AD authentication

shaunexe · October 25, 2012

Hi

myself and a collegue have been having difficulties getting this little script working. All it is supposed to do is authenticate the user to AD then check they are a memeber of a certain and if they are log the user name and open IE. We don't appear to be having much luck with this and hoped somebody could help.

#include <file.au3>
#include <AD.au3>
#include <GuiConstants.au3>
#include <EditConstants.au3>

Global $Susername, $Spassword

$gui = GuiCreate("Authenticate",120,170)

GUICtrlCreateLabel("Username:",10,10,50,20)
$Susername = GUICtrlCreateInput("",10,35,100,20)
GUICtrlCreateLabel("Password:",10,70,50,20)
$Spassword = GUICtrlCreateInput("",10,95,100,20,$ES_PASSWORD)


$go = GuiCtrlCreateButton("OK",10,130,50,25)
$cancel = GuiCtrlCreateButton("Cancel",60,130,50,25)

GUISetState()

Do
$msg = GUIGetMsg()

If $msg = $go Then



_AD_Open(GUICtrlRead($Susername), GUICtrlRead($Spassword))
_AD_Open()
If _AD_IsMemberOf("") <> 1 Then
;MsgBox(0,"AD","Error " & @error " returned by _AD_Open.") ; Invalid userid/password etc.
MsgBox(64, "Authentication Failed", "Try Again!")
Exit
Endif

_AD_Close()
; Output Username to a log file with date and time
_FileWriteLog(@ScriptDir & "Username.log", GUICtrlRead($Susername))

ShellExecute("C:\Program Files\Internet Explorer\iexplore.exe")

EndIf

If $msg = $cancel Then
Exit
EndIf

Until GUIGetMsg() = $GUI_EVENT_CLOSE
GuiDelete($gui)

Thanks

water · October 25, 2012

This should work. Set variable $sGroup to the group you want to check membership:

#include <file.au3>
#include <AD.au3>
#include <GuiConstants.au3>
#include <ButtonConstants.au3>
#include <EditConstants.au3>

_AD_ErrorNotify(2)
Global $hUserName, $hPassword, $sUserName, $sPassword, $sGroup = "Test"
$gui = GUICreate("Authenticate", 120, 170)
GUICtrlCreateLabel("Username:", 10, 10, 50, 20)
$hUserName = GUICtrlCreateInput("", 10, 35, 100, 20)
GUICtrlCreateLabel("Password:", 10, 70, 50, 20)
$hPassword = GUICtrlCreateInput("", 10, 95, 100, 20, $ES_PASSWORD)
$go = GUICtrlCreateButton("OK", 10, 130, 50, 25, $BS_DEFPUSHBUTTON)
$cancel = GUICtrlCreateButton("Cancel", 60, 130, 50, 25)
GUISetState()
While 1
    $msg = GUIGetMsg()
    Switch $msg
        Case $go
            $sUserName = GUICtrlRead($hUserName)
            $sPassword = GUICtrlRead($hPassword)
            _AD_Open($sUserName, $sPassword)
            If @error Then
                MsgBox(64, "Error", "Authentication Failed! Try again!" & @CRLF & "@error: " & @error & ", @extended: " & @extended)
                Exit
            ElseIf _AD_IsMemberOf($sGroup) <> 1 Then
                MsgBox(64, "Error", "User is not member of group '" & $sGroup & "'!" & @CRLF & "@error: " & @error & ", @extended: " & @extended)
                _AD_Close()
                Exit
            EndIf
            _AD_Close()
        ; Output Username to a log file with date and time
;        _FileWriteLog(@ScriptDir & "Username.log", GUICtrlRead($hUserName))
;        ShellExecute("C:\Program Files\Internet Explorer\iexplore.exe")
        Case $cancel, $GUI_EVENT_CLOSE
            Exit
    EndSwitch
WEnd
GUIDelete($gui)

shaunexe · October 25, 2012

Hi

still not working, even tried the put in the full path to the group and failed. It does appear to be authenticating as if I test with incorrect password it gives the authentication failure error.

water · October 25, 2012

What's the exact @error and @extended values you get?

shaunexe · October 25, 2012

@error:0 @extended:0 that's just using membership of Domain Users.

water · October 25, 2012

You have to pass the username to function _AD_IsMemberOf as parameter 2 (samaccountname or FQDN). And if you want to check the primary group you have to set parameter 3 to True (because in AD primary groups have no members - so the membership check has to be done differently).

Or you could use function _AD_GetUserPrimaryGroup to check for the primary group of the user.

shaunexe · October 25, 2012

Sorry you have lost me on that one?

water · October 25, 2012

Your current script allows to enter any user name plus this users password. You then connect to the AD with this credentials.

But function _AD_IsMemberOf - as you use it right now - uses the current user name (the user logged on to the computer) to check the membership.

That's why you have to pass the username to the function.

Every user has a primary group he is assigned to. You can query the members of every group but not the primary group for performance reasons (limitation of AD).

That's why you need parameter 3 if you want to check the primary group.

water · October 25, 2012

Something like this:

#include <file.au3>
#include <AD.au3>
#include <GuiConstants.au3>
#include <ButtonConstants.au3>
#include <EditConstants.au3>

_AD_ErrorNotify(2)
Global $hUserName, $hPassword, $sUserName, $sPassword, $sGroup = "Domain Users"
$gui = GUICreate("Authenticate", 120, 170)
GUICtrlCreateLabel("Username:", 10, 10, 50, 20)
$hUserName = GUICtrlCreateInput("", 10, 35, 100, 20)
GUICtrlCreateLabel("Password:", 10, 70, 50, 20)
$hPassword = GUICtrlCreateInput("", 10, 95, 100, 20, $ES_PASSWORD)
$go = GUICtrlCreateButton("OK", 10, 130, 50, 25, $BS_DEFPUSHBUTTON)
$cancel = GUICtrlCreateButton("Cancel", 60, 130, 50, 25)
GUISetState()
While 1
    $msg = GUIGetMsg()
    Switch $msg
        Case $go
            $sUserName = GUICtrlRead($hUserName)
            $sPassword = GUICtrlRead($hPassword)
            _AD_Open($sUserName, $sPassword)
            If @error Then
                MsgBox(64, "Error", "Authentication Failed! Try again!" & @CRLF & "@error: " & @error & ", @extended: " & @extended)
                Exit
            ElseIf _AD_IsMemberOf($sGroup, $sUserName, True) <> 1 Then
                MsgBox(64, "Error", "User is not member of group '" & $sGroup & "'!" & @CRLF & "@error: " & @error & ", @extended: " & @extended)
                _AD_Close()
                Exit
            EndIf
            _AD_Close()
        ; Output Username to a log file with date and time
        _FileWriteLog(@ScriptDir & "Username.log", $sUserName)
        ShellExecute("C:\Program Files\Internet Explorer\iexplore.exe")
        Case $cancel, $GUI_EVENT_CLOSE
            Exit
    EndSwitch
WEnd
GUIDelete($gui)

shaunexe · October 25, 2012

That's great thanks very much.

water · November 20, 2018

On 25.10.2012 at 10:07 AM, shaunexe said:

_AD_Open(GUICtrlRead($Susername), GUICtrlRead($Spassword)) _AD_Open()

The script calls _AD_Opn twice, which does not make sense.
Could you please try the _AD_Open.au3 example script which comes with the AD UDF?

amdinside · March 31, 2021

goes great.

it is also possible to query two or more AD Groups GROUPS
i tried it, but i didn´t get it works.

Quote

#Region ;**** Directives created by AutoIt3Wrapper_GUI ****
#AutoIt3Wrapper_Icon=..\Program Files (x86)\AutoIt3\_ICOS\924.ico
#EndRegion ;**** Directives created by AutoIt3Wrapper_GUI ****
#include <file.au3>
#include <AD.au3>
#include <GuiConstants.au3>
#include <ButtonConstants.au3>
#include <EditConstants.au3>

_AD_ErrorNotify(2)
Global $hUserName, $hPassword, $sUserName, $sPassword, $sGroup1 = "Group1", $sGroup2 = "Group2"
$gui = GUICreate("Authenticate", 120, 170)
GUICtrlCreateLabel("Username:", 10, 10, 50, 20)
$hUserName = GUICtrlCreateInput("", 10, 35, 100, 20)
GUICtrlCreateLabel("Password:", 10, 70, 50, 20)
$hPassword = GUICtrlCreateInput("", 10, 95, 100, 20, $ES_PASSWORD)
$go = GUICtrlCreateButton("OK", 10, 130, 50, 25, $BS_DEFPUSHBUTTON)
$cancel = GUICtrlCreateButton("Cancel", 60, 130, 50, 25)
GUISetState()
While 1
$msg = GUIGetMsg()
Switch $msg
Case $go
$sUserName = GUICtrlRead($hUserName)
$sPassword = GUICtrlRead($hPassword)
_AD_Open($sUserName, $sPassword)
If @error Then
MsgBox(64, "Error", "Authentication Failed! Try again!" & @CRLF & "@error: " & @error & ", @extended: " & @extended)
                   Exit
           ElseIf _AD_IsMemberOf($sGroup1, $sUserName, True) or _AD_IsMemberOf($sGroup2, $sUserName, True) <> 1 Then
                   MsgBox(64, "Error", "User is not member of groups '" & $sGroup1 & "__" & "or" & "__"& $sGroup2 & "'!" & @CRLF & "@error: " & @error & ", @extended: " & @extended)
                   ; MsgBox(64, "Error", "User is not member of groups '" & $sGroup2 & "'!" & @CRLF & "@error: " & @error & ", @extended: " & @extended)
_AD_Close()
Exit
EndIf
_AD_Close()
; Output Username to a log file with date and time
_FileWriteLog(@Scriptdir & "\Username.log", GUICtrlRead($hUserName))

ShellExecute("explorer.exe")
       Exit
       case $cancel, $GUI_EVENT_CLOSE
Exit
EndSwitch
WEnd
GUIDelete($gui)

water · March 31, 2021

Quote

i tried it, but i didn´t get it works.

Please be more specific. Do you get an error or wrong results or omething else you don't expect?

amdinside · March 31, 2021

I do not know whether my above solution is thought so correctly and whether I may have made a mistake in

the query of the two groups. It only works when the user is in group1.

the message box "user not in group" appears in group2

here the line:

ElseIf _AD_IsMemberOf($sGroup1, $sUserName, True) or _AD_IsMemberOf($sGroup2, $sUserName, True) <> 1 Then

water · March 31, 2021

Use:

ElseIf _AD_IsMemberOf($sGroup1, $sUserName, True) <> 1 And _AD_IsMemberOf($sGroup2, $sUserName, True) <> 1 Then

This line returns True when $sUsername ist not Member of group1 and not Member of group2.

Edited March 31, 2021 by water

AD authentication

Recommended Posts

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Create an account or sign in to comment

Create an account

Sign in

Recently Browsing 0 members