Active Directory UDF (II)

[supersonic]

water,

thank you for your reply and your patience

I'm not experiencing "You get @error = 2 in case number 2?" ...

Case 1: All good.
Case 2: Fallback, pick $aPwdInfo[9], resulting in @extended = 8.  All good.
Case X (in case _AD_GetObjectProperties failed): Fallback, pick $aPwdInfo[9], resulting in @extended = 16 (or vice versa).

I mean, why should this function error out if there is a userful fallback by returning [9] for both cases? Yes, MSDS-UserPasswordExpiryTimeComputed is more precise, of course - but [9] is in many cases good enough. instead of erroring out. Therefore, to avoid @error = 2 this case should be handled by another @extended code.

If an error, is an error, is an error... Accordingly should always erroring out - without exception! That's what you mean?

Edited December 20, 2018 by supersonic

[water]

Thanks for your reply!

D'accord! Will implement your @extended = 16 solution.
 

[supersonic]

water,

you're welcome

If _AD_GetObjectProperties fails I would set @extended = 8 (due to fact that it is the first attempt/step of reading MSDS-UserPasswordExpiryTimeComputed).

 

[water]

New version of the function. Does this meet your requirements?

expandcollapse popup

; #FUNCTION# ====================================================================================================================
; Name...........: _AD_GetPasswordInfo
; Description ...: Returns password information retrieved from the domain policy and the specified user or computer account.
; Syntax.........: _AD_GetPasswordInfo([$sSamAccountName = @UserName])
; Parameters ....: $sObject - Optional: User or computer account to get password info for (default = @UserName). Format is sAMAccountName or FQDN
; Return values .: Success - Returns a one-based array with the following information:
;                  |1 - Maximum Password Age (days)
;                  |2 - Minimum Password Age (days)
;                  |3 - Enforce Password History (# of passwords remembered)
;                  |4 - Minimum Password Length
;                  |5 - Account Lockout Duration (minutes). 0 means the account has to be unlocked manually by an administrator
;                  |6 - Account Lockout Threshold (invalid logon attempts)
;                  |7 - Reset account lockout counter after (minutes)
;                  |8 - Password last changed (YYYY/MM/DD HH:MM:SS in local time of the calling user) or "1601/01/01 00:00:00" (means "Password has never been set")
;                  |9 - Password expires (YYYY/MM/DD HH:MM:SS in local time of the calling user) or empty when password has not been set before or never expires
;                  |10 - Password last changed (YYYY/MM/DD HH:MM:SS in UTC) or "1601/01/01 00:00:00" (means "Password has never been set")
;                  |11 - Password expires (YYYY/MM/DD HH:MM:SS in UTC) or empty when password has not been set before or never expires
;                  |12 - Password properties. Part of Domain Policy. A bit field to indicate complexity / storage restrictions
;                  |      1 - DOMAIN_PASSWORD_COMPLEX
;                  |      2 - DOMAIN_PASSWORD_NO_ANON_CHANGE
;                  |      4 - DOMAIN_PASSWORD_NO_CLEAR_CHANGE
;                  |      8 - DOMAIN_LOCKOUT_ADMINS
;                  |     16 - DOMAIN_PASSWORD_STORE_CLEARTEXT
;                  |     32 - DOMAIN_REFUSE_PASSWORD_CHANGE
;                  |13 - Calculated password expiration date/time. Identical with element 9 of this array.
;                  |     Returns a value even when fine grained password policy is in use; which means that most of the other elements of this array are blank or 0.
;                  |     This is a Virtual Attribute (aka "Pseudo Attribute", "Constructed Attribute" or "Back-link") where the value is calculated by the LDAP Server Implementation and is not actually part of the LDAP Entry.
;                  Failure - "", sets @error to:
;                  |1 - $sObject not found
;                  Warning - Returns a one-based array (see Success), sets @extended to one of the following values (can be a combination of the following values e.g. 3 = 1 (Password does not expire) + 2 (Password has never been set)
;                  |1 - Password does not expire (User Access Control - UAC - is set)
;                  |2 - Password has never been set
;                  |4 - The Maximum Password Age is set to 0 in the domain. Therefore, the password does not expire
;                  |8 - The version of the accessed DC (needs to be >= 2008) does not support property MSDS-UserPasswordExpiryTimeComputed. Element 13 of the returned array is set to element 9.
;                  |16 - Function _AD_GetObjectProperties returned an error when querying property MSDS-UserPasswordExpiryTimeComputed. The error is ignored and element 13 of the returned array is set to element 9.
; Author ........: water
; Modified.......:
; Remarks .......: For details about password properties please check: http://msdn.microsoft.com/en-us/library/aa375371(v=vs.85).aspx
; Related .......: _AD_IsPasswordExpired, _AD_GetPasswordExpired, _AD_GetPasswordDontExpire, _AD_SetPassword, _AD_DisablePasswordExpire, _AD_EnablePasswordExpire, _AD_EnablePasswordChange,  _AD_DisablePasswordChange
; Link ..........: http://www.autoitscript.com/forum/index.php?showtopic=86247&view=findpost&p=619073, http://windowsitpro.com/article/articleid/81412/jsi-tip-8294-how-can-i-return-the-domain-password-policy-attributes.html
; Example .......: Yes
; ===============================================================================================================================
Func _AD_GetPasswordInfo($sObject = @UserName)

    If $sObject = Default Then $sObject = @UserName
    If _AD_ObjectExists($sObject) = 0 Then Return SetError(1, 0, "")
    If StringMid($sObject, 3, 1) <> "=" Then $sObject = _AD_SamAccountNameToFQDN($sObject) ; sAMAccountName provided
    Local $iExtended = 0, $aPwdInfo[14] = [13], $oObject, $oUser, $sPwdLastChanged, $iUAC, $aTemp
    $oObject = __AD_ObjGet("LDAP://" & $sAD_HostServer & "/" & $sAD_DNSDomain)
    $aPwdInfo[1] = Int(__AD_Int8ToSec($oObject.Get("maxPwdAge"))) / 86400 ; Convert to Days
    $aPwdInfo[2] = __AD_Int8ToSec($oObject.Get("minPwdAge")) / 86400 ; Convert to Days
    $aPwdInfo[3] = $oObject.Get("pwdHistoryLength")
    $aPwdInfo[4] = $oObject.Get("minPwdLength")
    ; Account lockout duration: http://msdn.microsoft.com/en-us/library/ms813429.aspx
    ; http://www.autoitscript.com/forum/topic/158419-active-directory-udf-help-support-iii/page-5#entry1173322
    $aPwdInfo[5] = __AD_Int8ToSec($oObject.Get("lockoutDuration")) / 60 ; Convert to Minutes
    If $aPwdInfo[5] < 0 Or $aPwdInfo[5] > 99999 Then $aPwdInfo[5] = 0
    $aPwdInfo[6] = $oObject.Get("lockoutThreshold")
    $aPwdInfo[7] = __AD_Int8ToSec($oObject.Get("lockoutObservationWindow")) / 60 ; Convert to Minutes
    $oUser = __AD_ObjGet("LDAP://" & $sAD_HostServer & "/" & $sObject)
    $sPwdLastChanged = $oUser.Get("PwdLastSet")
    $iUAC = $oUser.userAccountControl
    ; Has user account password been changed before?
    If $sPwdLastChanged.LowPart = 0 And $sPwdLastChanged.HighPart = 0 Then
        $iExtended = BitOR($iExtended, 2)
        $aPwdInfo[8] = "1601/01/01 00:00:00"
        $aPwdInfo[10] = "1601/01/01 00:00:00"
    Else
        Local $sTemp = DllStructCreate("dword low;dword high")
        DllStructSetData($sTemp, "Low", $sPwdLastChanged.LowPart)
        DllStructSetData($sTemp, "High", $sPwdLastChanged.HighPart)
        ; Have to convert to SystemTime because _Date_Time_FileTimeToStr has a bug (#1638)
        Local $sTemp2 = _Date_Time_FileTimeToSystemTime(DllStructGetPtr($sTemp))
        $aPwdInfo[10] = _Date_Time_SystemTimeToDateTimeStr($sTemp2, 1)
        ; Convert PwdlastSet from UTC to Local Time
        $sTemp2 = _Date_Time_SystemTimeToTzSpecificLocalTime(DllStructGetPtr($sTemp2))
        $aPwdInfo[8] = _Date_Time_SystemTimeToDateTimeStr($sTemp2, 1)
        ; Is user account password set to expire?
        If BitAND($iUAC, $ADS_UF_DONT_EXPIRE_PASSWD) = $ADS_UF_DONT_EXPIRE_PASSWD Or $aPwdInfo[1] = 0 Then
            If BitAND($iUAC, $ADS_UF_DONT_EXPIRE_PASSWD) = $ADS_UF_DONT_EXPIRE_PASSWD Then $iExtended = BitOR($iExtended, 1)
            If $aPwdInfo[1] = 0 Then $iExtended = BitOR($iExtended, 4) ; The Maximum Password Age is set to 0 in the domain. Therefore, the password does not expire
        Else
            $aPwdInfo[11] = _DateAdd("d", $aPwdInfo[1], $aPwdInfo[10])
            $sTemp2 = _Date_Time_EncodeSystemTime(StringMid($aPwdInfo[11], 6, 2), StringMid($aPwdInfo[11], 9, 2), StringMid($aPwdInfo[11], 1, 4), StringMid($aPwdInfo[11], 12, 2), StringMid($aPwdInfo[11], 15, 2), StringMid($aPwdInfo[11], 18, 2))
            ; Convert PasswordExpires from UTC to Local Time
            $sTemp2 = _Date_Time_SystemTimeToTzSpecificLocalTime(DllStructGetPtr($sTemp2))
            $aPwdInfo[9] = _Date_Time_SystemTimeToDateTimeStr($sTemp2, 1)
        EndIf
    EndIf
    $aPwdInfo[12] = $oObject.Get("pwdProperties")
    $aTemp = _AD_GetObjectProperties($sObject, "MSDS-UserPasswordExpiryTimeComputed")
    If @error = 0 Then
        If UBound($aTemp, 1) > 1 Then
            $aPwdInfo[13] = $aTemp[1][1]
        Else ; Required if DC version < 2008.
            $aPwdInfo[13] = $aPwdInfo[9]
            $iExtended = BitOR($iExtended, 8)
        EndIf
    Else
        $aPwdInfo[13] = $aPwdInfo[9]
        $iExtended = BitOR($iExtended, 16)
    EndIf
    Return SetError(0, $iExtended, $aPwdInfo)

EndFunc   ;==>_AD_GetPasswordInfo

 

[supersonic]

Happy xmas!

water,

thank you - I really appreciate it. A slight final modification/suggestion:

; ...
$aPwdInfo[13] = $aPwdInfo[9] ; Default/fallback/standard.
$aTemp = _AD_GetObjectProperties($sObject, "MSDS-UserPasswordExpiryTimeComputed")
If @error = 0 Then
    If UBound($aTemp, 1) > 1 Then
        $aPwdInfo[13] = $aTemp[1][1]
    Else ; Required if DC version < 2008.
        $iExtended = BitOR($iExtended, 16)
    EndIf
Else
    $iExtended = BitOR($iExtended, 8)
EndIf
; ...

Only in case DC >= 2008 the line "$aPwdInfo[13] = $aTemp[1][1]" will be executed - otherwise always "[13] = [9]". Therefore I would rearrange it and @extended will be added up if needed. Finally - just my favor - I would swap @extended 8/16 because @error strikes first. Finally it's up to you - I'm already happy how it is now.

Edited December 26, 2018 by supersonic

[benched42]

I've been using  your Active Directory UDF for several years now in a script I have written to automatically gather information on a computer's user and the computer hardware and software for use when calling our helpdesk. The information it gathers is very complete. I just have one question that has recently been asked by my manager:

When the script is run when the computer is not connected to our domain, it takes at least 20 seconds to determine that it is not connected before continuing. All data gathered from Active Directory is set to "Not connected to domain" when the computer is not connected. However, when run a second time when not connected to the domain, it seems to take only a second or two. In addition to this, when the user connects to our domain using VPN, it takes only a second or two to gather the Active Directory data; however, when run after disconnecting from VPN it repeats the same behavior demonstrated before connecting to VPN: first run about 20 seconds, subsequent runs only a second or two.

Is there some kind of information left by the AD UDF that it is accessing after that? Or is that typical behavior for Windows?

The script is being tested on a Lenovo Yoga X380 with Windows 10.

[water]

Never had or have heard of this kind of problem. But I have never tested how the UDF acts if a computer is not connected to a domain.
Maybe it is a global connection setting. According to the MS docu the default to wait for a connection is 15 seconds: https://docs.microsoft.com/en-us/sql/ado/reference/ado-api/connectiontimeout-property-ado?view=sql-server-2017

If a connection is established then it remains open for some time to make execution of commands as fast as possible.

The best way to check if a computer is connected to a domain is to check the AutoIt macro @LogonDomain for a valid domain name. IIRC it is set to the name of the PC if there is no connection to a DC.

[benched42]

Thank you so much! I compared the @LogonDomain with @ComputerName to determine if the computer was connected to the domain or not; I think it runs much faster now!

[water]

Glad to be of service

[guidok]

Hi water,

first of all, you did a really great job with your udf for the Active Directory. Top!!!
I use it in several smaller utilities like an AD-Monitoring/Backup Tool for example.

Actually I'm working - based on your adcu & adcg comparing applications - on a tool which will act a little like the good ol' Norton Commander, but for the AD.
On one side I have one user oder group and on the oder side the second user or group. There I can use the comparision functions and - so my oppinion - the possibility of copying and removing.
In principle, that works, but I have no function in ad.au3 to add groups to other groups. Can you think of a workaround?

Thanks in advance,
Guido

[water]

_AD_AddUserToGroup should do the trick, I think (can't test at the moment).
The function name and th docu is a bit misleading.
If it works for you I will update the documentation.

[guidok]

In fact, it works with the function _AD_AddUserToGroup.The problem lies in the combination of the various selected objects, a few of which I still have to intercept, such as user objects on both sides.
Attached is the source code. There are some changes compared to the original adcg.au3 included, especially in the area of ini-file, authorization and maximize functionality. Maybe you find the idea of the ad-commander useful.

 

ADC.au3 ADC.ini

Edited April 25, 2019 by guidok
Updated code with comments & changes

[water]

Thanks!
Have updated the documentation accordingly.
The misleading function names are inherited from the original ADFunctions UDF written by Jonathan Clelland.

[supersonic]

water,

I have an issue using _AD_RenameObject() with FDQN containing special characters. This doesn't work (at least for me):

_AD_RenameObject("CN=geb./test,OU=Users,OU=Computers_W7,OU=GEB,OU=DE,DC=sub01,DC=domain,DC=local", "geb.test")

This will do:

_AD_RenameObject(_AD_FQDNToSamAccountName("CN=geb./test,OU=Users,OU=Computers_W7,OU=GEB,OU=DE,DC=sub01,DC=domain,DC=local"), "geb.test")

Escaping "/" ("CN=geb.\/test,...") won't do any better...

Any other idea to avoid using _AD_FQDNToSamAccountName in this case?

[water]

Sure. Use funcction _AD_FixSpecialChars to escape/unescape those special characters. That's what _AD_FQDNToSamAccountName does under the covers.

[supersonic]

Thanks for the reply -

No luck :(

This works:

_AD_FQDNToSamAccountName("CN=geb./test,OU=Users,OU=Computers_W7,OU=GEB,OU=DE,DC=sub01,DC=domain,DC=local")
; Result   "geb.test"   = correct.

_AD_FixSpecialChars("CN=geb./test,OU=Users,OU=Computers_W7,OU=GEB,OU=DE,DC=sub01,DC=domain,DC=local") ; ->
; Result   "CN\=geb.\/test\,OU\=Users\,OU\=Computers_W7\,OU\=GEB\,OU\=DE\,DC\=sub01\,DC\=domain\,DC\=local"   .

Does'nt work:

_AD_RenameObject(_AD_FixSpecialChars("CN=geb./test,OU=Users,OU=Computers_W7,OU=GEB,OU=DE,DC=sub01,DC=domain,DC=local"), "geb.test")


_AD_RenameObject("CN=geb.\/test,OU=Users,OU=Computers_W7,OU=GEB,OU=DE,DC=sub01,DC=domain,DC=local", "geb.test")


_AD_RenameObject("CN\=geb.\/test\,OU\=Users\,OU\=Computers_W7\,OU\=GEB\,OU\=DE\,DC\=sub01\,DC\=domain\,DC\=local", "geb.test")

Why returns _AD_FQDNToSamAccountName() a correct SamAccountName while _AD_RenameObject() cannot handle this (valid) DN?

[water]

Do not escape ALL special characters as function _AD_FQDNToSamAccountName does:

$sFQDN = _AD_FixSpecialChars($sFQDN, 0, "/#") ; Escape special characters in the FQDN

 

[supersonic]

I took a deeper look into AD.au3 -

The function _AD_RenameObject() fails if _AD_FixSpecialChars() is called before. If so, 'If Not _AD_ObjectExists($sObject) ...' fails. It seems that _AD_ObjectExists() doesn't need _AD_FixSpecialChars() ...

IMHO _AD_RenameObject() should be extended like this:

Func _AD_RenameObject($sObject, $sCN)

    If Not _AD_ObjectExists($sObject) Then Return SetError(1, 0, 0)
    If StringMid($sObject, 3, 1) <> "=" Then $sObject = _AD_SamAccountNameToFQDN($sObject) ; sAMAccountName provided
    If StringMid($sObject, 3, 1) = "=" Then $sObject = _AD_FixSpecialChars($sObject, 0, "/#") ; <<<<<<<<<<
    Local $oObject = __AD_ObjGet("LDAP://" & $sAD_HostServer & "/" & $sObject)
    Local $oOU = __AD_ObjGet($oObject.Parent) ; Get the object of the OU/CN where the object resides
    $sCN = "CN=" & _AD_FixSpecialChars($sCN) ; escape all special characters
    $oOU.MoveHere("LDAP://" & $sAD_HostServer & "/" & $sObject, $sCN)
    If @error Then Return SetError(@error, 0, 0)
    Return 1

EndFunc   ;==>_AD_RenameObject

What do you think?

Is there a way to detect if a string is already escaped?

Edited May 16, 2019 by supersonic

[water]

20 hours ago, supersonic said:

Any other idea to avoid using _AD_FQDNToSamAccountName in this case?

Any reason you want to avoid _AD_FQDNToSamAccountName in this case?

[supersonic]

water,

just a misunderstanding. Please, let me try to explain once more:

The function _AD_RenameObject() is as good as it is. But if calling this function e. g. like that (in order to consider special characters):

_AD_RenameObject(_AD_FixSpecialChars("CN=geb./test,OU=Users,OU=Computers_W7,OU=GEB,OU=DE,DC=sub01,DC=domain,DC=local", 0, "#/"), "geb.test")

... the very fist line of this function:

If Not _AD_ObjectExists($sObject) Then Return SetError(1, 0, 0)

... runs into SetError() in my attempts (@error = 1). It seems that _AD_ObjectExists() can handle spec. chars. by itself - without the help of _AD_FixSpecialChars(). In code that means this fails:

_AD_ObjectExists(_AD_FixSpecialChars("CN=geb./test,OU=Users,OU=Computers_W7,OU=GEB,OU=DE,DC=sub01,DC=domain,DC=local", 0, "/#"))

... but this works:

_AD_ObjectExists("CN=geb./test,OU=Users,OU=Computers_W7,OU=GEB,OU=DE,DC=sub01,DC=domain,DC=local")

Do you have an environment to test? Would be greatly appreciate 🙂