List Domänen-Benutzer (Domain Users) with AD.au3

  • Hi,
    I have a strange problem.

    When I try, with

    [autoit]

    #include <AD.au3>    ; _AD_Open, _AD_GetGroupMembers, _AD_Close
    #include <Array.au3> ; _ArrayDisplay
    _AD_Open()
    $qased = _AD_GetGroupMembers("CN=Domänen-Benutzer,CN=Users,DC=DOMAINXY,DC=de")
    _ArrayDisplay($qased)
    _AD_Close()

    [/autoit]

    or with

    [autoit]

    #include <AD.au3>    ; _AD_Open, _AD_GetGroupMembers, _AD_Close
    #include <Array.au3> ; _ArrayDisplay
    _AD_Open()
    $qased = _AD_GetGroupMembers("Domänen-Benutzer")
    _ArrayDisplay($qased)
    _AD_Close()

    [/autoit]

    to read out the users, I always get $qased[0] = 0, although there should be around 150 users in it.
    Other user groups in the domain work fine (but they are also not that large).

    Anyone have an idea what might be causing this? (Probably not the ä, since Domänen-Admins are listed.)

    21 is only half the truth.

    Edited once, last by Mahagon (18 February 2011, 09:43)

  • In short: WAD - works as designed.
    Explanation: every user is assigned to a so-called "primary group". In 99.9% of cases that is the group "Domänen-Benutzer". If you query such "primary groups" for their group members, you always get an empty list, because it could be miles long.
    The functions _AD_IsMemberOf, _AD_GetUserGroups, _AD_GetUserPrimaryGroup and _AD_SetUserPrimaryGroup handle these special groups.

    So you should not go from the group to the users, but from the users to the groups.

    What exactly are you trying to achieve? Maybe there is another way to do it.
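    The reversed lookup recommended above, as an added example (my own, not from the thread and not part of AD.au3): it takes the group's RID from its objectSid, builds the LDAP filter that selects the users whose primaryGroupID is that RID (usable, e.g., as the filter argument of _AD_GetObjectsInOU), and resolves membership offline from constructed sample records.

```python
# Added example, not from the thread or AD.au3: AD stores primary-group membership
# on the USER object (primaryGroupID = RID of the group), not in the group's
# "member" attribute, so a member query against a primary group returns nothing.
# All directory records below are constructed sample data.

def rid_from_sid(sid: str) -> int:
    """Return the relative identifier (last sub-authority) of a SID string."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S":
        raise ValueError(f"not a SID: {sid!r}")
    return int(parts[-1])

def ldap_filter_for_primary_members(group_sid: str) -> str:
    """LDAP filter selecting the users whose primary group is the given group."""
    rid = rid_from_sid(group_sid)
    return f"(&(objectCategory=person)(objectClass=user)(primaryGroupID={rid}))"

def members_of_group(group: dict, users: list) -> list:
    """Explicit 'member' entries plus users whose primaryGroupID is the group's RID."""
    rid = rid_from_sid(group["objectSid"])
    primary = [u["distinguishedName"] for u in users if u.get("primaryGroupID") == rid]
    result = []
    for dn in list(group.get("member", [])) + primary:
        if dn not in result:  # a user can be both an explicit and a primary member
            result.append(dn)
    return result

# Constructed domain S-1-5-21-1-2-3; 513 and 512 are the well-known RIDs of
# Domain Users (Domänen-Benutzer) and Domain Admins (Domänen-Admins).
DOMAIN_USERS = {
    "distinguishedName": "CN=Domänen-Benutzer,CN=Users,DC=DOMAINXY,DC=de",
    "objectSid": "S-1-5-21-1-2-3-513",
    "member": [],  # empty, which is what the thread's _AD_GetGroupMembers call sees
}
DOMAIN_ADMINS = {
    "distinguishedName": "CN=Domänen-Admins,CN=Users,DC=DOMAINXY,DC=de",
    "objectSid": "S-1-5-21-1-2-3-512",
    "member": ["CN=Alice,CN=Users,DC=DOMAINXY,DC=de"],
}
USERS = [
    {"distinguishedName": "CN=Alice,CN=Users,DC=DOMAINXY,DC=de", "primaryGroupID": 513},
    {"distinguishedName": "CN=Bob,CN=Users,DC=DOMAINXY,DC=de", "primaryGroupID": 513},
    {"distinguishedName": "CN=svc-backup,CN=Users,DC=DOMAINXY,DC=de", "primaryGroupID": 512},
]

if __name__ == "__main__":
    print(ldap_filter_for_primary_members(DOMAIN_USERS["objectSid"]))
    print(members_of_group(DOMAIN_USERS, USERS))   # Alice and Bob
    print(members_of_group(DOMAIN_ADMINS, USERS))  # Alice (explicit), svc-backup (primary)
```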

  • Ah okay... Thanks ^^
    Well, in short: I want to list permissions including users :)

    [autoit]

    #RequireAdmin
    #include <File.au3>
    #include <AD.au3>
    #include <Array.au3> ; _ArrayAdd, _ArrayDelete, _ArrayUnique, _ArraySort, _ArrayToString
    #include <GUIConstants.au3>
    Local _
    $FILE_READ_DATA__FILE_LIST_DIRECTORY = 1, _ ;Grants the right to read data from the file. For a directory, this value grants the right to list the contents of the directory.
    $FILE_WRITE_DATA__FILE_ADD_FILE = 2, _ ;Grants the right to write data to the file. For a directory, this value grants the right to create a file in the directory.
    $FILE_APPEND_DATA__FILE_ADD_SUBDIRECTORY = 4, _ ;Grants the right to append data to the file. For a directory, this value grants the right to create a subdirectory.
    $FILE_READ_EA = 8, _ ;Grants the right to read extended attributes.
    $FILE_WRITE_EA = 16, _ ;Grants the right to write extended attributes.
    $FILE_EXECUTE__FILE_TRAVERSE = 32, _ ;Grants the right to execute a file. For a directory, the directory can be traversed.
    $FILE_DELETE_CHILD = 64, _ ;Grants the right to delete a directory and all the files it contains (its children), even if the files are read-only.
    $FILE_READ_ATTRIBUTES = 128, _ ;Grants the right to read file attributes.
    $FILE_WRITE_ATTRIBUTES = 256, _ ;Grants the right to change file attributes.
    $DELETE = 65536, _ ;Grants delete access.
    $READ_CONTROL = 131072, _ ;Grants read access to the security descriptor and owner.
    $WRITE_DAC = 262144, _ ;Grants write access to the discretionary access control list (ACL).
    $WRITE_OWNER = 524288, _ ;Assigns the write owner.
    $SYNCHRONIZE = 1048576, _ ;Synchronizes access and allows a process to wait for an object to enter the signaled state.
    $OBJECT_INHERIT_ACE = 1, _;Noncontainer child objects inherit the ACE as an effective ACE. For child objects that are containers, the ACE is inherited as an inherit-only ACE unless the NO_PROPAGATE_INHERIT_ACE bit flag is also set.
    $CONTAINER_INHERIT_ACE = 2, _ ; Child objects that are containers, such as directories, inherit the ACE as an effective ACE. The inherited ACE is inheritable unless the NO_PROPAGATE_INHERIT_ACE bit flag is also set.
    $NO_PROPAGATE_INHERIT_ACE = 4, _ ;If the ACE is inherited by a child object, the system clears the OBJECT_INHERIT_ACE and CONTAINER_INHERIT_ACE flags in the inherited ACE. This prevents the ACE from being inherited by subsequent generations of objects.
    $INHERIT_ONLY_ACE = 8, _ ;Indicates an inherit-only ACE which does not control access to the object to which it is attached. If this flag is not set, the ACE is an effective ACE which controls access to the object to which it is attached. Both effective and inherit-only ACEs can be inherited depending on the state of the other inheritance flags.
    $INHERITED_ACE = 16, _ ;The system sets this bit when it propagates an inherited ACE to a child object.
    $wbemFlagReturnImmediately = 0x10, _
    $wbemFlagForwardOnly = 0x20, _
    $colItems = "", _
    $strComputer = "localhost", _
    $objSD, _
    $Output = "", _
    $objDaclAccessmask
    Local $aRights2dArray[1][21]
    Local $aRightFlags[14] = [$FILE_READ_DATA__FILE_LIST_DIRECTORY, $FILE_WRITE_DATA__FILE_ADD_FILE, $FILE_APPEND_DATA__FILE_ADD_SUBDIRECTORY, $FILE_READ_EA, $FILE_WRITE_EA, $FILE_EXECUTE__FILE_TRAVERSE, $FILE_DELETE_CHILD, $FILE_READ_ATTRIBUTES, $FILE_WRITE_ATTRIBUTES, $DELETE, $READ_CONTROL, $WRITE_DAC, $WRITE_OWNER, $SYNCHRONIZE]
    Local $aAceflags[5] = [$OBJECT_INHERIT_ACE, $CONTAINER_INHERIT_ACE, $NO_PROPAGATE_INHERIT_ACE, $INHERIT_ONLY_ACE, $INHERITED_ACE]
    Local $sRootFolder = FileSelectFolder("Verzeichnis zum auslesen der Berechtigungen auswählen", "",2,"C:")
    Local $pathall
    Local $sProtokoll = @ScriptDir & "\" & StringReplace(StringReplace($sRootFolder, "\", "_"), ":", "-") & " Berechtigungen " & @YDAY & @MON & @MDAY & @HOUR & @MIN & @SEC & ".log"

    Local Const $PBS_MARQUEE = 0x08

    $hGui = GUICreate("Berechtigungen werden überprüft", 464, 56, 193, 115)
    $Progress = GUICtrlCreateProgress(8, 8, 446, 17, $PBS_MARQUEE)
    $statLabel = GUICtrlCreateLabel("Bitte warten", 8, 32, 446, 17)
    GUISetState(@SW_SHOW)

    _GUICtrlProgressSetMarquee($Progress)
    ConsoleWrite($sProtokoll & @CRLF)
    ConsoleWrite($sRootFolder & " wird durchsucht ..." & @CRLF)
    $aReturnfolderlist = _ReFileListToString($sRootFolder & "\")
    ConsoleWrite(UBound($aReturnfolderlist) & " Ordner gefunden" & @CRLF)
    Local $aAllGoupsandUsers[1]
    FileWrite($sProtokoll, "== Auflistung der Berechtigungen für " & $sRootFolder & " ==" & @CRLF & @CRLF)
    For $i3 = 0 To UBound($aReturnfolderlist) - 1
    If StringRight($aReturnfolderlist[$i3], 1) = "\" Then $aReturnfolderlist[$i3] = StringTrimRight($aReturnfolderlist[$i3], 1)
    $aReturnRights = _geteffberechtigungen($aReturnfolderlist[$i3])
    For $i2 = 1 To UBound($aReturnRights) - 1
    For $i = 0 To UBound($aReturnRights, 2) - 7
    If $aReturnRights[$i2][1] = $aReturnfolderlist[$i3] And Not $aReturnRights[$i2][19] = "INHERIT_ONLY_ACE" And $i = 0 Then FileWrite($sProtokoll, @CRLF)
    If Not $aReturnRights[$i2][19] = "INHERIT_ONLY_ACE" And Not $aReturnRights[$i2][$i] = "" And Not $aReturnRights[$i2][20] = "INHERITED_ACE" Then ; column 20 holds "INHERITED_ACE" as written by _makeaceflagsreadable; only explicit ACEs are written here
    If $aReturnRights[$i2][1] = $aReturnfolderlist[$i3] Then FileWrite($sProtokoll, $aReturnRights[$i2][$i] & @CRLF)
    ElseIf Not $aReturnRights[$i2][19] = "INHERIT_ONLY_ACE" And Not $aReturnRights[$i2][$i] = "" And $sRootFolder = $aReturnRights[$i2][1] Then ; for the root folder, inherited ACEs are written too
    If $aReturnRights[$i2][1] = $aReturnfolderlist[$i3] Then FileWrite($sProtokoll, $aReturnRights[$i2][$i] & @CRLF)
    EndIf
    Next
    _ArrayAdd($aAllGoupsandUsers, $aReturnRights[$i2][0])
    Next
    Next
    _ArrayDelete($aAllGoupsandUsers, 0)
    $aAllGoupsandUsers = _ArrayUnique($aAllGoupsandUsers)
    _ArrayDelete($aAllGoupsandUsers, 0)
    $aReturnGroups = _getGroupsAndMembers($aAllGoupsandUsers)
    ConsoleWrite("...Done" & @CRLF)

    FileWrite($sProtokoll, @CRLF & "== Auflistung der Benutzergruppen ==" & @CRLF & @CRLF)
    ConsoleWrite("Durchsuchen der Benutzergruppen in der Domäne: " & @CRLF)
    For $i = 0 To UBound($aReturnGroups) - 1
    If Not $aReturnGroups[$i][0] = "" Then
    For $i2 = 0 To UBound($aReturnGroups, 2) - 1
    If Not $aReturnGroups[$i][$i2] = "" Then FileWrite($sProtokoll, $aReturnGroups[$i][$i2] & @CRLF)
    Next
    FileWrite($sProtokoll, @CRLF)
    EndIf
    Next
    ConsoleWrite("...Done" & @CRLF)
    GUIDelete($hGui)
    ShellExecute("notepad.exe", '"' & $sProtokoll & '"')

    Func _getGroupsAndMembers($aGroup)
    $aGroup = _getAllGroupsinGroups($aGroup)
    Local $aUsersinGroup[1][1]
    _AD_Open()
    Local $iMembers = 0
    For $iGroup = 0 To UBound($aGroup) - 1
    $aMembers = _AD_GetGroupMembers($aGroup[$iGroup])
    If Not @error > 0 Then
    If Not $aMembers[0] = 0 Then
    If $iMembers < UBound($aMembers) + 1 Then $iMembers = UBound($aMembers) + 1 ; widest member list so far (UBound($aMembers + 1) was a typo: array + 1 is not valid)
    ReDim $aUsersinGroup[UBound($aGroup)][$iMembers + 1]
    _ArraySort($aMembers, 0, 1)
    $aMembers = _ArrayUnique($aMembers)
    _ArrayDelete($aMembers, 0)
    $aUsersinGroup[$iGroup][0] = "Gruppe: " & $aGroup[$iGroup]
    For $x = 1 To UBound($aMembers) - 1
    $aUsersinGroupRegex = StringRegExp($aMembers[$x], "(?i)^CN=(.*?),", 1)
    If Not @error Then $aUsersinGroup[$iGroup][$x] = $aUsersinGroupRegex[0]
    Next
    EndIf
    EndIf
    Next
    _AD_Close()
    Return $aUsersinGroup
    EndFunc ;==>_getGroupsAndMembers

    Func _getAllGroupsinGroups($aGroup)
    $countold = UBound($aGroup)
    $sGroup = _ArrayToString($aGroup)
    For $group In $aGroup
    _AD_Open()
    $aMembers = _AD_GetGroupMembers($group)
    If Not @error > 0 Then
    If Not $aMembers[0] = 0 Then
    _ArrayDelete($aMembers,0)
    For $member In $aMembers
    $areturnmember = StringRegExp($member, "(?i)^CN=(.*?),", 1)
    If Not UBound($areturnmember) = 0 Then
    $aGroupMembers = _AD_GetGroupMembers($areturnmember[0])
    If Not @error > 0 Then
    If Not $aGroupMembers[0] = 0 Then
    $sGroup &= "|" & $areturnmember[0]
    EndIf
    EndIf
    EndIf
    Next
    EndIf
    EndIf
    _AD_Close()
    Next
    $aGroup = StringSplit($sGroup, "|", 2)
    _ArraySort($aGroup)
    $aGroup = _ArrayUnique($aGroup)
    _ArrayDelete($aGroup, 0)
    If $countold < UBound($aGroup) Then $aGroup = _getAllGroupsinGroups($aGroup) ; new nested groups were found: recurse and keep the result (it was discarded before)
    Return $aGroup
    EndFunc ;==>_getAllGroupsinGroups

    Func _geteffberechtigungen($sFolder)
    Local $objWMIService = ObjGet("winmgmts:\\" & $strComputer & "\root\CIMV2")
    Local $colItems = $objWMIService.ExecQuery('SELECT * FROM Win32_LogicalFileSecuritySetting WHERE Path="' & StringReplace($sFolder, "\", "\\") & '"', "WQL", $wbemFlagReturnImmediately + $wbemFlagForwardOnly)
    If IsObj($colItems) Then
    For $objItem In $colItems
    $objItem.GetSecurityDescriptor($objSD)
    $colDacl = $objSD.DACL
    For $objDacl In $colDacl
    ReDim $aRights2dArray[UBound($aRights2dArray) + 1][21]
    $iRights2dArray = 0
    $aRights2dArray[UBound($aRights2dArray) - 1][$iRights2dArray] = $objDacl.Trustee.Name
    $iRights2dArray += 1
    $aRights2dArray[UBound($aRights2dArray) - 1][$iRights2dArray] = $objItem.Path
    $iRights2dArray += 1
    For $RightFlag In $aRightFlags
    If BitAND($objDacl.AccessMask, $RightFlag) Then $aRights2dArray[UBound($aRights2dArray) - 1][$iRights2dArray] = _makerightflagsreadable($RightFlag)
    $iRights2dArray += 1
    Next
    For $Aceflag In $aAceflags
    If BitAND($objDacl.AceFlags, $Aceflag) Then $aRights2dArray[UBound($aRights2dArray) - 1][$iRights2dArray] = _makeaceflagsreadable($Aceflag)
    $iRights2dArray += 1
    Next
    Next
    Next
    Return $aRights2dArray
    Else
    Return SetError(1, 0, 0) ; WMI query returned no collection: flag the error and return no array
    EndIf
    EndFunc ;==>_geteffberechtigungen

    Func _makerightflagsreadable($sFlag)
    Switch $sFlag
    Case $FILE_READ_DATA__FILE_LIST_DIRECTORY
    Return "Ordner auflisten / Daten lesen"
    Case $FILE_WRITE_DATA__FILE_ADD_FILE
    Return "Dateien erstellen / Daten schreiben"
    Case $FILE_APPEND_DATA__FILE_ADD_SUBDIRECTORY
    Return "Ordner erstellen / Daten anhängen"
    Case $FILE_READ_EA
    Return "Erweiterte Attribute lesen"
    Case $FILE_WRITE_EA
    Return "Erweiterte Attribute schreiben"
    Case $FILE_EXECUTE__FILE_TRAVERSE
    Return "Ordner durchsuchen / Dateien ausführen"
    Case $FILE_DELETE_CHILD
    Return "Unterordner und Dateien löschen"
    Case $FILE_READ_ATTRIBUTES
    Return "Attribute lesen"
    Case $FILE_WRITE_ATTRIBUTES
    Return "Attribute schreiben"
    Case $DELETE
    Return "Löschen"
    Case $READ_CONTROL
    Return "Berechtigungen lesen"
    Case $WRITE_DAC
    Return "Berechtigungen ändern"
    Case $WRITE_OWNER
    Return "Besitz übernehmen"
    Case $SYNCHRONIZE
    Return "Synchronisiert den Zugriff und erlaubt einem Prozess auf einem bestimmten Status eines Objektes zu warten"
    EndSwitch
    EndFunc ;==>_makerightflagsreadable

    Func _makeaceflagsreadable($sFlag)
    Switch $sFlag
    Case $OBJECT_INHERIT_ACE
    Return "OBJECT_INHERIT_ACE"
    Case $CONTAINER_INHERIT_ACE
    Return "CONTAINER_INHERIT_ACE"
    Case $NO_PROPAGATE_INHERIT_ACE
    Return "NO_PROPAGATE_INHERIT_ACE"
    Case $INHERIT_ONLY_ACE
    Return "INHERIT_ONLY_ACE"
    Case $INHERITED_ACE
    Return "INHERITED_ACE"
    EndSwitch
    EndFunc ;==>_makeaceflagsreadable

    Func _ReFileListToString($path) ;by Oscar (Autoit.de)
    Local $count, $Files
    Local $dFileList = _FileListToArray($path, '*', 2)
    $pathall &= $path & "|"
    If IsArray($dFileList) Then
    For $i = 1 To $dFileList[0]
    Local $hSearch, $sFile
    $hSearch = FileFindFirstFile($path & $dFileList[$i] & "\" & '*.*')
    If $hSearch <> -1 Then
    While 1
    $sFile = FileFindNextFile($hSearch)
    If @error Then
    SetError(0)
    ExitLoop
    EndIf
    If StringInStr(FileGetAttrib($path & $dFileList[$i] & "\" & $sFile), "D") <> 0 Then ContinueLoop
    $count += 1
    $Files &= $path & $dFileList[$i] & "\" & $sFile & '|'
    WEnd
    FileClose($hSearch)
    EndIf
    _ReFileListToString($path & $dFileList[$i] & '\')
    Next
    EndIf
    Return StringSplit(StringTrimRight($pathall, 1), "|", 2)
    EndFunc ;==>_ReFileListToString

    Func _GUICtrlProgressSetMarquee($h_Progress, $f_Mode = 1, $i_Time = 100)
    Local Const $WM_USER = 0x0400
    Local Const $PBM_SETMARQUEE = ($WM_USER + 10)
    Local $var = GUICtrlSendMsg($h_Progress, $PBM_SETMARQUEE, $f_Mode, Number($i_Time))
    If $var = 0 Then
    SetError(1)
    Return 0
    Else
    SetError(0)
    Return $var
    EndIf
    EndFunc ;==>_GUICtrlProgressSetMarquee

    [/autoit]


    PS: The script is far from finished ;)

  • Have you had a look at my ADAudit script yet (download, see signature)? It presents users/permissions in an Excel table.

  • Well then, have fun with it!