
Password validation against active directory.


15 replies to this topic

#1 jezr74

jezr74

    Seeker

  • Active Members
  • 19 posts

Posted 31 January 2007 - 05:24 AM

Hi All,

I currently have a script that challenges the user for a username and password that is passed on to map drives among other things. I'm trying to add validation to this for incorrect passwords, i.e. if the password is incorrect the drive mapping is attempted with the wrong password and you are presented with a Windows GUI logon. I've had to exit the script and start again.

Is there a way to validate a password against Active Directory to give an error code rather than it attempt to process the script with incorrect credentials?
I've searched the forums a lot for some clues, but have not found anything in this area with AD.

Thanks,

jtsm


AutoIt         
#include <GuiConstants.au3>
#include <Inet.au3>
#include <file.au3>

;If Not IsDeclared('WS_CLIPSIBLINGS') Then Global $WS_CLIPSIBLINGS = 0x04000000
$GUIPass=GuiCreate("Logon", 222, 149,(@DesktopWidth-222)/2, (@DesktopHeight-179)/2 , $WS_OVERLAPPEDWINDOW + $WS_VISIBLE + $WS_CLIPSIBLINGS)
$Button_Enter = GuiCtrlCreateButton("CTS Update ", 95, 90, 35, 35,$BS_ICON)
GUICtrlSetState(-1,$GUI_DEFBUTTON)
GUICtrlSetImage (-1, "shell32.dll",162) ;44
$Button_Exit = GuiCtrlCreateButton("Exit", 150, 90, 35, 35,$BS_ICON)
GUICtrlSetImage (-1, "shell32.dll",131) ;27
$LocalVersion=FileGetVersion("C:\windows\system32\winlogon.exe")
$Label_Ver = GuiCtrlCreateLabel("v."& $Localversion, 20, 90, 55, 35)
GUICtrlSetImage (-1, "shell32.dll",135) ;27

;user Logon Screen
$Input_UserID = GuiCtrlCreateInput("", 80, 30, 120, 20)
GUICtrlSetState(-1, $GUI_FOCUS)
$Input_UserPWD = GuiCtrlCreateInput("", 80, 60, 120, 20,$ES_PASSWORD)
$Label_UserID = GuiCtrlCreateLabel("User Name", 20, 30, 60, 20)
$Label_UserPWD = GuiCtrlCreateLabel("Password", 20, 60, 50, 20)
$Group_Access = GuiCtrlCreateGroup("Authorised Access Only", 10, 0, 200, 140)
ControlFocus ( "Logon", "Authorised Access Only", 6 )
GuiSetState()

While 1
    $msg = GuiGetMsg()
    Select
        Case $msg = $GUI_EVENT_CLOSE
            ExitLoop
        Case $msg = $Button_Exit
            Exit
        Case $msg = $Button_Enter
            Do
                if GUICtrlRead($Input_UserID) = "" And GUICtrlRead($Input_UserPWD) = "" Then Exit
                ;Case $msg = $Button_Enter
            Until GUICtrlRead($Input_UserID) > "" And GUICtrlRead($Input_UserPWD) > ""
            GuiSetState(@SW_HIDE,$GUIPass)
            DriveMapDel("j:")
            DriveMapAdd("j:","\\SERVER\SHARE", 8,"DOMAIN\"& GUICtrlRead($Input_UserID), ""& GUICtrlRead($Input_UserPWD))
            Exit
    EndSelect
WEnd
GUIDelete($GUIPass)
Exit








#2 PaulIA

PaulIA

    API Extremist

  • MVPs
  • 1,201 posts

Posted 31 January 2007 - 02:15 PM

You can use the WNetAddConnection2 or WNetAddConnection3 API calls. Both have parameters that indicate whether the OS can interact with the user or not if the username/password is wrong. The WNet library is available in Auto3Lib if you're interested.
Auto3Lib: A library of over 1200 functions for AutoIt
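
The non-interactive mapping described in the reply above, as an added example that is not part of the original thread: it calls WNetAddConnection2W through DllCall with dwFlags = 0, so a rejected password comes back as a Win32 error code instead of a Windows logon prompt. The function names and the three-attempt limit are assumptions of this example; \\SERVER\SHARE and DOMAIN are the placeholders from the original script.

```autoit
; Added example, not code from the thread.
Global Const $RESOURCETYPE_DISK = 0x00000001
Global Const $ERROR_ACCESS_DENIED = 5
Global Const $ERROR_INVALID_PASSWORD = 86
Global Const $ERROR_LOGON_FAILURE = 1326

; Maps $sDrive to $sShare without letting Windows prompt for credentials.
; Returns 0 (NO_ERROR) on success, otherwise the Win32 error code
; (-1 if the DllCall itself could not be made).
Func _MapDriveNoPrompt($sDrive, $sShare, $sUser, $sPassword)
    ; NETRESOURCE holds pointers, so the strings live in our own buffers.
    Local $tDrive = DllStructCreate("wchar[" & StringLen($sDrive) + 1 & "]")
    Local $tShare = DllStructCreate("wchar[" & StringLen($sShare) + 1 & "]")
    DllStructSetData($tDrive, 1, $sDrive)
    DllStructSetData($tShare, 1, $sShare)

    Local $tNR = DllStructCreate("dword Scope;dword Type;dword DisplayType;dword Usage;" & _
            "ptr LocalName;ptr RemoteName;ptr Comment;ptr Provider")
    DllStructSetData($tNR, "Type", $RESOURCETYPE_DISK)
    DllStructSetData($tNR, "LocalName", DllStructGetPtr($tDrive))
    DllStructSetData($tNR, "RemoteName", DllStructGetPtr($tShare))

    ; The original script's DriveMapAdd(..., 8, ...) asks for the authentication
    ; dialog; dwFlags = 0 here (no CONNECT_INTERACTIVE, 0x8) does not.
    Local $aRet = DllCall("mpr.dll", "dword", "WNetAddConnection2W", _
            "ptr", DllStructGetPtr($tNR), "wstr", $sPassword, "wstr", $sUser, "dword", 0)
    If @error Then Return SetError(1, @error, -1)
    Return $aRet[0]
EndFunc

; Asks for credentials at most three times, so a mistyped password is reported
; and retried without running into the account lockout threshold.
Func _LogonAndMap($sDrive, $sShare, $sDomain)
    Local $sUser, $sPass, $iErr
    For $i = 1 To 3
        $sUser = InputBox("Logon", "User name")
        If @error Or $sUser = "" Then Return False
        $sPass = InputBox("Logon", "Password", "", "*")
        If @error Or $sPass = "" Then Return False

        $iErr = _MapDriveNoPrompt($sDrive, $sShare, $sDomain & "\" & $sUser, $sPass)
        $sPass = "" ; do not keep the password in the variable longer than needed
        Switch $iErr
            Case 0
                Return True
            Case $ERROR_LOGON_FAILURE, $ERROR_INVALID_PASSWORD, $ERROR_ACCESS_DENIED
                MsgBox(48, "Logon", "User name or password was not accepted.")
            Case Else
                MsgBox(16, "Logon", "Drive mapping failed, Win32 error " & $iErr)
                Return False
        EndSwitch
    Next
    Return False
EndFunc

If Not _LogonAndMap("J:", "\\SERVER\SHARE", "DOMAIN") Then Exit 1
```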

#3 Danny35d

Danny35d

    Universalist

  • Active Members
  • 783 posts

Posted 01 February 2007 - 01:12 AM

Opt("RunErrorsFatal", 0)

Func _ValidUserPass( $computer, $username, $password )
    Local $valid = True
    RunAsSet($username, $computer, $password, 0)
    Run(@ComSpec & " /c  echo test", @SystemDir, @SW_HIDE)
    If @error Then $valid = False
    RunAsSet()
    Return $valid
EndFunc

I use the above UDF to validate the user password. I don't remember where in the forum I found it. I think it was done by erifash. The only flaw is that it won't validate a user with a blank password.
AutoIt Scripts: NetPrinter - Network Printer Utility; RobocopyGUI - GUI interface for M$ robocopy command line

#4 exodius

exodius

    Universalist

  • Active Members
  • 710 posts

Posted 21 July 2008 - 04:59 PM

Came across this and found it useful, so I thought I'd post up a current working implementation of it since RunAsSet has gone away.

MsgBox (0, "", _ValidUserPass ("Username", "Domain", "Password"))

Func _ValidUserPass($username, $computer, $password)
    Local $valid = True
    RunAs($username, $computer, $password, 0, @ComSpec & " /c  echo test", @SystemDir, @SW_Hide)
    If @error Then $valid = False
    Return $valid
EndFunc

Edited by exodius, 21 July 2008 - 04:59 PM.


#5 KegRaider

KegRaider

    Seeker

  • Active Members
  • 40 posts

Posted 17 November 2008 - 12:17 AM

Oh thank you exodius! My old scripts for changing users IP addresses without being an admin work again. \o/ Kudos mate.


-KegRaider

#6 Fuzzy52

Fuzzy52

    Seeker

  • New Members
  • 3 posts

Posted 14 January 2009 - 01:18 PM




#7 Fuzzy52

Fuzzy52

    Seeker

  • New Members
  • 3 posts

Posted 14 January 2009 - 01:20 PM

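Try this. It will return the user object if the user ID is in AD and 1 if not.

; ADSI authentication flags used by OpenDSObject
Global Const $ADS_SECURE_AUTHENTICATION = 0x1
Global Const $ADS_USE_ENCRYPTION = 0x2

; $PWD is the password to test; it was used but not declared in the posted version
Func _ValidUser($UserNT, $strUserDN, $strDomain, $PWD)
    Local $objDSO = ObjGet("LDAP:")
    ; BitOR combines the two flags (a plain Or would yield a Boolean)
    Local $objUser = $objDSO.OpenDSObject("LDAP://" & $strUserDN, $strDomain & "\" & _
            $UserNT, $PWD, BitOR($ADS_USE_ENCRYPTION, $ADS_SECURE_AUTHENTICATION))
    If IsObj($objUser) Then
        Return $objUser
    Else
        Return 1
    EndIf
EndFunc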

#8 RulerOf

RulerOf

    Seeker

  • Active Members
  • 19 posts

Posted 14 September 2010 - 05:06 PM

This was driving me nuts for hours, trying to think of a good way to do this, and then I stumbled upon the LogonUser function in advapi32.dll.

This code seems to work for me against the accounts I tried. Not sure what permissions are necessary for the AutoIt code to validate against the AD you're targeting though :)

Also, use an NT-style domain (like "domain" instead of "domain.com") as I'm not sure if the FQDN will work.

Hope you like it ;)

;Returns 1 for valid credentials, 0 for invalid credentials and sets @error
Func _ValidateUserCreds($d_Account, $d_Password, $d_Domain = @ComputerName)
    const $LOGON32_LOGON_INTERACTIVE = 2
    const $LOGON32_LOGON_NETWORK = 3
    const $LOGON32_PROVIDER_DEFAULT = 0
    const $LOGON32_PROVIDER_WINNT50 = 3
    const $LOGON32_PROVIDER_WINNT40 = 2
    const $LOGON32_PROVIDER_WINNT35 = 1
    ; LogonUser writes the logon token handle into this structure on success
    $d_LogonUser = DllStructCreate("HANDLE")
    DllCall("advapi32.dll","BOOLEAN","LogonUser", "str", $d_Account, "str", $d_Domain, "str", $d_Password, "dword", $LOGON32_LOGON_NETWORK, "dword", 0, "ptr", DllStructGetPtr($d_LogonUser))
    $d_Success = DllStructGetData($d_LogonUser, 1)
    If $d_Success Then
        ; Close the token handle so repeated checks do not leak handles
        DllCall("kernel32.dll", "int", "CloseHandle", "ptr", $d_Success)
        Return 1
    Else
        SetError(1)
        Return 0
    EndIf
EndFunc

Edited by RulerOf, 14 September 2010 - 05:09 PM.


#9 water

water

    ?

  • MVPs
  • 11,181 posts

Posted 15 September 2010 - 06:05 AM

If you are running Windows Vista or later you can try my Active Directory UDF (for download please see my signature below).
The _AD_Open function returns detailed error information in case of an error. This and more errors are handled:
525 - user not found
52e - invalid credentials
530 - not permitted to logon at this time
532 - password expired
533 - account disabled
701 - account expired
773 - user must reset password

The validation code could look like:
#include <AD.au3>
; Open Connection to the Active Directory
If _AD_Open($SUserId, $SPassword, $SDNSDomain, $SHostServer, $SConfiguration) Then
    MsgBox(64, "Active Directory Functions", "Logon was succcessful!")
ElseIf @error <= 8 Then
    MsgBox(16, "Active Directory Functions", "The logon was not succcessful!" & @CRLF & @CRLF & "@error: " & @error & ", @extended: " & @extended)
Else
    MsgBox(16, "Active Directory Functions", "The logon was not succcessful!" & @CRLF & @CRLF & "@error: " & @error & ", @extended: " & @extended & _
        @CRLF & @CRLF & "Extended error information will be displayed")
    Global $aError = _AD_GetLastADSIError()
    _ArrayDisplay($aError)
EndIf
; Close Connection to the Active Directory
_AD_Close()

Edited by water, 15 September 2010 - 06:09 AM.

UDFs:

Active Directory (2012-10-12 - Version 1.3.0.0 released) - Download - General Help & Support - Example Scripts - Wiki

OutlookEX (2012-10-07 - Version 0.9.0.0 released) - Download - General Help & Support - Example Scripts - Wiki

ExcelChart (2013-01-21 - Version 0.3.1.1 released) - Download - General Help & Support - Example Scripts

WordEX (2012-12-29 - Version 1.3 released) - Download

ExcelEX (2013-05-11 - Alpha 4 released) - Download
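
One way to act on the sub-codes listed above, as an added example that is not part of water's UDF: the code is pulled out of the directory's diagnostic text, the precise reason goes to a log, and the person at the prompt gets the same wording for 525 and 52e so the dialog does not confirm which account names exist. The function names, the log path and the sample message are constructed for illustration.

```autoit
; Added example, not part of AD.au3. Sub-code meanings are those listed in the post.

; Extracts the hexadecimal sub-code from text such as "... data 52e, v1db1".
; Returns "" and sets @error when the text carries no sub-code.
Func _BindSubCode($sDiag)
    Local $aMatch = StringRegExp($sDiag, "(?i)\bdata\s+([0-9a-f]{1,8})\b", 1)
    If @error Then Return SetError(1, 0, "")
    Return StringLower($aMatch[0])
EndFunc

; Returns a two-element array: [0] detail for the log, [1] text for the prompt.
Func _BindExplain($sSubCode)
    Local $sGeneric = "User name or password is incorrect."
    Local $aOut[2] = ["unrecognised sub-code '" & $sSubCode & "'", "Logon failed."]
    Switch $sSubCode
        Case "525"
            $aOut[0] = "user not found"
            $aOut[1] = $sGeneric ; same wording as 52e on purpose
        Case "52e"
            $aOut[0] = "invalid credentials"
            $aOut[1] = $sGeneric
        Case "530"
            $aOut[0] = "not permitted to logon at this time"
            $aOut[1] = "Logon is not permitted at this time."
        Case "532"
            $aOut[0] = "password expired"
            $aOut[1] = "Your password has expired."
        Case "533"
            $aOut[0] = "account disabled"
            $aOut[1] = "This account cannot be used. Contact the help desk."
        Case "701"
            $aOut[0] = "account expired"
            $aOut[1] = "This account cannot be used. Contact the help desk."
        Case "773"
            $aOut[0] = "user must reset password"
            $aOut[1] = "Your password must be changed before you can log on."
    EndSwitch
    Return $aOut
EndFunc

; Logs the detailed reason (never the password) and returns the prompt text.
Func _ReportBindFailure($sUser, $sDiag, $sLogFile)
    Local $aInfo = _BindExplain(_BindSubCode($sDiag))
    FileWriteLine($sLogFile, @YEAR & "-" & @MON & "-" & @MDAY & " " & @HOUR & ":" & @MIN & ":" & @SEC & _
            " bind failed user=" & $sUser & " reason=" & $aInfo[0])
    Return $aInfo[1]
EndFunc

; Constructed sample message in the shape AD uses for a failed LDAP bind.
Global $sSample = "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1"
MsgBox(16, "Logon", _ReportBindFailure("DOMAIN\DJ", $sSample, @TempDir & "\logon_check.log"))
```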


#10 water

water

    ?

  • MVPs
  • 11,181 posts

Posted 15 September 2010 - 06:09 AM

Another - different - approach.
Joeware offers this little tool to validate a userid.


#11 RulerOf

RulerOf

    Seeker

  • Active Members
  • 19 posts

Posted 15 September 2010 - 01:11 PM

Ahem:

<3 You.

I come into work today only to find you've made my job sooooo much more concise. I owe ya! =)

Thanks so much,
RulerOf

#12 water

water

    ?

  • MVPs
  • 11,181 posts

Posted 15 September 2010 - 01:15 PM

Glad to be of service!

The userid/password checking thing is quite new. If you have problems or find a bug please report on the "Help and Support Thread" (you find the link in my signature).

Good luck!


#13 Syed23

Syed23

    Mass Spammer! - It's Me

  • Active Members
  • 520 posts

Posted 11 December 2010 - 06:14 PM

Hi Water,
I tried your _AD_Open function to validate the user credential. But if I give the input box blank it accepts and shows logon success. Can you help me on this? I have attached my different styles of script below, please let me know where I am going wrong.

#include <AD.au3>
; Open Connection to the Active Directory
$SUserId = InputBox ("","","")
$SPassword = InputBox("","","","*")
If _AD_Open($SUserId, $SPassword) Then
MsgBox(64, "Active Directory Functions", "Logon was succcessful!")
ElseIf @error <= 8 And $SUserId = "" Or $SPassword = "" Then
MsgBox(16, "Active Directory Functions", "The logon was not succcessful!" & @CRLF & @CRLF & "@error: " & @error & ", @extended: " & @extended)
Else
MsgBox(16, "Active Directory Functions", "The logon was not succcessful!" & @CRLF & @CRLF & "@error: " & @error & ", @extended: " & @extended & _
@CRLF & @CRLF & "Extended error information will be displayed")
Global $aError = _AD_GetLastADSIError()
_ArrayDisplay($aError)
EndIf
; Close Connection to the Active Directory
_AD_Close()

----------------------------------------------------------------------------


#include <AD.au3>
; Open Connection to the Active Directory
$SUserId = InputBox ("","","")
$SPassword = InputBox("","","","*")
If _AD_Open($SUserId, $SPassword) And $SUserId <> "" Or $SPassword <> "" Then
MsgBox(64, "Active Directory Functions", "Logon was not succcessful!")
ElseIf $SUserId = "" Or $SPassword = "" Then
MsgBox(16, "Active Directory Functions", "User Id or Pass can not be blank!!!")
Else
MsgBox(16, "Active Directory Functions", "The logon was not succcessful!" & @CRLF & @CRLF & "@error: " & @error & ", @extended: " & @extended & _
@CRLF & @CRLF & "Extended error information will be displayed")
Global $aError = _AD_GetLastADSIError()
_ArrayDisplay($aError)
EndIf
; Close Connection to the Active Directory
_AD_Close()

Edited by Syed23, 11 December 2010 - 06:16 PM.

Thank you, Regards, K.Syed Ibrahim.

#14 water

water

    ?

  • MVPs
  • 11,181 posts

Posted 12 December 2010 - 11:08 AM

Hi Syed23,

If you don't specify a UserID then the AD UDF connects using the credentials of the currently logged on user. As this user is already logged in, the password has already been verified and you will never get an error.
If you change the example a little bit then it should work fine:

#include <AD.au3>
; Open Connection to the Active Directory
$SUserId = InputBox("Active Directory Functions", "UserID", "", "", 250, 120)
$SPassword = InputBox("Active Directory Functions", "Password", "", "*", 250, 120)
If $SUserId = "" Or $SPassword = "" Then
    MsgBox(16, "Active Directory Functions", "User Id or Pass can not be blank!!!")
ElseIf _AD_Open($SUserId, $SPassword) Then
    MsgBox(64, "Active Directory Functions", "Logon was succcessful!")
    ; Close Connection to the Active Directory
    _AD_Close()
ElseIf @error <= 8 Then
    MsgBox(16, "Active Directory Functions", "The logon was not succcessful!" & @CRLF & @CRLF & "@error: " & @error & ", @extended: " & @extended)
Else
    MsgBox(16, "Active Directory Functions", "The logon was not succcessful!" & @CRLF & @CRLF & "@error: " & @error & ", @extended: " & @extended & _
        @CRLF & @CRLF & "Extended error information will be displayed")
    Global $aError = _AD_GetLastADSIError()
    _ArrayDisplay($aError)
EndIf

Be sure to specify the userid as NetBIOS Login Name e.g. "<DOMAIN>\DJ" or User Principal Name e.g. "DJ@domain.com". Only in these cases do you get the extended error information. If you just use the Windows Login Name e.g. "DJ" then you only get @error = 8.


#15 Syed23

Syed23

    Mass Spammer! - It's Me

  • Active Members
  • 520 posts

Posted 14 December 2010 - 08:22 PM

Thanks a lot Water. I am very happy and this makes my credential validation work simple ... Thanks a lot

#16 water

water

    ?

  • MVPs
  • 11,181 posts

Posted 15 December 2010 - 07:33 AM

:x




