
Lightweight Directory Access Protocol (ldap) - Interfacing Microsoft's Active Directory over LDAP

 
 Discussion by Mr. Matt with 0 Replies.
 Last Update: March 24, 2008, 10:14 pm
 
    
 
This is a script I wrote to automate the creation of over 1000 accounts in Active Directory during the summer of 2007, ahead of the new fiscal year. It is not intended for direct use. Please make the changes necessary to reflect your own user management or production environment.

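#!/usr/bin/perl
use strict;
use warnings;
# use Tk;
# use Tk::DialogBox;
# use Tk::Carp qw/cluck warningsToDialog fatalsToDialog/;
use Win32::FileSecurity qw(MakeMask Get Set);
use Win32::OLE;

# Bulk-provisioning example for Active Directory: for one account it
#   1. creates the user object under ADP_USER_OU,
#   2. creates and locks down the account's home directory,
#   3. adds the account to the group at ADP_GROUP_OU,
#   4. marks the account "User cannot change password".
# Steps 1 and 4 together exempt the account from password rotation
# (non-expiring, non-changeable password), so the caller is expected to set
# and manage the password itself; no SetPassword call is made here.
# Every upper-case quoted literal below is a placeholder to be replaced for a
# real environment.

# Make failed OLE method calls (Put, SetInfo, AddAce, ...) die instead of
# being silently ignored, so a half-provisioned account cannot go unnoticed.
Win32::OLE->Option(Warn => 3);

use constant ADP_DOMAIN    => 'DOMAIN';
use constant ADP_PARENT_OU => 'ou=Sub Organizational Unit, ou=Organizational Unit, dc=' . ADP_DOMAIN;
use constant ADP_GROUP_OU  => 'cn=Group Name, dc=' . ADP_DOMAIN;
use constant ADP_USER_OU   => 'ou=Container, ' . ADP_PARENT_OU;
use constant LOG_FILE      => 'LOG_FILE_PATH';    # placeholder: the original printed to an unopened LOG handle

# Control-access right "User-Change-Password".  Denying it to SELF and to
# Everyone is how the directory represents "User cannot change password".
use constant CHANGE_PASSWORD_GUID => '{ab721a53-1e2f-11d0-9819-00aa0040529b}';

# userAccountControl bits.
use constant ADS_UF_DONT_EXPIRE_PASSWD => 0x10000;    # Password does not expire
# The original value 0x512 (decimal 1298) includes bit 0x2, which is the
# ACCOUNTDISABLE flag; it was almost certainly a typo for decimal 512 =
# 0x200 (ADS_UF_NORMAL_ACCOUNT).  The constant is not used below.
use constant ADS_CUSTOM_ACCOUNT_ENABLED => 0x200;     # Account is enabled

# ADSI access-control-entry constants.
use constant ADS_RIGHT_DS_CONTROL_ACCESS       => 0x100;
use constant ADS_ACETYPE_ACCESS_DENIED         => 0x1;
use constant ADS_ACETYPE_ACCESS_ALLOWED_OBJECT => 0x5;
use constant ADS_ACETYPE_ACCESS_DENIED_OBJECT  => 0x6;
use constant ADS_ACEFLAG_OBJECT_TYPE_PRESENT   => 0x1;

my $adp_acct          = 'USERNAME';               # placeholder: sAMAccountName to create
my $adp_homedirectory = 'HOME_DIRECTORY_PATH';    # placeholder: was never declared in the original

open my $log_fh, '>>', LOG_FILE or die 'open ' . LOG_FILE . ": $!";
print {$log_fh} "Adding $adp_acct...\n";

my $user_dn = "cn=$adp_acct, " . ADP_USER_OU;

create_user($adp_acct);
secure_home_directory($adp_homedirectory, $adp_acct);
add_to_group($user_dn);
deny_change_password($user_dn);

close $log_fh or die 'close ' . LOG_FILE . ": $!";

# Bind to an ADSI object by LDAP path; dies with the OLE error text if the
# bind fails instead of returning undef to the caller.
sub bind_ldap {
    my ($path) = @_;
    my $obj = Win32::OLE->GetObject($path)
        or die "GetObject($path) failed: " . Win32::OLE->LastError;
    return $obj;
}

# Create the user object under ADP_USER_OU and commit it.  Only the naming
# attributes and DONT_EXPIRE_PASSWD are set; no password is assigned here.
# NOTE(review): the account's enabled/disabled state after this SetInfo is
# whatever the directory applies to a new password-less user -- confirm.
sub create_user {
    my ($account) = @_;
    my $obj_ou   = bind_ldap('LDAP://' . ADP_USER_OU);
    my $obj_user = $obj_ou->Create('user', "cn=$account")
        or die "Create($account) failed: " . Win32::OLE->LastError;
    $obj_user->Put('sAMAccountName',     $account);
    $obj_user->Put('userPrincipalName',  "$account\@" . ADP_DOMAIN);
    $obj_user->Put('userAccountControl', ADS_UF_DONT_EXPIRE_PASSWD);
    $obj_user->SetInfo;
    return $obj_user;
}

# Create the home directory and set its DACL to exactly two entries:
# Administrator with full control and the account with change/write/read/
# execute.  Set() writes the entries given, so nothing else (Everyone
# included) is granted; the original's delete of a never-added Everyone key
# is therefore dropped.
sub secure_home_directory {
    my ($path, $account) = @_;
    mkdir $path or die "mkdir $path: $!";
    my %acl_for = (
        Administrator => MakeMask(qw(GENERIC_ALL FULL)),
        $account      => MakeMask(qw(CHANGE GENERIC_WRITE GENERIC_READ GENERIC_EXECUTE)),
    );
    Set($path, \%acl_for);
    return;
}

# Add the user (by distinguished name) to the group at ADP_GROUP_OU.
sub add_to_group {
    my ($dn) = @_;
    my $obj_group = bind_ldap('LDAP://' . ADP_GROUP_OU);
    $obj_group->Add("LDAP://$dn");
    return;
}

# Build one object-specific deny ACE for the Change-Password right, for the
# given trustee.
sub change_password_deny_ace {
    my ($trustee) = @_;
    my $ace = Win32::OLE->new('AccessControlEntry')
        or die 'cannot create AccessControlEntry: ' . Win32::OLE->LastError;
    $ace->{Trustee}    = $trustee;
    $ace->{AceFlags}   = 0;
    $ace->{AceType}    = ADS_ACETYPE_ACCESS_DENIED_OBJECT;
    $ace->{Flags}      = ADS_ACEFLAG_OBJECT_TYPE_PRESENT;
    $ace->{ObjectType} = CHANGE_PASSWORD_GUID;
    $ace->{AccessMask} = ADS_RIGHT_DS_CONTROL_ACCESS;
    return $ace;
}

# Mark the account "User cannot change password": deny the Change-Password
# right to the account itself (SELF) and to Everyone, then write the security
# descriptor back.  The descriptor is written through the same object it was
# read from; the original wrote it through the object returned by Create(),
# which refers to the same DN.
sub deny_change_password {
    my ($dn) = @_;
    my $obj_user = bind_ldap("LDAP://$dn");
    my $obj_sd   = $obj_user->Get('ntSecurityDescriptor');
    my $obj_dacl = $obj_sd->DiscretionaryAcl;
    for my $trustee ('NT AUTHORITY\SELF', 'EVERYONE') {
        $obj_dacl->AddAce( change_password_deny_ace($trustee) );
    }
    $obj_user->Put('ntSecurityDescriptor', [$obj_sd]);
    $obj_user->SetInfo;
    return;
}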



