HaeMHuK Posted April 5, 2011

Should I fill in these parameters manually, or can it take the credentials automatically?
water (Author) Posted April 5, 2011

- _AD_Open() uses the credentials of the currently logged on user
- _AD_Open($sAD_UserIdParam, $sAD_PasswordParam) uses the specified credentials to connect to the domain the computer is a member of
- _AD_Open("", "", $sAD_DNSDomainParam, $sAD_HostServerParam, $sAD_ConfigurationParam) uses the credentials of the currently logged on user to connect to the specified domain server. Necessary when the computer is not a member of a domain or if you want to connect to another domain or just want to connect to a specific domain server in the current domain
- _AD_Open($sAD_UserIdParam, $sAD_PasswordParam, $sAD_DNSDomainParam, $sAD_HostServerParam, $sAD_ConfigurationParam) uses the specified credentials to connect to the specified domain (server)

Edited April 5, 2011 by water

My UDFs and Tutorials:
UDFs:
Active Directory (NEW 2024-07-28 - Version 1.6.3.0) - Download - General Help & Support - Example Scripts - Wiki
ExcelChart (2017-07-21 - Version 0.4.0.1) - Download - General Help & Support - Example Scripts
OutlookEX (2021-11-16 - Version 1.7.0.0) - Download - General Help & Support - Example Scripts - Wiki
OutlookEX_GUI (2021-04-13 - Version 1.4.0.0) - Download
Outlook Tools (2019-07-22 - Version 0.6.0.0) - Download - General Help & Support - Wiki
PowerPoint (2021-08-31 - Version 1.5.0.0) - Download - General Help & Support - Example Scripts - Wiki
Task Scheduler (2022-07-28 - Version 1.6.0.1) - Download - General Help & Support - Wiki
Standard UDFs: Excel - Example Scripts - Wiki; Word - Wiki
Tutorials: ADO - Wiki; WebDriver - Wiki
HaeMHuK Posted April 5, 2011

> - _AD_Open() uses the credentials of the currently logged on user
> - _AD_Open($sAD_UserIdParam, $sAD_PasswordParam) uses the specified credentials to connect to the domain the computer is a member of
> - _AD_Open("", "", $sAD_DNSDomainParam, $sAD_HostServerParam, $sAD_ConfigurationParam) uses the credentials of the currently logged on user to connect to the specified domain server. Necessary when the computer is not a member of a domain or if you want to connect to another domain or just want to connect to a specific domain server in the current domain
> - _AD_Open($sAD_UserIdParam, $sAD_PasswordParam, $sAD_DNSDomainParam, $sAD_HostServerParam, $sAD_ConfigurationParam) uses the specified credentials to connect to the specified domain (server)

Sorry, maybe I didn't phrase the question correctly. Can I use something like this?

    _AD_Open()
    RunAs($sAD_UserId, @LogonDomain, $sAD_Password, flag, "\\ip-adress\share\file.exe")
    _AD_Close()

How can I assign the current userId and password to RunAs using the AD UDF?
water (Author) Posted April 5, 2011

> How can I assign the current userId and password to RunAs using the AD UDF?

You can't. The AD UDF doesn't set any variables with userid and/or password.

If you want to connect to AD with different credentials you have to pass them to _AD_Open.

But why do you want to use RunAs when you use the credentials of the current user? I would suggest using Run in this case.

If you need to use the credentials of another user you have to pass them to _AD_Open AND RunAs.
HaeMHuK Posted April 5, 2011

> You can't. The AD UDF doesn't set any variables with userid and/or password.
> If you want to connect to AD with different credentials you have to pass them to _AD_Open.
> But why do you want to use RunAs when you use the credentials of the current user? I would suggest using Run in this case.
> If you need to use the credentials of another user you have to pass them to _AD_Open AND RunAs.

RunAs was just an example. I have a program which connects to a bug tracking system with the same credentials as in AD. So it will be comfortable to use the current credentials.
water (Author) Posted April 5, 2011

I see. It would be a security hole if you could extract the password of the logged in user.

The problem you describe is the problem of each single-signon-solution. The started solution has to be able to check permissions of the user (either current user or passed credentials).

I fear that the AD UDF can't help in this case.
HaeMHuK Posted April 5, 2011

> I see. It would be a security hole if you could extract the password of the logged in user.
> The problem you describe is the problem of each single-signon-solution. The started solution has to be able to check permissions of the user (either current user or passed credentials).
> I fear that the AD UDF can't help in this case.

Ok. Thanks a lot for the information.
Suba Posted April 6, 2011

About the connection: still for a specific purpose, I've modified the _AD_Open function a little bit. I sometimes connect to a server without knowing its AD name, so here is the modification (not much):

    If $sAD_DNSDomainParam <> "" Then
        If $sAD_HostServerParam = "" Or $sAD_ConfigurationParam = "" Then Return SetError(6, 0, 0)
        $oAD_RootDSE = ObjGet("LDAP://" & $sAD_HostServerParam & "/RootDSE")
        If Not IsObj($oAD_RootDSE) Or @error <> 0 Then Return SetError(4, @error, 0)
        $sAD_DNSDomain = $sAD_DNSDomainParam
        $sAD_HostServer = $sAD_HostServerParam
        $sAD_Configuration = $sAD_ConfigurationParam
    ElseIf $sAD_HostServerParam <> "" Then ;=> added to allow connection with no AD name
        $oAD_RootDSE = ObjGet("LDAP://" & $sAD_HostServerParam & "/RootDSE")
        If Not IsObj($oAD_RootDSE) Then Return SetError(4, @error, 0)
        $sAD_DNSDomain = $oAD_RootDSE.Get("defaultNamingContext")
        $sAD_HostServer = $sAD_HostServerParam
        $sAD_Configuration = $oAD_RootDSE.Get("ConfigurationNamingContext")
    Else
        $oAD_RootDSE = ObjGet("LDAP://RootDSE")
        If Not IsObj($oAD_RootDSE) Or @error <> 0 Then Return SetError(4, @error, 0)
        $sAD_DNSDomain = $oAD_RootDSE.Get("defaultNamingContext") ; Retrieve the current AD domain name
        $sAD_HostServer = $oAD_RootDSE.Get("dnsHostName") ; Retrieve the name of the connected DC
        $sAD_Configuration = $oAD_RootDSE.Get("ConfigurationNamingContext") ; Retrieve the Configuration naming context
        $oAD_RootDSE = ObjGet("LDAP://" & $sAD_HostServer & "/RootDSE") ; To guarantee a persistent binding
    EndIf

Edited April 6, 2011 by Suba
water (Author) Posted April 6, 2011

Hi Suba, thanks for the code. I will have a look at it over the weekend. Does it make sense to include this code in the UDF?
Suba Posted April 6, 2011

It's just a minor modification of _AD_Open, I'll let you judge.

In my case, yes: it's a lot easier to open a connection with only the DC name, but I dunno if other ppl will use it like this.

Edited April 7, 2011 by Suba
HaeMHuK Posted April 15, 2011

Hi Water. Could you please help me to implement Exchange Hide From Address Lists through your UDF?

VBS:

    Const ADS_PROPERTY_UPDATE = 2
    cn_string = inputbox("Please enter users CN ex. cn=username,ou=OU_Names,dc=Domain,dc=Tld")
    sLDAP = "LDAP://" & cn_string
    'Write user properties
    Set objGroup = GetObject(sLDAP)
    objGroup.Put "msExchHideFromAddressLists", "TRUE"
    objGroup.SetInfo
    wscript.echo "done"
water (Author) Posted April 19, 2011

I am on vacation and will reply next week.
water (Author) Posted April 24, 2011

Use function _AD_ModifyAttribute like this:

    $sCN = InputBox("title", "Please enter users CN ex. cn=username,ou=OU_Names,dc=Domain,dc=Tld")
    $iRC = _AD_ModifyAttribute($sCN, "msExchHideFromAddressLists", True)
    If @error <> 0 Then Exit MsgBox(16, "Example Script", "Error " & @error & " when setting attribute msExchHideFromAddressLists")

BTW: The function allows you to pass the FQDN or the samaccountname of a user.
HaeMHuK Posted April 26, 2011

Thanks, with FQDN it works better

    Global $sFQDN = _AD_SamAccountNameToFQDN(@UserName)
    $iRC = _AD_ModifyAttribute($sFQDN, "msExchHideFromAddressLists", True)

Just one more question: Can I delete all groups from the Member Of tab? Something like this:

    _AD_RemoveUserFromGroup(*, $sAD_User)

Edited April 26, 2011 by HaeMHuK
water (Author) Posted April 26, 2011

> with FQDN it works better

Doesn't make any difference. If the parameter doesn't contain a "=" (and therefore is a samaccountname) the parameter is automatically translated to FQDN by calling _AD_SamAccountNameToFQDN internally.

> Can I delete all groups from the Member Of tab? Something like this: _AD_RemoveUserFromGroup(*, $sAD_User)

No, you have to specify a group from which the user will be removed. So you'll have to use a two-step-approach:

1. Get all groups the user is a member of using _AD_GetUserGroups
2. Loop through the resulting array and call _AD_RemoveUserFromGroup for each group

Edited April 26, 2011 by water
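The two-step approach from the post above, written out as an added example (not code from the thread or from the AD UDF's own example scripts). It assumes _AD_GetUserGroups returns a one-based array of group FQDNs with the count in element 0; the account name "jdoe" and the log file path are hypothetical.

```autoit
#include <AD.au3>

; Added example. "jdoe" and the log path are hypothetical values chosen for
; illustration; they do not come from the thread.
Global Const $sUser = "jdoe"
Global Const $sLog = @ScriptDir & "\removed_groups_" & $sUser & ".log"

; Open the log first: if the removals cannot be recorded, change nothing.
Global $hLog = FileOpen($sLog, 1) ; 1 = append
If $hLog = -1 Then Exit MsgBox(16, "Remove groups", "Cannot open log file " & $sLog)

_AD_Open() ; no parameters: bind as the currently logged on user
Global $iErr = @error
If $iErr Then
    FileClose($hLog)
    Exit MsgBox(16, "Remove groups", "_AD_Open failed, @error = " & $iErr)
EndIf

; Step 1: groups the user is a direct member of.
; Assumption: one-based array of group FQDNs, element 0 holds the count.
Global $aGroups = _AD_GetUserGroups($sUser)
$iErr = @error
If $iErr Or Not IsArray($aGroups) Then
    _AD_Close()
    FileClose($hLog)
    Exit MsgBox(16, "Remove groups", "No groups returned, @error = " & $iErr)
EndIf

; Step 2: remove the user from each group and record every outcome, so the
; change can be audited and reversed from the log if it was made in error.
Global $iRemoved = 0, $iFailed = 0
For $i = 1 To UBound($aGroups) - 1
    _AD_RemoveUserFromGroup($aGroups[$i], $sUser)
    $iErr = @error ; capture before any other call resets it
    If $iErr Then
        $iFailed += 1
        FileWriteLine($hLog, "FAILED  (@error=" & $iErr & ") " & $aGroups[$i])
    Else
        $iRemoved += 1
        FileWriteLine($hLog, "REMOVED " & $aGroups[$i])
    EndIf
Next

_AD_Close()
FileClose($hLog)
MsgBox(64, "Remove groups", $iRemoved & " removed, " & $iFailed & " failed. Log: " & $sLog)
```

Membership in the user's primary group is held in primaryGroupID rather than in memberOf, so it is not removed by this loop.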
HaeMHuK Posted April 27, 2011

> Doesn't make any difference. If the parameter doesn't contain a "=" (and therefore is a samaccountname) the parameter is automatically translated to FQDN by calling _AD_SamAccountNameToFQDN internally.
> No, you have to specify a group from which the user will be removed. So you'll have to use a two-step-approach:
> 1. Get all groups the user is a member of using _AD_GetUserGroups
> 2. Loop through the resulting array and call _AD_RemoveUserFromGroup for each group

OK, thank you very much.
water (Author) Posted April 27, 2011

Right now I'm working on the I've started to place additional information (tips & tricks etc.) in the Wiki.

What do you think - is this something you would like to see for the AD UDF as well?

If yes, what kind of information do you want to see?
HaeMHuK Posted April 27, 2011

Hi again! It seems there are problems with _AD_DeleteObject: error code 80072032, "An invalid dn syntax has been specified".

It doesn't work with PCs. Only this string works, with a user:

    CN=Name Surname,OU=xxxxxx,DC=domain,DC=com

Edited April 27, 2011 by HaeMHuK
water (Author) Posted April 27, 2011

To delete a computer you either have to use

    _AD_DeleteObject(<samaccountname>, "computer")

or

    _AD_DeleteObject(<FQDN>, "computer")

Keep in mind that the samaccountname for a computer is the computername plus an appended dollar sign.

Edited April 27, 2011 by water
HaeMHuK Posted April 28, 2011

> To delete a computer you either have to use _AD_DeleteObject(<samaccountname>, "computer") or _AD_DeleteObject(<FQDN>, "computer")
> Keep in mind that the samaccountname for a computer is the computername plus an appended dollar sign.

Thanks, now it works.

Why doesn't _AD_GetObjectClass(_AD_FQDNToSamAccountName($sObject)) work?