Shahir A. Ahang (Guest)
Posted: Wed Aug 10, 2005 12:59 am
Post subject: ADsSecurity (ADsSID) Against an Exchange 5.5 Server
All,
My apologies for the cross-posting but this query touches on ADSI, Exchange,
and VB Scripting. I am trying to query an Exchange 5.5 directory in order
to obtain the Assoc-NT-Account attribute of a mailbox. It is my
understanding that the Assoc-NT-Account, like other SIDs, is a byte array
which VBScript simply cannot handle.
What I had done previously with Active Directory accounts was to use two
functions in VB Script to first convert the byte array to hex string, and
then convert the hex string to a decimal string which displayed the SID in a
readable format, i.e., S-15-... This works for all my accounts in AD.
When I used the same functions against the Assoc-NT-Account in Exchange 5.5,
I do get a conversion but it looks like:
48-49-...
This was obviously not correct so I am led to believe that maybe Exchange
stores the SIDs in a different way than AD does. (BTW, when I counted the
length of the byte array using the Len() function, it was 14 for an AD SID
and 28 for Assoc-NT-Account from Exchange????)
So I did some research and it looked as if the ADsSecurity.dll module might
do the trick. After spending a few hours hacking away, I came up with the
following script. The problem is the script works if it is run against
an NT or AD domain. However, if I run it against the Exchange 5.5
directory, it does not work.
My questions are the following:
1. Is it possible to extract the SID and the Domain\Username associated
with a mailbox in Exchange 5.5 using VB Script?
2. Will ADsSID work with Exchange or does it only work with NT or AD
domains?
Regards,
Shahir Ahang
' ADsSID SetAs/GetAs formats (from the ADsSecurity.dll documentation):
' ADS_SID_RAW ( VT_ARRAY | VT_U1 )
' ADS_SID_HEXSTRING (VT_BSTR), for example, 010500000000000515000000093A2A24358A021ADBEB0C508E040000
' ADS_SID_SAM (VT_BSTR ), for example, ARCADIABAY\jsmith
' ADS_SID_UPN (VT_BSTR), for example, jsmith@arcadiabay.com ( Windows 2000 Only )
' ADS_SID_SDDL (VT_BSTR), for example, S-1-5-21-606747145-436374069-1343024091-1166 (Windows 2000 Only)
' ADS_SID_WINNT_PATH (VT_BSTR), for example, WinNT://ARCADIABAY/jsmith
' ADS_SID_ACTIVE_DIRECTORY_PATH (VT_BSTR), for example, LDAP://CN=John Smith,OU=NTDSys,DC=ArcadiaBay,DC=com
' ADS_SID_SID_BINDING (VT_BSTR), for example, GC://<SID=010500000000000515000000093A2A24358A021ADBEB0C508E040000>
Const ADS_SID_SAM = 2
Const ADS_SID_SDDL = 4
Const ADS_SID_WINNT_PATH = 5
Const ADS_SID_ACTIVE_DIRECTORY_PATH = 6

strMailbox = InputBox("Please enter the Username:", "Username")

' ADO search string in the form <base>;filter;attributes;scope. Each
' (attribute=value) term inside the & must sit in its own parentheses.
strADOQuery = "<LDAP://Exchange-Server:389>;(&(objectClass=organizationalPerson)(rdn=" & _
    strMailbox & "));ADsPath;subTree"
' Same query against an AD domain controller:
'strADOQuery = "<LDAP://AD-DomainController:389>;(&(objectClass=organizationalPerson)(sAMAccountName=" & _
'    strMailbox & "));ADsPath;subTree"

Set objConn = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConn.Provider = "ADsDSOObject"
objConn.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConn
objCommand.CommandText = strADOQuery
Set objRS = objCommand.Execute

' Keep the ADsPath of the last matching object (the query should return one).
strADSPath = ""
While Not objRS.EOF
    strADSPath = objRS.Fields(0).Value
    objRS.MoveNext
Wend
objRS.Close
objConn.Close
Set objRS = Nothing
Set objConn = Nothing

If strADSPath = "" Then
    WScript.Echo "No object found for " & strMailbox
    WScript.Quit 1
End If
WScript.Echo strADSPath

' Bind ADsSID to the directory object and read the SID back as an SDDL
' string and as DOMAIN\username.
Set objSID = CreateObject("ADsSID")
objSID.SetAs ADS_SID_ACTIVE_DIRECTORY_PATH, CStr(strADSPath)
strSID = objSID.GetAs(ADS_SID_SDDL)
strAccountName = objSID.GetAs(ADS_SID_SAM)
Set objSID = Nothing

' A line-continuation underscore must be preceded by a space.
WScript.Echo "ADSPath:" & vbTab & vbTab & strADSPath & vbCrLf & _
    "SID:" & vbTab & vbTab & strSID & vbCrLf & _
    "Account Name:" & vbTab & strAccountName

Dan Mitchell (Guest)
Posted: Wed Aug 10, 2005 12:59 am
Post subject: Re: ADsSecurity (ADsSID) Against an Exchange 5.5 Server
"Shahir A. Ahang" <shahir@nospam.com> wrote in
news:94533$42f931ce$c61dbf94$5445@msgid.meganewsservers.com:

> This was obviously not correct so I am led to believe that maybe
> Exchange stores the SIDs in a different way than AD does. (BTW, when
> I counted the length of the byte array using the Len() function, it
> was 14 for an AD SID and 28 for Assoc-NT-Account from Exchange????)

I suspect what you're getting with your code is a string representing the
SID -- with binary data, instead of getting the four-byte array
(hex values) {0x12, 0x34, 0xfe, 0xa0 }, you get the string "1234fea0".
That's why the length is doubling.
The string you have "48-49-..." makes sense; 48 is ASCII for "0", 49 is
ASCII for "1", etc. You said you already have hex-to-string conversion
functions -- I suspect you just need to use them one more time, and if you
kept looking at the string, it would be "48-49-48-53...", i.e. "0105" encoded.
The raw data you're reading from Exchange is just
PR_EMS_AB_ASSOC_NT_ACCOUNT, which you'd pass to LookupAccountSID if you
were using C++ and the system lookup functions -- I don't know what the
ADSI equivalent of that is, or how to do this from vbscript, sorry, but it
sounds as if you're most of the way there already.
-- dan
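Dan's explanation carried out in code: an added example (mine, in Python rather than the thread's VBScript, not part of either post) that takes the Assoc-NT-Account value as Exchange 5.5 returns it, strips the extra hex-text layer, and parses the binary SID into its S-1-5-... form. The sample value is constructed from the hex SID quoted in the ADsSID comments of the first post.

```python
import struct

# Constructed sample: the hex SID quoted in the thread, as Exchange 5.5 hands
# it back -- the ASCII text of the hex string, not the 28 raw SID bytes.  Read
# as a byte array this begins 48, 49, 48, 53 ("0105"), exactly the "48-49-..."
# output described in the question.
ASSOC_NT_ACCOUNT_RAW = b"010500000000000515000000093A2A24358A021ADBEB0C508E040000"


def sid_bytes_from_exchange_value(raw: bytes) -> bytes:
    """Strip the extra hex-text layer. A binary SID always starts with the
    revision byte 0x01, so a value starting there is returned unchanged and the
    same helper also accepts a raw AD objectSid."""
    if raw[:1] == b"\x01":
        return raw
    text = raw.decode("ascii")
    if len(text) % 2 or any(c not in "0123456789abcdefABCDEF" for c in text):
        raise ValueError("value is neither a binary SID nor a hex SID string")
    return bytes.fromhex(text)


def sid_to_sddl(sid: bytes) -> str:
    """Render a binary SID as S-<revision>-<authority>-<sub-authorities>."""
    if len(sid) < 8:
        raise ValueError("SID shorter than its 8-byte header")
    revision, sub_count = sid[0], sid[1]
    if len(sid) != 8 + 4 * sub_count:
        raise ValueError("SID length does not match its sub-authority count")
    # The 6-byte identifier authority is big-endian; SDDL prints it in decimal
    # unless it does not fit in 32 bits, in which case hex is used.
    authority = int.from_bytes(sid[2:8], "big")
    auth_str = str(authority) if authority < 2**32 else "0x%012X" % authority
    # Each sub-authority is a little-endian 32-bit unsigned integer.
    subs = struct.unpack_from("<%dI" % sub_count, sid, 8)
    return "-".join(["S", str(revision), auth_str] + [str(s) for s in subs])


def exchange_value_to_sddl(raw: bytes) -> str:
    """Full path: Assoc-NT-Account value -> SID bytes -> SDDL string."""
    return sid_to_sddl(sid_bytes_from_exchange_value(raw))


if __name__ == "__main__":
    print(exchange_value_to_sddl(ASSOC_NT_ACCOUNT_RAW))
```

The result for the thread's sample is the same S-1-5-21-... string the ADS_SID_SDDL comment lists, which is the check that the decoding is right.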