[windows2000] cli AD account manipulation

  • From: Brain Anderson <brainstem@xxxxxxxxxxxxx>
  • To: windows2000@xxxxxxxxxxxxx
  • Date: Mon, 1 Nov 2004 13:11:10 -0800 (PST)

I'm writing a web based tool for some of our front
line support people for supporting our web portal.
I've been writing everything in PHP and have run into
a snag with dealing with AD accounts (the user account
back end of the portal sits on Win2k AD). I can query
LDAP and check values (and even modify most of the
text fields), but I haven't been able to modify/reset
passwords, nor disable/enable accts or unlock them.
After a few days research on the net, I've come to
realize that it seems to have something to do with SSL
communication between PHP and AD. 

But that's all besides the point. A really easy way
for me to get around this is to execute shell commands
within my script to do what I need. Before anyone
tells me that it's a bad idea to execute shell
commands from a web form, I'll just say that this is
not on a publicly addressable web server, and the
analysts already have access to a trimmed down version
of dsa.msc running via citrix session. I'm just trying
to simplify their whole support process. 

I've seen examples of using NET USER to reset
passwords, but I haven't seen anything having to do
with enabling or disabling accounts, or unlocking
locked ones. 

Any ideas?

This Weeks Sponsor StressedPuppy.com Games
Feeling stressed out? Check out our games to
relieve your stress.
To Unsubscribe, set digest or vacation
mode or view archives use the below link.


Other related posts: