Active Directory UDF

[water]

To get the next OU in the hierarchy just change one line:

Global $iPos = StringInStr($sDNComputer, ",")

to

Global $iPos = StringInStr($sDNComputer, ",", 2)

This returns the second occurrence of the "," and so splits of "OU=America, DC=example,DC=com"

BTW: Thanks for your compliments

Edited January 21, 2013 by water

[Iceman682]

Thanks Water, I had to also change the following:

Global $sDNOU2 = StringMid($sDNComputer, $iPos + 1)

to

Global $sDNOU2 = StringMid($sDNComputer, $iPos + 8)

Edited January 22, 2013 by Iceman682

[water]

Why $iPos + 8?

[Iceman682]

It was the 8th charactor to the start of the next 'OU=America

Apart from that I haven't got a clue, but it seems to work fine in this instance.

[water]

As long as the length is fixed it's not an issue.

[chaoticyeshua]

Hi Water, I've been looking a little more into _AD_HasRequiredRights and I've found something, I think.

If I use MsgBox and have it output BitAND($oAD_ACE.AccessMask, $iAD_Right), it seems to return the correct rights... But if I do:

If StringInStr($aAD_MemberOf[$iCount1], "CN=" & $sAD_TrusteeGroup & ",") Then MsgBox(0,"","Yep!")

It never says "Yep!" -- so I believe that this part of the if statement is what is failing. If I output $sAD_TrusteeGroup, my name is in the list. So I believe this to be just a simple typo, but I'm not sure where.

[water]

That looks promising! I will play a bit with my Resara server and see if I can locate the bug!

[chaoticyeshua]

OK, so I found out something weird. Let me lay this out for you, hopefully it makes sense.

I'm a member of a group called "NSCs - HELPDESK"

I'm also a member of a group called "helpdesk_desktop_staff"

I am added to both groups directly (meaning not in a group that is in that group).

The "NSCs - HELPDESK" group has full permission on the OU and objects in the OU. Those permissions are inherited from the parent. The script fails to determine that I have permission on it.

If I add myself directly to the security of the object and grant myself full permission, the script fails to determine that I have permission on it.

If I add "helpdesk_desktop_staff" and give it full permission, the script DOES detect I have permission on it.

I'm really not sure what's happening or why

Edited January 23, 2013 by chaoticyeshua

[chaoticyeshua]

Water,

If $aAD_TrusteeArray[2] = $sAD_User And BitAND($oAD_ACE.AccessMask, $iAD_Right) = $iAD_Right Then Return 1

Returns 1 if I'm added directly to the security of the object.

$aAD_TrusteeArray[1] = domain

$aAD_TrusteeArray[2] = username

So now I just need to find out why it's not correctly parsing groups that have permission that are inherited from the parent...

Edited January 24, 2013 by chaoticyeshua

[water]

Thanks for this information! I've searched the web but couldn't find a single script that does what we need. Very strange!

Lets see if I can find anything about inheritance.

[chaoticyeshua]

OK, I think I may have found why it's not picking up the inherited permissions. The group is named "NSCs - HELPDESK" but has a pre-Windows 2000 name of NET_NSC_HELPDESK... The latter is the one being picked up by $aAD_TrusteeArray. The former is found in $aAD_MemberOf. So they never match.

So, unless there's a way to check the pre-Windows 2000 name also, I may be SOL. I don't know why they set it up that way...

[chaoticyeshua]

Func _AD_HasRequiredRights($sAD_Object, $iAD_Right = 983551, $sAD_User = @UserName)
If _AD_ObjectExists($sAD_User) = 0 Then Return SetError(1, 0, 0)
If _AD_ObjectExists($sAD_Object) = 0 Then Return SetError(2, 0, 0)
If StringMid($sAD_Object, 3, 1) <> "=" Then $sAD_Object = _AD_SamAccountNameToFQDN($sAD_Object) ; sAMAccountName provided
Local $aAD_MemberOf, $aAD_TrusteeArray, $sAD_TrusteeGroup, $sAD_TrusteeArrayFQDN
$aAD_MemberOf = _AD_GetUserGroups($sAD_User, 1)
Local $oAD_Object = __AD_ObjGet("LDAP://" & $sAD_HostServer & "/" & $sAD_Object)
If IsObj($oAD_Object) Then
  Local $oAD_Security = $oAD_Object.Get("ntSecurityDescriptor")
  Local $oAD_DACL = $oAD_Security.DiscretionaryAcl
  For $oAD_ACE In $oAD_DACL
   $aAD_TrusteeArray = StringSplit($oAD_ACE.Trustee, "\")
   $sAD_TrusteeGroup = $aAD_TrusteeArray[$aAD_TrusteeArray[0]]
   If (UBound($aAD_TrusteeArray) - 1 ) = 2 And $aAD_TrusteeArray[2] = $sAD_User And BitAND($oAD_ACE.AccessMask, $iAD_Right) = $iAD_Right Then Return 1
   If (UBound($aAD_TrusteeArray) - 1 ) = 2 Then
      $sAD_TrusteeArrayFQDN = _AD_SamAccountNameToFQDN($aAD_TrusteeArray[2])
   EndIf
   For $iCount1 = 0 To UBound($aAD_MemberOf) - 1
       If StringInStr($aAD_MemberOf[$iCount1], $sAD_TrusteeArrayFQDN) And _
      BitAND($oAD_ACE.AccessMask, $iAD_Right) = $iAD_Right Then Return 1
    If StringInStr($aAD_MemberOf[$iCount1], "CN=" & $sAD_TrusteeGroup & ",") And _
      BitAND($oAD_ACE.AccessMask, $iAD_Right) = $iAD_Right Then Return 1
   Next
  Next
EndIf
Return 0
EndFunc

If you can clean this up some, this should work... I'm not a master at this but I'm trying lol

Edited January 24, 2013 by chaoticyeshua

[water]

chaoticyeshua,

I tested with a user who has full rights on an OU where I only have read access and your modifcations return the correct results! Bravo!!

Let's play a bit more with this function. If it works for other users too I will be happy to change the UDF accordingly!

[chaoticyeshua]

Sure thing. I'll do some more testing and see if I can get it to break. So far, every account I've tested has returned the proper permissions, but I've only tested with checking for full permission. I know of one way it'll break probably, and that is if you are a member of a group that is a member of a group that has permission on the object. The script is not coded to check permission for nested groups.

Edit: It works with other permissions. I confirmed that nested groups do not work. I'm not sure how to code that in, or if it's even needed (it isn't for what I'm using it for).

Edited January 28, 2013 by chaoticyeshua

[Iceman682]

; Move object
SplashTextOn("Please Standby", "Currently checking your permissions for the move", 470, 40, -1, -1, 33, "Arial", 12)
Sleep(5000)
SplashOff()
$sFQDN_User = "DomainUser"
$sFQDN_Group = "Domain Admins"
;Check the group membership of the specified user for the specified group
$iResult = _AD_IsMemberOf($sFQDN_Group, $sFQDN_User)
If $iResult = 1 Then
MsgBox(75, "Information!", "You have the required permissions to continue!", 5)
Else
MsgBox(48, "Active Directory Failure", "You do not seem to have the required permissions to move the Computer to the 'Disabled Computers OU', please call or email to have the Computer moved for you!")
_MainGUI()
EndIf
Global $sObject = _AD_GetObjectAttribute($rDisableInput & "$", "distinguishedname")
Global $sTargetOU = "OU=Disabled Computers,DC=Domain,DC=com" ;==>> Change when changing domain
Global $iValue = _AD_MoveObject($sTargetOU, $sObject)
If $iValue = 1 Then
ProgressOn("Please Wait...", "Moving to the Disabled Computers OU .", "Moving...")
For $i = 0 To 100
ProgressSet($i)
Next
ProgressSet(100, "Move Complete")
Sleep(3000)
ProgressOff()
ElseIf @error = 1 Then
MsgBox(64, "Active Directory Failure", "Unable to move '" & $rDisableInput & "' as it does not exist in Active Directory!")
ElseIf @error = 2 Then
MsgBox(64, "Active Directory Failure", "Unable to move '" & $rDisableInput & "' as it does not exist in Active Directory!")
Else
MsgBox(64, "Active Directory Failure", $rDisableInput & " is already in the' Disabled Computers OU '!")
EndIf
_AD_Close(); Close Connection to the Active Directory
_MainGUI()

Hi Water

I seem to be struggling a little.

A user that has permission to disable and change the description of an object is fine, but no permissions to move it to an OU that requires extended permissions. Is there a way to run just that part of the script with extended domain permissions?

I've tried the RunAS() and it dont work unless I'm doing it wrong.

I know that its not secure but the Credentials for this part will be hard coded with a $CALG_MD5 because we don't want to give the password out to anyone.

Thanks in advance

[water]

It depends on how you do _AD_Open.

If you do not specify any parameters the credentials of the current user are used to connect to AD.

So if you need special permissions for a part of your processing you could _AD_Close the current connection, use _AD_Open with domain admin credentials, do your processing and _AD_Close and _AD_Open with the current credentials again.

A bit complex but the UDF doesn't support multiple connections at the same time.

[Iceman682]

A bit like this?

$Username = "Adminaccount"
$Password = "Password"
_AD_Open ($Username, $Password)
etc
etc
etc
_AD_Close()

[water]

Yes. As a whole it would look like:

_AD_Open()
; Do processing with domain user permissions
_AD_Close()
$Username = "Adminaccount"
$Password = "Password"
_AD_Open ($Username, $Password)
; Do processing with domain admin permissions
_AD_Close()
_AD_Open()
; Do rest of processing with domain user permissions
_AD_Close()

[Iceman682]

Super, I'll give it a try tonight

[Iceman682]

Hi Water

Works great, many thanks

Is there a way to get the meanings of all the return codes?

i.e Return Code -2147352567 from Active Directory

Thanks again

Edited January 29, 2013 by Iceman682