want to implement the new password change policy, and then click Properties.
  3. Click the Group Policy tab.
  4. Click the Group Policy object (GPO) that you want to work with, and then click Edit. If there are no existing policies listed in the Group Policy Object Links list, click New to create a new policy, type a name for the new policy, and then click Edit.
  5. Expand the GPO, expand User Configuration, expand Administrative Templates, and then expand System.
  6. Click Ctrl+Alt+Del Options.
  7. In the right pane, double-click Remove Change Password.
  8. Click Enabled, and then click OK.
  9. Quit the Group Policy Object Editor snap-in, click OK, and then quit the Active Directory Users and Computers snap-in.
  10. Click Start, and then click Run.
  11. Type cmd in the Open box, and then click OK.
  12. At the command prompt, type the following line, and then press ENTER:
    • gpupdate /target:user /force

Screen Shots

 

Initiate New GPO

Here we walk to Forest \ Domains \ < Domain Name > \ <ou>

In our case Forest \ Domains \ < Domain Name > \ Services.

We right clicked on our OU, Services, and chose “Create and Link a GPO Here…”.

 

initiatemenu-20161130-0204pm

New GPO

Upon clicking New GPO, here is the screen that allows us to name a new GPO.

newgpo

 

Group Policy Object

Group Policy Object – Settings

Here is our Group Policy Settings when first created.

settings-20161130-0101pm

 

Group Policy Object – Edit Settings

Once the Group Policy is created, let us go in and customize it for our setting.

Choose the created Group Policy Object ( GPO ), right click it and from the drop down menu click the Edit button.

 

Group Policy Object – Edit Settings – Initial

Here is the original screen…

grouppolicy-ctrlaltdel-options-initial

 

 

Group Policy Object – Edit Settings – Amending Changes

Please choose “Remove Change Password”, and double-click on it

grouppolicy-ctrlaltdel-options-inprocess-removechangepassword

 

Group Policy Object – Edit Settings – Remove Change Password – Enabled

Here is what things look like once we effect “Remove Change Password”.

grouppolicy-ctrlaltdel-options

 

 

Enable Group Policy

gpupdate /force

gpupdate-force

Group Policy Review

Let us review the Group Policy in place

Script

MS Windows 2003

Code


set "_username=LABDOMAIN\svcDB"

gpresult /USER %_username% /V

 

Output

gpresult-20161130-0242pm

Explanation

We see that for our Group Policy, “Group Policy Object – User Password”,  the key Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableChangePassword is enabled.

MS Windows 2012

On MS Windows 2012 and likely OS Versions between Win 2003 and Windows 2012 ( 2008 & 2008/R2), we can output the result to an HTML or XML file.

That is accomplished through the /H or /Z options respectively.

The /F option states to force an overwrite of an existing output file.

Code


set "_user=LAB\svcDB"
If not exist "d:\temp" md "d:\temp"
gpresult /USER %_user% /F /H d:\temp\grResultUser.html

Test GP

Let us connect as our Service Account and see what happens when we use CTRL-ALT-DEL or CTRL-ALT-End ( when connected over Remote Desktop )

 

deskop-changepassworddisabled

We see that “Change Password” is disabled.

 

Summary

What we have shown here is the ability to revoke the current user’s ability to change his\her password via CTRL-ALT-DEL.

It does not constrain that ability through scripts, Active Directory Users and Computers, etc.
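To tell the Ctrl+Alt+Del-only policy apart from a directory-level restriction, compare the per-user registry value that gpresult reported with the account's “User cannot change password” setting in AD. This is an added example, not part of the original post; Get-ChangePasswordRestriction is a hypothetical helper name, and the HKCU hive is assumed because the policy sits under User Configuration.

```powershell
# Added example; Get-ChangePasswordRestriction is a hypothetical helper name.
# Run it in the session of the account being checked, because the
# "Remove Change Password" policy is a per-user setting.

function Get-ChangePasswordRestriction {
    [CmdletBinding()]
    param(
        # Optional sAMAccountName to look up in AD
        # (needs the ActiveDirectory module and a reachable domain).
        [string] $Identity
    )

    # Registry value that gpresult showed for the GPO in this post.
    $key   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    $value = Get-ItemProperty -Path $key -Name DisableChangePassword `
                 -ErrorAction SilentlyContinue
    $uiRemoved = [bool]($value -and $value.DisableChangePassword -eq 1)

    # Directory-level setting: the "User cannot change password" check box.
    $directoryDenies = $null
    if ($Identity) {
        Import-Module ActiveDirectory -ErrorAction Stop
        $user = Get-ADUser -Identity $Identity -Properties CannotChangePassword
        $directoryDenies = [bool]$user.CannotChangePassword
    }

    $assessment = if ($directoryDenies) {
        'Directory denies self-service password change'
    } elseif ($uiRemoved -and $null -eq $directoryDenies) {
        'Ctrl+Alt+Del option hidden; directory setting not checked'
    } elseif ($uiRemoved) {
        'Only the Ctrl+Alt+Del option is hidden; other change paths remain'
    } else {
        'No restriction found by this check'
    }

    [pscustomobject]@{
        UiOptionRemoved       = $uiRemoved
        DirectoryDeniesChange = $directoryDenies
        Assessment            = $assessment
    }
}

# Registry-only check for the logged-on user; add -Identity for the AD lookup.
Get-ChangePasswordRestriction | Format-List
```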

 

References

  1. How To Prevent Users from Changing a Password Except When Required in Windows Server 2003
    Link
  2. Rob Dunn – How to delegate password reset permissions for your IT staff ( SpiceWorks )
    Link
  3. Redspin – Viewing GPO’s on the Commandline
    Link

Active Directory – Change User’s Password – Erroring

 

Preface

This is a difficult post as it does not demonstrate a remedying process.

It merely demonstrates a stumbling block we ran into as we tried to change an Active Directory Service Account’s password.

BTW, a couple of choices for changing an AD Account’s password are documented here.

 

Changing AD User Password : Attempting

UI

Active Directory Users & Computers

Reset Password

resetpassword

 

Reset Password – Access is Denied

accessisdenied

 

Console

dsmod

Tried to change password using dsmod

Batch File


@echo off

Rem Change a domain account’s password from the command line	
Rem https://itnsomnia.wordpress.com/2008/04/08/change-a-domain-accounts-password-from-the-command-line/

set "_SAMAccountName=SQLSvc"
set "_ADPassword=antelopeWASBEFOREME#"

echo ADUser
dsquery user -samid %_SAMAccountName%

dsquery user -samid %_SAMAccountName%  | dsmod user  -mustchpwd no -pwd %_ADPassword%

Echo ERRORLEVEL is %ERRORLEVEL%



Output


ADUser
"CN=MSSQLsql,OU=ServiceAccounts,OU=LAB,DC=AD"
dsmod failed:CN=MSSQLsql,OU=ServiceAccounts,OU=LAB,DC=AD:Access is denied.:Set password failed
type dsmod /? for help.
ERRORLEVEL is -2147467259
>

 

 

Diagnostic

Active Directory Users And Computers

User’s Properties

Perusing Active Directory Users and Computers, here are the AD Account’s settings:

accountproperties-account

 

Explanation

  1. User must change password at next logon
    • Set
      • Good
  2. User cannot change password
    • Not Set
      • Good
  3. Password never expires
    • Set
      • Good

Conclusion

From a simple User Property review, nothing should stop this Service Account from changing its own password.

In a follow-up post, I will review whether restrictions have been set at the Organizational Unit (OU) level.

 

Active Directory – Change User’s Password

 

Background

Requested a few Service Accounts so that we can run a few SQL Server Instances using them.

I need to change the password to something a lot tighter.

Got a nice one from Norton Identity Safe; which is here.

 

Change Password

We can change the password using the UI or the console.

 

UI

UI – Self Change

Log on to the system from the console or through Remote Desktop.

If through Remote Desktop, access Change Password using CTRL/ALT/End.

rdc-menu

 

changeapassword-brused-up

 

Console

Tool – dsmod

dsmod – Change User using User Distinguished name


rem John Howard -MSFT
Rem Sample scripts for dsadd, dsmodify, dsget, dsquery, dsmod, dsmove
Rem https://blogs.technet.microsoft.com/jhoward/2005/01/27/sample-scripts-for-dsadd-dsmodify-dsget-dsquery-dsmod-dsmove/

set "_UserDN=CN=svcLABMSSQL,CN=Users,DC=LAB,DC=org"
set "_ADPassword=Hello2819$"

dsmod user "%_UserDN%" -pwd %_ADPassword%


dsmod – Change User using SAMAccountName


Rem Change a domain account’s password from the command line	
Rem https://itnsomnia.wordpress.com/2008/04/08/change-a-domain-accounts-password-from-the-command-line/

set "_SAMAccountName=svcLABMSSQL"
set "_ADPassword=Hello2819$"

echo ADUser
dsquery user -samid %_SAMAccountName%

dsquery user -samid %_SAMAccountName%  | dsmod user  -mustchpwd no -pwd %_ADPassword%



 

dsmod – Error

If an error occurs, please output the ERRORLEVEL.

Here are some common ones.

 

ErrorLevel :- -2147467259
Error :- ADO_UNSPECIFIED
Description :- This number doesn’t indicate a specific reason for this error but will always occur if there are problems in ADO requests, e.g. you forgot to pass the search scope (Subtree, OneLevel etc.) within your request string. This error can occur even without using ADO when you have a type mismatch while writing an object attribute (for example if you use the ADSI method Put to fill an integer or string attribute in a floating point number). In this case you better convert the value into a string first.
Possible Source :- ADSI
Links :- Self ADSI
 

 

 

 

References

  1. Microsoft
    • Reset a User Password
      Link
  2. Mitch Tulloch, author of Windows Server Hacks
    • Windows Server Hacks: Resetting User Passwords
      Link
  3. John Howard
    • Sample scripts for dsadd, dsmodify, dsget, dsquery, dsmod, dsmove
      Link
  4. John Savill
    • How can I change a domain user’s password from the command line in Windows Server 2003?
      Link
  5. itnsomnia
    • Change a domain account’s password from the command line
      Link

“Active Directory Users & Computers” on MS Windows 7

Background

Really missing “Active Directory Users and Computers” on my MS Windows box.

 

Download

Downloaded Remote Server Administration Tools for Windows 7 with Service Pack 1 (SP1) from here.

 

Installed

Installed Windows6.1-KB958830-x64-RefreshPkg.msu as my box is 64 bit.

 

Scripts

Documentation

As I opted not to use the GUI, I need to know the arguments to pass to the DISM installer.

Remote Server Administrative Tools roles

Link

       addsroles

List Features & Status

Script


dism /online /get-features /Format:Table | find "RemoteServerAdministrationTools-Roles"

 

Output

features-remoteserveradministrationtools-roles-ad

 

Enable Features & Status

Script


dism /online /enable-feature /featurename:RemoteServerAdministrationTools

dism /online /enable-feature /featurename:RemoteServerAdministrationTools-Roles

dism /online /enable-feature /featurename:RemoteServerAdministrationTools-Roles-AD

dism /online /enable-feature /featurename:RemoteServerAdministrationTools-Roles-AD-DS

dism /online /enable-feature /featurename:RemoteServerAdministrationTools-Roles-AD-DS-SnapIns

Output

enablefeature-20161021-0214pm

 

Usage

Access MMC

Launch through the Windows Start Menu

Administrative Tools \ Active Directory Users and Computers

startmenu

Use Functionality

Find Users, Contacts, and Groups

ad-findusers

References

  1. What Are the Remote Server Administration Tools?
    Link

 

Active Directory Query using ADSI/VBScript

Background

Microsoft’s Active Directory is likely one of the most widely deployed LDAP Servers.

Every Application needs User authentication, but unfortunately the code can be buried so deep in the Application that error codes and messages get lost through suppression.

Thankfully, ADSI makes quick work of it.

Here is Microsoft’s definition of ADSI:

ADSI
https://msdn.microsoft.com/en-us/library/aa772170%28v=vs.85%29.aspx

Active Directory Service Interfaces (ADSI) is a set of COM interfaces used to access the features of directory services from different network providers. ADSI is used in a distributed computing environment to present a single set of directory service interfaces for managing network resources. Administrators and developers can use ADSI services to enumerate and manage the resources in a directory service, no matter which network environment contains the resource.

 

Code

Here is some code that I am trying out to quickly get a subset of the logged-on user’s data:


REM ******************************************************************************************************************************
REM AD Query Script
REM http://www.rlmueller.net/ADOSearchTips.htm

REM Rahul Soni's blog
REM Never assume the obvious is true!
REM http://blogs.msdn.com/b/rahulso/archive/2006/12/29/how-to-read-user-and-system-variables-using-vbscript.aspx

REM ******************************************************************************************************************************

Option Explicit

Const USERDOMAIN = "USERDOMAIN"
Const USERNAME = "USERNAME"

Const USERDOMAIN_EXPAND = "%USERDOMAIN%"
Const USERNAME_EXPAND = "%USERNAME%"

Const USER_SYSTEM = "SYSTEM"

Const bDebug = false

Dim adoCommand, adoConnection, strBase, strAttributes
Dim objRootDSE, strDNSDomain, strQuery, adoRecordset, strName, strCN
Dim strLog

Dim objWSH
Dim objUserVariables
Dim objSystemVariables

Dim objWshNetwork 

Dim strFilterSyntax
Dim strFilter

Dim strGivenName
Dim strSurname
Dim strUsername
Dim strUserDomain
Dim strEmailAddress
Dim strTelephoneNumber
Dim strDepartment
Dim strEmployeeID
Dim strDistinguishName

Dim bErrorCheckFailed
Dim strWhenCreated

Dim strFullDN
Dim ou

on error goto 0

strUserName = ""
bErrorCheckFailed = false

if (Wscript.Arguments.Count < 1)  Then

	rem Wscript.Echo "No arguments"

elseif (Wscript.Arguments.Count = 1) Then

	strUserName = Wscript.Arguments.Item(0) 

end if

Set objWSH =  CreateObject("WScript.Shell")

Set objUserVariables = objWSH.Environment("USER")
Set objSystemVariables = objWSH.Environment("SYSTEM")

	Rem http://stackoverflow.com/questions/904739/can-i-pick-up-environment-variables-in-vbscript-wsh-script
	strUserDomain = objSystemVariables(USERDOMAIN)

	if (strUserDomain = "") Then

		Rem http://stackoverflow.com/questions/904739/can-i-pick-up-environment-variables-in-vbscript-wsh-script
		strUserDomain = objWSH.ExpandEnvironmentStrings(UserDomain_EXPAND)

	end	if	

	if (strUserName = "") Then

		strUserName = objSystemVariables(USERNAME)

	end if

	if (strUserName = "") Then

		strUserName = objWSH.ExpandEnvironmentStrings(UserName_EXPAND)

	end	if	

set objWSH =  Nothing

if  ( _
		        (strUserDomain = "") _
		   or ( (strUserName = "") or (strUserName = USER_SYSTEM)) _
	) Then

	' Create a new WshNetwork object to access network properties.
	'http://wsh2.uw.hu/ch11b.html
	Set objWshNetwork = WScript.CreateObject("WScript.Network")

		if (strUserDomain = "") Then

			strUserDomain = objWshNetwork.UserDomain

		end if

		if ( (strUserName = "") or (strUserName = USER_SYSTEM) ) Then

			strUserName = objWshNetwork.UserName

		end if		

	Set objWshNetwork = Nothing

end if

if (strUserDomain = "") Then

	Wscript.Echo "User Domain is empty"
	bErrorCheckFailed = true

end if

if (bErrorCheckFailed) Then

	Wscript.Echo "Validity Check failed!"

	rem http://ss64.com/vb/quit.html
	WScript.Quit -100

end if

strLog = "User Domain: " & strUserDomain
Wscript.Echo strLog

strDNSDomain = strUserDomain

' Setup ADO objects.
Set adoCommand = CreateObject("ADODB.Command")
Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Open "Active Directory Provider"
Set adoCommand.ActiveConnection = adoConnection

' Search entire Active Directory domain.
Set objRootDSE = GetObject("LDAP://RootDSE")

strDNSDomain = objRootDSE.Get("defaultNamingContext")
strBase = "<LDAP://" & strDNSDomain & ">"

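' Filter on user objects.
' Escape LDAP filter metacharacters (RFC 4515) in the supplied name so that
' input such as "*" or ")" cannot change the filter. Backslash is escaped first.
strFilterSyntax = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=#USERSAMNAME#))"
strFilter = Replace(strFilterSyntax, "#USERSAMNAME#", _
	Replace(Replace(Replace(Replace(strUsername, "\", "\5c"), "*", "\2a"), "(", "\28"), ")", "\29"))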

rem Wscript.Echo "FILTER SYNTAX: " & strFilterSyntax
rem Wscript.Echo "FILTER:        " & strFilter

' Comma delimited list of attribute values to retrieve.
strAttributes = "distinguishedName,sAMAccountName,cn,givenname,sn,mail,telephoneNumber,department,employeeID,whenCreated,lastLogon,lastLogoff,mailNickname"

' Construct the LDAP syntax query.
strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
adoCommand.CommandText = strQuery
adoCommand.Properties("Page Size") = 100
adoCommand.Properties("Timeout") = 30
adoCommand.Properties("Cache Results") = False

' Run the query.
Set adoRecordset = adoCommand.Execute

Dim strLastLogon
Dim strLastLogoff
Dim strMailNickname

' Enumerate the resulting recordset.
on error resume next

strDistinguishName = ""

Do Until adoRecordset.EOF

    ' Retrieve values and display.
    strName = adoRecordset.Fields("sAMAccountName").Value
    strCN = adoRecordset.Fields("cn").value
	strDistinguishName =  adoRecordset.Fields("distinguishedName").value

	strGivenName = adoRecordset.Fields("givenname").value
	strSurname = adoRecordset.Fields("sn").value
	strEmailAddress = adoRecordset.Fields("mail").value
	strTelephoneNumber = adoRecordset.Fields("telephoneNumber").value
	strDepartment = adoRecordset.Fields("department").value
	strEmployeeID = adoRecordset.Fields("employeeID").value
	rem whenCreated
	'strWhenCreated = adoRecordset.Fields("whenCreated").value
	'strLastLogon = adoRecordset.Fields("lastLogon").value
	'strLastLogoff = adoRecordset.Fields("lastLogoff").value
	strMailNickname = adoRecordset.Fields("mailNickname").value

    Wscript.Echo "NT Name: " & strName
	Wscript.Echo "Common Name: " & strCN
	Wscript.Echo "Distinguish Name (dn): " & strDistinguishName
	Wscript.Echo "Given Name: " & strGivenName
	Wscript.Echo "Last Name: " & strSurname
	Wscript.Echo "Email Address: " & strEmailAddress
	Wscript.Echo "Telephone Number: " & strTelephoneNumber
	Wscript.Echo "Department: " & strDepartment
	Wscript.Echo "Employee ID: " & strEmployeeID
	Wscript.Echo "When Created: " & strWhenCreated
	'Wscript.Echo "Last Logoff: " & strLastLogoff
	'Wscript.Echo "Last Logon: " & strLastLogon
	Wscript.Echo "Mail Nickname: " & strMailNickname

    ' Move to the next record in the recordset.
    adoRecordset.MoveNext
Loop

if (Err.Number <> 0) Then

	Wscript.Echo "Err Number " & CSTR(Err.Number)
	Wscript.Echo "Err Description " & CSTR(Err.Description) 

end if

Dim objUser
Dim objLastLogon
Dim objLastLogoff

Dim intLastLogonTime
Dim intLastLogoffTime

if (strDistinguishName <> "") then

	'Set ou = GetObject("LDAP://ou=Accounts,dc=cerrotorre,dc=de")

	'For Each obj In ou
		'WScript.Echo obj.name
	'Next

	strFullDN = "LDAP://" & strDistinguishName

	if (bDebug) Then

		WScript.Echo "Connecting to " & strFullDN & " ..."

	end if

	Set objUser = GetObject(strFullDN)

	if (Err.Number <> 0) Then

		Wscript.Echo "Err connecting to LDAP - Targeted " & strFullDN
		Wscript.Echo "Err Number " & CSTR(Err.Number)
		Wscript.Echo "Err Description " & CSTR(Err.Description) 

	end if

	if ( (objUser is Nothing) = false) Then	

		Set objLastLogon = objUser.Get("lastLogon")
		intLastLogonTime = objLastLogon.HighPart * (2^32) + objLastLogon.LowPart
		intLastLogonTime = intLastLogonTime / (60 * 10000000)
		intLastLogonTime = intLastLogonTime / 1440

		Set objLastLogoff = objUser.Get("lastLogoff")

		intLastLogoffTime = 0
		if ((objLastLogoff is Nothing) = False) Then

			intLastLogoffTime = objLastLogoff.HighPart * (2^32) + objLastLogoff.LowPart
			intLastLogoffTime = intLastLogoffTime / (60 * 10000000)
			intLastLogoffTime = intLastLogoffTime / 1440

		end if

		WScript.Echo "Last Logon is " & intLastLogonTime + #1/1/1601# 

		if (intLastLogoffTime <> 0) Then

			WScript.Echo "Last Logoff is " & intLastLogoffTime + #1/1/1601# 

		end if		

	else

			WScript.Echo "ou is empty for " & strFullDN 	

	end if

	if ( (objUser is Nothing) = false) Then	

		if (bDebug) Then

			WScript.Echo "Releasing User object ..."

		end if

		Set objUser = Nothing

		if (bDebug) Then

			WScript.Echo "Released User object"

		end if

	end if

end if

on error goto 0

' Clean up.
adoRecordset.Close
adoConnection.Close

Output:

ADQueryUser.vbs

Windows – Windows Script Host/VBScript – Getting Full Name of Network User

Background

Here I am with a Network Logon, but no corresponding Fullname.

 

Windows AD Tools

Depending on the version of Windows, we can quickly put together a script for getting the information.


      dsquery user -name joe | dsget user -display

 

If invalid username, you will get :


    dsget failed:'Target object for this command' is missing

 

If valid user, you will get something such as :


  display
  Adeniji, Daniel

 

Code

VBScript

Here is a VBScript for doing the same:

 

 

Option Explicit
Dim strADDomain
Dim strUserName
Dim strUserNameCurrent
Dim objWshShell
Dim strObjectData
Dim strNameNotFound
Dim iCommandLineArgCount
Dim objUser

Const CommandLineArgCountExpected = 1
Const ERR_InvalidProcedureCallORArgument = 5

Const OBJECT_REF_SYNTAX = "WinNT://{0}/{1}"
Const ERR_NAME_NOT_FOUND = "Name not found Domain {0} / User {1}"

rem SQL string formatting in VBScript
rem PEOPLE AREN'T LOOKING FOR WEBSITES, THEY'RE LOOKING FOR ANSWERS.
rem http://lutrov.com/blog/sql-string-formatting-in-vbscript
function fmt(str, args())
   dim res, i
   res = str
   for i = 0 to ubound(args)
      res = replace(res, chr(123) & cstr(i) & chr(125), cstr(args(i)))
   next
   fmt = res
end function

REM *******************************************************************
Rem MS Windows Shell Environment Variables
REM *******************************************************************
Set objWshShell = WScript.CreateObject( "WScript.Shell" )

	strADDomain = objWshShell.ExpandEnvironmentStrings( "%USERDOMAIN%" )

	strUserNameCurrent = objWshShell.ExpandEnvironmentStrings( "%USERNAME%" )

set objWSHShell = Nothing

REM *******************************************************************
Rem Get Command Line Arguments
REM *******************************************************************
iCommandLineArgCount = WScript.Arguments.Count

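if (iCommandLineArgCount = CommandLineArgCountExpected) Then

	strUserName = WScript.Arguments.Item(0)

elseif (iCommandLineArgCount > CommandLineArgCountExpected) Then

	rem Too many arguments; with no argument we fall through to the current user below
	Err.Raise ERR_InvalidProcedureCallORArgument ' Invalid procedure call or argument

end if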

REM *******************************************************************
Rem If arguments not passed in, then assume for current user
REM *******************************************************************
if (strUserName = "") Then

	strUserName = strUserNameCurrent

end if

rem strObjectData = "WinNT://" & strADDomain & "/" & strUserName
strObjectData = fmt(OBJECT_REF_SYNTAX, array(strADDomain, strUserName))

rem (null): The network path was not found.
on error resume next

	Set objUser = GetObject(strObjectData)

on error goto 0

rem display full name
if IsObject(objUser) Then

	Wscript.Echo objUser.FullName

else

	strNameNotFound = fmt(ERR_NAME_NOT_FOUND, array(strADDomain, strUserName))

	Wscript.Echo strNameNotFound

end if	

rem free object
if IsObject(objUser) Then

	Set objUser = Nothing

end if

 

 

To try things out:

 


    cscript getUserFullName.vbs dadeniji

 

 

References

VBScript

 

 

 

Summary

How poetic justice is that?

I bemoaned “On error resume next”, Microsoft – Classic ASP – Error Suppressed, barely a week gone by.  And, now I need it to avoid a missing AD Entry warning.

But, nevertheless when used, quickly close it out with an “on error goto 0“.