Active Directory UDF

water · November 2, 2016

You can pass the property to return to _AD_GetObjectProperties as well. The property seems to be encoded and only _AD_GetObjectProperties does the decoding for you.

Surf243 · November 3, 2016

22 hours ago, Lazegalli said:

I want to read the Value of the AD Attribute "ms-Mcs-AdmPwd" with the Function "_AD_GetObjectAttribute()". Sadly I always get an empty Value, although the Attribute is filled and @error is zero. If I call the Function "_AD_GetObjectProperties()" to get all Attributes, the Values are shown properly.

Hi @Lazegalli, It just so happens I created some functions for my script that you may find helpful.

It gets the Local Admin Password and checks the expiration time. Everything outputs to the console. Feel free to use/modify to your liking.

#include <AD.au3>
#include <Array.au3>
#include <Date.au3>

Global $g_iAdminTime
Global $g_sAdminPwd

_Get_Local_Admin()

Func _Get_Local_Admin()
    Local $aProperties, $aType[4] = ["3", "h", "n", "s"]
    Local $iDateCalc, $iAdminTime

    If @UserName = "Administrator" Then Return False

    _AD_Open()
    If @error Then
        _ArrayDisplay(_AD_GetLastADSIError(), "Error: _AD_Open", Default, 32)
    Else
        $aProperties = _AD_GetObjectProperties(@ComputerName & "$", "ms-Mcs-AdmPwd,ms-Mcs-AdmPwdExpirationTime")
        If Not @error Then
            $g_sAdminPwd = $aProperties[1][1]
            $g_iAdminTime = _Epoch2Date($aProperties[2][1])
            $iAdminTime = _SwapDate($g_iAdminTime)
            ConsoleWrite(@ComputerName & "\Administrator" & @CRLF & $g_sAdminPwd & @CRLF & @CRLF)

            For $i = 1 To $aType[0]
                $iDateCalc = _DateDiff($aType[$i], _NowCalcDate() & " " & _NowTime(5), $iAdminTime)
                ConsoleWrite("Type: " & $aType[$i] & @CRLF & "_NowCalcDate: " & _NowCalcDate() & " " & _NowTime(5) & @CRLF & "$iAdminTime:  " & _
                    $iAdminTime & @CRLF & "$g_iAdminTime: " & $g_iAdminTime & @CRLF)
                If Not @error Then
                    Switch $iDateCalc
                        Case 0
                            If $i <> $aType[0] Then
                                ContinueLoop
                            Else
                                ExitLoop
                            EndIf
                        Case Else
                            ConsoleWrite("Time Left: " & $iDateCalc & " " & $aType[$i] & @CRLF & "$g_iAdminTime: " & $g_iAdminTime & @CRLF)
                            ExitLoop
                    EndSwitch
                Else
                    ConsoleWrite("_DateDiff Error:" & @error & @CRLF)
                    ExitLoop
                EndIf
            Next
        Else
            ;|1 - $vObject could not be found
            ;|2 - No values for the specified property. The property in error is returned as the function result
            ;|3 - Error retrieving $vObject. @Extended is set to the error returned by LDAP
            ConsoleWrite("_AD_GetObjectProperties() Error: " & @error & @CRLF)
        EndIf
    EndIf
    _AD_Close()
EndFunc   ;==>__Get_Local_Admin

Func _SwapDate($iTime)
    Local $aMyDate, $aMyTime

    $iTime = StringStripWS($iTime, 2)
    Local $sAMPM = StringRight($iTime, 2)
    _DateTimeSplit($iTime, $aMyDate, $aMyTime)

    If $sAMPM = "PM" Then
        $aMyTime[1] += 12
    ElseIf $sAMPM = "AM" Then
        $aMyTime[1] = "0" & $aMyTime[1]
    EndIf

    For $i = 1 To $aMyDate[0]
        If StringLen($aMyDate[$i]) = 1 Then $aMyDate[$i] = "0" & $aMyDate[$i]
    Next

    For $i = 1 To $aMyTime[0]
        If StringLen($aMyTime[$i]) = 1 Then $aMyTime[$i] = "0" & $aMyTime[$i]
    Next

    Local $sMyTime = $aMyDate[3] & "/" & $aMyDate[1] & "/" & $aMyDate[2] & " " & $aMyTime[1] & ":" & $aMyTime[2] & ":" & $aMyTime[3]
    Return $sMyTime
EndFunc   ;==>SwapDate

Func _Epoch2Date($iTime)
    Local $sOutput = ""
    Local $iPID = Run(@ComSpec & " /c " & "w32tm.exe /ntte " & $iTime, "", @SW_HIDE, 2)
    While 1
        $sOutput &= StdoutRead($iPID)
        If @error Then ExitLoop
    WEnd
    $sOutput = StringSplit($sOutput, " - ", 2 + 1)
    Return $sOutput[1]
EndFunc   ;==>Epoch2Date

_Get_Local_Admin.au3

Lazegalli · November 7, 2016

@Water, Surf243:

Thank you both. This works like a charm.

water · November 7, 2016

Lazegalli · November 7, 2016

@water:

I've changed the case "$ADSTYPE_LARGE_INTEGER" in Function "_AD_GetObjectProperties()" and added $sPropertyName = "ms-Mcs-AdmPwdExpirationTime" so I'll get a readable Date Format. Maybe this could be a general improvement for the next version.

@ Surf243 :

Your Function _Epoch2Date is good, but way too slow if you'll execute it on thousends of AD Objects! Additionally it ends in an infinite loop sometimes.

Edited November 7, 2016 by Lazegalli

water · November 7, 2016

Done

legend · November 7, 2016

1 hour ago, water said:

Done

sorry for my dumb question, but what is done :)?

water · November 7, 2016

I referred to Lazegalli's request to add "ms-Mcs-AdmPwdExpirationTime" to _AD_GetObjectProperties.

mko · November 25, 2016

@All

For Migration issue i needed a function which shows the SID friendly name

_AD_GetObjectAttribute($object, "objectSID")
returns a value like this: 0x01020000000000052000000022020000

"Friendly Name" would be like this "S-1-5-32-546"

Maybe someone helps this...

#cs ----------------------------------------------------------------------------
    AutoIt Version: 3.3.14.2
    Author:         Martin Koeberle
    Script Function: Example for _AD_GetObjectSID
#ce ----------------------------------------------------------------------------

#include <AD.au3>

Local $iObject, $l_SID

_AD_Open()

$iObject = InputBox("AD Object", "Login / Groupname", "", "", 170, 130)

If $iObject = "" Then Exit

$l_SID = _AD_GetObjectSID($iObject)

If $l_SID <> "" Then
    MsgBox(64, "SID of " & $iObject, $l_SID)
    ClipPut($l_SID)
Else
    MsgBox(16, "Error", "Function _AD_GetObjectSID encountered a problem. @error = " & @error & ", @extended = " & @extended)
EndIf

_AD_Close()

; #FUNCTION# ====================================================================================================================
; Name...........: _AD_GetObjectSID
; Description ...: Returns SID friendly name of a object
; Syntax.........: _AD_GetObjectSID($sObject)
; Parameters ....: $sObject - sAMAccountName or FQDN of the object the SID attribute should be retrieved from
; Return values .: Success - friendly name of SID
;                  Failure - "", sets @error to:
;                  |x - @error as set by function _AD_GetObjectAttribute
; Author ........: Martin Koeberle
; Remarks .......: Returns a SID like "S-1-5-32-546"
; ===============================================================================================================================

Func _AD_GetObjectSID($sObject)

    Local $l_SID_Hex, $l_SID, $l_No_of_groups
    Local $i, $j, $l_pos, $l_tmp

    $l_SID_Hex = _AD_GetObjectAttribute($sObject, "objectSID")
    If @error Then Return SetError(@error, @extended, "")
    ;Returns a Value like...
    ;0x0105000000000005150000003181E19BFC7F51A41EC4559907050000
    ;0x01020000000000052000000022020000

    $l_SID = "S-"

    ;Version
    $l_tmp = StringMid($l_SID_Hex, 03, 2)

    $l_SID &= Dec($l_tmp) & "-"

    ;Number of groups
    $l_tmp = StringMid($l_SID_Hex, 05, 2)
    $l_No_of_groups = Dec($l_tmp)

    ;Constante Big-Endian (6 Bytes A 2 Hexdigits from left to right)
    $l_pos = 7
    $l_tmp = StringMid($l_SID_Hex, $l_pos, 12)
    $l_SID &= Dec($l_tmp, 2) & "-"
    $l_pos = $l_pos + 12

    ;Get Groups Little Endian (4 Bytes from right to left)
    For $i = 1 To $l_No_of_groups
        $l_tmp = ""
        ;Next 4 Bytes
        For $j = 1 To 4
            $l_tmp = StringMid($l_SID_Hex, $l_pos, 2) & $l_tmp
            $l_pos = $l_pos + 2
        Next
        $l_SID &= Dec($l_tmp, 2)
        If $i < $l_No_of_groups Then $l_SID &= "-"
    Next

    Return ($l_SID)
EndFunc   ;==>_AD_GetObjectSID

Edited November 25, 2016 by mko
improvement

water · November 25, 2016

Function _AD_GetObjectProperties already returns the friendly name

mko · November 25, 2016

Yes, Thank you for the hint !

_AD_GetObjectProperties(@UserName,"objectSID")

Manny Work for nothing

water · November 25, 2016

I'm sure you've learned a lot about the internals of Active Directory

legend · November 30, 2016

When running the script, is there a way to check from a normal domain user to make a check on itself (the current logged in user) if it's

domain administrator or not?

Let's say I'm just a normal domain user, and i run the script, it will popup saying: Your not a domain admin.

I know i can just check if the user is a member of a specific group, but that's not an option, as it's a tool i want to use in multiple AD's without knowing the group name

Edited November 30, 2016 by legend

water · November 30, 2016

Sure:

$iResult = _AD_IsMemberOf("Domain Admins", "Your User name to check")

$iResult:

Success - 1, Specified object (user, group, computer) is a member of the specified group
Failure - 0, @error set
0 - $sObject is not a member of $sGroup
1 - $sGroup does not exist
2 - $sObject does not exist

legend · December 14, 2016

Is it just me or does _AD_GetObjectAttribute only works for user objects and not for machine objects?

_AD_GetObjectAttribute($machine_name, "extensionAttribute2")

but a user works fine:

_AD_GetObjectAttribute($username, "extensionAttribute2")

Edited December 14, 2016 by legend

water · December 14, 2016

Did you add a "$" at the end of the machine object?
To get information about your computer you need to use:

#include <AD.au3>
_AD_Open()
If @error Then Exit MsgBox(16, "Active Directory Example Skript", "Function _AD_Open encountered a problem. @error = " & @error & ", @extended = " & @extended)
Global $sResult = _AD_GetObjectAttribute(@Computername & "$", "extensionAttribute2")
If @error Then Exit MsgBox(16, "Active Directory Example Skript", "Function _AD_GetObjectAttribute encountered a problem. @error = " & @error & ", @extended = " & @extended)
MsgBox(16, "Active Directory Example Skript", "Value is: " & $sResult)

legend · December 14, 2016

1 hour ago, water said:

Did you add a "$" at the end of the machine object?
To get information about your computer you need to use:

#include <AD.au3>
_AD_Open()
If @error Then Exit MsgBox(16, "Active Directory Example Skript", "Function _AD_Open encountered a problem. @error = " & @error & ", @extended = " & @extended)
Global $sResult = _AD_GetObjectAttribute(@Computername & "$", "extensionAttribute2")
If @error Then Exit MsgBox(16, "Active Directory Example Skript", "Function _AD_GetObjectAttribute encountered a problem. @error = " & @error & ", @extended = " & @extended)
MsgBox(16, "Active Directory Example Skript", "Value is: " & $sResult)

thank's that solved it

water · December 14, 2016

Such details can be found in the wiki

water · December 14, 2016

As the Active Directory UDF thread has grown too big, I start a new one.
The new thread can be found here.

Sign In

Active Directory UDF

Recommended Posts

water

Top Posters In This Topic

Top Posters In This Topic

Popular Posts

water

BrewManNH

mnorland

Posted Images

Surf243

Lazegalli

water

Lazegalli

water

legend

water

mko

water

mko

water

legend

water

legend

water

legend

water

water

Browse

AutoIt Resources

Release

Beta