Jump to content

Active Directory UDF


water
 Share

Recommended Posts

To get the next OU in the hierarchy just change one line:

Global $iPos = StringInStr($sDNComputer, ",")
to
Global $iPos = StringInStr($sDNComputer, ",", 2)
This returns the second occurrence of the "," and so splits of "OU=America, DC=example,DC=com"

BTW: Thanks for your compliments :)

Edited by water

My UDFs and Tutorials:

Spoiler

UDFs:
Active Directory (NEW 2024-07-28 - Version 1.6.3.0) - Download - General Help & Support - Example Scripts - Wiki
ExcelChart (2017-07-21 - Version 0.4.0.1) - Download - General Help & Support - Example Scripts
OutlookEX (2021-11-16 - Version 1.7.0.0) - Download - General Help & Support - Example Scripts - Wiki
OutlookEX_GUI (2021-04-13 - Version 1.4.0.0) - Download
Outlook Tools (2019-07-22 - Version 0.6.0.0) - Download - General Help & Support - Wiki
PowerPoint (2021-08-31 - Version 1.5.0.0) - Download - General Help & Support - Example Scripts - Wiki
Task Scheduler (2022-07-28 - Version 1.6.0.1) - Download - General Help & Support - Wiki

Standard UDFs:
Excel - Example Scripts - Wiki
Word - Wiki

Tutorials:
ADO - Wiki
WebDriver - Wiki

 

Link to comment
Share on other sites

Why $iPos + 8?

My UDFs and Tutorials:

Spoiler

UDFs:
Active Directory (NEW 2024-07-28 - Version 1.6.3.0) - Download - General Help & Support - Example Scripts - Wiki
ExcelChart (2017-07-21 - Version 0.4.0.1) - Download - General Help & Support - Example Scripts
OutlookEX (2021-11-16 - Version 1.7.0.0) - Download - General Help & Support - Example Scripts - Wiki
OutlookEX_GUI (2021-04-13 - Version 1.4.0.0) - Download
Outlook Tools (2019-07-22 - Version 0.6.0.0) - Download - General Help & Support - Wiki
PowerPoint (2021-08-31 - Version 1.5.0.0) - Download - General Help & Support - Example Scripts - Wiki
Task Scheduler (2022-07-28 - Version 1.6.0.1) - Download - General Help & Support - Wiki

Standard UDFs:
Excel - Example Scripts - Wiki
Word - Wiki

Tutorials:
ADO - Wiki
WebDriver - Wiki

 

Link to comment
Share on other sites

As long as the length is fixed it's not an issue.

My UDFs and Tutorials:

Spoiler

UDFs:
Active Directory (NEW 2024-07-28 - Version 1.6.3.0) - Download - General Help & Support - Example Scripts - Wiki
ExcelChart (2017-07-21 - Version 0.4.0.1) - Download - General Help & Support - Example Scripts
OutlookEX (2021-11-16 - Version 1.7.0.0) - Download - General Help & Support - Example Scripts - Wiki
OutlookEX_GUI (2021-04-13 - Version 1.4.0.0) - Download
Outlook Tools (2019-07-22 - Version 0.6.0.0) - Download - General Help & Support - Wiki
PowerPoint (2021-08-31 - Version 1.5.0.0) - Download - General Help & Support - Example Scripts - Wiki
Task Scheduler (2022-07-28 - Version 1.6.0.1) - Download - General Help & Support - Wiki

Standard UDFs:
Excel - Example Scripts - Wiki
Word - Wiki

Tutorials:
ADO - Wiki
WebDriver - Wiki

 

Link to comment
Share on other sites

Hi Water, I've been looking a little more into _AD_HasRequiredRights and I've found something, I think.

If I use MsgBox and have it output BitAND($oAD_ACE.AccessMask, $iAD_Right), it seems to return the correct rights... But if I do:

If StringInStr($aAD_MemberOf[$iCount1], "CN=" & $sAD_TrusteeGroup & ",") Then MsgBox(0,"","Yep!")

It never says "Yep!" -- so I believe that this part of the if statement is what is failing. If I output $sAD_TrusteeGroup, my name is in the list. So I believe this to be just a simple typo, but I'm not sure where.

Link to comment
Share on other sites

That looks promising! I will play a bit with my Resara server and see if I can locate the bug!

My UDFs and Tutorials:

Spoiler

UDFs:
Active Directory (NEW 2024-07-28 - Version 1.6.3.0) - Download - General Help & Support - Example Scripts - Wiki
ExcelChart (2017-07-21 - Version 0.4.0.1) - Download - General Help & Support - Example Scripts
OutlookEX (2021-11-16 - Version 1.7.0.0) - Download - General Help & Support - Example Scripts - Wiki
OutlookEX_GUI (2021-04-13 - Version 1.4.0.0) - Download
Outlook Tools (2019-07-22 - Version 0.6.0.0) - Download - General Help & Support - Wiki
PowerPoint (2021-08-31 - Version 1.5.0.0) - Download - General Help & Support - Example Scripts - Wiki
Task Scheduler (2022-07-28 - Version 1.6.0.1) - Download - General Help & Support - Wiki

Standard UDFs:
Excel - Example Scripts - Wiki
Word - Wiki

Tutorials:
ADO - Wiki
WebDriver - Wiki

 

Link to comment
Share on other sites

OK, so I found out something weird. Let me lay this out for you, hopefully it makes sense.

I'm a member of a group called "NSCs - HELPDESK"

I'm also a member of a group called "helpdesk_desktop_staff"

I am added to both groups directly (meaning not in a group that is in that group).

The "NSCs - HELPDESK" group has full permission on the OU and objects in the OU. Those permissions are inherited from the parent. The script fails to determine that I have permission on it.

If I add myself directly to the security of the object and grant myself full permission, the script fails to determine that I have permission on it.

If I add "helpdesk_desktop_staff" and give it full permission, the script DOES detect I have permission on it.

I'm really not sure what's happening or why :(

Edited by chaoticyeshua
Link to comment
Share on other sites

Water,

If $aAD_TrusteeArray[2] = $sAD_User And BitAND($oAD_ACE.AccessMask, $iAD_Right) = $iAD_Right Then Return 1

Returns 1 if I'm added directly to the security of the object.

$aAD_TrusteeArray[1] = domain

$aAD_TrusteeArray[2] = username

So now I just need to find out why it's not correctly parsing groups that have permission that are inherited from the parent...

Edited by chaoticyeshua
Link to comment
Share on other sites

Thanks for this information! I've searched the web but couldn't find a single script that does what we need. Very strange!

Lets see if I can find anything about inheritance.

My UDFs and Tutorials:

Spoiler

UDFs:
Active Directory (NEW 2024-07-28 - Version 1.6.3.0) - Download - General Help & Support - Example Scripts - Wiki
ExcelChart (2017-07-21 - Version 0.4.0.1) - Download - General Help & Support - Example Scripts
OutlookEX (2021-11-16 - Version 1.7.0.0) - Download - General Help & Support - Example Scripts - Wiki
OutlookEX_GUI (2021-04-13 - Version 1.4.0.0) - Download
Outlook Tools (2019-07-22 - Version 0.6.0.0) - Download - General Help & Support - Wiki
PowerPoint (2021-08-31 - Version 1.5.0.0) - Download - General Help & Support - Example Scripts - Wiki
Task Scheduler (2022-07-28 - Version 1.6.0.1) - Download - General Help & Support - Wiki

Standard UDFs:
Excel - Example Scripts - Wiki
Word - Wiki

Tutorials:
ADO - Wiki
WebDriver - Wiki

 

Link to comment
Share on other sites

OK, I think I may have found why it's not picking up the inherited permissions. The group is named "NSCs - HELPDESK" but has a pre-Windows 2000 name of NET_NSC_HELPDESK... The latter is the one being picked up by $aAD_TrusteeArray. The former is found in $aAD_MemberOf. So they never match.

So, unless there's a way to check the pre-Windows 2000 name also, I may be SOL. I don't know why they set it up that way...

Link to comment
Share on other sites

Func _AD_HasRequiredRights($sAD_Object, $iAD_Right = 983551, $sAD_User = @UserName)
If _AD_ObjectExists($sAD_User) = 0 Then Return SetError(1, 0, 0)
If _AD_ObjectExists($sAD_Object) = 0 Then Return SetError(2, 0, 0)
If StringMid($sAD_Object, 3, 1) <> "=" Then $sAD_Object = _AD_SamAccountNameToFQDN($sAD_Object) ; sAMAccountName provided
Local $aAD_MemberOf, $aAD_TrusteeArray, $sAD_TrusteeGroup, $sAD_TrusteeArrayFQDN
$aAD_MemberOf = _AD_GetUserGroups($sAD_User, 1)
Local $oAD_Object = __AD_ObjGet("LDAP://" & $sAD_HostServer & "/" & $sAD_Object)
If IsObj($oAD_Object) Then
  Local $oAD_Security = $oAD_Object.Get("ntSecurityDescriptor")
  Local $oAD_DACL = $oAD_Security.DiscretionaryAcl
  For $oAD_ACE In $oAD_DACL
   $aAD_TrusteeArray = StringSplit($oAD_ACE.Trustee, "\")
   $sAD_TrusteeGroup = $aAD_TrusteeArray[$aAD_TrusteeArray[0]]
   If (UBound($aAD_TrusteeArray) - 1 ) = 2 And $aAD_TrusteeArray[2] = $sAD_User And BitAND($oAD_ACE.AccessMask, $iAD_Right) = $iAD_Right Then Return 1
   If (UBound($aAD_TrusteeArray) - 1 ) = 2 Then
      $sAD_TrusteeArrayFQDN = _AD_SamAccountNameToFQDN($aAD_TrusteeArray[2])
   EndIf
   For $iCount1 = 0 To UBound($aAD_MemberOf) - 1
       If StringInStr($aAD_MemberOf[$iCount1], $sAD_TrusteeArrayFQDN) And _
      BitAND($oAD_ACE.AccessMask, $iAD_Right) = $iAD_Right Then Return 1
    If StringInStr($aAD_MemberOf[$iCount1], "CN=" & $sAD_TrusteeGroup & ",") And _
      BitAND($oAD_ACE.AccessMask, $iAD_Right) = $iAD_Right Then Return 1
   Next
  Next
EndIf
Return 0
EndFunc

If you can clean this up some, this should work... I'm not a master at this but I'm trying lol

Edited by chaoticyeshua
Link to comment
Share on other sites

chaoticyeshua,

I tested with a user who has full rights on an OU where I only have read access and your modifcations return the correct results! Bravo!!

Let's play a bit more with this function. If it works for other users too I will be happy to change the UDF accordingly!

My UDFs and Tutorials:

Spoiler

UDFs:
Active Directory (NEW 2024-07-28 - Version 1.6.3.0) - Download - General Help & Support - Example Scripts - Wiki
ExcelChart (2017-07-21 - Version 0.4.0.1) - Download - General Help & Support - Example Scripts
OutlookEX (2021-11-16 - Version 1.7.0.0) - Download - General Help & Support - Example Scripts - Wiki
OutlookEX_GUI (2021-04-13 - Version 1.4.0.0) - Download
Outlook Tools (2019-07-22 - Version 0.6.0.0) - Download - General Help & Support - Wiki
PowerPoint (2021-08-31 - Version 1.5.0.0) - Download - General Help & Support - Example Scripts - Wiki
Task Scheduler (2022-07-28 - Version 1.6.0.1) - Download - General Help & Support - Wiki

Standard UDFs:
Excel - Example Scripts - Wiki
Word - Wiki

Tutorials:
ADO - Wiki
WebDriver - Wiki

 

Link to comment
Share on other sites

Sure thing. I'll do some more testing and see if I can get it to break. So far, every account I've tested has returned the proper permissions, but I've only tested with checking for full permission. I know of one way it'll break probably, and that is if you are a member of a group that is a member of a group that has permission on the object. The script is not coded to check permission for nested groups.

Edit: It works with other permissions. I confirmed that nested groups do not work. I'm not sure how to code that in, or if it's even needed (it isn't for what I'm using it for).

Edited by chaoticyeshua
Link to comment
Share on other sites

; Move object
SplashTextOn("Please Standby", "Currently checking your permissions for the move", 470, 40, -1, -1, 33, "Arial", 12)
Sleep(5000)
SplashOff()
$sFQDN_User = "DomainUser"
$sFQDN_Group = "Domain Admins"
;Check the group membership of the specified user for the specified group
$iResult = _AD_IsMemberOf($sFQDN_Group, $sFQDN_User)
If $iResult = 1 Then
MsgBox(75, "Information!", "You have the required permissions to continue!", 5)
Else
MsgBox(48, "Active Directory Failure", "You do not seem to have the required permissions to move the Computer to the 'Disabled Computers OU', please call or email to have the Computer moved for you!")
_MainGUI()
EndIf
Global $sObject = _AD_GetObjectAttribute($rDisableInput & "$", "distinguishedname")
Global $sTargetOU = "OU=Disabled Computers,DC=Domain,DC=com" ;==>> Change when changing domain
Global $iValue = _AD_MoveObject($sTargetOU, $sObject)
If $iValue = 1 Then
ProgressOn("Please Wait...", "Moving to the Disabled Computers OU .", "Moving...")
For $i = 0 To 100
ProgressSet($i)
Next
ProgressSet(100, "Move Complete")
Sleep(3000)
ProgressOff()
ElseIf @error = 1 Then
MsgBox(64, "Active Directory Failure", "Unable to move '" & $rDisableInput & "' as it does not exist in Active Directory!")
ElseIf @error = 2 Then
MsgBox(64, "Active Directory Failure", "Unable to move '" & $rDisableInput & "' as it does not exist in Active Directory!")
Else
MsgBox(64, "Active Directory Failure", $rDisableInput & " is already in the' Disabled Computers OU '!")
EndIf
_AD_Close(); Close Connection to the Active Directory
_MainGUI()

Hi Water

I seem to be struggling a little.

A user that has permission to disable and change the description of an object is fine, but no permissions to move it to an OU that requires extended permissions. Is there a way to run just that part of the script with extended domain permissions?

I've tried the RunAS() and it dont work unless I'm doing it wrong.

I know that its not secure but the Credentials for this part will be hard coded with a $CALG_MD5 because we don't want to give the password out to anyone.

Thanks in advance

Link to comment
Share on other sites

It depends on how you do _AD_Open.

If you do not specify any parameters the credentials of the current user are used to connect to AD.

So if you need special permissions for a part of your processing you could _AD_Close the current connection, use _AD_Open with domain admin credentials, do your processing and _AD_Close and _AD_Open with the current credentials again.

A bit complex but the UDF doesn't support multiple connections at the same time.

My UDFs and Tutorials:

Spoiler

UDFs:
Active Directory (NEW 2024-07-28 - Version 1.6.3.0) - Download - General Help & Support - Example Scripts - Wiki
ExcelChart (2017-07-21 - Version 0.4.0.1) - Download - General Help & Support - Example Scripts
OutlookEX (2021-11-16 - Version 1.7.0.0) - Download - General Help & Support - Example Scripts - Wiki
OutlookEX_GUI (2021-04-13 - Version 1.4.0.0) - Download
Outlook Tools (2019-07-22 - Version 0.6.0.0) - Download - General Help & Support - Wiki
PowerPoint (2021-08-31 - Version 1.5.0.0) - Download - General Help & Support - Example Scripts - Wiki
Task Scheduler (2022-07-28 - Version 1.6.0.1) - Download - General Help & Support - Wiki

Standard UDFs:
Excel - Example Scripts - Wiki
Word - Wiki

Tutorials:
ADO - Wiki
WebDriver - Wiki

 

Link to comment
Share on other sites

Yes. As a whole it would look like:

_AD_Open()
; Do processing with domain user permissions
_AD_Close()
$Username = "Adminaccount"
$Password = "Password"
_AD_Open ($Username, $Password)
; Do processing with domain admin permissions
_AD_Close()
_AD_Open()
; Do rest of processing with domain user permissions
_AD_Close()

My UDFs and Tutorials:

Spoiler

UDFs:
Active Directory (NEW 2024-07-28 - Version 1.6.3.0) - Download - General Help & Support - Example Scripts - Wiki
ExcelChart (2017-07-21 - Version 0.4.0.1) - Download - General Help & Support - Example Scripts
OutlookEX (2021-11-16 - Version 1.7.0.0) - Download - General Help & Support - Example Scripts - Wiki
OutlookEX_GUI (2021-04-13 - Version 1.4.0.0) - Download
Outlook Tools (2019-07-22 - Version 0.6.0.0) - Download - General Help & Support - Wiki
PowerPoint (2021-08-31 - Version 1.5.0.0) - Download - General Help & Support - Example Scripts - Wiki
Task Scheduler (2022-07-28 - Version 1.6.0.1) - Download - General Help & Support - Wiki

Standard UDFs:
Excel - Example Scripts - Wiki
Word - Wiki

Tutorials:
ADO - Wiki
WebDriver - Wiki

 

Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
 Share

×
×
  • Create New...