Active Directory UDF

water · January 31, 2014

Add this line to the top of your script

#Obfuscator_Ignore_Funcs=_AD_FixSpecialChars

jazzyjeff · February 3, 2014

Checking group membership seems slow with the new AD UDF. Is that just my script or network, or has this been a known issue. I am trying different things (turning off recursive checking, changing groups to search), but I can't get it to return a value as quick as it used to.

water · February 3, 2014

Not that I know of.

Can you test with version 1.4.0.0 and the latest with acceptable performance and post the time difference?

water · February 4, 2014

You are talking about function _AD_IsMemberOf?

jazzyjeff · February 4, 2014

Yes, I am back in the office now, so I will do some more testing.

ScriptingNewbie · February 5, 2014

I think I figured out how to create Exchange 2010 accounts using PowerShell in 1 line.

Create just a mailbox.

$sAMAccountName = "AutoIt"
$databaseName = "Exchange Datebase Name"

RunWait("C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe add-pssnapin Microsoft.Exchange.Management.Powershell.E2010 ; Enable-Mailbox -Identity " & $sAMAccountName & " -Database '" & $databaseName & "'")

This hides the user from the GAL

RunWait("C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe add-pssnapin Microsoft.Exchange.Management.Powershell.E2010 ; Set-Mailbox -Identity " & $sAMAccountName & " -HiddenFromAddressListsEnabled $true")

Change the $true to $false to show them in the GAL

It seems you can use semicolon to do another command. So in theory you can move the mailbox etc.

I hope this helps others who need to deal with Exchange 2010.

jazzyjeff · February 7, 2014

Water,

I am sorry for the delay on this. This is what I have so far in the login script. There are other things that happen after this piece of code, but this is the part that takes a long time to finish executing.

I am using Autoit 3.3.10.3 and the AD UDF 1.40.

It can take over 40 seconds to return the values of _AD_IsMemberOf functions. If it finished checking the values of _AD_Ismemberof, I would expect it to display the next label on my GUI, but it continues to stay at "Checking user membership..."

;**************************************************************
;*                                                            *
;* Start GUI to inform user of the login script activity      *
;*                                                            *
;**************************************************************
GUICreate("TCAPS Logon Script - Please wait.", 339, 55, -1, -1, $WS_CAPTION, $WS_EX_TOOLWINDOW)
$iProgress_1 = GUICtrlCreateProgress(10, 25, 316, 20, $PBS_MARQUEE)
$Label1 = GUICtrlCreateLabel("Updating policies...", 10, 8, 280, 17)
GUISetState(@SW_SHOW)
_ProgressMarquee_Start($iProgress_1)
;**************************************************************
;*                                                            *
;* Update Group Policy                                        *
;*                                                            *
;**************************************************************
$pidGP = Run('gpupdate /force', "", @SW_HIDE)
_AD_Open()
Global $sSam = @ComputerName & "$"
Global $sFQDN = _AD_SamAccountNameToFQDN($sSam)
$Label1 = GUICtrlCreateLabel("Checking user membership...", 10, 8, 280, 17)

If _AD_IsMemberOf("EL_Students", @UserName, True, True) Then
    $nestedGroup = "EL"
ElseIf _AD_IsMemberOf("Sec_Students", @UserName, True, True) Then
    $nestedGroup = "SEC"
EndIf

;**************************************************************
;*  *
;* Password check and reset for Secondary Students  *
;*  *
;**************************************************************
$Label1 = GUICtrlCreateLabel("Checking user account...", 10, 8, 280, 17)

Global $username = @UserName
$server = Random(1, 3, 1)
If $server = 1 Then
$server = "server1"
ElseIf $server = 2 Then
$server = "server"
ElseIf $server = 3 Then
$server = "server3"
EndIf
_DecryptPW1()
RunAs("username", "domain", $sPW, 0, "\\" & $server & "\netlogon\another.exe " & $username)

water · February 7, 2014

Does it always take 40 seconds or does it - most of the time - run faster?

Do you have a user where it always takes 40 seconds?

jazzyjeff · February 7, 2014

It happens for every user on any machine.

jazzyjeff · February 7, 2014

We have 64 bit and 32 bit Windows 7 and Windows XP machines, but it doesn't matter on the OS version or architecture.

water · February 7, 2014

Fine ;-)

Can you run all 3 modifications below so we know which functionality takes so long to complete?

_AD_IsMemberOf("EL_Students", @UserName)
_AD_IsMemberOf("EL_Students", @UserName, True)
_AD_IsMemberOf("EL_Students", @UserName, False, True)

jazzyjeff · February 7, 2014

Thanks for your quick responses Water.

Here are my timed results for this code:

$Label1 = GUICtrlCreateLabel("Checking user membership 1...", 10, 8, 280, 17)

If _AD_IsMemberOf("EL_Students", @UserName, True, True) Then
    $nestedGroup = "EL"
ElseIf _AD_IsMemberOf("Sec_Students", @UserName, True, True) Then
    $nestedGroup = "SEC"
EndIf

$Label1 = GUICtrlCreateLabel("Checking user membership 2...", 10, 8, 280, 17)
If _AD_IsMemberOf("EL_Students", @UserName) Then
    $nestedGroup = "EL"
ElseIf _AD_IsMemberOf("Sec_Students", @UserName) Then
    $nestedGroup = "SEC"
EndIf

$Label1 = GUICtrlCreateLabel("Checking user membership 3...", 10, 8, 280, 17)
If _AD_IsMemberOf("EL_Students", @UserName, True) Then
    $nestedGroup = "EL"
ElseIf _AD_IsMemberOf("Sec_Students", @UserName, True) Then
    $nestedGroup = "SEC"
EndIf

$Label1 = GUICtrlCreateLabel("Checking user membership 4...", 10, 8, 280, 17)
If _AD_IsMemberOf("EL_Students", @UserName, False, True) Then
    $nestedGroup = "EL"
ElseIf _AD_IsMemberOf("Sec_Students", @UserName, False, True) Then
    $nestedGroup = "SEC"
EndIf

Checking user membership 1: 34 seconds USING: _AD_IsMemberOf("EL_Students", @UserName,True, True)

Checking user membership 2: 2 seconds USING: _AD_IsMemberOf("EL_Students", @UserName)

Checking user membership 3: 2 seconds USING: _AD_IsMemberOf("EL_Students", @UserName, True)

Checking user membership 4: 34 seconds USING: _AD_IsMemberOf("EL_Students", @UserName, False, True)

So this indicates the recursive lookup is whats taking so long. Is there anything to speed this up?

water · February 7, 2014

Is there a difference when you try:

_AD_IsMemberOf("EL_Students", @UserName, False, True, 2)

jazzyjeff · February 7, 2014

So adding this line took the same amount of time to retrieve the AD groups as test 1 and 4.

34 seconds.

water · February 7, 2014

Strange.

Here the recursive call takes 0.148 seconds, the non recursive 0.014 seconds.

water · February 7, 2014

I think there is a bug!

Can you please change line

If _AD_IsMemberOf($oMember.distinguishedName, $sObject, $bRecursive, $iDepth - 1) Then Return 1

in function _AD_IsMemberOf to

If _AD_IsMemberOf($oMember.distinguishedName, $sObject, False, True, $iDepth - 1) Then Return 1

jazzyjeff · February 7, 2014

I changed the function to read this, but it is still taking about 30 something seconds.

Func _AD_IsMemberOf($sGroup, $sObject = @UserName, $bIncludePrimaryGroup = False, $bRecursive = False, $iDepth = 10)

    If _AD_ObjectExists($sGroup) = 0 Then Return SetError(1, 0, 0)
    If _AD_ObjectExists($sObject) = 0 Then Return SetError(2, 0, 0)
    If StringMid($sObject, 3, 1) <> "=" Then $sObject = _AD_SamAccountNameToFQDN($sObject) ; sAMAccountName provided
    If StringMid($sGroup, 3, 1) <> "=" Then $sGroup = _AD_SamAccountNameToFQDN($sGroup) ; sAMAccountName provided
    Local $oGroup = __AD_ObjGet("LDAP://" & $sAD_HostServer & "/" & $sGroup)
    Local $iResult = $oGroup.IsMember("LDAP://" & $sAD_HostServer & "/" & $sObject)
    If $iResult = 0 And $bRecursive = True Then
        For $oMember In $oGroup.Members
            If StringLower($oMember.Class) = 'group' Then
                If $iDepth > 0 Then
                    If _AD_IsMemberOf($oMember.distinguishedName, $sObject, False, True, $iDepth - 1) Then Return 1
                EndIf
            Else
                If StringLower($oMember.distinguishedName) = $sObject Then Return 1
            EndIf
        Next
    EndIf
    ; Check Primary Group if $sObject isn't a member of the specified group and the flag is set
    If $iResult = 0 And $bIncludePrimaryGroup Then $iResult = (_AD_GetUserPrimaryGroup($sObject) = $sGroup)
    ; Abs is necessary to make it work for AutoIt versions < 3.3.2.0 with bug #1068
    Return Abs($iResult)

EndFunc   ;==>_AD_IsMemberOf

water · February 7, 2014

Can you run this script and post the results? Replace "***" with your groupname.

#include <AD.au3>

Global $sGroup = "***"
_AD_Open()
If @error Then Exit MsgBox(16, "Active Directory Example Skript", "Function _AD_Open encountered a problem. @error = " & @error & ", @extended = " & @extended)
Global $iTimer = TimerInit()
$iResult = _AD_IsMemberOfEX($sGroup, @UserName, False, True)
ConsoleWrite("Execution Time For Top Level: " & TimerDiff($iTimer) & @LF)
$iTimer = TimerInit()
_AD_Close()

Func _AD_IsMemberOfEX($sGroup, $sObject = @UserName, $bIncludePrimaryGroup = False, $bRecursive = False, $iDepth = 10)

    If _AD_ObjectExists($sGroup) = 0 Then Return SetError(1, 0, 0)
    If _AD_ObjectExists($sObject) = 0 Then Return SetError(2, 0, 0)
    If StringMid($sObject, 3, 1) <> "=" Then $sObject = _AD_SamAccountNameToFQDN($sObject) ; sAMAccountName provided
    If StringMid($sGroup, 3, 1) <> "=" Then $sGroup = _AD_SamAccountNameToFQDN($sGroup) ; sAMAccountName provided
    Local $oGroup = __AD_ObjGet("LDAP://" & $sAD_HostServer & "/" & $sGroup)
    Local $iResult = $oGroup.IsMember("LDAP://" & $sAD_HostServer & "/" & $sObject)
    If $iResult = 0 And $bRecursive = True Then
        For $oMember In $oGroup.Members
            If StringLower($oMember.Class) = 'group' Then
                If $iDepth > 0 Then
                    ConsoleWrite($oMember.distinguishedName & @LF)
$iTimer = TimerInit()
                    If _AD_IsMemberOfEX($oMember.distinguishedName, $sObject, False, True, $iDepth - 1) Then
ConsoleWrite("  Execution Time For Level " & $iDepth & ": " & TimerDiff($iTimer) & @LF)
                        Return 1
                    EndIf
                EndIf
            Else
                If StringLower($oMember.distinguishedName) = $sObject Then Return 1
            EndIf
        Next
    EndIf
    ; Check Primary Group if $sObject isn't a member of the specified group and the flag is set
    If $iResult = 0 And $bIncludePrimaryGroup Then $iResult = (_AD_GetUserPrimaryGroup($sObject) = $sGroup)
    ; Abs is necessary to make it work for AutoIt versions < 3.3.2.0 with bug #1068
    Return Abs($iResult)

EndFunc   ;==>_AD_IsMemberOf

Edited February 7, 2014 by water

water · February 7, 2014

Another question:

How big is your AD environment? Could some of the groups be stored on another Domain Controller?

jazzyjeff · February 7, 2014

OK, if I use a group that my user account is nested in, I get this:

1506.47854685442

If I use a group that I am directly a member of, I get this:

284.186677357038

Active Directory UDF

Recommended Posts

Link to comment

Share on other sites

Top Posters In This Topic

Top Posters In This Topic

Popular Posts

water

BrewManNH

mnorland

Posted Images

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Recently Browsing 0 members

Similar Content