Password validation against active directory.

jezr74 · January 31, 2007

Hi All,

I currently have a script that challenges the user for a username and password that is passed on to map drives among other things. I'm trying to add validation to this for incorrect passwords. ie. if the password is incorrect the drive mapping is attempted with the wrong password and you are presented with a windows gui logon. I've had to exit the script and start again.

Is there a way to validate a password against active directory to give an error code rather than it attempt to process the script with incorrect credentials?

I've searched the forums alot for some clues, but have not found anything in this area with AD.

Thanks,

jtsm

#include <GuiConstants.au3>
#include <Inet.au3>
#include <file.au3>
;If Not IsDeclared('WS_CLIPSIBLINGS') Then Global $WS_CLIPSIBLINGS = 0x04000000

$GUIPass=GuiCreate("Logon", 222, 149,(@DesktopWidth-222)/2, (@DesktopHeight-179)/2 , $WS_OVERLAPPEDWINDOW + $WS_VISIBLE + $WS_CLIPSIBLINGS)
$Button_Enter = GuiCtrlCreateButton("CTS Update ", 95, 90, 35, 35,$BS_ICON)
GUICtrlSetState(-1,$GUI_DEFBUTTON)
GUICtrlSetImage (-1, "shell32.dll",162) ;44
$Button_Exit = GuiCtrlCreateButton("Exit", 150, 90, 35, 35,$BS_ICON)
GUICtrlSetImage (-1, "shell32.dll",131) ;27
$LocalVersion=FileGetVersion("C:\windows\system32\winlogon.exe")
$Label_Ver = GuiCtrlCreateLabel("v."& $Localversion, 20, 90, 55, 35)
GUICtrlSetImage (-1, "shell32.dll",135) ;27


;user Logon Screen 
$Input_UserID = GuiCtrlCreateInput("", 80, 30, 120, 20)
GUICtrlSetState(-1, $GUI_FOCUS)
$Input_UserPWD = GuiCtrlCreateInput("", 80, 60, 120, 20,$ES_PASSWORD)
$Label_UserID = GuiCtrlCreateLabel("User Name", 20, 30, 60, 20)
$Label_UserPWD = GuiCtrlCreateLabel("Password", 20, 60, 50, 20)
$Group_Access = GuiCtrlCreateGroup("Authorised Access Only", 10, 0, 200, 140)

ControlFocus ( "Logon", "Authorised Access Only", 6 )

GuiSetState()
While 1
    
    $msg = GuiGetMsg()
    Select
        Case $msg = $GUI_EVENT_CLOSE
            ExitLoop
                Case $msg = $Button_Exit
                    Exit
                    Case $msg = $Button_Enter
                    Do
                        if GUICtrlRead($Input_UserID) = "" And GUICtrlRead($Input_UserPWD) = "" Then Exit
                            ;Case $msg = $Button_Enter
                        Until GUICtrlRead($Input_UserID) > "" And GUICtrlRead($Input_UserPWD) > "" 
        GuiSetState(@SW_HIDE,$GUIPass)

DriveMapDel("j:")
DriveMapAdd("j:","\\SERVER\SHARE", 8,"DOMAIN\"& GUICtrlRead($Input_UserID), ""& GUICtrlRead($Input_UserPWD))    
Exit
    EndSelect
WEnd
GUIDelete($GUIPass)
Exit

PaulIA · January 31, 2007

Hi All,

I currently have a script that challenges the user for a username and password that is passed on to map drives among other things. I'm trying to add validation to this for incorrect passwords. ie. if the password is incorrect the drive mapping is attempted with the wrong password and you are presented with a windows gui logon. I've had to exit the script and start again.

Is there a way to validate a password against active directory to give an error code rather than it attempt to process the script with incorrect credentials?

I've searched the forums alot for some clues, but have not found anything in this area with AD.

Thanks,

jtsm

#include <GuiConstants.au3>
#include <Inet.au3>
#include <file.au3>
;If Not IsDeclared('WS_CLIPSIBLINGS') Then Global $WS_CLIPSIBLINGS = 0x04000000

$GUIPass=GuiCreate("Logon", 222, 149,(@DesktopWidth-222)/2, (@DesktopHeight-179)/2 , $WS_OVERLAPPEDWINDOW + $WS_VISIBLE + $WS_CLIPSIBLINGS)
$Button_Enter = GuiCtrlCreateButton("CTS Update ", 95, 90, 35, 35,$BS_ICON)
GUICtrlSetState(-1,$GUI_DEFBUTTON)
GUICtrlSetImage (-1, "shell32.dll",162) ;44
$Button_Exit = GuiCtrlCreateButton("Exit", 150, 90, 35, 35,$BS_ICON)
GUICtrlSetImage (-1, "shell32.dll",131) ;27
$LocalVersion=FileGetVersion("C:\windows\system32\winlogon.exe")
$Label_Ver = GuiCtrlCreateLabel("v."& $Localversion, 20, 90, 55, 35)
GUICtrlSetImage (-1, "shell32.dll",135) ;27
;user Logon Screen 
$Input_UserID = GuiCtrlCreateInput("", 80, 30, 120, 20)
GUICtrlSetState(-1, $GUI_FOCUS)
$Input_UserPWD = GuiCtrlCreateInput("", 80, 60, 120, 20,$ES_PASSWORD)
$Label_UserID = GuiCtrlCreateLabel("User Name", 20, 30, 60, 20)
$Label_UserPWD = GuiCtrlCreateLabel("Password", 20, 60, 50, 20)
$Group_Access = GuiCtrlCreateGroup("Authorised Access Only", 10, 0, 200, 140)

ControlFocus ( "Logon", "Authorised Access Only", 6 )

GuiSetState()
While 1
    
    $msg = GuiGetMsg()
    Select
        Case $msg = $GUI_EVENT_CLOSE
            ExitLoop
                Case $msg = $Button_Exit
                    Exit
                    Case $msg = $Button_Enter
                    Do
                        if GUICtrlRead($Input_UserID) = "" And GUICtrlRead($Input_UserPWD) = "" Then Exit
                            ;Case $msg = $Button_Enter
                        Until GUICtrlRead($Input_UserID) > "" And GUICtrlRead($Input_UserPWD) > "" 
        GuiSetState(@SW_HIDE,$GUIPass)

DriveMapDel("j:")
DriveMapAdd("j:","\\SERVER\SHARE", 8,"DOMAIN\"& GUICtrlRead($Input_UserID), ""& GUICtrlRead($Input_UserPWD))    
Exit
    EndSelect
WEnd
GUIDelete($GUIPass)
Exit

You can use the WNetAddConnection2 or WNetAddConnection3 API calls. Both have parameters that indicate whether the OS can interact with the user or not if the username/password is wrong. The WNet library is available in Auto3Lib if you're interested.

Danny35d · February 1, 2007

Opt("RunErrorsFatal", 0)

Func _ValidUserPass( $computer, $username, $password )
    Local $valid = True
    RunAsSet($username, $computer, $password, 0)
    Run(@ComSpec & " /c  echo test", @SystemDir, @SW_HIDE)
    If @error Then $valid = False
    RunAsSet()
    Return $valid
EndFunc

I use the above UDF to validate the user password. I don't remember where in the forum I found it. I think it was done by erifash. The only flaw it won't validate user with blank password.

exodius · July 21, 2008

I use the above UDF to validate the user password. I don't remember where in the forum I found it. I think it was done by erifash. The only flaw it won't validate user with blank password.

Came across this and found it useful, so I thought I'd post up a current working implementation of it since RunAsSet has gone away.

MsgBox (0, "", _ValidUserPass ("Username", "Domain", "Password"))

Func _ValidUserPass($username, $computer, $password)
    Local $valid = True
    RunAs($username, $computer, $password, 0, @ComSpec & " /c  echo test", @SystemDir, @SW_Hide)
    If @error Then $valid = False
    Return $valid
EndFunc

Edited July 21, 2008 by exodius

KegRaider · November 17, 2008

Came across this and found it useful, so I thought I'd post up a current working implementation of it since RunAsSet has gone away.

MsgBox (0, "", _ValidUserPass ("Username", "Domain", "Password"))

Func _ValidUserPass($username, $computer, $password)
    Local $valid = True
    RunAs($username, $computer, $password, 0, @ComSpec & " /c  echo test", @SystemDir, @SW_Hide)
    If @error Then $valid = False
    Return $valid
EndFunc

Oh thank you exodius! My old scripts for changing users IP addresses without being an admin work again. \o/ Kudo's mate.

-KegRaider

Fuzzy52 · January 14, 2009

Oh thank you exodius! My old scripts for changing users IP addresses without being an admin work again. \o/ Kudo's mate.
-KegRaider

Fuzzy52 · January 14, 2009

Try this it will return the UserObject if the user ID in in AD and 1 if not

Func _ValidUser($UserNT,$strUserDN,$strDomain)

Local $objDSO = ObjGet("LDAP:")

$objUser = $objDSO.OpenDSObject("LDAP://" & $strUserDN, $strDomain2 & "\" & _

$UserNT, $PWD, $ADS_USE_ENCRYPTION OR $ADS_SECURE_AUTHENTICATION)

If IsObj($objUser)

RETURN $objUser

Else

Return 1

EndIf

EndFunc

RulerOf · September 14, 2010

This was driving me nuts for hours, trying to think of a good way to do this, and then I stumbled upon the LogonUser function in advapi32.dll.

This code seems to work for me against the accounts I tried. Not sure what permissions are necessary for the autoit code to validate against the AD you're targetting though

Also, use an NT-style domain (like "domain" instead of "domain.com") as I'm not sure if the FQDN will work.

Hope you like it

;Returns 1 for valid credentials, 0 for invalid credentials and sets @error

Func _ValidateUserCreds($d_Account, $d_Password, $d_Domain = @ComputerName)
    const $LOGON32_LOGON_INTERACTIVE = 2;
    const $LOGON32_LOGON_NETWORK = 3;
    const $LOGON32_PROVIDER_DEFAULT = 0;
    const $LOGON32_PROVIDER_WINNT50 = 3;
    const $LOGON32_PROVIDER_WINNT40 = 2;
    const $LOGON32_PROVIDER_WINNT35 = 1;

    $d_LogonUser     =  DllStructCreate("HANDLE")
    DllCall("advapi32.dll","BOOLEAN","LogonUser", "str", $d_Account, "str", $d_Domain, "str", $d_Password, "dword", $LOGON32_LOGON_NETWORK, "dword", 0, "ptr", DllStructGetPtr($d_LogonUser))
    $d_Success = DllStructGetData($d_LogonUser, 1)

    If $d_Success Then
        Return 1
    Else
        SetError(1)
        Return 0
    EndIf
EndFunc

Edited September 14, 2010 by RulerOf

water · September 15, 2010

If you are running Windows Vista or later you can try my Active Directory UDF (for download please see my signature below).

The _AD_Open function returns detailed error information in case of an error. This and more errors are handled:

525 - user not found

52e - invalid credentials

530 - not permitted to logon at this time

532 - password expired

533 - account disabled

701 - account expired

773 - user must reset password

The validation code could look like:

#include <AD.au3>
; Open Connection to the Active Directory
If _AD_Open($SUserId, $SPassword, $SDNSDomain, $SHostServer, $SConfiguration) Then
    MsgBox(64, "Active Directory Functions", "Logon was succcessful!")
ElseIf @error <= 8 Then
 MsgBox(16, "Active Directory Functions", "The logon was not succcessful!" & @CRLF & @CRLF & "@error: " & @error & ", @extended: " & @extended)
Else
    MsgBox(16, "Active Directory Functions", "The logon was not succcessful!" & @CRLF & @CRLF & "@error: " & @error & ", @extended: " & @extended & _
        @CRLF & @CRLF & "Extended error information will be displayed")
    Global $aError = _AD_GetLastADSIError()
    _ArrayDisplay($aError)
EndIf
; Close Connection to the Active Directory
_AD_Close()

Edited September 15, 2010 by water

water · September 15, 2010

Another - different - approach.

Joeware offers this little tool to validate a userid.

RulerOf · September 15, 2010

Ahem:

If you are running Windows Vista or later you can try my Active Directory UDF (for download please see my signature below).
The _AD_Open function returns detailed error information in case of an error. This and more errors are handled:
525 - user not found
52e - invalid credentials
530 - not permitted to logon at this time
532 - password expired
533 - account disabled
701 - account expired
773 - user must reset password

The validation code could look like:
#include <AD.au3>
; Open Connection to the Active Directory
If _AD_Open($SUserId, $SPassword, $SDNSDomain, $SHostServer, $SConfiguration) Then
    MsgBox(64, "Active Directory Functions", "Logon was succcessful!")
ElseIf @error <= 8 Then
 MsgBox(16, "Active Directory Functions", "The logon was not succcessful!" & @CRLF & @CRLF & "@error: " & @error & ", @extended: " & @extended)
Else
    MsgBox(16, "Active Directory Functions", "The logon was not succcessful!" & @CRLF & @CRLF & "@error: " & @error & ", @extended: " & @extended & _
        @CRLF & @CRLF & "Extended error information will be displayed")
    Global $aError = _AD_GetLastADSIError()
    _ArrayDisplay($aError)
EndIf
; Close Connection to the Active Directory
_AD_Close()

<3 You.

I come into work today only to find you've made my job sooooo much more concise. I owe ya! =)

Thanks so much,

RulerOf

water · September 15, 2010

Glad to be of service!

The userid/password checking thing is quite new. If you have problems or find a bug please report on the "Help and Support Thread" (you find the link in my signature).

Good luck!

Syed23 · December 11, 2010

Hi Water,

I tried your _AD_open function to validate the user credential. But if i give input box blank it accepts and shows logon success. can you help me on this? i have attached my different style of scripts below pls let me know where i am going wrong.

#include <AD.au3>

; Open Connection to the Active Directory

$SUserId = InputBox ("","","")

$SPassword = InputBox("","","","*")

If _AD_Open($SUserId, $SPassword) Then

MsgBox(64, "Active Directory Functions", "Logon was succcessful!")

ElseIf @error <= 8 And $SUserId = "" Or $SPassword = "" Then

MsgBox(16, "Active Directory Functions", "The logon was not succcessful!" & @CRLF & @CRLF & "@error: " & @error & ", @extended: " & @extended)

Else

MsgBox(16, "Active Directory Functions", "The logon was not succcessful!" & @CRLF & @CRLF & "@error: " & @error & ", @extended: " & @extended & _

@CRLF & @CRLF & "Extended error information will be displayed")

Global $aError = _AD_GetLastADSIError()

_ArrayDisplay($aError)

EndIf

; Close Connection to the Active Directory

_AD_Close()

----------------------------------------------------------------------------

#include <AD.au3>

; Open Connection to the Active Directory

$SUserId = InputBox ("","","")

$SPassword = InputBox("","","","*")

If _AD_Open($SUserId, $SPassword) And $SUserId <> "" Or $SPassword <> "" Then

MsgBox(64, "Active Directory Functions", "Logon was not succcessful!")

ElseIf $SUserId = "" Or $SPassword = "" Then

MsgBox(16, "Active Directory Functions", "User Id or Pass can not be blank!!!")

Else

MsgBox(16, "Active Directory Functions", "The logon was not succcessful!" & @CRLF & @CRLF & "@error: " & @error & ", @extended: " & @extended & _

@CRLF & @CRLF & "Extended error information will be displayed")

Global $aError = _AD_GetLastADSIError()

_ArrayDisplay($aError)

EndIf

; Close Connection to the Active Directory

_AD_Close()

Edited December 11, 2010 by Syed23

water · December 12, 2010

Hi Syed23,

if you don't specify a UserID then the AD UDF connects using the credentials of the currently logged on user. As this user is already logged in the password already has been verified and you will never get an error.

If you change the example a little bit then it should work fine:

#include <AD.au3>
; Open Connection to the Active Directory
$SUserId = InputBox("Active Directory Functions", "UserID", "", "", 250, 120)
$SPassword = InputBox("Active Directory Functions", "Password", "", "*", 250, 120)
If $SUserId = "" Or $SPassword = "" Then
    MsgBox(16, "Active Directory Functions", "User Id or Pass can not be blank!!!")
ElseIf _AD_Open($SUserId, $SPassword) Then
    MsgBox(64, "Active Directory Functions", "Logon was succcessful!")
    ; Close Connection to the Active Directory
    _AD_Close()
ElseIf @error <= 8 Then
    MsgBox(16, "Active Directory Functions", "The logon was not succcessful!" & @CRLF & @CRLF & "@error: " & @error & ", @extended: " & @extended)
Else
    MsgBox(16, "Active Directory Functions", "The logon was not succcessful!" & @CRLF & @CRLF & "@error: " & @error & ", @extended: " & @extended & _
        @CRLF & @CRLF & "Extended error information will be displayed")
    Global $aError = _AD_GetLastADSIError()
    _ArrayDisplay($aError)
EndIf

Be sure to specify the userid as NetBIOS Login Name e.g. "<DOMAIN>\DJ" or User Principal Name e.g. "DJ@domain.com". Only in this cases you get the extended error information. If you just use the Windows Login Name e.g. "DJ" then you only get @error = 8.

Syed23 · December 14, 2010

Hi Syed23,

if you don't specify a UserID then the AD UDF connects using the credentials of the currently logged on user. As this user is already logged in the password already has been verified and you will never get an error.

If you change the example a little bit then it should work fine:

#include <AD.au3>
; Open Connection to the Active Directory
$SUserId = InputBox("Active Directory Functions", "UserID", "", "", 250, 120)
$SPassword = InputBox("Active Directory Functions", "Password", "", "*", 250, 120)
If $SUserId = "" Or $SPassword = "" Then
    MsgBox(16, "Active Directory Functions", "User Id or Pass can not be blank!!!")
ElseIf _AD_Open($SUserId, $SPassword) Then
    MsgBox(64, "Active Directory Functions", "Logon was succcessful!")
    ; Close Connection to the Active Directory
    _AD_Close()
ElseIf @error <= 8 Then
    MsgBox(16, "Active Directory Functions", "The logon was not succcessful!" & @CRLF & @CRLF & "@error: " & @error & ", @extended: " & @extended)
Else
    MsgBox(16, "Active Directory Functions", "The logon was not succcessful!" & @CRLF & @CRLF & "@error: " & @error & ", @extended: " & @extended & _
        @CRLF & @CRLF & "Extended error information will be displayed")
    Global $aError = _AD_GetLastADSIError()
    _ArrayDisplay($aError)
EndIf

Be sure to specify the userid as NetBIOS Login Name e.g. "<DOMAIN>\DJ" or User Principal Name e.g. "DJ@domain.com". Only in this cases you get the extended error information. If you just use the Windows Login Name e.g. "DJ" then you only get @error = 8.

Thanks a lot Water. I am very happy and this makes my credential validation work simple ... Thanks a lot

water · December 15, 2010

yosvanyisel · January 28, 2015

This was driving me nuts for hours, trying to think of a good way to do this, and then I stumbled upon the LogonUser function in advapi32.dll.

This code seems to work for me against the accounts I tried. Not sure what permissions are necessary for the autoit code to validate against the AD you're targetting though

Also, use an NT-style domain (like "domain" instead of "domain.com") as I'm not sure if the FQDN will work.

Hope you like it

;Returns 1 for valid credentials, 0 for invalid credentials and sets @error

Func _ValidateUserCreds($d_Account, $d_Password, $d_Domain = @ComputerName)
    const $LOGON32_LOGON_INTERACTIVE = 2;
    const $LOGON32_LOGON_NETWORK = 3;
    const $LOGON32_PROVIDER_DEFAULT = 0;
    const $LOGON32_PROVIDER_WINNT50 = 3;
    const $LOGON32_PROVIDER_WINNT40 = 2;
    const $LOGON32_PROVIDER_WINNT35 = 1;

    $d_LogonUser     =  DllStructCreate("HANDLE")
    DllCall("advapi32.dll","BOOLEAN","LogonUser", "str", $d_Account, "str", $d_Domain, "str", $d_Password, "dword", $LOGON32_LOGON_NETWORK, "dword", 0, "ptr", DllStructGetPtr($d_LogonUser))
    $d_Success = DllStructGetData($d_LogonUser, 1)

    If $d_Success Then
        Return 1
    Else
        SetError(1)
        Return 0
    EndIf
EndFunc

you are the BEST!!!!!!!!!!

Password validation against active directory.

Recommended Posts

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Create an account or sign in to comment

Create an account

Sign in

Recently Browsing 0 members