#include-once #include #include #include #Tidy_Parameters= /gd 1 /gds 1 /nsdp #AutoIt3Wrapper_AU3Check_Parameters= -d -w 1 -w 2 -w 3 -w 4 -w 5 -w 6 #AutoIt3Wrapper_AU3Check_Stop_OnWarning=Y ; #INDEX# ======================================================================================================================= ; Title .........: Active Directory Function Library ; AutoIt Version : 3.3.6.0 (because of _Date_Time_SystemTimeToDateTimeStr) ; UDF Version ...: 0.43 ; Language ......: English ; Description ...: A collection of functions for accessing and manipulating Microsoft Active Directory ; ; General functions: ; ================== ; _AD_Open ; _AD_Close ; User related functions (see object related functions as well): ; ============================================================== ; _AD_CreateUser ; _AD_GetUserGroups ; _AD_GetUserPrimaryGroup ; _AD_SetUserPrimaryGroup ; _AD_GetManager ; _AD_IsMemberOf ; _AD_AddUserToGroup ; _AD_RemoveUserFromGroup ; _AD_HasFullRights ; _AD_HasUnlockResetRights ; _AD_HasRequiredRights ; _AD_HasGroupUpdateRights ; _AD_GetLastLoginDate ; _AD_IsPasswordExpired ; _AD_GetPasswordExpired ; _AD_GetPasswordDontExpire ; _AD_SetPassword ; _AD_GetPasswordInfo ; _AD_DisablePasswordExpire ; _AD_EnablePasswordExpire ; _AD_EnablePasswordChange ; _AD_DisablePasswordChange ; _AD_SetAccountExpire ; _AD_AddEmailAddress ; _AD_SetPasswordExpire ; _AD_CreateMailbox ; _AD_DeleteMailbox ; ; Group related functions (see object related functions as well): ; =============================================================== ; _AD_CreateGroup ; _AD_GroupAssignManager ; _AD_GroupRemoveManager ; _AD_GetGroupAdmins ; _AD_GroupManagerCanModify ; _AD_GetManagedBy ; _AD_SetGroupManagerCanModify ; _AD_GetGroupMembers ; _AD_GetGroupMemberOf ; _AD_MailEnableGroup ; ; OU related functions (see object related functions as well): ; ============================================================ ; _AD_GetObjectsInOU ; _AD_GetAllOUs ; _AD_CreateOU ; ; Computer related functions (see object related functions as well): ; ================================================================== ; _AD_CreateComputer ; _AD_JoinDomain ; _AD_UnjoinDomain ; ; Object (user, group, computer, OU) related functions: ; ===================================================== ; _AD_RenameObject ; _AD_MoveObject ; _AD_DeleteObject ; _AD_UnlockObject ; _AD_DisableObject ; _AD_EnableObject ; _AD_GetObjectClass ; _AD_SamAccountNameToFQDN ; _AD_FQDNToSamAccountName ; _AD_FQDNToDisplayname ; _AD_ObjectExists ; _AD_GetObjectAttribute ; _AD_IsObjectDisabled ; _AD_IsObjectLocked ; _AD_GetObjectsDisabled ; _AD_GetObjectsLocked ; _AD_ModifyAttribute ; _AD_GetObjectProperties ; _AD_RecursiveGetMemberOf ; _AD_IsAccountExpired ; _AD_GetAccountsExpired ; ; Mail related functions (see user/group related functions as well): ; ================================================================== ; _AD_ListExchangeServers ; _AD_ListExchangeMailboxStores ; _AD_CreateMailbox ; _AD_DeleteMailbox ; _AD_MailEnableGroup ; ; Other functions: ; ================ ; _AD_ListDomainControllers ; _AD_ListRootDSEAttributes ; _AD_ListRoleOwners ; _AD_GetSystemInfo ; _AD_ListPrintQueues ; _AD_ListSchemaVersions ; _AD_ObjectExistsInSchema ; _AD_GetLastADSIError ; _AD_FixSpecialChars ; _AD_GetADOProperties ; _AD_SetADOProperties ; ; Author ........: Jonathan Clelland ; Email .........: jclelland@statestreet.com ; Modified.......: water ; Contributors ..: feeks, KenE, Sundance, supersonic, Talder ; Resources .....: http://www.wisesoft.co.uk/scripts ; http://gallery.technet.microsoft.com/ScriptCenter/en-us ; http://www.rlmueller.net/ ; http://www.activxperts.com/activmonitor/windowsmanagement/scripts/activedirectory/ ; ; Well known SIDs: http://technet.microsoft.com/en-us/library/cc978401.aspx ; AD Schema: http://msdn.microsoft.com/en-us/library/ms675085(VS.85).aspx ; Win32 error codes: http://msdn.microsoft.com/en-us/library/ms681381(v=VS.85).aspx ; ADSI: http://msdn.microsoft.com/en-us/library/aa772170(v=VS.85).aspx ; LDAP: http://msdn.microsoft.com/en-us/library/aa367008(v=VS.85).aspx ; http://www.petri.co.il/ldap_search_samples_for_windows_2003_and_exchange.htm ; =============================================================================================================================== ; #VARIABLES# =================================================================================================================== Global $iAD_Debug = 0 ; Debug level. 0 = no debug information, 1 = Debug info to console, 2 = Debug info to MsgBox, 3 = Debug Info to File .\AD_Debug.txt Global $oAD_MyError ; COM Error handler Global $iAD_COMError = 0 Global $iAD_COMErrorDec = 0 Global $oAD_Connection Global $sAD_DNSDomain Global $sAD_HostServer Global $sAD_Configuration Global $oAD_OpenDS Global $oAD_RootDSE Global $oAD_Command Global $oAD_Bind ; Reference to hold the bind cache Global $bAD_BindFlags ; Bind flags Global $sAD_UserId = "" Global $sAD_Password = "" ; =============================================================================================================================== ; #CONSTANTS# =================================================================================================================== ; ADS_RIGHTS_ENUM Enumeration. See: http://msdn.microsoft.com/en-us/library/aa772285(VS.85).aspx Global Const $ADS_FULL_RIGHTS = 0xF01FF Global Const $ADS_USER_UNLOCKRESETACCOUNT = 0x100 Global Const $ADS_OBJECT_READWRITE_ALL = 0x30 ; ADS_AUTHENTICATION_ENUM Enumeration. See: http://msdn.microsoft.com/en-us/library/aa772247(VS.85).aspx Global Const $ADS_SECURE_AUTH = 0x1 Global Const $ADS_USE_SSL = 0x2 Global Const $ADS_SERVER_BIND = 0x200 ; ADS_USER_FLAG_ENUM Enumeration. See: http://msdn.microsoft.com/en-us/library/aa772300(VS.85).aspx Global Const $ADS_UF_ACCOUNTDISABLE = 0x2 Global Const $ADS_UF_PASSWD_NOTREQD = 0x20 Global Const $ADS_UF_WORKSTATION_TRUST_ACCOUNT = 0x1000 Global Const $ADS_UF_DONT_EXPIRE_PASSWD = 0x10000 ; ADS_GROUP_TYPE_ENUM Enumeration. See: http://msdn.microsoft.com/en-us/library/aa772263(VS.85).aspx Global Const $ADS_GROUP_TYPE_GLOBAL_GROUP = 0x2 Global Const $ADS_GROUP_TYPE_UNIVERSAL_GROUP = 0x8 Global Const $ADS_GROUP_TYPE_SECURITY_ENABLED = 0x80000000 Global Const $ADS_GROUP_TYPE_GLOBAL_SECURITY = BitOR($ADS_GROUP_TYPE_GLOBAL_GROUP, $ADS_GROUP_TYPE_SECURITY_ENABLED) Global Const $ADS_GROUP_TYPE_UNIVERSAL_SECURITY = BitOR($ADS_GROUP_TYPE_UNIVERSAL_GROUP, $ADS_GROUP_TYPE_SECURITY_ENABLED) ; ADS_ACETYPE_ENUM Enumeration. See: http://msdn.microsoft.com/en-us/library/aa772244(VS.85).aspx Global Const $ADS_ACETYPE_ACCESS_ALLOWED = 0 Global Const $ADS_ACETYPE_ACCESS_DENIED = 0x1 Global Const $ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = 0x5 Global Const $ADS_ACETYPE_ACCESS_DENIED_OBJECT = 0x6 ; ADS_ACEFLAG_ENUM Enumeration. See: http://msdn.microsoft.com/en-us/library/aa772242(VS.85).aspx Global Const $ADS_ACEFLAG_INHERITED_ACE = 0x10 ; Global Const $ADS_FLAGTYPE_ENUM Enumeration. See: http://msdn.microsoft.com/en-us/library/aa772259(VS.85).aspx Global Const $ADS_FLAG_OBJECT_TYPE_PRESENT = 0x1 ; ADS_RIGHTS_ENUM Enumeration. See: http://msdn.microsoft.com/en-us/library/aa772285(VS.85).aspx Global Const $ADS_RIGHT_DS_SELF = 0x8 Global Const $ADS_RIGHT_DS_WRITE_PROP = 0x20 Global Const $ADS_RIGHT_DS_CONTROL_ACCESS = 0x100 Global Const $ADS_RIGHT_GENERIC_READ = 0x80000000 ; GUIDs - LOWER CASE! Global Const $USER_CHANGE_PASSWORD = "{ab721a53-1e2f-11d0-9819-00aa0040529b}" ; See: http://msdn.microsoft.com/en-us/library/cc223637(PROT.13).aspx Global Const $SELF_MEMBERSHIP = "{bf9679c0-0de6-11d0-a285-00aa003049e2}" ; See: http://msdn.microsoft.com/en-us/library/cc223513(PROT.10).aspx Global Const $ALLOWED_TO_AUTHENTICATE = "{68B1D179-0D15-4d4f-AB71-46152E79A7BC}" ; See: http://msdn.microsoft.com/en-us/library/ms684300(VS.85).aspx Global Const $RECEIVE_AS = "{AB721A56-1E2f-11D0-9819-00AA0040529B}" ; See: http://msdn.microsoft.com/en-us/library/ms684402(VS.85).aspx Global Const $SEND_AS = "{AB721A54-1E2f-11D0-9819-00AA0040529B}" ; See: http://msdn.microsoft.com/en-us/library/ms684406(VS.85).aspx Global Const $USER_FORCE_CHANGE_PASSWORD = "{00299570-246D-11D0-A768-00AA006E0529}" ; See: http://msdn.microsoft.com/en-us/library/ms684414(VS.85).aspx Global Const $USER_ACCOUNT_RESTRICTIONS = "{4C164200-20C0-11D0-A768-00AA006E0529}" ; See: http://msdn.microsoft.com/en-us/library/ms684412(VS.85).aspx Global Const $VALIDATED_DNS_HOST_NAME = "{72E39547-7B18-11D1-ADEF-00C04FD8D5CD}" ; See: http://msdn.microsoft.com/en-us/library/ms684331(VS.85).aspx Global Const $VALIDATED_SPN = "{F3A64788-5306-11D1-A9C5-0000F80367C1}" ; See: http://msdn.microsoft.com/en-us/library/ms684417(VS.85).aspx ; =============================================================================================================================== ; #CURRENT# ===================================================================================================================== ;_AD_Open ;_AD_Close ;_AD_SamAccountNameToFQDN ;_AD_FQDNToSamAccountName ;_AD_FQDNToDisplayname ;_AD_ObjectExists ;_AD_GetObjectAttribute ;_AD_IsMemberOf ;_AD_HasFullRights ;_AD_HasUnlockResetRights ;_AD_HasRequiredRights ;_AD_HasGroupUpdateRights ;_AD_GetObjectClass ;_AD_GetUserGroups ;_AD_GetUserPrimaryGroup ;_AD_SetUserPrimaryGroup ;_AD_RecursiveGetMemberOf ;_AD_GetGroupMembers ;_AD_GetGroupMemberOf ;_AD_GetObjectsInOU ;_AD_GetAllOUs ;_AD_ListDomainControllers ;_AD_ListRootDSEAttributes ;_AD_ListRoleOwners ;_AD_GetLastLoginDate ;_AD_IsObjectDisabled ;_AD_IsObjectLocked ;_AD_IsPasswordExpired ;_AD_GetObjectsDisabled ;_AD_GetObjectsLocked ;_AD_GetPasswordExpired ;_AD_GetPasswordDontExpire ;_AD_GetObjectProperties ;_AD_CreateOU ;_AD_CreateUser ;_AD_SetPassword ;_AD_CreateGroup ;_AD_AddUserToGroup ;_AD_RemoveUserFromGroup ;_AD_CreateComputer ;_AD_ModifyAttribute ;_AD_RenameObject ;_AD_MoveObject ;_AD_DeleteObject ;_AD_SetAccountExpire ;_AD_DisablePasswordExpire ;_AD_EnablePasswordExpire ;_AD_EnablePasswordChange ;_AD_DisablePasswordChange ;_AD_UnlockObject ;_AD_DisableObject ;_AD_EnableObject ;_AD_GetPasswordInfo ;_AD_ListExchangeServers ;_AD_ListExchangeMailboxStores ;_AD_GetSystemInfo ;_AD_GetManagedBy ;_AD_GetManager ;_AD_GetGroupAdmins ;_AD_GroupManagerCanModify ;_AD_ListPrintQueues ;_AD_SetGroupManagerCanModify ;_AD_GroupAssignManager ;_AD_GroupRemoveManager ;_AD_AddEmailAddress ;_AD_JoinDomain ;_AD_UnjoinDomain ;_AD_SetPasswordExpire ;_AD_CreateMailbox ;_AD_DeleteMailbox ;_AD_MailEnableGroup ;_AD_IsAccountExpired ;_AD_GetAccountsExpired ;_AD_ListSchemaVersions ;_AD_ObjectExistsInSchema ;_AD_FixSpecialChars ;_AD_GetLastADSIError ;_AD_GetADOProperties ;_AD_SetADOProperties ; =============================================================================================================================== ; #INTERNAL_USE_ONLY#============================================================================================================ ;_AD_Int8ToSec ;_AD_LargeInt2Double ;_AD_ObjGet ;_AD_ErrorHandler ;_AD_ReorderACE ;_AD_GetLastLDAPError ; =============================================================================================================================== ; #FUNCTION# ==================================================================================================================== ; Name...........: _AD_Open ; Description ...: Opens a connection to Active Directory. ; Syntax.........: _AD_Open([$sAD_UserIdParam = "", $sAD_PasswordParam = ""[, $sAD_DNSDomainParam = "", $sAD_HostServerParam = "", $sAD_ConfigurationParam = ""[, $fAD_Security = 0]]]) ; Parameters ....: $sAD_UserIdParam - Optional: UserId credential for authentication. This has to be a valid domain user ; $sAD_PasswordParam - Optional: Password for authentication ; $sAD_DNSDomainParam - Optional: Active Directory domain name if you want to connect to an alternate domain ; $sAD_HostServerParam - Optional: Name of Domain Controller if you want to connect to a different domain ; $sAD_ConfigurationParam - Optional: Configuration naming context if you want to connect to a different domain ; $fAD_Security - Optional: Specifies the security settings to be used. Can be a combination of the following: ; |0: No security settings are used ; |1: Sets the connection property "Encrypt Password" to True to encrypt userid and password ; |2: The channel is encrypted using Secure Sockets Layer (SSL). AD requires that the Certificate Server be installed to support SSL ; Return values .: Success - 1 ; Failure - 0, sets @error to: ; |1 - Installation of the custom error handler failed. @extended returns error code from ObjEvent ; |2 - Creation of the COM object to the AD failed. @extended returns error code from ObjCreate ; |3 - Open the connection to AD failed. @extended returns error code of the COM error handler. ; | Generated if the User doesn't have query / modify access ; |4 - Creation of the RootDSE object failed. @extended returns the error code received by the COM error handler. ; | Generated when connection to the domain isn't successful. @extended returns -2147023541 (0x8007054B) ; |5 - Creation of the DS object failed. @extended returns the error code received by the COM error handler ; |6 - Parameter $sAD_HostServerParam and $sAD_ConfigurationParam are required when $sAD_DNSDomainParam is specified ; |7 - Parameter $sAD_PasswordParam is required when $sAD_UserIdParam is specified ; |8 - OpenDSObject method failed. @extended set to error code received by the COM error handler (decimal). ; | On Windows XP or lower this shows that $sAD_UserIdParam and/or $sAD_PasswordParam are invalid ; |x - For Windows Vista and later: Win32 error code (decimal). To get detailed error information call function _AD_GetLastADSIError ; Author ........: Jonathan Clelland ; Modified.......: water ; Remarks .......: To close the connection to the Active Directory, use the _AD_Close function. ;+ ; _AD_Open will use the alternative credentials $sAD_UserIdParam and $sAD_PasswordParam if passed as parameters. ; $sAD_UserIdParam has to be in one of the following forms (assume the samAccountName = DJ) ; * Windows Login Name e.g. "DJ" ; * NetBIOS Login Name e.g. "\DJ" ; * User Principal Name e.g. "DJ@domain.com" ; All other name formats have NOT been successfully tested (see section "Link"). ;+ ; Connection to an alternate domain (not the domain your computer is a member of) or your computer is not a domain member ; requires $sAD_DNSDomainParam, $sAD_HostServerParam and $sAD_ConfigurationParam as FQDN as well as $sAD_UserIdParam and $sAD_PasswordParam. ; Example: ; $sAD_DNSDomainParam = "DC=subdomain,DC=example,DC=com" ; $sAD_HostServerParam = "servername.subdomain.example.com" ; $sAD_ConfigurationParam = "CN=Configuration,DC=subdomain,DC=example,DC=com" ;+ ; The COM error handler will be initialised if no error handler exists. ; Be aware that some functions will not work correctly because they handle error codes ($iAD_COMError) that are set by the error handler. ;+ ; If you specify $sAD_UserIdParam as NetBIOS Login Name or User Principal Name and the OS is Windows Vista or later then _AD_Open will try to ; verify the userid/password. ; @error will be set to the Win32 error code (decimal). To get detailed error information please call _AD_GetlastADSIError. ; For all other OS or if userid is specified as Windows Login Name @error=8. ; This is OS dependant because Windows XP doesn't return useful error information. ; For Windows Login Name all OS return success even when an error occures. This seems to be caused by secure authentification. ;+ ; $fAD_Security = 2 activates LDAP/SSL. LDAP/SSL uses port 636 by default. ; Note that an SSL server certificate must be configured properly in order to use SSL. ; Related .......: _AD_Close ; Link ..........: http://msdn.microsoft.com/en-us/library/cc223499(PROT.10).aspx (Simple Authentication), http://msdn.microsoft.com/en-us/library/aa746471(VS.85).aspx (ADO) ; Example .......: Yes ; =============================================================================================================================== Func _AD_Open($sAD_UserIdParam = "", $sAD_PasswordParam = "", $sAD_DNSDomainParam = "", $sAD_HostServerParam = "", $sAD_ConfigurationParam = "", $fAD_Security = 0) ; A COM error handler will be initialised only if one does not exist. If ObjEvent("AutoIt.Error") = "" Then $oAD_MyError = ObjEvent("AutoIt.Error", "_AD_ErrorHandler") ; Creates a custom error handler If @error <> 0 Then Return SetError(1, @error, 0) EndIf $iAD_COMError = 0 $oAD_Connection = ObjCreate("ADODB.Connection") ; Creates a COM object to AD If Not IsObj($oAD_Connection) Or @error <> 0 Then Return SetError(2, @error, 0) ; ConnectionString Property (ADO): http://msdn.microsoft.com/en-us/library/ms675810.aspx $oAD_Connection.ConnectionString = "Provider=ADsDSOObject" ; Sets Service providertype If $sAD_UserIdParam <> "" Then If $sAD_PasswordParam = "" Then Return SetError(7, 0, 0) $oAD_Connection.Properties("User ID") = $sAD_UserIdParam ; Authenticate User $oAD_Connection.Properties("Password") = $sAD_PasswordParam ; Authenticate User If BitAND($fAD_Security, 1) = 1 Then $oAD_Connection.Properties("Encrypt Password") = True ; Encrypts userid and password $bAD_BindFlags = $ADS_SERVER_BIND If BitAND($fAD_Security, 2) = 2 Then $bAD_BindFlags = BitOR($bAD_BindFlags, $ADS_USE_SSL) ; If userid is the Windows login name then set the flag for secure authentification If StringInStr($sAD_UserIdParam, "\") = 0 And StringInStr($sAD_UserIdParam, "@") = 0 Then _ $bAD_BindFlags = BitOR($bAD_BindFlags, $ADS_SECURE_AUTH) $oAD_Connection.Properties("ADSI Flag") = $bAD_BindFlags $sAD_UserId = $sAD_UserIdParam $sAD_Password = $sAD_PasswordParam EndIf ; ADO Open Method: http://msdn.microsoft.com/en-us/library/ms676505.aspx $oAD_Connection.Open() ; Open connection to AD If @error <> 0 Then Return SetError(3, @error, 0) ; Connect to another Domain if the Domain parameter is provided If $sAD_DNSDomainParam <> "" Then If $sAD_HostServerParam = "" Or $sAD_ConfigurationParam = "" Then Return SetError(6, 0, 0) $oAD_RootDSE = ObjGet("LDAP://" & $sAD_HostServerParam & "/RootDSE") If Not IsObj($oAD_RootDSE) Or @error <> 0 Then Return SetError(4, @error, 0) $sAD_DNSDomain = $sAD_DNSDomainParam $sAD_HostServer = $sAD_HostServerParam $sAD_Configuration = $sAD_ConfigurationParam Else $oAD_RootDSE = ObjGet("LDAP://RootDSE") If Not IsObj($oAD_RootDSE) Or @error <> 0 Then Return SetError(4, @error, 0) $sAD_DNSDomain = $oAD_RootDSE.Get("defaultNamingContext") ; Retrieve the current AD domain name $sAD_HostServer = $oAD_RootDSE.Get("dnsHostName") ; Retrieve the name of the connected DC $sAD_Configuration = $oAD_RootDSE.Get("ConfigurationNamingContext") ; Retrieve the Configuration naming context $oAD_RootDSE = ObjGet("LDAP://" & $sAD_HostServer & "/RootDSE") ; To guarantee a persistant binding EndIf ; Check userid/password if provided If $sAD_UserIdParam <> "" Then $oAD_OpenDS = ObjGet("LDAP:") If Not IsObj($oAD_OpenDS) Or @error <> 0 Then Return SetError(5, @error, 0) $oAD_Bind = $oAD_OpenDS.OpenDSObject("LDAP://" & $sAD_HostServer, $sAD_UserIdParam, $sAD_PasswordParam, $bAD_BindFlags) If Not IsObj($oAD_Bind) Or @error <> 0 Then ; login error occurred - get extended information Local $sAD_Hive = "HKLM" If @OSArch = "IA64" Or @OSArch = "X64" Then $sAD_Hive = "HKLM64" Local $sAD_OSVersion = RegRead($sAD_Hive & "\SOFTWARE\Microsoft\Windows NT\CurrentVersion", "CurrentVersion") $sAD_OSVersion = StringSplit($sAD_OSVersion, ".") If Int($sAD_OSVersion[1]) >= 6 Then ; Delivers detailed error information for Windows Vista and later if debugging is activated Local $aAD_Errors = _AD_GetLastADSIError() If $aAD_Errors[4] <> 0 Then If $iAD_Debug = 1 Then ConsoleWrite("_AD_Open: " & _ArrayToString($aAD_Errors, @CRLF, 1) & @CRLF) If $iAD_Debug = 2 Then MsgBox(64, "Active Directory Functions - Debug Info - _AD_Open", _ArrayToString($aAD_Errors, @CRLF, 1)) If $iAD_Debug = 3 Then FileWrite("AD_Debug.txt", @YEAR & "." & @MON & "." & @MDAY & " " & @HOUR & ":" & @MIN & ":" & @SEC & " " & @CRLF & _ "-------------------" & @CRLF & "_AD_Open: " & _ArrayToString($aAD_Errors, @CRLF, 1) & @CRLF & _ "========================================================" & @CRLF) Return SetError(Dec($aAD_Errors[4]), 0, 0) EndIf Return SetError(8, $iAD_COMErrorDec, 0) Else Return SetError(8, $iAD_COMErrorDec, 0) EndIf EndIf EndIf ; ADO Command object as global $oAD_Command = ObjCreate("ADODB.Command") $oAD_Command.ActiveConnection = $oAD_Connection $oAD_Command.Properties("Page Size") = 1000 Return 1 EndFunc ;==>_AD_Open ; #FUNCTION# ==================================================================================================================== ; Name...........: _AD_Close ; Description ...: Closes the connection established to Active Directory by _AD_Open. ; Syntax.........: _AD_Close() ; Parameters ....: None ; Return values .: Success - 1 ; Failure - 0, sets @error to: ; |1 - Closing the connection to the AD failed. @extended returns the error code received by the COM error handler ; Author ........: Jonathan Clelland ; Modified.......: water ; Remarks .......: ; Related .......: _AD_Open ; Link ..........: ; Example .......: Yes ; =============================================================================================================================== Func _AD_Close() $oAD_Connection.Close() ; Close Connection ; Reset all Global Variables $iAD_Debug = 0 $oAD_MyError = 0 $iAD_COMError = 0 $iAD_COMErrorDec = 0 $oAD_Connection = 0 $sAD_DNSDomain = "" $sAD_HostServer = "" $sAD_Configuration = "" $oAD_OpenDS = 0 $oAD_RootDSE = 0 $sAD_UserId = "" $sAD_Password = "" If @error <> 0 Then Return SetError(1, @error, 0) ; Error returned by connection close Return 1 EndFunc ;==>_AD_Close ; #FUNCTION# ==================================================================================================================== ; Name...........: _AD_SamAccountNameToFQDN ; Description ...: Returns a Fully Qualified Domain Name (FQDN) from a SamAccountName. ; Syntax.........: _AD_SamAccountNameToFQDN([$sAD_SamAccountName = @UserName]) ; Parameters ....: $sAD_SamAccountName - Optional: Security Accounts Manager (SAM) account name (default = @UserName) ; Return values .: Success - Fully Qualified Domain Name (FQDN) ; Failure - "", sets @error to: ; |1 - No record returned from Active Directory. $sAD_SamAccountName not found ; Author ........: Jonathan Clelland ; Modified.......: water ; Remarks .......: A $ sign must be appended to the computer name to generate the FQDN for a sAMAccountName e.g. @ComputerName & "$". ; The function escapes the following special characters (# and /). Commas in CN= or OU= have to be escaped by you. ; Related .......: _AD_FQDNToSamAccountName ; Link ..........: ; Example .......: Yes ; =============================================================================================================================== Func _AD_SamAccountNameToFQDN($sAD_SamAccountName = @UserName) $oAD_Command.CommandText = ";(sAMAccountName=" & $sAD_SamAccountName & ");distinguishedName;subtree" Local $oAD_RecordSet = $oAD_Command.Execute If Not IsObj($oAD_RecordSet) Or $oAD_RecordSet.RecordCount = 0 Then Return SetError(1, 0, "") Local $sAD_FQDN = $oAD_RecordSet.fields(0).value Return _AD_FixSpecialChars($sAD_FQDN, 0, "/#") EndFunc ;==>_AD_SamAccountNameToFQDN ; #FUNCTION# ==================================================================================================================== ; Name...........: _AD_FQDNToSamAccountName ; Description ...: Returns the SamAccountName of a Fully Qualified Domain Name (FQDN). ; Syntax.........: _AD_FQDNToSamAccountName($sAD_FQDN) ; Parameters ....: $sAD_FQDN - Fully Qualified Domain Name (FQDN) ; Return values .: Success - SamAccountName ; Failure - "", sets @error to: ; |1 - No record returned from Active Directory. $sAD_FQDN not found ; Author ........: Jonathan Clelland ; Modified.......: water ; Remarks .......: You have to escape commas in $sAD_FQDN with a backslash. E.g. "CN=Lastname\, Firstname,OU=..." ; All other special characters (# and /) are escaped by the function. ; Related .......: _AD_SamAccountNameToFQDN, _AD_FQDNToDisplayname ; Link ..........: ; Example .......: Yes ; =============================================================================================================================== Func _AD_FQDNToSamAccountName($sAD_FQDN) $sAD_FQDN = _AD_FixSpecialChars($sAD_FQDN, 0, "/#") ; Escape special characters in the FQDN Local $oAD_Object = _AD_ObjGet("LDAP://" & $sAD_HostServer & "/" & $sAD_FQDN) If Not IsObj($oAD_Object) Or $oAD_Object = 0 Then Return SetError(1, 0, "") Local $sAD_Result = $oAD_Object.sAMAccountName Return $sAD_Result EndFunc ;==>_AD_FQDNToSamAccountName ; #FUNCTION# ==================================================================================================================== ; Name...........: _AD_FQDNToDisplayname ; Description ...: Returns the Display Name of a Fully Qualified Domain Name (FQDN) object. ; Syntax.........: _AD_FQDNToDisplayname($sAD_FQDN) ; Parameters ....: $sAD_FQDN - Fully Qualified Domain Name (FQDN) ; Return values .: Success - Display Name ; Failure - "", sets @error to: ; |1 - No object returned from Active Directory. $sAD_FQDN not found ; Author ........: Jonathan Clelland ; Modified.......: water ; Remarks .......: You must escape commas in $sAD_FQDN with a backslash. E.g. "CN=Lastname\, Firstname,OU=..." ; All other special characters (# and /) are escaped by the function. ; The function removes all escape characters (\) from the returned value. ; Related .......: _AD_FQDNToSamAccountName ; Link ..........: ; Example .......: Yes ; =============================================================================================================================== Func _AD_FQDNToDisplayname($sAD_FQDN) $sAD_FQDN = _AD_FixSpecialChars($sAD_FQDN, 0, "/#") ; Escape special characters in the FQDN Local $oAD_Item = _AD_ObjGet("LDAP://" & $sAD_HostServer & "/" & $sAD_FQDN) If IsObj($oAD_Item) Then Local $sAD_Name = $oAD_Item.name Return _AD_FixSpecialChars(StringTrimLeft($sAD_Name, 3), 1) Else Return SetError(1, 0, "") EndIf EndFunc ;==>_AD_FQDNToDisplayname ; #FUNCTION# ==================================================================================================================== ; Name...........: _AD_ObjectExists ; Description ...: Returns 1 if exactly one object exists for the given property in the local Active Directory Tree. ; Syntax.........: _AD_ObjectExists([$sAD_Object = @UserName[, $sAD_Property = ""]]) ; Parameters ....: $sAD_Object - Optional: Object (user, computer, group, OU) to check (default = @UserName) ; $sAD_Property - Optional: Property to check. If omitted the function tries to determine whether to use sAMAccountname or FQDN ; Return values .: Success - 1, Exactly one object exists for the given property in the local Active Directory Tree ; Failure - 0, sets @error to: ; |1 - No object found for the specified property ; |x - More than one object found for the specified property. x is the number of objects found ; Author ........: Jonathan Clelland ; Modified.......: water ; Remarks .......: Checking on a computer account requires a "$" (dollar) appended to the sAMAccountName. ; To check the existence of an OU use the FQDN of the OU as first parameter because an OU has no SamAccountName. ; Related .......: ; Link ..........: ; Example .......: Yes ; =============================================================================================================================== Func _AD_ObjectExists($sAD_Object = @UserName, $sAD_Property = "") If $sAD_Property = "" Then $sAD_Property = "samAccountName" If StringMid($sAD_Object, 3, 1) = "=" Then $sAD_Property = "distinguishedName" EndIf $oAD_Command.CommandText = ";(" & $sAD_Property & "=" & $sAD_Object & ");ADsPath;subtree" Local $oAD_RecordSet = $oAD_Command.Execute ; Retrieve the ADsPath for the object, if it exists If IsObj($oAD_RecordSet) Then If $oAD_RecordSet.RecordCount = 1 Then Return 1 ElseIf $oAD_RecordSet.RecordCount > 1 Then Return SetError($oAD_RecordSet.RecordCount, 0, 0) Else Return SetError(1, 0, 0) EndIf Else Return SetError(1, 0, 0) EndIf EndFunc ;==>_AD_ObjectExists ; #FUNCTION# ==================================================================================================================== ; Name...........: _AD_GetObjectAttribute ; Description ...: Returns the specified attribute for the named object. ; Syntax.........: _AD_GetObjectAttribute($sAD_Object, $sAD_Attribute) ; Parameters ....: $sAD_Object - sAMAccountName or FQDN of the object the attribute should be retrieved from ; $sAD_Attribute - Attribute to be retrieved ; Return values .: Success - Value for the given attribute ; Failure - "", sets @error to: ; |1 - $sAD_Object does not exist ; |2 - $sAD_Attribute does not exist for $sAD_Object ; Author ........: Jonathan Clelland ; Modified.......: water ; Remarks .......: If the attribute is a single-value the function returns a string otherwise it returns an array. ; To get decrypted attributes (GUID, SID, dates etc.) please see _AD_GetObjectProperties. ; Related .......: _AD_ModifyAttribute, _AD_GetObjectProperties ; Link ..........: ; Example .......: Yes ; =============================================================================================================================== Func _AD_GetObjectAttribute($sAD_Object, $sAD_Attribute) Local $sAD_Property = "sAMAccountName" If StringMid($sAD_Object, 3, 1) = "=" Then $sAD_Property = "distinguishedName" ; FQDN provided If _AD_ObjectExists($sAD_Object, $sAD_Property) = 0 Then Return SetError(1, 0, "") $oAD_Command.CommandText = ";(" & $sAD_Property & "=" & $sAD_Object & ");ADsPath;subtree" Local $oAD_RecordSet = $oAD_Command.Execute ; Retrieve the ADsPath for the object If Not IsObj($oAD_RecordSet) Or $oAD_RecordSet.RecordCount = 0 Then Return SetError(2, 0, "") Local $sAD_LDAPEntry = $oAD_RecordSet.fields(0).value Local $oAD_Object = _AD_ObjGet($sAD_LDAPEntry) ; Retrieve the COM Object for the object Local $sAD_Result = $oAD_Object.Get($sAD_Attribute) $oAD_Object.PurgePropertyList If $iAD_COMError = 3 Then $iAD_COMError = 0 Return SetError(2, 0, "") EndIf If IsArray($sAD_Result) Then _ArrayInsert($sAD_Result, 0, UBound($sAD_Result, 1)) Return $sAD_Result EndFunc ;==>_AD_GetObjectAttribute ; #FUNCTION# ==================================================================================================================== ; Name...........: _AD_IsMemberOf ; Description ...: Returns 1 if the object (user, group, computer) is an immediate member of the group. ; Syntax.........: _AD_IsMemberOf($sAD_Group[, $sAD_Object = @Username[, $fAD_IncludePrimaryGroup = 0]]) ; Parameters ....: $sAD_Group - Group to be checked for membership. Can be specified as sAMAccountName or Fully Qualified Domain Name (FQDN) ; $sAD_Object - Optional: Object type (user, group, computer) to check for membership of $sAD_Group. Can be specified as sAMAccountName or Fully Qualified Domain Name (FQDN) (default = @UserName) ; $fAD_IncludePrimaryGroup - Optional: Additionally checks the primary group for object membership (default = 0) ; Return values .: Success - 1, Specified object (user, group, computer) is a member of the specified group ; Failure - 0, @error set ; |0 - $sAD_Object is not a member of $sAD_Group ; |1 - $sAD_Group does not exist ; |2 - $sAD_Object does not exist ; Author ........: Jonathan Clelland ; Modified.......: water ; Remarks .......: Determines if the object is an immediate member of the group. This function does not verify membership in any nested groups. ; Related .......: _AD_GetUserGroups, _AD_GetUserPrimaryGroup, _AD_RecursiveGetMemberOf ; Link ..........: ; Example .......: Yes ; =============================================================================================================================== Func _AD_IsMemberOf($sAD_Group, $sAD_Object = @UserName, $fAD_IncludePrimaryGroup = False) If _AD_ObjectExists($sAD_Group) = 0 Then Return SetError(1, 0, 0) If _AD_ObjectExists($sAD_Object) = 0 Then Return SetError(2, 0, 0) If StringMid($sAD_Object, 3, 1) <> "=" Then $sAD_Object = _AD_SamAccountNameToFQDN($sAD_Object) ; sAMAccountName provided If StringMid($sAD_Group, 3, 1) <> "=" Then $sAD_Group = _AD_SamAccountNameToFQDN($sAD_Group) ; sAMAccountName provided Local $oAD_Group = _AD_ObjGet("LDAP://" & $sAD_HostServer & "/" & $sAD_Group) Local $iAD_Result = $oAD_Group.IsMember("LDAP://" & $sAD_HostServer & "/" & $sAD_Object) ; Check Primary Group if $sAD_Oject isn't a member of the specified group and the flag is set If $iAD_Result = 0 And $fAD_IncludePrimaryGroup Then $iAD_Result = (_AD_GetUserPrimaryGroup($sAD_Object) = $sAD_Group) ; Abs is necessary to make it work for AutoIt versions < 3.3.2.0 with bug #1068 Return Abs($iAD_Result) EndFunc ;==>_AD_IsMemberOf ; #FUNCTION# ==================================================================================================================== ; Name...........: _AD_HasFullRights ; Description ...: Returns 1 if the given user has full rights over the given group or user. ; Syntax.........: _AD_HasFullRights($sAD_Object[, $sAD_User = @UserName]) ; Parameters ....: $sAD_Object - Group or User to be checked. Can be specified as Fully Qualified Domain Name (FQDN) or sAMAccountName ; $sAD_User - Optional: User to be checked. Can be specified as Fully Qualified Domain Name (FQDN) or SamAccountName (default = @UserName) ; Return values .: Success - 1, Specified user has full rights over the given group or user ; Failure - 0, @error set ; |0 - $sAD_User does not have full rights over $sAD_Object ; |1 - $sAD_User does not exist ; |2 - $sAD_Object does not exist ; Author ........: Jonathan Clelland ; Modified.......: water ; Remarks .......: ; Related .......: _AD_HasUnlockResetRights, _AD_HasRequiredRights, _AD_HasGroupUpdateRights ; Link ..........: http://msdn.microsoft.com/en-us/library/aa772285(VS.85).aspx (ADS_RIGHTS_ENUM Enumeration) ; Example .......: Yes ; =============================================================================================================================== Func _AD_HasFullRights($sAD_Object, $sAD_User = @UserName) If _AD_ObjectExists($sAD_User) = 0 Then Return SetError(1, 0, 0) If _AD_ObjectExists($sAD_Object) = 0 Then Return SetError(2, 0, 0) If StringMid($sAD_Object, 3, 1) <> "=" Then $sAD_Object = _AD_SamAccountNameToFQDN($sAD_Object) ; sAMAccountName provided Local $aAD_MemberOf, $aAD_TrusteeArray, $sAD_TrusteeGroup $aAD_MemberOf = _AD_GetUserGroups($sAD_User, 1) Local $oAD_Object = _AD_ObjGet("LDAP://" & $sAD_HostServer & "/" & $sAD_Object) If IsObj($oAD_Object) Then Local $oAD_Security = $oAD_Object.Get("ntSecurityDescriptor") Local $oAD_DACL = $oAD_Security.DiscretionaryAcl For $oAD_ACE In $oAD_DACL $aAD_TrusteeArray = StringSplit($oAD_ACE.Trustee, "\") $sAD_TrusteeGroup = $aAD_TrusteeArray[$aAD_TrusteeArray[0]] For $iCount1 = 0 To UBound($aAD_MemberOf) - 1 If StringInStr($aAD_MemberOf[$iCount1], "CN=" & $sAD_TrusteeGroup & ",") And _ $oAD_ACE.AccessMask = $ADS_FULL_RIGHTS Then Return 1 Next Next EndIf Return 0 EndFunc ;==>_AD_HasFullRights ; #FUNCTION# ==================================================================================================================== ; Name...........: _AD_HasUnlockResetRights ; Description ...: Returns 1 if the given user has unlock and password reset rights on the object. ; Syntax.........: _AD_HasUnlockResetRights($sAD_Object[, $sAD_User = @UserName]) ; Parameters ....: $sAD_Object - Group or User to be checked. Can be specified as Fully Qualified Domain Name (FQDN) or sAMAccountName ; $sAD_User - Optional: User to be checked. Can be specified as Fully Qualified Domain Name (FQDN) or SamAccountName (default = @UserName) ; Return values .: Success - 1, Specified user has unlock and password reset rights over the given group or user ; Failure - 0, @error set ; |0 - $sAD_User does not have unlock and password reset rights over $sAD_Object ; |1 - $sAD_User does not exist ; |2 - $sAD_Object does not exist ; Author ........: Jonathan Clelland ; Modified.......: water ; Remarks .......: ; Related .......: _AD_HasFullRights, _AD_HasRequiredRights, _AD_HasGroupUpdateRights ; Link ..........: http://msdn.microsoft.com/en-us/library/aa772285(VS.85).aspx (ADS_RIGHTS_ENUM Enumeration) ; Example .......: Yes ; =============================================================================================================================== Func _AD_HasUnlockResetRights($sAD_Object, $sAD_User = @UserName) If _AD_ObjectExists($sAD_User) = 0 Then Return SetError(1, 0, 0) If _AD_ObjectExists($sAD_Object) = 0 Then Return SetError(2, 0, 0) If StringMid($sAD_Object, 3, 1) <> "=" Then $sAD_Object = _AD_SamAccountNameToFQDN($sAD_Object) ; sAMAccountName provided Local $aAD_MemberOf, $aAD_TrusteeArray, $sAD_TrusteeGroup $aAD_MemberOf = _AD_GetUserGroups($sAD_User, 1) Local $oAD_Object = _AD_ObjGet("LDAP://" & $sAD_HostServer & "/" & $sAD_Object) If IsObj($oAD_Object) Then Local $oAD_Security = $oAD_Object.Get("ntSecurityDescriptor") Local $oAD_DACL = $oAD_Security.DiscretionaryAcl For $oAD_ACE In $oAD_DACL $aAD_TrusteeArray = StringSplit($oAD_ACE.Trustee, "\") $sAD_TrusteeGroup = $aAD_TrusteeArray[$aAD_TrusteeArray[0]] For $iCount1 = 0 To UBound($aAD_MemberOf) - 1 If StringInStr($aAD_MemberOf[$iCount1], "CN=" & $sAD_TrusteeGroup & ",") And _ BitAND($oAD_ACE.AccessMask, $ADS_USER_UNLOCKRESETACCOUNT) = $ADS_USER_UNLOCKRESETACCOUNT Then Return 1 Next Next EndIf Return 0 EndFunc ;==>_AD_HasUnlockResetRights ; #FUNCTION# ==================================================================================================================== ; Name...........: _AD_HasRequiredRights ; Description ...: Returns 1 if the given user has the required rights on the object. ; Syntax.........: _AD_HasRequiredRights($sAD_Object[, $iAD_Right = 983551[, $sAD_User = @UserName]]) ; Parameters ....: $sAD_Object - Group or User to be checked. Can be specified as Fully Qualified Domain Name (FQDN) or sAMAccountName ; $sAD_Right - Optional: Access mask constant to be checked (default = 983551 (Full rights)). ; |Full rights is the combination of the following rights: ; |ADS_RIGHT_DELETE = 0x10000 ; |ADS_RIGHT_READ_CONTROL = 0x20000 ; |ADS_RIGHT_WRITE_DAC = 0x40000 ; |ADS_RIGHT_WRITE_OWNER = 0x80000 ; |ADS_RIGHT_DS_CREATE_CHILD = 0x1 ; |ADS_RIGHT_DS_DELETE_CHILD = 0x2 ; |ADS_RIGHT_ACTRL_DS_LIST = 0x4 ; |ADS_RIGHT_DS_SELF = 0x8 ; |ADS_RIGHT_DS_READ_PROP = 0x10 ; |ADS_RIGHT_DS_WRITE_PROP = 0x20 ; |ADS_RIGHT_DS_DELETE_TREE = 0x40 ; |ADS_RIGHT_DS_LIST_OBJECT = 0x80 ; |ADS_RIGHT_DS_CONTROL_ACCESS = 0x100 ; $sAD_User - Optional: User to be checked. Can be specified as Fully Qualified Domain Name (FQDN) or SamAccountName (default = @UserName) ; Return values .: Success - 1, Specified user has the required rights over the given group or user ; Failure - 0, @error set ; |0 - $sAD_User does not have the required rights over $sAD_Object ; |1 - $sAD_User does not exist ; |2 - $sAD_Object does not exist ; Author ........: Jonathan Clelland ; Modified.......: water ; Remarks .......: ; Related .......: _AD_HasFullRights, _AD_HasUnlockResetRights, _AD_HasGroupUpdateRights ; Link ..........: http://msdn.microsoft.com/en-us/library/aa772285(VS.85).aspx (ADS_RIGHTS_ENUM Enumeration) ; Example .......: Yes ; =============================================================================================================================== Func _AD_HasRequiredRights($sAD_Object, $iAD_Right = 983551, $sAD_User = @UserName) If _AD_ObjectExists($sAD_User) = 0 Then Return SetError(1, 0, 0) If _AD_ObjectExists($sAD_Object) = 0 Then Return SetError(2, 0, 0) If StringMid($sAD_Object, 3, 1) <> "=" Then $sAD_Object = _AD_SamAccountNameToFQDN($sAD_Object) ; sAMAccountName provided Local $aAD_MemberOf, $aAD_TrusteeArray, $sAD_TrusteeGroup $aAD_MemberOf = _AD_GetUserGroups($sAD_User, 1) Local $oAD_Object = _AD_ObjGet("LDAP://" & $sAD_HostServer & "/" & $sAD_Object) If IsObj($oAD_Object) Then Local $oAD_Security = $oAD_Object.Get("ntSecurityDescriptor") Local $oAD_DACL = $oAD_Security.DiscretionaryAcl For $oAD_ACE In $oAD_DACL $aAD_TrusteeArray = StringSplit($oAD_ACE.Trustee, "\") $sAD_TrusteeGroup = $aAD_TrusteeArray[$aAD_TrusteeArray[0]] For $iCount1 = 0 To UBound($aAD_MemberOf) - 1 If StringInStr($aAD_MemberOf[$iCount1], "CN=" & $sAD_TrusteeGroup & ",") And _ BitAND($oAD_ACE.AccessMask, $iAD_Right) = $iAD_Right Then Return 1 Next Next EndIf Return 0 EndFunc ;==>_AD_HasRequiredRights ; #FUNCTION# ==================================================================================================================== ; Name...........: _AD_HasGroupUpdateRights ; Description ...: Returns 1 if the given user has rights to update the group membership of the object. ; Syntax.........: _AD_HasGroupUpdateRights($sAD_Object[, $sAD_User = @UserName]) ; Parameters ....: $sAD_Object - Group to be checked. Can be specified as Fully Qualified Domain Name (FQDN) or sAMAccountName ; $sAD_User - Optional: User to be checked. Can be specified as Fully Qualified Domain Name (FQDN) or SamAccountName (default = @UserName) ; Return values .: Success - 1, Specified user has the rights to update the group membership on the given group ; Failure - 0, @error set ; |0 - $sAD_User does not have the rights to update the group membership on $sAD_Object ; |1 - $sAD_User does not exist ; |2 - $sAD_Object does not exist ; Author ........: Jonathan Clelland ; Modified.......: water ; Remarks .......: ; Related .......: _AD_HasFullRights, _AD_HasUnlockResetRights, _AD_HasRequiredRights ; Link ..........: http://msdn.microsoft.com/en-us/library/aa772285(VS.85).aspx (ADS_RIGHTS_ENUM Enumeration) ; Example .......: Yes ; =============================================================================================================================== Func _AD_HasGroupUpdateRights($sAD_Object, $sAD_User = @UserName) If _AD_ObjectExists($sAD_User) = 0 Then Return SetError(1, 0, 0) If _AD_ObjectExists($sAD_Object) = 0 Then Return SetError(2, 0, 0) If StringMid($sAD_Object, 3, 1) <> "=" Then $sAD_Object = _AD_SamAccountNameToFQDN($sAD_Object) ; sAMAccountName provided Local $aAD_MemberOf, $aAD_TrusteeArray, $sAD_TrusteeGroup $aAD_MemberOf = _AD_GetUserGroups($sAD_User, 1) Local $oAD_Object = _AD_ObjGet("LDAP://" & $sAD_HostServer & "/" & $sAD_Object) If IsObj($oAD_Object) Then Local $oAD_Security = $oAD_Object.Get("ntSecurityDescriptor") Local $oAD_DACL = $oAD_Security.DiscretionaryAcl For $oAD_ACE In $oAD_DACL $aAD_TrusteeArray = StringSplit($oAD_ACE.Trustee, "\") $sAD_TrusteeGroup = $aAD_TrusteeArray[$aAD_TrusteeArray[0]] For $iCount1 = 0 To UBound($aAD_MemberOf) - 1 If StringInStr($aAD_MemberOf[$iCount1], "CN=" & $sAD_TrusteeGroup & ",") And _ BitAND($oAD_ACE.AccessMask, $ADS_OBJECT_READWRITE_ALL) = $ADS_OBJECT_READWRITE_ALL Then Return 1 Next Next EndIf Return 0 EndFunc ;==>_AD_HasGroupUpdateRights ; #FUNCTION# ==================================================================================================================== ; Name...........: _AD_GetObjectClass ; Description ...: Returns the main class (also called structural class) of an object ("user", "group" etc.). ; Syntax.........: _AD_GetObjectClass($sAD_Object[, $fAD_All = 0]) ; Parameters ....: $sAD_Object - Object for which the main class should be returned. Can be specified as Fully Qualified Domain Name (FQDN) or sAMAccountName ; $fAD_All - Optional: Returns the main class plus the superior classes from which the main class is deduced hierarchically (default = 0) ; Return values .: Success - Main class of the specified object if $fAD_All = 0 or an zero-based array of the main plus the superior classes if $fAD_All = 1 ; Failure - "", sets @error to: ; |1 - Specified object does not exist ; |2 - The LDAP query returned no record ; Author ........: Jonathan Clelland ; Modified.......: water ; Remarks .......: ; Related .......: ; Link ..........: ; Example .......: Yes ; =============================================================================================================================== Func _AD_GetObjectClass($sAD_Object, $fAD_All = 0) If _AD_ObjectExists($sAD_Object) = 0 Then Return SetError(1, 0, "") Local $sAD_Property = "sAMAccountName" If StringMid($sAD_Object, 3, 1) = "=" Then $sAD_Property = "distinguishedName" ; FQDN provided $oAD_Command.CommandText = ";(" & $sAD_Property & "=" & $sAD_Object & ");ADsPath;subtree" Local $oAD_RecordSet = $oAD_Command.Execute ; Retrieve the ADsPath for the object If Not IsObj($oAD_RecordSet) Then Return SetError(2, 0, "") Local $sAD_LDAPEntry = $oAD_RecordSet.fields(0).value Local $oAD_Object = _AD_ObjGet($sAD_LDAPEntry) ; Retrieve the COM Object for the object If $fAD_All Then Return $oAD_Object.ObjectClass Return $oAD_Object.Class EndFunc ;==>_AD_GetObjectClass ; #FUNCTION# ==================================================================================================================== ; Name...........: _AD_GetUserGroups ; Description ...: Returns an array of group names that the user is immediately a member of. ; Syntax.........: _AD_GetUserGroups([$sAD_User = @UserName[, $fAD_IncludePrimaryGroup = 0]]) ; Parameters ....: $sAD_User - Optional: User for which the group membership is to be returned (default = @Username). Can be specified as Fully Qualified Domain Name (FQDN) or sAMAccountName ; $fAD_IncludePrimaryGroup - Optional: include the primary group to the return list (default = 0) ; Return values .: Success - One-based one dimensional array of group names (FQDN) the user is a member of ; Failure - "", sets @error to: ; |1 - Specified user does not exist ; Author ........: Jonathan Clelland ; Modified.......: water ; Remarks .......: Works for computers or groups as well. ; Related .......: _AD_IsMemberOf, _AD_GetUserPrimaryGroup, _AD_RecursiveGetMemberOf ; Link ..........: ; Example .......: Yes ; =============================================================================================================================== Func _AD_GetUserGroups($sAD_User = @UserName, $fAD_IncludePrimaryGroup = 0) If _AD_ObjectExists($sAD_User) = 0 Then Return SetError(1, 0, "") Local $sAD_Property = "sAMAccountName" If StringMid($sAD_User, 3, 1) = "=" Then $sAD_Property = "distinguishedName" ; FQDN provided $oAD_Command.CommandText = ";(" & $sAD_Property & "=" & $sAD_User & ");ADsPath;subtree" Local $oAD_RecordSet = $oAD_Command.Execute ; Retrieve the FQDN for the logged on user Local $sAD_LDAPEntry = $oAD_RecordSet.fields(0).value Local $oAD_Object = _AD_ObjGet($sAD_LDAPEntry) ; Retrieve the COM Object for the logged on user Local $aAD_Groups = $oAD_Object.GetEx("memberof") If $fAD_IncludePrimaryGroup Then _ArrayAdd($aAD_Groups, _AD_GetUserPrimaryGroup($sAD_User)) _ArrayInsert($aAD_Groups, 0, UBound($aAD_Groups)) Return $aAD_Groups EndFunc ;==>_AD_GetUserGroups ; #FUNCTION# ==================================================================================================================== ; Name...........: _AD_GetUserPrimaryGroup ; Description ...: Returns the primary group the user is assigned to. ; Syntax.........: _AD_GetUserPrimaryGroup([$sAD_User = @UserName]) ; Parameters ....: $sAD_User - Optional: User for which the primary group is to be returned (default = @Username). Can be specified as Fully Qualified Domain Name (FQDN) or sAMAccountName ; Return values .: Success - Primary group (FQDN) the user is assigned to. ; Failure - "", sets @error to: ; |1 - Specified user does not exist ; |2 - A primary group couldn't be found for the specified user ; Author ........: Jonathan Clelland ; Modified.......: water ; Remarks .......: ; Related .......: _AD_IsMemberOf, _AD_GetUserGroups, _AD_RecursiveGetMemberOf, _AD_SetUserPrimaryGroup ; Link ..........: ; Example .......: Yes ; =============================================================================================================================== Func _AD_GetUserPrimaryGroup($sAD_User = @UserName) If _AD_ObjectExists($sAD_User) = 0 Then Return SetError(1, 0, "") Local $sAD_Property = "samAccountName" If StringMid($sAD_User, 3, 1) = "=" Then $sAD_Property = "distinguishedName" $oAD_Command.CommandText = ";(" & $sAD_Property & "=" & $sAD_User & ");ADsPath;subtree" Local $oAD_RecordSet = $oAD_Command.Execute ; Retrieve the FQDN for the logged on user Local $sAD_LDAPEntry = $oAD_RecordSet.fields(0).value Local $oAD_Object = _AD_ObjGet($sAD_LDAPEntry) ; Retrieve the COM Object for the logged on user $oAD_Command.CommandText = ";(objectCategory=group);cn,primaryGroupToken,DistinguishedName;subtree" $oAD_RecordSet = $oAD_Command.Execute While Not $oAD_RecordSet.EOF If $oAD_RecordSet.Fields("primaryGroupToken" ).Value = $oAD_Object.primaryGroupID Then _ Return $oAD_RecordSet.Fields("DistinguishedName" ).Value $oAD_RecordSet.MoveNext WEnd Return SetError(2, 0, "") EndFunc ;==>_AD_GetUserPrimaryGroup ; #FUNCTION# ==================================================================================================================== ; Name...........: _AD_SetUserPrimaryGroup ; Description ...: Sets the users primary group. ; Syntax.........: _AD_SetUserPrimaryGroup($sAD_User, $sAD_Group) ; Parameters ....: $sAD_User - User for which the primary group is to be set. Can be specified as Fully Qualified Domain Name (FQDN) or sAMAccountName ; $sAD_Group - Group to be set as the primary group for the specified user. Can be specified as Fully Qualified Domain Name (FQDN) or sAMAccountName ; Return values .: Success - 1 ; Failure - 0, sets @error to: ; |1 - $sAD_User does not exist ; |2 - $sAD_Group does not exist ; |3 - $sAD_User must be a member of $sAD_Group ; |x - Error returned by SetInfo function (Missing permission etc.) ; Author ........: Tim Alderweireldt ; Modified.......: ; Remarks .......: ; Related .......: _AD_AddUserToGroup, _AD_GetUserPrimaryGroup ; Link ..........: ; Example .......: Yes ; =============================================================================================================================== Func _AD_SetUserPrimaryGroup($sAD_User, $sAD_Group) If Not _AD_ObjectExists($sAD_User) Then Return SetError(1, 0, 0) If Not _AD_ObjectExists($sAD_Group) Then Return SetError(2, 0, 0) If Not _AD_IsMemberOf($sAD_Group, $sAD_User) Then Return SetError(3, 0, 0) If StringMid($sAD_Group, 3, 1) <> "=" Then $sAD_Group = _AD_SamAccountNameToFQDN($sAD_Group) ; sAMACccountName provided If StringMid($sAD_User, 3, 1) <> "=" Then $sAD_User = _AD_SamAccountNameToFQDN($sAD_User) ; sAMACccountName provided Local $oAD_User = _AD_ObjGet("LDAP://" & $sAD_HostServer & "/" & $sAD_User) ; Retrieve the COM Object for the user Local $oAD_Group = _AD_ObjGet("LDAP://" & $sAD_HostServer & "/" & $sAD_Group) ; Retrieve the COM Object for the group $oAD_Group.GetInfoEx(_ArrayCreate("primaryGroupToken"), 0) $oAD_User.primaryGroupID = $oAD_Group.primaryGroupToken $oAD_User.SetInfo() If @error <> 0 Then Return SetError(@error, 0, 0) Return 1 EndFunc ;==>_AD_SetUserPrimaryGroup ; #FUNCTION# ==================================================================================================================== ; Name...........: _AD_RecursiveGetMemberOf ; Description ...: Takes a group, user or computer and recursively returns a list of groups the object is a member of. ; Syntax.........: _AD_RecursiveGetMemberOf($sAD_Object[, $iAD_Depth = 10[, $fAD_ListInherited = TRUE[, $fAD_FQDN = TRUE]]]) ; Parameters ....: $sAD_Object - User, group or computer for which the group membership is to be returned. Can be specified as Fully Qualified Domain Name (FQDN) or sAMAccountName ; $iAD_Depth - Optional: Maximum depth of recursion (default = 10) ; $fAD_ListInherited - Optional: Defines if the function returns the group(s) it was inherited from (default = TRUE) ; $fAD_FQDN - Optional: Specifies the attribute to be returned. TRUE = distinguishedName (FQDN), FALSE = SamAccountName (default = TRUE) ; Return values .: Success - One-based one dimensional array of group names (FQDN or sAMAccountName) the user or group is a member of ; Failure - "", sets @error to: ; |1 - Specified user, group or computer does not exist ; Author ........: Jonathan Clelland ; Modified.......: water ; Remarks .......: This function traverses the groups that the object is immediately a member of while also checking its group membership. ; For groups that are inherited, the return is the FQDN or sAMAccountname of the group, user or computer, and the FQDN(s) or sAMAccountname(s) of the group(s) it ; was inherited from, seperated by '|'(s) if flag $fAD_ListInherited is set to TRUE. ;+ ; If flag $fAD_ListInherited is set to FALSE then the group names are sorted and only unique groups are returned. ; Related .......: _AD_IsMemberOf, _AD_GetUserGroups, _AD_GetUserPrimaryGroup ; Link ..........: ; Example .......: Yes ; =============================================================================================================================== Func _AD_RecursiveGetMemberOf($sAD_Object, $iAD_Depth = 10, $fAD_ListInherited = True, $fAD_FQDN = True) If _AD_ObjectExists($sAD_Object) = 0 Then Return SetError(1, 0, "") If StringMid($sAD_Object, 3, 1) <> "=" Then $sAD_Object = _AD_SamAccountNameToFQDN($sAD_Object) ; sAMAccountName provided Local $iCount1, $iCount2 Local $sAD_Field = "distinguishedName" If Not $fAD_FQDN Then $sAD_Field = "samaccountname" $oAD_Command.CommandText = ";(member=" & $sAD_Object & ");" & $sAD_Field & ";subtree" Local $oAD_RecordSet = $oAD_Command.Execute Local $aAD_Groups[$oAD_RecordSet.RecordCount + 1] = [0] If $oAD_RecordSet.RecordCount = 0 Then Return $aAD_Groups $oAD_RecordSet.MoveFirst $iCount1 = 1 Local $aAD_TempMemberOf[1] Do $aAD_Groups[$iCount1] = $oAD_RecordSet.Fields(0).Value $aAD_TempMemberOf = _AD_RecursiveGetMemberOf($aAD_Groups[$iCount1], $iAD_Depth - 1, $fAD_ListInherited, $fAD_FQDN) If $fAD_ListInherited Then For $iCount2 = 1 To $aAD_TempMemberOf[0] $aAD_TempMemberOf[$iCount2] &= "|" & $aAD_Groups[$iCount1] Next EndIf _ArrayDelete($aAD_TempMemberOf, 0) _ArrayConcatenate($aAD_Groups, $aAD_TempMemberOf) $iCount1 += 1 $oAD_RecordSet.MoveNext Until $oAD_RecordSet.EOF $oAD_RecordSet.Close If $fAD_ListInherited = False Then _ArraySort($aAD_Groups, 0, 1) $aAD_Groups = _ArrayUnique($aAD_Groups, 1, 1) EndIf $aAD_Groups[0] = UBound($aAD_Groups) - 1 Return $aAD_Groups EndFunc ;==>_AD_RecursiveGetMemberOf ; #FUNCTION# ==================================================================================================================== ; Name...........: _AD_GetGroupMembers ; Description ...: Returns an array of group members. ; Syntax.........: _AD_GetGroupMembers($sAD_FQDN) ; Parameters ....: $sAD_Group - Group to retrieve members from. Can be specified as Fully Qualified Domain Name (FQDN) or sAMAccountName ; Return values .: Success - One-based one dimensional array of names (FQDN) that are members of the specified group ; Failure - "", sets @error to: ; |1 - Specified group does not exist ; Author ........: Jonathan Clelland ; Modified.......: water ; Remarks .......: If the group has no members, _AD_GetGroupMembers returns an array with one element (row count) set to 0 ; Related .......: _AD_GetGroupMemberOf ; Link ..........: ; Example .......: Yes ; =============================================================================================================================== Func _AD_GetGroupMembers($sAD_Group) If _AD_ObjectExists($sAD_Group) = 0 Then Return SetError(1, 0, "") If StringMid($sAD_Group, 3, 1) <> "=" Then $sAD_Group = _AD_SamAccountNameToFQDN($sAD_Group) ; sAMAccountName provided Local $sAD_Range, $iAD_RangeModifier, $oAD_RecordSet Local $aAD_Members[1] Local $iCount1 = 0 Local $aAD_Membersadd While 1 $iAD_RangeModifier = $iCount1 * 1000 $sAD_Range = "Range=" & $iAD_RangeModifier & "-" & $iAD_RangeModifier + 999 $oAD_Command.CommandText = ";;member;" & $sAD_Range & ";base" $oAD_RecordSet = $oAD_Command.Execute $aAD_Membersadd = $oAD_RecordSet.fields(0).Value If $aAD_Membersadd = 0 Then ExitLoop ReDim $aAD_Members[UBound($aAD_Members) + 1000] For $iCount2 = $iAD_RangeModifier + 1 To $iAD_RangeModifier + 1000 $aAD_Members[$iCount2] = $aAD_Membersadd[$iCount2 - $iAD_RangeModifier - 1] Next $iCount1 += 1 $oAD_RecordSet.Close $oAD_RecordSet = 0 WEnd $iAD_RangeModifier = $iCount1 * 1000 $sAD_Range = "Range=" & $iAD_RangeModifier & "-*" $oAD_Command.CommandText = ";;member;" & $sAD_Range & ";base" $oAD_RecordSet = $oAD_Command.Execute $aAD_Membersadd = $oAD_RecordSet.fields(0).Value ReDim $aAD_Members[UBound($aAD_Members) + UBound($aAD_Membersadd)] For $iCount2 = $iAD_RangeModifier + 1 To $iAD_RangeModifier + UBound($aAD_Membersadd) $aAD_Members[$iCount2] = $aAD_Membersadd[$iCount2 - $iAD_RangeModifier - 1] Next $oAD_RecordSet.Close $aAD_Members[0] = UBound($aAD_Members) - 1 Return $aAD_Members EndFunc ;==>_AD_GetGroupMembers ; #FUNCTION# ==================================================================================================================== ; Name...........: _AD_GetGroupMemberOf ; Description ...: Returns an array of group membership. ; Syntax.........: _AD_GetGroupMemberOf($sAD_Group) ; Parameters ....: $sAD_Group - Group for which membership in other groups is to be retrieved. Can be specified as Fully Qualified Domain Name (FQDN) or sAMAccountName ; Return values .: Success - One-based one dimensional array of group names (FQDN) that the specified group is a member of ; Failure - "", sets @error to: ; |1 - Specified group does not exist ; Author ........: Jonathan Clelland ; Modified.......: water ; Remarks .......: ; Related .......: _AD_GetGroupMembers ; Link ..........: ; Example .......: Yes ; =============================================================================================================================== Func _AD_GetGroupMemberOf($sAD_Group) If _AD_ObjectExists($sAD_Group) = 0 Then Return SetError(1, 0, "") If StringMid($sAD_Group, 3, 1) <> "=" Then $sAD_Group = _AD_SamAccountNameToFQDN($sAD_Group) ; sAMAccountName provided Local $iAD_RangeModifier, $sAD_Range, $oAD_RecordSet, $aAD_Membersadd Local $aAD_MemberOf[1] Local $iCount1 = 0 While 1 $iAD_RangeModifier = $iCount1 * 1000 $sAD_Range = "Range=" & $iAD_RangeModifier & "-" & $iAD_RangeModifier + 999 $oAD_Command.CommandText = ";;memberof;" & $sAD_Range & ";base" $oAD_RecordSet = $oAD_Command.Execute $aAD_Membersadd = $oAD_RecordSet.fields(0).Value If $aAD_Membersadd = 0 Then ExitLoop ReDim $aAD_MemberOf[UBound($aAD_MemberOf) + 1000] For $iCount2 = $iAD_RangeModifier + 1 To $iAD_RangeModifier + 1000 $aAD_MemberOf[$iCount2] = $aAD_Membersadd[$iCount2 - $iAD_RangeModifier - 1] Next $iCount1 += 1 $oAD_RecordSet.Close WEnd $iAD_RangeModifier = $iCount1 * 1000 $sAD_Range = "Range=" & $iAD_RangeModifier & "-*" $oAD_Command.CommandText = ";;memberof;" & $sAD_Range & ";base" $oAD_RecordSet = $oAD_Command.Execute $aAD_Membersadd = $oAD_RecordSet.fields(0).Value ReDim $aAD_MemberOf[UBound($aAD_MemberOf) + UBound($aAD_Membersadd)] For $iCount2 = $iAD_RangeModifier + 1 To $iAD_RangeModifier + UBound($aAD_Membersadd) $aAD_MemberOf[$iCount2] = $aAD_Membersadd[$iCount2 - $iAD_RangeModifier - 1] Next $oAD_RecordSet.Close $aAD_MemberOf[0] = UBound($aAD_MemberOf) - 1 Return $aAD_MemberOf EndFunc ;==>_AD_GetGroupMemberOf ; #FUNCTION# ==================================================================================================================== ; Name...........: _AD_GetObjectsInOU ; Description ...: Returns a filtered array of objects and attributes for a given OU or just the number of records if $fAD_COunt is True. ; Syntax.........: _AD_GetObjectsInOU($sAD_OU[, $sAD_Filter = "(name=*)"[, $iAD_SearchScope = 2[, $sAD_DataToRetrieve = "sAMAccountName"[, $sAD_SortBy = "sAMAccountName"[, $fAD_Count = False]]]]]) ; Parameters ....: $sAD_OU - The OU to retrieve from (FQDN) (default = "", equals "search the whole AD tree") ; $sAD_Filter - Optional: An additional LDAP filter if required (default = "(name=*)") ; $iAD_SearchScope - Optional: 0 = base, 1 = one-level, 2 = sub-tree (default) ; $sAD_DataToRetrieve - Optional: A comma-seperated list of attributes to retrieve (default = "sAMAccountName"). ; |More than one attribute will create a 2-dimensional array ; $sAD_SortBy - Optional: name of the attribute the resulting array will be sorted upon (default = "sAMAccountName"). ; |To completely suppress sorting (even the default sort) set this parameter to "". This improves performance when doing large queries ; $fAD_Count - Optional: If set to True only returns the number of records returned by the query (default = False") ; Return values .: Success - One or two dimensional array of objects and attributes in the given OU. First entry is for the given OU itself ; Failure - "", sets @error to: ; |1 - Specified OU does not exist ; |2 - No records returned from Active Directory. $sAD_DataToRetrieve is invalid (attribute may not exist) ; |3 - No records returned from Active Directory. $sAD_Filter didn't return a record ; Author ........: Jonathan Clelland ; Modified.......: water ; Remarks .......: Multi-value attributes are returned as string with the pipe character (|) as separator. ;+ ; The default filter returns an array including one record for the OU itself. To exclude the OU use a different filter that doesn't include the OU ; e.g. "(&(objectcategory=person)(objectclass=user)(name=*))" ;+ ; To make sure that all properties you specify in $sAD_DataToRetrieve exist in the AD you can use _AD_ObjectExistsInSchema. ;+ ; The following examples illustrate the use of the escaping mechanism in the LDAP filter: ; (o=Parens R Us \28for all your parenthetical needs\29) ; (cn=*\2A*) ; (filename=C:\5cMyFile) ; (bin=\00\00\00\04) ; (sn=Lu\c4\8di\c4\87) ; The first example shows the use of the escaping mechanism to represent parenthesis characters. ; The second shows how to represent a "*" in a value, preventing it from being interpreted as a substring indicator. ; The third illustrates the escaping of the backslash character. ; The fourth example shows a filter searching for the four-byte value 0x00000004, illustrating the use of the escaping mechanism to ; represent arbitrary data, including NUL characters. ; The final example illustrates the use of the escaping mechanism to represent various non-ASCII UTF-8 characters. ; Related .......: _AD_GetAllOUs ; Link ..........: ; Example .......: Yes ; =============================================================================================================================== Func _AD_GetObjectsInOU($sAD_OU = "", $sAD_Filter = "(name=*)", $iAD_SearchScope = 2, $sAD_DataToRetrieve = "sAMAccountName", $sAD_SortBy = "sAMAccountName", $fAD_Count = False) If $sAD_OU = "" Then $sAD_OU = $sAD_DNSDomain Else If _AD_ObjectExists($sAD_OU, "distinguishedName") = 0 Then Return SetError(1, 0, "") EndIf Local $iCount2, $aAD_DataToRetrieve, $aTemp $sAD_DataToRetrieve = StringStripWS($sAD_DataToRetrieve, 8) $oAD_Command.Properties("Searchscope") = $iAD_SearchScope $oAD_Command.CommandText = ";" & $sAD_Filter & ";" & $sAD_DataToRetrieve $oAD_Command.Properties("Sort On") = $sAD_SortBy Local $oAD_RecordSet = $oAD_Command.Execute If Not IsObj($oAD_RecordSet) Then Return SetError(2, 0, "") Local $iCount1 = $oAD_RecordSet.RecordCount If $iCount1 = 0 Then Return SetError(3, 0, "") If $fAD_Count Then Return $oAD_RecordSet.RecordCount If StringInStr($sAD_DataToRetrieve, ",") Then $aAD_DataToRetrieve = StringSplit($sAD_DataToRetrieve, ",") Local $aAD_Objects[$iCount1 + 1][$aAD_DataToRetrieve[0]] $aAD_Objects[0][0] = $iCount1 $aAD_Objects[0][1] = $aAD_DataToRetrieve[0] $iCount2 = 1 $oAD_RecordSet.MoveFirst Do For $iCount1 = 1 To $aAD_DataToRetrieve[0] If IsArray($oAD_RecordSet.Fields($aAD_DataToRetrieve[$iCount1] ).Value) Then $aTemp = $oAD_RecordSet.Fields($aAD_DataToRetrieve[$iCount1] ).Value $aAD_Objects[$iCount2][$iCount1 - 1] = _ArrayToString($aTemp) Else $aAD_Objects[$iCount2][$iCount1 - 1] = $oAD_RecordSet.Fields($aAD_DataToRetrieve[$iCount1] ).Value EndIf Next $oAD_RecordSet.MoveNext $iCount2 += 1 Until $oAD_RecordSet.EOF Else Local $aAD_Objects[$iCount1 + 1] $aAD_Objects[0] = UBound($aAD_Objects) - 1 $iCount2 = 1 $oAD_RecordSet.MoveFirst Do If IsArray($oAD_RecordSet.Fields($sAD_DataToRetrieve).Value) Then $aTemp = $oAD_RecordSet.Fields($sAD_DataToRetrieve).Value $aAD_Objects[$iCount2] = _ArrayToString($aTemp) Else $aAD_Objects[$iCount2] = $oAD_RecordSet.Fields($sAD_DataToRetrieve).Value EndIf $oAD_RecordSet.MoveNext $iCount2 += 1 Until $oAD_RecordSet.EOF EndIf $oAD_Command.Properties("Sort On") = "" ; Reset sort property Return $aAD_Objects EndFunc ;==>_AD_GetObjectsInOU ; #FUNCTION# ==================================================================================================================== ; Name...........: _AD_GetAllOUs ; Description ...: Retrieves an array of OUs. The paths are separated by the '\' character. ; Syntax.........: _AD_GetAllOUs([$sAD_Root = ""[, $sAD_Separator = "\"]]) ; Parameters ....: $sAD_Root - Optional: OU (FQDN) where to start in the AD tree (default = "", equals "start at the AD root") ; $sAD_Separator - Optional: Single character to separate the OU names (default = "\") ; Return values .: Success - One-based two dimensional array of OUs starting with the given OU. The paths are separated by "\" ; |1 - ... \name of grandfather OU\name of father OU\name of son OU ; |2 - Distinguished Name (FQDN) of the son OU ; Failure - "", sets @error to: ; |1 - No OUs found ; |2 - Specified $sAD_Root does not exist ; Author ........: Jonathan Clelland ; Modified.......: water ; Remarks .......: ; Related .......: _AD_GetObjectsInOU ; Link ..........: ; Example .......: Yes ; =============================================================================================================================== Func _AD_GetAllOUs($sAD_Root = "", $sAD_Separator = "\") If $sAD_Root = "" Then $sAD_Root = $sAD_DNSDomain Else If _AD_ObjectExists($sAD_Root, "distinguishedName") = 0 Then Return SetError(2, 0, "") EndIf If $sAD_Separator <= " " Or StringLen($sAD_Separator) > 1 Then $sAD_Separator = "\" $oAD_Command.CommandText = ";" & "(objectCategory=organizationalUnit)" & ";distinguishedName;subtree" Local $oAD_RecordSet = $oAD_Command.Execute Local $iCount1 = $oAD_RecordSet.RecordCount If $iCount1 = 0 Then Return SetError(1, 0, "") Local $aAD_OUs[$iCount1 + 1][2] Local $iCount2 = 1, $aAD_TempOU $oAD_RecordSet.MoveFirst Do $aAD_OUs[$iCount2][1] = $oAD_RecordSet.Fields("distinguishedName" ).Value $aAD_OUs[$iCount2][0] = "," & StringTrimRight($aAD_OUs[$iCount2][1], StringLen($sAD_DNSDomain) + 1) $aAD_TempOU = StringSplit($aAD_OUs[$iCount2][0], ",OU=", 1) _ArrayReverse($aAD_TempOU) $aAD_OUs[$iCount2][0] = StringTrimRight(_ArrayToString($aAD_TempOU, $sAD_Separator), 3) $iCount2 += 1 $oAD_RecordSet.MoveNext Until $oAD_RecordSet.EOF _ArraySort($aAD_OUs) $aAD_OUs[0][0] = UBound($aAD_OUs, 1) - 1 $aAD_OUs[0][1] = 2 Return $aAD_OUs EndFunc ;==>_AD_GetAllOUs ; #FUNCTION# ==================================================================================================================== ; Name...........: _AD_ListDomainControllers ; Description ...: Enumerates all Domain Controllers, their distinguished name, their DNS host name, and the name of the site they reside in. ; Syntax.........: _AD_ListDomainControllers([$fAD_ListRO = FALSE]) ; Parameters ....: $fAD_ListRO - Optional: If set to TRUE only returns RODC (read only domain controllers). Default = FALSE ; Return values .: Success - One-based two dimensional array with the following information: ; |1 - Domain Controller: Name ; |2 - Domain Controller: Distinguished Name (FQDN) ; |3 - Domain Controller: DNS host name ; |4 - Site: Name ; |5 - Site: Distinguished Name (FQDN) ; |6 - Site: List of subnets that can connect to the site using this DC in the format x.x.x.x/mask - multiple subnets are separated by comma ; Failure - "", sets @error to: ; |1 - No Domain Controllers found ; Author ........: Richard L. Mueller ; Modified.......: water ; Remarks .......: This function only lists writeable DCs (default). To list RODC (read only DCs) use parameter $fAD_ListRO ; Related .......: ; Link ..........: http://www.rlmueller.net/Enumerate%20DCs.htm ; Example .......: Yes ; =============================================================================================================================== Func _AD_ListDomainControllers($fAD_ListRO = False) Local $oAD_DC, $oAD_Site, $oAD_Result $oAD_Command.CommandText = ";(objectClass=nTDSDSA);ADsPath;subtree" If $fAD_ListRO Then $oAD_Command.CommandText = ";(objectClass=nTDSDSARO);ADsPath;subtree" Local $oAD_RecordSet = $oAD_Command.Execute If Not IsObj($oAD_RecordSet) Or $oAD_RecordSet.RecordCount = 0 Then Return SetError(1, 0, "") ; The parent object of each object with objectClass=nTDSDSA is a Domain ; Controller. The parent of each Domain Controller is a "Servers" ; container, and the parent of this container is the "Site" container. $oAD_RecordSet.MoveFirst Local $aAD_Result[1][6], $iCount1 = 1, $aAD_SubNet, $aAD_Temp, $sAD_Temp Do ReDim $aAD_Result[$iCount1 + 1][6] $oAD_Result = _AD_ObjGet($oAD_RecordSet.Fields("AdsPath" ).Value) $oAD_DC = _AD_ObjGet($oAD_Result.Parent) $aAD_Result[$iCount1][0] = $oAD_DC.Get("Name") $aAD_Result[$iCount1][1] = $oAD_DC.serverReference $aAD_Result[$iCount1][2] = $oAD_DC.DNSHostName $oAD_Result = _AD_ObjGet($oAD_DC.Parent) $oAD_Site = _AD_ObjGet($oAD_Result.Parent) $aAD_Result[$iCount1][3] = StringMid($oAD_Site.Name, 4) $aAD_Result[$iCount1][4] = $oAD_Site.distinguishedName $aAD_SubNet = $oAD_Site.GetEx("siteObjectBL") For $iCount2 = 0 To UBound($aAD_SubNet) - 1 $aAD_Temp = StringSplit($aAD_SubNet[$iCount2], ",") $sAD_Temp = StringMid($aAD_Temp[1], 4) If $iCount2 = 0 Then $aAD_Result[$iCount1][5] = $sAD_Temp Else $aAD_Result[$iCount1][5] = $aAD_Result[$iCount1][5] & "," & $sAD_Temp EndIf Next $oAD_RecordSet.MoveNext $iCount1 += 1 Until $oAD_RecordSet.EOF $oAD_RecordSet.Close $aAD_Result[0][0] = UBound($aAD_Result, 1) - 1 $aAD_Result[0][1] = UBound($aAD_Result, 2) Return $aAD_Result EndFunc ;==>_AD_ListDomainControllers ; #FUNCTION# ==================================================================================================================== ; Name...........: _AD_ListRootDSEAttributes ; Description ...: Returns a one-based array of the RootDSE Atributes. ; Syntax.........: _AD_ListRootDSEAttributes() ; Parameters ....: ; Return values .: Success - One dimensional array of the following RootDSE attributes. Multi-valued attributes are as multiple lines. ; |1 - configurationNamingContext: Specifies the distinguished name for the configuration container. ; |2 - currentTime: Specifies the current time set on this directory server in Coordinated Universal Time format. ; |3 - defaultNamingContext: Specifies the distinguished name of the domain that this directory server is a member. ; |4 - dnsHostName: Specifies the DNS address for this directory server. ; |5 - domainControllerFunctionality: Specifies the functional level of this domain controller. Values can be: ; 0 - Windows 2000 Mode ; 2 - Windows Server 2003 Mode ; 3 - Windows Server 2008 Mode ; 4 - Windows Server 2008 R2 Mode ; |6 - domainFunctionality: Specifies the functional level of the domain. Values can be: ; 0 - Windows 2000 Domain Mode ; 1 - Windows Server 2003 Interim Domain Mode ; 2 - Windows Server 2003 Domain Mode ; 3 - Windows Server 2008 Domain Mode ; 4 - Windows Server 2008 R2 Domain Mode ; |7 - dsServiceName: Specifies the distinguished name of the NTDS settings object for this directory server. ; |8 - forestFunctionality: Specifies the functional level of the forest. Values can be: ; 0 - Windows 2000 Forest Mode ; 1 - Windows Server 2003 Interim Forest Mode ; 2 - Windows Server 2003 Forest Mode ; 3 - Windows Server 2008 Forest Mode ; 4 - Windows Server 2008 R2 Forest Mode ; |9 - highestCommittedUSN: Specifies the highest update sequence number (USN) on this directory server. Used by directory replication. ; |10 - isGlobalCatalogReady: Specifies Global Catalog operational status. Values can be either "TRUE" or "FALSE". ; |11 - isSynchronized: Specifies directory server synchronisation status. Values can be either "TRUE" or "FALSE". ; |12 - LDAPServiceName: Specifies the Service Principal Name (SPN) for the LDAP server. Used for mutual authentication. ; |13 - namingContexts: A multi-valued attribute that specifies the distinguished names for all naming contexts stored on this directory server. ; +By default, a Windows 2000 domain controller has at least three naming contexts: Schema, Configuration, and the domain which the server is a member of. ; |14 - rootDomainNamingContext: Specifies the distinguished name for the first domain in the forest that this directory server is a member of. ; |15 - schemaNamingContext: Specifies the distinguished name for the schema container. ; |16 - serverName: Specifies the distinguished name of the server object for this directory server in the configuration container. ; |17 - subschemaSubentry: Specifies the distinguished name for the subSchema object. The subSchema object specifies properties that expose the supported attributes ; +(in the attributeTypes property) and classes (in the objectClasses property). ; |18 - supportedCapabilities: multi-valued attribute that specifies the capabilities supported by this directory server. ; |19 - supportedControl: A multi-valued attribute that specifies the extension control OIDs supported by this directory server. ; |20 - supportedLDAPPolicies: A multi-valued attribute that specifies the names of the supported LDAP management policies. ; |21 - supportedLDAPVersion: A multi-valued attribute that specifies the LDAP versions (specified by major version number) supported by this directory server. ; |22 - supportedSASLMechanisms: Specifies the security mechanisms supported for SASL negotiation (see LDAP RFCs). By default, GSSAPI is supported. ; Author ........: water ; Modified.......: ; Remarks .......: In LDAP 3.0, rootDSE is defined as the root of the directory data tree on a directory server. ; The rootDSE is not part of any namespace. The purpose of the rootDSE is to provide data about the directory server. ; Related .......: ; Link ..........: http://msdn.microsoft.com/en-us/library/cc223254(v=PROT.13).aspx ; Example .......: Yes ; =============================================================================================================================== Func _AD_ListRootDSEAttributes() Return _AD_GetObjectProperties($oAD_RootDSE) EndFunc ;==>_AD_ListRootDSEAttributes ; #FUNCTION# ==================================================================================================================== ; Name...........: _AD_ListRoleOwners ; Description ...: Returns a one-based array of FSMO (Flexible Single Master Operation) Role Owners. ; Syntax.........: _AD_ListRoleOwners() ; Parameters ....: ; Return values .: Success - One dimensional array of FSMO Role Owners. The array contains: ; |1 - Domain PDC FSMO ; |2 - Domain Rid FSMO ; |3 - Domain Infrastructure FSMO ; |4 - Forest-wide Schema FSMO ; |5 - Forest-wide Domain naming FSMO ; Author ........: water ; Modified.......: ; Remarks .......: ; Related .......: ; Link ..........: http://www.tools4net.de/doc/ad2.htm ; Example .......: Yes ; =============================================================================================================================== Func _AD_ListRoleOwners() Local $aAD_Roles[6] ; PDC FSMO $oAD_Command.CommandText = ";(&(objectClass=domainDNS)(fSMORoleOwner=*));adsPath;subtree" Local $oAD_RecordSet = $oAD_Command.Execute Local $oAD_FSM = ObjGet($oAD_RecordSet.fields(0).value) Local $oAD_CompNTDS = ObjGet("LDAP://" & $sAD_HostServer & "/" & $oAD_FSM.FSMORoleOwner) Local $oAD_Comp = ObjGet($oAD_CompNTDS.Parent) $aAD_Roles[1] = $oAD_Comp.dnsHostname ; Rid FSMO $oAD_Command.CommandText = ";(&(objectClass=rIDManager) (fSMORoleOwner=*));adsPath;subtree" $oAD_RecordSet = $oAD_Command.Execute $oAD_FSM = ObjGet($oAD_RecordSet.fields(0).value) $oAD_CompNTDS = ObjGet("LDAP://" & $sAD_HostServer & "/" & $oAD_FSM.FSMORoleOwner) $oAD_Comp = ObjGet($oAD_CompNTDS.Parent) $aAD_Roles[2] = $oAD_Comp.dnsHostname ; Infrastructure FSMO $oAD_Command.CommandText = ";(&(objectClass=infrastructureUpdate) (fSMORoleOwner=*));adsPath;subtree" $oAD_RecordSet = $oAD_Command.Execute $oAD_FSM = ObjGet($oAD_RecordSet.fields(0).value) $oAD_CompNTDS = ObjGet("LDAP://" & $sAD_HostServer & "/" & $oAD_FSM.FSMORoleOwner) $oAD_Comp = ObjGet($oAD_CompNTDS.Parent) $aAD_Roles[3] = $oAD_Comp.dnsHostname ; Schema FSMO $oAD_Command.CommandText = ";(&(objectClass=dMD) (fSMORoleOwner=*));adsPath;subtree" $oAD_RecordSet = $oAD_Command.Execute $oAD_FSM = ObjGet($oAD_RecordSet.fields(0).value) $oAD_CompNTDS = ObjGet("LDAP://" & $sAD_HostServer & "/" & $oAD_FSM.FSMORoleOwner) $oAD_Comp = ObjGet($oAD_CompNTDS.Parent) $aAD_Roles[4] = $oAD_Comp.dnsHostname ; Domain Naming FSMO $oAD_Command.CommandText = ";(&(objectClass=crossRefContainer)(fSMORoleOwner=*));adsPath;subtree" $oAD_RecordSet = $oAD_Command.Execute $oAD_FSM = ObjGet($oAD_RecordSet.fields(0).value) $oAD_CompNTDS = ObjGet("LDAP://" & $sAD_HostServer & "/" & $oAD_FSM.FSMORoleOwner) $oAD_Comp = ObjGet($oAD_CompNTDS.Parent) $aAD_Roles[5] = $oAD_Comp.dnsHostname $aAD_Roles[0] = 5 Return $aAD_Roles EndFunc ;==>_AD_ListRoleOwners ; #FUNCTION# ==================================================================================================================== ; Name...........: _AD_GetLastLoginDate ; Description ...: Returns the lastlogin information from all DCs using the SamAccountName. ; Syntax.........: _AD_GetLastLoginDate([$sAD_User = @Username[, $sAD_Site]]) ; Parameters ....: $sAD_User - Optional: SamAccountName of a user account to get the last login date (default = @Username). ; $sAD_Site - Optional: Only query DCs that belong to this site (default = all sites). ; Return values .: Success - Last login date returned as YYYYMMDDHHMMSS. @extended is set to the total number of Domain Controllers. ; +@error could be > 0 and contains the number of DCs that could not be reached or returns no data ; Failure - 0, sets @error to: ; |1 - $sAD_User could not be found. @extended = 0 ; |2 - $sAD_User has never logged in to the domain. @extended = 0 ; Warning - Last login date returned as YYYYMMDDHHMMSS (see Success), sets @error and @extended to: ; |x - Number of DCs which could not be reached. Result is returned from all available DCs. @extended is set to the total number of Domain Controllers ; Author ........: Jonathan Clelland ; Modified.......: water ; Remarks .......: If it takes (too) long to get a result either some DCs are down or you have too many DCs in your AD. ; +Case one: Please check @error and @extended as described above ; +Case two: Specify parameter $sAD_Site to reduce the number of DCs to query ; Related .......: ; Link ..........: http://blogs.technet.com/b/askds/archive/2009/04/15/the-lastlogontimestamp-attribute-what-it-was-designed-for-and-how-it-works.aspx ; Example .......: Yes ; =============================================================================================================================== Func _AD_GetLastLoginDate($sAD_User = @UserName, $sAD_Site = "") If _AD_ObjectExists($sAD_User) = 0 Then Return SetError(1, 0, 0) Local $aAD_DCList = _AD_ListDomainControllers() ; Delete all DCs not belonging to the specified site If $sAD_Site <> "" Then For $iAD_Count1 = $aAD_DCList[0][0] To 1 Step -1 If $aAD_DCList[$iAD_Count1][3] <> $sAD_Site Then _ArrayDelete($aAD_DCList, $iAD_Count1) Next $aAD_DCList[0][0] = UBound($aAD_DCList, 1) - 1 EndIf ; Get LastLogin from all DCs Local $aAD_Result[$aAD_DCList[0][0] + 1] Local $sAD_LDAPEntry, $oAD_Object, $oAD_RecordSet Local $iAD_Error1 = 0, $iAD_Error2 = 0 For $iCount1 = 1 To $aAD_DCList[0][0] If Ping($aAD_DCList[$iCount1][2]) = 0 Then $iAD_Error1 += 1 ContinueLoop EndIf $oAD_Command.CommandText = ";(sAMAccountName=" & $sAD_User & ");ADsPath;subtree" $oAD_RecordSet = $oAD_Command.Execute ; Retrieve the ADsPath for the object ; -2147352567 or 0x80020009 is returned when the service is not operational If @error = -2147352567 Or $oAD_RecordSet.RecordCount = 0 Then $iAD_Error1 += 1 Else $sAD_LDAPEntry = $oAD_RecordSet.fields(0).value $oAD_Object = _AD_ObjGet($sAD_LDAPEntry) ; Retrieve the COM Object for the object $aAD_Result[$iCount1] = $oAD_Object.LastLogin ; -2147352567 or 0x80020009 is returned when the attribute "LastLogin" isn't defined on this DC If @error = -2147352567 Then $iAD_Error2 += 1 $oAD_Object.PurgePropertyList EndIf Next _ArraySort($aAD_Result, 1, 1) ; If error count equals the number of DCs then the user has never logged in If $iAD_Error2 = $aAD_DCList[0][0] Then Return SetError(2, 0, 0) Return SetError($iAD_Error1, $aAD_DCList[0][0], $aAD_Result[1]) EndFunc ;==>_AD_GetLastLoginDate ; #FUNCTION# ==================================================================================================================== ; Name...........: _AD_IsObjectDisabled ; Description ...: Returns 1 if the object (user account, computer account) is disabled. ; Syntax.........: _AD_IsObjectDisabled([$sAD_Object = @Username]) ; Parameters ....: $sAD_Object - Optional: Object to check (default = @Username). Can be specified as Fully Qualified Domain Name (FQDN) or sAMAccountName ; Return values .: Success - 1, Specified object is disabled ; Failure - 0, sets @error to: ; |0 - $sAD_Object is not disabled ; |1 - $sAD_Object could not be found ; Author ........: Jonathan Clelland ; Modified.......: water ; Remarks .......: A $ sign must be appended to the computer name to create a correct sAMAccountName e.g. @ComputerName & "$" ; Related .......: _AD_DisableObject, _AD_EnableObject, _AD_GetObjectsDisabled ; Link ..........: ; Example .......: Yes ; =============================================================================================================================== Func _AD_IsObjectDisabled($sAD_Object = @UserName) If _AD_ObjectExists($sAD_Object) = 0 Then Return SetError(1, 0, 0) Local $iAD_UAC = _AD_GetObjectAttribute($sAD_Object, "userAccountControl") If BitAND($iAD_UAC, $ADS_UF_ACCOUNTDISABLE) = $ADS_UF_ACCOUNTDISABLE Then Return 1 Return 0 EndFunc ;==>_AD_IsObjectDisabled ; #FUNCTION# ==================================================================================================================== ; Name...........: _AD_IsObjectLocked ; Description ...: Returns 1 if the object (user account, computer account) is locked. ; Syntax.........: _AD_IsObjectLocked([$sAD_Object = @Username]) ; Parameters ....: $sAD_Object - Optional: Object to check (default = @Username). Can be specified as Fully Qualified Domain Name (FQDN) or sAMAccountName ; Return values .: Success - 1, Specified object is locked, sets @error to: ; |x - number of minutes till the account is unlocked. -1 means the account has to be unlocked manually by an admin ; Failure - 0, sets @error to: ; |0 - $sAD_Object is not locked ; |1 - $sAD_Object could not be found ; Author ........: water ; Modified.......: ; Remarks .......: A $ sign must be appended to the computer name to create a correct sAMAccountName e.g. @ComputerName & "$" ; LockoutTime contains the timestamp when the object was locked. This value is not reset until the user/computer logs on again. ; LockoutTime could be > 0 even when the lockout already has expired. ; Related .......: _AD_GetObjectsLocked, _AD_UnlockObject ; Link ..........: http://www.pcreview.co.uk/forums/thread-1350048.php, http://www.rlmueller.net/IsUserLocked.htm, http://technet.microsoft.com/en-us/library/cc780271%28WS.10%29.aspx ; Example .......: Yes ; =============================================================================================================================== Func _AD_IsObjectLocked($sAD_Object = @UserName) ;------------------------------------------------------------- ; HINT: To enhance performance this can also be written as: ; $oUser = ObjGet("WinNT:///") ; ConsoleWrite("Locked: " & $oUser.IsAccountLocked & @CRLF) ;------------------------------------------------------------- If Not _AD_ObjectExists($sAD_Object) Then Return SetError(1, 0, 0) Local $sAD_Property = "sAMAccountName" If StringMid($sAD_Object, 3, 1) = "=" Then $sAD_Property = "distinguishedName"; FQDN provided $oAD_Command.CommandText = ";(" & $sAD_Property & "=" & $sAD_Object & ");ADsPath;subtree" Local $oAD_RecordSet = $oAD_Command.Execute ; Retrieve the ADsPath for the object Local $sAD_LDAPEntry = $oAD_RecordSet.fields(0).value Local $oAD_Object = _AD_ObjGet($sAD_LDAPEntry) ; Retrieve the COM Object for the object Local $oAD_LockoutTime = $oAD_Object.LockoutTime ; Object is not locked out If Not IsObj($oAD_LockoutTime) Then Return ; Calculate lockout time (UTC) Local $sAD_LockoutTime = _DateAdd("s", Int(_AD_LargeInt2Double($oAD_LockoutTime.LowPart, $oAD_LockoutTime.HighPart) / (10000000)), "1601/01/01 00:00:00") ; Object is not locked out If $sAD_LockoutTime = "1601/01/01 00:00:00" Then Return ; Get password info - Account Lockout Duration Local $aAD_Temp = _AD_GetPasswordInfo($sAD_Object) ; if lockout duration is 0 (= unlock manually by admin needed) then no calculation is necessary. Set @error to -1 (minutes till the account is unlocked) If $aAD_Temp[5] = 0 Then Return SetError(-1, 0, 1) ; Calculate when the lockout will be reset Local $sAD_ResetLockoutTime = _DateAdd("n", $aAD_Temp[5], $sAD_LockoutTime) ; Compare to current date/time (UTC) Local $sAD_Now = _Date_Time_GetSystemTime() $sAD_Now = _Date_Time_SystemTimeToDateTimeStr($sAD_Now, 1) If $sAD_ResetLockoutTime >= $sAD_Now Then Return SetError(_DateDiff("n", $sAD_Now, $sAD_ResetLockoutTime), 0, 1) Return EndFunc ;==>_AD_IsObjectLocked ; #FUNCTION# ==================================================================================================================== ; Name...........: _AD_IsPasswordExpired ; Description ...: Returns 1 if the users password has expired. ; Syntax.........: _AD_IsPasswordExpired([$sAD_User = @Username]) ; Parameters ....: $sAD_User - Optional: Object to check (default = @Username). Can be specified as Fully Qualified Domain Name (FQDN) or sAMAccountName ; Return values .: Success - 1, The password of the specified user has expired ; Failure - 0, sets @error to: ; |0 - Password for $sAD_User has not expired ; |1 - $sAD_User could not be found ; |x - Error as returned by function _AD_GetPasswordInfo ; Author ........: Jonathan Clelland ; Modified.......: water ; Remarks .......: ; Related .......: _AD_GetPasswordExpired, _AD_GetPasswordDontExpire, _AD_SetPassword, _AD_DisablePasswordExpire, _AD_EnablePasswordExpire, _AD_EnablePasswordChange, _AD_DisablePasswordChange, _AD_GetPasswordInfo ; Link ..........: ; Example .......: Yes ; =============================================================================================================================== Func _AD_IsPasswordExpired($sAD_User = @UserName) If Not _AD_ObjectExists($sAD_User) Then Return SetError(1, 0, 0) Local $aAD_Temp = _AD_GetPasswordInfo($sAD_User) If @error <> 0 Then SetError(@error, 0, 0) If $aAD_Temp[11] <= _NowCalc() Then Return 1 Return EndFunc ;==>_AD_IsPasswordExpired ; #FUNCTION# ==================================================================================================================== ; Name...........: _AD_GetObjectsDisabled ; Description ...: Returns an array with FQDNs of disabled objects (user accounts, computer accounts). ; Syntax.........: _AD_GetObjectsDisabled([$sAD_Class = "user"]) ; Parameters ....: $sAD_Class - Optional: Specifies if disabled user accounts or computer accounts should be returned (default = "user"). ; "user" - Returns objects of category "user" ; "computer" - Returns objects of category "computer" ; Return values .: Success - array of user or computer account FQDNs ; Failure - "", sets @error to: ; |1 - $sAD_Class is invalid. Values can be "computer" or "user" ; Author ........: Jonathan Clelland ; Modified.......: water ; Remarks .......: ; Related .......: _AD_IsObjectDisabled, _AD_DisableObject, _AD_EnableObject ; Link ..........: ; Example .......: Yes ; =============================================================================================================================== Func _AD_GetObjectsDisabled($sAD_Class = "user") If $sAD_Class <> "user" And $sAD_Class <> "computer" Then Return SetError(1, 0, "") $oAD_Command.CommandText = ";(&(objectcategory=" & $sAD_Class & ")(userAccountControl:1.2.840.113556.1.4.803:=" & _ $ADS_UF_ACCOUNTDISABLE & "));distinguishedName,objectcategory;subtree" Local $oAD_RecordSet = $oAD_Command.Execute Local $aAD_FQDN[$oAD_RecordSet.RecordCount + 1] $aAD_FQDN[0] = $oAD_RecordSet.RecordCount Local $iCount1 = 1 While Not $oAD_RecordSet.EOF $aAD_FQDN[$iCount1] = $oAD_RecordSet.Fields(0).Value $iCount1 += 1 $oAD_RecordSet.MoveNext WEnd Return $aAD_FQDN EndFunc ;==>_AD_GetObjectsDisabled ; #FUNCTION# ==================================================================================================================== ; Name...........: _AD_GetObjectsLocked ; Description ...: Returns an array of FQDNs of locked (user and/or, computer accounts), lockout time and minutes remaining in locked state. ; Syntax.........: _AD_GetObjectsLocked([$sAD_Class = "user"]) ; Parameters ....: $sAD_Class - Optional: Specifies if locked user accounts or computer accounts should be returned (default = "user"). ; "user" - Returns objects of category "user" ; "computer" - Returns objects of category "computer" ; Return values .: Success - Returns a one-based two dimensional array with the following information: ; |1 - FQDN of the locked object ; |2 - lockout time YYYY/MM/DD HH:MM:SS in local time of the calling user ; |3 - Minutes until the object will be unlocked ; Failure - "", sets @error to: ; |1 - $sAD_Class is invalid. Should be "computer" or "user" ; |2 - No locked objects found ; Author ........: Jonathan Clelland ; Modified.......: water ; Remarks .......: LockoutTime contains the timestamp when the object was locked. This value is not reset until the user/computer logs on again. ; LockoutTime could be > 0 even when the lockout has already expired. ; Related .......: _AD_IsObjectLocked, _AD_UnlockObject ; Link ..........: http://technet.microsoft.com/en-us/library/cc780271%28WS.10%29.aspx ; Example .......: Yes ; =============================================================================================================================== Func _AD_GetObjectsLocked($sAD_Class = "user") If $sAD_Class <> "user" And $sAD_Class <> "computer" Then Return SetError(1, 0, "") ; Get all objects with lockouttime>=1 $oAD_Command.CommandText = ";(&(objectcategory=" & $sAD_Class & ")(lockouttime>=1));distinguishedName;subtree" Local $oAD_RecordSet = $oAD_Command.Execute If Not IsObj($oAD_RecordSet) Or $oAD_RecordSet.RecordCount = 0 Then Return SetError(2, 0, "") Local $aAD_FQDN[$oAD_RecordSet.RecordCount + 1][3] = [[$oAD_RecordSet.RecordCount, 3]] Local $iCount1 = 1 Local $aAD_Result While Not $oAD_RecordSet.EOF $aAD_FQDN[$iCount1][0] = $oAD_RecordSet.Fields(0).Value $iCount1 += 1 $oAD_RecordSet.MoveNext WEnd ; check if lockouttime has expired. If yes, delete from table For $iCount1 = $aAD_FQDN[0][0] To 1 Step -1 If Not _AD_IsObjectLocked($aAD_FQDN[$iCount1][0]) Then _ArrayDelete($aAD_FQDN, $iCount1) Else $aAD_FQDN[$iCount1][2] = @error $aAD_Result = _AD_GetObjectProperties($aAD_FQDN[$iCount1][0], "lockouttime") $aAD_FQDN[$iCount1][1] = $aAD_Result[1][1] EndIf Next $aAD_FQDN[0][0] = UBound($aAD_FQDN) - 1 If $aAD_FQDN[0][0] = 0 Then Return SetError(2, 0, "") Return $aAD_FQDN EndFunc ;==>_AD_GetObjectsLocked ; #FUNCTION# ==================================================================================================================== ; Name...........: _AD_GetPasswordExpired ; Description ...: Returns an array of FQDNs of user account with expired passwords. ; Syntax.........: _AD_GetPasswordExpired() ; Parameters ....: None ; Return values .: Success - One-based two dimensional array of FQDNs of user accounts with expired passwords ; |1 - FQDNs of user accounts with expired password ; |2 - password last set YYYY/MM/DD HH:NMM:SS UTC ; |3 - password last set YYYY/MM/DD HH:NMM:SS local time of calling user ; Failure - "", sets @error to: ; |1 - No expired passwords found ; Author ........: water ; Modified.......: ; Remarks .......: ; Related .......: _AD_IsPasswordExpired, _AD_GetPasswordDontExpire, _AD_SetPassword, _AD_DisablePasswordExpire, _AD_EnablePasswordExpire, _AD_EnablePasswordChange, _AD_DisablePasswordChange, _AD_GetPasswordInfo ; Link ..........: ; Example .......: Yes ; =============================================================================================================================== Func _AD_GetPasswordExpired() Local $aAD_Temp = _AD_GetPasswordInfo() Local $sAD_DTExpire = _Date_Time_GetSystemTime() ; Get current date/time $sAD_DTExpire = _Date_Time_SystemTimeToDateTimeStr($sAD_DTExpire, 1) ; convert to system time $sAD_DTExpire = _DateAdd("D", $aAD_Temp[1] * - 1, $sAD_DTExpire) ; substract maximum password age Local $iAD_DTExpire = _DateDiff("s", "1601/01/01 00:00:00", $sAD_DTExpire) * 10000000 ; convert to Integer8 Local $sAD_DTStruct = DllStructCreate("dword low;dword high") Local $sAD_Temp, $iAD_Temp $oAD_Command.CommandText = ";(&(objectCategory=person)(objectClass=user)" & _ "(pwdLastSet<=" & Int($iAD_DTExpire) & ")(pwdLastSet>=110133216000000001" & "));distinguishedName,pwdlastset,useraccountcontrol;subtree" Local $oAD_RecordSet = $oAD_Command.Execute If Not IsObj($oAD_RecordSet) Or $oAD_RecordSet.RecordCount = 0 Then Return SetError(1, 0, "") Local $aAD_FQDN[$oAD_RecordSet.RecordCount + 1][3] $aAD_FQDN[0][0] = $oAD_RecordSet.RecordCount Local $iAD_Count = 1 While Not $oAD_RecordSet.EOF $aAD_FQDN[$iAD_Count][0] = $oAD_RecordSet.Fields(0).Value $iAD_Temp = $oAD_RecordSet.Fields(1).Value If BitAND($oAD_RecordSet.Fields(2).Value, $ADS_UF_DONT_EXPIRE_PASSWD) <> $ADS_UF_DONT_EXPIRE_PASSWD Then DllStructSetData($sAD_DTStruct, "Low", $iAD_Temp.LowPart) DllStructSetData($sAD_DTStruct, "High", $iAD_Temp.HighPart) $sAD_Temp = _Date_Time_FileTimeToSystemTime(DllStructGetPtr($sAD_DTStruct)) $aAD_FQDN[$iAD_Count][1] = _Date_Time_SystemTimeToDateTimeStr($sAD_Temp, 1) $sAD_Temp = _Date_Time_SystemTimeToTzSpecificLocalTime(DllStructGetPtr($sAD_Temp)) $aAD_FQDN[$iAD_Count][2] = _Date_Time_SystemTimeToDateTimeStr($sAD_Temp, 1) EndIf $iAD_Count += 1 $oAD_RecordSet.MoveNext WEnd ; Delete records with UAC set to password not expire $aAD_FQDN[0][0] = UBound($aAD_FQDN) - 1 For $iAD_Count = $aAD_FQDN[0][0] To 1 Step -1 If $aAD_FQDN[$iAD_Count][1] = "" Then _ArrayDelete($aAD_FQDN, $iAD_Count) Next $aAD_FQDN[0][0] = UBound($aAD_FQDN) - 1 Return $aAD_FQDN EndFunc ;==>_AD_GetPasswordExpired ; #FUNCTION# ==================================================================================================================== ; Name...........: _AD_GetPasswordDontExpire ; Description ...: Returns an array of user account FQDNs where the password does not expire. ; Syntax.........: _AD_GetPasswordDontExpire() ; Parameters ....: None ; Return values .: Success - Array with FQDNs of user accounts for which the password does not expire ; Failure - "", sets @error to: ; |1 - No user accounts for which the password does not expire ; Author ........: Jonathan Clelland ; Modified.......: water ; Remarks .......: ; Related .......: _AD_IsPasswordExpired, _AD_GetPasswordExpired, _AD_SetPassword, _AD_DisablePasswordExpire, _AD_EnablePasswordExpire, _AD_EnablePasswordChange, _AD_DisablePasswordChange, _AD_GetPasswordInfo ; Link ..........: ; Example .......: Yes ; =============================================================================================================================== Func _AD_GetPasswordDontExpire() $oAD_Command.CommandText = ";(&(objectcategory=user)(userAccountControl:1.2.840.113556.1.4.803:=" & _ $ADS_UF_DONT_EXPIRE_PASSWD & "));distinguishedName;subtree" Local $oAD_RecordSet = $oAD_Command.Execute If Not IsObj($oAD_RecordSet) Or $oAD_RecordSet.RecordCount = 0 Then Return SetError(1, 0, "") Local $aAD_FQDN[$oAD_RecordSet.RecordCount + 1] $aAD_FQDN[0] = $oAD_RecordSet.RecordCount Local $iCount1 = 1 While Not $oAD_RecordSet.EOF $aAD_FQDN[$iCount1] = $oAD_RecordSet.Fields(0).Value $iCount1 += 1 $oAD_RecordSet.MoveNext WEnd Return $aAD_FQDN EndFunc ;==>_AD_GetPasswordDontExpire ; #FUNCTION# ==================================================================================================================== ; Name...........: _AD_GetObjectProperties ; Description ...: Returns a two-dimensional array of all or selected properties and their values of an object in readable form. ; Syntax.........: _AD_GetObjectProperties([$sAD_Object = @UserName[, $sAD_Properties = ""]]) ; Parameters ....: $sAD_Object - Optional: SamAccountName or FQDN of the object properties from (e.g. computer, user, group ...) (default = @Username) ; |Can be of type object as well. Useful to get properties for a schema or configuration object (see _AD_ListRootDSEAttributes) ; $sAD_Properties - Optional: Comma separated list of properties to return (default = "" = return all properties) ; Return values .: Success - Returns a two-dimensional array with all properties and their values of an object in readable form ; Failure - "" or property name, sets @error to: ; |1 - $sAD_Object could not be found ; |2 - No values for the specified property. The property in error is returned as the function result ; Author ........: Sundance ; Modified.......: water ; Remarks .......: Dates are returned in format: YYYY/MM/DD HH:MM:SS local time of the calling user (AD stores all dates in UTC - Universal Time Coordinated) ; Exception: AD internal dates like "whenCreated", "whenChanged" and "dSCorePropagationData". They are returned as UTC ; NT Security Descriptors are returned as: Control:nn, Group:Domain\Group, Owner:Domain\Group, Revision:nn ; No error is returned if there are properties in $sAD_Properties that are not available for the selected object ; Related .......: ; Link ..........: http://www.autoitscript.com/forum/index.php?showtopic=49627&view=findpost&p=422402, http://msdn.microsoft.com/en-us/library/ms675090(VS.85).aspx ; Example .......: Yes ; =============================================================================================================================== Func _AD_GetObjectProperties($sAD_Object = @UserName, $sAD_Properties = "") Local $aAD_ObjectProperties[1][2], $oAD_Object Local $oAD_Item, $oAD_PropertyEntry, $oAD_Value, $iCount3, $xAD_Dummy ; Data Type Mapping between Active Directory and LDAP ; http://msdn.microsoft.com/en-us/library/aa772375(VS.85).aspx Local Const $ADSTYPE_DN_STRING = 1 Local Const $ADSTYPE_CASE_IGNORE_STRING = 3 Local Const $ADSTYPE_BOOLEAN = 6 Local Const $ADSTYPE_INTEGER = 7 Local Const $ADSTYPE_OCTET_STRING = 8 Local Const $ADSTYPE_UTC_TIME = 9 Local Const $ADSTYPE_LARGE_INTEGER = 10 Local Const $ADSTYPE_NT_SECURITY_DESCRIPTOR = 25 Local Const $ADSTYPE_UNKNOWN = 26 Local $aAD_SAMAccountType[12][2] = [["DOMAIN_OBJECT", 0x0],["GROUP_OBJECT", 0x10000000],["NON_SECURITY_GROUP_OBJECT", 0x10000001], _ ["ALIAS_OBJECT", 0x20000000],["NON_SECURITY_ALIAS_OBJECT", 0x20000001],["USER_OBJECT", 0x30000000],["NORMAL_USER_ACCOUNT", 0x30000000], _ ["MACHINE_ACCOUNT", 0x30000001],["TRUST_ACCOUNT", 0x30000002],["APP_BASIC_GROUP", 0x40000000],["APP_QUERY_GROUP", 0x40000001], _ ["ACCOUNT_TYPE_MAX", 0x7fffffff]] Local $aAD_UAC[21][2] = [[0x00000001, "SCRIPT"],[0x00000002, "ACCOUNTDISABLE"],[0x00000008, "HOMEDIR_REQUIRED"],[0x00000010, "LOCKOUT"],[0x00000020, "PASSWD_NOTREQD"], _ [0x00000040, "PASSWD_CANT_CHANGE"],[0x00000080, "ENCRYPTED_TEXT_PASSWORD_ALLOWED"],[0x00000100, "TEMP_DUPLICATE_ACCOUNT"],[0x00000200, "NORMAL_ACCOUNT"], _ [0x00000800, "INTERDOMAIN_TRUST_ACCOUNT"],[0x00001000, "WORKSTATION_TRUST_ACCOUNT"],[0x00002000, "SERVER_TRUST_ACCOUNT"],[0x00010000, "DONT_EXPIRE_PASSWD"], _ [0x00020000, "MNS_LOGON_ACCOUNT"],[0x00040000, "SMARTCARD_REQUIRED"],[0x00080000, "TRUSTED_FOR_DELEGATION"],[0x00100000, "NOT_DELEGATED"], _ [0x00200000, "USE_DES_KEY_ONLY"],[0x00400000, "DONT_REQUIRE_PREAUTH"],[0x00800000, "PASSWORD_EXPIRED"],[0x01000000, "TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION"]] $sAD_Properties = "," & StringReplace($sAD_Properties, " ", "") & "," If Not IsObj($sAD_Object) Then If _AD_ObjectExists($sAD_Object) = 0 Then Return SetError(1, 0, "") Local $sAD_Property = "sAMAccountName" If StringMid($sAD_Object, 3, 1) = "=" Then $sAD_Property = "distinguishedName"; FQDN provided $oAD_Command.CommandText = ";(" & $sAD_Property & "=" & $sAD_Object & ");ADsPath;subtree" Local $oAD_RecordSet = $oAD_Command.Execute ; Retrieve the ADsPath for the object Local $sAD_LDAPEntry = $oAD_RecordSet.fields(0).value $oAD_Object = _AD_ObjGet($sAD_LDAPEntry) ; Retrieve the COM Object Else $oAD_Object = $sAD_Object EndIf $oAD_Object.GetInfo() Local $iCount1 = $oAD_Object.PropertyCount() For $iCount2 = 0 To $iCount1 - 1 $oAD_Item = $oAD_Object.Item($iCount2) If Not ($sAD_Properties = ",," Or StringInStr($sAD_Properties, "," & $oAD_Item.Name & ",") > 0) Then ContinueLoop $oAD_PropertyEntry = $oAD_Object.GetPropertyItem($oAD_Item.Name, $ADSTYPE_UNKNOWN) If IsObj($oAD_PropertyEntry) = 0 Then Return SetError(2, 0, $oAD_Item.Name) Else For $vAD_PropertyValue In $oAD_PropertyEntry.Values ReDim $aAD_ObjectProperties[UBound($aAD_ObjectProperties, 1) + 1][2] $iCount3 = UBound($aAD_ObjectProperties, 1) - 1 $aAD_ObjectProperties[$iCount3][0] = $oAD_Item.Name If $oAD_Item.ADsType = $ADSTYPE_CASE_IGNORE_STRING Then $aAD_ObjectProperties[$iCount3][1] = $vAD_PropertyValue.CaseIgnoreString ElseIf $oAD_Item.ADsType = $ADSTYPE_INTEGER Then If $oAD_Item.Name = "sAMAccountType" Then For $iCount4 = 0 To 11 If $vAD_PropertyValue.Integer = $aAD_SAMAccountType[$iCount4][1] Then $aAD_ObjectProperties[$iCount3][1] = $aAD_SAMAccountType[$iCount4][0] ExitLoop EndIf Next ElseIf $oAD_Item.Name = "userAccountControl" Then $aAD_ObjectProperties[$iCount3][1] = $vAD_PropertyValue.Integer & " = " For $iCount4 = 0 To 20 If BitAND($vAD_PropertyValue.Integer, $aAD_UAC[$iCount4][0]) = $aAD_UAC[$iCount4][0] Then $aAD_ObjectProperties[$iCount3][1] &= $aAD_UAC[$iCount4][1] & " - " EndIf Next If StringRight($aAD_ObjectProperties[$iCount3][1], 3) = " - " Then $aAD_ObjectProperties[$iCount3][1] = StringTrimRight($aAD_ObjectProperties[$iCount3][1], 3) Else $aAD_ObjectProperties[$iCount3][1] = $vAD_PropertyValue.Integer EndIf ElseIf $oAD_Item.ADsType = $ADSTYPE_LARGE_INTEGER Then If $oAD_Item.Name = "pwdLastSet" Or $oAD_Item.Name = "accountExpires" Or $oAD_Item.Name = "lastLogonTimestamp" Or $oAD_Item.Name = "badPasswordTime" Or $oAD_Item.Name = "lastLogon" Or $oAD_Item.Name = "lockoutTime" Then If $vAD_PropertyValue.LargeInteger.LowPart = 0 And $vAD_PropertyValue.LargeInteger.HighPart = 0 Then $aAD_ObjectProperties[$iCount3][1] = "1601/01/01 00:00:00" Else Local $sAD_Temp = DllStructCreate("dword low;dword high") DllStructSetData($sAD_Temp, "Low", $vAD_PropertyValue.LargeInteger.LowPart) DllStructSetData($sAD_Temp, "High", $vAD_PropertyValue.LargeInteger.HighPart) Local $sAD_Temp2 = _Date_Time_FileTimeToSystemTime(DllStructGetPtr($sAD_Temp)) Local $sAD_Temp3 = _Date_Time_SystemTimeToTzSpecificLocalTime(DllStructGetPtr($sAD_Temp2)) $aAD_ObjectProperties[$iCount3][1] = _Date_Time_SystemTimeToDateTimeStr($sAD_Temp3, 1) EndIf Else $aAD_ObjectProperties[$iCount3][1] = _AD_LargeInt2Double($vAD_PropertyValue.LargeInteger.LowPart, $vAD_PropertyValue.LargeInteger.HighPart) EndIf ElseIf $oAD_Item.ADsType = $ADSTYPE_OCTET_STRING Then $xAD_Dummy = DllStructCreate("byte[56]") DllStructSetData($xAD_Dummy, 1, $vAD_PropertyValue.OctetString) ; objectSID etc. See: http://msdn.microsoft.com/en-us/library/aa379597(VS.85).aspx ; objectGUID etc. See: http://www.autoitscript.com/forum/index.php?showtopic=106163&view=findpost&p=767558 If _Security__IsValidSid(DllStructGetPtr($xAD_Dummy)) Then $aAD_ObjectProperties[$iCount3][1] = _Security__SidToStringSid(DllStructGetPtr($xAD_Dummy)) ; SID Else $aAD_ObjectProperties[$iCount3][1] = _WinAPI_StringFromGUID(DllStructGetPtr($xAD_Dummy)) ; GUID EndIf ElseIf $oAD_Item.ADsType = $ADSTYPE_DN_STRING Then $aAD_ObjectProperties[$iCount3][1] = $vAD_PropertyValue.DNString ElseIf $oAD_Item.ADsType = $ADSTYPE_UTC_TIME Then Local $iAD_DateTime = $vAD_PropertyValue.UTCTime $aAD_ObjectProperties[$iCount3][1] = StringLeft($iAD_DateTime, 4) & "/" & StringMid($iAD_DateTime, 5, 2) & "/" & StringMid($iAD_DateTime, 7, 2) & _ " " & StringMid($iAD_DateTime, 9, 2) & ":" & StringMid($iAD_DateTime, 11, 2) & ":" & StringMid($iAD_DateTime, 13, 2) ElseIf $oAD_Item.ADsType = $ADSTYPE_BOOLEAN Then If $vAD_PropertyValue.Boolean = 0 Then $aAD_ObjectProperties[$iCount3][1] = "False" Else $aAD_ObjectProperties[$iCount3][1] = "True" EndIf ElseIf $oAD_Item.ADsType = $ADSTYPE_NT_SECURITY_DESCRIPTOR Then $oAD_Value = $vAD_PropertyValue.SecurityDescriptor $aAD_ObjectProperties[$iCount3][1] = "Control:" & $oAD_Value.Control & ", " & _ "Group:" & $oAD_Value.Group & ", " & _ "Owner:" & $oAD_Value.Owner & ", " & _ "Revision:" & $oAD_Value.Revision Else $aAD_ObjectProperties[$iCount3][1] = "Has the unknown ADsType: " & $oAD_Item.ADsType EndIf Next EndIf Next $aAD_ObjectProperties[0][0] = UBound($aAD_ObjectProperties, 1) - 1 _ArraySort($aAD_ObjectProperties, 0, 1) Return $aAD_ObjectProperties EndFunc ;==>_AD_GetObjectProperties ; #FUNCTION# ==================================================================================================================== ; Name...........: _AD_CreateOU ; Description ...: Creates a child OU in the specified parent OU. ; Syntax.........: _AD_CreateOU($sAD_ParentOU, $sAD_OU) ; Parameters ....: $sAD_ParentOU - Parent OU where the new OU will be created (FQDN) ; $sAD_OU - OU to create in the the parent OU (Name without leading "OU=") ; Return values .: Success - 1 ; Failure - 0, sets @error to: ; |1 - $sAD_ParentOU does not exist ; |2 - $sAD_OU in $sAD_ParentOU already exists ; |3 - $sAD_OU is missing ; |x - Error returned by SetInfo function (Missing permission etc.) ; Author ........: Jonathan Clelland ; Modified.......: water ; Remarks .......: This does not create any attributes for the OU. Use function _AD_ModifyAttribute. ; Related .......: _AD_CreateUser, _AD_CreateGroup, _AD_AddUserToGroup, _AD_RemoveUserFromGroup ; Link ..........: ; Example .......: Yes ; =============================================================================================================================== Func _AD_CreateOU($sAD_ParentOU, $sAD_OU) If Not _AD_ObjectExists($sAD_ParentOU, "distinguishedName") Then Return SetError(1, 0, 0) If _AD_ObjectExists("OU=" & $sAD_OU & "," & $sAD_ParentOU, "distinguishedName") Then Return SetError(2, 0, 0) If $sAD_OU = "" Then Return SetError(3, 0, 0) Local $oAD_ParentOU = _AD_ObjGet("LDAP://" & $sAD_HostServer & "/" & $sAD_ParentOU) Local $oAD_OU = $oAD_ParentOU.Create("organizationalUnit", "OU=" & $sAD_OU) $oAD_OU.SetInfo If @error <> 0 Then Return SetError(@error, 0, 0) Return 1 EndFunc ;==>_AD_CreateOU ; #FUNCTION# ==================================================================================================================== ; Name...........: _AD_CreateUser ; Description ...: Creates and activates a user in the specified OU. ; Syntax.........: _AD_CreateUser($sAD_OU, $sAD_User, $sAD_CN) ; Parameters ....: $sAD_OU - OU to create the user in. Form is "OU=sampleou,OU=sampleparent,DC=sampledomain1,DC=sampledomain2" ; $sAD_User - Username, form is SamAccountName without leading 'CN=' ; $sAD_CN - Common Name (without CN=) or RDN (Relative Distinguished Name) like "Lastname Firstname" ; Return values .: Success - 1 ; Failure - 0, sets @error to: ; |1 - $sAD_User already exists ; |2 - $sAD_OU does not exist ; |3 - $sAD_CN is missing ; |4 - $sAD_User is missing ; |x - Error returned by SetInfo function (Missing permission etc.) ; Author ........: Jonathan Clelland ; Modified.......: water ; Remarks .......: This function only sets sAMAccountName (= $sAD_User) and userPrincipalName (e.g. $sAD_User@microsoft.com). ; All other attributes have to be set using function _AD_ModifyAttribute ; Related .......: _AD_CreateOU, _AD_CreateGroup, _AD_AddUserToGroup, _AD_RemoveUserFromGroup ; Link ..........: ; Example .......: Yes ; =============================================================================================================================== Func _AD_CreateUser($sAD_OU, $sAD_User, $sAD_CN) If _AD_ObjectExists($sAD_User) Then Return SetError(1, 0, 0) If Not _AD_ObjectExists($sAD_OU, "distinguishedName") Then Return SetError(2, 0, 0) If $sAD_CN = "" Then Return SetError(3, 0, 0) If $sAD_User = "" Then Return SetError(4, 0, 0) Local $oAD_OU = _AD_ObjGet("LDAP://" & $sAD_HostServer & "/" & $sAD_OU) Local $oAD_User = $oAD_OU.Create("User", "CN=" & $sAD_CN) $oAD_User.sAMAccountName = $sAD_User $oAD_User.postalCode = "20359" $oAD_User.l = "Hamburg" $oAD_User.facsimileTelephoneNumber = "+494063602130" $oAD_User.company = "LichtBlick AG" $oAD_User.userPrincipalName = $sAD_User & "@" & StringTrimLeft(StringReplace($sAD_DNSDomain, ",DC=", "."), 3) $oAD_User.pwdLastSet = -1 $oAD_User.SetInfo If @error <> 0 Then Return SetError(@error, 0, 0) $oAD_User.AccountDisabled = False ; Activate User $oAD_User.SetInfo If @error <> 0 Then Return SetError(@error, 0, 0) Return 1 EndFunc ;==>_AD_CreateUser ; #FUNCTION# ==================================================================================================================== ; Name...........: _AD_SetPassword ; Description ...: Sets a user's password, or clears it if no password is passed to the function. ; Syntax.........: _AD_SetPassword($sAD_User[, $sAD_Password=""[, $iAD_Expired = 0]]) ; Parameters ....: $sAD_User - User for which to set the password (FQDN or sAMAccountName) ; $sAD_Password - Optional: Password to be set for $sAD_User. If $sAD_Password is "" then the password will be cleared (default) ; $iAD_Expired - Optional: 1 = the password has to be changed at next logon (Default = 0) ; Return values .: Success - 1 ; Failure - 0, sets @error to: ; |1 - $sAD_User does not exist ; |x - Error returned by SetInfo function (Missing permission etc.) ; Author ........: KenE ; Modified.......: water ; Remarks .......: ; Related .......: _AD_IsPasswordExpired, _AD_GetPasswordExpired, _AD_GetPasswordDontExpire, _AD_DisablePasswordExpire, _AD_EnablePasswordExpire, _AD_EnablePasswordChange, _AD_DisablePasswordChange, _AD_GetPasswordInfo ; Link ..........: ; Example .......: Yes ; =============================================================================================================================== Func _AD_SetPassword($sAD_User, $sAD_Password = "", $iAD_Expired = 0) If Not _AD_ObjectExists($sAD_User) Then Return SetError(1, 0, 0) If StringMid($sAD_User, 3, 1) <> "=" Then $sAD_User = _AD_SamAccountNameToFQDN($sAD_User) ; sAMACccountName provided Local $oAD_User = _AD_ObjGet("LDAP://" & $sAD_HostServer & "/" & $sAD_User) $oAD_User.SetPassword($sAD_Password) If $iAD_Expired Then $oAD_User.Put("pwdLastSet", 0) $oAD_User.SetInfo() If @error <> 0 Then Return SetError(@error, 0, 0) Return 1 EndFunc ;==>_AD_SetPassword ; #FUNCTION# ==================================================================================================================== ; Name...........: _AD_CreateGroup ; Description ...: Creates a group in the specified OU. ; Syntax.........: _AD_CreateGroup($sAD_OU, $sAD_Group[, $iAD_Type = $ADS_GROUP_TYPE_GLOBAL_SECURITY]) ; Parameters ....: $sAD_OU - OU to create the group in. Form is "OU=sampleou,OU=sampleparent,DC=sampledomain1,DC=sampledomain2" (FQDN) ; $sAD_Group - Groupname, form is SamAccountName without leading 'CN=' ; $iAD_Type - Optional: Group type (default = $ADS_GROUP_TYPE_GLOBAL_SECURITY). NOTE: Global security must be 'BitOr'ed with a scope. ; Return values .: Success - 1 ; Failure - 0, sets @error to: ; |1 - $sAD_Group already exists ; |2 - $sAD_OU does not exist ; |x - Error returned by SetInfo function (Missing permission etc.) ; Author ........: Jonathan Clelland ; Modified.......: water ; Remarks .......: This function only sets sAMAccountName and grouptype. All other attributes have to be set using ; function _AD_ModifyAttribute ; Related .......: _AD_CreateOU, _AD_CreateUser, _AD_AddUserToGroup, _AD_RemoveUserFromGroup ; Link ..........: ; Example .......: Yes ; =============================================================================================================================== Func _AD_CreateGroup($sAD_OU, $sAD_Group, $iAD_Type = $ADS_GROUP_TYPE_GLOBAL_SECURITY) If _AD_ObjectExists($sAD_Group) Then Return SetError(1, 0, 0) If Not _AD_ObjectExists($sAD_OU, "distinguishedName") Then Return SetError(2, 0, 0) Local $sAD_CN = "CN=" & _AD_FixSpecialChars($sAD_Group) Local $oAD_OU = _AD_ObjGet("LDAP://" & $sAD_HostServer & "/" & $sAD_OU) Local $oAD_Group = $oAD_OU.Create("Group", $sAD_CN) Local $sAD_SamAccountName = StringReplace($sAD_Group, ",", "") $sAD_SamAccountName = StringReplace($sAD_SamAccountName, "#", "") $sAD_SamAccountName = StringReplace($sAD_SamAccountName, "/", "") $oAD_Group.sAMAccountName = $sAD_SamAccountName $oAD_Group.grouptype = $iAD_Type $oAD_Group.SetInfo If @error <> 0 Then Return SetError(@error, 0, 0) Return 1 EndFunc ;==>_AD_CreateGroup ; #FUNCTION# ==================================================================================================================== ; Name...........: _AD_AddUserToGroup ; Description ...: Adds the user to the specified group. ; Syntax.........: _AD_AddUserToGroup($sAD_Group, $sAD_User) ; Parameters ....: $sAD_Group - Groupname (FQDN or sAMAccountName) ; $sAD_User - Username (FQDN or sAMAccountName) ; Return values .: Success - 1 ; Failure - 0, sets @error to: ; |1 - $sAD_Group does not exist ; |2 - $sAD_User does not exist ; |3 - $sAD_User is already a member of $sAD_Group ; |x - Error returned by SetInfo function (Missing permission etc.) ; Author ........: Jonathan Clelland ; Modified.......: water ; Remarks .......: Works for both computers and groups. The sAMAccountname of a computer requires a trailing "$" before converting it to a FQDN. ; Related .......: _AD_CreateOU, _AD_CreateUser, _AD_CreateGroup, _AD_RemoveUserFromGroup ; Link ..........: ; Example .......: Yes ; =============================================================================================================================== Func _AD_AddUserToGroup($sAD_Group, $sAD_User) If Not _AD_ObjectExists($sAD_Group) Then Return SetError(1, 0, 0) If Not _AD_ObjectExists($sAD_User) Then Return SetError(2, 0, 0) If _AD_IsMemberOf($sAD_Group, $sAD_User) Then Return SetError(3, 0, 0) If StringMid($sAD_Group, 3, 1) <> "=" Then $sAD_Group = _AD_SamAccountNameToFQDN($sAD_Group) ; sAMACccountName provided If StringMid($sAD_User, 3, 1) <> "=" Then $sAD_User = _AD_SamAccountNameToFQDN($sAD_User) ; sAMACccountName provided Local $oAD_User = _AD_ObjGet("LDAP://" & $sAD_HostServer & "/" & $sAD_User) ; Retrieve the COM Object for the user Local $oAD_Group = _AD_ObjGet("LDAP://" & $sAD_HostServer & "/" & $sAD_Group) ; Retrieve the COM Object for the group $oAD_Group.Add($oAD_User.AdsPath) $oAD_Group.SetInfo If @error <> 0 Then Return SetError(@error, 0, 0) Return 1 EndFunc ;==>_AD_AddUserToGroup ; #FUNCTION# ==================================================================================================================== ; Name...........: _AD_RemoveUserFromGroup ; Description ...: Removes the user from the specified group. ; Syntax.........: _AD_RemoveUserFromGroup($sAD_Group, $sAD_User) ; Parameters ....: $sAD_Group - Groupname (FQDN or sAMAccountName) ; $sAD_User - Username (FQDN or sAMAccountName) ; Return values .: Success - 1 ; Failure - 0, sets @error to: ; |1 - $sAD_Group does not exist ; |2 - $sAD_User does not exist ; |3 - $sAD_User is not a member of $sAD_Group ; |x - Error returned by SetInfo Function(Missing permission etc.) ; Author ........: Jonathan Clelland ; Modified.......: water ; Remarks .......: Works for computer objects as well. Remember that the sAMAccountname of a computer needs a trailing "$" before converting it to a FQDN. ; Related .......: _AD_CreateOU, _AD_CreateUser, _AD_CreateGroup, _AD_AddUserToGroup ; Link ..........: ; Example .......: Yes ; =============================================================================================================================== Func _AD_RemoveUserFromGroup($sAD_Group, $sAD_User) If Not _AD_ObjectExists($sAD_Group) Then Return SetError(1, 0, 0) If Not _AD_ObjectExists($sAD_User) Then Return SetError(2, 0, 0) If Not _AD_IsMemberOf($sAD_Group, $sAD_User) Then Return SetError(3, 0, 0) If StringMid($sAD_Group, 3, 1) <> "=" Then $sAD_Group = _AD_SamAccountNameToFQDN($sAD_Group) ; sAMACccountName provided If StringMid($sAD_User, 3, 1) <> "=" Then $sAD_User = _AD_SamAccountNameToFQDN($sAD_User) ; sAMACccountName provided Local $oAD_User = _AD_ObjGet("LDAP://" & $sAD_HostServer & "/" & $sAD_User) ; Retrieve the COM Object for the user Local $oAD_Group = _AD_ObjGet("LDAP://" & $sAD_HostServer & "/" & $sAD_Group) ; Retrieve the COM Object for the group $oAD_Group.Remove($oAD_User.AdsPath) $oAD_Group.SetInfo If @error <> 0 Then Return SetError(@error, 0, 0) Return 1 EndFunc ;==>_AD_RemoveUserFromGroup ; #FUNCTION# ==================================================================================================================== ; Name...........: _AD_CreateComputer ; Description ...: Creates and enables a computer account. A specific, authenticated user/group can then use this account to add his or her workstation to the domain. ; Syntax.........: _AD_CreateComputer($sAD_OU, $sAD_Computer, $sAD_User) ; Parameters ....: $sAD_OU - OU to create the computer in. Form is "OU=sampleou,OU=sampleparent,DC=sampledomain1,DC=sampledomain2" (FQDN) ; $sAD_Computer - Computername, form is SamAccountName without trailing "$" ; $sAD_User - User or group that will be allowed to add the computer to the domain (SamAccountName) ; Return values .: Success - 1 ; Failure - 0, sets @error to: ; |1 - $sAD_OU does not exist ; |2 - $sAD_Computer already defined in $sAD_OU ; |3 - $sAD_User does not exist ; |x - Error returned by SetInfo Function(Missing permission etc.) ; Author ........: Jonathan Clelland ; Modified.......: water ; Remarks .......: By default, any authenticated user can create up to 10 computer accounts in the domain. ; (see: http://technet.microsoft.com/en-us/library/cc780195(WS.10).aspx) ; To create the Access Control List you need further rights. If this right is missing you might be able to add the ; computer to the domain but the function will exit with failure and the ACL is not set. ; The specified user/group has the following rights on the defined computer: ; Related .......: _AD_CreateOU, _AD_JoinDomain ; Link ..........: http://www.wisesoft.co.uk/scripts/vbscript_create_a_computer_account_for_a_specific_user.aspx ; Example .......: Yes ; =============================================================================================================================== Func _AD_CreateComputer($sAD_OU, $sAD_Computer, $sAD_User) If Not _AD_ObjectExists($sAD_OU) Then Return SetError(1, 0, 0) If _AD_ObjectExists("CN=" & $sAD_Computer & "," & $sAD_OU) Then Return SetError(2, 0, 0) If Not _AD_ObjectExists($sAD_User) Then Return SetError(3, 0, 0) If StringMid($sAD_OU, 3, 1) <> "=" Then $sAD_OU = _AD_SamAccountNameToFQDN($sAD_OU) ; sAMACccountName provided If StringMid($sAD_User, 3, 1) = "=" Then $sAD_User = _AD_FQDNToSamAccountName($sAD_User) ; FQDN provided Local $oAD_Container = _AD_ObjGet("LDAP://" & $sAD_HostServer & "/" & $sAD_OU) Local $oAD_Computer = $oAD_Container.Create("Computer", "cn=" & $sAD_Computer) $oAD_Computer.Put("sAMAccountName", $sAD_Computer & "$") $oAD_Computer.Put("userAccountControl", BitOR($ADS_UF_PASSWD_NOTREQD, $ADS_UF_WORKSTATION_TRUST_ACCOUNT)) $oAD_Computer.SetInfo If @error <> 0 Then Return SetError(@error, 0, 0) Local $oAD_SD = $oAD_Computer.Get("ntSecurityDescriptor") Local $oAD_DACL = $oAD_SD.DiscretionaryAcl Local $oAD_ACE1 = ObjCreate("AccessControlEntry") $oAD_ACE1.Trustee = $sAD_User $oAD_ACE1.AccessMask = $ADS_RIGHT_GENERIC_READ $oAD_ACE1.AceFlags = 0 $oAD_ACE1.AceType = $ADS_ACETYPE_ACCESS_ALLOWED Local $oAD_ACE2 = ObjCreate("AccessControlEntry") $oAD_ACE2.Trustee = $sAD_User $oAD_ACE2.AccessMask = $ADS_RIGHT_DS_CONTROL_ACCESS $oAD_ACE2.AceFlags = 0 $oAD_ACE2.AceType = $ADS_ACETYPE_ACCESS_ALLOWED_OBJECT $oAD_ACE2.Flags = $ADS_FLAG_OBJECT_TYPE_PRESENT $oAD_ACE2.ObjectType = $ALLOWED_TO_AUTHENTICATE Local $oAD_ACE3 = ObjCreate("AccessControlEntry") $oAD_ACE3.Trustee = $sAD_User $oAD_ACE3.AccessMask = $ADS_RIGHT_DS_CONTROL_ACCESS $oAD_ACE3.AceFlags = 0 $oAD_ACE3.AceType = $ADS_ACETYPE_ACCESS_ALLOWED_OBJECT $oAD_ACE3.Flags = $ADS_FLAG_OBJECT_TYPE_PRESENT $oAD_ACE3.ObjectType = $RECEIVE_AS Local $oAD_ACE4 = ObjCreate("AccessControlEntry") $oAD_ACE4.Trustee = $sAD_User $oAD_ACE4.AccessMask = $ADS_RIGHT_DS_CONTROL_ACCESS $oAD_ACE4.AceFlags = 0 $oAD_ACE4.AceType = $ADS_ACETYPE_ACCESS_ALLOWED_OBJECT $oAD_ACE4.Flags = $ADS_FLAG_OBJECT_TYPE_PRESENT $oAD_ACE4.ObjectType = $SEND_AS Local $oAD_ACE5 = ObjCreate("AccessControlEntry") $oAD_ACE5.Trustee = $sAD_User $oAD_ACE5.AccessMask = $ADS_RIGHT_DS_CONTROL_ACCESS $oAD_ACE5.AceFlags = 0 $oAD_ACE5.AceType = $ADS_ACETYPE_ACCESS_ALLOWED_OBJECT $oAD_ACE5.Flags = $ADS_FLAG_OBJECT_TYPE_PRESENT $oAD_ACE5.ObjectType = $USER_CHANGE_PASSWORD Local $oAD_ACE6 = ObjCreate("AccessControlEntry") $oAD_ACE6.Trustee = $sAD_User $oAD_ACE6.AccessMask = $ADS_RIGHT_DS_CONTROL_ACCESS $oAD_ACE6.AceFlags = 0 $oAD_ACE6.AceType = $ADS_ACETYPE_ACCESS_ALLOWED_OBJECT $oAD_ACE6.Flags = $ADS_FLAG_OBJECT_TYPE_PRESENT $oAD_ACE6.ObjectType = $USER_FORCE_CHANGE_PASSWORD Local $oAD_ACE7 = ObjCreate("AccessControlEntry") $oAD_ACE7.Trustee = $sAD_User $oAD_ACE7.AccessMask = $ADS_RIGHT_DS_WRITE_PROP $oAD_ACE7.AceFlags = 0 $oAD_ACE7.AceType = $ADS_ACETYPE_ACCESS_ALLOWED_OBJECT $oAD_ACE7.Flags = $ADS_FLAG_OBJECT_TYPE_PRESENT $oAD_ACE7.ObjectType = $USER_ACCOUNT_RESTRICTIONS Local $oAD_ACE8 = ObjCreate("AccessControlEntry") $oAD_ACE8.Trustee = $sAD_User $oAD_ACE8.AccessMask = $ADS_RIGHT_DS_SELF $oAD_ACE8.AceFlags = 0 $oAD_ACE8.AceType = $ADS_ACETYPE_ACCESS_ALLOWED_OBJECT $oAD_ACE8.Flags = $ADS_FLAG_OBJECT_TYPE_PRESENT $oAD_ACE8.ObjectType = $VALIDATED_DNS_HOST_NAME Local $oAD_ACE9 = ObjCreate("AccessControlEntry") $oAD_ACE9.Trustee = $sAD_User $oAD_ACE9.AccessMask = $ADS_RIGHT_DS_SELF $oAD_ACE9.AceFlags = 0 $oAD_ACE9.AceType = $ADS_ACETYPE_ACCESS_ALLOWED_OBJECT $oAD_ACE9.Flags = $ADS_FLAG_OBJECT_TYPE_PRESENT $oAD_ACE9.ObjectType = $VALIDATED_SPN $oAD_DACL.AddAce($oAD_ACE1) $oAD_DACL.AddAce($oAD_ACE2) $oAD_DACL.AddAce($oAD_ACE3) $oAD_DACL.AddAce($oAD_ACE4) $oAD_DACL.AddAce($oAD_ACE5) $oAD_DACL.AddAce($oAD_ACE6) $oAD_DACL.AddAce($oAD_ACE7) $oAD_DACL.AddAce($oAD_ACE8) $oAD_DACL.AddAce($oAD_ACE9) $oAD_SD.DiscretionaryAcl = $oAD_DACL $oAD_Computer.Put("ntSecurityDescriptor", $oAD_SD) $oAD_Computer.SetInfo If @error <> 0 Then Return SetError(@error, 0, 0) Return 1 EndFunc ;==>_AD_CreateComputer ; #FUNCTION# ==================================================================================================================== ; Name...........: _AD_ModifyAttribute ; Description ...: Modifies an attribute of the given object to the value specified. ; Syntax.........: _AD_ModifyAttribute($sAD_Object, $sAD_Attribute[, $sAD_Value = ""[, $iAD_Option = 1]]) ; Parameters ....: $sAD_Object - Object (user, group ...) to add/delete/modify an attribute (sAMAccountName or FQDN) ; $sAD_Attribute - Attribute to add/delete/modify ; $sAD_Value - Optional: Value to modify the attribute to. Use a blank string ("") to delete the attribute (default). ; +$sAD_Value can be a single value (as a string) or a multi-value (as a one-dimensional array) ; $iAD_Option - Optional: Indicates the mode of modification: Append, Replace, Remove, and Delete ; |1 - CLEAR: remove all the property value(s) from the object (default) ; |2 - UPDATE: replace the current value(s) with the specified value(s) ; |3 - APPEND: append the specified value(s) to the existing values(s) ; |4 - DELETE: delete the specified value(s) from the object ; Return values .: Success - 1 ; Failure - 0, sets @error to: ; |1 - $sAD_Object does not exist ; |x - Error returned by SetInfo function (Missing permission etc.) ; Author ........: Jonathan Clelland ; Modified.......: water ; Remarks .......: ; Related .......: _AD_GetObjectAttribute, _AD_GetObjectProperties ; Link ..........: http://msdn.microsoft.com/en-us/library/aa746353(VS.85).aspx (ADS_PROPERTY_OPERATION_ENUM Enumeration) ; Example .......: Yes ; =============================================================================================================================== Func _AD_ModifyAttribute($sAD_Object, $sAD_Attribute, $sAD_Value = "", $iAD_Option = 1) If Not _AD_ObjectExists($sAD_Object) Then Return SetError(1, 0, 0) Local $sAD_Property = "sAMAccountName" If StringMid($sAD_Object, 3, 1) = "=" Then $sAD_Property = "distinguishedName"; FQDN provided $oAD_Command.CommandText = ";(" & $sAD_Property & "=" & $sAD_Object & ");ADsPath;subtree" Local $oAD_RecordSet = $oAD_Command.Execute ; Retrieve the ADsPath for the object Local $sAD_LDAPEntry = $oAD_RecordSet.fields(0).value Local $oAD_Object = _AD_ObjGet($sAD_LDAPEntry) ; Retrieve the COM Object for the object $oAD_Object.GetInfo If $sAD_Value = "" Then $oAD_Object.PutEx(1, $sAD_Attribute, 0) ; CLEAR: remove all the property value(s) from the object ElseIf $iAD_Option = 3 Then $oAD_Object.PutEx(3, $sAD_Attribute, $sAD_Value) ; APPEND: append the specified value(s) to the existing values(s) ElseIf IsArray($sAD_Value) Then $oAD_Object.PutEx(2, $sAD_Attribute, $sAD_Value) ; UPDATE: replace the current value(s) with the specified value(s) Else $oAD_Object.Put($sAD_Attribute, $sAD_Value) ; sets the value(s) of an attribute EndIf $oAD_Object.SetInfo If @error <> 0 Then Return SetError(@error, 0, 0) Return 1 EndFunc ;==>_AD_ModifyAttribute ; #FUNCTION# ==================================================================================================================== ; Name...........: _AD_RenameObject ; Description ...: Renames an object within an OU. ; Syntax.........: _AD_RenameObject($sAD_Object, $sAD_CN) ; Parameters ....: $sAD_Object - Object (user, group, computer) to rename (FQDN or sAMAccountName) ; $sAD_CN - New Name (relative name) of the object in the current OU without CN= ; Return values .: Success - 1 ; Failure - 0, sets @error to: ; |1 - $sAD_Object does not exist ; |x - Error returned by MoveHere function (Missing permission etc.) ; Author ........: Jonathan Clelland ; Modified.......: water ; Remarks .......: Renames an object within the same OU. You can not move objects to another OU with this function. ; Related .......: _AD_MoveObject, _AD_DeleteObject ; Link ..........: http://msdn.microsoft.com/en-us/library/aa705991(v=VS.85).aspx ; Example .......: Yes ; =============================================================================================================================== Func _AD_RenameObject($sAD_Object, $sAD_CN) If Not _AD_ObjectExists($sAD_Object) Then Return SetError(1, 0, 0) If StringMid($sAD_Object, 3, 1) <> "=" Then $sAD_Object = _AD_SamAccountNameToFQDN($sAD_Object) ; sAMAccountName provided Local $oAD_Object = _AD_ObjGet("LDAP://" & $sAD_HostServer & "/" & $sAD_Object) Local $oAD_OU = _AD_ObjGet($oAD_Object.Parent) ; Get the object of the OU/CN where the object resides $sAD_CN = "CN=" & _AD_FixSpecialChars($sAD_CN) ; escape all special characters $oAD_OU.MoveHere("LDAP://" & $sAD_HostServer & "/" & $sAD_Object, $sAD_CN) If @error <> 0 Then Return SetError(@error, 0, 0) Return 1 EndFunc ;==>_AD_RenameObject ; #FUNCTION# ==================================================================================================================== ; Name...........: _AD_MoveObject ; Description ...: Moves an object to another OU. ; Syntax.........: _AD_MoveObject($sAD_OU, $sAD_Object[, $sAD_DisplayName = ""]) ; Parameters ....: $sAD_OU - Target OU for the object move (FQDN) ; $sAD_Object - Object (user, group, computer) to move (FQDN or sAMAccountName) ; $sAD_CN - Optional: New Name of the object in the target OU. Common Name or RDN (Relative Distinguished Name) like "Lastname Firstname" without leading "CN=" ; Return values .: Success - 1 ; Failure - 0, sets @error to: ; |1 - $sAD_OU does not exist ; |2 - $sAD_Object does not exist ; |3 - Object already exists in the target OU ; |x - Error returned by MoveHere function (Missing permission etc.) ; Author ........: water ; Modified.......: ; Remarks .......: You must escape commas in $sAD_Object with a backslash. E.g. "CN=Lastname\, Firstname,OU=..." ; Related .......: _AD_RenameObject, _AD_DeleteObject ; Link ..........: http://msdn.microsoft.com/en-us/library/aa705991(v=VS.85).aspx ; Example .......: Yes ; =============================================================================================================================== Func _AD_MoveObject($sAD_OU, $sAD_Object, $sAD_CN = "") If Not _AD_ObjectExists($sAD_OU, "distinguishedName") Then Return SetError(1, 0, 0) If Not _AD_ObjectExists($sAD_Object) Then Return SetError(2, 0, 0) If StringMid($sAD_Object, 3, 1) <> "=" Then $sAD_Object = _AD_SamAccountNameToFQDN($sAD_Object) ; sAMAccountName provided If $sAD_CN = "" Then $sAD_CN = "CN=" & _AD_GetObjectAttribute($sAD_Object, "cn") Else $sAD_CN = "CN=" & _AD_FixSpecialChars($sAD_CN) ; escape all special characters EndIf If _AD_ObjectExists($sAD_CN & "," & $sAD_OU, "distinguishedName") Then Return SetError(3, 0, 0) Local $oAD_OU = _AD_ObjGet("LDAP://" & $sAD_HostServer & "/" & $sAD_OU) ; Pointer to the destination container $oAD_OU.MoveHere("LDAP://" & $sAD_HostServer & "/" & $sAD_Object, $sAD_CN) If @error <> 0 Then Return SetError(@error, 0, 0) Return 1 EndFunc ;==>_AD_MoveObject ; #FUNCTION# ==================================================================================================================== ; Name...........: _AD_DeleteObject ; Description ...: Deletes the specified object. ; Syntax.........: _AD_DeleteObject($sAD_Object, $sAD_Class) ; Parameters ....: $sAD_Object - Object (user, group, computer) to delete (FQDN or sAMAccountName) ; $sAD_Class - The schema class object to delete ("user", "computer", "group", "contact" etc). Can be derived using _AD_GetObjectClass(). ; Return values .: Success - 1 ; Failure - 0, sets @error to: ; |1 - $sAD_Object does not exist ; |x - Error returned by Delete function (Missing permission etc.) ; Author ........: Jonathan Clelland ; Modified.......: water ; Remarks .......: ; Related .......: _AD_RenameObject, _AD_MoveObject ; Link ..........: http://msdn.microsoft.com/en-us/library/aa705988(v=VS.85).aspx ; Example .......: Yes ; =============================================================================================================================== Func _AD_DeleteObject($sAD_Object, $sAD_Class) If Not _AD_ObjectExists($sAD_Object) Then Return SetError(1, 0, 0) If StringMid($sAD_Object, 3, 1) <> "=" Then $sAD_Object = _AD_SamAccountNameToFQDN($sAD_Object) ; sAMAccountName provided Local $oAD_Object = _AD_ObjGet("LDAP://" & $sAD_HostServer & "/" & $sAD_Object) Local $oAD_OU = _AD_ObjGet($oAD_Object.Parent) ; Get the object of the OU/CN where the object resides Local $sAD_CN = "CN=" & _AD_GetObjectAttribute($sAD_Object, "cn") $oAD_OU.Delete($sAD_Class, $sAD_CN) If @error <> 0 Then Return SetError(@error, 0, 0) Return 1 EndFunc ;==>_AD_DeleteObject ; #FUNCTION# ==================================================================================================================== ; Name...........: _AD_SetAccountExpire ; Description ...: Modifies the specified user or computer account expiration date/time or sets the account to never expire. ; Syntax.........: _AD_SetAccountExpire($sAD_Object, $sAD_DateTime) ; Parameters ....: $sAD_Object - User or computer account to set expiration date/time (sAMAccountName or FQDN) ; $sAD_DateTime - Expiration date/time in format: yyyy-mm-dd hh:mm:ss (local time) or "01/01/1970" to never expire ; Return values .: Success - 1 ; Failure - 0, sets @error to: ; |1 - $sAD_Object does not exist ; |x - Error returned by SetInfo function (Missing permission etc.) ; Author ........: KenE ; Modified.......: water ; Remarks .......: Use the following syntax for the date/time: ; 01/01/1970 = never expire ; yyyy-mm-dd hh:mm:ss= "international format" - always works ; xx/xx/xx