
Unable set ObjectGUID-like attribute

Open seanwlk opened this issue 6 years ago • 1 comments

Hello, in our AD we have a custom attribute that is ObjectGUID-like (called objectGUIDSource). I'm currently able to export the objectGUID from an object, but no matter what I try I cannot do update_attribute('ObjectGUIDSource',source_GUID). Tried with getting it as user.guid and user.guid_str; both ain't working. Then I tried to convert the string GUID to a hex one; it still throws a pywin32 exception.

Traceback (most recent call last):
  File "C:\Program Files (x86)\Python37-32\lib\tkinter\__init__.py", line 1705, in __call__
    return self.func(*args)
  File "creautenti.py", line 73, in init_create
    new_user.update_attribute('ObjectGUIDSource',guid_to_hex(guid_ulssve))
  File "C:\Program Files (x86)\Python37-32\lib\site-packages\pyad\adobject.py", line 321, in update_attribute
    self._flush()
  File "C:\Program Files (x86)\Python37-32\lib\site-packages\pyad\adobject.py", line 206, in _flush
    return self._ldap_adsi_obj.SetInfo()
  File "<COMObject <unknown>>", line 2, in SetInfo
pywintypes.com_error: (-2147352567, 'Exception occurred.', (0, 'Active Directory', 'A constraint violation occurred.\r\n', None, 0, -2147016657), None)

I currently have a PS script that does what I want, but it's very impractical for the average user, so I made a UI with tkinter and everything works except this; it's basically the last piece of the puzzle.

PS: Along the way I found some issues in the pyad lib itself that I had to fix; I will probably open a pull request in the future.

seanwlk avatar Jun 05 '19 14:06 seanwlk

I get exactly the same error:

pywintypes.com_error: (-2147352567, 'Exception occurred.', (0, 'Active Directory', 'A constraint violation occurred.\r\n', None, 0, -2147016657), None)

on the last line of:

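# ad, name, selfName and everyoneName are defined elsewhere in the poster's script (not shown)
user = ad.find_user(name)
sd = user.ntSecurityDescriptor
dacl = sd.DiscretionaryAcl
for ace in dacl:
    # ab721a53-... is the User-Change-Password extended right
    if ace.ObjectType.lower() == "{ab721a53-1e2f-11d0-9819-00aa0040529b}":
        if ace.Trustee == selfName or ace.Trustee == everyoneName:
            ace.AceType = 0x6 # ADS_ACETYPE_ACCESS_DENIED_OBJECT

# write the modified DACL back and commit; SetInfo() is the call that raises
sd.DiscretionaryAcl = dacl
user.Put("ntSecurityDescriptor", sd)
user.SetInfo()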

Any help is appreciated.

stevstrong avatar Nov 06 '24 07:11 stevstrong