archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4 Commits
1 Branch
0 Tags
1.5 GiB
Tree: 5c6fe3db62
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '5c6fe3db62'
${ noResults }
windows-server-2003/admin/dsutils/migrate/scripts/clonepr.vbi

903 lines
27 KiB
Raw Normal View History

commiting as it is
4 years ago
  1. ' clonepr.vbi start
  3. // VB Script "Include" file for CloneSecurityPrincipal scripts
  4. //
  5. // contains code common to all the scripts
  6. //
  7. // Copyright (C) 1999 Microsoft Corporation.
  11. ' various manifest constants
  12. const CLASS_USER = 0
  13. const CLASS_LOCAL_GROUP = 1
  14. const CLASS_GLOBAL_GROUP = 2
  15. const CLASS_OTHER = 3
  17. ' the elements of this array are indexed by the above constants
  18. dim classNames(2)
  19. classNames(CLASS_USER) = "User"
  20. classNames(CLASS_LOCAL_GROUP) = "Group"
  21. classNames(CLASS_GLOBAL_GROUP) = "Group"
  23. ' from iads.h
  24. const ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP = &H4
  25. const ADS_GROUP_TYPE_GLOBAL_GROUP = &H2
  26. const ADS_GROUP_TYPE_UNIVERSAL_GROUP = &H8
  27. const ADS_GROUP_TYPE_SECURITY_ENABLED = &H80000000
  28. const ADS_NAME_INITTYPE_DOMAIN = 1
  29. const ADS_NAME_INITTYPE_SERVER = 2
  30. const ADS_NAME_TYPE_1779 = 1
  31. const ADS_NAME_TYPE_NT4 = 3
  32. const ADS_NAME_TYPE_SID_OR_SID_HISTORY_NAME = 12
  33. const ADS_PROPERTY_APPEND = 3
  34. const ADS_PROPERTY_DELETE = 4
  35. const ADS_PROPERTY_UPDATE = 2
  37. ' from lmaccess.h
  38. const UF_TEMP_DUPLICATE_ACCOUNT = &H0100
  39. const UF_NORMAL_ACCOUNT = &H0200
  41. ' from andyhar's adsi reskit
  42. const ADS_SID_RAW = 0
  43. const ADS_SID_HEXSTRING = 1
  44. const ADS_SID_SDDL = 4
  45. const ADS_SID_WINNT_PATH = 5
  46. const ADS_SID_ACTIVE_DIRECTORY_PATH = 6
  48. const E_ADS_UNKNOWN_OBJECT = &H80005004
  49. const E_ADS_ERROR_DS_NO_SUCH_OBJECT = &H80072030
  50. const E_ADS_ERROR_DS_NAME_NOT_FOUND = &H80072116
  54. ' create the COM object implementing ICloneSecurityPrincipal
  55. dim clonepr
  56. set clonepr = CreateObject("DSUtils.ClonePrincipal")
  57. if Err.Number then DumpErrAndQuit
  59. ' create the COM object implementing IADsNameTranslate
  60. dim nameTranslate
  61. set nameTranslate = CreateObject("NameTranslate")
  62. if Err.Number then DumpErrAndQuit
  64. ' create the COM object implementing IADsPathname
  65. dim adsPathname
  66. set adsPathname = CreateObject("Pathname")
  67. if Err.Number then DumpErrAndQuit
  69. ' create the COM object implementing IADsError
  70. dim adsError
  71. set adsError = CreateObject("DSUtils.ADsError")
  72. if Err.Number then DumpErrAndQuit
  74. ' create the COM object implementing IADsSID
  75. dim sid
  76. set sid = CreateObject("DSUtils.ADsSID")
  77. if Err.Number then DumpErrAndQuit
  81. '
  82. ' functions and subroutines follow
  83. '
  86. sub CloneSecurityPrincipal(byref srcObject, byval srcSam, byval dstDom, byval dstDC, byval dstSam, byval dstDN)
  87. on error resume next
  89. ' verify that the source object is of a type that we support
  90. dim srcObjectClass
  91. srcObjectClass = ObjectClass(srcObject)
  93. select case srcObjectClass
  94. case CLASS_USER
  95. if srcObject.UserFlags and UF_TEMP_DUPLICATE_ACCOUNT then
  96. Echo "Source object is a temporary local user account, which is not supported."
  97. wscript.quit(0)
  98. end if
  99. case CLASS_LOCAL_GROUP
  100. case CLASS_GLOBAL_GROUP
  101. ' do nothing
  102. case else
  103. ' not a supported object class
  104. Echo "Source object is of type " & srcObject.Class & ", which is not supported by this tool."
  105. wscript.quit(0)
  106. end select
  108. ' bind to the destination object
  110. ' we attempt to locate the destination object by it's sam account name, in
  111. ' order to determine if that name is already in use by a security principal
  112. ' in the destination domain.
  114. dim dstObjectSamPath
  115. dstObjectSamPath = "WinNT://" & dstDom & "/" & dstDC & "/" & dstSam
  117. dim dstObjectDNPath
  118. dstObjectDNPath = "LDAP://" & dstDC & "/" & dstDN
  120. dim dstObjectClass
  121. dim dstObject
  123. Err.Clear
  124. set dstObject = GetObject(dstObjectSamPath)
  125. dim errnum1
  126. errnum1 = Err.Number
  127. select case errnum1
  128. case E_ADS_UNKNOWN_OBJECT
  129. ' destination is not found
  131. Echo "Destination object " & dstSam & " not found (by SAM name) path used: " & dstObjectSamPath
  133. ' bind to the DN of the object, then
  134. Err.Clear
  135. set dstObject = GetObject(dstObjectDNPath)
  136. dim errnum2
  137. errnum2 = Err.Number
  138. select case errnum2
  139. case E_ADS_ERROR_DS_NO_SUCH_OBJECT
  140. Echo "Destination object " & dstDN & " not found (by DN) path used: " & dstObjectDNPath
  142. ' create the dstDN object of the same type as the source
  143. Err.Clear
  144. set dstObject = CreateDestinationDN(dstSam, dstDN, dstDC, srcObjectClass)
  146. case 0
  147. ' dstDN found
  149. Echo "Destination DN found"
  151. dstObjectClass = ObjectClass(dstObject)
  153. if dstObjectClass <> srcObjectClass then
  154. Bail "Source and destination objects differ in class type."
  155. end if
  157. if UCase(dstObject.SamAccountName) <> UCase(dstSam) then
  158. ' sam name of the object is not the same as the sam name
  159. ' specified on the command line
  160. Bail "SAM account name of " & dstDN & " is " & dstObject.SamAccountName & " not " & dstSam
  161. end if
  163. case else
  164. Echo "Error attempting to bind to " & dstObjectDNPath
  165. DumpErrAndQuit
  167. end select
  169. case 0
  170. ' dstSam found. Find the DN of the object it refers to
  172. Echo "Destination SAM name found"
  174. nameTranslate.Init ADS_NAME_INITTYPE_SERVER, dstDC
  175. if Err.Number then DumpErrAndQuit
  177. nameTranslate.Set ADS_NAME_TYPE_NT4, dstDom & "\" & dstSam
  178. if Err.Number then DumpErrAndQuit
  180. dim foundDN
  181. foundDN = nameTranslate.Get(ADS_NAME_TYPE_1779) ' aka full DN
  182. if Err.Number then DumpErrAndQuit
  184. Echo dstSam & " refers to " & foundDN
  186. if UCase(dstDN) <> UCase(foundDN) then
  187. ' sam name is in use by another object than the one the user
  188. ' indicated.
  189. Bail "SAM account name " & dstSam & " is in use by object " & foundDN & ", not " & dstDN
  190. end if
  192. ' at this point, we've verified that the sam name specified by the
  193. ' user matches the DN. Now verify that the DN refers to an object
  194. ' of the same type as the source
  196. set dstObject = GetObject("LDAP://" & dstDC & "/" & foundDN)
  197. if Err.Number then DumpErrAndQuit
  199. dstObjectClass = ObjectClass(dstObject)
  200. if dstObjectClass <> srcObjectClass then
  201. Bail "Source and destination objects differ in class type."
  202. end if
  204. case else
  205. Echo "Error attempting to bind to destination object " & dstObjectSamPath
  206. DumpErrAndQuit
  207. end select
  209. ' at this point, dstObject is bound to the object onto which we
  210. ' should clone the source object
  212. ' copy the source object's properties
  213. Echo "Setting properties for target " & dstObject.Class & " " & dstObject.Name
  214. select case srcObjectClass
  215. case CLASS_USER
  217. ' copy the properties of the source user to the destination user
  218. clonepr.CopyDownlevelUserProperties srcSam, dstSam, 0
  219. if Err.Number then DumpErrAndQuit
  221. Echo "Downlevel properties set."
  223. ' fixup the destination user's group memberships
  225. FixupUserGroupMemberships srcObject, dstObject, dstDC
  226. if Err.Number then DumpErrAndQuit
  228. Echo "User's Group memberships restored."
  230. ' commit the changes
  231. dstObject.SetInfo
  232. if Err.Number then DumpErrAndQuit
  234. Echo "User changes commited."
  236. case CLASS_LOCAL_GROUP
  237. ' copy the source group's description
  238. if srcObject.Description <> "" then
  239. dstObject.Put "Description", srcObject.Description
  240. dstObject.SetInfo
  241. if Err.Number then DumpErrAndQuit
  242. end if
  244. Echo "Local group description set."
  246. ' copy the source local group's membership
  247. CopyLocalGroupMembership srcObject, dstObject
  248. if Err.Number then DumpErrAndQuit
  250. Echo "Local group membership copied."
  252. ' commit the changes
  253. dstObject.SetInfo
  254. if Err.Number then DumpErrAndQuit
  256. Echo "Local group changes commited."
  258. case CLASS_GLOBAL_GROUP
  259. ' copy the source group's description
  260. if srcObject.Description <> "" then
  261. dstObject.Put "Description", srcObject.Description
  262. dstObject.SetInfo
  263. if Err.Number then DumpErrAndQuit
  264. end if
  266. Echo "Global group description set."
  268. ' fixup the destination group's members
  269. FixupGlobalGroupMembers srcObject, dstObject, dstDC
  270. if Err.Number then DumpErrAndQuit
  272. Echo "Global group memberships restored."
  274. ' commit the change
  275. dstObject.SetInfo
  276. if Err.Number then DumpErrAndQuit
  278. Echo "Global group changes commited."
  280. case else
  281. ' why are we here? what is my purpose in life?
  282. wscript "illegal code path"
  283. wscript.quit(0)
  285. end select
  287. ' Add the SID of the source principal to the sid history of the destination
  288. ' principal.
  289. Echo "Adding SID for source " & srcObject.Class & " " & srcObject.Name & " to SID history of target " & dstObject.Class & " " & dstObject.Name
  290. clonepr.AddSidHistory srcSam, dstSam, 0
  291. if Err.Number then DumpErrAndQuit
  293. Echo "SID history set successfully."
  295. ' all done
  296. Echo srcObject.Name & " cloned successfully."
  297. end sub
  301. ' Create a DS security principal object, and return a bound reference to it.
  302. '
  303. ' samName - in, sam account name of object-to-be
  304. '
  305. ' DN - in, full DN of the object to be created
  306. '
  307. ' DC - in, name of domain controller on which the object is to be created
  308. '
  309. ' objectClass - in, CLASS_ constant for the type of object to create
  311. function CreateDestinationDN(byval samName, byval DN, byval DC, byval objectClass)
  312. on error resume next
  313. Echo "Creating " & DN
  315. ' determine the name of the container to place the new object by removing
  316. ' the leaf-most portion of the DN
  317. dim p
  318. p = InStr(1, DN, ",", 1)
  320. dim dstCN
  321. dstCN = Mid(DN, 1, p - 1) ' - 1 to omit the comma
  323. dim ouDN, ouDNPath
  324. ouDN = Mid(DN, p + 1) ' + 1 to skip the comma
  325. ouDNPath = "LDAP://" & DC & "/" & ouDN
  327. dim container, errnum3
  328. set container = GetObject(ouDNPath)
  329. select case Err.Number
  330. case E_ADS_ERROR_DS_NO_SUCH_OBJECT
  331. Bail "Container " & ouDN & " not found"
  332. case 0
  333. ' do nothing
  334. case else
  335. Echo "Error attempting to bind to " & ouDN
  336. DumpErrAndQuit
  337. end select
  339. dim dstObject
  340. set dstObject = container.Create(classNames(objectClass), dstCN)
  341. if Err.Number then
  342. Echo "Error attempting to create " & DN
  343. DumpErrAndQuit
  344. end if
  346. dstObject.Put "samAccountName", samName
  347. if Err.Number then
  348. Echo "Error attempting to set samAccountName for " & DN
  349. DumpErrAndQuit
  350. end if
  352. select case objectClass
  353. case CLASS_USER
  354. ' nothing more to add
  356. case CLASS_LOCAL_GROUP
  357. ' set group type to local
  358. dstObject.Put "groupType", ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP + ADS_GROUP_TYPE_SECURITY_ENABLED
  359. if Err.Number then
  360. Echo "Error attempting to set local group type for " & DN
  361. DumpErrAndQuit
  362. end if
  364. case CLASS_GLOBAL_GROUP
  365. ' set group type to global
  366. dstObject.Put "groupType", ADS_GROUP_TYPE_GLOBAL_GROUP + ADS_GROUP_TYPE_SECURITY_ENABLED
  367. if Err.Number then
  368. Echo "Error attempting to set global group type for " & DN
  369. DumpErrAndQuit
  370. end if
  372. end select
  374. dstObject.SetInfo
  375. if Err.Number then
  376. Echo "Error attempting to commit create of " & DN
  377. DumpErrAndQuit
  378. end if
  380. Echo "Created " & DN
  382. set CreateDestinationDN = dstObject
  383. end function
  387. ' for each group to which the source user object belongs, look for that
  388. ' group's sid in the sid histories of objects in the destination forest
  389. ' (domain?). If found, add the destination user as a member of the located
  390. ' group. Thus, when a user is cloned, the clone becomes a member of all the
  391. ' existing cloned groups corresponding to the original groups the
  392. ' orignal user belonged to.
  394. sub FixupUserGroupMemberships(byref srcObject, byref dstObject, byval dstDC)
  395. on error resume next
  396. Echo "Fixing group memberships for " & dstObject.Class & " " & dstObject.Name
  398. nameTranslate.Init ADS_NAME_INITTYPE_SERVER, dstDC
  399. if Err.Number then DumpErrAndQuit
  401. dim group
  402. dim sidString
  403. for each group in srcObject.Groups
  404. if (ObjectClass(group) = CLASS_GLOBAL_GROUP) then
  405. Echo " Found global group " & group.ADsPath
  407. sid.SetAs ADS_SID_WINNT_PATH, group.AdsPath & "," & group.Class
  408. if Err.Number then DumpErrAndQuit
  410. sidString = sid.GetAs(ADS_SID_SDDL)
  411. if Err.Number then DumpErrAndQuit
  413. if IsBuiltInSid(sidString) then
  414. Echo " " & group.ADsPath & " is a built-in group"
  416. ' built-ins are present in every domain with the same sid. So we
  417. ' can't search for the corresponding destination object by sid, or
  418. ' we may be multiple matches (if there is more than 1 domain in the
  419. ' destination forest, and the destination DC also happens to be
  420. ' a global catalog). So, here we compose a sid-style LDAP path
  421. ' for the built-in destination object.
  423. sidString = "<sid=" & sid.GetAs(ADS_SID_HEXSTRING) & ">"
  424. if Err.Number then DumpErrAndQuit
  426. dim mypath
  427. mypath = "LDAP://" & dstDC & "/" & sidString
  429. dim mygroup
  430. set mygroup = GetObject(mypath)
  431. if Err.Number then DumpErrAndQuit
  433. if not IsUserMemberOfGroup(mygroup, dstObject) then
  434. Echo " Adding " & dstObject.Name & " to group " & mygroup.Name
  435. mygroup.Add dstObject.AdsPath
  436. else
  437. Echo " " & dstObject.Name & " is already member of " & mygroup.Name
  438. end if
  439. if Err.Number then DumpErrAndQuit
  440. else
  442. ' find the DN of the object with that sid as its object sid or in
  443. ' its sid history (the sid history is where it will be, if the object
  444. ' is a clone).
  446. nameTranslate.Set ADS_NAME_TYPE_SID_OR_SID_HISTORY_NAME, sidString
  447. select case Err.Number
  448. case E_ADS_ERROR_DS_NAME_NOT_FOUND
  449. ' do nothing: skip this member; it hasn't been cloned yet
  451. Echo " Skipping " & group.ADsPath & " -- not cloned yet"
  453. case 0
  454. ' found!
  455. dim foundDN
  456. foundDN = ""
  457. foundDN = nameTranslate.Get(ADS_NAME_TYPE_1779) ' aka full DN
  459. select case Err.Number
  460. case E_ADS_ERROR_DS_NAME_NOT_FOUND
  461. ' do nothing: skip this member; it hasn't been cloned yet
  462. case 0
  463. AddUserToGroup dstObject, foundDN, dstDC
  464. case else
  465. DumpErrAndQuit
  466. end select
  468. case else
  469. DumpErrAndQuit
  471. end select
  472. end if
  473. else
  474. Echo " Skipping group " & group.AdsPath & " -- not global group"
  475. end if
  477. ' need to clear this so next iteration won't choke.
  478. Err.Clear
  479. next
  480. end sub
  484. ' for each member of the source local group, obtain the member's SID and add
  485. ' that SID as a member of the destination local group. If that SID does not
  486. ' refer to a security principal in the destination domain, then the SAM will
  487. ' create a Foreign Principal Object (FPO) to represent that SID. then SAM
  488. ' will replace the reference to the SID in the group membership with the DN
  489. ' of the FPO. An FPO acts like a proxy for the SID.
  491. sub CopyLocalGroupMembership(byref srcObject, byref dstObject)
  492. on error resume next
  494. Echo "Copying local group membership"
  496. ' get the sids in string form of each of the members of the source
  497. ' group. collect them in an array
  498. dim member
  499. dim sidString
  500. dim sidStringArray()
  501. dim i
  502. i = 0
  504. dim dn
  505. dn = dstObject.Get("distinguishedName")
  506. if Err.Number then DumpErrAndQuit
  508. Echo " Getting destination group membership as SIDs"
  510. dim dstExistingMemberSIDs
  511. dstExistingMemberSIDs = clonepr.GetMembersSIDs(dn)
  512. if Err.Number then DumpErrAndQuit
  514. dim numExistingMembers
  515. numExistingMembers = 0
  516. dim x
  517. for each x in dstExistingMemberSIDs
  518. numExistingMembers = numExistingMembers + 1
  519. next
  521. for each member in srcObject.Members
  522. dim sidDeletedAccount
  523. if IsDeletedAccount(member.AdsPath, sidDeletedAccount) then
  524. Echo " Considering deleted account: " & sidDeletedAccount
  525. sid.SetAs ADS_SID_SDDL, sidDeletedAccount
  526. else
  527. Echo " Considering normal account: " & member.AdsPath
  528. sid.SetAs ADS_SID_WINNT_PATH, member.AdsPath & "," & member.Class
  529. end if
  530. if Err.Number then DumpErrAndQuit
  532. sidString = "<sid=" & sid.GetAs(ADS_SID_HEXSTRING) & ">"
  533. if Err.Number then DumpErrAndQuit
  535. if (0 = numExistingMembers) Or (not SidStringExists(sidString, dstExistingMemberSIDs)) then
  536. Echo " Adding " & sidString
  537. redim preserve sidStringArray(i)
  538. sidStringArray(i) = sidString
  539. i = i + 1
  540. end if
  541. next
  543. ' use the array to update the destination group in one whack.
  544. if i then
  545. if 0 = numExistingMembers then
  546. dstObject.PutEx ADS_PROPERTY_UPDATE, "member", sidStringArray
  547. else
  548. dstObject.PutEx ADS_PROPERTY_APPEND, "member", sidStringArray
  549. end if
  550. if Err.Number then DumpErrAndQuit
  552. dstObject.SetInfo
  553. if Err.Number then DumpErrAndQuit
  554. end if
  555. end sub
  559. function IsDeletedAccount(byref AdsPath, byref sidDeletedAccount)
  560. dim pos0, pos1
  561. pos0 = InStr(1, AdsPath, "://", 1)
  562. pos1 = InStr(pos0 + 3, AdsPath, "/", 1)
  564. if 0 = pos1 then
  565. IsDeletedAccount = True
  566. sidDeletedAccount = Mid(AdsPath, pos0 + 3)
  567. else
  568. IsDeletedAccount = False
  569. end if
  571. end function
  575. function SidStringExists(byref sidString, byref dstExistingMemberSIDs)
  576. dim sid
  577. sid = UCase(sidString)
  579. SidStringExists = False
  581. dim x
  582. For each x in dstExistingMemberSIDs
  583. if UCase(x) = sid then
  584. Echo " Skipping existing sid " & x
  585. SidStringExists = True
  586. exit function
  587. end if
  588. next
  590. end function
  594. ' for each member of the source global group, look for that member's sid in
  595. ' the sid histories of objects the destination forest (domain?). If found,
  596. ' add that located object as a member of the destination group. Thus,
  597. ' when a global group is cloned, the existing clones of all users that belong
  598. ' to the original group will belong to the cloned group.
  600. sub FixupGlobalGroupMembers(byref srcObject, byref dstObject, byval dstDC)
  601. on error resume next
  602. Echo "Fixing group membership for " & dstObject.Class & " " & dstObject.Name
  604. nameTranslate.Init ADS_NAME_INITTYPE_SERVER, dstDC
  605. if Err.Number then DumpErrAndQuit
  607. dim member
  608. dim sidString
  609. for each member in srcObject.Members
  611. if member.UserFlags and UF_NORMAL_ACCOUNT then
  613. ' extract the sid of the account
  614. sid.SetAs ADS_SID_WINNT_PATH, member.AdsPath & "," & member.Class
  615. if Err.Number then DumpErrAndQuit
  617. sidString = sid.GetAs(ADS_SID_SDDL)
  618. if Err.Number then DumpErrAndQuit
  620. ' find the DN of the member with that sid as its object sid or in
  621. ' its sid history (the sid history is where it will be, if the member
  622. ' is a clone).
  623. nameTranslate.Set ADS_NAME_TYPE_SID_OR_SID_HISTORY_NAME, sidString
  624. select case Err.Number
  625. case E_ADS_ERROR_DS_NAME_NOT_FOUND
  626. ' do nothing: skip this member; it hasn't been cloned yet
  628. case 0
  629. ' found!
  630. dim foundDN
  631. foundDN = ""
  632. foundDN = nameTranslate.Get(ADS_NAME_TYPE_1779) ' aka full DN
  634. select case Err.Number
  635. case E_ADS_ERROR_DS_NAME_NOT_FOUND
  636. ' do nothing: skip this member; it hasn't been cloned yet
  637. case 0
  638. ' add the dn to the members property of the dst object
  639. dim path
  640. path = "LDAP://" & dstDC & "/" & foundDN
  641. Dim tempObj
  642. set tempObj = GetObject(path)
  643. if Err.Number then DumpErrAndQuit
  644. if NOT IsUserMemberOfGroup( dstObject, tempObj ) then
  645. Echo " adding " & foundDN & " to group " & dstObject.Name
  646. dstObject.Add path
  647. end if
  648. if Err.Number then DumpErrAndQuit
  650. case else
  651. DumpErrAndQuit
  652. end select
  654. case else
  655. DumpErrAndQuit
  656. end select
  658. ' need to clear this so the next iteration doesn't choke
  659. Err.Clear
  661. else
  663. ' skip computer, temp and trust accounts
  664. Echo " Skipping non-user account " & member.Name
  665. end if
  666. next
  667. end sub
  671. ' user - in, reference to user object, bound with LDAP provider.
  672. '
  673. ' groupDN - in, full DN of the group to which the user is to be added
  674. '
  675. ' dstDC - in, name of destination domain controller
  677. sub AddUserToGroup(byref user, byval groupDN, byval dstDC)
  678. on error resume next
  680. dim path
  681. path = "LDAP://" & dstDC & "/" & groupDN
  683. dim group
  684. set group = GetObject(path)
  685. if Err.Number then DumpErrAndQuit
  687. if not IsUserMemberOfGroup(group,user) then
  688. Echo " Adding " & user.Name & " to group " & group.Name
  689. group.Add user.AdsPath
  690. else
  691. Echo " " & user.Name & " is already member of " & group.Name
  692. end if
  693. if Err.Number then DumpErrAndQuit
  694. end sub
  698. function IsUserMemberOfGroup( byref group, byref user )
  699. if group.IsMember(user.AdsPath) then
  700. IsUserMemberOfGroup = True
  701. exit function
  702. end if
  704. sid.SetAs ADS_SID_ACTIVE_DIRECTORY_PATH, group.AdsPath
  705. if Err.Number then DumpErrAndQuit
  707. dim sidString
  708. sidString = sid.GetAs(ADS_SID_SDDL)
  709. if Err.Number then DumpErrAndQuit
  710. if Len(sidString) > 9 then
  711. dim lastDash
  712. lastDash = InStrRev(sidString, "-", -1, 1)
  713. if lastDash then
  714. dim ridString
  715. ridString = Mid(sidString, lastDash + 1)
  716. if StrComp(ridString,user.PrimaryGroupId,1) = 0 then
  717. IsUserMemberOfGroup = True
  718. exit function
  719. end if
  720. end if
  721. end if
  723. IsUserMemberOfGroup = False
  724. end function
  728. ' based on the class of the object, return one of CLASS_USER,
  729. ' CLASS_LOCAL_GROUP, CLASS_GLOBAL_GROUP, CLASS_OTHER
  731. function ObjectClass(object)
  732. dim cls
  733. cls = UCase(object.Class)
  735. if cls = "GROUP" then
  736. if (object.GroupType and ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP) then
  737. ' type is local group
  738. ObjectClass = CLASS_LOCAL_GROUP
  739. exit function
  740. else
  741. if ((object.GroupType and ADS_GROUP_TYPE_GLOBAL_GROUP) or (object.GroupType and ADS_GROUP_TYPE_UNIVERSAL_GROUP)) then
  742. ' type is global group
  743. ObjectClass = CLASS_GLOBAL_GROUP
  744. exit function
  745. end if
  746. end if
  747. else
  748. if cls = "USER" then
  749. ' type is user
  750. ObjectClass = CLASS_USER
  751. exit function
  752. end if
  753. end if
  755. ' type is not recognized
  756. ObjectClass = CLASS_OTHER
  757. exit function
  758. end function
  762. ' returns non-zero if the stringized SID refers to a well-known rid, zero
  763. ' otherwise
  765. function HasWellKnownRid(byval sidString)
  766. ' a SID refers to a well-known account if the first sub-authority (aka
  767. ' RID) is < 1000. The first subauthority is the last portion of the
  768. ' stringized SID
  770. if Len(sidString) > 9 then
  771. dim lastDash
  772. lastDash = InStrRev(sidString, "-", -1, 1)
  773. if lastDash then
  774. dim ridString
  775. ridString = Mid(sidString, lastDash + 1)
  776. if CLng(ridString) < 1000 then
  777. HasWellKnownRid = True
  778. exit function
  779. end if
  780. end if
  781. end if
  783. HasWellKnownRid = False
  784. end function
  788. ' returns non-zero if the stringized SID refers to a builtin sid, zero
  789. ' otherwise
  791. function IsBuiltInSid(byval sidString)
  792. ' a SID refers to builtin account or group if it has prefix S-1-5-32-
  794. if Len(sidString) > 9 then
  795. dim prefixString
  796. prefixString = Mid(sidString, 1, 9)
  797. if StrComp( prefixString, "S-1-5-32-", 1 ) = 0 then
  798. IsBuiltInSid = true
  799. exit function
  800. end if
  801. end if
  803. IsBuiltInSid = False
  804. end function
  808. ' searches for and returns the value of a command line argument of the form
  809. ' /argName:value from the supplied array. erases the entry in the array so
  810. ' that only untouched entries remain.
  812. function GetArgValue(argName, args())
  813. dim a
  814. dim v
  815. dim argNameLength
  816. dim x
  817. dim argCount
  818. dim fullArgName
  820. fullArgName = "/" & argName & ":"
  821. argCount = Ubound(args)
  823. ' Get the length of the argname we are looking for
  824. argNameLength = Len(fullArgName)
  825. GetArgValue = "" ' default to nothing
  827. for x = 0 To argCount
  828. if Len(args(x)) >= argNameLength then
  830. a = Mid(args(x), 1, argNameLength)
  831. if UCase(a) = UCase(fullArgName) then
  833. ' erase it so we can look for unknown args later
  834. v = args(x)
  835. args(x) = ""
  837. if Len(v) > argNameLength then
  838. GetArgValue = Mid(v, argNameLength + 1)
  839. exit function
  840. else
  841. GetArgValue = ""
  842. exit function
  843. end if
  844. end if
  845. end if
  846. next
  847. end function
  851. ' walks thru the array searching for any non-empty element. if at least one
  852. ' is found, then return non-zero. Otherwise return 0.
  854. function CheckForBadArgs(byref args())
  855. dim i
  856. for i = 0 to UBound(args)
  857. if Len(args(i)) > 0 then
  858. CheckForBadArgs = 1
  859. exit function
  860. end if
  861. next
  863. CheckForBadArgs = 0
  864. end function
  868. sub DumpErrAndQuit
  869. dim errnum
  870. errnum = Err.Number
  872. Echo "Error 0x" & CStr(Hex(errnum)) & " occurred."
  873. if len(Err.Description) then
  874. Echo "Error Description: " & Err.Description
  875. end if
  876. if len(Err.Source) then
  877. Echo "Error Source : " & Err.Source
  878. end if
  879. Echo "ADsError Description: "
  880. Echo adsError.GetErrorMsg(errnum)
  881. wscript.quit(0)
  882. end sub
  886. sub Bail(byref message)
  887. Echo "Error: " & message
  888. wscript.quit(0)
  889. end sub
  893. sub Echo(byref message)
  894. wscript.echo message
  895. end sub
  899. ' clonepr.vbi end