Account invalid (SuperReader, SuperUser)

description

If the SuperReader and SuperUser accounts exist in another domain, they are marked as invalid. The problem is caused by the method:

function userExists ([string]$name)

In my view this function should use a domain parameter to work properly.

comments

JonasEsser wrote Apr 5, 2014 at 10:30 AM

For me they are also invalid, but I've checked for duplicate sAMAccountNames in the other domains. There are no users with the same name. I've seen this issue only on Windows Server 2008 R2.
I'll try it later with the same configuration file in a Server 2012.

JonasEsser wrote Apr 6, 2014 at 1:20 AM

OK, I've tested the configuration on a Windows Server 2012. Still the same issue. To solve it temporarily for me, I have overridden the ValidateCredentials method as follows:
  • 1 - To ignore "invalid" accounts and proceed with the installation, I commented out the throw:
    If ($acctInvalid) {
        Write-Host -ForegroundColor Black -BackgroundColor Red "At least one set of credentials is invalid."
        Write-Host -ForegroundColor Black -BackgroundColor Red "Check usernames and passwords in each place they are used."
        Pause "proceed if you are sure this is OK, or Ctrl-C to exit" "y"
        #Throw " - At least one set of credentials is invalid.`n - Check usernames and passwords in each place they are used."
    } else
    {
        Pause "proceed if you are sure this is OK, or Ctrl-C to exit" "y"
    }
  • 2 - I created a copy of the userExists function with a second parameter "LDAPPATH". If a validation fails, the script asks for an LDAP path to recheck the user account (see attached screenshot):
    if (!(userExists $accountName))
    {
        Write-Host -BackgroundColor Red -ForegroundColor Black "Invalid!"
        $LDAPPath = Read-Host "Specify a LDAP Path (e.g. DC=dev,DC=company,DC=local) to check account again or press enter continue."
        if (!(userExistsLDAPPath $accountName $LDAPPath))
        {
            Write-Host -BackgroundColor Red -ForegroundColor Black "Invalid!"
            $acctInvalid = $true
        }
        else
        {
            Write-Host -ForegroundColor Black -BackgroundColor Green "Verified."
        }
    }
function userExistsLDAPPath ([string]$name, [string]$LDAPPATH)
{
    if ($LDAPPath)
    {
        # The user enters a DN; turn it into an ADsPath.
        $LDAPPATH = "LDAP://" + $LDAPPATH
    }
    # An empty path binds to the current domain, as in the original userExists.
    Write-Host "Search explicit in path:" $LDAPPATH
    #written by: Øyvind Nilsen (oyvindnilsen.com)
    [bool]$ret = $false #return variable
    $domainRoot = [ADSI]$LDAPPATH
    $dirSearcher = New-Object System.DirectoryServices.DirectorySearcher($domainRoot)
    $dirSearcher.filter = "(&(objectClass=user)(sAMAccountName=$name))"
    #$dirSearcher.SearchRoot = $LDAPPATH
    $results = $dirSearcher.findall()
    if ($results.Count -gt 0) #if a user object is found, that means the user exists.
    {
        $ret = $true
    }
    return $ret
}
Not very user-friendly, but enough for me :-)

SqueakyMetal wrote Feb 25, 2015 at 7:05 AM

I was able to replicate this on Win Server 2012 R2.

I did find that in my case, the Pre-Windows 2000 logon name (i.e. 20 characters) account worked for the Super Reader account, while the normal account name was just fine as a Managed Account.

KevinColeMCM wrote Feb 23 at 7:12 PM

I also had this issue where the server was on DOMAINA and the user accounts were on DOMAINB.

The option I used instead, however, was to create an entry in the autospinstallerconfig.xml and modify the functions so that an LDAP path is passed into the userExists method if it is provided in the config file.

Updated userExists function to accept an LDAP option for override:
# ====================================================================================
# Func: userExists
# Desc: "Here is a little powershell function I made to see check if specific active directory users exists or not."
# From: http://oyvindnilsen.com/powershell-function-to-check-if-active-directory-users-exists/
# ====================================================================================
function userExists ([string]$name, [string]$ldap)
{
    #written by: Øyvind Nilsen (oyvindnilsen.com)
    [bool]$ret = $false #return variable
    $domainRoot = [ADSI]"$ldap"
    $dirSearcher = New-Object System.DirectoryServices.DirectorySearcher($domainRoot)
    $dirSearcher.filter = "(&(objectClass=user)(sAMAccountName=$name))"
    $results = $dirSearcher.findall()
    if ($results.Count -gt 0) #if a user object is found, that means the user exists.
    {
        $ret = $true
    }
    return $ret
}
Updated foreach block in AutoSPInstallerFunctions.ps1 :: ValidateCredentials:
foreach ($account in $accountsToCheck)
{
    $domain,$accountName = $account -split "\\"
    Write-Host -ForegroundColor White " - Account `"$account`"..." -NoNewline
    if (!(userExists $accountName -ldap $xmlinput.Configuration.Farm.CustomLdap))
    {
        Write-Host -BackgroundColor Red -ForegroundColor Black "Invalid!"
        $acctInvalid = $true
    }
    else
    {
        Write-Host -ForegroundColor Black -BackgroundColor Green "Verified."
    }
}
Added under the <Farm> element in the config XML:
<Configuration Environment="PILOT" Version="3.99.60">
    <Farm>
        <CustomLdap>LDAP://DC=LAN,DC=local</CustomLdap>
    </Farm>
</Configuration>
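Generalising the CustomLdap override in the comment above, as an added example rather than AutoSPInstaller's own code: a userExists that derives the search root from each account's DOMAIN\ prefix (an explicit LDAP path still wins, and an unprefixed account falls back to the current domain) and escapes the account name before it goes into the LDAP filter. Get-LdapFilterValue, $ldapOverride and the RootDSE lookup are my own names and approach, and the prefix is assumed to be the DNS or NetBIOS name of a reachable trusted domain.

```powershell
# Added example, not part of AutoSPInstaller: one userExists that works across
# domains by picking the search root per account instead of per farm.

function Get-LdapFilterValue ([string]$value)
{
    # Escape the characters RFC 4515 treats specially, so a name taken from the
    # config file can only ever match a sAMAccountName and not alter the filter.
    $escaped = $value   -replace '\\', '\5c'
    $escaped = $escaped -replace '\*', '\2a'
    $escaped = $escaped -replace '\(', '\28'
    $escaped = $escaped -replace '\)', '\29'
    $escaped = $escaped -replace "`0", '\00'
    return $escaped
}

function userExists ([string]$account, [string]$ldapOverride)
{
    [bool]$ret = $false
    # Split "DOMAIN\user" into at most two parts; no prefix means current domain.
    $domain, $name = $account -split '\\', 2
    if (-not $name) { $name = $domain; $domain = $null }

    if ($ldapOverride)
    {
        # Explicit path from the config wins, e.g. LDAP://DC=LAN,DC=local
        $searchRoot = [ADSI]$ldapOverride
    }
    elseif ($domain)
    {
        # Ask that domain's RootDSE for its default naming context instead of
        # hard-coding DC=... components for every trusted domain (assumed reachable).
        $rootDse = [ADSI]"LDAP://$domain/RootDSE"
        $searchRoot = [ADSI]"LDAP://$domain/$($rootDse.defaultNamingContext)"
    }
    else
    {
        # Empty path: default naming context of the domain the server is joined to.
        $searchRoot = [ADSI]""
    }

    $dirSearcher = New-Object System.DirectoryServices.DirectorySearcher($searchRoot)
    $dirSearcher.Filter = "(&(objectClass=user)(sAMAccountName=$(Get-LdapFilterValue $name)))"
    $dirSearcher.PropertiesToLoad.Add("sAMAccountName") | Out-Null
    $results = $dirSearcher.FindAll()
    if ($results.Count -gt 0) { $ret = $true }   # a hit means the user exists there
    $results.Dispose()
    return $ret
}
```

The ValidateCredentials loop can then pass the whole "$account" value (keeping "$domain" for its message) and the CustomLdap setting becomes optional rather than the only way to reach another domain.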