a bit OT: How to determine a *DOMAIN's* SID?


Hi.

Who knows how to read the SID of the AD domain a Windows user is currently authenticated to?

I need this to assign rights to registry keys and local files for the AD group "Domain Users" = S-1-5-21domain-513, where "domain" has to be replaced by the Domain's SID.

This is how to read the SID for the local PC:

; SID of this PC. (See MS KB243330)
; The last 12 bytes of the REG_BINARY value "V" below hold the three
; sub-authorities of the machine SID, each stored as a little-endian DWORD.

$Real_SID = "S-1-5-21-274021414-1772892037-1891922755" ; newsid.exe presents that one for my PC

$key = "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account"
$Val = "V" ; assigning read rights to that key/value may be required (even for local administrators)

$String = RegRead($key, $Val) ; a REG_BINARY value is returned as a hex string

$String = StringRight($String, 12 * 2) ; get final 12 bytes (24 hex digits)
ConsoleWrite("Final 12 bytes of " & $key & ", " & $Val & " are:" & @CRLF & $String & @CRLF & @CRLF)

$Left = StringLeft($String, 8)
$Mid = StringMid($String, 8 + 1, 8)
$Right = StringRight($String, 8)

$Prefix = "S-1-5-21"
$SID = shuffle2Dec($Left) & "-" & shuffle2Dec($Mid) & "-" & shuffle2Dec($Right)

ConsoleWrite($Real_SID & @CRLF)
ConsoleWrite($Prefix & "-" & $SID & @CRLF)
ConsoleWrite(@CRLF & "This PC's SID = " & $Prefix & "-" & $SID & @CRLF)

; Reverse the byte order of one 4-byte little-endian hex group and convert it to decimal
Func shuffle2Dec($String)
    Local $l = StringLen($String), $foo = "", $i
    For $i = $l - 1 To 1 Step -2
        $foo &= StringMid($String, $i, 2)
    Next
    $foo = Dec($foo)
    ConsoleWrite($String & " = " & $foo & @CRLF & "----------------" & @CRLF)
    Return $foo
EndFunc   ;==>shuffle2Dec

Regards, Rudi.

Earth is flat, pigs can fly, and Nuclear Power is SAFE!


You could use the Active Directory UDF (for download please see my signature):

#include <AD.au3>
#include <Array.au3>

_AD_Open()
$R = _AD_GetObjectProperties(@UserName, "objectSid") ; 2D array, $R[1][1] holds the SID as text
_ArrayDisplay($R)
_AD_Close()

My UDFs and Tutorials:

UDFs:
Active Directory (NEW 2022-02-19 - Version 1.6.1.0) - Download - General Help & Support - Example Scripts - Wiki
ExcelChart (2017-07-21 - Version 0.4.0.1) - Download - General Help & Support - Example Scripts
OutlookEX (2021-11-16 - Version 1.7.0.0) - Download - General Help & Support - Example Scripts - Wiki
OutlookEX_GUI (2021-04-13 - Version 1.4.0.0) - Download
Outlook Tools (2019-07-22 - Version 0.6.0.0) - Download - General Help & Support - Wiki
PowerPoint (2021-08-31 - Version 1.5.0.0) - Download - General Help & Support - Example Scripts - Wiki
Task Scheduler (NEW 2022-07-28 - Version 1.6.0.1) - Download - General Help & Support - Wiki

Standard UDFs:
Excel - Example Scripts - Wiki
Word - Wiki

Tutorials:
ADO - Wiki
WebDriver - Wiki

 


Thanks for AD.AU3

This is just an example to demonstrate how to add NTFS / Registry rights for "Domain Users":

#include <GUIConstantsEx.au3>
#include <GUIConstants.au3>
#include "AD.au3" ; see signature of "water" above to get AD.au3

FileInstall("setacl.exe", @TempDir & "\setacl.exe", 1) ; use google to get a copy of setacl.exe

; see Microsoft KB for well-known SIDs: http://support.microsoft.com/kb/243330
; attention: currently there are errors in that KB for all entries with SID = *domain*:
;            instead of
;            SID: S-1-5-21domain-513  it should tell:
;            SID: S-1-5-21-domain-513.
;            "domain" has to be replaced with the AD-SID

Const $Dom_SID = Get_AD_SID()
If Not IsString($Dom_SID) Then Exit 1 ; domain SID could not be read, Get_AD_SID() has already shown the error
Const $SID_Dom_User = $Dom_SID & "-513" ; "Domain Users" = well-known RID 513 relative to the domain SID

Dim $LabelTxt = "Adding rights for Domain Users:" & @LF & _
        "SID for Domain Users = " & $SID_Dom_User & @LF & @LF
Dim $OK = True

#Region Create some dummy folder and registry value
Dim $TestDir = "C:\temp-123456"
DirCreate($TestDir)

$RegKey = "HKLM\Software\MyTestKey"
$RegVal = "MyTestVal"
$RegType = "REG_SZ"
$RegValue = "I'm just a value, leave me alone!"
RegWrite($RegKey, $RegVal, $RegType, $RegValue)
#EndRegion Create some dummy folder and registry value

; [0][0] = number of entries, then one row per object: path, SetACL object type ("file" or "reg")
Dim $RightsArr[3][2] = [[2], _
        [$TestDir, "file"], _
        [$RegKey, "reg"]]

$w = 450
$h = 250
GUICreate("adding test rights", $w, $h)
$Label = GUICtrlCreateLabel($LabelTxt, 20, 20, $w - 40, $h - 80)
$Exit = GUICtrlCreateButton("Close", $w / 2 - 30, $h - 50, 60, 30)
GUICtrlSetState(-1, $GUI_DISABLE)
GUISetState(@SW_SHOW)

SetRights($RightsArr, $SID_Dom_User)

If $OK Then
    $LabelTxt &= @LF & @LF & "Done."
    GUICtrlSetData($Label, $LabelTxt)
Else
    $LabelTxt &= @LF & "Error:" & @LF & "Not all rights could be added!"
    GUICtrlSetData($Label, $LabelTxt)
EndIf

GUICtrlSetState($Exit, $GUI_ENABLE)
While 1
    $msg = GUIGetMsg()
    Select
        Case $msg = $GUI_EVENT_CLOSE
            Exit
        Case $msg = $Exit
            Exit
    EndSelect
    Sleep(20)
WEnd

; Grant full control to the trustee $SID on every object listed in $LocalArr using SetACL
Func SetRights($LocalArr, $SID)
    Local $i, $result
    For $i = 1 To $LocalArr[0][0]
        $LabelTxt &= $LocalArr[$i][0] & " : "
        GUICtrlSetData($Label, $LabelTxt)
        ; -ace "n:<SID>;p:full;s:y": trustee given as a SID (s:y), permission "full"
        $result = RunWait(@TempDir & '\setacl.exe -on "' & $LocalArr[$i][0] & '" -ot ' & $LocalArr[$i][1] & ' -actn ace -ace "n:' & $SID & ';p:full;s:y"', "", @SW_HIDE)
        If $result = 0 Then
            $LabelTxt &= "OK." & @LF
            GUICtrlSetData($Label, $LabelTxt)
        Else
            $OK = False
            $LabelTxt &= "SetACL.EXE Error: " & $result & @LF
            GUICtrlSetData($Label, $LabelTxt)
        EndIf
    Next
EndFunc   ;==>SetRights

; Domain SID = objectSid of the current user with the trailing RID (last "-nnn") stripped
Func Get_AD_SID()
    _AD_Open()
    Local $R = _AD_GetObjectProperties(@UserName, "objectSid")
    Local $Err = @error
    Local $Ext = @extended
    Local $Dom, $S
    _AD_Close()
    If IsArray($R) Then
        $S = $R[1][1]
        $Dom = StringLeft($S, StringInStr($S, "-", 0, -1) - 1)
        Return $Dom
    Else
        MsgBox(48, "Error reading AD-SID for @Username", "@Error = " & $Err & @LF & "@Extended = " & $Ext)
        Return False
    EndIf
EndFunc   ;==>Get_AD_SID

Regards, Rudi.


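Both techniques in this thread (the SAM "V" value and the objectSid minus its RID) come down to decoding the binary SID layout. The following is an added example, not code from either post or from the AD UDF, written in Python rather than AutoIt so it can be tried anywhere; the sample objectSid and SAM "V" value are constructed from the machine SID quoted in the first post, and the RID 1103 is made up.

```python
import struct

# Constructed sample data (not from the posts above): a user objectSid with RID 1103 in the
# domain whose SID the first post quotes, and a fake SAM "V" value whose last 12 bytes carry
# that machine's three sub-authorities (only the tail of the real value matters).
DOMAIN_SUBS = (274021414, 1772892037, 1891922755)
SAMPLE_USER_OBJECTSID = (bytes([1, 5]) + (5).to_bytes(6, "big")
                         + struct.pack("<5I", 21, *DOMAIN_SUBS, 1103))
SAMPLE_SAM_V_HEX = "00" * 12 + struct.pack("<3I", *DOMAIN_SUBS).hex()


def sid_bytes_to_string(data):
    """Decode the binary SID structure LDAP returns for objectSid into S-R-A-... text."""
    if len(data) < 8:
        raise ValueError("SID too short")
    revision, count = data[0], data[1]
    if revision != 1 or len(data) != 8 + 4 * count:
        raise ValueError("malformed SID")
    authority = int.from_bytes(data[2:8], "big")        # 48-bit identifier authority, big-endian
    subs = struct.unpack_from("<%dI" % count, data, 8)   # sub-authorities, little-endian DWORDs
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def domain_sid_from_account_sid(sid):
    """Drop the trailing RID: an account's SID minus its last component is the domain SID."""
    parts = sid.split("-")
    if len(parts) < 8 or parts[:4] != ["S", "1", "5", "21"]:
        raise ValueError("not a domain-relative SID: " + sid)
    return "-".join(parts[:-1])


def machine_sid_from_sam_v(v_hex):
    """Machine SID from the last 12 bytes of HKLM\\SAM\\SAM\\Domains\\Account\\V (KB243330):
    three little-endian DWORDs, the same byte shuffle shuffle2Dec does in the first post."""
    tail = bytes.fromhex(v_hex)[-12:]
    return "S-1-5-21-%d-%d-%d" % struct.unpack("<3I", tail)


def domain_users_sid(domain_sid):
    """'Domain Users' is well-known RID 513 relative to the domain SID: S-1-5-21-domain-513."""
    return domain_sid + "-513"


if __name__ == "__main__":
    user = sid_bytes_to_string(SAMPLE_USER_OBJECTSID)
    print("user SID    :", user)
    print("domain SID  :", domain_sid_from_account_sid(user))
    print("machine SID :", machine_sid_from_sam_v(SAMPLE_SAM_V_HEX))
    print("Domain Users:", domain_users_sid(domain_sid_from_account_sid(user)))
```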
