I spent a few hours improving this script to allow the creation of multiple LDAP entries with login and password. The result is here: addldap.vbs. It fixes some flaws of the previous scripts, such as:

  • only one LDAP account
  • the user gets a popup on the next Outlook startup

It works perfectly with anonymous LDAP, but setting a password does not work very well: you can pass an array representing the password obtained from a manual setup.

But it will only work for this account, because the password is encoded using DPAPI, which uses the user's personal key to encrypt the data. Trying to deploy this to other users will fail badly (as Outlook will find the whole LDAP account broken).

There is a way to mitigate this problem: when using SPA authentication, Outlook will first use the credentials of the logged-in user before those supplied in the account creation (if they are different). So if you want non-anonymous access to LDAP and want the logged-in user to provide his credentials, you just have to call the script and supply the username, an empty array as the password, and set the doSPA parameter to 1.

I also discovered that, unlike email accounts, LDAP accounts do not prompt the user when the password is wrong, which reduces the number of prompts the user receives when a password has expired.

In the end, the only two cases where this script is useless are:

  • accessing an LDAP server with a generic account
  • accessing an LDAP server that does not support SPA (aka NTLM authentication)

I guess those cases are pretty rare (well, I hope).
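The following PowerShell snippet is an added illustration, not part of the post above or of addldap.vbs, of why a DPAPI-protected password blob copied from one user's manual setup cannot be deployed to other users. It assumes Outlook protects the value with the CurrentUser DPAPI scope and no extra entropy (both assumptions; the exact blob format Outlook stores is not described on this page). The secret and the file path are constructed sample values.

```powershell
# Added example: demonstrate that a CurrentUser DPAPI blob is bound to the user who created it.
# Assumptions: CurrentUser scope, no optional entropy. Sample secret and path are constructed.
Add-Type -AssemblyName System.Security

$scope   = [System.Security.Cryptography.DataProtectionScope]::CurrentUser
$entropy = $null                     # assumption: no additional entropy
$blobPath = Join-Path $env:TEMP 'ldap-password-blob.bin'

# Step 1 (run as the user who did the "manual setup"): protect a sample password.
$plain = [System.Text.Encoding]::Unicode.GetBytes('S3cret-LDAP-Pass')   # constructed sample
$blob  = [System.Security.Cryptography.ProtectedData]::Protect($plain, $entropy, $scope)
[System.IO.File]::WriteAllBytes($blobPath, $blob)
"Protected blob written: $($blob.Length) bytes (this is the kind of array the script is given)"

# Step 2 (run as the SAME user): unprotect succeeds.
$back = [System.Security.Cryptography.ProtectedData]::Unprotect($blob, $entropy, $scope)
"Same user recovers: " + [System.Text.Encoding]::Unicode.GetString($back)

# Step 3 (run the block below as a DIFFERENT user, e.g. via runas): unprotect fails,
# because the blob is wrapped with the first user's DPAPI master key. This is the
# failure the post describes when the same array is deployed to other accounts.
try {
    $foreign = [System.IO.File]::ReadAllBytes($blobPath)
    $null = [System.Security.Cryptography.ProtectedData]::Unprotect($foreign, $entropy, $scope)
    "Unexpected: another user could decrypt the blob"
} catch [System.Security.Cryptography.CryptographicException] {
    "DPAPI refused the blob for this user: $($_.Exception.Message)"
}
```

Running steps 1 and 2 as one user and step 3 as another shows the asymmetry: the bytes are valid only under the originating user's profile, so the only portable option is what the post recommends, an empty password array with doSPA set to 1 so that the logged-in user's own credentials are used.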