Active Directory UDF

[chaoticyeshua]

Water,

I've been trying Johnathan Clelland's version of the script, and I don't think it's working for me on his either. Either it never worked at all, or I'm just doing something stupid.

[water]

Hmmm

As I said, I'm not firm with AD permissions. I couldn't find any additional information regarding _ADHasRequiredRights (examples etc.).

Would it be possible for your script to present all OUs for the user to select and then display an error message if creating the computer in the selected OU fails?

[chaoticyeshua]

Yeah, I'll see how that goes when I have time to work on it again. The beginning of the school semester is always extremely busy

In the meantime, is there anyone that can be contacted for assistance in getting _AD_HasRequiredRights fixed? Can anyone else even confirm it does/doesn't work for them? As I said, I may just be doing something wrong.

[water]

I would be interested too if anyone got it working.

A good reading about AD permissions (how to set, how to query them) would be helpful too.

[chaoticyeshua]

It's not very pretty, but this VB script accurately returns the permissions on the same object. I don't know if this will help troubleshoot the problem or not

expandcollapse popup

Const SE_DACL_PROTECTED = &H1000

Set objUser = GetObject _
("LDAP://cn=ubp_students,ou=groups,ou=ub,ou=instdiv,dc=domain,dc=edu")

Set objNtSecurityDescriptor = objUser.Get("ntSecurityDescriptor")
intNtSecurityDescriptorControl = objNtSecurityDescriptor.Control

WScript.Echo "Permissions Tab"
strMessage = "Allow inheritable permissions from the parent to " & _
"propogate to this object and all child objects "
If (intNtSecurityDescriptorControl And SE_DACL_PROTECTED) Then
Wscript.Echo strMessage & "is disabled."
Else
WScript.Echo strMessage & "is enabled."
End If
WScript.Echo

Set objDiscretionaryAcl = objNtSecurityDescriptor.DiscretionaryAcl
DisplayAceInformation objDiscretionaryAcl, "DACL"

Sub DisplayAceInformation(SecurityStructure, strType)
Const ADS_ACETYPE_ACCESS_ALLOWED = &H0
Const ADS_ACETYPE_ACCESS_DENIED = &H1
Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &H5
Const ADS_ACETYPE_ACCESS_DENIED_OBJECT = &H6
intAceCount = 0
For Each objAce In SecurityStructure
     strTrustee = Mid(objAce.Trustee,1,12)
     If StrComp(strTrustee, "NT AUTHORITY", 1) <> 0 Then
         intAceCount = intAceCount + 1
         WScript.Echo strType & " permission entry: " & intAceCount
         WScript.Echo "Name: " & objAce.Trustee

         intAceType = objAce.AceType
         If (intAceType = ADS_ACETYPE_ACCESS_ALLOWED Or _
             intAceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT) Then
             WScript.Echo "Type: Allow Access"
         ElseIf (intAceType = ADS_ACETYPE_ACCESS_DENIED Or _
             intAceType = ADS_ACETYPE_ACCESS_DENIED_OBJECT) Then
             WScript.Echo "Type: Deny Acess"
         Else
             WScript.Echo "Acess Type Unknown."
         End If
         ReadBitsInAccessMask(objAce.AccessMask)
         WScript.Echo
     End If
Next
End Sub

Sub ReadBitsInAccessMask(AccessMask)
Const ADS_RIGHT_DELETE = &H10000
Const ADS_RIGHT_READ_CONTROL = &H20000
Const ADS_RIGHT_WRITE_DAC = &H40000
Const ADS_RIGHT_WRITE_OWNER = &H80000
Const ADS_RIGHT_DS_CREATE_CHILD = &H1
Const ADS_RIGHT_DS_DELETE_CHILD = &H2
Const ADS_RIGHT_ACTRL_DS_LIST = &H4
Const ADS_RIGHT_DS_SELF = &H8
Const ADS_RIGHT_DS_READ_PROP = &H10
Const ADS_RIGHT_DS_WRITE_PROP = &H20
Const ADS_RIGHT_DS_DELETE_TREE = &H40
Const ADS_RIGHT_DS_LIST_OBJECT = &H80
Const ADS_RIGHT_DS_CONTROL_ACCESS = &H100

WScript.Echo VbCrLf & "Standard Access Rights"
If (AccessMask And ADS_RIGHT_DELETE) Then _
     WScript.Echo vbTab & "-Delete an object."
If (AccessMask And ADS_RIGHT_READ_CONTROL) Then _
     WScript.Echo vbTab & "-Read permissions."
If (AccessMask And ADS_RIGHT_WRITE_DAC) Then _
     WScript.Echo vbTab & "-Write permissions."
If (AccessMask And ADS_RIGHT_WRITE_OWNER) Then _
     WScript.Echo vbTab & "-Modify owner."

WScript.Echo VbCrLf & "Directory Service Specific Access Rights"
If (AccessMask And ADS_RIGHT_DS_CREATE_CHILD) Then _
     WScript.Echo vbTab & "-Create child objects."
If (AccessMask And ADS_RIGHT_DS_DELETE_CHILD) Then _
     WScript.Echo vbTab & "-Delete child objects."
If (AccessMask And ADS_RIGHT_ACTRL_DS_LIST) Then _
     WScript.Echo vbTab & "-Enumerate an object."
If (AccessMask And ADS_RIGHT_DS_READ_PROP) Then _
     WScript.Echo vbTab & "-Read the properties of an object."
If (AccessMask And ADS_RIGHT_DS_WRITE_PROP) Then _
     WScript.Echo vbTab & "-Write the properties of an object."
If (AccessMask And ADS_RIGHT_DS_DELETE_TREE) Then _
     WScript.Echo vbTab & "-Delete a tree of objects"
If (AccessMask And ADS_RIGHT_DS_LIST_OBJECT) Then _
     WScript.Echo vbTab & "-List a tree of objects."

WScript.Echo VbCrLf & "Control Access Rights"
If (AccessMask And ADS_RIGHT_DS_CONTROL_ACCESS) + _
     (AccessMask And ADS_RIGHT_DS_SELF) = 0 Then
         WScript.Echo "-None"
Else
     If (AccessMask And ADS_RIGHT_DS_CONTROL_ACCESS) Then _
         WScript.Echo vbTab & "-Extended access rights."
     If (AccessMask And ADS_RIGHT_DS_SELF) Then
         WScript.Echo vbTab & "-Active Directory must validate a property "
         WScript.Echo vbTab & " write operation beyond the schema " & _
             "definition "
         WScript.Echo vbTab & " for the attribute."
     End If
End If
End Sub

[water]

I have found this script too. Maybe I can translate it to AutoIt and strip it down to answer the question: Has the specified user the desired permissions?

Unfortunately this will take some time ...

[chaoticyeshua]

No worries, take your time. Thank you so much for your help on this.

[chaoticyeshua]

Water,

Just looking at _AD_HasRequiredRights step by step and doing _ArrayDisplay or MsgBox on the variables throughout that script, it looks like it's pulling the right information from AD. It lists all the groups I'm in and everything. It just looks like it's failing on this:

For $iCount1 = 0 To UBound($aAD_MemberOf) - 1
    If StringInStr($aAD_MemberOf[$iCount1], "CN=" & $sAD_TrusteeGroup & ",") And _
      BitAND($oAD_ACE.AccessMask, $iAD_Right) = $iAD_Right Then Return 1
   Next

As for why that is, I haven't had time to find that out yet. We have a huge event that I have to go help set up for. I'll see if I can figure something out later.

[water]

Thanks for taking the time to search for the bug!

[Iceman682]

expandcollapse popup

Case $BOK ;OK button
_ResourcePlaySound("Sound_WAV_4")
Global $sObject = GUICtrlRead($IObject)
Global $ssComputer = GUICtrlRead($ComputerToMove)
Global $hSelection = _GUICtrlTreeView_GetSelection($hTree)
If $hSelection = 0 Then
MsgBox(64, "Whoops, It Seems You Forgot Something!", "You MUST select an OU before pressing the Move and Update button!")
Else
For $i = 1 To $aTreeView[0][0]
If $hSelection = $aTreeView[$i][2] Then ExitLoop
Next
Global $sOU = $aTreeView[$i][1]
ExitLoop
EndIf
EndSwitch
WEnd
; Change attribute
$iValue = _AD_ModifyAttribute($ssComputer & "$", "description", $sDescription)
If $iValue = 1 Then
ProgressOn("Please Wait...", "Updating Computer Description in AD.", "Updating...")
For $i = 0 To 100
ProgressSet($i)
Next
ProgressSet(100, "Update Complete!")
Sleep(3000)
ProgressOff()
ElseIf @error = 1 Then
MsgBox(64, "Active Directory Error", "Unable to update description as Computer does not exist in AD!")
Else
MsgBox(64, "Active Directory Error", "Computer is already in Active Directory!")
EndIf
; Move object
$iValue = _AD_MoveObject($sOU, $sObject)
If $iValue = 1 Then
ProgressOn("Please Wait...", "Moving Computer to the requested OU.", "Moving...")
For $i = 0 To 100
ProgressSet($i)
Next
ProgressSet(99, "Move Complete! ... Updating Group Policy!")
Local $rc = _RunDos("Gpupdate /force")
ProgressSet(100, "Group Policy Update Complete!")
Sleep(3000)
ProgressOff()
ElseIf @error = 1 Then
MsgBox(0, "", "")
ElseIf @error = 2 Then
MsgBox(64, "Active Directory Error", "Unable to move as Computer does not exist in AD!")
Else
MsgBox(64, "Active Directory Error", "Unable to move as Computer is already in that OU!")
EndIf
_AD_Close()
MsgBox(64, "Done", "All Complete!")

Hi Water

I'm stuck and can't find where its going wrong.

This always closes after the MsgBox(64, "Done", "All Complete!")

I've tried all sort to try and loop it back to the child GUI so I can run it again if required but can't find a solution.

The progress bars are cosmetic only as I know they are not needed.

Any help most welcome

Edited January 19, 2013 by Iceman682

[water]

I ran Tidy (Ctrl-t in SciTE) to make the code more readable and got a few errors. Can you Tidy the whole script and check the errors you get?

EndSwitch and WEnd seem to cause the problem.

[Iceman682]

I ran Tidy (Ctrl-t in SciTE) on the whole script and no error were found.

[water]

I get the following errors by Tidy with the code you posted:

expandcollapse popup

Case $BOK ;OK button
    _ResourcePlaySound("Sound_WAV_4")
    Global $sObject = GUICtrlRead($IObject)
    Global $ssComputer = GUICtrlRead($ComputerToMove)
    Global $hSelection = _GUICtrlTreeView_GetSelection($hTree)
    If $hSelection = 0 Then
        MsgBox(64, "Whoops, It Seems You Forgot Something!", "You MUST select an OU before pressing the Move and Update button!")
    Else
        For $i = 1 To $aTreeView[0][0]
            If $hSelection = $aTreeView[$i][2] Then ExitLoop
        Next
        Global $sOU = $aTreeView[$i][1]
        ExitLoop
    EndIf
;### Tidy Error: next line creates a negative tablevel.
;### Tidy Error: next line creates a negative tablevel for the line after it.
;### Tidy Error -> "endswitch" is closing previous "case" on line 1
EndSwitch
;### Tidy Error: next line creates a negative tablevel.
;### Tidy Error: next line creates a negative tablevel for the line after it.
WEnd
; Change attribute
$iValue = _AD_ModifyAttribute($ssComputer & "$", "description", $sDescription)
If $iValue = 1 Then
    ProgressOn("Please Wait...", "Updating Computer Description in AD.", "Updating...")
    For $i = 0 To 100
        ProgressSet($i)
    Next
    ProgressSet(100, "Update Complete!")
    Sleep(3000)
    ProgressOff()
ElseIf @error = 1 Then
    MsgBox(64, "Active Directory Error", "Unable to update description as Computer does not exist in AD!")
Else
    MsgBox(64, "Active Directory Error", "Computer is already in Active Directory!")
EndIf
; Move object
$iValue = _AD_MoveObject($sOU, $sObject)
If $iValue = 1 Then
    ProgressOn("Please Wait...", "Moving Computer to the requested OU.", "Moving...")
    For $i = 0 To 100
        ProgressSet($i)
    Next
    ProgressSet(99, "Move Complete! ... Updating Group Policy!")
    Local $rc = _RunDos("Gpupdate /force")
    ProgressSet(100, "Group Policy Update Complete!")
    Sleep(3000)
    ProgressOff()
ElseIf @error = 1 Then
    MsgBox(0, "", "")
ElseIf @error = 2 Then
    MsgBox(64, "Active Directory Error", "Unable to move as Computer does not exist in AD!")
Else
    MsgBox(64, "Active Directory Error", "Unable to move as Computer is already in that OU!")
EndIf
_AD_Close()
MsgBox(64, "Done", "All Complete!")

[Iceman682]

The whole code works fine with no errors in it's own GUI but in a child GUI with no errors it just closes after the msgbox, that might be the issue but I haven't got a clue why.

[water]

I don't see anything wrong with the code you posted.

Maybe the "WEnd" (end of the loop) is at the wrong place?

[Iceman682]

Thanks Water, I will have a play and try and resolve.

Another question if I may:

Is there a way of getting the description of the current OU that the @ComputerName is in?

I've tried

$Result = _AD_GetObjectAttribute(@ComputerName & "$", "distinguishedname")

$ADResult = _AD_GetObjectAttribute$Result & "$", "description")

and

$Result = _AD_GetObjectAttribute(@ComputerName & "$", "distinguishedname")

$sOUDescription = _AD_GetobjectAttribute($Result ,"description")

With no joy

Many thanks

Iceman682

[water]

You have to strip of the RDN (Relative Domain Name) from the DN (Distinguished Name) which then is the DN of the OU.

Let's say the DN of your computer is CN=Computer,OU=computers,DC=example,DC=com. Search for the first comma and take the rest to the right as the DN of the OU and query the property.

[Iceman682]

Wow, well I must say you have managed to totally baffle me with science on this one

[water]

Something like this:

#include <AD.au3>

_AD_Open()
If @error Then Exit MsgBox(16, "Active Directory Example Skript", "Function _AD_Open encountered a problem. @error = " & @error & ", @extended = " & @extended)

Global $sDNComputer = _AD_GetObjectAttribute(@ComputerName & "$", "distinguishedname")
If @error Then
    MsgBox(16, "Active Directory Example Skript", "Function _AD_GetObjectAttribute (Computer) encountered a problem. @error = " & @error & ", @extended = " & @extended)
Else
    Global $iPos = StringInStr($sDNComputer, ",")
    Global $sDNOU = StringMid($sDNComputer, $iPos + 1)
    Global $sOUDescription = _AD_GetObjectAttribute($sDNOU, "description")
    If @error Then
        MsgBox(16, "Active Directory Example Skript", "OU '" & $sDNOU & "' has no description property or other error occurred. @error = " & @error & ", @extended = " & @extended)
    Else
        MsgBox(64, "Active Directory Example Skript", "OU '" & $sDNOU & "', property 'description': " & $sOUDescription)
    EndIf
Endif
_AD_Close()
Exit

[Iceman682]

Water,

What would we all do without you being here to help and guide us in the right direction?

Absolutely fantastic!

Having resolved that little beast i.e FLD, I've been trying to strip out a different name i.e America

CN=Computer,OU=FLD, OU=America, DC=example,DC=com.

I've tried all permitations within the code you so greatfully provided but to no avail.