November 5 2009

Improving the SIDMap.wsf script for OCS attribute synchronization

Microsoft’s definition of SIDMap.wsf is : It uses the same disabled user account in the resource forest to enable users for Office Communications Server. To provide single sign-in, the primary user account must also be mapped to the disabled user account in the resource forest for Office Communications Server. This tool performs the mapping.

This script is part of the Office Communications Server 2007 Resource Kit and basically will syncronize the msExchMasterAccountSid attibute to the msRTCSIP-OriginatorSid attribute on the  SIP-enabled disabled user account.

I’ve made some improvements to the script to add a log file and also provide some feedback to the user so they know it has worked. I’ve create a batch file that can be put on a server and run by the support team. This is outlined in attribute_sync.bat below and then the modified SIDMap.wsf is included too.

attribute_sync.bat

REM **   This script copies the value in the msExchMasterAccountSid attibute to the msRTCSIP-OriginatorSid attribute
REM **   for every disabled user that is SIP enabled in the 'Testing' OU
REM **   www.danovich.com.au
for /f "tokens=1* delims= " %%a in ('date/t') do set dayname=%%a
for /f "tokens=1* delims= " %%a in ('date/t') do set mmddyyyy=%%a
for /f "tokens=1* delims=/" %%a in ('echo %mmddyyyy%') do set day=%%a
for /f "tokens=2* delims=/" %%a in ('echo %mmddyyyy%') do set month=%%a
for /f "tokens=3* delims=/" %%a in ('echo %mmddyyyy%') do set year=%%a
for /f "tokens=1* delims=:" %%a in ('echo %time%') do set hour=%%a
for /f "tokens=2* delims=:" %%a in ('echo %time%') do set mins=%%a
for /f "tokens=3* delims=:" %%a in ('echo %time%') do set sec=%%a
for /f "tokens=1* delims=." %%a in ('echo %sec%') do set secs=%%a
for /f "tokens=2* delims=." %%a in ('echo %sec%') do set mili=%%a
wscript //h:cscript //B
c:
cd "C:Program FilesMicrosoft Office Communications Server 2007 R2ResKitLcsSync"
SIDMap.wsf /OU:OU=OU=Testing,DC=danovich,DC=com /logfile:C:LogsOCS-%username%-%day%-%month%-%year%-%hour%.%mins%.%secs%.log

SIDMap.wsf

<?xml version="1.0" ?>
<package>
<job id="Main" prompt="no">
<?job debug="true" error="true" ?>
<runtime>
<named
name="OU"
helpstring="The Active Directory DN of the organizational unit to search under"
many="false"
type="string"
required="false"
/>
<named
name="query"
helpstring="Generates a list of disabled users that are mailbox and SIP enabled and associated with an external account"
type="simple"
required="false"
/>
<named
name="logfile"
helpstring="Text file used to log the output."
type="string"
required="false"
/>
</runtime>
<script id="VBScript_Block" language="VBScript">
<![CDATA[
' Initialize variables
Set WshShell = CreateObject("WScript.Shell")
const ForWriting = 2
intCount = 0
bQuery = False
On Error Resume Next 'Force continuation on errors when initializing globals
' Retrieve command-line arguments
' Check whether an OU is provided.
if WScript.Arguments.Named.Exists("OU") then
strNamingContext = "LDAP://" & WScript.Arguments.Named("OU")
else
Set objRootDSE = GetObject("LDAP://rootDSE")
strNamingContext = "LDAP://" & objRootDSE.Get("defaultNamingContext")
end if
' Check whether the user only wants to query the AD.
if WScript.Arguments.Named.Exists("query") then
' Query only all disabled users that are mailbox and SIP enabled.
' set.
bQuery = True
end if
' Check whether logging to a file is required.
if WScript.Arguments.Named.Exists("logfile") then
strLogFile = WScript.Arguments.Named("logfile")
Set fso = CreateObject("Scripting.FileSystemObject")
Set objLogFile = fso.OpenTextFile(strLogFile, ForWriting, True)
objLogFile.WriteLine("List of disabled users associated with an external account and SIP enabled:")
end if
Set objConnection = CreateObject("ADODB.Connection")
objConnection.Provider = "ADsDSOObject"
objConnection.Open
' Create connection to AD.
Set objCommand = CreateObject("ADODB.Command")
objCommand.ActiveConnection = objConnection
' Define AD query.
' Search for disabled user accounts that are SIP enabled and mailbox enabled.
objCommand.CommandText = _
"<" & strNamingContext & ">;" & _
"(&(objectCategory=person)(objectClass=user)(msRTCSIP-UserEnabled=TRUE)(msExchMasterAccountSid=*)(userAccountControl:1.2.840.113556.1.4.803:=2));" & _
"ADsPath,cn,msRTCSIP-PrimaryUserAddress,msExchMasterAccountSid,msRTCSIP-OriginatorSid;subtree"
' Disable caching to reduce memory consumption for very large result sets.
objCommand.Properties("Cache Results") = FALSE
' Define the maximum page size.
objCommand.Properties("Page Size") = 1000
' Execute query.
Set objRecordSet = objCommand.Execute
If Err.Number <> 0 Then
WScript.Echo("Failed to query Active Directory " & strNamingContext)
WshShell.Popup "Failed to query Active Directory", ," Attribute sync failed ",  16
WScript.Quit(Err.Number)
end if
While Not objRecordset.EOF
intCount = intCount + 1
if IsObject(objLogFile) then
objLogFile.WriteLine(objRecordset.Fields("cn").Value)
else
WScript.Echo(objRecordset.Fields("cn").Value)
end if
if bQuery = False then
' Set the msRTCSIP-OriginatorSid attribute.
Set objContact = GetObject(objRecordset.Fields("ADsPath"))
strExchSid = objRecordset.Fields("msExchMasterAccountSid").Value
objContact.Put "msRTCSIP-OriginatorSid", strExchSid
objContact.SetInfo
If Err.Number <> 0 Then
if IsObject(objLogFile) then
objLogFile.WriteLine("Failed to set msRTCSIP-OriginatorSid attribute " & _
Err.Number)
else
WScript.Echo("Failed to set msRTCSIP-OriginatorSid attribute " & _
Err.Number)
WshShell.Popup "Failed to set msRTCSIP-OriginatorSid attribute", ," Attribute sync failed ",  16
end if
end if
end if
WScript.Echo()
objRecordSet.MoveNext
Wend
WshShell.Popup "Attribute sync has been successful for " & intCount & " users in the following OU:" & vbCrLf & vbCrLf & strNamingContext & vbCrLf & vbCrLf & "Log file is located at " & strLogFile, ," Attribute sync successful ", 64
WScript.Echo "Attribute sync has been successful for " & intCount & " users in the " & strNamingContext & " OU "
if IsObject(objLogFile) then
objLogFile.WriteLine(vbNewLine & intCount & " disabled users.")
objLogFile.Close
end if
objConnection.Close
]]>
</script>
</job>
</package>



----------------------------------------------------------------------------
I use a maximum of one Google Ad per post to help offset some of my blog hosting costs.

----------------------------------------------------------------------------


Tags: , , , , , ,

Posted November 5, 2009 by danovich in category "OCS / Lync", "Scripting

4 COMMENTS :

  1. By Jason on

    thanks danovich, just wondering if this script works with security group in stead of OU?

    Reply
    1. By danovich (Post author) on

      In theory you could modify the SIDMap.wsf script, but the /OU: function is already built into that script, there is no builtin feature for Group

      Reply
  2. Pingback: Understanding User Mapping in a Skype for Business Resource Forest | UC Sorted

Leave a Reply