
We are in the process of piloting a new IM solution for the company, and part of that involves changing an attribute in AD, namely the one that lists the user's SIP address (msRTCSIP-PrimaryUserAddress).



I have been able to successfully read this value from AD:



dscl "/Active Directory/MYDOMAIN/All Domains" read /Users/USERNAME dsAttrTypeNative:msRTCSIP-PrimaryUserAddress


However, I am running into difficulties writing the new SIP address value:



dscl "/Active Directory/DOMAIN/All Domains" create /Users/USER dsAttrTypeNative:msRTCSIP-PrimaryUserAddress "NEWSIPADDRESS" -u "SERVICEACCOUNT" -P "PASSWORD"
<main> attribute status: eDSPermissionError
<dscl_cmd> DS Error: -14120 (eDSPermissionError)


The aim is to be able to run this script in concert with the new IM app install.



Is there something clearly wrong with the command (I have not done a lot of writing to AD from Terminal), or should I be looking deeper into the rights for that service account?

I'm really not certain, but I think you may need to drop the dsAttrTypeNative from the lines. I was able to run this against my account and got my SIP address back in the results.



dscl "/Active Directory/MYDOMAIN/All Domains" read /Users/USERNAME msRTCSIP-PrimaryUserAddress


Maybe try doing the update in the same way, using just msRTCSIP-PrimaryUserAddress? I'm not willing to test this on my own AD record, so you'll need to try it out.


Have you tried change instead of create? -change record_path key old_val new_val



I think create assumes a new attribute is being added.


Ooh, good point @davidacland! I didn't even think of that but you're right. You need to use -change to update an existing entry. -create should only be for creating a new entry in the record.


I think part of the problem was that the service account credentials needed to be in front rather than at the end of the script.



Changing that allowed me to change the SIP address.


@ocla&&09 Out of interest, what was the full command in the end?


dscl -u serviceaccount -P password "/Active Directory/domain/All Domains" -change /Users/username msRTCSIP-PrimaryUserAddress sip:oldaddress sip:newaddress

Thanks


No problem.
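The command the thread arrived at, wrapped in a script, as an added example that is not from any of the posters: because -change needs the old value, it reads the current address first and only then issues the change with the credentials ahead of the node path. The function names, the SVC_ACCOUNT variable, the accepted `dscl read` output layouts and the address character set are assumptions; it uses dscl's -p (prompt for password) in place of -P, which keeps the password out of the process argument list.

```shell
#!/bin/sh
# Added example: change msRTCSIP-PrimaryUserAddress with dscl -change.
ATTR="msRTCSIP-PrimaryUserAddress"

# Pull the attribute value out of `dscl ... read` output on stdin. Accepts the key
# with or without dsAttrTypeNative:, value on the same or next line (assumed layouts).
parse_sip() {
    awk -v attr="$ATTR" '
        { line = $0; sub(/^dsAttrTypeNative:/, "", line) }
        index(line, attr ":") == 1 {
            val = substr(line, length(attr) + 2); sub(/^[ \t]+/, "", val)
            if (val != "") { print val; found = 1; exit }
            want_next = 1; next
        }
        want_next { sub(/^[ \t]+/, ""); print; found = 1; exit }
        END { exit(found ? 0 : 1) }'
}

# Accept only sip:<something> built from a conservative character set (assumption),
# so whitespace or shell metacharacters never reach the directory write.
valid_sip() {
    case "$1" in
        *[!A-Za-z0-9@._:+-]*) return 1 ;;
        sip:?*) return 0 ;;
        *) return 1 ;;
    esac
}

# usage: update_sip NODE USER NEW_ADDRESS   (SVC_ACCOUNT must be set)
update_sip() {
    node=$1 user=$2 new=$3
    valid_sip "$new" || { echo "invalid SIP address: $new" >&2; return 2; }
    old=$(dscl "$node" read "/Users/$user" "$ATTR" | parse_sip) || {
        echo "no existing $ATTR on $user" >&2; return 3; }
    if [ "$old" = "$new" ]; then return 0; fi   # already set, nothing to write
    # Credentials precede the node path, as found in the thread. -p prompts for
    # the password; -P would place it in the arguments visible to `ps`.
    dscl -u "${SVC_ACCOUNT:?set SVC_ACCOUNT}" -p "$node" \
        -change "/Users/$user" "$ATTR" "$old" "$new"
}

# Run only when called with arguments, e.g.:
#   SVC_ACCOUNT=svc ./set_sip.sh "/Active Directory/DOMAIN/All Domains" USER sip:NEW
if [ "$#" -eq 3 ]; then update_sip "$@"; fi
```

An unattended run during an app install cannot answer the -p prompt, so that case needs the -P form from the thread.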

