
How to query AD without being on domain yet


kor

Yeah yeah, I've read all the threads with sample LDAP query code but I have no idea what the structure needs to be. Everyone wants to make the OUs and domains variables, but I don't. I want to hard code them into my query, but I don't know how. My sample code is on my work computer but here is the gist of what I'm trying to do.

(this workstation is NOT on a domain yet)

(our domain is called "ad.example.com", we have a domain controller named "noc-dc3" that I wish to use)

Prompt for AD username

(check to see if this username exists in our domain, if yes continue, if no prompt for another username [loop until valid username])

Prompt for AD password

(check to see if the password entered is the correct password for the associated username, if yes continue, if no prompt to re-enter password)

Past this part I have all my code that I need (so far)

bo8ster

If the AutoIt UDFs do not have what you want you will have to turn to what Windows can offer. http://www.ss64.com/nt/



kor

Come on, someone must know how to query AD without actually BEING on the domain yet.

$strDomain = "MyDomain"
$strAccount = "UserName"
; WinNT provider bind with the caller's own (implicit) credentials; there is no way to
; supply a domain user/password here, which is why it only resolves on a domain-joined box
$objUser = ObjGet("WinNT://" & $strDomain & "/" & $strAccount & ",user")
If IsObj($objUser) Then
    MsgBox(64, "Exists", "User " & $strDomain & "\" & $strAccount & " exists")
Else
    MsgBox(16, "Non-Existing", "User " & $strDomain & "\" & $strAccount & " does not exist")
EndIf

This code works great if I am already on the domain, but if I test it on a computer that is in a workgroup it returns every user as non-existing.

kor

Compile the code and start it via the OS runas:

http://www.computerhope.com/runas.htm

Tried. Doesn't work. Runas will only recognize the domain if the computer is already a part of it.

I need something that can manually connect to active directory without being on the domain.

spudw2k

Tried. Doesn't work. Runas will only recognize the domain if the computer is already a part of it.

I need something that can manually connect to active directory without being on the domain.

Use the /netonly flag. That should work, or lookup RunAs in the Helpfile. It supports netonly.

RunAs ( "username", "domain", "password", logon_flags, "filename" )
 

Parameters

username The username to log on with. 
domain The domain to authenticate against. 
password The password for the user. 
logon_flags 
    0 - Interactive logon with no profile.
    1 - Interactive logon with profile.
    2 - Network credentials only.
    4 - Inherit the calling processes environment instead of the user's. 
filename The name of the executable (EXE, BAT, COM, or PIF) to run.
kor

Awesome, the netonly worked. Now my last problem is checking to see if the password entered for a domain account matches the AD password for that user.

Any ideas?

kor

Ok, I found this code and got it to work, but once again it only verifies my password if my computer is already on the domain.

$strUser = InputBox("username", "enter username:")
$strPassword = InputBox("password", "password:", '', '*')
$strDomain = InputBox("domain", "the domain:")

MsgBox(0, "", _ValidUserPass($strUser, $strDomain, $strPassword))

; Starts a throw-away hidden cmd.exe as the given user; RunAs sets @error when the logon is rejected
Func _ValidUserPass($username, $computer, $password)
    Local $valid = True
    RunAs($username, $computer, $password, 0, @ComSpec & " /c echo test", @SystemDir, @SW_HIDE)
    If @error Then $valid = False
    Return $valid
EndFunc

I can't hard code in the variables because multiple people will be using this script so I don't know how to do the runas trick. Is there a way to compile this script into an EXE then do a runas on it but be able to pass the variables to it? Or some other way?

spudw2k

...I can't hard code in the variables because multiple people will be using this script so I don't know how to do the runas trick. Is there a way to compile this script into an EXE then do a runas on it but be able to pass the variables to it? Or some other way?

If you change the 0 to a 2 in this line
RunAs($username, $computer, $password, 0, @ComSpec & " /c  echo test", @SystemDir, @SW_Hide)
it should be the same as the /netonly flag. If you don't want to hardcode the vars (good choice) then perhaps the runas.exe /netonly is better suited for you. You could pass variables as cmdline params too. Search for $CMDLINE.

I test domain credentials by attempting to map to a network share using "NET USE". Pretty safe way to test without risking locking out the user, unless multiple attempts are made. I do know that using the netonly flag for runas.exe, if the password is incorrect, will lock out the user upon the first attempt at connecting to a machine in that domain.

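The "NET USE" check spudw2k describes, written as an added example (this is not spudw2k's code): it calls WNetAddConnection2, the API that net use itself uses to open the session, so the password never appears on a command line, and it returns the Win32 error so the caller can tell a bad password from a locked-out account or an unreachable server. This is also the connection that a RunAs with logon flag 2 never makes on its own: LOGON_NETCREDENTIALS_ONLY does not validate the credentials when the process starts, they are only checked once something talks to the network, which is why that flag alone reports success for any password. Assumptions: the DC noc-dc3.ad.example.com from the thread is reachable on SMB (TCP 445), the domain's NetBIOS name is "ad", and the function names are the example's own.

```autoit
Global Const $g_sServer = "noc-dc3.ad.example.com" ; DC named in the thread; assumed reachable on TCP 445
Global Const $g_sDomain = "ad"                     ; assumed NetBIOS name of ad.example.com

; Win32 error codes WNetAddConnection2 returns for the cases that matter here
Global Const $ERROR_SUCCESS = 0
Global Const $ERROR_BAD_NETPATH = 53
Global Const $ERROR_SESSION_CREDENTIAL_CONFLICT = 1219
Global Const $ERROR_LOGON_FAILURE = 1326
Global Const $ERROR_ACCOUNT_LOCKED_OUT = 1909

; Opens \\server\IPC$ as domain\user and closes it again.
; Returns the Win32 error code: 0 means the DC accepted the password.
; Every rejected attempt is a bad logon in the DC's eyes and counts toward lockout.
Func _ADCheckCredentialsSmb($sUser, $sPass)
    Local $sRemote = "\\" & $g_sServer & "\IPC$"

    ; NETRESOURCEW: dwScope, dwType, dwDisplayType, dwUsage, lpLocalName, lpRemoteName, lpComment, lpProvider
    Local $tRemote = DllStructCreate("wchar[" & (StringLen($sRemote) + 1) & "]")
    DllStructSetData($tRemote, 1, $sRemote)
    Local $tNR = DllStructCreate("dword Scope;dword Type;dword DisplayType;dword Usage;" & _
            "ptr LocalName;ptr RemoteName;ptr Comment;ptr Provider")
    DllStructSetData($tNR, "Type", 0) ; RESOURCETYPE_ANY
    DllStructSetData($tNR, "RemoteName", DllStructGetPtr($tRemote))

    ; An existing session to the server would be reused without re-authenticating, so drop it first
    DllCall("mpr.dll", "dword", "WNetCancelConnection2W", "wstr", $sRemote, "dword", 0, "bool", True)

    Local $aRet = DllCall("mpr.dll", "dword", "WNetAddConnection2W", _
            "struct*", $tNR, "wstr", $sPass, "wstr", $g_sDomain & "\" & $sUser, "dword", 0)
    If @error Then Return SetError(@error, 0, -1) ; DllCall itself failed (mpr.dll missing, bad types)
    Local $iErr = $aRet[0]

    ; Do not leave an authenticated session lying around on success
    If $iErr = $ERROR_SUCCESS Then
        DllCall("mpr.dll", "dword", "WNetCancelConnection2W", "wstr", $sRemote, "dword", 0, "bool", True)
    EndIf
    Return $iErr
EndFunc

Func _DescribeResult($iErr)
    Switch $iErr
        Case $ERROR_SUCCESS
            Return "credentials accepted"
        Case $ERROR_LOGON_FAILURE
            Return "unknown user name or bad password"
        Case $ERROR_ACCOUNT_LOCKED_OUT
            Return "account is locked out; stop retrying"
        Case $ERROR_BAD_NETPATH
            Return "cannot reach " & $g_sServer & " (name resolution or SMB blocked)"
        Case $ERROR_SESSION_CREDENTIAL_CONFLICT
            Return "a session to the server is already open with different credentials"
        Case Else
            Return "Win32 error " & $iErr
    EndSwitch
EndFunc

; Usage: prompt once and report; retry only on a bad-password result, never on lockout
Local $sUser = InputBox("AD Username", "Enter your AD username:")
If @error Then Exit
Local $sPass = InputBox("AD Password", "Enter your AD password:", "", "*")
If @error Then Exit
Local $iResult = _ADCheckCredentialsSmb($sUser, $sPass)
MsgBox(0, "Result", _DescribeResult($iResult))
```

Because the check maps IPC$ rather than a file share, it needs no share permissions beyond the right to authenticate, and the cancel call before connecting avoids the "credential conflict" error you get when a session to the same server already exists under another account.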
kor

We don't have any account lock out policies in place so would passing an incorrect password through the runas still lock the account out?

We have nothing set for maximum retries for a password in group policy.

kor

If you change the 0 to a 2 in this line

RunAs($username, $computer, $password, 0, @ComSpec & " /c  echo test", @SystemDir, @SW_Hide)
it should be the same as the /netonly flag. If you don't want to hardcode the vars (good choice) then perhaps the runas.exe /netonly is better suited for you.
I tried changing the 0 to a 2, and now when I run it on a workgroup computer it returns true for everything. It doesn't matter what username I use, or a correct or incorrect password. It says everything is true.

The goal is to NOT have to have this code as an exe and call it from another script; I want to perform everything within 1 script. I'm hoping there is some way to authenticate or do a runas inside the script itself without having to get something from outside.

Can you post your code on how to do a net use to check if AD password is correct?

kor

Alright, I've figured out a way: instead of net use I am going to use netdom. Here is my code.

$strUser = InputBox("username", "enter username:")
$strPassword = InputBox("password", "password:", '', '*')
$strDomain = InputBox("domain", "the domain:")

; The password ends up on the netdom command line, where any local process can read it
$test = "netdom query /domain:" & $strDomain & " /userD:" & $strUser & " /passwordD:" & $strPassword & " dc"
; RunWait returns the process exit code, not the text netdom prints
$strResult = RunWait(@ComSpec & " /C " & $test, '', @SW_HIDE)
MsgBox(0, "output", "output: " & $strResult)

The only problem I am having though is my msgbox that displays the output is giving me "output: 0" every time. If I run that exact netdom query command in a dos window it works fine. I've tested the $test var to make sure it's outputting the correct command and it is. Here is the thing I'm interested in.

I don't really care about the output of the query command (it returns a list of all DCs on the domain), all I care about is if the command completes successfully. It is either going to give you a list of all the DCs, or it's going to say the username/password was incorrect. That is what I am after. If it says username/password is incorrect then I need to know that somehow, everything else I'm not worried about.

spudw2k

Check the helpfile for StdoutRead. You can use that to read the output from netdom but only RunAs allows use of "standard_i/o_flag".

kor

SUCCESS. I have it working, finally. Here is my code for everyone else.

Opt("TrayIconHide", 1) ; hides the tray icon

; Prompt for AD username (Cancel exits)
Do
    $strUsername = InputBox("AD Username", "Please enter your AD username:", '', '', 200, 130, Default, Default)
    If @error Then Exit
Until $strUsername <> ""

; Prompt for AD password and keep asking until netdom accepts it.
; netdom's exit code is 0 when the DC answered the query and non-zero when the logon failed;
; RunWait hands that exit code back, which is all the check needs.
; Caveat: the password is passed on the command line, where other local processes can see it,
; and it is unquoted, so a password containing characters cmd.exe treats specially (&, |, ^, ")
; breaks the command and is reported as "incorrect".
$strGoodPassword = 0
Do
    $strPassword = InputBox("AD Password", "Please enter your AD Password:", '', '*M', 200, 130, Default, Default)
    If @error Then Exit
    $strNetDom = "netdom query /domain:*youdomain* /userD:" & $strUsername & " /passwordD:" & $strPassword & " dc"
    $strNetDomResult = RunWait(@ComSpec & " /C " & $strNetDom, '', @SW_HIDE)
    If $strNetDomResult <> 0 Then
        MsgBox(16, "Error", "The password is incorrect")
        $strGoodPassword = 0
    Else
        $strGoodPassword = 1
    EndIf
Until $strGoodPassword = 1
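The WinNT:// lookup earlier in the thread fails off-domain because it can only bind with the caller's own credentials, and the netdom approach above works but hands the password to a child process on its command line. Both questions from the thread, does this user exist and is this password right, can be answered in-process with ADSI by binding to the named DC with explicit credentials. The following is an added example and not kor's code; it assumes the DC noc-dc3.ad.example.com and base DN DC=ad,DC=example,DC=com (derived from the domain name in the first post), a NetBIOS domain name of "ad", LDAP (TCP 389) reachable from the workgroup machine, and its own function names.

```autoit
Global Const $ADS_SECURE_AUTHENTICATION = 0x1 ; negotiate Kerberos/NTLM; the password is not sent in clear
Global Const $ADS_SERVER_BIND = 0x200         ; the LDAP path names one server, skip DC discovery

Global Const $g_sServer = "noc-dc3.ad.example.com"  ; DC named in the thread; assumed reachable on TCP 389
Global Const $g_sBaseDN = "DC=ad,DC=example,DC=com" ; assumed from the domain name ad.example.com
Global Const $g_sDomain = "ad"                      ; assumed NetBIOS name of the domain

; ADSI reports failures as COM errors, which abort an AutoIt script unless a handler is installed
Global $g_iComErr = 0
Global $g_oComErr = ObjEvent("AutoIt.Error", "_ComErrHandler")
Func _ComErrHandler($oErr)
    $g_iComErr = Number($oErr.number)
EndFunc

; Escape RFC 4515 filter metacharacters so a typed username cannot rewrite the search filter
Func _LdapEscape($s)
    $s = StringReplace($s, "\", "\5c")
    $s = StringReplace($s, "*", "\2a")
    $s = StringReplace($s, "(", "\28")
    $s = StringReplace($s, ")", "\29")
    Return StringReplace($s, Chr(0), "\00")
EndFunc

; Binds to the DC as domain\user. True only if the DC accepts the password.
; A rejected bind is a bad logon like any other and counts toward any lockout threshold.
Func _ADCheckCredentialsLdap($sUser, $sPass)
    $g_iComErr = 0
    Local $oNS = ObjGet("LDAP:")
    Local $oRoot = $oNS.OpenDSObject("LDAP://" & $g_sServer & "/" & $g_sBaseDN, _
            $g_sDomain & "\" & $sUser, $sPass, BitOR($ADS_SECURE_AUTHENTICATION, $ADS_SERVER_BIND))
    If $g_iComErr <> 0 Or Not IsObj($oRoot) Then Return SetError(1, $g_iComErr, False)
    Return True
EndFunc

; Searches the domain for sAMAccountName=$sLookup using the given credentials.
; Returns the distinguishedName, or "" if there is no such user (@error set on bind/search failure).
Func _ADFindUser($sBindUser, $sBindPass, $sLookup)
    $g_iComErr = 0
    Local $oConn = ObjCreate("ADODB.Connection")
    $oConn.Provider = "ADsDSOObject"
    $oConn.Properties("User ID") = $g_sDomain & "\" & $sBindUser
    $oConn.Properties("Password") = $sBindPass
    $oConn.Properties("Encrypt Password") = True
    $oConn.Properties("ADSI Flag") = BitOR($ADS_SECURE_AUTHENTICATION, $ADS_SERVER_BIND)
    $oConn.Open("Active Directory Provider")
    If $g_iComErr <> 0 Then Return SetError(1, $g_iComErr, "")

    Local $sQuery = "<LDAP://" & $g_sServer & "/" & $g_sBaseDN & ">;" & _
            "(&(objectCategory=person)(objectClass=user)(sAMAccountName=" & _LdapEscape($sLookup) & "));" & _
            "distinguishedName;subtree"
    Local $oRS = $oConn.Execute($sQuery)
    If $g_iComErr <> 0 Then
        $oConn.Close()
        Return SetError(2, $g_iComErr, "")
    EndIf
    Local $sDN = ""
    If Not $oRS.EOF Then $sDN = $oRS.Fields("distinguishedName").Value
    $oRS.Close()
    $oConn.Close()
    Return $sDN
EndFunc

; Usage: one prompt for each value, then a single bind as that user. Either the account exists
; and the password is right, or the bind fails; the caller is not told which, so the script
; cannot be used to enumerate valid usernames.
Local $sUser = InputBox("AD Username", "Enter your AD username:")
If @error Then Exit
Local $sPass = InputBox("AD Password", "Enter your AD password:", "", "*")
If @error Then Exit
If Not _ADCheckCredentialsLdap($sUser, $sPass) Then
    MsgBox(16, "Error", "Logon failed (COM error 0x" & Hex($g_iComErr, 8) & ")")
    Exit
EndIf
MsgBox(64, "OK", "Authenticated as " & _ADFindUser($sUser, $sPass, $sUser))
```

Checking the username before asking for a password, as the first post proposes, would need some credential to bind with anyway; binding once as the user being checked avoids both a stored service account and the username-enumeration oracle. Once the bind succeeds the same connection can run any of the LDAP queries from the other threads, with the DC name and base DN hard-coded as kor wanted.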
