Active Directory UDF

[supersonic]

Thank you for this helpful link...

That's the way it seems to be...

[water]

Why do you query this group? What information do you want to get?

[supersonic]

Nothing very special...

First, it was a bit strange and confusing to me:

Querying group members for "Domain Users" = empty,

querying member's groups = "Domain Users" present.

Second, the function I used before lists all group members for "Domain Users".

But as the linked forum post explained: This is normal...

[supersonic]

Hi Water,

can you provide me the modified _AD_GetObjectProperties()-function

which returns readable GUIDs and SIDs?

Greets,

-supersonic.

[JonnyThunder]

You've done a brilliant job on this sir, thanks for the effort!

[water]

I'm glad you like it!

But it mainly the effort of Jonathan Clelland. I just brushed it up and extended it a bit.

Edited February 1, 2010 by water

[JonnyThunder]

It's still hugely impressive - many thanks to you and Jonathan Clelland for all the work.

I've just been raking through the list of examples and they all work beautifully. I've got a big project away to start which will require a lot of AD integration and querying so this just saved me a huge chunk of time.

Nice one fella.

[water]

Hi JonnyThunder,

please wait a few minutes before you start with your project.

There might be some script breaking changes in the next version. Some functions use "ByRef" to return data but most of the functions don't.

I think about removing the "ByRef" so the calls to the functions might change.

I'm going to do some performance checks and if there is little difference then I'm going to change it.

I'll keep you informed.

[supersonic]

Hi Water,

thank you for V0.34. Good job!

When I query 300+ users by _AD_GetObjectProperties() the script stops with an:

!>17:17:07 AutoIT3.exe ended.rc:-1073741819

... error. Without _AD_GetObjectProperties() the scripts runs fine.

Maybe it is the user count; querying 10-20 works without errors...

Putting Sleep(0100) somewhere between doesn't help...

Any ideas about this?

Greets,

-supersonic.

[JonnyThunder]

That's quite odd - we have 6000 or so users and it works fine for me.

Water : nice one, I'll keep an eye on this page for updates!

[supersonic]

JonnyThunder,

if it works fine for you... Maybe you - or somebody else - can help me or give me a clue:

At first I run a query like this to get all users (and some of their attributes):

_AD_GetObjectsInOU($aTmp1, $GUICtrlRead, "(&(objectCategory=user))", 2, _ArrayToString($aADQAttributes, ",", 1, 0), "")

After that I would like to get some "encoded" attributes of each user:

Local aADQAttributes ; An one-based array of attributes. If there is a match, the value will be returned to $aTmp2.
Local $aTmp2
_AD_InjectObjectProperties($aTmp2, $aADQAttributes, _AD_FQDNToSamAccountName($aTmp1[$i][1]))
.
.
.
Func _AD_InjectObjectProperties(ByRef $iArr1, ByRef Const $iArr2, $iStr = "")
    Local $aAttr[7] = ["accountExpires", "badPasswordTime", "lastLogon", "lastLogonTimestamp", "objectGUID", "objectSID", "pwdLastSet"]
    Local $aProp    = _AD_GetObjectProperties($iStr)
    If @error <> 1 Then
        For $i = 0 To UBound($aAttr) - 1 Step 1
            Local $vTmp1 = _ArraySearch($iArr2, $aAttr[$i], 1, 0, 0, 0, 1, 0)
            If $vTmp1 > 0 Then
                Local $vTmp2 = _ArraySearch($aProp, $aAttr[$i], 1, 0, 0, 0, 1, 0)
                If $vTmp2 > 0 Then
                    $iArr1[$vTmp1 - 2] = $aProp[$vTmp2][1] ; Less array index and hidden/invisible attribute. "Something" special; please ignore...
                EndIf
            EndIf
        Next
    EndIf
EndFunc

Maybe the code isn't very good!? Could someone provide a better example?

Greets,

-supersonic.

Edited February 2, 2010 by supersonic

[water]

Sounds strange: If I convert your returncode to hex I get 0xC0000005. Google returns some very strange results on that.

Where (is the line number in your script or somewhere in the AD UDF) do you get this error?

I've modified _AD_GetObjectProperties so you can specify which attributes to return in a comma seprated list.

So

$aProperties = _AD_GetObjectProperties(@UserName,"accountExpires, badPasswordTime, lastLogon, lastLogonTimestamp, objectGUID, objectSID, pwdLastSet")

should do the trick.

expandcollapse popup

; #FUNCTION# ====================================================================================================================
; Name...........: _AD_GetObjectProperties
; Description ...: Returns a two-dimensional array with all properties and their values of an object in readable form.
; Syntax.........: _AD_GetObjectProperties([$sAD_Object = @UserName[, $sAD_Attributes = ""]])
; Parameters ....: $sAD_Object - Optional: SamAccountName or FQDN of the object to get the attributes from (e.g. computer, user, group ...) (default = @Username)
;   $sAD_Attributes - Optional: Comma separated list of attributes to return (default = "" = return all attributes)
; Return values .: Success - Returns a two-dimensional array with all properties and their values of an object in readable form
;   Failure - 0 or property name, sets @error to:
;   |1 - $sAD_Object could not be found
;   |2 - No attributes for the specified property. The property is returned as the functions result
; Author ........: Sundance
; Modified.......: Thomas Rupp
; Remarks .......: Dates are returned in format: YYYY/MM/DD HH:MM:SS
;   NT Security Descriptors are returned as: Control:nn, Group:Domain\Group, Owner:Domain\Group, Revision:nn
;   No error is returned if there are attributes in $sAD_Attributes that are not available for the selected object
; Related .......:
; Link ..........: http://www.autoitscript.com/forum/index.php?showtopic=49627&view=findpost&p=422402, http://msdn.microsoft.com/en-us/library/ms675090(VS.85).aspx
; Example .......: Yes
; ===============================================================================================================================
Func _AD_GetObjectProperties($sAD_Object = @UserName, $sAD_Attributes = "")

    Local $aAD_ObjectProperties[1][2]
    Local $sAD_Query, $oAD_Item, $oAD_PropertyEntry, $oAD_Value, $iCount3, $xAD_Dummy
    ; Data Type Mapping between Active Directory and LDAP
    ; http://msdn.microsoft.com/en-us/library/aa772375(VS.85).aspx
    Local Const $ADSTYPE_DN_STRING = 1
    Local Const $ADSTYPE_CASE_IGNORE_STRING = 3
    Local Const $ADSTYPE_BOOLEAN = 6
    Local Const $ADSTYPE_INTEGER = 7
    Local Const $ADSTYPE_OCTET_STRING = 8
    Local Const $ADSTYPE_UTC_TIME = 9
    Local Const $ADSTYPE_LARGE_INTEGER = 10
    Local Const $ADSTYPE_NT_SECURITY_DESCRIPTOR = 25
    Local Const $ADSTYPE_UNKNOWN = 26
    Local $aAD_SAMAccountType[12][2] = [["DOMAIN_OBJECT", 0x0],["GROUP_OBJECT", 0x10000000],["NON_SECURITY_GROUP_OBJECT", 0x10000001], _
            ["ALIAS_OBJECT", 0x20000000],["NON_SECURITY_ALIAS_OBJECT", 0x20000001],["USER_OBJECT", 0x30000000],["NORMAL_USER_ACCOUNT", 0x30000000], _
            ["MACHINE_ACCOUNT", 0x30000001],["TRUST_ACCOUNT", 0x30000002],["APP_BASIC_GROUP", 0x40000000],["APP_QUERY_GROUP", 0x40000001], _
            ["ACCOUNT_TYPE_MAX", 0x7fffffff]]
    Local $aAD_UAC[21][2] = [[0x00000001, "SCRIPT"],[0x00000002, "ACCOUNTDISABLE"],[0x00000008, "HOMEDIR_REQUIRED"],[0x00000010, "LOCKOUT"],[0x00000020, "PASSWD_NOTREQD"], _
            [0x00000040, "PASSWD_CANT_CHANGE"],[0x00000080, "ENCRYPTED_TEXT_PASSWORD_ALLOWED"],[0x00000100, "TEMP_DUPLICATE_ACCOUNT"],[0x00000200, "NORMAL_ACCOUNT"], _
            [0x00000800, "INTERDOMAIN_TRUST_ACCOUNT"],[0x00001000, "WORKSTATION_TRUST_ACCOUNT"],[0x00002000, "SERVER_TRUST_ACCOUNT"],[0x00010000, "DONT_EXPIRE_PASSWD"], _
            [0x00020000, "MNS_LOGON_ACCOUNT"],[0x00040000, "SMARTCARD_REQUIRED"],[0x00080000, "TRUSTED_FOR_DELEGATION"],[0x00100000, "NOT_DELEGATED"], _
            [0x00200000, "USE_DES_KEY_ONLY"],[0x00400000, "DONT_REQUIRE_PREAUTH"],[0x00800000, "PASSWORD_EXPIRED"],[0x01000000, "TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION"]]

    If _AD_ObjectExists($sAD_Object) = 0 Then Return SetError(1, 0, 0)
    $sAD_Attributes = "," & StringReplace($sAD_Attributes, " ", "" ) & ","
    Local $sAD_Property = "sAMAccountName"
    If StringMid($sAD_Object, 3, 1) = "=" Then $sAD_Property = "distinguishedName"; FQDN provided
    $sAD_Query = "<LDAP://" & $sAD_HostServer & "/" & $sAD_DNSDomain & ">;(" & $sAD_Property & "=" & $sAD_Object & ");ADsPath;subtree"
    Local $oAD_RecordSet = $oAD_Connection.Execute($sAD_Query) ; Retrieve the FQDN for the object
    Local $sAD_LDAPEntry = $oAD_RecordSet.fields(0).value
    Local $oAD_Object = _AD_ObjGet($sAD_LDAPEntry) ; Retrieve the COM Object
    $oAD_Object.GetInfo()
    Local $iCount1 = $oAD_Object.PropertyCount()
    For $iCount2 = 0 To $iCount1 - 1
        $oAD_Item = $oAD_Object.Item($iCount2)
        ; Falls der Wert in der AttributListe vorkommt, dann weiterverarbeiten, sonst ContinueLoop
        If Not ($sAD_Attributes = ",," Or StringInStr($sAD_Attributes,"," & $oAD_Item.Name & ",") > 0) Then ContinueLoop
        $oAD_PropertyEntry = $oAD_Object.GetPropertyItem($oAD_Item.Name, $ADSTYPE_UNKNOWN)
        If IsObj($oAD_PropertyEntry) = 0 Then
            Return SetError (2, 0, $oAD_Item.Name)
        Else
            For $vAD_PropertyValue In $oAD_PropertyEntry.Values
                ReDim $aAD_ObjectProperties[UBound($aAD_ObjectProperties, 1) + 1][2]
                $iCount3 = UBound($aAD_ObjectProperties, 1) - 1
                $aAD_ObjectProperties[$iCount3][0] = $oAD_Item.Name
                If $oAD_Item.ADsType = $ADSTYPE_CASE_IGNORE_STRING Then
                    $aAD_ObjectProperties[$iCount3][1] = $vAD_PropertyValue.CaseIgnoreString
                ElseIf $oAD_Item.ADsType = $ADSTYPE_INTEGER Then
                    If $oAD_Item.Name = "sAMAccountType" Then
                        For $iCount4 = 0 To 11
                            If $vAD_PropertyValue.Integer = $aAD_SAMAccountType[$iCount4][1] Then
                                $aAD_ObjectProperties[$iCount3][1] = $aAD_SAMAccountType[$iCount4][0]
                                ExitLoop
                            EndIf
                        Next
                    ElseIf $oAD_Item.Name = "userAccountControl" Then
                        $aAD_ObjectProperties[$iCount3][1] = $vAD_PropertyValue.Integer & " = "
                        For $iCount4 = 0 To 20
                            If BitAND($vAD_PropertyValue.Integer, $aAD_UAC[$iCount4][0]) = $aAD_UAC[$iCount4][0] Then
                                $aAD_ObjectProperties[$iCount3][1] &= $aAD_UAC[$iCount4][1] & " - "
                            EndIf
                        Next
                        If StringRight($aAD_ObjectProperties[$iCount3][1], 3) = " - " Then $aAD_ObjectProperties[$iCount3][1] = StringTrimRight($aAD_ObjectProperties[$iCount3][1], 3)
                    Else
                        $aAD_ObjectProperties[$iCount3][1] = $vAD_PropertyValue.Integer
                    EndIf
                ElseIf $oAD_Item.ADsType = $ADSTYPE_LARGE_INTEGER Then
                    If $oAD_Item.Name = "pwdLastSet" Or $oAD_Item.Name = "accountExpires" Or $oAD_Item.Name = "lastLogonTimestamp" Or $oAD_Item.Name = "badPasswordTime" Or $oAD_Item.Name = "lastLogon" Then
                        $aAD_ObjectProperties[$iCount3][1] = _DateAdd("s", Int(_AD_LargeInt2Double($vAD_PropertyValue.LargeInteger.LowPart, $vAD_PropertyValue.LargeInteger.HighPart) / (10000000)), "1601/01/01 00:00:00")
                    Else
                        $aAD_ObjectProperties[$iCount3][1] = _AD_LargeInt2Double($vAD_PropertyValue.LargeInteger.LowPart, $vAD_PropertyValue.LargeInteger.HighPart)
                    EndIf
                ElseIf $oAD_Item.ADsType = $ADSTYPE_OCTET_STRING Then
                    $xAD_Dummy = DllStructCreate("byte[56]")
                    DllStructSetData($xAD_Dummy, 1, $vAD_PropertyValue.OctetString)
                    ; objectSID etc. See: http://msdn.microsoft.com/en-us/library/aa379597(VS.85).aspx
                    ; objectGUID etc. See: http://www.autoitscript.com/forum/index.php?showtopic=106163&view=findpost&p=767558
                    If _Security__IsValidSid(DllStructGetPtr($xAD_Dummy)) Then
                        $aAD_ObjectProperties[$iCount3][1] = _Security__SidToStringSid(DllStructGetPtr($xAD_Dummy)) ; SID
                    Else
                        $aAD_ObjectProperties[$iCount3][1] = _WinAPI_StringFromGUID(DllStructGetPtr($xAD_Dummy)) ; GUID
                    EndIf
                ElseIf $oAD_Item.ADsType = $ADSTYPE_DN_STRING Then
                    $aAD_ObjectProperties[$iCount3][1] = $vAD_PropertyValue.DNString
                ElseIf $oAD_Item.ADsType = $ADSTYPE_UTC_TIME Then
                    Local $iAD_DateTime = $vAD_PropertyValue.UTCTime
                    $aAD_ObjectProperties[$iCount3][1] = StringLeft($iAD_DateTime, 4) & "/" & StringMid($iAD_DateTime, 5, 2) & "/" & StringMid($iAD_DateTime, 7, 2) & _
                            " " & StringMid($iAD_DateTime, 9, 2) & ":" & StringMid($iAD_DateTime, 11, 2) & ":" & StringMid($iAD_DateTime, 13, 2)
                ElseIf $oAD_Item.ADsType = $ADSTYPE_BOOLEAN Then
                    If $vAD_PropertyValue.Boolean = 0 Then
                        $aAD_ObjectProperties[$iCount3][1] = "False"
                    Else
                        $aAD_ObjectProperties[$iCount3][1] = "True"
                    EndIf
                ElseIf $oAD_Item.ADsType = $ADSTYPE_NT_SECURITY_DESCRIPTOR Then
                    $oAD_Value = $vAD_PropertyValue.SecurityDescriptor
                    $aAD_ObjectProperties[$iCount3][1] = "Control:" & $oAD_Value.Control & ", " & _
                            "Group:" & $oAD_Value.Group & ", " & _
                            "Owner:" & $oAD_Value.Owner & ", " & _
                            "Revision:" & $oAD_Value.Revision
                Else
                    $aAD_ObjectProperties[$iCount3][1] = "Has the unknown Type: " & $oAD_Item.ADsType
                EndIf
            Next
        EndIf
    Next
    $aAD_ObjectProperties[0][0] = UBound($aAD_ObjectProperties, 1) - 1
    _ArraySort($aAD_ObjectProperties, 0, 1)
    Return $aAD_ObjectProperties

EndFunc ;==>_AD_GetObjectProperties

BTW: Could we move discussions of errors in user scripts to the "General help and Support" forum? I've opened a thread there.

This thread I would like to reserve for announcements and discussions of new functions.

Edited February 2, 2010 by water

[supersonic]

Hi Water,

I've switched over to the "General Help and Support" thread...

Greets,

-supersonic.

[supersonic]

Hi Water,

AD.au3 uses the functions _Security__IsValidSid(), _Security__SidToStringSid() and _WinAPI_StringFromGUID().

They are part of Security.au3 and WinAPI.au3. Make it sense to you to #include them in AD.au3?

Greets,

-supersonic.

[water]

Hi supersonic,

this is already included via date.au3.

I was wondering how the example scripts would have been working otherwise.

water

[TomV]

I Can say one thing:

THANKS for this great UDF!

PS: I recommend this to add to the "included with installation" UDF

Tom

[water]

Hi TomV,

glad you like the UDF.

I try to get it included with the standard AutoIt installation as soon as we've reached version 1.0.

That means function freeze and some successful tests of people who have write access to their AD. Some Exchange related functions will come in the next few weeks.

I've already tried to contact the maintainer of the UDFs but didn't get any response 'til now.

[TomV]

Ok, what do you need to have for that, i'll test it.

Any screenshots? Vids?

Tom

[water]

Hi TomV,

just a bit of testing. I can't test the functions that modify the AD (I onyl have read access). If you like you could run the example scripts that alter the AD and report any problems you see.

Please be careful and use a test environment!

Thanks!

water

[water]

Hi Jaymac,

thanks for your reply!

You don't have to run the AD.au3 That's the UDF itself which is called by all the other example scripts.

But I think it's a good idea to add a readme.txt file that explains how to install the UDF and the associated files.