Indented! » VbScript

Building LDAP filters for date based attributes

Chris — Thu, 27 Aug 2009 10:33:34 +0000

Active Directory contains a number of attributes which hold date information. This article shows how to generate LDAP Filters for these attributes in both VbScript and PowerShell.

Date attributes

This LDAP Filter format can be used for the following attributes:

createTimeStamp
dsCorePropagationData
expirationTime
modifyTimeStamp
whenChanged
whenCreated

VbScript

' The date the filter is supposed to find
dtmDate = Now() - 1

arrDateParts = Array("yyyy", "m", "d", "h", "n", "s")

For Each strInterval in arrDateParts
  intDatePart = DatePart(strInterval, dtmDate)
  If intDatePart < 10 Then
    strDateTime = strDateTime & "0" & intDatePart
  Else
    strDateTime = strDateTime & intDatePart
  End If
Next
strDateTime = strDateTime & ".0Z"

' WhenCreated is after strDateTime. i.e. objects created since strDateTime.
WScript.Echo "(whenCreated>=" & strDateTime & ")"

This will produce a filter like “(whenCreated>=20090826110816.0Z)”. Accuracy is based on the source date, using Date() instead of Now() would result in accuracy to a day (e.g. “(whenCreated>=20090826000000.0Z)”).

PowerShell

# Convert yesterday to a Universal date-time string
$DateString = (Get-Date).AddDays(-1).ToString("u") -Replace "-|:|\s"
$DateString = $DateString -Replace "Z", ".0Z"

Write-Host "(whenCreated>=$DateString)"

As with the VbScript version this returns a string accurate to seconds. Accuracy can be modified by using (Get-Date).Date.AddDays(-1).

Interger8 attributes

An Interger8 date is represented by the number of 100-nanosecond intervals since the Microsoft epoch (01/01/1601 00:00:00). This format applies to the following attributes:

accountExpires
badPasswordTime
lastLogon
lastLogonTimeStamp
lockoutTime
pwdLastSet

Note that lastLogoff also uses this format but the value for the attribute is not maintained by Active Directory.

VbScript

' The number of days to remove from the current date
Const DAYS_TO_REMOVE = 1

dblInt8 = CDbl(DateDiff("s", CDate("01/01/1601 00:00:00"), Now - DAYS_TO_REMOVE))
' Earlier than the current date. i.e. Passwords set before the generated date
WScript.Echo "(&(pwdLastSet<=" & CStr(dblInt8) & "0000000)(!pwdLastSet=0))"

This produces a filter like “(&(pwdLastSet<=128957595350000000)(!pwdLastSet=0))". As with the previous filter this is accurate to seconds, that can be modified by changing the source date in the same way as before.

PowerShell

$DaysToRemove = 1
$Int8Date = [Math]::Round(( `
  New-TimeSpan $(Get-Date("01/01/1601 00:00:00")) `
  ((Get-Date).AddDays(-$DaysToRemove))).TotalSeconds, 0)

$Int8Date = "$($Int8Date.ToString())0000000"

$LdapFilter = "(&(pwdLastSet<=$Int8Date)(!pwdLastSet=0))"

accountExpires

Certain attributes, such as accountExpires, have default values that can make filtering using a date string difficult.

The following LDAP filter can be used to return all accounts that are set to expire.

"(accountExpires<=9223372032559810000)(!accountExpires=0))"

Where 9223372032559810000 is the default attribute value in most cases, and 0 is the default in the rest.

accountExpires exhibits inconsistent behaviour depending on how it is accessed. If using iADSUser.AccountExpirationDate an account that does not expire is denoted by the date “01/01/1970 00:00:00″. This epoch date differs from the epoch used with the underlying attribute, “01/01/1601 00:00:00″.

No related posts.

Related posts brought to you by Yet Another Related Posts Plugin.

Listing Trusts

Chris — Thu, 27 Aug 2009 10:01:11 +0000

A script to enumerate trust information from an Active Directory forest.

Const ADS_SCOPE_SUBTREE = 2

' Trust Type
' http://msdn.microsoft.com/en-us/library/cc223771(PROT.10).aspx
Dim objTrustTypes
Set objTrustTypes = CreateObject("Scripting.Dictionary")
objTrustTypes.Add 4, "DCE"
objTrustTypes.Add 3, "MIT"
objTrustTypes.Add 2, "UpLevel"
objTrustTypes.Add 1, "DownLevel"

' Trust Attributes
' http://msdn.microsoft.com/en-us/library/cc223779(PROT.10).aspx
Dim objTrustAttributes
Set objTrustAttributes = CreateObject("Scripting.Dictionary")
objTrustAttributes.Add 128, "UsesRC4Encryption"
objTrustAttributes.Add 64, "TreatAsExternal"
objTrustAttributes.Add 32, "WithinForest"
objTrustAttributes.Add 16, "CrossOrganisation"
objTrustAttributes.Add 8, "ForestTransitive"
objTrustAttributes.Add 4, "QuarantinedDomain"
objTrustAttributes.Add 2, "UpLevelOnly"
objTrustAttributes.Add 1, "NonTransitive"

' Trust Direction
' http://msdn.microsoft.com/en-us/library/cc223768(PROT.10).aspx
Dim objTrustDirection
Set objTrustDirection = CreateObject("Scripting.Dictionary")
objTrustDirection.Add 3, "BiDirectional"
objTrustDirection.Add 2, "Outbound"
objTrustDirection.Add 1, "Inbound"
objTrustDirection.Add 0, "Disabled"

Dim objConnection : Set objConnection = CreateObject("ADODB.Connection")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"

Dim objCommand : Set objCommand = CreateObject("ADODB.Command")
objCommand.ActiveConnection = objConnection

Dim objRootDSE : Set objRootDSE = GetObject("LDAP://RootDSE")
objCommand.CommandText = "SELECT distinguishedName, name, trustType, " & _
  "trustAttributes, trustDirection, trustPartner, whenCreated " & _
  "FROM 'GC://" & objRootDSE.Get("rootDomainNamingContext") & _
  "' WHERE objectClass='trustedDomain'"

objCommand.Properties("Page Size") = 1000
objCommand.Properties("Timeout") = 600
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
objCommand.Properties("Cache Results") = False

Dim objRecordSet : Set objRecordSet = objCommand.Execute

While Not objRecordSet.EOF
  WScript.Echo "Trusted Domain: " & objRecordSet.Fields("name").Value
  WScript.Echo "Trust Type: " & _
    objTrustTypes(objRecordSet.Fields("trustType").Value)

  Dim dblFlag
  Dim strFlags : strFlags = ""
  For Each dblFlag in objTrustAttributes
    If objRecordSet.Fields("trustAttributes").Value And dblFlag Then
      strFlags = strFlags & objTrustAttributes(dblFlag) & " "
    End If
  Next
  WScript.Echo "Trust Attributes: " & strFlags

  WScript.Echo "Trust Direction: " & _
    objTrustDirection(objRecordSet.Fields("trustDirection").Value)
  WScript.Echo "Trust Partner: " & objRecordSet.Fields("trustPartner").Value
  WScript.Echo "Distinguished Name: " & _
    objRecordSet.Fields("distinguishedName").Value
  WScript.Echo "Created: " & objRecordSet.Fields("whenCreated").Value

  objRecordSet.MoveNext
Wend

objConnection.Close

Usage example

In the past I have used the script above to monitor trust settings across a forest. The following script uses the trust information to build a text file storing trust configuration sends an e-mail if that configuration changes.

Option Explicit

' Script to get trusts, compare with stored configuration and notify if changed

Sub ShowUsage
  Dim strUsage
  strUsage = "Usage:" & vbCrLf & vbCrLf & _
    WScript.ScriptName & _
    " /Command:[Update | Notify] [/MailServer:] " & _
    "[/Recipient:]" & vbCrLf & vbCrLf & _
    "Arguments:" & vbCrLf & vbCrLf & _
    "    Command      Update - Updates the contents of the text " & _
    "file with data from the global catalog" & vbCrLf & _
    "                 Notify - Notifies the recipient using mailserver " & _
    "if the trust data changes" & vbCrLf & _
    "    MailServer   Server used to send mail. Default: localhost" & vbCrLf & _
    "    Recipient    Email address of person or group to notify" & vbCrLf

  WScript.Echo strUsage
  WScript.Quit
End Sub

Function GetTrusts
  ' Returns a Scripting.Dictionary object containing details of the Trust
  ' Format:
  ' Key: DistinguishedName
  ' Data: Array(
  '           Trusted Domain,
  '           Type,
  '           Attributes,
  '           Direction,
  '           Partner,
  '           Created,
  '           Changed )

  Const ADS_SCOPE_SUBTREE = 2

  ' Trust Type
  ' http://msdn.microsoft.com/en-us/library/cc223771(PROT.10).aspx
  Dim objTrustTypes
  Set objTrustTypes = CreateObject("Scripting.Dictionary")
  objTrustTypes.Add 4, "DCE"
  objTrustTypes.Add 3, "MIT"
  objTrustTypes.Add 2, "UpLevel"
  objTrustTypes.Add 1, "DownLevel"

  ' Trust Attributes
  ' http://msdn.microsoft.com/en-us/library/cc223779(PROT.10).aspx
  Dim objTrustAttributes
  Set objTrustAttributes = CreateObject("Scripting.Dictionary")
  objTrustAttributes.Add 128, "UsesRC4Encryption"
  objTrustAttributes.Add 64, "TreatAsExternal"
  objTrustAttributes.Add 32, "WithinForest"
  objTrustAttributes.Add 16, "CrossOrganisation"
  objTrustAttributes.Add 8, "ForestTransitive"
  objTrustAttributes.Add 4, "QuarantinedDomain"
  objTrustAttributes.Add 2, "UpLevelOnly"
  objTrustAttributes.Add 1, "NonTransitive"

  ' Trust Direction
  ' http://msdn.microsoft.com/en-us/library/cc223768(PROT.10).aspx
  Dim objTrustDirection
  Set objTrustDirection = CreateObject("Scripting.Dictionary")
  objTrustDirection.Add 3, "BiDirectional"
  objTrustDirection.Add 2, "Outbound"
  objTrustDirection.Add 1, "Inbound"
  objTrustDirection.Add 0, "Disabled"

  Dim objConnection : Set objConnection = CreateObject("ADODB.Connection")
  objConnection.Provider = "ADsDSOObject"
  objConnection.Open "Active Directory Provider"

  Dim objCommand : Set objCommand = CreateObject("ADODB.Command")
  objCommand.ActiveConnection = objConnection

  Dim objRootDSE : Set objRootDSE = GetObject("LDAP://RootDSE")
  objCommand.CommandText = "SELECT distinguishedName, name, " & _
    "trustType, trustAttributes, trustDirection, trustPartner, " & _
    "whenCreated, whenChanged " & _
    "FROM 'GC://" & objRootDSE.Get("rootDomainNamingContext") & _
    "' WHERE objectClass='trustedDomain'"

  objCommand.Properties("Page Size") = 1000
  objCommand.Properties("Timeout") = 600
  objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
  objCommand.Properties("Cache Results") = False

  Dim objRecordSet : Set objRecordSet = objCommand.Execute

  Dim objTrusts : Set objTrusts = CreateObject("Scripting.Dictionary")

  While Not objRecordSet.EOF
    Dim dblFlag
    Dim strAttributes : strAttributes = ""
    For Each dblFlag in objTrustAttributes
      If objRecordSet.Fields("trustAttributes").Value And dblFlag Then
        strAttributes = strAttributes & objTrustAttributes(dblFlag) & " "
      End If
    Next

    objTrusts.Add objRecordSet.Fields("distinguishedName").Valuem, Array( _
      objRecordSet.Fields("name").Value, _
      objTrustTypes(objRecordSet.Fields("trustType").Value), _
      strAttributes, _
      objTrustDirection(objRecordSet.Fields("trustDirection").Value), _
      objRecordSet.Fields("trustPartner").Value, _
      objRecordSet.Fields("whenCreated").Value, _
      objRecordSet.Fields("whenChanged").Value)

    objRecordSet.MoveNext
  Wend

  objConnection.Close

  Set objRecordSet = Nothing
  Set objCommand = Nothing
  Set objConnection = Nothing

  Set GetTrusts = objTrusts
End Function

Sub SendMail(strRecipient, strBody, strMailServer)

  Set objMail = CreateObject("CDO.Message")
  objMail.Subject = "Trust monitor"

  objMail.From = strRecipient
  objMail.To = strRecipient

  objMail.TextBody = strBody

  objMail.Configuration.Fields.Item _
    ("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2
  objMail.Configuration.Fields.Item _
    ("http://schemas.microsoft.com/cdo/configuration/smtpserver") = _
    strMailServer
  objMail.Configuration.Fields.Item _
    ("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = 25

  objMail.Configuration.Fields.Update
  objMail.Send
End Sub

'
' Main Code
'

Dim objFileSystem
Set objFileSystem = CreateObject("Scripting.FileSystemObject")
Dim objFile

Dim objTrusts : Set objTrusts = GetTrusts

If LCase(WScript.Arguments.Named("command")) = "update" Then
  Set objFile = objFileSystem.OpenTextFile("Trusts.txt", 2, True, 0)

  Dim strDN
  For Each strDN in objTrusts
    objFile.WriteLine strDN & vbTab & Join(objTrusts(strDN), vbTab)
  Next

ElseIf LCase(WScript.Arguments.Named("command")) = "notify" Then

  strRecipient = WScript.Arguments.Named("recipient")

  If strRecipient = "" Then
    WScript.Echo "ERROR: No recipient defined"
    ShowUsage
  End If

  strMailServer = WScript.Arguments.Named("mailserver")

  If strMailServer = "" Then
    strMailServer = "localhost"
  End If

  If objFileSystem.FileExists("Trusts.txt") Then
    Set objFile = objFileSystem.OpenTextFile("Trusts.txt", 1, False, 0)

    Dim objTrustsInFile
    Set objTrustsInFile = CreateObject("Scripting.Dictionary")

    Dim arrTrustData()
    Do While Not objFile.AtEndOfStream
      Dim arrTrustInFile : arrTrustInFile = Split(objFile.ReadLine, vbTab)

      ReDim arrTrustData(0)
      Dim i
      For i = 1 to UBound(arrTrustInFile)
        ReDim Preserve arrTrustData(i - 1)
        arrTrustData(i - 1) = arrTrustInFile(i)
      Next

      objTrustsInFile.Add arrTrustInFile(0), arrTrustData
    Loop
  End If

  Dim strTrust

  ' Comparison - Check for new Trusts

  Dim objNewTrusts : Set objNewTrusts = CreateObject("Scripting.Dictionary")

  For Each strTrust in objTrusts
    If Not objTrustsInFile.Exists(strTrust) Then
      objNewTrusts.Add strTrust, objTrusts(strTrust)
    End If
  Next

  ' Comparison - Check for removed Trusts

  Dim objRemovedTrusts
  Set objRemovedTrusts = CreateObject("Scripting.Dictionary")

  For Each strTrust in objTrustsInFile
    If Not objTrusts.Exists(strTrust) Then
      objRemovedTrusts.Add strTrust, objTrustsInFile(strTrust)
    End If
  Next

  ' Data: Array(
  '           Trusted Domain,
  '           Type,
  '           Attributes,
  '           Direction,
  '           Partner,
  '           Created,
  '           Changed )

  Dim strMessageBody
  Dim booNotify : booNotify = False
  If objNewTrusts.Count > 0 Then
    booNotify = True
    strMessageBody = "New Trusts:" & vbCrLf & vbCrLf
    For Each strTrust in objNewTrusts
      strMessageBody = strMessageBody & "DN: " & strTrust & vbCrLf & _
        "Trusted Domain: " & objNewTrusts(strTrust)(0) & vbCrLf & _
        "Type: " & objNewTrusts(strTrust)(1) & vbCrLf & _
        "Attributes: " & objNewTrusts(strTrust)(2) & vbCrLf & _
        "Direction: " & objNewTrusts(strTrust)(3) & vbCrLf & _
        "Partner: " & objNewTrusts(strTrust)(4) & vbCrLf & _
        "Created: " & objNewTrusts(strTrust)(5) & vbCrLf & _
        "Changed: " & objNewTrusts(strTrust)(6) & vbCrLf & vbCrLf
    Next
  End If
  If objRemovedTrusts.Count > 0 Then
    booNotify = True
    For Each strTrust in objRemovedTrusts
      strMessageBody = strMessageBody & "DN: " & strTrust & vbCrLf & _
        "Trusted Domain: " & objRemovedTrusts(strTrust)(0) & vbCrLf & _
        "Type: " & objRemovedTrusts(strTrust)(1) & vbCrLf & _
        "Attributes: " & objRemovedTrusts(strTrust)(2) & vbCrLf & _
        "Direction: " & objRemovedTrusts(strTrust)(3) & vbCrLf & _
        "Partner: " & objRemovedTrusts(strTrust)(4) & vbCrLf & _
        "Created: " & objRemovedTrusts(strTrust)(5) & vbCrLf & _
        "Changed: " & objRemovedTrusts(strTrust)(6) & vbCrLf & vbCrLf
    Next
  End If
  If booNotify = True Then
    strMessageBody = strMessageBody & _
      "If these trusts are correct please run " & _
      WScript.ScriptName & " /Command:Update"

    SendMail strRecipient, strMessageBody, strMailServer
  End If
Else

  ShowUsage

End If

No related posts.

Related posts brought to you by Yet Another Related Posts Plugin.

Reading NTFS and Share security with VbScript

Chris — Thu, 19 Feb 2009 17:25:25 +0000

NTFS (File System) and Share security can be enumerated using the Win32_LogicalFileSecuritySetting and Win32_LogicalShareSecuritySetting WMI classes. This post demonstrates how to use each class to read the security descriptors.

In each case the WMI class contains a GetSecurityDescriptor method used to retrieve the Security Descriptor (as a Win32_SecurityDescriptor).

The references section at the bottom of this article include details of sources for all constants. A little PowerShell creeps in to show how the numeric values were retrieved and checked.

DACLs and SACLs

A DACL or Discretionary Access Control List is the most heavily used, it contains Access Control Entries that define who can, and who cannot, access a resource or object. These are seen when viewing the Security tab of an object.

An SACL or System Access Control List defines which actions will be audited when accessing an a resource or object. Seen by accessing the Audit tab through Security and Advanced.

NTFS security vs Share security

Both the NTFS and the Share security descriptor can be read in exactly the same way. However, there are important differences between them.

NTFS security descriptor

Supports inheritance on descriptor and on individual Access Control Entries
Can hold a Discretionary Access Control List and an System Access Control List

Share security descriptor

Has no owner or Primary Group
Control flags will be set (and usually limited) to SelfRelative and DiscretionaryACLPresent
Access Control Entry (ACE) Flags will not be set
Can hold a Discretionary Access Control List only
Supports a sub-set of Access Masks (rights) on each ACE

Getting the security descriptor

NTFS

Dim strComputer : strComputer = "."
' Connect to WMI on strComputer
Dim objWMI : Set objWMI = GetObject("winmgmts://" & strComputer & "/root/cimv2")
' Get an instance of LogicalFileSecuritySetting for C:\
Dim objSecuritySettings : Set objSecuritySettings = _
  objWMI.Get("Win32_LogicalFileSecuritySetting='C:\'")
Dim intReturnValue : Dim objSD
' Request the Security Descriptor as objSD
intReturnValue = objSecuritySettings.GetSecurityDescriptor objSD

Dim strComputer : strComputer = "."
' Connect to WMI on strComputer
Dim objWMI : Set objWMI = GetObject("winmgmts://" & strComputer & "/root/cimv2")
' Get an instance of LogicalShareSecuritySetting for ShareName
Dim objSecuritySettings : Set objSecuritySettings = _
  objWMI.Get("Win32_LogicalShareSecuritySetting='ShareName'")
Dim intReturnValue : Dim objSD
' Request the Security Descriptor as objSD
intReturnValue = objSecuritySettings.GetSecurityDescriptor objSD

Error handling

The GetSecurityDescriptor method of each WMI class (Win32_LogicalFileSecuritySetting and Win32_LogicalShareSecuritySetting) has a return value to allow errors to be handled. The return codes are represented by the constants below.

Const SUCCESS = 0
Const ACCESS_DENIED = 2
Const UNKNOWN_FAILURE = 8
Const PRIVILEGE_MISSING = 9
Const INVALID_PARAMETER = 21

Values in the security descriptor

The security descriptor contains three fields in addition to the DACL and SACL which are described later.

Control flags

Each security descriptor has a ControlFlags field which dictates how the descriptor behaves. This includes settings such as DACLProtected which indicates that the DACL cannot inherit values from a parent.

The script loads the values above into a Scripting.Dictionary object to simplify enumeration.

Dim objControlFlags : Set objControlFlags = CreateObject("Scripting.Dictionary")
objControlFlags.Add 32768, "SelfRelative"
objControlFlags.Add 16384, "RMControlValid"
objControlFlags.Add 8192, "SystemAclProtected"
objControlFlags.Add 4096, "DiscretionaryAclProtected"
objControlFlags.Add 2048, "SystemAclAutoInherited"
objControlFlags.Add 1024, "DiscretionaryAclAutoInherited"
objControlFlags.Add 512, "SystemAclAutoInheritRequired"
objControlFlags.Add 256, "DiscretionaryAclAutoInheritRequired"
objControlFlags.Add 32, "SystemAclDefaulted"
objControlFlags.Add 16, "SystemAclPresent"
objControlFlags.Add 8, "DiscretionaryAclDefaulted"
objControlFlags.Add 4, "DiscretionaryAclPresent"
objControlFlags.Add 2, "GroupDefaulted"
objControlFlags.Add 1, "OwnerDefaulted"

Note that they are intentionally entered in order from highest to lowest. A For Each loop will start with the highest value (because it was added first), then compare it to the ControlFlags value. In bitwise comparison, if the integer value can be there, then it must be there, that would all go wrong unless it starts with the highest possible value.

The values and names were taken from the .NET Framework, they can be displayed in PowerShell with the following command.

[Enum]::GetValues([System.Security.AccessControl.ControlFlags]) | `
  Select-Object @{ n='Name';e={[String]$_} }, @{ n='Value';e={$_.value__} }

That logic is applied within the code as follows.

' Read the value of Control Flags from the descriptor
dblControlFlags = objSD.ControlFlags
WScript.Echo "Control Flags:"
' For each possible flag
For Each dblFlag in objControlFlags
  ' If it is possible for the flag to be there, then it must be there
  ' Something like bitwise AND
  If dblControlFlags >= dblFlag Then
    ' Echo the flag, indicating it is present
    WScript.Echo "  " & objControlFlags(dblFlag)
    ' Remove this value from the control flag value,
    ' already found this flag
    dblControlFlags = dblControlFlags - dblFlag
  End If
Next

Primary group

The Primary Group is not very interesting unless Services for Unix is in use. In many cases it will be blank.

If set, it can be enumerated as a Win32_Trustee, an object containing a Domain, Username, SID array, SID length and SIDString.

Owner

As with the Primary Group, the owner is stored as a Win32_Trustee object. It can be read from the descriptor as follows.

WScript.Echo "Domain: " & objSD.Owner.Domain
WScript.Echo "Username: " & objSD.Owner.Name
WScript.Echo "SID: " & objSD.Owner.SIDString

Access control entries in the DACL and SACL

Both the DACL and SACL, if present, consist of one or more Access Control Entries (ACE). The ACE, like the security descriptor, breaks down into a number of different fields.

Access Mask

The access mask defines which rights should be used by the Access Control Entry. In the case of System ACL it defines which actions should be audited.

A number of the right names are omitted from the list below as they carry the same numeric value (mask the same bit), the meaning only changes in the context the right is applied.

Dim objAccessRights : Set objAccessRights = CreateObject("Scripting.Dictionary")
objAccessRights.Add 2032127, "FullControl"
objAccessRights.Add 1048576, "Synchronize"
objAccessRights.Add 524288, "TakeOwnership"
objAccessRights.Add 262144, "ChangePermissions"
objAccessRights.Add 197055, "Modify"
objAccessRights.Add 131241, "ReadAndExecute"
objAccessRights.Add 131209, "Read"
objAccessRights.Add 131072, "ReadPermissions"
objAccessRights.Add 65536, "Delete"
objAccessRights.Add 278, "Write"
objAccessRights.Add 256, "WriteAttributes"
objAccessRights.Add 128, "ReadAttributes"
objAccessRights.Add 64, "DeleteSubdirectoriesAndFiles"
objAccessRights.Add 32, "ExecuteFile"
objAccessRights.Add 16, "WriteExtendedAttributes"
objAccessRights.Add 8, "ReadExtendedAttributes"
objAccessRights.Add 4, "AppendData"
objAccessRights.Add 2, "CreateFiles"
objAccessRights.Add 1, "ReadData"

Note that a number of the rights in the list are composites of simpler rights, including Read, FullControl, Write and Modify.

The list can be retrieved, using PowerShell again, with the following command:

[Enum]::GetValues([System.Security.AccessControl.FileSystemRights]) | `
  Select-Object @{n='Name';e={[String]$_} }, @{n='Value';e={$_.value__} }

Holding the flags in this fashion allows the Access Mask to be converted to a friendly form in the same way as the Control Flags were displayed.

' For each access control entry in the discretionary access control list
For Each objACE in objSD.DACL
  WScript.Echo "Access Mask:"
  ' Read the value of the access mask from the Access Control Entry
  dblAccessMask = objACE.AccessMask
  ' For each possible Right
  For Each dblAccess in objAccessRights
    ' If the right can be there then it must...
    If dblAccessMask >= dblAccess Then
      ' Echo the right name
      WScript.Echo "  " & objAccessRights(dblAccess)
      ' Remove the value from the access mask,
      ' already found this right.
      dblAccessMask = dblAccessMask - dblAccess
    End If
  Next
Next

Flags

The flags on an Access Control Entry defines whether the entry applies to Leaf or Container objects, how it behaves when inheritance is calculated, and whether or not the ACE is inherited or explicit.

Dim objAceFlags : Set objAceFlags = CreateObject("Scripting.Dictionary")
objAceFlags.Add 128, "FailedAccess"
objAceFlags.Add 64, "SuccessfulAccess"
objAceFlags.Add 16, "Inherited"
objAceFlags.Add 8, "InheritOnly"
objAceFlags.Add 4, "NoPropagateInherit"
objAceFlags.Add 2, "ContainerInherit"
objAceFlags.Add 1, "ObjectInherit"

Heading back to PowerShell again we can find the the names and values for these.

[Enum]::GetValues([System.Security.AccessControl.AceFlags]) | `
  Select-Object @{n='Name';e={[String]$_} }, @{n='Value';e={$_.value__} }

A few are intentionally left out as they are composites of values more interesting to display separately.

Enumeration of the Access Control Entry flags is performed as follows.

' For each access control entry in the discretionary access control list
For Each objACE in objSD.DACL
  WScript.Echo "ACE Flags:"
    ' Read the value of ACE Flags from the Access Control Entry
  dblAceFlags = objAce.AceFlags
  ' For each possible flag
  For Each dblFlag in objAceFlags
    ' If the flag can be there then it must...
    If dblAceFlags >= dblFlag Then
      ' Echo the name of the flag
      WScript.Echo "  " & objAceFlags(dblFlag)
      ' Found it, remove it to note that it has been found.
      dblAceFlags = dblAceFlags - dblFlag
    End If
  Next
Next

Trustee

The value for the trustee (Win32_Trustee), the security principal (user, group, computer, etc) the right applies to is enumerated in the same way as the Owner above.

For Each objACE in objDACL
  WScript.Echo "Domain: " & objACE.Trustee.Domain
  WScript.Echo "User: " & objACE.Trustee.Name
  WScript.Echo "SID: " & objACE.Trustee.SIDString
Next

Type

Finally, the ACEType consists of three values which define whether the ACE permits access, denies access or is an audit control.

Dim objAceTypes : Set objAceTypes = CreateObject("Scripting.Dictionary")
objAceTypes.Add 0, "Allow"
objAceTypes.Add 1, "Deny"
objAceTypes.Add 2, "Audit"

Once again, we can discover all of the possible values for AceFlags using PowerShell.

[Enum]::GetValues([System.Security.AccessControl.AceType]) | `
  Select-Object @{n='Name';e={[String]$_} }, @{n='Value';e={$_.value__} }

However, this time the only values that are used in the script are 0 (Allow), 1 (Deny), and 2 (Audit).

' For each access control entry in the discretionary access control list
For Each objACE in objDACL
  ' Echo the type: Allow, Deny or Audit.
  WScript.Echo "ACE Type: " & objAceTypes(objAce.AceType)
Next

Listing permissions for all Shares

Time to put all of that together. This sample lists the NTFS and Share permissions for each share configured on strComputer.

Option Explicit

' WMI Constants

Const WBEM_RETURN_IMMEDIATELY = &h10
Const WBEM_FORWARD_ONLY = &h20

' Constants and storage arrays for security settings

' GetSecurityDescriptor Return values

Dim objReturnCodes : Set objReturnCodes = CreateObject("Scripting.Dictionary")
Const SUCCESS = 0
Const ACCESS_DENIED = 2
Const UNKNOWN_FAILURE = 8
Const PRIVILEGE_MISSING = 9
Const INVALID_PARAMETER = 21

' Security Descriptor Control Flags

Dim objControlFlags : Set objControlFlags = CreateObject("Scripting.Dictionary")
objControlFlags.Add 32768, "SelfRelative"
objControlFlags.Add 16384, "RMControlValid"
objControlFlags.Add 8192, "SystemAclProtected"
objControlFlags.Add 4096, "DiscretionaryAclProtected"
objControlFlags.Add 2048, "SystemAclAutoInherited"
objControlFlags.Add 1024, "DiscretionaryAclAutoInherited"
objControlFlags.Add 512, "SystemAclAutoInheritRequired"
objControlFlags.Add 256, "DiscretionaryAclAutoInheritRequired"
objControlFlags.Add 32, "SystemAclDefaulted"
objControlFlags.Add 16, "SystemAclPresent"
objControlFlags.Add 8, "DiscretionaryAclDefaulted"
objControlFlags.Add 4, "DiscretionaryAclPresent"
objControlFlags.Add 2, "GroupDefaulted"
objControlFlags.Add 1, "OwnerDefaulted"

' ACE Access Right

Dim objAccessRights : Set objAccessRights = CreateObject("Scripting.Dictionary")
objAccessRights.Add 2032127, "FullControl"
objAccessRights.Add 1048576, "Synchronize"
objAccessRights.Add 524288, "TakeOwnership"
objAccessRights.Add 262144, "ChangePermissions"
objAccessRights.Add 197055, "Modify"
objAccessRights.Add 131241, "ReadAndExecute"
objAccessRights.Add 131209, "Read"
objAccessRights.Add 131072, "ReadPermissions"
objAccessRights.Add 65536, "Delete"
objAccessRights.Add 278, "Write"
objAccessRights.Add 256, "WriteAttributes"
objAccessRights.Add 128, "ReadAttributes"
objAccessRights.Add 64, "DeleteSubdirectoriesAndFiles"
objAccessRights.Add 32, "ExecuteFile"
objAccessRights.Add 16, "WriteExtendedAttributes"
objAccessRights.Add 8, "ReadExtendedAttributes"
objAccessRights.Add 4, "AppendData"
objAccessRights.Add 2, "CreateFiles"
objAccessRights.Add 1, "ReadData"

' ACE Types

Dim objAceTypes : Set objAceTypes = CreateObject("Scripting.Dictionary")
objAceTypes.Add 0, "Allow"
objAceTypes.Add 1, "Deny"
objAceTypes.Add 2, "Audit"

' ACE Flags

Dim objAceFlags : Set objAceFlags = CreateObject("Scripting.Dictionary")
objAceFlags.Add 128, "FailedAccess"
objAceFlags.Add 64, "SuccessfulAccess"
objAceFlags.Add 16, "Inherited"
objAceFlags.Add 8, "InheritOnly"
objAceFlags.Add 4, "NoPropagateInherit"
objAceFlags.Add 2, "ContainerInherit"
objAceFlags.Add 1, "ObjectInherit"

Sub ReadNTFSSecurity(objWMI, strPath)
  WScript.Echo "  Displaying NTFS Security"

  Dim objSecuritySettings : Set objSecuritySettings = _
    objWMI.Get("Win32_LogicalFileSecuritySetting='" & strPath & "'")
  Dim objSD : objSecuritySettings.GetSecurityDescriptor objSD

  Dim strDomain : strDomain = objSD.Owner.Domain
  If strDomain <> "" Then strDomain = strDomain & "\"
  WScript.Echo "  Owner: " & strDomain & objSD.Owner.Name
  WScript.Echo "  Owner SID: " & objSD.Owner.SIDString

  WScript.Echo "  Basic Control Flags Value: " & objSD.ControlFlags
  WScript.Echo "  Control Flags:"

  DisplayValues objSD.ControlFlags, objControlFlags

  WScript.Echo

  Dim objACE

  ' Display the DACL

  WScript.Echo "  Discretionary Access Control List:"
  For Each objACE in objSD.DACL
    DisplayACE objACE
  Next

  ' Display the SACL (if there is one)

  If Not IsNull(objSD.SACL) Then
    WScript.Echo "  System Access Control List:"
    For Each objACE in objSD.SACL
      DisplayACE objACE
    Next
  End If
End Sub

Sub ReadShareSecurity(objWMI, strName)
  WScript.Echo "  Displaying Share Security"

  Dim objSecuritySettings : Set objSecuritySettings = _
    objWMI.Get("Win32_LogicalShareSecuritySetting='" & strName & "'")

  Dim objSD : objSecuritySettings.GetSecurityDescriptor objSD

  WScript.Echo "  Basic Control Flags Value: " & objSD.ControlFlags
  WScript.Echo "  Control Flags:"

  DisplayValues objSD.ControlFlags, objControlFlags

  WScript.Echo

  Dim objACE

  ' Display the DACL

  WScript.Echo "  Discretionary Access Control List:"
  For Each objACE in objSD.DACL
    DisplayACE objACE
  Next
End Sub

Sub DisplayValues(dblValues, objSecurityEnumeration)

  Dim dblValue
  For Each dblValue in objSecurityEnumeration
    If dblValues >= dblValue Then
      WScript.Echo "      " & objSecurityEnumeration(dblValue)
      dblValues = dblValues - dblValue
    End If
  Next
End Sub

Sub DisplayACE(objACE)

  Dim strDomain : strDomain = objAce.Trustee.Domain
  If strDomain <> "" Then strDomain = strDomain & "\"
  WScript.Echo "    Trustee: " & UCase(strDomain & objAce.Trustee.Name)
  WScript.Echo "    SID: " & objAce.Trustee.SIDString

  WScript.Echo "    Basic Access Mask Value: " & objACE.AccessMask

  WScript.Echo "    Access Rights: "
  DisplayValues objACE.AccessMask, objAccessRights

  WScript.Echo "    Type: " & objAceTypes(objACE.AceType)

  WScript.Echo "    Basic ACE Flags Value: " & objACE.AceFlags

  WScript.Echo "    ACE Flags: "
  DisplayValues objACE.AceFlags, objAceFlags
  WScript.Echo
End Sub

'
' Main Code
'

' The system to execute this script against
Dim strComputer : strComputer = "."

' Connect to WMI
Dim objWMI : Set objWMI = GetObject("winmgmts:\\" & strComputer & "\root\CIMV2")

' Return all of the shares (Type = 0 means File Shares only, exclude
' are Administrative, Printer, etc)
Dim colItems : Set colItems = _
  objWMI.ExecQuery("SELECT * FROM Win32_Share WHERE Type='0'", "WQL", _
  WBEM_RETURN_IMMEDIATELY + WBEM_FORWARD_ONLY)

Dim objItem
For Each objItem in colItems
  WScript.Echo
  WScript.Echo "Security for " & objItem.Path & _
    " (Shared as " & objItem.Name & ")"

  ReadNTFSSecurity objWMI, objItem.Path
  ReadShareSecurity objWMI, objItem.Name
Next

References

No related posts.

Related posts brought to you by Yet Another Related Posts Plugin.

Setting desktop wallpaper

Chris — Tue, 23 Dec 2008 13:27:50 +0000

Group Policy will, by default, only set the desktop wallpaper using Active Desktop. It is also possible to set the wallpaper using the logon script, or using a custom Group Policy template.

Custom Group Policy Template

The first thing to note about the custom policy is that it is an Unmanaged Policy. That means that any setting change will not revert if the policy is set to Disabled or Not Configured. The setting would have to be manually reversed or removed.

The second thing to note is that Unmanaged Policies are not displayed by default. After adding this template select the Administrative Templates folder under User Configuration, then View and Filtering. Remove the tick from “Show only policy settings that can be fully managed”. The policy will appear with a red icon instead of the regular blue icon.

This is a template that can be used to set the wallpaper on a client. It must be saved as a Administrative Template (.adm) file and manually added into a policy.

CLASS USER

CATEGORY "Desktop"
  CATEGORY "Custom Policies"

    KEYNAME "Control Panel\Desktop"

    POLICY "Desktop Wallpaper"

      EXPLAIN !!ExplainText

      PART !!WallpaperPathText EDITTEXT REQUIRED
        VALUENAME "Wallpaper"
      END PART

      PART !!WallpaperStyleText DROPDOWNLIST
        VALUENAME "WallpaperStyle"

        ITEMLIST
          NAME "Centre" VALUE NUMERIC 0 DEFAULT
          NAME "Stretch" VALUE NUMERIC 2
        END ITEMLIST
      END PART

      PART !!TileWallpaperText DROPDOWNLIST
        VALUENAME "TileWallpaper"

        ITEMLIST
          NAME "No" VALUE NUMERIC 0 DEFAULT
          NAME "Yes" VALUE NUMERIC 1
        END ITEMLIST
      END PART

    END POLICY

  END CATEGORY
END CATEGORY

[Strings]
ExplainText="Specifies the desktop background (wallpaper) displayed on all users' desktops.\n\nThe wallpaper image must be in bitmap (bmp) format.\n\nTo use this setting, type the fully qualified path and name of the file that stores the wallpaper image. You can type a local path, such as C:\Windows\web\wallpaper\home.bmp or a UNC path, such as \\Server\Share\Corp.bmp. If the specified file is not available when the user logs on, no wallpaper is displayed. You can also use this setting to specify that the wallpaper image be centered, tiled, or stretched.\n\nTo set wallpaper to Centre Tile must be disabled. To set wallpaper to Tiled both Centre and Tiled must be selected."
WallpaperPathText="Full UNC or path to Bitmap (bmp) file:"
WallpaperStyleText="Centre or Stretch Wallpaper:"
TileWallpaperText="Tile Wallpaper (if centre is selected):"

VbScript

Alternatively, the same registry entries can be set using VbScript. This has the potential to be more flexible depending on the environment. It will run under a standard user, no need to grant extra rights on the PC.

Option Explicit

' Network and local locations for the wallpaper file.
' Must be BMP for the screen refresh to work
Const WALLPAPER_SOURCE = "\\server01\netlogon\Wallpaper.bmp"

Sub SetWallpaper
  ' Copies and sets the client wallpaper

  Const REG_HKCU = &H80000001

  Dim objShell, objFileSystem, objFile, objRegistry
  Dim strWallpaperDestination, strKeyPath, strCommand

  ' Get the current user profile so we can copy the wallpaper there.
  Set objShell = CreateObject("WScript.Shell")
  strWallpaperDestination = objShell.ExpandEnvironmentStrings("%USERPROFILE%")

  ' Get the wallpaper file from the source
  Set objFileSystem = CreateObject("Scripting.FileSystemObject")
  Set objFile = objFileSystem.GetFile(WALLPAPER_SOURCE)

  ' Update the destination path to include the file name
  strWallpaperDestination = strWallpaperDestination & "\" & objFile.Name
  objFile.Copy strWallpaperDestination, True
  Set objFileSystem = Nothing

  ' Connect to the Registry on the local machine
  Set objRegistry = GetObject("winmgmts:\\.\root\default:StdRegProv")

  ' Set the values for the Wallpaper
  strKeyPath = "Control Panel\Desktop"
  objRegistry.SetStringValue REG_HKCU, strKeyPath, "Wallpaper", _
    strWallpaperDestination

  ' Set the Position to Stretch
  objRegistry.SetStringValue REG_HKCU, strKeyPath, "TileWallpaper", "0"
  objRegistry.SetStringValue REG_HKCU, strKeyPath, "WallpaperStyle", "2"
  Set objRegistry = Nothing

  ' Update the system settings (refresh)
  strCommand = "RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters"
  objShell.Run strCommand, 1, True
  Set objShell = Nothing
End Sub

SetWallpaper

Random wallpaper with VbScript

I once had to deploy one of a selection of wallpapers to client computers on a network. It had to change (or at least attempt to change) each time the user logged on. This snippet uses the Randomize function in VbScript to generate a random number and pick a random file.

Option Explicit

Sub SetWallpaper
  ' Copies and sets the client wallpaper

  Const REG_HKCU = &H80000001

  Dim objShell, objFileSystem, objFile, objRegistry
  Dim strWallpaperSource, strWallpaperDestination, strKeyPath, strCommand

  ' Get the current user profile so we can copy the wallpaper there.
  Set objShell = CreateObject("WScript.Shell")
  strWallpaperDestination = objShell.ExpandEnvironmentStrings("%USERPROFILE%")

  ' Get the source path
  strWallpaperSource = RandomizeWallpaper

  ' Get the wallpaper file from the source
  Set objFileSystem = CreateObject("Scripting.FileSystemObject")
  Set objFile = objFileSystem.GetFile(strWallpaperSource)

  ' Update the destination path to include the file name
  strWallpaperDestination = strWallpaperDestination & "\" & objFile.Name
  objFile.Copy strWallpaperDestination, True
  Set objFileSystem = Nothing

  ' Connect to the Registry on the local machine
  Set objRegistry = GetObject("winmgmts:\\.\root\default:StdRegProv")

  ' Set the values for the Wallpaper
  strKeyPath = "Control Panel\Desktop"
  objRegistry.SetStringValue REG_HKCU, strKeyPath, "Wallpaper", strWallpaperDestination

  ' Set the Position to Stretch
  objRegistry.SetStringValue REG_HKCU, strKeyPath, "TileWallpaper", "0"
  objRegistry.SetStringValue REG_HKCU, strKeyPath, "WallpaperStyle", "2"
  Set objRegistry = Nothing

  ' Update the system settings (refresh)
  strCommand = "RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters"
  objShell.Run strCommand, 1, True
  Set objShell = Nothing
End Sub

Function RandomizeWallpaper
  Dim objShell, objFolder, objSubFolder, objFile
  Dim  strLogonServer
  Dim arrWallpaper()
  Dim i

  ' Get the current user profile so we can copy the wallpaper there.
  Set objShell = CreateObject("WScript.Shell")
  strLogonServer = objShell.ExpandEnvironmentStrings("%LOGONSERVER%")
  Set objShell = Nothing

  Set objFolder = objFileSystem.GetFolder(strLogonServer & "\NetLogon\Wallpaper")
  i = 0

  ' Get all the files beneath the folder
  For Each objFile in objFolder.Files
    ReDim Preserve arrWallpaper(i)
    arrWallpaper(i) = objFile.Path
    i = i + 1
  Next
  Randomize()

  ' Choose a random file
  i = Int(UBound(arrWallpaper) * Rnd())
  RandomizeWallpaper = arrWallpaper(i)
End Function

SetWallpaper

No related posts.

Related posts brought to you by Yet Another Related Posts Plugin.

Returning the OU for an object in AD

Chris — Mon, 08 Dec 2008 11:42:47 +0000

Occasionally it can be useful to know how to retrieve the parent, or OU holding an object, from Active Directory.
Perhaps the easiest way to do this is using the Parent property.

VbScript: Getting the OU for a user

Set objUser = GetObject( _
  "LDAP://CN=Chris Dent,OU=Somewhere,DC=internal,DC=highorbit,DC=co,DC=uk")
strParent = objUser.Parent

WScript.Echo strParent

In VbScript the value returned is a string, to get the name of the OU either connect to the object then get the name attribute or parse the name out of the string (Split, or Mid, etc). The example below shows connecting to the parent object and echoing the name.

Set objParent = GetObject(strParent)
WScript.Echo objParent.Get("name")

PowerShell: Getting the OU for a user

$DN = "CN=Chris Dent,OU=Somewhere,DC=internal,DC=highorbit,DC=co,DC=uk"
$User = [ADSI]"LDAP://$DN"
$Parent = $User.PSBase.Parent

PowerShell is a little different, the returned value is a DirectoryEntry, that means we can directly access any other property or attribute without connecting again.

$DN = "CN=Chris Dent,OU=Somewhere,DC=internal,DC=highorbit,DC=co,DC=uk"
$User = [ADSI]"LDAP://$DN"
$Name = ($User.PSBase.Parent).Name

Example: Getting the OU for all members of a group

These examples assume that the group path is known, no searches are involved.

VbScript

Set objGroup = GetObject( _
  "LDAP://CN=Domain Admins,CN=Users,DC=internal,DC=highorbit,DC=co,DC=uk")

Set objFileSystem = CreateObject("Scripting.FileSystemObject")
Set objFile = objFileSystem.OpenTextFile( _
  objGroup.Get("name") & " - Members.txt", 2, True, 0)

For Each objMember in objGroup.Members
  objFile.WriteLine objMember.Get("sAMAccountName") & VbTab & _
    objMember.Get("cn") & VbTab & _
    objMember.Parent
Next

Set objFile = Nothing
Set objFileSystem = Nothing

Set objGroup = Nothing

PowerShell

The note above about Parent returning a DirectoryEntry does not apply if using the Members method in PowerShell. The object returned is a COM Object and will not work in quite the same way. This is the equivalent of the VbScript above.

$DN = "CN=Domain Admins,CN=Users,DC=internal,DC=highorbit,DC=co,DC=uk"
$Group = [ADSI]"LDAP://$DN"
$Group.PSBase.Invoke("Members") `
  | Select-Object `
    @{n="sAMAccountName";e={
      $_.GetType().InvokeMember("sAMAccountName", "GetProperty", `
        $Null, $_, $Null)}}, `
    @{n="CN";e={
      $_.GetType().InvokeMember("cn", "GetProperty", `
        $Null, $_, $Null)}}, `
    @{n="Parent";e={
      $_.GetType().InvokeMember("parent", "GetProperty", `
        $Null, $_, $Null)}}

Changing the Primary Group with PowerShell Exactly as the title says, an example of how to...
Get-DsAcl The goal of this PowerShell function is to create a...

Related posts brought to you by Yet Another Related Posts Plugin.

Exchange 2003: Returning mailbox sizes

Chris — Tue, 28 Oct 2008 12:13:20 +0000

This script uses WMI and Active Directory queries to return information about mailbox sizes from Exchange and the limits set in Active Directory.

Download GetMailboxStatistics.vbs

A number of people have been looking for Get-MailboxStatistics for Exchange 2003. I have a PowerShell version of this script for exactly that reason here.

This script is only intended for use with Exchange 2003. Exchange 2000 must use MAPI, Exchange 2007 has a PowerShell cmdlet, Get-MailboxStatistics, which can much more easily return this information.

It requires access to WMI on each Exchange Server, but does not require any of the Exchange System Tools. legacyExchangeDN is used to match accounts between AD and Exchange.

The script performs a number of searches in Active Directory. The largest number if multiple Admin Groups are selected (/a:”Admin Group*”). It can be instructed to use a single DC by specifying a name with the /dc switch. For forest-wide searches that must be a Global Catalog. If no DC is specified the script executes a DNS query for Global Catalog service records on the current forest name to attempt to find a (responding) GC in the current site, failing back to any GC in the forest otherwise.

Usage

cscript GetMailboxStatistics.vbs [/o] [/s:]
        [/a:""] [/d:]
        [/dc:] [/f:]

One of the following parameters must be specified:

/o      Get statistics from all Exchange Servers in the organisation
        This option overrides all others
/s      Get statistics for this Exchange Server only
        This option overrides all except /o
/a      Get statistics from all Exchange Servers in the specified Administrative Group
/d      Get statistics from all Exchange Servers in the specified Domain

The following parameters are optional:

/dc     A Domain Controller to use for this process. Must be a Global Catalog
        for reporting that covers a Forest. The script will attempt to find a
        GC in the current site if not specified.
/f      File Name for the output. Default file name is MailboxReport.csv

The following details are returned by this script:

Name
DN
AccountStatus (Enabled / Disabled)
UseDefaultQuotas (True / False)
Warn (in Mb, Warning Limit if specified on User Account)
ProhibitSend (in Mb, if specified on User Account)
ProhibitSendAndReceive (in Mb, if specified on User Account)
Size (in Mb)
TotalItems
MailboxStatus (BelowLimit, IssueWarning, ProhibitSend, NoChecking, MailboxDisabled)
AssocContentCount (Total Number of messages associated with the mailbox folders)
DeletedMessageSize (in Mb)
LastLoggedOnUser
LastLogon
LastLogoff
DateDeleted (for mailboxes which have been disconnected, waiting to be purged)
MailboxDisplayName
MailboxGuid
ServerName (Exchange Server)
StorageGroup
Store
legacyExchangeDN

No related posts.

Related posts brought to you by Yet Another Related Posts Plugin.

Finding a user in Exchange mailbox security

Chris — Tue, 28 Oct 2008 11:33:59 +0000

A script to read the mailbox security descriptor from Active Directory with the intention of finding a particular user or security principal. It will not display the security descriptor, it simply displays whether or not the account is present in the access control list.

The script works best when run with cscript as the script uses WScript.Echo to write back whether or not it finds a match.

It can be used against Exchange 2000 or Exchange 2003. Exchange 2007 can use Get-MailboxPermission to query the same information.

MailboxRights is used to retrieve the mailbox security descriptor. As part of CDOEXM (Collaboration Data Objects for Exchange Management) the Exchange System Tools must be installed on the system executing the script.

Option Explicit

' FindMailboxAccess.vbs
'
' Short Script to Find and Enumerate Mailbox Access for the specified
' security principal. Searches current domain, must be run as an Exchange Admin
' account to invoke MailboxRights method.
'
' This script is slow, it's speed is unavoidable as MailboxRights cannot be
' executed until connected to an individual user. That means we have to connect
' to every user account to determine whether or not the security principal is
' present within the ACL.
'
' Author: Chris Dent
' Modified: 04/01/2008

Sub UsageText
  Dim strMessage

  strMessage = "Usage:" & VbCrLf & VbCrLf
  strMessage = strMessage & "cscript " & WScript.ScriptName & _
    " " & VbCrLf
  strMessage = strmessage & VbCrLf
  strMessage = strMessage & "Note: This script must be executed as Exchange " & _
    "Administrator to enumerate" & VbCrLf
  strMessage = strMessage & "the Mailbox Security Descriptor" & VbCrLf
  WScript.Echo strMessage
  WScript.Quit
End Sub

Sub SortArgv
  Dim objArgv

  Set objArgv = WScript.Arguments
  If objArgv.Count < 1 Then
    UsageText
  End If

  strSearchString = objArgv(0)

  Set objArgv = Nothing
End Sub

Sub SearchAD
  Const ADS_SCOPE_SUBTREE = 2

  Dim objConnection, objCommand, objRootDSE, objRecordSet, objUser
  Dim objMailboxSD, objDACL, objACE

  Set objConnection = CreateObject("ADODB.Connection")
  objConnection.Provider = "ADsDSOObject"
  objConnection.Open "Active Directory Provider"

  Set objCommand = CreateObject("ADODB.Command")
  objCommand.ActiveConnection = objConnection

  Set objRootDSE = GetObject("LDAP://RootDSE")
  objCommand.CommandText = "SELECT distinguishedName, homeMDB " &_
    "FROM 'LDAP://" & objRootDSE.Get("defaultNamingContext") &_
    "' WHERE objectClass='user' AND objectCategory='person'"
  WScript.Echo "Searching: " & objRootDSE.Get("defaultNamingContext")
  Set objRootDSE = Nothing

  objCommand.Properties("Page Size") = 1000
  objCommand.Properties("Timeout") = 600
  objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
  objCommand.Properties("Cache Results") = False

  Set objRecordSet = objCommand.Execute

  While Not objRecordSet.EOF
    On Error Resume Next
    If Not IsNull(objRecordSet.Fields("homeMDB")) Then
      ' Can't avoid connecting to the user, need to call the MailboxRights method

      Set objUser = _
        GetObject("LDAP://" & objRecordSet.Fields("distinguishedName").Value)

      Err.Clear
      Set objMailboxSD = objUser.MailboxRights
      Set objDACL = objMailboxSD.DiscretionaryAcl
      If Err.Number <> 0 Then
        ' Ignore It
      Else
        For Each objACE in objDACL
          If InStr(1, objACE.Trustee, strSearchString, VbTextCompare) Then
            WScript.Echo "Found In Mailbox ACL: " & objUser.Name
          End If
        Next
      End If
      On Error Goto 0
    End If

    objRecordSet.MoveNext
  Wend
  objConnection.Close

  Set objRecordSet = Nothing
  Set objCommand = Nothing
  Set objConnection = Nothing
End Sub

'
' Main Code
'

Dim strSearchString

SortArgv

WScript.Echo "Search String: " & strSearchString

SearchAD

No related posts.

Related posts brought to you by Yet Another Related Posts Plugin.

VbScript: GetADSubnets

Chris — Sat, 25 Oct 2008 10:46:37 +0000

The VbScript below demonstrates how subnet information might be retrieved from Active Directory. It is possible to use a search using to return this information (for objectClass=subnet). This method connects to the subnets container and loops through the contents returning the network address and mask length in a Dictionary object.

Function GetADSubnets
  ' Return Type: Array

  Dim objRootDSE : Set objRootDSE = GetObject("LDAP://RootDSE")
  Dim objSubnets : Set objSubnets = GetObject("LDAP://CN=Subnets,CN=Sites," & _
    objRootDSE.GEt("configurationNamingContext"))

  Dim arrSubnets() : Dim i : i = 0
  For Each objSubnet in objSubnets
    ReDim Preserve arrSubnets(i)
    arrSubnets(i) = objSubnet.Get("name")
    i = i + 1
  Next

  GetADSubnets = arrSubnets
End Function

Usage example

WScript.Echo Join(GetADSubnets, vbCrlf)

No related posts.

Related posts brought to you by Yet Another Related Posts Plugin.

Modifying DNS records with WMI

Chris — Thu, 23 Oct 2008 11:40:19 +0000

Using WMI it is possible to modify any existing record hosted on a Microsoft DNS Server. The method used varies slightly depending on which record type we want to change.

References for each version of the Modify method can be found in the DNS WMI Provider Reference. These are the most common:

The examples below show modification of Host or A records, but it is possible to extend the example to use any of the types above.

Using VbScript to modify records

This example demonstrates the use of WMI in VbScript to modify a record. The first value for Modify is the TTL, by using objItem.TTL we just reinsert the existing value, only changing the IP address.

' Connect to the WMI Service
Set objWMIService = GetObject("winmgmts:\\dc01\root\MicrosoftDNS")
' Run a query to get the record we want to change
Set colItems = objWMIService.ExecQuery("SELECT * FROM MicrosoftDNS_AType" & _
  " WHERE ContainerName='thezone.net' AND OwnerName='test.thezone.net'",,48)

' Loop through the results
For Each objItem in colItems
  ' Modify the record
  objItem.Modify objItem.TTL, "1.2.3.4"
Next

If the TTL must be changed it is important to exclude the IP Address parameter, failure to do so will result in the record being deleted. Any attempt to use Modify without making any changes will result in a “SWbemObjectEx: Generic failure” exception.

Using PowerShell to modify records

The same failure reasons and restrictions apply with PowerShell (including the obscure deletion). Otherwise changing the record can be performed like this.

$ServerName = "dns01"
$ContainerName = "somedomain.example"
$RecordName = "test.somedomain.example"

$Record = Get-WMIObject -Computer $ServerName `
  -Namespace "root\MicrosoftDNS" -Class "MicrosoftDNS_AType" `
  -Filter "ContainerName='$ContainerName' AND OwnerName='$RecordName'"
# Using the existing TTL value (in seconds)
$ModifiedRecord = $Record.Modify($Record.TTL, "2.3.4.5")

In both VbScript and PowerShell the method call returns an object representing the updated record if further processing is required.

No related posts.

Related posts brought to you by Yet Another Related Posts Plugin.

Auditing userAccountControl with VbScript

Chris — Wed, 22 Oct 2008 19:23:51 +0000

This VbScript searches the current domain for all users with “User cannot change password”, “Password never expires”, or “Trusted for delegation” set, the results of the search are written to a tab delimited text file.

' UserAccountControl.vbs
'
' Script to report User Account Control Flag usage within the current domain.
'
' Author: Chris Dent
' Modified: 06/03/2008

Option Explicit

Const REPORT_FILE = "Users.txt"

' userAccountControl flag values
Const ADS_UF_PASSWD_CANT_CHANGE = &H40
Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000
Const ADS_UF_TRUSTED_FOR_DELEGATION = &H80000
Const ADS_SCOPE_SUBTREE = 2

Const ADS_ACETYPE_ACCESS_DENIED_OBJECT = &H6
Const CHANGE_PASSWORD_GUID  = "{ab721a53-1e2f-11d0-9819-00aa0040529b}"

'
' Main Code
'

Dim objFileSystem, objFile, objConnection, objCommand
Dim objRootDSE, objRecordSet, objUser
Dim objSD, objDACL, objACE
Dim strPwdCantChange, strPwdDontExpire, strTrustedForDelegation
Dim strDisplayName, strUsername, strDN
Dim intUAC
Dim booList

' Create report file
Set objFileSystem = CreateObject("Scripting.FileSystemObject")
Set objFile = objFileSystem.OpenTextFile(REPORT_FILE, 2, True, 0)

' Write header
objFile.WriteLine "Display Name" & VbTab & "Username" & VbTab &_
  "Distinguished Name" & VbTab & "Password Cannot Change" &_
  VbTab & "Password Never Expires" & VbTab & "Trusted for Delegation"

Set objConnection = CreateObject("ADODB.Connection")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"

Set objCommand = CreateObject("ADODB.Command")
objCommand.ActiveConnection = objConnection

' Configure search
Set objRootDSE = GetObject("LDAP://RootDSE")
objCommand.CommandText = "SELECT displayName, distinguishedName, " &_
  "sAMAccountName, userAccountControl, nTSecurityDescriptor FROM 'LDAP://" &_
  objRootDSE.Get("defaultNamingContext") &_
  "' WHERE objectClass='user' AND objectCategory='person'"
Set objRootDSE = Nothing

objCommand.Properties("Page Size") = 1000
objCommand.Properties("Timeout") = 600
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
objCommand.Properties("Cache Results") = False
Set objRecordSet = objCommand.Execute

While Not objRecordSet.EOF
  strPwdCantChange = "False" : strPwdDontExpire = "False"
  strTrustedForDelegation = "False"
  booList = False

  intUAC = objRecordSet.Fields("userAccountControl")

  ' Check for Password Cannot Change Flag

  Set objUser = GetObject("LDAP://" & objRecordSet.Fields("distinguishedName"))
  Set objSD = objUser.Get("nTSecurityDescriptor")
  Set objDACL = objSD.DiscretionaryAcl

  For Each objACE in objDACL
    If objACE.AceType = ADS_ACETYPE_ACCESS_DENIED_OBJECT And _
        LCase(objACE.ObjectType) = CHANGE_PASSWORD_GUID Then

      strPwdCantChange = "True" : booList = True
      Exit For
    End If
  Next

  Set objDACL = Nothing
  Set objSD = Nothing
  Set objUser = Nothing

  ' Check for password never expires

  If intUAC And ADS_UF_DONT_EXPIRE_PASSWD Then
    strPWDDontExpire = "True" : booList = True
  End If

  ' Check for trusted for delegation

  If intUAC And ADS_UF_TRUSTED_FOR_DELEGATION Then
    strTrustedForDelegation = "True" : booList = True
  End If

  If booList = True Then
    strDisplayName = objRecordSet.Fields("displayName")
    strUsername = objRecordSet.Fields("sAMAccountName")
    strDN = objRecordSet.Fields("distinguishedName")

    objFile.WriteLine strDisplayName & VbTab & strUsername & VbTab &_
    strDN & VbTab & strPwdCantChange & VbTab & strPwdDontExpire &_
    VbTab & strTrustedForDelegation
  End If

  objRecordSet.MoveNext
Wend

objConnection.Close

Set objRecordSet = Nothing
Set objCommand = Nothing
Set objConnection = Nothing

No related posts.

Related posts brought to you by Yet Another Related Posts Plugin.