Active Directory UDF

water · March 3, 2016

Glad you like the UDF

mlazovjp · March 7, 2016

I am trying to compile the example scripts _AD_JoinDomain.au3 and _AD_GetObjectProperties.au3 but Scite keeps giving me the following warnings and does not compile.

C:\autoit\Includes\AD_1.4.3.0\AD.au3"(3830,27) : warning: $iResult2: declared, but not used in func.
    Local $iResult, $iResult2,
    ~~~~~~~~~~~~~~~~~~~~~~~~~^
C:\autoit\Includes\AD_1.4.3.0\_AD_JoinDomain.au3 - 0 error(s), 1 warning(s)

The strange thing is that from what I can tell, $iResult2 IS used in that function. I even added the line "$iResult2 = 0" about 5-6 lines down to force it being used just to see what would happen but it still reports the same warning.

I am running AutoIt v3.3.14.2 and your AD UDF v1.4.3.0

Func _AD_UnJoinDomain($sComputer = @ComputerName, $sWorkgroup = "", $sUserParam = "", $sPasswordParam = "")

    Local $NETSETUP_ACCT_DELETE = 4 ; According to MS it should be 2 but only 4 works
    If _AD_ObjectExists($sComputer & "$") = 0 Then Return SetError(1, 0, 0)
    Local $iResult, $iResult2, $sUnJoinUser, $sUnJoinPassword, $aTempUser
    $iResult2 = 0
    Local $sDomainName = StringReplace(StringReplace($sAD_DNSDomain, "DC=", ""), ",", ".")
    ; Create WMI object
    Local $oComputer = ObjGet("winmgmts:{impersonationLevel=Impersonate}!\\" & $sComputer & "\root\cimv2:Win32_ComputerSystem.Name='" & $sComputer & "'")
    If @error Or Not IsObj($oComputer) Then Return SetError(3, @error, 0)
    If $oComputer.Domain <> $sDomainName Then Return SetError(4, 0, 0)
    ; Unjoin domain. We use NetBiosName: domain\user
    If $sUserParam <> "" Then
        $sUnJoinPassword = $sPasswordParam
        $sUnJoinUser = $sUserParam
        If StringInStr($sUserParam, "\") = 0 And StringInStr($sUserParam, "@") = 0 Then ; Windows login name has been passed. Create a NetBiosName out of it
            If _AD_ObjectExists($sUserParam) = 0 Then Return SetError(2, 0, 0)
            $sUnJoinUser = $sDomainName & "\" & $sUserParam
        ElseIf StringInStr($sUserParam, "@") <> 0 Then ; User principal name has been passed. Create a NetBiosName out of it
            $aTempUser = StringSplit($sUserParam, "@")
            If _AD_ObjectExists($aTempUser[1]) = 0 Then Return SetError(2, 0, 0)
            $sUnJoinUser = $sDomainName & "\" & $aTempUser[1]
        Else ; NetBios name has been passed
            $aTempUser = StringSplit($sUserParam, "\")
            If _AD_ObjectExists($aTempUser[2]) = 0 Then Return SetError(2, 0, 0)
        EndIf
    ElseIf $sAD_UserId <> "" Then
        $sUnJoinPassword = $sAD_Password
        $sUnJoinUser = $sAD_UserId
        If StringInStr($sAD_UserId, "\") = 0 And StringInStr($sAD_UserId, "@") = 0 Then
            $sUnJoinUser = $sDomainName & "\" & $sAD_UserId ; Windows login name has been passed. Create a NetBiosName out of it
        ElseIf StringInStr($sAD_UserId, "@") <> 0 Then ; User principal name has been passed. Create a NetBiosName out of it
            $aTempUser = StringSplit($sAD_UserId, "@")
            $sUnJoinUser = $sDomainName & "\" & $aTempUser[1]
        EndIf
    Else
        $sUnJoinPassword = Default
        $sUnJoinUser = Default
    EndIf
    ; UnJoin domain
    $iResult = $oComputer.UnjoinDomainOrWorkGroup($sUnJoinPassword, $sUnJoinUser, $NETSETUP_ACCT_DELETE)
    If $iResult <> 0 Then Return SetError(5, $iResult, 0)
    ; Move unjoined computer to another workgroup
    If $sWorkgroup <> "" Then
        $iResult = $oComputer.JoinDomainOrWorkGroup($sWorkgroup, Default, Default, Default, Default)
        If $iResult <> 0 Then Return SetError(6, $iResult, 0)
    EndIf
    Return 1

EndFunc   ;==>_AD_UnJoinDomain

water · March 7, 2016

Simply remove $iResult2 from this line as it isn't used anywhere in the function.
That's a bug in 1.4.3.0 which I already have fixed in the upcoming 1.4.4.0.

supersonic · April 25, 2016

water,

maybe a bug (curr. release)?

"D:\SUPERSONIC\_\AUTOIT\Include\Water\AD_01.04.03.00\AD.au3"(3830,27) : warning: $iResult2: declared, but not used in func.
Local $iResult, $iResult2,
~~~~~~~~~~~~~~~~~~~~~~~~~^

Edited April 25, 2016 by supersonic

water · April 25, 2016

Please check post #1363 above

supersonic · April 25, 2016

Oops! My fault. Too early in the morning...

colombeen · May 2, 2016

I have 2 things I'd like to ask/point out

1) How can I check if I have read/write access to a specific field of an object? I need to check if a user can read ms-MCS-AdmPwd & ms-MCS-AdmPwdExpirationTime . I've checked the examples but couldn't find anything. if anyone needs more info => Google LAPS (local admin password solution)

2) the join domain function... it uses wmi to switch the domain but how can it work when the person who is trying to add the system to AD is using a network account and the system you are trying to add will only have local accounts at that point. you should be able to provide a local user/pass for the wmi connection...

question 1 is the most important one for me at this point.

thx

Edited May 2, 2016 by colombeen

water · May 2, 2016

I don't know if you can check read permissions for a single property.
I would try it the other way round: Read the properties and if you get an error/no result then the permission is missing.

colombeen · May 2, 2016

4 minutes ago, water said:

I don't know if you can check read permissions for a single property.
I would try it the other way round: Read the properties and if you get an error/no result then the permission is missing.

hi water

in this example they show if you can read it but i don't know if you can use this to check with AD udf.

https://blog.netspi.com/running-laps-around-cleartext-passwords/

=> Script Usage and Output section

water · May 2, 2016

You could run the _AD_GetObjectProperties example script and query a user with this additional properties. The example returns a list of all properties.
Run this script with the credentials for a user with and without the permission to read this properties.

What do you get?

colombeen · May 2, 2016

28 minutes ago, water said:

You could run the _AD_GetObjectProperties example script and query a user with this additional properties. The example returns a list of all properties.
Run this script with the credentials for a user with and without the permission to read this properties.

What do you get?

I'm still checking. so far i just don't see the property appear when I use an account that doesn't have read rights on the specific property

does your function return "" or null when it's empty? if empty is Always "" and unreadable is Always null I know how to check it

strange thing is that i can read the password expiration date in the _arraydisplay but when i just get it with a query it returns null :-s

So this return nothing for the exp date

$AD_comp_query = _AD_GetObjectsInOU("", "(&(objectcategory=computer)(objectclass=computer)(sAMAccountName=" & $CompName & "$" & "))", 2, _
    "name,dnshostname,objectclass,operatingsystem,operatingsystemservicepack,operatingsystemversion,whencreated,whenchanged,lastlogon,canonicalname,ms-Mcs-AdmPwd,ms-Mcs-AdmPwdExpirationTime", "displayname")

but this shows the exp time for the same object

#include <AD.au3>

_AD_Open()
If @error Then Exit MsgBox(16, "Active Directory Example Skript", "Function _AD_Open encountered a problem. @error = " & @error & ", @extended = " & @extended)

$aProperties = _AD_GetObjectProperties("NBGEN51730$")
_ArrayDisplay($aProperties, "Active Directory Functions - Example 1 - Properties for user '" & @ComputerName & "'")

Edited May 2, 2016 by colombeen

water · May 2, 2016

Version 1.4.4.0 of the UDF has been released.

Enhanced performance in function _AD_GetObjectProperties

Please test before using in production!
For download please see my signature.

water · May 2, 2016

The problem is caused by _AD_GetObjectsInOU. This function does not translate the values into a readable format, _AD_GetObjectProperties does.
I just released version 1.4.4.0 of the AD UDF which enhances performance of function _AD_GetObjectProperties.

colombeen · May 2, 2016

8 minutes ago, water said:

The problem is caused by _AD_GetObjectsInOU. This function does not translate the values into a readable format, _AD_GetObjectProperties does.
I just released version 1.4.4.0 of the AD UDF which enhances performance of function _AD_GetObjectProperties.

isn't there an easier way to convert it into an integer without changing a big piece of my script?

something like $Array[1][11].toInteger of something

Edited May 2, 2016 by colombeen

water · May 2, 2016

Quote

something like $Array[1][11].toInteger of something

Unfortunately not. The problem is caused by the RecordSet being a local variable so it is dropped as soon as the function ends. Hence the ToInteger method is no longer available.
This problem has been discussed a few times and yet there is no simple and fast solution.

_AD_GetObjectsInOU is only needed if you retrieve more than a single record. Use _AD_GetObjectProperties to retrieve all (needed) properties for a single record.

colombeen · May 2, 2016

when i use _ad_getobjectproperties for "ms-MCS-AdmPwd" then it returns this : Has the unknown ADsType: 4

with _AD_GetObjectsInOU it just showed me the password (which is a cleartext string)

that should be : ADSTYPE_PRINTABLE_STRING = 4,
https://msdn.microsoft.com/en-us/library/aa772240(v=vs.85).aspx

Edited May 2, 2016 by colombeen

water · May 2, 2016

That's an ADSType that currently isn't handled by the function.
Does it work when you modify

Case $ADSTYPE_CASE_IGNORE_STRING
                    $aObjectProperties[$iPropertyRecord][1] = $vPropertyValue.CaseIgnoreString

to

Case $ADSTYPE_CASE_IGNORE_STRING, $ADSTYPE_PRINTABLE_STRING
                    $aObjectProperties[$iPropertyRecord][1] = $vPropertyValue.CaseIgnoreString

?

colombeen · May 2, 2016

11 minutes ago, water said:

That's an ADSType that currently isn't handled by the function.
Does it work when you modify

Case $ADSTYPE_CASE_IGNORE_STRING
                    $aObjectProperties[$iPropertyRecord][1] = $vPropertyValue.CaseIgnoreString

to

Case $ADSTYPE_CASE_IGNORE_STRING, $ADSTYPE_PRINTABLE_STRING
                    $aObjectProperties[$iPropertyRecord][1] = $vPropertyValue.CaseIgnoreString

?

is this a new part in the UDF? still working with the previous version

water · May 2, 2016

Correct, version 1.4.4.0 has been restructured here to enhance performance.
1.4.3.0 should be:

If $oItem.ADsType = $ADSTYPE_CASE_IGNORE_STRING Or $oItem.ADsType = $ADSTYPE_PRINTABLE_STRING Then
                    $aObjectProperties[$iCount3][1] = $vPropertyValue.CaseIgnoreString

Edited May 2, 2016 by water

colombeen · May 2, 2016

19 minutes ago, water said:

Correct, version 1.4.4.0 has been restructured here to enhance performance.
1.4.3.0 should be:

If $oItem.ADsType = $ADSTYPE_CASE_IGNORE_STRING Or $oItem.ADsType = $ADSTYPE_PRINTABLE_STRING Then
                    $aObjectProperties[$iCount3][1] = $vPropertyValue.CaseIgnoreString

$ADSTYPE_PRINTABLE_STRING wasn't defined but I added it

now testing with your suggested changes

Sign In

Active Directory UDF

Recommended Posts

water

Top Posters In This Topic

Top Posters In This Topic

Popular Posts

water

BrewManNH

mnorland

Posted Images

mlazovjp

water

supersonic

water

supersonic

colombeen

water

colombeen

water

colombeen

water

water

colombeen

water

colombeen

water

colombeen

water

colombeen

Similar Content

adding a variable inside a PowerShell command

AD - Active Directory UDF

Compare Active Directory Groups

Using the PowerShell Group Policy Module with AutoIt

Active Directory - Need to search where user is/was logged

Browse

AutoIt Resources

Release

Beta