supersonic

How to determine whether a user has AD write permissions or not?

3 posts in this topic

Hi!

I'm trying to figure out whether the CURRENTLY LOGGED ON user has AD write permissions or not.

Therefore I use the UDF adfunctions.au3 (latest release; see "Download").

With the function called _ADHasFullRights() I check for access rights to the user object "Administrator":

MsgBox(0, "", _ADHasFullRights(_ADSamAccountNameToFQDN("Administrator"), @UserName), 0)

As described in the UDF you have to activate the following code line (after global defs):

_ADRecursiveGetMemberOf ($loggedonusergroups, _ADSamAccountNameToFQDN (@UserName))

... I have done so.

My problem is: Even when the currently logged on user has successfully authenticated against the AD as Administrator (e. g. "NET.EXE USER \\SERVER\IPC$ /USER:DOMAIN\Administrator <PASSWORD>") and can actually write to the AD, the function always returns 0.

When running the function against e. g. "Administrator" (or any other administrative user account) the function returns 1:

MsgBox(0, "", _ADHasFullRights(_ADSamAccountNameToFQDN("Administrator"), "Administrator"), 0)

Maybe the function checks for access rights only within the AD?

Anyone any idea to solve this issue?

Greets,

-supersonic.


Hi,

I think the problem is that the function uses the macro @UserName. This is the currently logged-on user. I think this value doesn't change, even if you use your mentioned 'net.exe User....'. Just try:

msgbox (0,"",@Username)
RunWait (@comspec & " /c " & "NET.EXE USER \\SERVER\IPC$ /USER:DOMAIN\Administrator <PASSWORD>")
msgbox (0,"",@Username)

;-))

Stefan


Running the NET command will not change value for @UserName, of course...

But how can I figure out whether a user has authenticated himself against the AD by a different user/password?

Maybe _ADHasFullRights() is not the way to go...
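An added example, not from this thread and not part of the adfunctions.au3 UDF, written in PowerShell rather than AutoIt because the point is how Windows security contexts work: mapping a share with NET USE and alternate credentials only stores those credentials for that SMB session, while the script keeps running under the logon token of the interactive user, so any check keyed on that token (or on @UserName) keeps reporting the un-elevated result. The second function shows what such a check has to do, namely read the DACL of the AD object and match its ACEs against the SIDs carried by the token. It assumes a domain-joined host and a placeholder distinguished name that you must replace; the function and parameter names are made up for this example.

```powershell
# Added example (not from the thread or the UDF). Assumes a domain-joined
# Windows host; $DistinguishedName below is a placeholder.

# The identity a script runs under is its process token. "NET USE ... /USER:"
# stores credentials for that SMB session only and leaves the token unchanged,
# so this value is the same before and after the NET command.
function Get-CurrentIdentityName {
    [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
}

# Evaluate the DACL of one AD object against a token: report $true when an
# allow ACE grants write rights to a SID the token carries and no applicable
# deny ACE removes them. Simplified on purpose: it ignores property-specific
# (object-type) ACEs and the full ACE ordering rules, and it needs READ_CONTROL
# on the object to read the security descriptor at all.
function Test-AdWriteAccess {
    param(
        [Parameter(Mandatory)]
        [string] $DistinguishedName,   # placeholder, e.g. CN=Administrator,CN=Users,DC=example,DC=com

        [System.Security.Principal.WindowsIdentity] $Identity =
            [System.Security.Principal.WindowsIdentity]::GetCurrent()
    )

    $entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DistinguishedName")
    $rules = $entry.ObjectSecurity.GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier])

    # SIDs the token carries: the user's own SID plus every (nested) group SID.
    $tokenSids = @($Identity.User) + @($Identity.Groups)

    $writeMask = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor
                 [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite -bor
                 [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

    $allowed = $false
    foreach ($rule in $rules) {
        if ($tokenSids -notcontains $rule.IdentityReference) { continue }
        if (($rule.ActiveDirectoryRights -band $writeMask) -eq 0) { continue }
        if ($rule.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Deny) {
            return $false   # an applicable deny ACE outranks any allow ACE
        }
        $allowed = $true
    }
    return $allowed
}

# Usage (constructed): run the identity check before and after a NET USE with
# alternate credentials and compare; then evaluate the ACL for that token.
Get-CurrentIdentityName
Test-AdWriteAccess -DistinguishedName "CN=Administrator,CN=Users,DC=example,DC=com"
```

To evaluate the ACL for a different account than the one running the script, pass a WindowsIdentity built for that account instead of the default (for example via the WindowsIdentity(userPrincipalName) constructor, which needs a domain controller that supports it), or start the script itself under that account; either way the check follows the token, not whatever credentials a mapped drive happens to use.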

