Lightweight Directory Access Protocol (ldap) Interfacing Microsofts Active Directory over LDAP

[Mr. Matt 0]

This was a script I wrote for automating the creation of over 1000 some accounts within Active Directory over summer before the new fiscal year in 2007. It is not intended for direct use. Please make changes necessary to reflect your user management or production environment.

 

#!/usr/bin/perl

use strict;

# use Tk;

# use Tk::DialogBox;

# use Tk::Carp qw/cluck warningsToDialog fatalsToDialog/;

use Win32::FileSecurity qw(MakeMask Get Set);

use Win32::OLE;

 

/*

my $adp_acct = 'USERNAME';

 

use constant ADP_DOMAIN = 'DOMAIN';

use constant ADP_PARENT_OU => 'ou=Sub Organizational Unit, ou=Organizational Unit, dc=' . ADP_DOMAIN;

use constant ADP_GROUP_OU => 'cn=Group Name, dc=DOMAIN';

use constant CHANGE_PASSWORD_GUID => '{ab721a53-1e2f-11d0-9819-00aa0040529b}'; # User cannot change password

use constant ADS_UF_DONT_EXPIRE_PASSWD => 0x10000; # Password does not expire

use constant ADS_CUSTOM_ACCOUNT_ENABLED => 0x512; # Account is enabled

use constant ADS_RIGHT_DS_CONTROL_ACCESS => 0x100;

use constant ADS_ACETYPE_ACCESS_DENIED => 0x1;

use constant ADS_ACETYPE_ACCESS_ALLOWED_OBJECT => 0x5;

use constant ADS_ACETYPE_ACCESS_DENIED_OBJECT => 0x6;

use constant ADS_ACEFLAG_OBJECT_TYPE_PRESENT => 0x1;

 

my $ADP_USER_OU = "ou=Container, " . ADP_PARENT_OU;

my $adp_domain = 'DOMAIN';

 

print LOG "Adding $adp_acct...\n";

 

my $objDomain = Win32::OLE->GetObject("LDAP://$ADP_USER_OU;);

my $objUser = $objDomain->Create('user', 'cn=' . $adp_acct);

 

$objUser->Put('sAMAccountName', "$adp_acct");

$objUser->Put('userPrincipalName', "$adp_acct\@" . ADP_DOMAIN);

$objUser->Put('userAccountControl', ADS_UF_DONT_EXPIRE_PASSWD);

$objUser->SetInfo;

 

my %current_acl;

mkdir $adp_homedirectory;

my $acl_admin = MakeMask(qw(GENERIC_ALL FULL));

my $acl_user = MakeMask(qw(CHANGE GENERIC_WRITE GENERIC_READ GENERIC_EXECUTE));

 

$current_acl{Administrator} = $acl_admin;

$current_acl{$adp_acct} = $acl_user;

delete $current_acl{Everyone};

 

Set($adp_homedirectory, \%current_acl);

 

my $objGroup = Win32::OLE->GetObject('LDAP://' . ADP_GROUP_OU);

$objGroup->Add("LDAP://cn, " . $ADP_USER_OU);

 

my $objACESelf = Win32::OLE->new('AccessControlEntry');

my $objACEEveryone = Win32::OLE->new('AccessControlEntry');

$objACESelf->{Trustee} = 'NT AUTHORITY\SELF';

$objACEEveryone->{Trustee} = 'EVERYONE';

$objACESelf->{AceFlags} = 0;

$objACESelf->{AceType} = ADS_ACETYPE_ACCESS_DENIED_OBJECT;

$objACESelf->{Flags} = ADS_ACEFLAG_OBJECT_TYPE_PRESENT;

$objACESelf->{ObjectType} = CHANGE_PASSWORD_GUID;

$objACESelf->{AccessMask} = ADS_RIGHT_DS_CONTROL_ACCESS;

$objACEEveryone->{AceFlags} = 0;

$objACEEveryone->{AceType} = ADS_ACETYPE_ACCESS_DENIED_OBJECT;

$objACEEveryone->{Flags} = ADS_ACEFLAG_OBJECT_TYPE_PRESENT;

$objACEEveryone->{ObjectType} = CHANGE_PASSWORD_GUID;

$objACEEveryone->{AccessMask} = ADS_RIGHT_DS_CONTROL_ACCESS;

 

my $objACEUser = Win32::OLE->GetObject("LDAP://cn, $ADP_USER_OU");

my $objSecDescriptor = $objACEUser->Get('ntSecurityDescriptor');

my $objDACL = $objSecDescriptor->DiscretionaryAcl;

$objDACL->AddAce($objACESelf);

$objDACL->AddAce($objACEEveryone);

$objUser->Put('ntSecurityDescriptor', [$objSecDescriptor]);

$objUser->SetInfo;

*/

Edited March 24, 2008 by Mr. Matt (see edit history)