Active Directory: Inputs & Outputs
Summary
Each plugin uses a set of dictionaries to store data.
These are used by plugin actions as both inputs and outputs.
This page will cover:
- The dictionaries used in this plugin
- The information each dictionary contains
Dictionary Types
Computer
- Contains Active Directory Computer LDAP attributes
- Expand below to see each key and a link to the relevant Microsoft article
Active Directory Computer Keys
accountExpires: Date string or null [Account-Expires].
carLicense: String or null [carLicense].
cn: String or null [Common-Name].
description: String or null [Description].
displayName: String or null [Display-Name].
distinguishedName: String [Obj-Dist-Name].
info: String or null [Comment].
lastLogoff: Date string or null [Last-Logoff].
lastLogon: Date string or null [Last-Logon].
lastLogonTimestamp: Date string or null [Last-Logon-Timestamp].
lockoutTime: Date string or null [Lockout-Time].
logonCount: Integer [Logon-Count].
mail: String or null [E-mail-Addresses].
managedBy: String or null [Managed-By].
memberOf: List of Group Dictionaries [Is-Member-Of-DL].
name: String or null [RDN].
objectGUID: String [Object-Guid].
objectSid: String [Object-Sid].
operatingSystem: String or null [Operating-System].
operatingSystemHotfix: String or null [Operating-System-Hotfix].
operatingSystemServicePack: String or null [Operating-System-Service-Pack].
operatingSystemVersion: String or null [Operating-System-Version].
pwdLastSet: Date string or null [Pwd-Last-Set].
sAMAccountName: String [Sam-Account-Name].
sAMAccountType: Integer [Sam-Account-Type].
userAccountControl: Integer [User-Account-Control].
userPrincipalName: String or null [User-Principal-Name].
See more about Computers here
DomainController
- Contains Domain Controller connection details
- It is used as an input to many of the actions in this plugin
- The example below shows the dictionary structure in YAML
- See the required and optional keys underneath the example
Supplying Credentials
You should always use a PPA Vault integration to provide credentials to a plugin action.
Example
Required Keys
address: Domain Controller IP or DNS address.
domain: FQDN of the Active Directory domain.
username: Username for authentication.
password: Password for authentication.
Optional Keys
port: The LDAPS port on the Domain Controller (defaults to 636).
Group
- Contains Active Directory Group LDAP attributes
- Expand below to see each key and a link to the relevant Microsoft article
Active Directory Group Keys
cn: String or null [Common-Name].
description: String or null [Description].
distinguishedName: String [Obj-Dist-Name].
gidNumber: Integer or null [gidNumber].
groupType: String [Group-Type].
info: String or null [Comment].
managedBy: String or null [ManagedBy].
member: List of User, Group, or Computer distinguished names or null [Member].
memberUid: List of strings or null [memberUid].
name: String or null [RDN].
objectGUID: String [Object-Guid].
objectSid: String [Object-Sid].
sAMAccountName: String [Sam-Account-Name].
sAMAccountType: Integer [Sam-Account-Type].
Group Membership Limit
Due to an Active Directory limitation, the member key can only hold up to 1500 group members.
If the group has more than 1500 members, only members 1-1500 will be included in this key.
You can bypass this limitation by getting nested users with the get_members action.
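The limit comes from how Active Directory returns large multi-valued attributes: an LDAP client receives the first chunk under a name such as member;range=0-1499 and has to request further ranges itself, so a membership review that reads only the first chunk misses the rest. The sketch below is an added example, not PPA's code or its get_members action; `fetch`, `make_fake_dc` and the sample directory are constructed stand-ins for an LDAP search.

```python
import re

# AD returns oversized multi-valued attributes in chunks named e.g.
# "member;range=0-1499"; the last chunk ends in "*" ("member;range=3000-*").
RANGE_RE = re.compile(r"^member;range=(\d+)-(\d+|\*)$", re.IGNORECASE)

def collect_members(fetch, group_dn):
    """Request successive ranges until the server marks the final chunk with '*'.

    fetch(group_dn, attr_spec) is a hypothetical stand-in for an LDAP base
    search on group_dn that returns {attribute_name: [values]}.
    """
    members, start = [], 0
    while True:
        attrs = fetch(group_dn, f"member;range={start}-*")
        hits = [(m, v) for m, v in ((RANGE_RE.match(k), v) for k, v in attrs.items()) if m]
        if not hits:
            return members              # empty group: no member attribute at all
        match, values = hits[0]
        if int(match.group(1)) != start:
            raise ValueError(f"expected range starting at {start}, got {match.group(0)}")
        members.extend(values)
        if match.group(2) == "*":       # final chunk
            return members
        start = int(match.group(2)) + 1

def make_fake_dc(directory, max_val_range=1500):
    """Constructed in-memory responder that mimics the 1500-value chunking."""
    def fetch(group_dn, attr_spec):
        start = int(RANGE_RE.match(attr_spec).group(1))
        values = directory[group_dn]
        chunk = values[start:start + max_val_range]
        if not chunk:
            return {}
        last = start + len(chunk) - 1
        end = "*" if last == len(values) - 1 else str(last)
        return {f"member;range={start}-{end}": chunk}
    return fetch

# Constructed sample: one group with 3200 members.
GROUP_DN = "CN=Big Group,OU=Groups,DC=example,DC=com"
DIRECTORY = {GROUP_DN: [f"CN=user{i},OU=Users,DC=example,DC=com" for i in range(3200)]}

if __name__ == "__main__":
    fetch = make_fake_dc(DIRECTORY)
    print(list(fetch(GROUP_DN, "member;range=0-*")))   # name of the first chunk only
    print(len(collect_members(fetch, GROUP_DN)))       # every member across all chunks
```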
See more about Groups here
OrganizationalUnit
- Contains Active Directory Organizational Unit LDAP attributes
- Expand below to see each key and a link to the relevant Microsoft article
Active Directory Organizational Unit Keys
distinguishedName: String [Obj-Dist-Name].
name: String [Organizational-Unit-Name].
objectGUID: String [Object-Guid].
ou: String [Organizational-Unit-Name].
See more about Organizational Units here
User
- Contains Active Directory User LDAP attributes
- Expand the sections below for more information
Active Directory User Keys
accountExpires: Date string or null [Account-Expires].
badPasswordTime: Date string or null [Bad-Password-Time].
badPwdCount: Integer [Bad-Pwd-Count].
carLicense: String or null [carLicense].
cn: String or null [Common-Name].
countryCode: String or null [Country-Code].
displayName: String or null [Display-Name].
distinguishedName: String [Obj-Dist-Name].
gidNumber: Integer or null [gidNumber].
givenName: String or null [Given-Name].
info: String or null [Comment].
lastLogoff: Date string or null [Last-Logoff].
lastLogon: Date string or null [Last-Logon].
lastLogonTimestamp: Date string or null [Last-Logon-Timestamp].
lockoutTime: Date string or null [Lockout-Time].
loginShell: String or null [loginShell].
logonCount: Integer [Logon-Count].
mail: String or null [E-mail-Addresses].
manager: String or null [Manager].
memberOf: List of Group Dictionaries [Is-Member-Of-DL].
name: String or null [RDN].
objectGUID: String [Object-Guid].
objectSid: String [Object-Sid].
physicalDeliveryOfficeName: String or null [Physical-Delivery-Office-Name].
pwdLastSet: Date string or null [Pwd-Last-Set].
sAMAccountName: String [Sam-Account-Name].
sAMAccountType: Integer [Sam-Account-Type].
sn: String or null [Surname].
telephoneNumber: String or null [Telephone-Number].
thumbnailPhoto: String or null [Picture].
uid: String or null [uid].
uidNumber: String or null [uidNumber].
unixHomeDirectory: String or null [unixHomeDirectory].
userAccountControl: Integer [User-Account-Control].
userPrincipalName: String or null [User-Principal-Name].
Extra User Keys
The following keys are created by PPA based on other Active Directory attributes:
is_disabled: Boolean indicating whether the user is disabled.
is_enabled: Boolean indicating whether the user is enabled.
is_expired: Boolean indicating whether the user is expired.
is_locked: Boolean indicating whether the user is locked out.
password_age: A dictionary containing the user's password age in days, hours, & minutes.
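One way flags like these can be derived from the underlying attributes, as an added example that is not PPA's implementation. It assumes raw LDAP integers (Windows FILETIME, 100 ns ticks since 1601-01-01 UTC) rather than PPA's date strings, treats password_age as day/hour/minute components, and the function names and the `lockout_duration` parameter are hypothetical.

```python
from datetime import datetime, timedelta, timezone

ACCOUNTDISABLE = 0x0002                  # userAccountControl bit: account disabled
NEVER_EXPIRES = (0, 0x7FFFFFFFFFFFFFFF)  # accountExpires values meaning "never"
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(ticks):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)

def dt_to_filetime(dt):
    """Inverse helper, used only to build the constructed sample below."""
    return (dt - EPOCH_1601) // timedelta(microseconds=1) * 10

def derive_flags(user, now, lockout_duration=None):
    """Hypothetical re-derivation of the extra keys from raw LDAP integers.

    lockout_duration: domain lockout window as a timedelta; None is treated
    as "locked until an administrator unlocks" (assumption).
    """
    uac = int(user["userAccountControl"])
    expires = int(user.get("accountExpires") or 0)
    lockout = int(user.get("lockoutTime") or 0)
    pwd_set = int(user.get("pwdLastSet") or 0)

    disabled = bool(uac & ACCOUNTDISABLE)
    expired = expires not in NEVER_EXPIRES and filetime_to_dt(expires) <= now
    locked = lockout != 0 and (
        lockout_duration is None or now < filetime_to_dt(lockout) + lockout_duration)

    age = None                      # pwdLastSet == 0: password must be changed
    if pwd_set:
        delta = now - filetime_to_dt(pwd_set)
        age = {"days": delta.days, "hours": delta.seconds // 3600,
               "minutes": delta.seconds % 3600 // 60}
    return {"is_disabled": disabled, "is_enabled": not disabled,
            "is_expired": expired, "is_locked": locked, "password_age": age}

# Constructed sample record (not real directory data).
NOW = datetime(2024, 1, 10, 12, 30, tzinfo=timezone.utc)
SAMPLE = {
    "userAccountControl": 514,      # NORMAL_ACCOUNT (512) + ACCOUNTDISABLE (2)
    "accountExpires": dt_to_filetime(datetime(2023, 12, 31, tzinfo=timezone.utc)),
    "lockoutTime": dt_to_filetime(NOW - timedelta(hours=2)),
    "pwdLastSet": dt_to_filetime(datetime(2024, 1, 1, tzinfo=timezone.utc)),
}

if __name__ == "__main__":
    print(derive_flags(SAMPLE, NOW, lockout_duration=timedelta(minutes=30)))
```

A non-zero lockoutTime alone only records when the lockout happened; whether the account is still locked depends on the domain's lockout duration, which is why the sketch takes it as a parameter.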
See more about Users here