Re: User account querry
- From: "Richard Mueller [MVP]" <rlmueller-nospam@xxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 5 Sep 2007 16:51:12 -0500
Here is a VBScript solution, but it's not very pretty. You must bind to
every user object and their security descriptor, then loop through all the
ACEs looking for the ones that deny permission to change the password. This
might be slow if you have a lot of users:
====================
Option Explicit

' GUID of the "User-Change-Password" extended right. The "User cannot change
' password" checkbox in ADUC is stored as two object-specific deny ACEs for
' this right on the user object: one for SELF and one for Everyone.
Const CHANGE_PASSWORD_GUID = "{AB721A53-1E2F-11D0-9819-00AA0040529B}"
Const ADS_ACETYPE_ACCESS_DENIED_OBJECT = &H6

Dim objSecDescriptor, objDACL, objUser
Dim strDN, objACE, blnSelf, blnEveryone
Dim adoConnection, adoCommand, strBase, strFilter, strAttributes
Dim objRootDSE, strDNSDomain, strQuery, adoRecordset

' Setup ADO objects. An ADODB.Command is used instead of setting
' Recordset.Source directly so that the "Page Size" property can be set.
' Without paging the query returns at most 1000 entries (the default
' MaxPageSize LDAP policy), so larger domains would be silently truncated.
Set adoCommand = CreateObject("ADODB.Command")
Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Open "Active Directory Provider"
adoCommand.ActiveConnection = adoConnection

' Search entire Active Directory domain.
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")
strBase = "<LDAP://" & strDNSDomain & ">"

' Filter on user objects.
strFilter = "(&(objectCategory=person)(objectClass=user))"

' Comma delimited list of attribute values to retrieve.
strAttributes = "distinguishedName"

' Construct the LDAP syntax query.
strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
adoCommand.CommandText = strQuery
adoCommand.Properties("Page Size") = 100
adoCommand.Properties("Timeout") = 30

' Run the query.
Set adoRecordset = adoCommand.Execute

' Enumerate the resulting recordset.
Wscript.Echo "Users that cannot change their password:"
Do Until adoRecordset.EOF
    ' Retrieve values.
    strDN = adoRecordset.Fields("distinguishedName").Value
    ' Escape any forward slash characters, which are path separators
    ' in an ADsPath.
    strDN = Replace(strDN, "/", "\/")
    ' Bind to user.
    Set objUser = GetObject("LDAP://" & strDN)
    ' Bind to the user security descriptor and its DACL.
    Set objSecDescriptor = objUser.Get("ntSecurityDescriptor")
    Set objDACL = objSecDescriptor.DiscretionaryAcl
    ' Search for object-specific deny ACEs for Change Password.
    ' Note: ADSI resolves the trustee to a display name, and the names of
    ' well-known principals such as Everyone are localized on non-English
    ' domain controllers.
    blnSelf = False
    blnEveryone = False
    For Each objACE In objDACL
        If (UCase(objACE.ObjectType) = UCase(CHANGE_PASSWORD_GUID)) Then
            If (objACE.AceType = ADS_ACETYPE_ACCESS_DENIED_OBJECT) Then
                If (UCase(objACE.Trustee) = "NT AUTHORITY\SELF") Then
                    blnSelf = True
                End If
                If (UCase(objACE.Trustee) = "EVERYONE") Then
                    blnEveryone = True
                End If
            End If
        End If
    Next
    ' Report the user only if both deny ACEs were found, which is what
    ' the "User cannot change password" checkbox sets.
    If (blnSelf = True) And (blnEveryone = True) Then
        Wscript.Echo strDN
    End If
    adoRecordset.MoveNext
Loop

' Clean up.
adoRecordset.Close
adoConnection.Close
Wscript.Echo "Done"
--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
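The same check can be done without ADSI, directly on the raw ntSecurityDescriptor value that any LDAP client receives (a self-relative binary security descriptor as specified in [MS-DTYP]). The Python script below is an added example, not part of the thread or of Richard Mueller's script: it parses the DACL, looks for ACCESS_DENIED_OBJECT ACEs whose object type is the User-Change-Password GUID and whose trustee is S-1-5-10 (SELF) or S-1-1-0 (Everyone), and applies the same "both denies present" rule. Because it compares SIDs rather than resolved names it is not affected by localized trustee names. The descriptors it runs against are constructed inline by the builder helpers (they are not captured from a real directory); the parser itself is what you would feed the attribute bytes to.

```python
"""Detect 'User cannot change password' in a raw ntSecurityDescriptor.

Added example (not from the original post). Parses a self-relative
security descriptor ([MS-DTYP] 2.4.6) and checks the DACL for the two
object-specific deny ACEs on the Change Password extended right.
"""
import struct
import uuid

CHANGE_PASSWORD_GUID = uuid.UUID("ab721a53-1e2f-11d0-9819-00aa0040529b")
ACCESS_ALLOWED_OBJECT_ACE_TYPE = 0x05
ACCESS_DENIED_OBJECT_ACE_TYPE = 0x06
ACE_OBJECT_TYPE_PRESENT = 0x1
ACE_INHERITED_OBJECT_TYPE_PRESENT = 0x2
ADS_RIGHT_DS_CONTROL_ACCESS = 0x100   # access mask bit for extended rights
SE_DACL_PRESENT, SE_SELF_RELATIVE = 0x0004, 0x8000
SELF_SID = "S-1-5-10"                 # NT AUTHORITY\SELF
EVERYONE_SID = "S-1-1-0"              # Everyone


def parse_sid(buf, off):
    """Decode a binary SID at buf[off:]; return (sid_string, bytes_consumed)."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs), 8 + 4 * count


def parse_dacl(sd):
    """Yield (ace_type, mask, object_type_guid_or_None, sid) for each DACL ACE."""
    rev, _sbz1, control, _owner, _group, _sacl, off_dacl = struct.unpack_from("<BBHIIII", sd, 0)
    if rev != 1:
        raise ValueError("unsupported security descriptor revision %d" % rev)
    if not (control & SE_DACL_PRESENT) or off_dacl == 0:
        return  # NULL DACL: no ACEs at all
    _arev, _s1, _acl_size, ace_count, _s2 = struct.unpack_from("<BBHHH", sd, off_dacl)
    pos = off_dacl + 8
    for _ in range(ace_count):
        ace_type, _ace_flags, ace_size = struct.unpack_from("<BBH", sd, pos)
        mask = struct.unpack_from("<I", sd, pos + 4)[0]
        body, obj_type = pos + 8, None
        if ace_type in (ACCESS_ALLOWED_OBJECT_ACE_TYPE, ACCESS_DENIED_OBJECT_ACE_TYPE):
            flags = struct.unpack_from("<I", sd, body)[0]
            body += 4
            if flags & ACE_OBJECT_TYPE_PRESENT:
                obj_type = uuid.UUID(bytes_le=sd[body:body + 16])
                body += 16
            if flags & ACE_INHERITED_OBJECT_TYPE_PRESENT:
                body += 16
        sid, _ = parse_sid(sd, body)
        yield ace_type, mask, obj_type, sid
        pos += ace_size


def cannot_change_password(sd):
    """True only if Change Password is denied to both SELF and Everyone."""
    deny_self = deny_everyone = False
    for ace_type, mask, obj_type, sid in parse_dacl(sd):
        if ace_type != ACCESS_DENIED_OBJECT_ACE_TYPE or obj_type != CHANGE_PASSWORD_GUID:
            continue
        if not (mask & ADS_RIGHT_DS_CONTROL_ACCESS):
            continue
        deny_self = deny_self or sid == SELF_SID
        deny_everyone = deny_everyone or sid == EVERYONE_SID
    return deny_self and deny_everyone


# --- builders used only to construct sample descriptors for this example ---
def build_sid(sid_str):
    parts = [int(p) for p in sid_str.split("-")[1:]]
    rev, authority, subs = parts[0], parts[1], parts[2:]
    return bytes([rev, len(subs)]) + authority.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)


def build_object_ace(ace_type, mask, guid, sid_str):
    body = struct.pack("<II", mask, ACE_OBJECT_TYPE_PRESENT) + guid.bytes_le + build_sid(sid_str)
    return struct.pack("<BBH", ace_type, 0, 4 + len(body)) + body


def build_sd(aces):
    """Self-relative SD carrying only a DACL (owner, group and SACL omitted)."""
    acl_body = b"".join(aces)
    acl = struct.pack("<BBHHH", 4, 0, 8 + len(acl_body), len(aces), 0) + acl_body
    return struct.pack("<BBHIIII", 1, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE, 0, 0, 0, 20) + acl


# Constructed samples: both denies (checkbox set), SELF deny only, and an
# ordinary account where the right is allowed.
DENY = (ACCESS_DENIED_OBJECT_ACE_TYPE, ADS_RIGHT_DS_CONTROL_ACCESS, CHANGE_PASSWORD_GUID)
ALLOW = (ACCESS_ALLOWED_OBJECT_ACE_TYPE, ADS_RIGHT_DS_CONTROL_ACCESS, CHANGE_PASSWORD_GUID)
LOCKED_SD = build_sd([build_object_ace(*DENY, SELF_SID), build_object_ace(*DENY, EVERYONE_SID),
                      build_object_ace(*ALLOW, "S-1-5-21-1-2-3-512")])
HALF_SD = build_sd([build_object_ace(*DENY, SELF_SID)])
NORMAL_SD = build_sd([build_object_ace(*ALLOW, SELF_SID), build_object_ace(*ALLOW, EVERYONE_SID)])

if __name__ == "__main__":
    for name, sd in (("locked", LOCKED_SD), ("half", HALF_SD), ("normal", NORMAL_SD)):
        print(name, cannot_change_password(sd))
```

Against a real domain you would page through the user objects with any LDAP library, request the ntSecurityDescriptor attribute, and pass each value to cannot_change_password(); only the DACL is needed, so the caller does not require the right to read the SACL.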
--
"Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:ufJ%23QX$7HHA.4712@xxxxxxxxxxxxxxxxxxxxxxx
Sure, but then you have to wade through the results and try to interpret
them. That isn't nearly as effective as writing a query which would tell
you exactly which ones have that setting which is why I said it was not
very elegant.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"net_admin" <netadmin@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:CE684EE8-2202-42A2-80D5-65687D821FE4@xxxxxxxxxxxxxxxx
One can use DUMPSEC.exe to extract that and much other information from
AD.
--
NetAdmin <São Paulo, BR>
"That's not my problem... asshole."