Skip to main content
Question

Change attribute in AD via script

O
Forum|alt.badge.img+5

We are in the process of piloting a new IM solution for the company, and part of that involves changing an attribute in AD, namely the one that lists the user's SIP address (msRTCSIP-PrimaryUserAddress)

I have been able to successfully read this value from AD:

dscl "/Active Directory/MYDOMAIN/All Domains" read /Users/USERNAME dsAttrTypeNative:msRTCSIP-PrimaryUserAddress

However, I am running into difficulties writing the new sip address value:

dscl "/Active Directory/DOMAIN/All Domains" create /Users/USER dsAttrTypeNative:msRTCSIP-PrimaryUserAddress "NEWSIPADDRESS" -u "SERVICEACCOUNT" -P "PASSWORD"
<main> attribute status: eDSPermissionError
<dscl_cmd> DS Error: -14120 (eDSPermissionError)

The aim is to be able to run this script in concert with the new IM app install.

Is there something clearly with the command (Have not done a lot of writing to AD from Terminal) or should I be looking deeper into the rights for that service account?

    8 replies

    M
    Forum|alt.badge.img+16
    • mm2270
    • Legendary Contributor
    • 7880 replies
    • May 26, 2015

    I'm really not certain, but I think you may need to drop the dsAttrTypeNative from the lines. I was able to run this against my account and got my SIP address back in the results.

    dscl "/Active Directory/MYDOMAIN/All Domains" read /Users/USERNAME msRTCSIP-PrimaryUserAddress

    Maybe try doing the update in the same way, using just msRTCSIP-PrimaryUserAddress? I'm not willing to test this on my own AD record, so you'll need to try it out.

    D
    Forum|alt.badge.img+18
    • davidacland
    • Valued Contributor
    • 1811 replies
    • May 26, 2015

    Have you tried change instead of create? -change record_path key old_val new_val

    I think create assumes a new attribute is being added.

    M
    Forum|alt.badge.img+16
    • mm2270
    • Legendary Contributor
    • 7880 replies
    • May 26, 2015

    Ooh, good point @davidacland ! I didn't even think of that but you're right. You need to use -change to update an existing entry. -create should only be for creating a new entry in the record.

    O
    Forum|alt.badge.img+5
    • ocla__09
    • Author
    • Contributor
    • 83 replies
    • May 26, 2015

    I think part of the problem was that the service account credentials needed to be in front rather than at the end of the script.

    Changing that allowed me to change the sip address.

    D
    Forum|alt.badge.img+18
    • davidacland
    • Valued Contributor
    • 1811 replies
    • May 26, 2015

    @ocla&&09 Out of interest, what was the full command in the end?

    O
    Forum|alt.badge.img+5
    • ocla__09
    • Author
    • Contributor
    • 83 replies
    • May 26, 2015
    dscl -u serviceaccount -P password "/Active Directory/domain/All Domains" -change /Users/username msRTCSIP-PrimaryUserAddress sip:oldaddress sip:newaddress
    D
    Forum|alt.badge.img+18
    • davidacland
    • Valued Contributor
    • 1811 replies
    • May 26, 2015

    Thanks

    O
    Forum|alt.badge.img+5
    • ocla__09
    • Author
    • Contributor
    • 83 replies
    • May 26, 2015

    No problem.

    Reply


    Most helpful members this week

    Terms & ConditionsCookie settingsAccessibility statement

    Cookie policy

    We use cookies to enhance and personalize your experience. If you accept you agree to our full cookie policy. Learn more about our cookies.

     
    Cookie settings