Solved: AD User setAttribute issues

Subnet88 · ‎04-02-2012

I am attempting to use the AD_User.setAttribute method as part of a workflow to unlock a user account, I can read the attribute, but it does not seem to get successfully written.

My code is:

User.setAttribute("lockoutTime" , "0");

where User is of type AD:User

The workflow runs successfully, but I can read the attribute again and the lockoutTime value hasnt changed.

Am I calling this correctly, or is this a bug?

Burke- · ‎04-03-2012

So, as it turns out SSL is NOT required for this to work. After a bit of back & forth with some internal contacts, I went ahead and tried this again in my dev environment...

Windows 2003 Domain Controller...

Set group policy to lockout accounts for 120 minutes after 3 bad password attempts

Attempted to login 4 times with invalid password

confirmed account was locked out

Confirmed my AD plug-in was configured with and ADMINISTRATIVE account

Used the following code to unlock the locked account:

user.setAttribute('lockoutTime','0');

In the above line, "user" is my AD:User account that was locked out. After executing the workflow containing that code, I confirmed that the user was no longer llocked out and could log in to my Windows 2003 domain.

UPDATE: Also just tested in another test environment, this one using a Windows 2008 R2 domain - same results as above. Successfully unlocked account using user.setAttribute('lockoutTime','0');

Message was edited by: Burke-

If my answer resolved or helped you, please mark it as Correct or Helpful to award points. Thank you!

Visit http://www.vcoteam.info & http://blogs.vmware.com/orchestrator
for vRealize Orchestrator tips and tutorials - @TechnicalValues on Twitter

View solution in original post

Burke- · ‎04-02-2012

I'm pretty sure you need to have the AD Plugin configured to use SSL if you wish to make this particular change.

If my answer resolved or helped you, please mark it as Correct or Helpful to award points. Thank you!

Visit http://www.vcoteam.info & http://blogs.vmware.com/orchestrator
for vRealize Orchestrator tips and tutorials - @TechnicalValues on Twitter

Subnet88 · ‎04-02-2012

The plugin is configured for SSL. I CAN successfully set passwords, so that is verified.

Burke- · ‎04-02-2012

I don't have SSL available in my test environments to test this.. could you please try using the workflow "Enable a User". When I had asked about this particular use-ase, I was told to try that workflow...

If my answer resolved or helped you, please mark it as Correct or Helpful to award points. Thank you!

Visit http://www.vcoteam.info & http://blogs.vmware.com/orchestrator
for vRealize Orchestrator tips and tutorials - @TechnicalValues on Twitter

Subnet88 · ‎04-02-2012

the workflow "Enable a User" successfully runs, and enables a disabled user.

Burke- · ‎04-02-2012

But, does it also "Unlock" a locked out user??

If my answer resolved or helped you, please mark it as Correct or Helpful to award points. Thank you!

Visit http://www.vcoteam.info & http://blogs.vmware.com/orchestrator
for vRealize Orchestrator tips and tutorials - @TechnicalValues on Twitter

Subnet88 · ‎04-02-2012

no, it does not.

Burke- · ‎04-02-2012

OK, thanks for letting me know.. I have forwarded this thread information on to the person I had worked with here inside VMware to see if they can follow up on the issue.

If my answer resolved or helped you, please mark it as Correct or Helpful to award points. Thank you!

Visit http://www.vcoteam.info & http://blogs.vmware.com/orchestrator
for vRealize Orchestrator tips and tutorials - @TechnicalValues on Twitter

tschoergez · ‎04-02-2012

Hi folk!

That is an interesting thread!

@burke: Can you please also forward this to the Techdoc-Team? Would be helpful if you it is in the docs....

Cheers,

Joerg

Burke- · ‎04-03-2012

So, as it turns out SSL is NOT required for this to work. After a bit of back & forth with some internal contacts, I went ahead and tried this again in my dev environment...

Windows 2003 Domain Controller...

Set group policy to lockout accounts for 120 minutes after 3 bad password attempts

Attempted to login 4 times with invalid password

confirmed account was locked out

Confirmed my AD plug-in was configured with and ADMINISTRATIVE account

Used the following code to unlock the locked account:

user.setAttribute('lockoutTime','0');

In the above line, "user" is my AD:User account that was locked out. After executing the workflow containing that code, I confirmed that the user was no longer llocked out and could log in to my Windows 2003 domain.

UPDATE: Also just tested in another test environment, this one using a Windows 2008 R2 domain - same results as above. Successfully unlocked account using user.setAttribute('lockoutTime','0');

Message was edited by: Burke-

If my answer resolved or helped you, please mark it as Correct or Helpful to award points. Thank you!

Visit http://www.vcoteam.info & http://blogs.vmware.com/orchestrator
for vRealize Orchestrator tips and tutorials - @TechnicalValues on Twitter

Subnet88 · ‎04-03-2012

Thanks for the assist. I changed my JS to match yours and my account unlocks successfully. Could it be the double quotes vs single?

Burke- · ‎04-03-2012

That may have something to do with it... perhaps a combination of the type of quotes and other system settings that I'm unaware of... But, out of curiosity, I just went back to my test system with the 2008 domain and tried with double quotes - it worked... So, not sure what exactly is causing your issue, but if the single quotes are working, keep them

If my answer resolved or helped you, please mark it as Correct or Helpful to award points. Thank you!

Visit http://www.vcoteam.info & http://blogs.vmware.com/orchestrator
for vRealize Orchestrator tips and tutorials - @TechnicalValues on Twitter

All

AD User setAttribute issues