Decrypt my World : ADSI

How to get LastLogon property for all users in a Domain (VBScript)

alejacma — Thu, 12 Mar 2009 13:05:00 GMT

Hi all,

The following VBScript sample retrieves all users in Active Directory that haven't ever logged on the domain, or haven't logged on for at least maxDays (an argument passed to the script):

On Error Resume Next

' Constants
'
Const ONE_HUNDRED_NANOSECOND = .000000100
Const SECONDS_IN_DAY = 86400

' Get Max Days as an argument passed to the script
'
If Not Wscript.Arguments.Count() = 1 Then
  Wscript.Echo "Syntax error, argument required"
  Wscript.Quit
End If

maxDays = CInt(Wscript.Arguments(0))

' Create the log file
'
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objLogFile = objFSO.CreateTextFile(GetPath() & "log.txt", 8, true)

' Get the root of the domain
'
Set objRoot = Getobject("LDAP://RootDSE")
strRoot = objRoot.Get("defaultnamingcontext")
Set objRoot = Nothing

' Create connection
'
Set objConnection = CreateObject("ADODB.Connection")
objConnection.Open "Provider=ADsDSOObject;"

' Create command
'
Set objCommand = CreateObject("ADODB.Command")
objCommand.ActiveConnection = objConnection
objCommand.Properties("Page Size") = 1000

' Execute command to get all DCs in the domain
'
objCommand.CommandText = "<LDAP://OU=Domain Controllers," & strRoot & ">;(objectcategory=computer);name;onelevel"
Set objRecordSet = objCommand.Execute

'LogData("INFO: There are " & objRecordSet.RecordCount & " Domain Controllers.")

' Execute command to get all users in the domain
'
objCommand.CommandText = "<LDAP://" & strRoot & ">;(&(objectclass=user)(objectcategory=person));adspath,distinguishedname,sAMAccountName;subtree"
Set objRecordSet2 = objCommand.Execute

'LogData("INFO: There are " & objRecordSet2.RecordCount & " users.")

' Get the LastLogon for each user in each DC
'
Do Until objRecordSet2.EOF

  ' Get the LastLogon for one user in each DC, and get the maximum
  '
  objRecordSet.MoveFirst
  maxDate = 0
  Do Until objRecordSet.EOF

    ' Execute command to get LastLogon for the user in one DC
    '
    LdapPath = "LDAP://" & objRecordSet.Fields("name").Value & "/" & Replace(objRecordSet2.Fields("distinguishedname").Value, "/", "\/")
    set objUser = GetObject(LdapPath)

    ' Check for errors executing the command
    '
    if Err.Number <> 0 Then
      ' Error
      '
      LogData("INFO: LDAP Path = " & LdapPath)
      Select Case Err.Number
        Case &H8007203A
          Err.Description = """The server is not operational"""
        Case &H80005000
          Err.Description = """An invalid ADSI pathname was passed"""
        Case Else
          Err.Description = ""
      End Select 
      LogData("ERROR: " & Err.Number & " " & Err.Description)
    Else
      ' No error
      '
      ' Get the LastLogon
      '
      set objLastLogon = objUser.LastLogon
      myDate = 0
      If Not(IsNull(objLastLogon) Or IsEmpty(objLastLogon)) Then
        myDate = MakeDate(objLastLogon)
      End If

      ' See if it's the maximum
      '
      If myDate > maxDate Then
        maxDate = myDate
      End If

    End If

    ' Move on to the next DC
    '
    Err.Clear
    set objUser = nothing
    set objLastLogon = nothing
    objRecordSet.MoveNext

  Loop

  ' Show the maximum LastLogon for the user
  '
  If maxDate = 0 Then
    LogData("INFO: User """ & objRecordSet2.Fields("sAMAccountName").Value & """ never logged on.")
  ElseIf (Date() - maxDate) > maxDays Then 
    LogData("INFO: User """ & objRecordSet2.Fields("sAMAccountName").Value & """ logged on " & maxDate)
  End If

  ' Move on to the next user
  '
  objRecordSet2.MoveNext

Loop


' Close everything
'
objRecordSet.Close
Set objRecordSet = Nothing
objRecordSet2.Close
Set objRecordSet2 = Nothing
Set objCommand = Nothing
objConnection.Close
Set objConnection = Nothing

' We are done!
'
Wscript.Echo "All Done!"


'================================================================
' HELPER FUNCTIONS
'================================================================

' Get script's path
'
Function GetPath()

  Dim path
  path = WScript.ScriptFullName
  GetPath = Left(path, InStrRev(path, "\"))

End Function


' Write data to log file
'
Sub LogData(data)

  objLogFile.writeline Now() & ", " & data

End Sub


' Convert long integer to a date
'
Function MakeDate(oLInt)

  Set objShell = CreateObject("Wscript.Shell")

  lngBiasKey = objShell.RegRead("HKLM\System\CurrentControlSet\Control\TimeZoneInformation\ActiveTimeBias")

  If UCase(TypeName(lngBiasKey)) = "LONG" Then
    glngBias = lngBiasKey

  ElseIf UCase(TypeName(lngBiasKey)) = "VARIANT()" Then
    glngBias = 0

    For k = 0 To UBound(lngBiasKey)
      glngBias = lngBias + (lngBiasKey(k) * 256^k)
    Next
  End If 

  dtmDate = #1/1/1601# + (((oLInt.HighPart * (2 ^ 32)) + oLInt.LowPart) / 600000000 - glngBias) / 1440

  MakeDate = dtmDate

End Function

I hope this helps.

Regards,

Alex (Alejandro Campos Magencio)

How to get more than 1000 group members including foreign SAMs (VBScript)

alejacma — Tue, 05 Aug 2008 10:21:00 GMT

Hi all,

We may have a group in our Active Directory with members from a foreign domain. We may try to retrieve all those members with ADSI and a code like this: Using IADs::GetInfoEx for Range Retrieval. The issue with this code is that we will only be able to see the SID of foreign principals (i.e. CN=S-1-5-21-1234567890...-123,CN=ForeignSecurityPrincipals,DC=domain,DC=com), which may not be very useful for us.

The following sample (based on above Range Retrieval sample) will retrieve all members in a group (including foreign principals) and show their sAMAccountName:

' PARAMETERS.
'
strFileName = "c:\List.txt"
strGroupDN = "CN=groupName,CN=Users,DC=domainName,DC=com"

' Bind to the group with the current credentials.
'
Set oGroup = GetObject("LDAP://" & strGroupDN)

' Create file for results.
'
Set fs = CreateObject("Scripting.FileSystemObject")
Set usersFile = fs.CreateTextFile(strFileName, True)

' For compatibility with all operating systems, the number of objects
' retrieved by each query should not exceed 999. The number of objects
' to retrieve should be as close as possible to 999 to reduce the number
' of round trips to the server necessary to retrieve the objects.
rangeStep = 999
lowRange = 0
highRange = lowRange + rangeStep

Do
  ' Use the "member;range=<lowRange>-<highRange>" syntax.
  '
  strCommandText = "member;range=" & lowRange & "-" & highRange
  usersFile.WriteLine(vbCrLf & "Current search command: " & _
  strCommandText & vbCrLf)

  ' Load the specified range of members into the local cache. This 
  ' will throw an error if the range exceeds the properties contained 
  ' in the object. The "On Error GoTo quit" error handler will cause 
  ' the loop to terminate when this happens.
  '
  On Error Resume Next
  oGroup.GetInfoEx Array(strCommandText), 0
  If Err.Number = &H80072020 Then
    Exit Do
  End If
  On Error Goto 0

  ' Enumerate the retrieved members.
  '
  oMembers = oGroup.Get("member")
  If vbArray And VarType(oMembers) Then
    For Each oMember In oMembers
      ' Add the member.
      '            
      Set oUser = GetObject("LDAP://" & oMember)            
      If (oUser.Class = "foreignSecurityPrincipal") Then

        usersFile.WriteLine(GetForeignSAM(oUser))
      Else
        usersFile.WriteLine(oUser.sAMAccountName)
      End If 
      nRetrieved = nRetrieved + 1
    Next
  Else
    ' oGroup.Get returned only one member, so add it to the list.
    '
    Set oUser = GetObject("LDAP://" & oMembers)            
    If (oUser.Class = "foreignSecurityPrincipal") Then

      usersFile.WriteLine(GetForeignSAM(oUser))
    Else
      usersFile.WriteLine(oUser.sAMAccountName)
    End If 

    nRetrieved = nRetrieved + 1
  End If

  ' Increment the high and low ranges to query for the next block of 
  ' objects.
  '
  lowRange = highRange + 1
  highRange = lowRange + rangeStep
Loop While True

MsgBox "File """ & strFileName &  """ created"


'-----------------------------------------------------------------------
' HELPER FUNCTIONS
'-----------------------------------------------------------------------
function GetForeignSAM (oUser)
  ' CONSTANTS.
  '
  ADS_SID_RAW = 0
  ADS_SID_HEXSTRING = ADS_SID_RAW + 1
  ADS_SID_SAM = ADS_SID_HEXSTRING + 1
  ADS_SID_UPN = ADS_SID_SAM + 1
  ADS_SID_SDDL = ADS_SID_UPN + 1
  ADS_SID_WINNT_PATH = ADS_SID_SDDL + 1

  ' Get the SID
  '

  ' Now, resolve the SID into its sAMAcountName.
  '
  set oADsSID = CreateObject("ADsSID")
  oADsSID.SetAs ADS_SID_RAW, oUser.Get("objectSid")

  ' Requesting the Sam Account Name
  '
  GetForeignSAM = oADsSID.GetAs(ADS_SID_SAM)	

end function

Note: ADsSID object is implemented in ADsSecurity.dll.

I hope this helps.

Regards,

Alex (Alejandro Campos Magencio)

System.DirectoryServices.DirectorySynchronization returns access denied with non-admin users

alejacma — Fri, 20 Jun 2008 10:46:00 GMT

Hi all,

You may get an Access Denied error (COMException 0x80070005) when using System.DirectoryServices.DirectorySynchronization in your .NET application with a non-admin user, but everything works fine with a domain administrator.

This issue will happen if we use DirectorySynchronization this way:

DirectorySearcher directorySearcher = new DirectorySearcher(rootPath);
directorySearcher.DirectorySynchronization = new DirectorySynchronization();

If we want to run this code as it is, we need to pass administrative credentials. If we are using standard user credentials we need to pass the right Flag saying that this is a normal user who do not have all the rights over Active Directory.

To understand this in detail please see this article which talks about the flags we can pass to DirectorySynchronization constructor:

DirectorySynchronizationOptions Enumeration

"
- ObjectSecurity: If this flag is not present, the caller must have the right to replicate changes. If this flag is present, the caller requires no rights, but is allowed to see only objects and attributes that are accessible to the caller.
"

So modify your code to use DirectorySynchronization in this way:

directorySearcher.DirectorySynchronization = new DirectorySynchronization(DirectorySynchronization.ObjectSecurity);

Code should not fail with Access Denied error anymore. Now a standard user will have access to all the objects that she usually has access to.

I hope this helps.

Regards,

Alex (Alejandro Campos Magencio)

ChangePassword method may fail with TargetInvocationException (.NET)

alejacma — Tue, 29 Apr 2008 11:03:00 GMT

Hi all, welcome back,

When working with System.DirectoryServices.DirectoryEntry in .NET, we may change the password of the user with a code like the following (C#):

user.Invoke("ChangePassword", new object[] { oldPassword, newPassword }

But invoking ChangePassword may fail with the following System.Reflection.TargetInvocationException:

"Exception has been thrown by the target of an invocation"

This error is not very descriptive, I know. I've seen several causes for this error in the past:

1) Any of the passwords is incorrect.

2) The new password doesn't meet the domain complexity requirements.

3) Minimum Password Age is > 0.

4) WinNT provider is used instead of LDAP.

By using InnerException.ToString() from the TargetInvocationException we may get a more descriptive error message. We could even see the HResult value associated to the exception. But this property is protected, so we could try to parse it from the error message string, with a code like this:

string errorMessage;
Int32 errorCode = 0;
try
{
    ...
}
catch (TargetInvocationException e)
{
    errorMessage = e.InnerException.ToString();
    try
    {
        string HResult = errorMessage.Substring(errorMessage.IndexOf("0x") + 2, 8);
        errorCode = Int32.Parse(HResult, System.Globalization.NumberStyles.HexNumber);
    }
    catch
    {
        errorCode = -1;
    }
}

I hope this helps.

Cheers,

Alex (Alejandro Campos Magencio)

How to get a list of all users in an OU (VBScript)

alejacma — Wed, 23 Apr 2008 18:44:00 GMT

Hi all, welcome back,

Today I'll post a very straight forward sample which gets a list of all users in an Organizational Unit (OU) in Active Directory (AD) using VBScript:

' Get OU
'
strOU = "OU=Users,DC=domain,DC=com"

' Create connection to AD
'
Set objConnection = CreateObject("ADODB.Connection")
objConnection.Open "Provider=ADsDSOObject;"

' Create command
'
Set objCommand = CreateObject("ADODB.Command")
objCommand.ActiveConnection = objConnection
objCommand.Properties("Page Size") = 1000

' Execute command to get all users in OU
'
objCommand.CommandText = _
  "<LDAP://" & strOU & ">;" & _
  "(&(objectclass=user)(objectcategory=person));" & _
  "adspath,distinguishedname,sAMAccountName;subtree"
Set objRecordSet = objCommand.Execute

' Show info for each user in OU
'
Do Until objRecordSet.EOF

  ' Show required info for a user
  '  
  WScript.Echo objRecordSet.Fields("adspath").Value
  WScript.Echo objRecordSet.Fields("distinguishedname").Value
  WScript.Echo objRecordSet.Fields("sAMAccountName").Value

  ' Move to the next user
  '
  objRecordSet.MoveNext

Loop

' Clean up
'
objRecordSet.Close
Set objRecordSet = Nothing
Set objCommand = Nothing
objConnection.Close
Set objConnection = Nothing

I hope this helps.

Regards,

Alex (Alejandro Campos Magencio)

How to get ADs Providers list (C#)

alejacma — Tue, 25 Mar 2008 19:30:00 GMT

Hi, welcome back,

We may want to get the list of Active Directory Providers ("LDAP:", "WinNT:", "IIS:"...) with .NET the same way we do it with this VBScript:

Set ads = GetObject("ADs:")
For Each provider In ads
    Wscript.Echo provider.Name
Next

The information we need is here in the registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ADs\Providers. So the following sample code will get the info we need:

using Microsoft.Win32;

...

    // Get the HKLM registry key
    RegistryKey RegKey = Registry.LocalMachine;

    // Open the sub-key which contains all the providers
    RegistryKey ProviderKey = RegKey.OpenSubKey(@"Software\Microsoft\ADs\Providers");

    // Get the list of the sub-keys
    string[] SubKeys = ProviderKey.GetSubKeyNames();

    // Create the string array which will hold the provider list
    string[] ListOfProviders = new string[SubKeys.Length];

    // Now add all providers to the array
    for (int Count = 0; Count < SubKeys.Length; Count++)
    {
        ListOfProviders[Count] = SubKeys[Count] + ":";
    }

    // Show the list of providers
    foreach (string providerName in ListOfProviders)
    {
        MessageBox.Show(providerName);
    }
...

I hope this helps.

Cheers,

Alex (Alejandro Campos Magencio)