Problem running a script

Tutorials Win: Microsoft Windows Forum

I got a script to set the userAccountControl of all users in an OU to 512.
This is the script I am using:

' UserAccountControl .vbs
' Sample VBScript to enable a user account
' Author Guy Thomas http://computerperformance.co.uk/
' Version 2.0 - May 2005
' --------------------------------------------------------------'
Option Explicit
Dim objOU, objUser, objRootDSE
Dim strContainer, strLastUser, strDNSDomain, intAccValue

' Bind to Active Directory Domain
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("DefaultNamingContext")

' Here is where we set the value to enable the account
' 512 = Enable, 514 = Disable.
intAccValue = 512

' -------------------------------------------------------------'
' Important change OU= to reflect your domain
' -------------------------------------------------------------'
strContainer = "OU=Users "
strContainer = strContainer & strDNSDomain

set objOU =GetObject("LDAP://" & strContainer )

For each objUser in objOU
If objUser.class="user" then
' The heart of this script - Enable users
objUser.Put "userAccountControl", intAccValue
objUser.SetInfo
End if
next

' End of Free Sample UserAccountControl VBScript


The problem is when I run it I get a script error "The server is unwilling
to process the request." Code 80072035. After doing some research it is
pointing to domain policy that is restricting this from running. I have 2000+
users that were imported that have the UF_PASSWD_NOTREQD flag set. I need to
do a bulk modify to set all these users to 512.

My question is, how do I determine which part of domain policy is stopping
this from running so that I can disable it. Or can this be done another way?

Thanks
Top

Re: Problem running a script by Brandon

Brandon
Tue Aug 05 17:01:03 PDT 2008

Thalador wrote:
> I got a script to set the userAccountControl of all users in an OU to 512.
> This is the script I am using:
>
> ' UserAccountControl .vbs
> ' Sample VBScript to enable a user account
> ' Author Guy Thomas http://computerperformance.co.uk/
> ' Version 2.0 - May 2005
> ' --------------------------------------------------------------'
> Option Explicit
> Dim objOU, objUser, objRootDSE
> Dim strContainer, strLastUser, strDNSDomain, intAccValue
>
> ' Bind to Active Directory Domain
> Set objRootDSE = GetObject("LDAP://RootDSE")
> strDNSDomain = objRootDSE.Get("DefaultNamingContext")
>
> ' Here is where we set the value to enable the account
> ' 512 = Enable, 514 = Disable.
> intAccValue = 512
>
> ' -------------------------------------------------------------'
> ' Important change OU= to reflect your domain
> ' -------------------------------------------------------------'
> strContainer = "OU=Users "
> strContainer = strContainer & strDNSDomain
>
> set objOU =GetObject("LDAP://" & strContainer )
>
> For each objUser in objOU
> If objUser.class="user" then
> ' The heart of this script - Enable users
> objUser.Put "userAccountControl", intAccValue
> objUser.SetInfo
> End if
> next
>
> ' End of Free Sample UserAccountControl VBScript
>
>
> The problem is when I run it I get a script error "The server is unwilling
> to process the request." Code 80072035. After doing some research it is
> pointing to domain policy that is restricting this from running. I have 2000+
> users that were imported that have the UF_PASSWD_NOTREQD flag set. I need to
> do a bulk modify to set all these users to 512.
>
> My question is, how do I determine which part of domain policy is stopping
> this from running so that I can disable it. Or can this be done another way?
>
> Thanks

If passwords are currently blank (and they probably are given the flag
you said you set) then you have to turn off password complexity options
in the domain policy before you can set your accounts to use 512 as
their UAC value. If I recall correctly, that is what I did to fix this
same problem a few years ago.
Top

Re: Problem running a script by Thalador

Thalador
Tue Aug 05 18:02:06 PDT 2008

I thought of that but when I imported the users I assigned them all passwords

"Brandon McCombs" wrote:

> Thalador wrote:
> > I got a script to set the userAccountControl of all users in an OU to 512.
> > This is the script I am using:
> >
> > ' UserAccountControl .vbs
> > ' Sample VBScript to enable a user account
> > ' Author Guy Thomas http://computerperformance.co.uk/
> > ' Version 2.0 - May 2005
> > ' --------------------------------------------------------------'
> > Option Explicit
> > Dim objOU, objUser, objRootDSE
> > Dim strContainer, strLastUser, strDNSDomain, intAccValue
> >
> > ' Bind to Active Directory Domain
> > Set objRootDSE = GetObject("LDAP://RootDSE")
> > strDNSDomain = objRootDSE.Get("DefaultNamingContext")
> >
> > ' Here is where we set the value to enable the account
> > ' 512 = Enable, 514 = Disable.
> > intAccValue = 512
> >
> > ' -------------------------------------------------------------'
> > ' Important change OU= to reflect your domain
> > ' -------------------------------------------------------------'
> > strContainer = "OU=Users "
> > strContainer = strContainer & strDNSDomain
> >
> > set objOU =GetObject("LDAP://" & strContainer )
> >
> > For each objUser in objOU
> > If objUser.class="user" then
> > ' The heart of this script - Enable users
> > objUser.Put "userAccountControl", intAccValue
> > objUser.SetInfo
> > End if
> > next
> >
> > ' End of Free Sample UserAccountControl VBScript
> >
> >
> > The problem is when I run it I get a script error "The server is unwilling
> > to process the request." Code 80072035. After doing some research it is
> > pointing to domain policy that is restricting this from running. I have 2000+
> > users that were imported that have the UF_PASSWD_NOTREQD flag set. I need to
> > do a bulk modify to set all these users to 512.
> >
> > My question is, how do I determine which part of domain policy is stopping
> > this from running so that I can disable it. Or can this be done another way?
> >
> > Thanks
>
> If passwords are currently blank (and they probably are given the flag
> you said you set) then you have to turn off password complexity options
> in the domain policy before you can set your accounts to use 512 as
> their UAC value. If I recall correctly, that is what I did to fix this
> same problem a few years ago.
>
Top

Re: Problem running a script by Brandon

Brandon
Tue Aug 05 20:32:12 PDT 2008

Thalador wrote:
> I thought of that but when I imported the users I assigned them all passwords
>

Have you tried to just disable the domain policy for a few minutes while
you run the script?

> "Brandon McCombs" wrote:
>
>> Thalador wrote:
>>> I got a script to set the userAccountControl of all users in an OU to 512.
>>> This is the script I am using:
>>>
>>> ' UserAccountControl .vbs
>>> ' Sample VBScript to enable a user account
>>> ' Author Guy Thomas http://computerperformance.co.uk/
>>> ' Version 2.0 - May 2005
>>> ' --------------------------------------------------------------'
>>> Option Explicit
>>> Dim objOU, objUser, objRootDSE
>>> Dim strContainer, strLastUser, strDNSDomain, intAccValue
>>>
>>> ' Bind to Active Directory Domain
>>> Set objRootDSE = GetObject("LDAP://RootDSE")
>>> strDNSDomain = objRootDSE.Get("DefaultNamingContext")
>>>
>>> ' Here is where we set the value to enable the account
>>> ' 512 = Enable, 514 = Disable.
>>> intAccValue = 512
>>>
>>> ' -------------------------------------------------------------'
>>> ' Important change OU= to reflect your domain
>>> ' -------------------------------------------------------------'
>>> strContainer = "OU=Users "
>>> strContainer = strContainer & strDNSDomain
>>>
>>> set objOU =GetObject("LDAP://" & strContainer )
>>>
>>> For each objUser in objOU
>>> If objUser.class="user" then
>>> ' The heart of this script - Enable users
>>> objUser.Put "userAccountControl", intAccValue
>>> objUser.SetInfo
>>> End if
>>> next
>>>
>>> ' End of Free Sample UserAccountControl VBScript
>>>
>>>
>>> The problem is when I run it I get a script error "The server is unwilling
>>> to process the request." Code 80072035. After doing some research it is
>>> pointing to domain policy that is restricting this from running. I have 2000+
>>> users that were imported that have the UF_PASSWD_NOTREQD flag set. I need to
>>> do a bulk modify to set all these users to 512.
>>>
>>> My question is, how do I determine which part of domain policy is stopping
>>> this from running so that I can disable it. Or can this be done another way?
>>>
>>> Thanks
>> If passwords are currently blank (and they probably are given the flag
>> you said you set) then you have to turn off password complexity options
>> in the domain policy before you can set your accounts to use 512 as
>> their UAC value. If I recall correctly, that is what I did to fix this
>> same problem a few years ago.
>>
Top

Re: Problem running a script by Brandon

Brandon
Tue Aug 05 20:35:17 PDT 2008

Thalador wrote:
> I thought of that but when I imported the users I assigned them all passwords
>

In case it helps, from http://blogs.msdn.com/alextch/default.aspx?p=2 :

The issue was around setting the userAccessControl attribute. Initially
I was setting this attribute in the following sequence:

newUser.Properties["userAccountControl"].Value = 512;
newUser.CommitChanges();
newUser.CommitChanges();
newUser.Invoke("SetPassword", new object[] {
ConfigurationSettings.AppSettings.Get("defaultPwd") });

which worked fine in my lab environment where password complexity policy
was disabled, but would produce the above mentioned error if password
complexity policy is enabled.

Rearanging the sequence like so fixed the issue:

newUser.Invoke("SetPassword", new object[] {
ConfigurationSettings.AppSettings.Get("defaultPwd") });
newUser.Properties["userAccountControl"].Value = 512;
newUser.CommitChanges();
newUser.CommitChanges();



> "Brandon McCombs" wrote:
>
>> Thalador wrote:
>>> I got a script to set the userAccountControl of all users in an OU to 512.
>>> This is the script I am using:
>>>
>>> ' UserAccountControl .vbs
>>> ' Sample VBScript to enable a user account
>>> ' Author Guy Thomas http://computerperformance.co.uk/
>>> ' Version 2.0 - May 2005
>>> ' --------------------------------------------------------------'
>>> Option Explicit
>>> Dim objOU, objUser, objRootDSE
>>> Dim strContainer, strLastUser, strDNSDomain, intAccValue
>>>
>>> ' Bind to Active Directory Domain
>>> Set objRootDSE = GetObject("LDAP://RootDSE")
>>> strDNSDomain = objRootDSE.Get("DefaultNamingContext")
>>>
>>> ' Here is where we set the value to enable the account
>>> ' 512 = Enable, 514 = Disable.
>>> intAccValue = 512
>>>
>>> ' -------------------------------------------------------------'
>>> ' Important change OU= to reflect your domain
>>> ' -------------------------------------------------------------'
>>> strContainer = "OU=Users "
>>> strContainer = strContainer & strDNSDomain
>>>
>>> set objOU =GetObject("LDAP://" & strContainer )
>>>
>>> For each objUser in objOU
>>> If objUser.class="user" then
>>> ' The heart of this script - Enable users
>>> objUser.Put "userAccountControl", intAccValue
>>> objUser.SetInfo
>>> End if
>>> next
>>>
>>> ' End of Free Sample UserAccountControl VBScript
>>>
>>>
>>> The problem is when I run it I get a script error "The server is unwilling
>>> to process the request." Code 80072035. After doing some research it is
>>> pointing to domain policy that is restricting this from running. I have 2000+
>>> users that were imported that have the UF_PASSWD_NOTREQD flag set. I need to
>>> do a bulk modify to set all these users to 512.
>>>
>>> My question is, how do I determine which part of domain policy is stopping
>>> this from running so that I can disable it. Or can this be done another way?
>>>
>>> Thanks
>> If passwords are currently blank (and they probably are given the flag
>> you said you set) then you have to turn off password complexity options
>> in the domain policy before you can set your accounts to use 512 as
>> their UAC value. If I recall correctly, that is what I did to fix this
>> same problem a few years ago.
>>
Top