Active Directory UDF - Help & Support (III)

[Subz]

Understand, although if you capture lastLogon attribute you shouldn't require _AD_GetLastLoginDate, you would just need something like the _ConvertLastLogon function I used above to get the date in a string format.

[water]

Agreed.

Do you think this should be added to the UDF as a helper function?
Or even better, should I extract all code from _AD_GetObjectProperties that translates data into readable format to such helper functions (like __AD_LargeInt2Double) so they can directly be called by users?
That will slow down _AD_GetObjectProperties a bit but could enhance performance for user written functions!

[Subz]

I think adding either option or including both would be a great addition to the UDF.  Having to make less connections to the DCs would speed up the process considerably when obtaining details for more than one user and having the help functions translate the data into readable format, would save having to convert it after capturing the data, so win win.  

Thanks again for your time looking into it.

[water]

I have modified function _AD_GetObjectProperties so it now calls a function to convert large integer to a date string format.
I didn't see a difference in processing time.
If it works for you I will make ordinary functions out of this internal functions.

This will make scripts, which need to extract large integer values, much faster. Now they can translate the results of _AD_GetObjectsInOU without having to call _AD_GetObjectProperties to translate.

expandcollapse popup

; #FUNCTION# ====================================================================================================================
; Name...........: _AD_GetObjectProperties
; Description ...: Returns a two-dimensional array of all or selected properties and their values of an object in readable form.
; Syntax.........: _AD_GetObjectProperties([$vObject = @UserName[, $sProperties = ""[, $bSort = True]]])
; Parameters ....: $vObject     - Optional: SamAccountName, FQDN or ADSPath of the object to retrieve properties from (e.g. computer, user, group ...) (default = @Username)
;                  |Can be of type object as well. Useful to get properties for a schema or configuration object (see _AD_ListRootDSEAttributes)
;                  $sProperties - Optional: Comma separated list of properties to return (default = "" = return all properties)
;                  $bSort       - Optional: True specifies that the array will be sorted on property name (default = True)
; Return values .: Success - Returns a one based two-dimensional array with all properties and their values of an object in readable form
;                  Failure - "" or property name, sets @error to:
;                  |1 - $vObject could not be found
;                  |2 - No values for the specified property. The name of the property in error is returned as the function result
;                  |3 - Error retrieving $vObject. @Extended is set to the error returned by LDAP
; Author ........: Sundance
; Modified.......: water
; Remarks .......: Dates are returned in format: YYYY/MM/DD HH:MM:SS local time of the calling user (AD stores all dates in UTC - Universal Time Coordinated)
;                  Exception: AD internal dates like "whenCreated", "whenChanged" and "dSCorePropagationData". They are returned as UTC
;                  NT Security Descriptors are returned as: Control:nn, Group:Domain\Group, Owner:Domain\Group, Revision:nn
;                  No error is returned if there are properties in $sProperties that are not available for the selected object
;+
;                  Properties are returned in alphabetical order. If $sProperties is set to "samaccountname,displayname" the returned array will contain
;                  displayname as the first and samaccountname as the second row.
; Related .......:
; Link ..........: http://www.autoitscript.com/forum/index.php?showtopic=49627&view=findpost&p=422402, http://msdn.microsoft.com/en-us/library/ms675090(VS.85).aspx
; Example .......: Yes
; ===============================================================================================================================
Func _AD_GetObjectProperties($vObject = @UserName, $sProperties = "", $bSort = True)

    If $vObject = Default Then $vObject = @UserName
    If $sProperties = Default Then $sProperties = ""
    If $bSort = Default Then $bSort = True
    Local $aObjectProperties[10000][2], $oObject
    Local $oProperty, $oPropertyEntry, $sPropertyName, $oValue, $iPropertyRecord = 0, $xAD_Dummy
    Local $aSAMAccountType[12][2] = [["DOMAIN_OBJECT", 0x0], ["GROUP_OBJECT", 0x10000000], ["NON_SECURITY_GROUP_OBJECT", 0x10000001], _
            ["ALIAS_OBJECT", 0x20000000], ["NON_SECURITY_ALIAS_OBJECT", 0x20000001], ["USER_OBJECT", 0x30000000], ["NORMAL_USER_ACCOUNT", 0x30000000], _
            ["MACHINE_ACCOUNT", 0x30000001], ["TRUST_ACCOUNT", 0x30000002], ["APP_BASIC_GROUP", 0x40000000], ["APP_QUERY_GROUP", 0x40000001], _
            ["ACCOUNT_TYPE_MAX", 0x7fffffff]]
    Local $aUAC[21][2] = [[0x00000001, "SCRIPT"], [0x00000002, "ACCOUNTDISABLE"], [0x00000008, "HOMEDIR_REQUIRED"], [0x00000010, "LOCKOUT"], [0x00000020, "PASSWD_NOTREQD"], _
            [0x00000040, "PASSWD_CANT_CHANGE"], [0x00000080, "ENCRYPTED_TEXT_PASSWORD_ALLOWED"], [0x00000100, "TEMP_DUPLICATE_ACCOUNT"], [0x00000200, "NORMAL_ACCOUNT"], _
            [0x00000800, "INTERDOMAIN_TRUST_ACCOUNT"], [0x00001000, "WORKSTATION_TRUST_ACCOUNT"], [0x00002000, "SERVER_TRUST_ACCOUNT"], [0x00010000, "DONT_EXPIRE_PASSWD"], _
            [0x00020000, "MNS_LOGON_ACCOUNT"], [0x00040000, "SMARTCARD_REQUIRED"], [0x00080000, "TRUSTED_FOR_DELEGATION"], [0x00100000, "NOT_DELEGATED"], _
            [0x00200000, "USE_DES_KEY_ONLY"], [0x00400000, "DONT_REQUIRE_PREAUTH"], [0x00800000, "PASSWORD_EXPIRED"], [0x01000000, "TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION"]]
    If Not IsObj($vObject) Then
        If StringLeft($vObject, 7) <> "LDAP://" Then ; No ADsPath
            If _AD_ObjectExists($vObject) = 0 Then Return SetError(1, 0, "")
            Local $sProperty = "sAMAccountName"
            If StringMid($vObject, 3, 1) = "=" Then $sProperty = "distinguishedName" ; FQDN provided
            $__oAD_Command.CommandText = "<LDAP://" & $sAD_HostServer & "/" & $sAD_DNSDomain & ">;(" & $sProperty & "=" & $vObject & ");ADsPath;subtree"
            Local $oRecordSet = $__oAD_Command.Execute ; Retrieve the ADsPath for the object
            If @error Or Not IsObj($oRecordSet) Then Return SetError(3, @error, "")
            $vObject = $oRecordSet.fields(0).Value
        EndIf
        $oObject = __AD_ObjGet($vObject) ; Retrieve the COM Object
    Else
        $oObject = $vObject
    EndIf
    If $sProperties = "" Then
        $oObject.GetInfo() ; Refresh values of all properties in the property cache of the ADSI object
    Else
        Local $aProperties = StringSplit($sProperties, ",", $STR_NOCOUNT)
        $oObject.GetInfoEX($aProperties, 0) ; Refresh values of the selected properties in the property cache of the ADSI object
    EndIf
    Local $iPropertyCount = $oObject.PropertyCount()
    For $iCurrentProperty = 0 To $iPropertyCount - 1
        $oProperty = $oObject.Item($iCurrentProperty)
        $oPropertyEntry = $oObject.GetPropertyItem($oProperty.Name, $ADSTYPE_UNKNOWN)
        $sPropertyName = $oProperty.Name
        If Not IsObj($oPropertyEntry) Then Return SetError(2, 0, $sPropertyName)
        For $vPropertyValue In $oPropertyEntry.Values
            $iPropertyRecord = $iPropertyRecord + 1
            $aObjectProperties[$iPropertyRecord][0] = $sPropertyName
            Switch $oProperty.ADsType
                Case $ADSTYPE_DN_STRING
                    $aObjectProperties[$iPropertyRecord][1] = $vPropertyValue.DNString
                Case $ADSTYPE_CASE_IGNORE_STRING
                    $aObjectProperties[$iPropertyRecord][1] = $vPropertyValue.CaseIgnoreString
                Case $ADSTYPE_CASE_EXACT_STRING
                    $aObjectProperties[$iPropertyRecord][1] = $vPropertyValue.CaseExactString
                Case $ADSTYPE_NUMERIC_STRING
                    $aObjectProperties[$iPropertyRecord][1] = $vPropertyValue.NumericString
                Case $ADSTYPE_PRINTABLE_STRING
                    $aObjectProperties[$iPropertyRecord][1] = $vPropertyValue.PrintableString
                Case $ADSTYPE_INTEGER
                    If $sPropertyName = "sAMAccountType" Then
                        For $iCount4 = 0 To UBound($aSAMAccountType) - 1
                            If $vPropertyValue.Integer = $aSAMAccountType[$iCount4][1] Then
                                $aObjectProperties[$iPropertyRecord][1] = $aSAMAccountType[$iCount4][0]
                                ExitLoop
                            EndIf
                        Next
                    ElseIf $sPropertyName = "userAccountControl" Then
                        $aObjectProperties[$iPropertyRecord][1] = $vPropertyValue.Integer & " = "
                        For $iCount4 = 0 To UBound($aUAC) - 1
                            If BitAND($vPropertyValue.Integer, $aUAC[$iCount4][0]) = $aUAC[$iCount4][0] Then
                                $aObjectProperties[$iPropertyRecord][1] &= $aUAC[$iCount4][1] & " - "
                            EndIf
                        Next
                        If StringRight($aObjectProperties[$iPropertyRecord][1], 3) = " - " Then $aObjectProperties[$iPropertyRecord][1] = StringTrimRight($aObjectProperties[$iPropertyRecord][1], 3)
                    Else
                        $aObjectProperties[$iPropertyRecord][1] = $vPropertyValue.Integer
                    EndIf
                Case $ADSTYPE_LARGE_INTEGER
                    If $sPropertyName = "pwdLastSet" Or $sPropertyName = "accountExpires" Or $sPropertyName = "lastLogonTimestamp" Or $sPropertyName = "badPasswordTime" Or $sPropertyName = "lastLogon" Or _
                            $sPropertyName = "lockoutTime" Or $sPropertyName = "ms-Mcs-AdmPwdExpirationTime" Or $sPropertyName = "MSDS-UserPasswordExpiryTimeComputed" Then
                        $aObjectProperties[$iPropertyRecord][1] = __AD_LargeInt2DateString($vPropertyValue.LargeInteger.LowPart, $vPropertyValue.LargeInteger.HighPart)
                    Else
                        $aObjectProperties[$iPropertyRecord][1] = __AD_LargeInt2Double($vPropertyValue.LargeInteger.LowPart, $vPropertyValue.LargeInteger.HighPart)
                    EndIf
                Case $ADSTYPE_OCTET_STRING
                    $xAD_Dummy = DllStructCreate("byte[56]")
                    DllStructSetData($xAD_Dummy, 1, $vPropertyValue.OctetString)
                    ; objectSID etc. See: http://msdn.microsoft.com/en-us/library/aa379597(VS.85).aspx
                    ; objectGUID etc. See: http://www.autoitscript.com/forum/index.php?showtopic=106163&view=findpost&p=767558
                    If _Security__IsValidSid(DllStructGetPtr($xAD_Dummy)) Then
                        $aObjectProperties[$iPropertyRecord][1] = _Security__SidToStringSid(DllStructGetPtr($xAD_Dummy)) ; SID
                    Else
                        $aObjectProperties[$iPropertyRecord][1] = _WinAPI_StringFromGUID(DllStructGetPtr($xAD_Dummy)) ; GUID
                    EndIf
                Case $ADSTYPE_UTC_TIME
                    $aObjectProperties[$iPropertyRecord][1] = StringRegExpReplace($vPropertyValue.UTCTime, "(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})", "$1/$2/$3 $4:$5:$6") ; YYYY/MM/DD HH:MM:SS
                Case $ADSTYPE_BOOLEAN
                    If $vPropertyValue.Boolean = 0 Then
                        $aObjectProperties[$iPropertyRecord][1] = "False"
                    Else
                        $aObjectProperties[$iPropertyRecord][1] = "True"
                    EndIf
                Case $ADSTYPE_NT_SECURITY_DESCRIPTOR
                    $oValue = $vPropertyValue.SecurityDescriptor
                    $aObjectProperties[$iPropertyRecord][1] = "Control:" & $oValue.Control & ", " & _
                            "Group:" & $oValue.Group & ", " & _
                            "Owner:" & $oValue.Owner & ", " & _
                            "Revision:" & $oValue.Revision
                Case Else
                    $aObjectProperties[$iPropertyRecord][1] = "Has the unknown ADsType: " & $oProperty.ADsType
            EndSwitch
        Next
    Next
    ReDim $aObjectProperties[$iPropertyRecord + 1][2]
    $aObjectProperties[0][0] = $iPropertyRecord
    $aObjectProperties[0][1] = 2
    If $bSort And $iPropertyRecord > 1 Then _ArraySort($aObjectProperties, 0, 1) ; Only sort if flag is set and array contains > 1 records
    Return $aObjectProperties

EndFunc   ;==>_AD_GetObjectProperties

; #INTERNAL_USE_ONLY#============================================================================================================
; Name...........: __AD_LargeInt2DateString
; Description ...: Converts a large Integer value to a date string (YYYY/MM/DD HH:MM:SS).
; Syntax.........: __AD_LargeInt2DateString($iLow, $iHigh)
; Parameters ....: $iLow - Lower Part of the Large Integer
;                  $iHigh - Higher Part of the Large Integer
; Return values .: Date string (YYYY/MM/DD HH:MM:SS)
; Author ........: ?
; Modified.......: water
; Remarks .......: This function is used internally
; Related .......:
; Link ..........:
; Example .......:
; ===============================================================================================================================
Func __AD_LargeInt2DateString($iLow, $iHigh)
    If $iLow = 0 And $iHigh = 0 Then
        Return "1601/01/01 00:00:00"
    Else
        Local $sTemp = DllStructCreate("dword low;dword high")
        DllStructSetData($sTemp, "Low", $iLow)
        DllStructSetData($sTemp, "High", $iHigh)
        Local $sTemp2 = _Date_Time_FileTimeToSystemTime(DllStructGetPtr($sTemp))
        Local $sTemp3 = _Date_Time_SystemTimeToTzSpecificLocalTime(DllStructGetPtr($sTemp2))
        Return _Date_Time_SystemTimeToDateTimeStr($sTemp3, 1)
    EndIf
EndFunc   ;==>__AD_LargeInt2DateString

 

[willichan]

Hi water,

I have production version 3.3.14.5 installed on a 64-bit Windows 7 machine on the company domain.  I have domain administrator access.  I am using AD.au3 UDF version 1.4.8.0.

With this test code

#include <ad.au3>
_AD_Open()
Global $aGroups = _AD_GetObjectsInOU("","(objectClass=group)", 2, "name,description")
_AD_Close()

I get the following

>"C:\Program Files (x86)\AutoIt3\SciTE\..\AutoIt3.exe" "C:\Program Files (x86)\AutoIt3\SciTE\AutoIt3Wrapper\AutoIt3Wrapper.au3" /run /prod /ErrorStdOut /in "\\server1\Home\XXXXXXXX\AU3Projects\XXXXAuditReports\2018version\test.au3" /UserParams    
+>17:52:02 Starting AutoIt3Wrapper v.17.224.935.0 SciTE v.3.7.3.0   Keyboard:00000409  OS:WIN_7/Service Pack 1  CPU:X64 OS:X64  Environment(Language:0409)  CodePage:0  utf8.auto.check:4
+>         SciTEDir => C:\Program Files (x86)\AutoIt3\SciTE   UserDir => C:\Users\XXXXXXXX\AppData\Local\AutoIt v3\SciTE\AutoIt3Wrapper   SCITE_USERHOME => C:\Users\XXXXXXXX\AppData\Local\AutoIt v3\SciTE 
>Running AU3Check (3.3.14.5)  from:C:\Program Files (x86)\AutoIt3  input:\\server1\Home\XXXXXXXX\AU3Projects\XXXXAuditReports\2018version\test.au3
"C:\Au3Includes\ad.au3"(2234,99) : error: _WinAPI_StringFromGUID(): undefined function.
                        $aObjectProperties[$iPropertyRecord][1] = _WinAPI_StringFromGUID(DllStructGetPtr($xAD_Dummy))
                        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^
\\server1\Home\XXXXXXXX\AU3Projects\XXXXAuditReports\2018version\test.au3 - 1 error(s), 0 warning(s)
!>17:52:02 AU3Check ended. Press F4 to jump to next error.rc:2
+>17:52:03 AutoIt3Wrapper Finished.
>Exit code: 2    Time: 0.9034

I am guessing that this is due to changes in the WinAPI includes, since adding WinAPIConv.au3 (per the help file) to the include list results in

!>18:09:23 AutoIt3.exe ended.rc:259

Any suggestions?

Does this sound like it should be a bug report?

 

UPDATE:

I found your post about the new version of AD.au3 (1.4.9.0) and installed it.

I no longer get the undefined function error, but still get the rc:259 error.

 

Edited July 24, 2018 by willichan
New information

[willichan]

I found the problem.  One of the security programs on our systems was blocking the script and causing it to error out.

I added an exception entry in the system, and it is working fine now.

Sorry for the hassle.

[water]

Version 1.4.10.0 of the UDF has been released.

Please test before using in production!

For download please see my signature.

[ohaya]

Hi,

I have some newb questions about this UDF:

- Do I have to unzip the entire UDF files into the default AutoIT includes directory and then just include "ad.au3" in my program?

- What if I don't want to unzip all those files into the default includes dir?  Can I unzip them somewhere else and if so, what do I have to include in my app?

 

Jim

[water]

The only file you need to unzip to the AutoIt include directory is AD.au3.
The rest are example or help files.

[ohaya]

water,

Ok, cool, thx!  I thought the ad.au3 was just some kind of reference to the other _AD...au3 files, so good.

Jim

[ohaya]

So I am still confused about something (well, probably about a lot of things), but can AD UDF be used to access non-AD LDAP servers? 

So far, I have various references that end up not working, e.g.:

And also examples that don't work with a generic LDAP (e.g., OpenDJ or Oracle OUD (=~ SunDS).

I really/mainly need to authenticate and query the generic LDAP, but cannot find a way to do it with AutoIT. 

I am thinking that maybe I need to write a Java app that takes parameters and does something similar to ldapsearch and then execute the Java app to do the authentication and search.  Is that really the only way to do this??

 

Thanks,

Jim

[water]

5 hours ago, ohaya said:

can AD UDF be used to access non-AD LDAP servers? 

Unfortunately th answer is No. The UDF uses LDAP commands the way Active Directory expects them ans well as it handles results as they are reutrned by Active Directory.

I think you can access other directory services using AutoIt as long as they provide an API.
Hopefully the web provides information about a Programmer's Guide for OpenDJ etc. If you find examples for Visual Basic, it should be easy to translate them to AutoIt.

[water]

Version 1.4.11.0 of the UDF has been released.

Please test before using in production!

For download please see my signature.

[water]

Version 1.4.12.0 of the UDF has been released.

Please test before using in production!

For download please see my signature.

[water]

Version 1.4.13.0 of the UDF has been released.

Please test before using in production!

For download please see my signature.
On the download page you'll find a list of changes in the "What's New" section

[water]

Poll

Some of the functions in the AD UDF can process different types of objects (users, computers, groups ...) but have - for historical reasons - one of this object types as part of the function name (example: _AD_AddUserToGroup processes users, groups or computers).

This makes some users think that a function to add a computer or group to a group is missing.

I'm thinking about creating alias functions to solve this issue. Means there will be a _AD_AddComputerToGroup, _AD_AddGroupToGroup and _AD_AddUserToGroup all pointing to a new function _AD_AddObjectToGroup which will hold the code from _AD_AddUserToGroup.

What do you think?

[DonChunior]

2 hours ago, water said:

Poll

Some of the functions in the AD UDF can process different types of objects (users, computers, groups ...) but have - for historical reasons - one of this object types as part of the function name (example: _AD_AddUserToGroup processes users, groups or computers).

This makes some users think that a function to add a computer or group to a group is missing.

I'm thinking about creating alias functions to solve this issue. Means there will be a _AD_AddComputerToGroup, _AD_AddGroupToGroup and _AD_AddUserToGroup all pointing to a new function _AD_AddObjectToGroup which will hold the code from _AD_AddUserToGroup.

What do you think?

I think it's a good idea to create unified wrapper functions.
Especially for beginners it would lower the entry hurdle a bit.
It would definitely be an improvement, so you have my vote!

[water]

Version 1.4.14.0 of the UDF has been released.

Please test before using in production!

For download please see my signature.
On the download page you'll find a list of changes in the "What's New" section

[legend]

Attention all Windows-AD admins: March 2020 will be a lot of fun!

Microsoft intends to release a security update on Windows Update to enable LDAP channel binding and LDAP signing hardening changes and anticipate this update will be available in March 2020.

https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirement-for-windows

TLDR: If you install the "march 2020" updates and you didnt configure LDAPs properly until then, you are in trouble.

 

More info: https://docs.microsoft.com/en-us/archive/blogs/russellt/identifying-clear-text-ldap-binds-to-your-dcs

"If the application has no way binding securely, throw it out. OK, sometimes thats not always possible, but if your application vendor won't provide a secure way to do LDAP binds, you will need to get a little extreme and encrypt the whole TCP stream between the application and DC using IPSEC with ESP. Thankfully most modern applications have some kind of ability to perform secure LDAP connections and we don't need to go this far."

 

I think this fixes it: 

_AD_Open("", "", "", "", "", 3) 

Edited February 28, 2020 by legend

[water]

If needed the default for _AD_Open could be changed.