Change attribute in AD via script
Posted on 05-26-2015 02:11 PM
We are in the process of piloting a new IM solution for the company, and part of that involves changing an attribute in AD, namely the one that lists the user's SIP address (msRTCSIP-PrimaryUserAddress).
I have been able to successfully read this value from AD:
dscl "/Active Directory/MYDOMAIN/All Domains" read /Users/USERNAME dsAttrTypeNative:msRTCSIP-PrimaryUserAddress
However, I am running into difficulties writing the new sip address value:
dscl "/Active Directory/DOMAIN/All Domains" create /Users/USER dsAttrTypeNative:msRTCSIP-PrimaryUserAddress "NEWSIPADDRESS" -u "SERVICEACCOUNT" -P "PASSWORD"
<main> attribute status: eDSPermissionError
<dscl_cmd> DS Error: -14120 (eDSPermissionError)
The aim is to be able to run this script in concert with the new IM app install.
Is there something clearly wrong with the command (I have not done a lot of writing to AD from Terminal), or should I be looking deeper into the rights for that service account?

Posted on 05-26-2015 02:19 PM
I'm really not certain, but I think you may need to drop the dsAttrTypeNative from the lines. I was able to run this against my account and got my SIP address back in the results.
dscl "/Active Directory/MYDOMAIN/All Domains" read /Users/USERNAME msRTCSIP-PrimaryUserAddress
Maybe try doing the update in the same way, using just msRTCSIP-PrimaryUserAddress? I'm not willing to test this on my own AD record, so you'll need to try it out.

Posted on 05-26-2015 02:20 PM
Have you tried change instead of create? -change record_path key old_val new_val
I think create assumes a new attribute is being added.

Posted on 05-26-2015 02:44 PM
Ooh, good point @davidacland! I didn't even think of that but you're right. You need to use -change to update an existing entry. -create should only be for creating a new entry in the record.
Posted on 05-26-2015 03:25 PM
I think part of the problem was that the service account credentials needed to be in front rather than at the end of the script.
Changing that allowed me to change the sip address.

Posted on 05-26-2015 03:28 PM
@ocla&&09 Out of interest, what was the full command in the end?
Posted on 05-26-2015 03:30 PM
dscl -u serviceaccount -P password "/Active Directory/domain/All Domains" -change /Users/username msRTCSIP-PrimaryUserAddress sip:oldaddress sip:newaddress
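
The command above as a script that looks up the current value first, since -change needs the old value as well as the new one. This is an added example, not code posted by anyone in the thread; the function names, the overridable DSCL variable, and the assumed `Key: value` shape of the read output are assumptions.

```shell
#!/bin/bash
# Added example (not from the thread). DSCL can be overridden for testing.
DSCL="${DSCL:-/usr/bin/dscl}"
ATTR="msRTCSIP-PrimaryUserAddress"

# Print the attribute value from `dscl -read` output on stdin.
# Accepts "Key: value" and the two-line form "Key:" / " value"; the key may
# carry the dsAttrTypeNative: prefix.
parse_sip() {
  awk -v a="$ATTR:" '
    found { sub(/^[ \t]+/, ""); print; exit }
    (i = index($0, a)) {
      v = substr($0, i + length(a)); sub(/^[ \t]+/, "", v)
      if (v != "") { print v; exit }
      found = 1
    }'
}

# update_sip NODE USER NEW_SIP AD_USER AD_PASS
# Returns 0 on change or no-op, 1 if dscl fails, 2 on bad input, 3 if no old value.
update_sip() {
  local node="$1" user="$2" new="$3" ad_user="$4" ad_pass="$5" old
  case "$new" in
    sip:?*) ;;
    *) echo "new address must start with sip:" >&2; return 2 ;;
  esac
  old="$("$DSCL" "$node" -read "/Users/$user" "$ATTR" 2>/dev/null | parse_sip)"
  if [ -z "$old" ]; then
    echo "no current $ATTR found for $user" >&2
    return 3
  fi
  if [ "$old" = "$new" ]; then
    echo "unchanged"
    return 0
  fi
  # Credentials go before the datasource, as the thread found.
  # A password given with -P is visible in the process list while dscl runs.
  "$DSCL" -u "$ad_user" -P "$ad_pass" "$node" \
    -change "/Users/$user" "$ATTR" "$old" "$new" || return 1
  echo "changed $old -> $new"
}

# Usage: script NODE USER NEW_SIP AD_USER AD_PASS
if [ "$#" -eq 5 ]; then
  update_sip "$@"
fi
```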

Posted on 05-26-2015 03:32 PM
Thanks
Posted on 05-26-2015 03:33 PM
No problem.
