Active Directory UDF


water

  • _AD_Open()

    uses the credentials of the currently logged on user

  • _AD_Open($sAD_UserIdParam, $sAD_PasswordParam)

    uses the specified credentials to connect to the domain the computer is a member of

  • _AD_Open("", "", $sAD_DNSDomainParam, $sAD_HostServerParam, $sAD_ConfigurationParam)

    uses the credentials of the currently logged on user to connect to the specified domain server. Necessary when the computer is not a member of a domain or if you want to connect to another domain or just want to connect to a specific domain server in the current domain

  • _AD_Open($sAD_UserIdParam, $sAD_PasswordParam, $sAD_DNSDomainParam, $sAD_HostServerParam, $sAD_ConfigurationParam)

    uses the specified credentials to connect to the specified domain (server)

Edited by water

My UDFs and Tutorials:

Spoiler

UDFs:
Active Directory (NEW 2024-07-28 - Version 1.6.3.0) - Download - General Help & Support - Example Scripts - Wiki
ExcelChart (2017-07-21 - Version 0.4.0.1) - Download - General Help & Support - Example Scripts
OutlookEX (2021-11-16 - Version 1.7.0.0) - Download - General Help & Support - Example Scripts - Wiki
OutlookEX_GUI (2021-04-13 - Version 1.4.0.0) - Download
Outlook Tools (2019-07-22 - Version 0.6.0.0) - Download - General Help & Support - Wiki
PowerPoint (2021-08-31 - Version 1.5.0.0) - Download - General Help & Support - Example Scripts - Wiki
Task Scheduler (2022-07-28 - Version 1.6.0.1) - Download - General Help & Support - Wiki

Standard UDFs:
Excel - Example Scripts - Wiki
Word - Wiki

Tutorials:
ADO - Wiki
WebDriver - Wiki

 

Link to comment

Sorry, maybe I've written the question not correctly.

Can I use something like this?:

_AD_Open()
RunAs ($sAD_UserId, @LogonDomain, $sAD_Password, flag, "\\ip-adress\share\file.exe")
_AD_Close()

How can I assign current userId and password to RunAs using AD UDF?

Link to comment

How can I assign current userId and password to RunAs using AD UDF?

You can't. The AD UDF doesn't set any variables with userid and/or password.

If you want to connect to AD with different credentials you have to pass them to _AD_Open.

But why do you want to use RunAs when you use the credentials of the current user? I would suggest using Run in this case.

If you need to use the credentials of another user you have to pass them to _AD_Open AND RunAs.

Link to comment

RunAs was just an example.

I have a program which connects to a bug-tracking system with the same credentials as in AD.

So it will be comfortable to use the current credentials.

Link to comment

I see.

It would be a security hole if you could extract the password of the logged in user.

The problem you describe is the problem of each single sign-on solution. The started solution has to be able to check permissions of the user (either current user or passed credentials).

I fear that the AD UDF can't help in this case.

Link to comment

Ok. Thanks a lot for information.
Link to comment

About the connection, still for a specific purpose, I've modified the _AD_Open function a little bit.

I sometimes connect to a server without knowing its AD name, so here is the modification (not much):

    If $sAD_DNSDomainParam <> "" Then
        If $sAD_HostServerParam = "" Or $sAD_ConfigurationParam = "" Then Return SetError(6, 0, 0)
        $oAD_RootDSE = ObjGet("LDAP://" & $sAD_HostServerParam & "/RootDSE")
        If Not IsObj($oAD_RootDSE) Or @error <> 0 Then Return SetError(4, @error, 0)
        $sAD_DNSDomain = $sAD_DNSDomainParam
        $sAD_HostServer = $sAD_HostServerParam
        $sAD_Configuration = $sAD_ConfigurationParam
    ElseIf $sAD_HostServerParam <> "" Then ; => added to allow connection with no AD name
        $oAD_RootDSE = ObjGet("LDAP://" & $sAD_HostServerParam & "/RootDSE")
        If Not IsObj($oAD_RootDSE) Then Return SetError(4, @error, 0)
        $sAD_DNSDomain = $oAD_RootDSE.Get("defaultNamingContext")
        $sAD_HostServer = $sAD_HostServerParam
        $sAD_Configuration = $oAD_RootDSE.Get("ConfigurationNamingContext")
    Else
        $oAD_RootDSE = ObjGet("LDAP://RootDSE")
        If Not IsObj($oAD_RootDSE) Or @error <> 0 Then Return SetError(4, @error, 0)
        $sAD_DNSDomain = $oAD_RootDSE.Get("defaultNamingContext") ; Retrieve the current AD domain name
        $sAD_HostServer = $oAD_RootDSE.Get("dnsHostName") ; Retrieve the name of the connected DC
        $sAD_Configuration = $oAD_RootDSE.Get("ConfigurationNamingContext") ; Retrieve the Configuration naming context
        $oAD_RootDSE = ObjGet("LDAP://" & $sAD_HostServer & "/RootDSE") ; To guarantee a persistent binding
    EndIf
Edited by Suba
Link to comment

Hi Suba,

thanks for the code. I will have a look at it over the weekend.

Does it make sense to include this code in the UDF?

Link to comment

It's just a minor modification of _AD_Open, I'll let you judge :)

In my case, yes: it's a lot easier to open a connection with only the DC name, but I dunno if other ppl will use it like this.

Edited by Suba
Link to comment

  • 2 weeks later...

Hi Water.

Could you please help me to implement Exchange Hide From Address Lists through your udf:

VBS:

Const ADS_PROPERTY_UPDATE = 2 

cn_string = inputbox("Please enter users CN ex. cn=username,ou=OU_Names,dc=Domain,dc=Tld")
sLDAP = "LDAP://" & cn_string
'Write user properties
Set objGroup = GetObject(sLDAP) 
 
objGroup.Put "msExchHideFromAddressLists", "TRUE"

objGroup.SetInfo

wscript.echo "done"
Link to comment

I am on vacation and will reply next week.

Link to comment

Use function _AD_ModifyAttribute like this:

$sCN = InputBox("title", "Please enter users CN ex. cn=username,ou=OU_Names,dc=Domain,dc=Tld")
$iRC = _AD_ModifyAttribute($sCN, "msExchHideFromAddressLists", True)
If @error <> 0 Then Exit MsgBox(16, "Example Script", "Error " & @error & " when setting attribute msExchHideFromAddressLists")

BTW: The function allows you to pass the FQDN or the samaccountname of a user.

Link to comment

Thanks,

with FQDN it works better

Global $sFQDN = _AD_SamAccountNameToFQDN(@UserName)
$iRC = _AD_ModifyAttribute($sFQDN, "msExchHideFromAddressLists", True)

Just one more question:

Can I delete all groups from Member Of Tab?

Something like this:

_AD_RemoveUserFromGroup(*, $sAD_User)
Edited by HaeMHuK
Link to comment

with FQDN it works better

Doesn't make any difference.

If the parameter doesn't contain a "=" (and therefore is a samaccountname) the parameter is automatically translated to FQDN by calling _AD_SamAccountNameToFQDN internally.

Can I delete all groups from Member Of Tab?

Something like this:

_AD_RemoveUserFromGroup(*, $sAD_User)

No, you have to specify a group from which the user will be removed.

So you'll have to use a two-step approach:

  • Get all groups the user is a member of using _AD_GetUserGroups
  • Loop through the resulting array and call _AD_RemoveUserFromGroup for each group
Edited by water

Link to comment
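
The two-step approach from the reply above, written out as an added example (not part of the original thread and not code from the AD UDF's author). The account name `jdoe` and the log file path are hypothetical sample values, and the loop assumes that element 0 of the array returned by `_AD_GetUserGroups` holds the number of groups. Each removal is written to a log so the change can be audited or reversed.

```autoit
#include <AD.au3>

; Hypothetical sample values, not taken from the thread
Global $sUser = "jdoe" ; samaccountname (or FQDN) of the account to strip
Global $sLog = @ScriptDir & "\removed_groups.log" ; audit trail of the changes

_AD_Open() ; credentials of the currently logged on user
If @error <> 0 Then Exit MsgBox(16, "Remove groups", "_AD_Open failed, @error = " & @error)

; Step 1: get the groups the user is a direct member of.
; Assumption: element 0 of the returned array holds the number of groups.
Global $aGroups = _AD_GetUserGroups($sUser)
If @error <> 0 Or Not IsArray($aGroups) Then
    _AD_Close()
    Exit MsgBox(16, "Remove groups", "No groups returned for " & $sUser)
EndIf

; Step 2: one _AD_RemoveUserFromGroup call per group (group first, user second).
Global $iFailed = 0, $iErr = 0
For $i = 1 To $aGroups[0]
    _AD_RemoveUserFromGroup($aGroups[$i], $sUser)
    $iErr = @error ; save it before the next function call resets @error
    If $iErr <> 0 Then
        $iFailed += 1
        FileWriteLine($sLog, "FAILED (@error=" & $iErr & ") " & $sUser & " <- " & $aGroups[$i])
    Else
        FileWriteLine($sLog, "REMOVED " & $sUser & " <- " & $aGroups[$i])
    EndIf
Next

_AD_Close()
MsgBox(64, "Remove groups", ($aGroups[0] - $iFailed) & " removed, " & $iFailed & " failed. See " & $sLog)
```

The user's primary group (usually Domain Users) is not stored in the group's member attribute, so it cannot be removed this way and still shows on the Member Of tab afterwards.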

OK, thank you very much.
Link to comment

Right now I'm working on the I've started to place additional information (tips & tricks etc.) in the Wiki.

What do you think - is this something you would like to see for the AD UDF as well?

If yes, what kind of information do you want to see?

Link to comment

Hi again!

It seems there are problems with _AD_DeleteObject

error code 80072032, "An invalid dn syntax has been specified".

It doesn't work with PCs

Works only this string with user:

CN=Name Surname,OU=xxxxxx,DC=domain,DC=com

Edited by HaeMHuK
Link to comment

To delete a computer you either have to use

_AD_DeleteObject(<samaccountname>, "computer")
or

_AD_DeleteObject(<FQDN>, "computer")

Keep in mind that the samaccountname for a computer is the computername plus an appended dollar sign.

Edited by water

Link to comment

Thanks, now it works. Why doesn't _AD_GetObjectClass(_AD_FQDNToSamAccountName($sObject)) work?
Link to comment

This topic is now closed to further replies.