
Active Directory UDF: _AD_GetObjectsInOU doesn't return the expected result


Go to solution Solved by water,


Posted

If I use a program to read the AD attributes mail and objectGUID from an AD account, I can't find the original AD account again using the _AD_GetObjectsInOU function and the objectGUID attribute.

The example program below works if I use _AD_GetObjectsInOU in combination with mail:
_ArrayDisplay shows me again the account I defined in the variable $sUsername.
However, if I use the _AD_GetObjectsInOU in combination with objectGUID and comment out the line above, nothing is displayed.

What is my mistake here?

#include <AD.au3>

Opt("MustDeclareVars", 1)

Main()

Func Main()
    Local $sUsername = "abc"
    _AD_Open("", "", "DC=xyz,DC=i", "xyz.i:3269", "CN=Configuration,DC=xyz,DC=i", $ADS_SECURE_AUTH + $ADS_USE_SSL)
    Local $sMail = _AD_GetObjectAttribute($sUsername, "mail")
    ConsoleWrite("mail=" & $sMail & @CRLF)
    Local $sObjectGUID = _AD_GetObjectAttribute($sUsername, "objectGUID")
    ConsoleWrite("objectGUID=" & $sObjectGUID & @CRLF)
    Local $aObjectsInOU = _AD_GetObjectsInOU("", "(mail=" & $sMail & ")")
;~  Local $aObjectsInOU = _AD_GetObjectsInOU("", "(objectGUID=" & $sObjectGUID & ")")
    ConsoleWrite("@error=" & @error & ", @extended=" & @extended & @CRLF)
    _AD_Close()
    _ArrayDisplay($aObjectsInOU)
EndFunc

 

  • Solution
Posted (edited)

What is the value of @error and @extended after calling _AD_GetObjectsInOU when searching for GUID?

Looks like you need to enter the GUID in a special format as described here.

Quote
In order to form an LDAP Filter that searches based on an ObjectGUID, the GUID value must be entered in a special syntax in the filter - where each byte in the hexadecimal representation of the GUID must be escaped with a backslash symbol. To provide an example, in order to search for an object with hexadecimal GUID "90395F191AB51B4A9E9686C66CB18D11", the corresponding filter should be set as:

(objectGUID=\90\39\5F\19\1A\B5\1B\4A\9E\96\86\C6\6C\B1\8D\11)

 

Edited by water

My UDFs and Tutorials:

Spoiler

UDFs:
Active Directory (NEW 2024-07-28 - Version 1.6.3.0) - Download - General Help & Support - Example Scripts - Wiki
ExcelChart (2017-07-21 - Version 0.4.0.1) - Download - General Help & Support - Example Scripts
OutlookEX (2021-11-16 - Version 1.7.0.0) - Download - General Help & Support - Example Scripts - Wiki
OutlookEX_GUI (2021-04-13 - Version 1.4.0.0) - Download
Outlook Tools (2019-07-22 - Version 0.6.0.0) - Download - General Help & Support - Wiki
PowerPoint (2021-08-31 - Version 1.5.0.0) - Download - General Help & Support - Example Scripts - Wiki
Task Scheduler (2022-07-28 - Version 1.6.0.1) - Download - General Help & Support - Wiki

Standard UDFs:
Excel - Example Scripts - Wiki
Word - Wiki

Tutorials:
ADO - Wiki
WebDriver - Wiki

 

Posted

Hello @water,

thanks for the explanation.
By escaping the individual bytes, it finally works with the LDAP filter. 👍
In Microsoft's TechNet Wiki Archive I found further documentation of these facts: Active Directory: LDAP Syntax Filters | Microsoft Learn

I created a small auxiliary function for escaping a binary GUID:

; #FUNCTION# ====================================================================================================================
; Name ..........: _AD_EscapeGUIDBytes
; Description ...: Returns the escaped string of a GUID for use in an LDAP filter.
; Syntax ........: _AD_EscapeGUIDBytes(Const Byref $dGUID)
; Parameters ....: $dGUID  - [in/out and const] a binary variant value.
; Return values .: Success - Escaped GUID
;                  Failure - 0, sets @error to:
;                  |1 - GUID is not 128 bits (= 32 nibbles) long. @extended = 0
; Author ........: DonChunior
; Modified ......:
; Remarks .......: Byte arrays, like the objectGUID attribute, can be represented as a series of escaped hexadecimal bytes.
; Related .......: _AD_GetObjectsInOU
; Link ..........: https://learn.microsoft.com/en-us/archive/technet-wiki/5392.active-directory-ldap-syntax-filters
; Example .......: Yes
; ===============================================================================================================================
Func _AD_EscapeGUIDBytes(Const ByRef $dGUID)
    Local Const $iNibblesPerGUID = 32
    Local Const $iNibblesPerByte = 2
    Local Const $sGUID = Hex($dGUID)
    If StringLen($sGUID) <> $iNibblesPerGUID Then Return SetError(1, 0, 0)
    Local $sEscapedGUID = ""
    For $i = 1 To $iNibblesPerGUID Step $iNibblesPerByte
        $sEscapedGUID &= "\"
        $sEscapedGUID &= StringMid($sGUID, $i, $iNibblesPerByte)
    Next
    Return $sEscapedGUID
EndFunc   ;==>_AD_EscapeGUIDBytes

Maybe you'd like to add it to your AD UDF along with the attached usage example?

_AD_EscapeGUIDBytes.au3
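The escaping discussed in this thread, as an added example in Python (not code from the posts or from the AD UDF): an unescaped filter value is matched as text characters, not as the 16 bytes stored in objectGUID. It goes beyond the posts by also accepting the braced display form of a GUID, whose first three fields are stored little-endian. The function names and the display-form sample are assumptions, constructed from the GUID in the quoted documentation.

```python
import re
import uuid

# Constructed samples: the GUID from the quoted documentation, once as the raw
# byte dump and once in the display form that GUI tools show for the same object.
SAMPLE_RAW_HEX = "90395F191AB51B4A9E9686C66CB18D11"
SAMPLE_DISPLAY = "{195F3990-B51A-4A1B-9E96-86C66CB18D11}"

_HEX32 = re.compile(r"[0-9A-Fa-f]{32}")
_DISPLAY = re.compile(r"\{?[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}?")


def escape_bytes(raw: bytes) -> str:
    """Escape every octet as backslash + two hex digits (RFC 4515 style)."""
    return "".join("\\%02X" % b for b in raw)


def guid_to_raw(value) -> bytes:
    """Normalise a GUID to the 16 bytes stored in objectGUID.

    Accepts raw bytes, a 32-digit hex dump of those bytes (optionally with the
    0x prefix AutoIt prints for binary values), or the hyphenated display form.
    A 32-digit string without hyphens is always treated as a raw dump.
    """
    if isinstance(value, (bytes, bytearray)):
        raw = bytes(value)
    else:
        text = value.strip()
        if text[:2].lower() == "0x":
            text = text[2:]
        if _HEX32.fullmatch(text):
            raw = bytes.fromhex(text)
        elif _DISPLAY.fullmatch(text):
            # Display form: first three fields are little-endian on the wire.
            raw = uuid.UUID(text).bytes_le
        else:
            raise ValueError("not a GUID: %r" % (value,))
    if len(raw) != 16:
        raise ValueError("objectGUID must be exactly 16 bytes")
    return raw


def guid_filter(value) -> str:
    """Build the LDAP filter that matches one object by its objectGUID."""
    return "(objectGUID=%s)" % escape_bytes(guid_to_raw(value))


if __name__ == "__main__":
    print(guid_filter(SAMPLE_RAW_HEX))
    print(guid_filter(SAMPLE_DISPLAY))
```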

Posted

Good idea :)
