Active Directory UDF

[Lantz]

I am looking to retrieve some information about the Public key services stored in the Configuration Context, but for the life of me I can figure out how to mange that context with this UDF.

To clarify i want be able to read the caCertificate attribute of: 
CN=domain-CA,CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,DC=domain,DC=local

[water]

Can you please post what you have tried so far and which errors you get?

[kyo]

Hi Water,

With the latest version of AD.au3 (1.4.3.0), I get this warning while compiling:

"C:\Program Files (x86)\AutoIt3\Include\AD.au3"(3830,27) : warning: $iResult2: declared, but not used in func.

Easy to correct at this end, but thought you'd like to know..

My compile settings include this:

#AutoIt3Wrapper_Au3Check_Parameters=-d -w 1 -w 2 -w 3 -w- 4 -w 5 -w 6 -w 7

Thanks again for very fine work!

[water]

Thanks for the heads up. I've fixed it for the next release  

[heartilly]

I tried this example, but get an error message:

AutoIT\Include\AD.au3" (3074) : ==> The requested action with this object has failed.:
$aPwdInfo[1] = Int(__AD_Int8ToSec($oObject.Get("maxPwdAge"))) / 86400
$aPwdInfo[1] = Int(__AD_Int8ToSec($oObject^ ERROR

 

#AutoIt3Wrapper_AU3Check_Parameters= -d -w 1 -w 2 -w 3 -w 4 -w 5 -w 6
#AutoIt3Wrapper_AU3Check_Stop_OnWarning=Y
; *****************************************************************************
; Example 1
; Get the domain password policy and the password info for the current user
; *****************************************************************************
#include <AD.au3>

; Open Connection to the Active Directory
_AD_Open()
If @error Then Exit MsgBox(16, "Active Directory Example Skript", "Function _AD_Open encountered a problem. @error = " & @error & ", @extended = " & @extended)

; Get the password info
Global $aAD_PwdInfo[13][2] = [[12],["Maximum Password Age (days)"],["Minimum Password Age (days)"],["Enforce Password History (# of passwords remembered)"], _
["Minimum Password Length"],["Account Lockout Duration (minutes)"],["Account Lockout Threshold (invalid logon attempts)"],["Reset account lockout counter after (minutes)"], _
["Password last changed (YYYY/MM/DD HH:MM:SS local time)"],["Password expires (YYYY/MM/DD HH:MM:SS local time)"],["Password last changed (YYYY/MM/DD HH:MM:SS UTC)"], _
["Password expires (YYYY/MM/DD HH:MM:SS UTC)"],["Password properties"]]

Global $aTemp = _AD_GetPasswordInfo()
For $iCount = 1 To $aTemp[0]
$aAD_PwdInfo[$iCount][1] = $aTemp[$iCount]
Next
$aAD_PwdInfo[0][0] = $aTemp[0]

_ArrayDisplay($aAD_PwdInfo, "Active Directory Functions - Example 1", -1, 0, "<")

; Close Connection to the Active Directory
_AD_Close()
 

[david1337]

Hi water

Is it possible with your AD UDF, to view and edit other users AD Attributes?
If the user running the script has the rights for it of course.

Edited October 22, 2015 by david1337

[water]

Sure!

[water]

Heartilly,

Which version of AutoIt and the AD UDF do you run?

[david1337]

Heartilly,

Which version of AutoIt and the AD UDF do you run?

Cool

Autoit: 3.3.12.0

AD UDF: 2015-08-07 - Version 1.4.2.0

[water]

Cool

Autoit: 3.3.12.0

AD UDF: 2015-08-07 - Version 1.4.2.0

Check function _AD_ModifyAttribute. 

[water]

I tried this example, but get an error message:

 

#AutoIt3Wrapper_AU3Check_Parameters= -d -w 1 -w 2 -w 3 -w 4 -w 5 -w 6
#AutoIt3Wrapper_AU3Check_Stop_OnWarning=Y
; *****************************************************************************
; Example 1
; Get the domain password policy and the password info for the current user
; *****************************************************************************
#include <AD.au3>

; Open Connection to the Active Directory
_AD_Open()
If @error Then Exit MsgBox(16, "Active Directory Example Skript", "Function _AD_Open encountered a problem. @error = " & @error & ", @extended = " & @extended)

; Get the password info
Global $aAD_PwdInfo[13][2] = [[12],["Maximum Password Age (days)"],["Minimum Password Age (days)"],["Enforce Password History (# of passwords remembered)"], _
["Minimum Password Length"],["Account Lockout Duration (minutes)"],["Account Lockout Threshold (invalid logon attempts)"],["Reset account lockout counter after (minutes)"], _
["Password last changed (YYYY/MM/DD HH:MM:SS local time)"],["Password expires (YYYY/MM/DD HH:MM:SS local time)"],["Password last changed (YYYY/MM/DD HH:MM:SS UTC)"], _
["Password expires (YYYY/MM/DD HH:MM:SS UTC)"],["Password properties"]]

Global $aTemp = _AD_GetPasswordInfo()
For $iCount = 1 To $aTemp[0]
$aAD_PwdInfo[$iCount][1] = $aTemp[$iCount]
Next
$aAD_PwdInfo[0][0] = $aTemp[0]

_ArrayDisplay($aAD_PwdInfo, "Active Directory Functions - Example 1", -1, 0, "<")

; Close Connection to the Active Directory
_AD_Close()
 

I tested with AutoIt 3.3.12.0 and the latest AD UDF and it works just fine here.

[araneon]

Tell me how to find out the time when the password expires, the user account?
Am I correct in thinking that is the attribute msDS-UserPasswordExpiryTimeComputed?

[water]

Function _AD_GetPasswordInfo will return the password info.
Function _AD_GetObjectProperties(@username, "accountExpires") will return the user account information.
 

[hroberts]

Thank you so very much for these functions.  They are saving me a lot of work.  I am using your move AD Move Object Script and get OU scripts , and I am trying to figure out the best way to use the Get OU script and use those in an array to then create a combo box for the AD Move script.  I am VERY new to autoit and am wondering if anyone can give me some pointers on the best way to do this.

Thanks for any help you can provide.

 

Edited December 11, 2015 by hroberts
typo's

[water]

You could have a look at _AD_Example_GetOUTreeView example script that displays the OU structure in a TreeView.

[TaHreHc]

hi, thank you for ad.au3.

need you help in remove information from ldap

Func _AD_MyHasRightsOnUsers($sObject)

    If _AD_ObjectExists($sObject) = 0 Then Return SetError(2, 0, 0)
    If StringMid($sObject, 3, 1) <> "=" Then $sObject = _AD_SamAccountNameToFQDN($sObject)
    Local $oObject = __AD_ObjGet("LDAP://" & $sAD_HostServer & "/" & $sObject)
    If IsObj($oObject) Then
        Local $oSecurity = $oObject.Get("ntSecurityDescriptor")
        Local $oDACL = $oSecurity.DiscretionaryAcl
        For $oACE In $oDACL
            if $oACE.Trustee = 'com\user' then
                 ; here must be code for delete this information             
            endif
        next
    EndIf
    Return 0

EndFunc   ;==>_AD_MyHasRightsOnUsers

 

[water]

Unfortunately the AD UDF has no function to remove permissions this way.
In the old adfunctions.au3 I've found the follwoing function which might give you an idea:

expandcollapse popup

Func _ADRemoveMailboxRights($mailbox, $accountsam, $ntsendas = 1)
    $obj_mailbox = _ADObjGet("LDAP://" & $strHostServer & "/" & $mailbox)
    If Not IsObj($obj_mailbox) Then
        ;MsgBox(0, "Error", "Mailbox was not a FQDN or was not found.")
        $obj_mailbox = 0
        SetError(3)
        Return
    EndIf
    $obj_mailboxsecurity = $obj_mailbox.MailboxRights
    $mailbox_dacl = $obj_mailboxsecurity.DiscretionaryAcl

    For $ace In $mailbox_dacl
        If $ace.trustee = $accountsam Then
            $mailbox_dacl.RemoveAce($ace)
        EndIf
    Next

    $obj_mailboxsecurity.DiscretionaryAcl = $mailbox_dacl
    $obj_mailbox.MailboxRights = $obj_mailboxsecurity
    If $ntsendas = 1 Then
        $obj_ntsecurity = $obj_mailbox.Get("ntSecurityDescriptor")
        $ntsecurity_dacl = $obj_ntsecurity.DiscretionaryAcl

        For $ace In $ntsecurity_dacl
            If $ace.trustee = $accountsam Then
                $ntsecurity_dacl.RemoveAce($ace)
            EndIf
        Next

        $obj_ntsecurity.DiscretionaryAcl = $ntsecurity_dacl
        $obj_mailbox.Put("ntSecurityDescriptor", $obj_ntsecurity)
        $obj_mailbox.SetOption($ADS_OPTION_SECURITY_MASK, $ADS_SECURITY_INFO_DACL)
        $obj_mailbox.SetInfo
    EndIf
    $obj_mailboxsecurity = 0
    $obj_ntsecurity = 0
    $ntsecurity_dacl = 0
    $mailbox_dacl = 0
    $ace = 0
    $obj_mailbox = 0

    Return @error

EndFunc   ;==>_ADRemoveMailboxRights

 

Edited February 1, 2016 by water

[TaHreHc]

yeap, idea came

Func _AD_DeleteRecordInSecurityInset($sObject,$sRecord)
   If _AD_ObjectExists($sObject) = 0 Then Return SetError(2, 0, 0)
   If StringMid($sObject, 3, 1) <> "=" Then $sObject = _AD_SamAccountNameToFQDN($sObject) ; sAMAccountName provided
   Local $oObject = __AD_ObjGet("LDAP://" & $sAD_HostServer & "/" & $sObject)
   Local $oSecurity = $oObject.Get("ntSecurityDescriptor")
   Local $oDACL = $oSecurity.DiscretionaryAcl
   for $oACE In $oDACL
      If $oACE.Trustee = $sRecord then
         $oDACL.RemoveAce($oACE)
      EndIf
   Next
   $oSecurity.DiscretionaryAcl = $oDACL
   $oObject.Put("ntSecurityDescriptor",$oSecurity)
   If @error Then Return SetError(@error, 0, 0)
   $oObject.SetInfo
   If @error Then Return SetError(@error, 0, 0)
EndFunc

thank you for help

Edited February 2, 2016 by TaHreHc

[water]

[FreeBeing]

Thank you for that great UDF, it really save a lot of time to manage an AD