Active Directory UDF

Lantz · October 13, 2015

I am looking to retrieve some information about the Public key services stored in the Configuration Context, but for the life of me I can figure out how to mange that context with this UDF.

To clarify i want be able to read the caCertificate attribute of:
CN=domain-CA,CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,DC=domain,DC=local

water · October 14, 2015

Can you please post what you have tried so far and which errors you get?

kyo · October 21, 2015

Hi Water,

With the latest version of AD.au3 (1.4.3.0), I get this warning while compiling:

"C:\Program Files (x86)\AutoIt3\Include\AD.au3"(3830,27) : warning: $iResult2: declared, but not used in func.

Easy to correct at this end, but thought you'd like to know..

My compile settings include this:

#AutoIt3Wrapper_Au3Check_Parameters=-d -w 1 -w 2 -w 3 -w- 4 -w 5 -w 6 -w 7

Thanks again for very fine work!

water · October 21, 2015

Thanks for the heads up. I've fixed it for the next release

heartilly · October 21, 2015

I tried this example, but get an error message:

AutoIT\Include\AD.au3" (3074) : ==> The requested action with this object has failed.:
$aPwdInfo[1] = Int(__AD_Int8ToSec($oObject.Get("maxPwdAge"))) / 86400
$aPwdInfo[1] = Int(__AD_Int8ToSec($oObject^ ERROR

#AutoIt3Wrapper_AU3Check_Parameters= -d -w 1 -w 2 -w 3 -w 4 -w 5 -w 6
#AutoIt3Wrapper_AU3Check_Stop_OnWarning=Y
; *****************************************************************************
; Example 1
; Get the domain password policy and the password info for the current user
; *****************************************************************************
#include <AD.au3>

; Open Connection to the Active Directory
_AD_Open()
If @error Then Exit MsgBox(16, "Active Directory Example Skript", "Function _AD_Open encountered a problem. @error = " & @error & ", @extended = " & @extended)

; Get the password info
Global $aAD_PwdInfo[13][2] = [[12],["Maximum Password Age (days)"],["Minimum Password Age (days)"],["Enforce Password History (# of passwords remembered)"], _
["Minimum Password Length"],["Account Lockout Duration (minutes)"],["Account Lockout Threshold (invalid logon attempts)"],["Reset account lockout counter after (minutes)"], _
["Password last changed (YYYY/MM/DD HH:MM:SS local time)"],["Password expires (YYYY/MM/DD HH:MM:SS local time)"],["Password last changed (YYYY/MM/DD HH:MM:SS UTC)"], _
["Password expires (YYYY/MM/DD HH:MM:SS UTC)"],["Password properties"]]

Global $aTemp = _AD_GetPasswordInfo()
For $iCount = 1 To $aTemp[0]
$aAD_PwdInfo[$iCount][1] = $aTemp[$iCount]
Next
$aAD_PwdInfo[0][0] = $aTemp[0]

_ArrayDisplay($aAD_PwdInfo, "Active Directory Functions - Example 1", -1, 0, "<")

; Close Connection to the Active Directory
_AD_Close()

david1337 · October 22, 2015

Hi water

Is it possible with your AD UDF, to view and edit other users AD Attributes?
If the user running the script has the rights for it of course.

Edited October 22, 2015 by david1337

water · October 22, 2015

Sure!

water · October 22, 2015

Heartilly,

Which version of AutoIt and the AD UDF do you run?

david1337 · October 22, 2015

Heartilly,
Which version of AutoIt and the AD UDF do you run?

Cool

Autoit: 3.3.12.0

AD UDF: 2015-08-07 - Version 1.4.2.0

water · October 22, 2015

Cool
Autoit: 3.3.12.0
AD UDF: 2015-08-07 - Version 1.4.2.0

Check function _AD_ModifyAttribute.

water · October 26, 2015

I tried this example, but get an error message:

#AutoIt3Wrapper_AU3Check_Parameters= -d -w 1 -w 2 -w 3 -w 4 -w 5 -w 6
#AutoIt3Wrapper_AU3Check_Stop_OnWarning=Y
; *****************************************************************************
; Example 1
; Get the domain password policy and the password info for the current user
; *****************************************************************************
#include <AD.au3>

; Open Connection to the Active Directory
_AD_Open()
If @error Then Exit MsgBox(16, "Active Directory Example Skript", "Function _AD_Open encountered a problem. @error = " & @error & ", @extended = " & @extended)

; Get the password info
Global $aAD_PwdInfo[13][2] = [[12],["Maximum Password Age (days)"],["Minimum Password Age (days)"],["Enforce Password History (# of passwords remembered)"], _
["Minimum Password Length"],["Account Lockout Duration (minutes)"],["Account Lockout Threshold (invalid logon attempts)"],["Reset account lockout counter after (minutes)"], _
["Password last changed (YYYY/MM/DD HH:MM:SS local time)"],["Password expires (YYYY/MM/DD HH:MM:SS local time)"],["Password last changed (YYYY/MM/DD HH:MM:SS UTC)"], _
["Password expires (YYYY/MM/DD HH:MM:SS UTC)"],["Password properties"]]

Global $aTemp = _AD_GetPasswordInfo()
For $iCount = 1 To $aTemp[0]
$aAD_PwdInfo[$iCount][1] = $aTemp[$iCount]
Next
$aAD_PwdInfo[0][0] = $aTemp[0]

_ArrayDisplay($aAD_PwdInfo, "Active Directory Functions - Example 1", -1, 0, "<")

; Close Connection to the Active Directory
_AD_Close()

I tested with AutoIt 3.3.12.0 and the latest AD UDF and it works just fine here.

araneon · December 1, 2015

Tell me how to find out the time when the password expires, the user account?
Am I correct in thinking that is the attribute msDS-UserPasswordExpiryTimeComputed?

water · December 1, 2015

Function _AD_GetPasswordInfo will return the password info.
Function _AD_GetObjectProperties(@username, "accountExpires") will return the user account information.

hroberts · December 11, 2015

Thank you so very much for these functions. They are saving me a lot of work. I am using your move AD Move Object Script and get OU scripts , and I am trying to figure out the best way to use the Get OU script and use those in an array to then create a combo box for the AD Move script. I am VERY new to autoit and am wondering if anyone can give me some pointers on the best way to do this.

Thanks for any help you can provide.

Edited December 11, 2015 by hroberts
typo's

water · December 11, 2015

You could have a look at _AD_Example_GetOUTreeView example script that displays the OU structure in a TreeView.

TaHreHc · January 31, 2016

hi, thank you for ad.au3.

need you help in remove information from ldap

Func _AD_MyHasRightsOnUsers($sObject)

    If _AD_ObjectExists($sObject) = 0 Then Return SetError(2, 0, 0)
    If StringMid($sObject, 3, 1) <> "=" Then $sObject = _AD_SamAccountNameToFQDN($sObject)
    Local $oObject = __AD_ObjGet("LDAP://" & $sAD_HostServer & "/" & $sObject)
    If IsObj($oObject) Then
        Local $oSecurity = $oObject.Get("ntSecurityDescriptor")
        Local $oDACL = $oSecurity.DiscretionaryAcl
        For $oACE In $oDACL
            if $oACE.Trustee = 'com\user' then
                 ; here must be code for delete this information             
            endif
        next
    EndIf
    Return 0

EndFunc   ;==>_AD_MyHasRightsOnUsers

water · February 1, 2016

Unfortunately the AD UDF has no function to remove permissions this way.
In the old adfunctions.au3 I've found the follwoing function which might give you an idea:

Func _ADRemoveMailboxRights($mailbox, $accountsam, $ntsendas = 1)
    $obj_mailbox = _ADObjGet("LDAP://" & $strHostServer & "/" & $mailbox)
    If Not IsObj($obj_mailbox) Then
        ;MsgBox(0, "Error", "Mailbox was not a FQDN or was not found.")
        $obj_mailbox = 0
        SetError(3)
        Return
    EndIf
    $obj_mailboxsecurity = $obj_mailbox.MailboxRights
    $mailbox_dacl = $obj_mailboxsecurity.DiscretionaryAcl

    For $ace In $mailbox_dacl
        If $ace.trustee = $accountsam Then
            $mailbox_dacl.RemoveAce($ace)
        EndIf
    Next

    $obj_mailboxsecurity.DiscretionaryAcl = $mailbox_dacl
    $obj_mailbox.MailboxRights = $obj_mailboxsecurity
    If $ntsendas = 1 Then
        $obj_ntsecurity = $obj_mailbox.Get("ntSecurityDescriptor")
        $ntsecurity_dacl = $obj_ntsecurity.DiscretionaryAcl

        For $ace In $ntsecurity_dacl
            If $ace.trustee = $accountsam Then
                $ntsecurity_dacl.RemoveAce($ace)
            EndIf
        Next

        $obj_ntsecurity.DiscretionaryAcl = $ntsecurity_dacl
        $obj_mailbox.Put("ntSecurityDescriptor", $obj_ntsecurity)
        $obj_mailbox.SetOption($ADS_OPTION_SECURITY_MASK, $ADS_SECURITY_INFO_DACL)
        $obj_mailbox.SetInfo
    EndIf
    $obj_mailboxsecurity = 0
    $obj_ntsecurity = 0
    $ntsecurity_dacl = 0
    $mailbox_dacl = 0
    $ace = 0
    $obj_mailbox = 0

    Return @error

EndFunc   ;==>_ADRemoveMailboxRights

Edited February 1, 2016 by water

TaHreHc · February 2, 2016

yeap, idea came

Func _AD_DeleteRecordInSecurityInset($sObject,$sRecord)
   If _AD_ObjectExists($sObject) = 0 Then Return SetError(2, 0, 0)
   If StringMid($sObject, 3, 1) <> "=" Then $sObject = _AD_SamAccountNameToFQDN($sObject) ; sAMAccountName provided
   Local $oObject = __AD_ObjGet("LDAP://" & $sAD_HostServer & "/" & $sObject)
   Local $oSecurity = $oObject.Get("ntSecurityDescriptor")
   Local $oDACL = $oSecurity.DiscretionaryAcl
   for $oACE In $oDACL
      If $oACE.Trustee = $sRecord then
         $oDACL.RemoveAce($oACE)
      EndIf
   Next
   $oSecurity.DiscretionaryAcl = $oDACL
   $oObject.Put("ntSecurityDescriptor",$oSecurity)
   If @error Then Return SetError(@error, 0, 0)
   $oObject.SetInfo
   If @error Then Return SetError(@error, 0, 0)
EndFunc

thank you for help

Edited February 2, 2016 by TaHreHc

water · February 2, 2016

FreeBeing · March 3, 2016

Thank you for that great UDF, it really save a lot of time to manage an AD

Sign In

Active Directory UDF

Recommended Posts

Lantz

Top Posters In This Topic

Top Posters In This Topic

Popular Posts

water

BrewManNH

mnorland

Posted Images

water

kyo

water

heartilly

david1337

water

water

david1337

water

water

araneon

water

hroberts

water

TaHreHc

water

TaHreHc

water

FreeBeing

Similar Content

adding a variable inside a PowerShell command

AD - Active Directory UDF

Compare Active Directory Groups

Using the PowerShell Group Policy Module with AutoIt

Active Directory - Need to search where user is/was logged

Browse

AutoIt Resources

Release

Beta