How to query AD without being on domain yet

[kor]

Yeah yeah, I've read all the threads with sample LDAP query code but I have no idea what the structure needs to be. Everyone wants to make the OU's and domains variables, but I don't. I want to hard code them into my query, but I don't know how. My sample code is on my work computer but here is the just of what I'm trying to do.

(this workstation is NOT on a domain yet)

(our domain is called "ad.example.com", we have a domain controller named "noc-dc3" that I wish to use)

Prompt for AD username

(check to see if this username exists in our domain, if yes continue, if no prompt for another username [loop until valid username])

Prompt for AD password

(check to see if the password entered is the correct password for the associated username, if yes continue, if no prompt to re-enter password)

Past this part I have all my code that I need (so far)

[bo8ster]

If the AutoIt UDFs do not have what you want you will have to turn to what Windows can offer. http://www.ss64.com/nt/

[kor]

Come on, someone must know how to query AD without actually BEING on the domain yet.

$strDomain = "MyDomain"
$strAccount = "UserName"
$objUser = ObjGet("WinNT://" & $strDomain & "/" & $strAccount & ",user")
If IsObj($objUser) Then
    MsgBox(64, "Exists", "User " & $strDomain & "\" & $strAccount & " exists")
Else
    MsgBox(16, "Non-Existing", "User " & $strDomain & "\" & $strAccount & " does not exist")
EndIf

This code works great if I am already on the domain, but if I test it on a computer that is on a workgroup and returns every user as non-existing.

[herewasplato]

Compile the code and start it via the OS runas:

http://www.computerhope.com/runas.htm

[kor]

Compile the code and start it via the OS runas:

http://www.computerhope.com/runas.htm

Tried. Doesn't work. Runas will only recognize the domain if the computer is already a part of it.

I need something that can manually connect to active directory without being on the domain.

[spudw2k]

Tried. Doesn't work. Runas will only recognize the domain if the computer is already a part of it.

I need something that can manually connect to active directory without being on the domain.

Use the /netonly flag. That should work, or lookup RunAs in the Helpfile. It supports netonly.

RunAs ( "username", "domain", "password", logon_flags, "filename" )
 

Parameters

username The username to log on with. 
domain The domain to authenticate against. 
password The password for the user. 
logon_flags 
    0 - Interactive logon with no profile.
    1 - Interactive logon with profile.
    2 - Network credentials only.
    4 - Inherit the calling processes environment instead of the user's. 
filename The name of the executable (EXE, BAT, COM, or PIF) to run.

Edited April 7, 2009 by spudw2k

[kor]

Awesome, the netonly worked. Now my last problem is checking to see if the password entered for a domain account matches the AD password for that user.

Any ideas?

[kor]

Ok, I found this code and got it to work, but once again it only verifies my password if my computer is already on the domain.

$strUser = inputbox("username", "enter username:")
$strpassword = inputbox("password", "password:", '', '*')
$strDomain = inputbox("domain", "the domain:")

MsgBox (0, "", _ValidUserPass ($strUser, $strDomain, $strPassword))

Func _ValidUserPass($username, $computer, $password)
    Local $valid = True
    RunAs($username, $computer, $password, 0, @ComSpec & " /c  echo test", @SystemDir, @SW_Hide)
    If @error Then $valid = False
    Return $valid
EndFunc

I can't hard code in the variables because multiple people will be using this script so I don't know how to do the runas trick. Is there a way to compile this script into an EXE then do a runas on it but be able to pass the variables to it? Or some other way?

Edited April 7, 2009 by kor

[spudw2k]

...I can't hard code in the variables because multiple people will be using this script so I don't know how to do the runas trick. Is there a way to compile this script into an EXE then do a runas on it but be able to pass the variables to it? Or some other way?

If you change the 0 to a 2 in this line

RunAs($username, $computer, $password, 0, @ComSpec & " /c  echo test", @SystemDir, @SW_Hide)

it should be the same as the /netonly flag. If you don't want to hardcode the vars (good choice) then perhaps the runas.exe /netonly is better suited for you. You could pass varibles as cmdline params too. Search for $CMDLINE.

I test domain credentials by attempting to map to a network share using "NET USE". Pretty safe way to test without risking locking out the user, unless multiple attempts are made. I do know that using the netonly flag for runas.exe; if the password is incorrect, will lockout the user upon first attempt at connecting to a machine in that domain.

Edited April 7, 2009 by spudw2k

[kor]

We don't have any account lock out policies in place so would passing an incorrect password through the runas still lock the account out?

We have nothing set for maximum retries for a password in group policy.

[kor]

If you change the 0 to a 2 in this line

RunAs($username, $computer, $password, 0, @ComSpec & " /c  echo test", @SystemDir, @SW_Hide)

it should be the same as the /netonly flag. If you don't want to hardcode the vars (good choice) then perhaps the runas.exe /netonly is better suited for you.

I tried changing the 0 to a 2, and now run I run it on a workgroup computer it returns true for everything. It doesnt matter what username I use, or a correct or incorrect password. It says everything is true.

The goal is to NOT have to have this code as an exe and call it from another script, I want to preform everything within 1 script. I'm hoping there is some way to authenticate or do a runas inside the script itself without having to get something from outside.

Can you post your code on how to do a net use to check if AD password is correct?

Edited April 7, 2009 by kor

[kor]

Alright, I've figured out a way instead of netuse I am going to use netdom. Here is my code.

$strUser = inputbox("username", "enter username:")
$strPassword = inputbox("password", "password:", '', '*')
$strDomain = inputbox("domain", "the domain:")

$test = "netdom query /domain:" & $strDomain & " /userD:" & $strUser & " /passwordD:" & $strPassword & " dc"
$strResult = RunWait(@ComSpec & " /C " & $test,'',@SW_Hide)
MsgBox (0, "output", "output: " & $strResult, " blah")

The only problem I am having though is my msgbox that displays the output is giving me "output: 0" every time. If I run that exact netdom query command in a dos window it works fine. I've tested the $test var to make sure it's outputing the correct command and it is. Here is the thing I'm interested in.

I don't really care about the output of the query command (it returns a list of all DC's on the domain), all I care about is if the command complete successfully. It is either going to give you a list of all the DC's, or it's going to say the username/password was incorrect. That is what I am after. If it says username/password is incorrect then I need to know that somehow, everything else I'm not worried about.

[spudw2k]

Check the helpfile for StdoutRead. You can use that to read the output from netdom but only RunAs allows use of "standard_i/o_flag".

[kor]

SUCCESS. I have it working, finally. Here is my code for everyone else.

#include <String.au3>

Opt("TrayIconHide", 1); Hides tray icon

; Prompt for AD Username
Do 
$strUsername = InputBox("AD Username", "Please enter your AD username:",'', '', 200, 130, default, default)
    If @error Then
        Exit
    EndIf
Until $strUsername <> ""

; Prompt for AD Password
$strGoodPassword = 0
Do
$strPassword = InputBox("AD Password", "Please enter your AD Password:",'','*M', 200, 130, default, default)
    If @error Then
        Exit
    EndIf
    $strNetDom = "netdom query /domain:*youdomain* /userD:" & $strUsername & " /passwordD:" & $strPassword & " dc"
    $strNetDomResult = RunWait(@Comspec & " /C" & $strNetDom,'',@SW_HIDE)
        If $strNetDomResult <> 0 Then
            MsgBox (16, "Error", "The password is incorrect")
            $strGoodPassword = 0
        Else
            $strGoodPassword = 1
        EndIf
Until $strGoodPassword = 1