Mr. Matt

Lightweight Directory Access Protocol (ldap) Interfacing Microsofts Active Directory over LDAP


This was a script I wrote for automating the creation of over 1,000 accounts within Active Directory over the summer before the new fiscal year in 2007. It is not intended for direct use. Please make the changes necessary to reflect your user management or production environment.

 

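#!/usr/bin/perl
# Provisions one Active Directory user over LDAP via ADSI (Win32::OLE):
#   1. creates the user object under a fixed OU,
#   2. creates and ACLs the user's home directory,
#   3. adds the user to a group,
#   4. writes two object-specific deny ACEs (SELF and EVERYONE) for the
#      User-Change-Password control right onto the user's ntSecurityDescriptor,
#      which is how AD expresses "User cannot change password".
#
# Not intended for direct use: DOMAIN, the OU strings, the home-directory root
# and the log path are placeholders that must be replaced per environment.
# The script sets no password on the new account; combined with
# ADS_UF_DONT_EXPIRE_PASSWD and the change-password deny ACEs this yields a
# credential that is never rotated, so the operator must set and manage the
# initial password by other means before the account is used.
use strict;
use warnings;

# use Tk;
# use Tk::DialogBox;
# use Tk::Carp qw/cluck warningsToDialog fatalsToDialog/;

use Win32::FileSecurity qw(MakeMask Get Set);
use Win32::OLE;

# Make failed ADSI/OLE calls fatal (Warn => 3 croaks) instead of silently
# returning undef, so a half-provisioned account cannot go unnoticed.
Win32::OLE->Option(Warn => 3);

my $adp_acct = 'USERNAME';    # placeholder: sAMAccountName of the account to create

use constant ADP_DOMAIN    => 'DOMAIN';    # placeholder domain name
use constant ADP_PARENT_OU => 'ou=Sub Organizational Unit, ou=Organizational Unit, dc=' . ADP_DOMAIN;
use constant ADP_GROUP_OU  => 'cn=Group Name, dc=DOMAIN';

# Control-access right GUID for User-Change-Password.  A deny ACE carrying it
# on the user object implements "User cannot change password".
use constant CHANGE_PASSWORD_GUID => '{ab721a53-1e2f-11d0-9819-00aa0040529b}';

# userAccountControl bits.  ADS_CUSTOM_ACCOUNT_ENABLED is the normal-account
# type bit (decimal 512); the original 0x512 appears to be a hex/decimal mix-up.
use constant ADS_CUSTOM_ACCOUNT_ENABLED => 0x200;      # ADS_UF_NORMAL_ACCOUNT
use constant ADS_UF_DONT_EXPIRE_PASSWD  => 0x10000;    # Password does not expire

# ACE building blocks for the ntSecurityDescriptor edit.
use constant ADS_RIGHT_DS_CONTROL_ACCESS       => 0x100;
use constant ADS_ACETYPE_ACCESS_DENIED         => 0x1;
use constant ADS_ACETYPE_ACCESS_ALLOWED_OBJECT => 0x5;
use constant ADS_ACETYPE_ACCESS_DENIED_OBJECT  => 0x6;
use constant ADS_ACEFLAG_OBJECT_TYPE_PRESENT   => 0x1;

my $ADP_USER_OU = 'ou=Container, ' . ADP_PARENT_OU;
my $user_dn     = "cn=$adp_acct, $ADP_USER_OU";

# Placeholders (constructed): replace with the real home-share root and log file.
my $adp_homedirectory = 'HOME_ROOT\\' . $adp_acct;
my $log_file          = 'LOG_FILE';

open my $log, '>>', $log_file or die "open $log_file: $!";
print {$log} "Adding $adp_acct...\n";

# --- 1. Create the user object -------------------------------------------
my $objDomain = Win32::OLE->GetObject("LDAP://$ADP_USER_OU")
    or die "GetObject LDAP://$ADP_USER_OU: " . Win32::OLE->LastError();
my $objUser = $objDomain->Create('user', "cn=$adp_acct");

$objUser->Put('sAMAccountName',    $adp_acct);
$objUser->Put('userPrincipalName', $adp_acct . '@' . ADP_DOMAIN);
# The account-type bit must be OR'ed in with the option flags; writing only
# ADS_UF_DONT_EXPIRE_PASSWD (as the original did) may leave the directory to
# supply or reject the account type.
$objUser->Put('userAccountControl', ADS_CUSTOM_ACCOUNT_ENABLED | ADS_UF_DONT_EXPIRE_PASSWD);
$objUser->SetInfo;

# --- 2. Home directory and its ACL ---------------------------------------
if (!-d $adp_homedirectory) {
    mkdir $adp_homedirectory or die "mkdir $adp_homedirectory: $!";
}

my %current_acl;
# Start from the directory's existing ACL so that removing Everyone below
# actually removes an entry (the original deleted from an empty hash).
Get($adp_homedirectory, \%current_acl);

my $acl_admin = MakeMask(qw(GENERIC_ALL FULL));
my $acl_user  = MakeMask(qw(CHANGE GENERIC_WRITE GENERIC_READ GENERIC_EXECUTE));

$current_acl{Administrator} = $acl_admin;
$current_acl{$adp_acct}     = $acl_user;
delete $current_acl{Everyone};

Set($adp_homedirectory, \%current_acl);

# --- 3. Group membership --------------------------------------------------
my $objGroup = Win32::OLE->GetObject('LDAP://' . ADP_GROUP_OU)
    or die 'GetObject LDAP://' . ADP_GROUP_OU . ': ' . Win32::OLE->LastError();
# The original passed "LDAP://cn, <ou>" with the account name missing.
$objGroup->Add("LDAP://$user_dn");

# --- 4. "User cannot change password" deny ACEs --------------------------
my $objACEUser = Win32::OLE->GetObject("LDAP://$user_dn")
    or die "GetObject LDAP://$user_dn: " . Win32::OLE->LastError();
my $objSecDescriptor = $objACEUser->Get('ntSecurityDescriptor');
my $objDACL          = $objSecDescriptor->DiscretionaryAcl;

$objDACL->AddAce(_deny_change_password_ace('NT AUTHORITY\SELF'));
$objDACL->AddAce(_deny_change_password_ace('EVERYONE'));

# Write the descriptor back through the object it was read from.  The
# array-ref wrapper is kept from the original; it presumably marshals the
# descriptor object as a variant -- confirm against Win32::OLE before relying
# on it.
$objACEUser->Put('ntSecurityDescriptor', [$objSecDescriptor]);
$objACEUser->SetInfo;

print {$log} "Added $adp_acct\n";
close $log or die "close $log_file: $!";

# Builds an object-specific ACCESS_DENIED ACE for the User-Change-Password
# control right, granted to $trustee (e.g. 'NT AUTHORITY\SELF' or 'EVERYONE').
sub _deny_change_password_ace {
    my ($trustee) = @_;

    my $ace = Win32::OLE->new('AccessControlEntry')
        or die 'new AccessControlEntry: ' . Win32::OLE->LastError();

    $ace->{Trustee}    = $trustee;
    $ace->{AceFlags}   = 0;
    $ace->{AceType}    = ADS_ACETYPE_ACCESS_DENIED_OBJECT;
    $ace->{Flags}      = ADS_ACEFLAG_OBJECT_TYPE_PRESENT;    # ObjectType is meaningful
    $ace->{ObjectType} = CHANGE_PASSWORD_GUID;
    $ace->{AccessMask} = ADS_RIGHT_DS_CONTROL_ACCESS;

    return $ace;
}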

