Powershell Active Directory Account Expiration Script

Similar Messages

• How to avoid duplicate DN exception when creating Active Directory Account

  I am using OIM 9.1.0.2 to provision Active Directory accounts.
  I run into issues when the DN of the user to be created already exists and I would like to know if anyone has some logic I can use to generate a different DN for new user by adding a number or something like that to the DN
  Here is an example.
  User 1 exists already and their DN: cn=john smith, cn=users, dc=company,dc=org
  New user joins the company and his name is also john smith and he has no middle name: so system attempts to create his account as cn=john smith, cn=users, dc=company,dc=org
  how can I accomplish this by making the account say cn=john smith_1, cn=users, dc=company,dc=org

  855640 wrote:
  I run into issues when the DN of the user to be created already exists and I would like to know if anyone has some logic I can use to generate a different DN for new user by adding a number or something like that to the DN
  There are two different questions:
  1. How to generate a sequence of candidates for the name attribute
  2. How to check if a record with the given name candidate already exists in the Active Directory, and hence try the next candidate from the sequence.
  The answer for the first part is usually defined by the policy existing in your organization, in the simplest case you can append sequential integer numbers to the end of the original name.
  The answer for the second question is not so simple if you use are provisioning with MSAD connector.
  There are two places you can put the check:
  -- in the pre-populate adapter for the UD_ADUSER_COMMONNAME field
  -- in the adpADCSCREATEUSER event handler, which is responsible for new AD user record creation.
  Both cases need some coding, since you have to obtain the AD connection and search AD for matching records.
  Pros & cons
  Placing check code in the pre-populate adapter:
  Pros:
  the result is visible in the form, administrator can change the pre-calculated value if he wishes
  Cons:
  you need to have all access to connection parameters, and establish one extra connection
  this is not the way OIM is supposed to work :-(
  Placing check code in the AD user creation task:
  Pros:
  you have all access to connection parameters, and open a connection here anyway
  Cons:
  the result is not present in the form, so no way for manual interaction by administrator here
  BTW: this problem is not only related to DN generation, some other AD attributes (e.g. sAMAccountName, mailNickName, userPrincipalName, mail) should be unique in the AD domain scope.
  Edited by: madhatter on Sep 7, 2012 12:02 AM

• 'Public' Active Directory account no longer works w/Tiger?

  We have approx 20 public Macs that all log onto our Windows 2003 server using the same Active Directory account - 'Public'
  This has worked fine until Tiger - Now when we attempt to log onto one of our network drives with this account name I'm told by a pop-up window that the account is either disabled or I've put the password in incorrectly.
  Can anyone confirm if 'Public' cannot be used by a user on Tiger? Is it exclusively for the OS?

  Ran accross this in help file...
  "Mac OS X 10.3 or later: "Invalid user name and password combination" Message When Using Active Directory
  When binding a Mac OS X client computer to Active Directory, the account entered is not validated (resolved) at that time. It is used as entered. If entered incorrectly, you will see an alert message later.
  Symptom
  After configuring the Active Directory Directory Access plug-in, an alert message appears at the client computer that says "invalid user name and password combination."
  Products affected
  Mac OS X 10.3 or later
  Solution
  This happens when an incorrect name and/or password is entered, including a username entered with incorrect syntax.
  The user's login name (also known as "PrincipalName") is required when binding a computer to Active Directory.
  The user can also use the short part of the login name (such as "virginia"). The typical syntax of a login name is similar to "[email protected]".
  Note: If the user's login name has been modified from the default "[email protected]", then the default login name must be used. The modified login name (such as "[email protected]") cannot be used."

• ActiveSync mail/contacts/calendars removed after Active Directory account is locked out?

  Hey guys,
  Wondering if anybody has seen an issue like this.  This is a new Exchange 2010 deployment (8+ CAS servers) and the devices are all iPhones/iPads running the latest version of iOS (7.1.2).  The CAS servers are behind a load-balancer.
  Basically when a users' Active Directory account is Locked in AD (either manually or by entering the wrong password) their ActiveSync Contacts, Calendars and all Mail folders (except the Inbox strangely!) will be removed from the iOS device within a few hours.  So an account might get locked out at say 6pm, if left locked out by the next morning the ActiveSync account will still be setup on the device as normal, but everything is gone except the mail in the Inbox.  If a user has an iPad and iPhone both will be blanked.
  The behaviour is similar to what is documented here - iOS: How to mitigate a full sync or reload of Exchange account data - however the Exchange servers are not issuing HTTP500 errors as we have captured logging during the window where the device blanks itself.
  Any thoughts would be appreciated!
  Thanks!

  Hello,
  which event ids are shown in the event viewer from the DCs? Or maybe locally also some errors are locked that give some more details.
  If this happens it sounds personally for me that Java is the problem. Have you already opened a call at
  https://community.oracle.com/welcome ?
  Best regards
  Meinolf Weber
  MVP, MCP, MCTS
  Microsoft MVP - Directory Services
  My Blog: http://msmvps.com/blogs/mweber/
  Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

• Active Directory account lockout from OS X Server

  I'm looking for assistance in tracking down why our 10.9 Mac server is constantly trying to use my Active Directory account. I changed my password a week ago and have been getting locked out constantly, and it appears the lockouts are coming from invalid password attempts from this OS X server. However, I don't know why the server would be using my AD credentials since I login to the Mac with an admin account and not my own. The only thing I can think of that may have used my AD credentials is connecting to a network file share at some point in the past, but I wouldn't have saved the credentials and it shouldn't be auto-mapping the share. The Mac itself is bound to Active Directory too.
  I checked the Login Items and there is nothing there. I also reset the keychain to defaults and that didn't help. Does anyone else have any ideas for me to try to narrow down what the OS X server may be trying to use my credentials for?

  So I'm going to guess I'm the only one that's ever had this issue...
  Further digging with Wireshark shows that the OS X server is indeed issuing bind requests using my old AD account credentials multiple times per minute. I tried unbinding and rebinding, but that didn't help. The requests also start right away after a reboot, so whatever is using my credentials is doing so prior to any user logins on the server. Now I'm trying to track down what is actually issuing these requests on the server
  In a span of a few seconds the machine issues three bind requests. The first is
  bindRequest (1) "[email protected]" simple
  Followed by
  bindRequest (1) "<ROOT>" sasl
  then
  bindRequest (2) "<ROOT>" sasl
  Anyone have an idea for me as to how to track down where my user account comes into play? It wasn't used to bind the machine to AD, I didn't see it anywhere in the keychain, and I only have a few apps running on the server, none of which use AD authentication or would request binding.

• Creating Active Directory Accounts for vSphere 5.1 Services

  To set up the management pieces of vSphere, I need to have an account or accounts created in Active Directory.  I need to determine how many to create and what permissions they need.
  In Single Sign on Server, I need to choose an account that vCenter server will use when it connects to SSO.  I can use the default admin@system-domain.  Or I can add an account that is configured in Active Directory.  Or, I can also use an active directory group instead of an individual user.  What is the best way to do this and if I use an AD account, what permissions does it need at the domain level and at the local level on the Single Sign on Server?  (I'm using multisite mode, so I can't use local accounts)
  In SQL Server, I need to choose an account to use for the SQL server service.  Should this account be an active directory account or a local user account?  If so, what permissions should be assigned to the account in Active Directory and what permissions should be assigned to it on the local machine?  What AD group, if any should it be a part of?  What local permissions does it need?
  In vCenter Server, I need to choose an account to run the "vCenter Server Service" in.  Is it best to use the default "system" account or to use an account from Active Directory, or a local account?
  I'm trying to get a big picture of an AD account/group strategy to use that covers the main management pieces of vSphere - vCenter Server, Single Sign on, Inventory Service, Web Client Services.
  For example, create one group called "vSphere Services", then create separate accounts for each management piece, and assign them specific permissions on specific systems.  Or create separate groups for each management piece and assign permissions to the groups.  Is it better to consolidate some of these user names or split them out?  Any experiences / suggestions welcome.  Thanks.

  Hello,
  For general services I use a service specific account within AD. This was before SSO and I use the same after SSO. SSO is used by only two services that I know about at the moment (Inventory Service and perhaps vCloud). However, there are many other service accounts that should be created. You want one account per service and I use AD for this, this way I can create a service account group and give it the appropriate roles and privileges. FOr example I have service accounts for:
  VMware View
  XenDesktop
  vCops
  HPSIM
  Solarwinds
  VMTurbo
  NetApp
  etc.
  One service, one service account, each with either a general role or custom role depending on access requirements to vCenter.
  For SSO, I to am waiting on general information, but I set mine up fairly basically to cover only those resources that make use of SSO. Since the vast majority of items do not use SSO, the rule still applies.  Once SSO is supported by more than one or two tools, you still need to maintain that separation.
  So I say yes, tie SSO to AD and do everything in one place, unfortunately, that is not very clear, or at least was not to me and these SSO issues are either beng fixed, documented, or both.
  Best regards,
  Edward L. Haletky aka Texiwill

• Time Machine Backup using Active Directory account

  I have two macbook pros (running 10.6.4) using Active Directory accounts and I am trying to backup them up to an Active Directory integrated XServe (running 10.6.4) with a shared Time Machine backup point. I open Time Machine preferences, select the disk, entering username and password, and it starts trying to make the backup disk available. However, it quits and gives me the following error - the network backup disk could not be accessed because there was a problem with the network username and password. The username and password are correct. I have tried three different accounts and they all produce this error.

  This happened to an issue AFP. I had AFP authentication set to use Kerberos. I changed it to use "Any Method" and it is working properly.

• Snow leopard Active directory account taking a long time to verify password

  Hi,
  My mac is configured to use an active directory account (windows small biz server 2008), i configured a mobile account when i was still under leopard and it was working fine. Since i upgraded to snow leopard i started experience the following issues:
  When i am out of the office (not connected on the domain), logging in to my mac take about 5min after i type the password, same thing when the mac awakes from sleep, i type my password and it says verifying password and this takes about 5 minutes to complete! Another issue i am experiencing is that whenever i put my mac to sleep, when it wakes up most of the running applications crash and i have to restart them. i was hoping 10.6.2 would fix that but it didn't.
  Sorry for the long post. Thank you in advance for your support!

  I guess we will have to wait for someone to give us a clue, or for apple to release 10.6.3 .

• What is involved in going from local user accounts to active directory accounts with CCM 9.1.2?

  We are currently using local user accounts with CUCM 9.1.2 and are looking at integrating it into the active directory structure.
  We do utilize the same structure for user ID's.
  I am looking to find out what the changeover will entail and if anything else needs to be done prior to the integration.
  We also have Unity syncing up with CUCM for users as well as Contact Center sync'ed up for our ACD system.
  Thanks
  Mike

  Hey Mike,
  The process is pretty straight forward.  CUCM 9.X supports the coexistence of AD integrated users and local users so you don't have to worry about local accounts disappearing if they don't have an AD account.  The biggest thing to watch out for is that if you decide to revert back for whatever reason then the accounts that were in AD will be marked for deletion (from the CUCM, not AD) and will be removed after approximately 24 hours.  
  I recommend the following if you'd like to move to AD.
  Run a DRS backup of CUCM.  This is not necessary for the integration but is good practice in my opinion.  I'd also do a full export of your users using the BAT so you can reimport users to how they were before the integration should you decide to revert for any reason.
  Determine if you want to put the user's extensions in the telephonenumber field or ipPhone field in AD.  Once you make a decision, I recommend populating that information in AD so it is available when you do the integration.  
  Make sure your local CUCM user accounts usernames are exactly the same as your domain accounts.  That way when you do the integration the local users become AD users and keep all of their phone associations, group memberships, etc.  If you need to change the usernames then be sure to notify your users ahead of time so they can start logging into UCCX or UCM user pages, etc. using their new username. 
  Create an account in AD that has read-only rights to your directory.  Set the password to never expire.  You will use this account later for the integration.  
  In CUCM, go into Serviceability and make sure the "Cisco DirSync" service is activated on the Publisher server.
  Also in CUCM, navigate to the administration page and do the following:
  Go to System > LDAP > LDAP System and Check the box to enable Synchronizing.  Confirm the LDAP server type and attribute for User ID is accurate.  This is typically Microsoft Active Directory and sAMAccountName respectively.
  Go to System > LDAP > LDAP Directory
  Click Add New
  Give it a name (whatever you want).
  Put in the Distinguished Name of the AD integration account you created earlier. For example, if you created an account called ciscoldap in the Service Accounts OU in the abc.com domain then it would look something like this... CN=ciscoldap,OU=Service Accounts,DC=abc,DC=com
  Enter the password for the account.
  Enter the search base.  This can be a specific OU where your users exist, a parent OU which contains other OUs which contain all of your users or the entire domain.  If you do the entire domain then in the abc.com example you would specify DC=abc,DC=com.
  Select the option to perform a sync with AD on periodic intervals.  The lowest interval you can set is every 6 hours.
  Select either the telephonenumber or ipPhone field to be used for the user's extensions.  This will be whatever you decided and populated in AD in an earlier step.
  Add your primary and any backup domain controllers and ports.  If they are just domain controllers and you are not using SSL then specify port 389.  If they are also global catalog servers then you can do port 3268.
  Click Save and Click the "Perform Full Sync Now" button.
  I recommend that you also use LDAP for authentication as well so you only have one username and password to remember which is all controlled by AD.  To add this do the following:Go to System > LDAP > LDAP Authentication.
  Click Add New
  Check the box to use LDAP Authentication
  Add the same Distinguished name, passwords and user seach base that you used for your integration account earlier under the synchronization section.  Also add the same primary and secondary LDAP servers and ports you used earlier.  
  Click Save
  You can go a step further and create a filter to only pull in the users within the search base you specified and apply that.  For example, maybe only pull in users that have their ipPhone field populated.  Let me know if you have any questions on that or any of the above.
  I hope this helps!

• ICloud/iTunes Account Locking out Active Directory Account [?]

  The facts:
  I have been having this problem for the past four+ months.
  My work email address is my iTunes account name
  My work AD account gets logged out most evenings, sometimes within an hour of leaving work, sometimes late at night
  I know when my account is logged out because my iPhone will ask for my Exchange password, or I cannot get into Outlook Web Access
  When my iTunes/iCloud account password is the same as my Active Directory password this does not happen. When this was the case earlier this year I went 90 days without a lockout. The day after my password expired and I changed my password - locked out again
  Exchange recognizes two mobile devices, my iPad2 and my iPhone 4, as mobile ActiveSync clients
  I have reset both of these devices, updated to the latest iOS and reinstalled and reconfigured my apps
  This occurs even when neither of these devices has an active ActiveSync account set up to use my work Exchange server
  The keyrings (Mac) and Credential Managers (PC) of all my home machines have been sanitized
  Mail (Mac) and Outlook are not configured on my home machines, and they are not affiliated with the work domain in any way
  From these facts it seems to me that the issue is:
  There exists a machine attempting to reach my Exchange account using a password I have used in the past
  If it is a computer that I have possession of, it must be an iDevice, because this behavior has still occurred when all others have been powered off
  If it is an iDevice under my control then it is something in iCloud/iTunes, because it does not depend on having the Exchange account configured on either iDevice and those are the only applications with knowledge of my work email address
  So,
  If it is my iCloud/iTunes account then WHY in the name of all that is sacred is it hitting my work Exchange server and locking out my account?
  I can think of no other -possible- devices or online services that have both that password, and knowledge of that email address. I remotely wiped an old phone that might have had the email account configured.
  Help?

  I would very much like to hear from someone at Apple regarding this as I'm having a very similar if not the exact same issue.

• Active Directory accounts no longer connect to Server

  I administrate a small office network.
  We have a Windows 2000 Server with active directory and a Windows 2003 Storage Server Appliance. (From Iomega)
  After upgrading to 10.4.8 (it seems), our Mac integrated to the Active Directory has had problems connecting to the storage server.
  When attempt to connect to smb://storage (the 2003 server appliance) we get a Error code -36 -- could not be read or written.
  This only happens when logged into an AD account. Local accounts on the machine access the server as normal.
  Also of note, the AD accounts have no problems accessing shares on the 2000 server.
  Any ideas why this is only effecting AD accounts and a solution?

  There are a couple of things you can check...
  1. Check to make sure that the SMB signing option is disabled for the Windows 2003 Storage appliance. This can be done in the local group policy on the Server.
  2. If it is a storage appliance, you should be able to run Microsoft's Services for Macintosh. This would give you AFP on the file server - a potential way to eliminate the need for using SMB on the Macs.
  3. Use a 3rd party software on the Windows 2003 Storace Server called ExtremeZ-IP by Group Logic. It is a full featured AFP/IP file server for Windows (replacing SFM). We have an HP DL380 NAS device on our network (running Windows 2003 Storage Edition) that has 1.5 TB of storage for our MAc users. We use ExtremeZ-IP... I have nothing bu great things to say for it...

• Cannot login with Active Directory Account

  Hello,
  I am testing SnowLeopard (10.6.1) for deployment in my labs for the Spring 2010 semester. We use local home directories. This is a brand new fresh install of SL, on a freshly formatted Hard Drive.
  When bound to Active Directory I can get any AD account that I've tested (5 different accounts) to authenticate except one, which happens to be my own personal AD account.
  The secure.log shows these entries when I attempt to login:
  Oct 9 14:18:29 mac-0017f20fc40 SecurityAgent[209]: User info context values set for ctarbox
  Oct 9 14:18:29 mac-0017f20fc40 authorizationhost[208]: Failed to authenticate user <ctarbox> (tDirStatus: -14090).
  Considering that I could log in with other accounts, and after resetting my AD password then still not being able to authenticate, I came to the conclusion that I had a corrupt OU in Active Directory.
  I contacted one of our AD admins and had him delete both of my AD accounts: ctarbox and ctarbox1 then recreate both accounts. I still cannot login to AD with my ctarbox account.
  I can still login to my current lab machines anywhere on campus running 10.5.8 with ctarbox.
  I am baffled by this. I have been authenticating to Active Directory since 10.1 and have never seen anything like this.
  Any idea, anyone?
  Cheryl Tarbox
  Macintosh Support Specialist
  Binghamton University

  I have found the solution to my problem. I have accounts in two different domains in our AD tree. I'll called these domains Domain A and Domain B.
  Domain A is the primary domain for authentication to our public computing labs.
  Domain B is a secondary domain for authentication to shared resources for faculty/staff.
  Both accounts have the same user ID, but different passwords. In my Directory Utility>Advanced>Administrative window I have the option "Allow authentication from any domain in the forest' checked.
  With this option checked Directory Utility in 10.6.1 will allow me to authenticate Domain B, but not Domain A.
  With this option checked in Directory Utility in 10.5.8 just the opposite is taking place, I can authenticate to Domain A, but not Domain B.
  It seems that somewhere in the upgrade to 10.6.1 the search policy for Active Directory has changed. My workaround is to uncheck this option and specifically choose Domain A in the search policy.

• Active Directory accounts problem logging in to Mavericks

  We have twenty iMacs in a lab and five in an Internet café, all wired to a multiple subnet network. OS X Mavericks is bound to Active Directory.  Frequently OS X Mavericks behaves as if the network user account password is entered incorrectly until the iMac is restarted.  This did not happen when we had Mountain Lion.  We never have problems logging in to Windows computers bound to Active Directory.

  We have twenty iMacs in a lab and five in an Internet café, all wired to a multiple subnet network. OS X Mavericks is bound to Active Directory.  Frequently OS X Mavericks behaves as if the network user account password is entered incorrectly until the iMac is restarted.  This did not happen when we had Mountain Lion.  We never have problems logging in to Windows computers bound to Active Directory.

• Setting up Wiki Calendars in iCal with Active Directory Accounts

  I'm Having a little trouble wrapping my head around our Wiki Calendar Solution,
  Id like to find a way to get the 10.6 Wiki Server Calendar's in iCal Client - using our active directory authentication.
  I have a test 10.6 Server bound to our Active Directory with Wiki's up and running and am able to log in with AD account's and view and manage the Wiki Calendar - I can see how to subscribe to the calendar's - But I need full integration with iCal and maybe even Outlook - subscribing only provides read access.
  anyone have any idea how his can be accomplished in and active directory setting - my searches have lead me to OD solutions and thats not going to work.

  I don't know how much I'll be able to help, but I do have AD accounts using wiki services. Can you verify a few things:
  1. The AD group is listed in the "Wiki Creators" box in Server Admin, yes?
  2. If you open Terminal and run "sudo serveradmin settings teams:enableClearTextAuth", does it return "teams:enableClearTextAuth = yes"?
  3. If you open System Preferences -> Accounts and then edit the directory servers, does the AD domain show as working normally?
  Also, have you worked to isolate the problem? Have you tried creating an OD user to test against the wiki? Are the logs showing anything?

• Unable to login with an Active Directory account on 10.6.7

  I just got a Mac Airbook and I'm trying to connect with my AD account. I was able to bind my computer to the domain succesfully but when I try and logon with my AD account I get the shakes. I verified my binding with the green light next to "Network Account Server". I asked some admins who have older macs and they guided me through the settings but it still doesn't work for me. The only thing that shows up in the logs when I attempt to login is "Active Directory could not find GUID for DOMAIN\domain to update admin group". And yes, my local user is different than my AD user.
  Any ideas?

  Not for me. Some things mount others do not. Plus you can't use links from e-mails or save to from applications. It makes most applications completely unuse-able for me. It looks like I'm going to have to run almost everything over Parallels. Kind of of lame that Mac can't get this fixed.