msRTCSIP-UserPolicy - Here's How to Read it

How to read the msRTCSIP-UserPolicy attribute using VBScript or Perl (click here for the PowerShell version). When working with an Active Directory user's Office Communications Server settings in a script, you may need to look at the user's meeting policy or enterprise voice policy. The msRTCSIP-UserPolicy attribute is a DNwithBinary object that appears to be impenetrable to your average scripter. Most of the Active Directory attributes that we scripters come across are clear text and are easy to manipulate. Not so with the dreaded DNwithBinary. And thanks to Microsoft, there are no good examples of how these things are handled. Well, here are a few code examples to help you out. But first a little explanation.

The msRTCSIP-UserPolicy attribute of the Active Directory User object is a pointer (or a list of pointers) to policy object(s) (msRTCSIP-GlobalUserPolicy objects), which are located elsewhere in AD. The policy settings are not stored in the user object; they're stored in the policy object.

The DNwithBinary object has two properties: the DNString and the BinaryValue. The DNString, in the case of the msRTCSIP-UserPolicy attribute, is the distinguished name of the actual policy object. The binary value is an 8 bit value that signifies what type of policy we're pointing to. This Technet article defines these values as follows:

01000000: Meeting Policy
02000000: UC Policy
04000000: Presence Policy

So, when you write a script and you've got a user object, and you get the msRTCSIP-UserPolicy attribute, you've either got a DNwithBinary object, or an array of DNwithBinary objects. So first, you have to test to see if you got an array or not. If you got an array, walk through each object.

For each DNwithBinary object, you can then get the DNString and the BinaryValue. The DNString is printable text, but the BinaryValue is a byte array. So you have to unpack the byte array into readable digits. Finally, you have readable data that tells you the policy type and the distinguished name of the policy object. To get the actual policy settings, you have to get the policy object, and get its msRTCSIP-PolicyContent attribute. That attribute contains the policy settings formatted in XML. I'll cover that in another post. For now, let's just print out the binary and the distinguished names of the policies that the user is pointing to.

Reading the msRTCSIP-UserPolicy Attribute in VBScript:

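Set user = GetObject("LDAP://CN=myUser,CN=Users,DC=myDomain,DC=com")
' GetEx always returns an array, even when the attribute holds a single value
policyRef = user.GetEx("msRTCSIP-UserPolicy")
If IsArray(policyRef) Then
 For Each p In policyRef
  ReadPolicy p
 Next
Else
 ReadPolicy policyRef
End If
' Print one policy reference as B:8:<hex of BinaryValue>:<DN of the policy object>
Function ReadPolicy(pol)
 Dim x
 Dim byteString
 Dim binaryValue
 binaryValue = pol.BinaryValue
 ' Unpack the byte array into two hex digits per byte
 For x = 1 To LenB(binaryValue)
   byteString = byteString & Right("0" & Hex(AscB(MidB(binaryValue, x, 1))), 2)
 Next
 WScript.Echo "B:8:" & byteString & ":" & pol.DNString
End Function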

Reading the msRTCSIP-UserPolicy Attribute in Perl:

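use Win32::OLE;
my $user = Win32::OLE->GetObject("LDAP://CN=myUser,CN=Users,DC=myDomain,DC=com");
my $policyRef = $user->Get("msRTCSIP-UserPolicy");
if(ref($policyRef) eq "ARRAY"){
 foreach $p (@{$policyRef}){ readPolicy($p); }
}else{ readPolicy($policyRef); }
sub readPolicy{
 my ($pol, $byteString) = (shift, "");
 my @byteArray = unpack("C*", $pol->{BinaryValue}); # assumes Win32::OLE returns the byte array as a byte string
 foreach $byte (@byteArray){ $byteString .= sprintf("%02X", $byte); }
 print "B:8:$byteString:$pol->{DNString}\n";
}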
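
An added example, not part of the original post: the B:8:<hex>:<DN> string that the scripts above print, parsed back into its parts in PowerShell and labelled with the policy types listed earlier. The function name ConvertFrom-DNWithBinary and the sample policy DNs are made up for illustration.

```powershell
# Policy type codes as listed in the post (hex form of BinaryValue).
$PolicyTypes = @{
    '01000000' = 'Meeting Policy'
    '02000000' = 'UC Policy'
    '04000000' = 'Presence Policy'
}

# Hypothetical helper name, chosen for this example.
function ConvertFrom-DNWithBinary {
    param([Parameter(Mandatory)][string]$Value)

    # Layout: B:<number of hex digits>:<hex digits>:<distinguished name>
    # A DN may contain colons itself, so only the first three are separators.
    $parts = $Value -split ':', 4
    if ($parts.Count -ne 4 -or $parts[0] -ne 'B') {
        throw "Not a DNWithBinary string: $Value"
    }
    $count = 0
    if (-not [int]::TryParse($parts[1], [ref]$count)) {
        throw "Length field is not a number: $($parts[1])"
    }
    $hex = $parts[2].ToUpperInvariant()
    if ($hex.Length -ne $count -or $hex -notmatch '^([0-9A-F]{2})*$') {
        throw "Hex field does not match its declared length ${count}: $hex"
    }
    $type = $PolicyTypes[$hex]
    if (-not $type) { $type = 'Unknown' }   # code not in the list above

    [pscustomobject]@{
        PolicyType = $type
        BinaryHex  = $hex
        PolicyDN   = $parts[3]
    }
}

# Constructed sample values (placeholder policy names and domain).
$samples = @(
    'B:8:01000000:CN=SamplePolicy1,DC=myDomain,DC=com'
    'B:8:02000000:CN=SamplePolicy2,DC=myDomain,DC=com'
    'B:8:08000000:CN=SamplePolicy3,DC=myDomain,DC=com'
)
$samples | ForEach-Object { ConvertFrom-DNWithBinary $_ } | Format-Table -AutoSize
```

The third sample carries a code that is not in the list, so it is reported as Unknown rather than silently mapped to one of the three policy types.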

Watch for my next post on how to write the msRTCSIP-UserPolicy attribute. Also please look at my other OCS posts, some of which brush on the topic, including how to read the policy settings, at


Anonymous said...

I got the error object doesn't support this property or method when using the VBScript. GetEx instead of Get worked.

Brian said...

I think it depends on what schema version of the ADSI client you are using, in other words, what version of the Windows client you are running.
