Active Directory: Inputs & Outputs

Summary

Each plugin uses a set of dictionaries to store data.

These are used by plugin actions as both inputs and outputs.

This page will cover:

  • The dictionaries used in this plugin
  • The information each dictionary contains

Info

See Users, Groups, & Computers for each action's inputs & outputs.

Dictionary Types

Computer

  • Contains Active Directory Computer LDAP attributes

  • Expand below to see each key and a link to the relevant Microsoft article

Active Directory Computer Keys

accountExpires: Date string or null [Account-Expires].

carLicense: String or null [carLicense].

cn: String or null [Common-Name].

description: String or null [Description].

displayName: String or null [Display-Name].

distinguishedName: String [Obj-Dist-Name].

info: String or null [Comment].

lastLogoff: Date string or null [Last-Logoff].

lastLogon: Date string or null [Last-Logon].

lastLogonTimestamp: Date string or null [Last-Logon-Timestamp].

lockoutTime: Date string or null [Lockout-Time].

logonCount: Integer [Logon-Count].

mail: String or null [E-mail-Addresses].

managedBy: String or null [Managed-By].

memberOf: List of Group Dictionaries [Is-Member-Of-DL].

name: String or null [RDN].

objectGUID: String [Object-Guid].

objectSid: String [Object-Sid].

operatingSystem: String or null [Operating-System].

operatingSystemHotfix: String or null [Operating-System-Hotfix].

operatingSystemServicePack: String or null [Operating-System-Service-Pack].

operatingSystemVersion: String or null [Operating-System-Version].

pwdLastSet: Date string or null [Pwd-Last-Set].

sAMAccountName: String [Sam-Account-Name].

sAMAccountType: Integer [Sam-Account-Type].

userAccountControl: Integer [User-Account-Control].

userPrincipalName: String or null [User-Principal-Name].

See more about Computers here

DomainController

  • Contains Domain Controller connection details

  • It is used as an input to many of the actions in this plugin

  • The example below shows the dictionary structure in YAML

  • See the required and optional keys underneath the example

Supplying Credentials

You should always use a PPA Vault integration to provide credentials to a plugin action.

Example

domain_controller:
  address: 1.2.3.4
  domain: example.domain.net
  port: 636
  username: [username]
  password: [password]

Required Keys

address: Domain Controller IP or DNS address.

domain: FQDN of the Active Directory domain.

username: Username for authentication.

password: Password for authentication.

Optional Keys

port: The LDAPS port on the Domain Controller (defaults to 636).

Group

  • Contains Active Directory Group LDAP attributes

  • Expand below to see each key and a link to the relevant Microsoft article

Active Directory Group Keys

cn: String or null [Common-Name].

description: String or null [Description].

distinguishedName: String [Obj-Dist-Name].

gidNumber: Integer or null [gidNumber].

groupType: String [Group-Type].

info: String or null [Comment].

managedBy: String or null [ManagedBy].

member: List of User, Group, or Computer distinguished names or null [Member].

memberUid: List of strings or null [memberUid].

name: String or null [RDN].

objectGUID: String [Object-Guid].

objectSid: String [Object-Sid].

sAMAccountName: String [Sam-Account-Name].

sAMAccountType: Integer [Sam-Account-Type].

Group Membership Limit

Due to an Active Directory limitation, the member key can only hold up to 1500 group members.

If the group has more than 1500 members, only members 1-1500 will be included in this key.

You can bypass this limitation by getting nested users with the get_members action.

See more about Groups here

OrganizationalUnit

  • Contains Active Directory Organizational Unit LDAP attributes

  • Expand below to see each key and a link to the relevant Microsoft article

Active Directory Organizational Unit Keys

distinguishedName: String [Obj-Dist-Name].

name: String [Organizational-Unit-Name].

objectGUID: String [Object-Guid].

ou: String [Organizational-Unit-Name].

See more about Organizational Units here

User

  • Contains Active Directory User LDAP attributes

  • Expand the sections below for more information

Active Directory User Keys

accountExpires: Date string or null [Account-Expires].

badPasswordTime: Date string or null [Bad-Password-Time].

badPwdCount: Integer [Bad-Pwd-Count].

carLicense: String or null [carLicense].

cn: String or null [Common-Name].

countryCode: String or null [Country-Code].

displayName: String or null [Display-Name].

distinguishedName: String [Obj-Dist-Name].

gidNumber: Integer or null [gidNumber].

givenName: String or null [Given-Name].

info: String or null [Comment].

lastLogoff: Date string or null [Last-Logoff].

lastLogon: Date string or null [Last-Logon].

lastLogonTimestamp: Date string or null [Last-Logon-Timestamp].

lockoutTime: Date string or null [Lockout-Time].

loginShell: String or null [loginShell].

logonCount: Integer [Logon-Count].

mail: String or null [E-mail-Addresses].

manager: String or null [Manager].

memberOf: List of Group Dictionaries [Is-Member-Of-DL].

name: String or null [RDN].

objectGUID: String [Object-Guid].

objectSid: String [Object-Sid].

physicalDeliveryOfficeName: String or null [Physical-Delivery-Office-Name].

pwdLastSet: Date string or null [Pwd-Last-Set].

sAMAccountName: String [Sam-Account-Name].

sAMAccountType: Integer [Sam-Account-Type].

sn: String or null [Surname].

telephoneNumber: String or null [Telephone-Number].

thumbnailPhoto: String or null [Picture].

uid: String or null [uid].

uidNumber: String or null [uidNumber].

unixHomeDirectory: String or null [unixHomeDirectory].

userAccountControl: Integer [User-Account-Control].

userPrincipalName: String or null [User-Principal-Name].

Extra User Keys

The following keys are created by PPA based on other Active Directory attributes:

is_disabled: Boolean indicating whether the user is disabled.

is_enabled: Boolean indicating whether the user is enabled.

is_expired: Boolean indicating whether the user is expired.

is_locked: Boolean indicating whether the user is locked out.

password_age: A dictionary containing the user's password age in days, hours, & minutes.
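The sketch below is an added example, not PPA's own code, showing one way flags like these can be derived from raw Active Directory attribute values. It assumes the raw integer forms of the attributes (FILETIME ticks and the userAccountControl bit field) rather than the date strings in the User dictionary; the function names, the sample account, and the days/hours/minutes key names inside password_age are all assumptions.

```python
from datetime import datetime, timedelta, timezone

# Raw AD timestamps are FILETIME integers: 100-ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER = (0, 0x7FFFFFFFFFFFFFFF)  # accountExpires values meaning "never expires"
UF_ACCOUNTDISABLE = 0x0002       # userAccountControl bit for a disabled account


def filetime_to_datetime(ticks):
    """Convert a FILETIME tick count to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def to_filetime(dt):
    """Convert an aware datetime to FILETIME ticks (used to build the sample)."""
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def derive_extra_keys(raw, now):
    """Derive the extra keys from raw attributes (assumed logic, not PPA's)."""
    disabled = bool(raw["userAccountControl"] & UF_ACCOUNTDISABLE)
    expires = raw.get("accountExpires") or 0
    expired = expires not in NEVER and filetime_to_datetime(expires) <= now
    # Simplification: any non-zero lockoutTime counts as locked; the domain's
    # lockout duration policy is not consulted.
    locked = bool(raw.get("lockoutTime"))
    extra = {"is_disabled": disabled, "is_enabled": not disabled,
             "is_expired": expired, "is_locked": locked, "password_age": None}
    pwd_last_set = raw.get("pwdLastSet") or 0
    if pwd_last_set:  # 0 means the password must be changed at next logon
        age = now - filetime_to_datetime(pwd_last_set)
        minutes = int(age.total_seconds() // 60)
        extra["password_age"] = {"days": minutes // 1440,
                                 "hours": minutes % 1440 // 60,
                                 "minutes": minutes % 60}
    return extra


# Constructed sample: a disabled account that expired a month before NOW.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE = {
    "userAccountControl": 514,  # NORMAL_ACCOUNT (0x200) + ACCOUNTDISABLE (0x2)
    "accountExpires": to_filetime(datetime(2024, 5, 1, tzinfo=timezone.utc)),
    "lockoutTime": 0,
    "pwdLastSet": to_filetime(NOW - timedelta(days=90, hours=3, minutes=15)),
}

if __name__ == "__main__":
    print(derive_extra_keys(SAMPLE, NOW))
```
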

See more about Users here