Active Directory PSO细粒度密码msDS MaximumPasswordAge

Question

查看如何创建vbscript以获取PSO策略已设置的最大天数。它返回的值是...我不知道如何获得设定的实际值。

这就是我到目前为止所知道的：

Option Explicit

Const ADS_UF_PASSWD_CANT_CHANGE = &H40
Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000

Dim strFilePath, objFSO, objFile, adoConnection, adoCommand, objCDOConf
Dim objRootDSE, strDNSDomain, strFilter, strQuery, adoRecordset, objMaxPwdAge
Dim strDN, objShell, lngBiasKey, lngBias, blnPwdExpire, strDept, strAdd
Dim objDate, dtmPwdLastSet, lngFlag, k, address, objAdd, objMessage

' Check for required arguments.
If (Wscript.Arguments.Count < 1) Then
    Wscript.Echo "Arguments <FileName> required. For example:" & vbCrLf _
        & "cscript PwdLastChanged.vbs c:\MyFolder\UserList.txt"
    Wscript.Quit(0)
End If

strFilePath = Wscript.Arguments(0)
Set objFSO = CreateObject("Scripting.FileSystemObject")

' Open the file for write access.
On Error Resume Next
Set objFile = objFSO.OpenTextFile(strFilePath, 2, True, 0)
If (Err.Number <> 0) Then
    On Error GoTo 0
    Wscript.Echo "File " & strFilePath & " cannot be opened"
    Wscript.Quit(1)
End If
On Error GoTo 0

Set objShell = CreateObject("Wscript.Shell")
lngBiasKey = objShell.RegRead("HKLM\System\CurrentControlSet\Control\" _
    & "TimeZoneInformation\ActiveTimeBias")
If (UCase(TypeName(lngBiasKey)) = "LONG") Then
    lngBias = lngBiasKey
ElseIf (UCase(TypeName(lngBiasKey)) = "VARIANT()") Then
    lngBias = 0
    For k = 0 To UBound(lngBiasKey)
        lngBias = lngBias + (lngBiasKey(k) * 256^k)
    Next
End If

' Use ADO to search the domain for all users.
Set adoConnection = CreateObject("ADODB.Connection")
Set adoCommand = CreateObject("ADODB.Command")
adoConnection.Provider = "ADsDSOOBject"
adoConnection.Open "Active Directory Provider"
Set adoCommand.ActiveConnection = adoConnection

' Determine the DNS domain from the RootDSE object.
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("DefaultNamingContext")

' Filter to retrieve all user objects.
strFilter = "(&(objectClass=msDS-PasswordSettings))"

' Filter to retrieve all computer objects.    
strQuery = "<LDAP://CN=PSO-Information Systems,CN=Password Settings Container,CN=System,DC=yrmc,DC=org>;" _
    & ";cn,msDS-LockoutDuration,msDS-MaximumPasswordAge,msDS-

PasswordSettingsPrecedence;subtree"

    adoCommand.CommandText = strQuery
    adoCommand.Properties("Page Size") = 100
    adoCommand.Properties("Timeout") = 30
    adoCommand.Properties("Cache Results") = False

Set adoRecordset = adoCommand.Execute
Do Until adoRecordset.EOF
    objFile.WriteLine adoRecordset.Fields("cn").Value
    adoRecordset.MoveNext
Loop
adoRecordset.Close

我可以得到cn甚至msDS-PasswordSettingsPrecedence的值，但不能得到msDS-MaximumPasswordAge的值。任何帮助都将不胜感激。

Answer 1

这充其量只是一个部分的答案，但我做了一些搜索，我相信你将需要以下一个或多个：

1. DSGet/DSQuery
2. LDIFDE将管理粒子群算法。
3. Quest的"Free PowerShell Commands for Active Directory"

使用Quest的免费工具，你可能会发现这个link很方便

Answer 2

将我们的Active Directory属性名称放在方括号中：

有关更多信息，请参阅博客文章"How can I retrieve the value of an active directory attribute that has a hyphen in its name"。

Answer 3

你必须像这样在你的广告中找到UsersPSO的位置

domainLookupString = ""CN=UsersPSO,CN=Password Settings Container,CN=System,DC=COMPAY,DC=ORG";

然后运行ldap查询

ldapFilterString = "(&(objectClass=msDS-PasswordSettings))";

最后，获取具有当前PSO策略的最大密码期限的ldap属性

"msDS-MaximumPasswordAge"