I'm coding on top of some JNI libraries, and I don't really know the details about how they are doing it, but the output of the lib is the Windows domain user information with sid and sids... They look as shown below:
sids: [
"S-1-5-21-2923429462-2395316905-2569861443-1123",
"S-1-5-32-545",
"S-1-5-2",
"S-1-5-5-0-79699478",
"S-1-5-11",
"S-1-1-0",
"S-1-5-15",
"S-1-18-1",
"S-1-5-21-2923429462-2395316905-2569861443-513"
],
sid: "S-1-5-21-2923429462-2395316905-2569861443-1123"
Issue
Can I get the information without a password but only with a user id?
Is the information changeable?
What are SIDs... I thought there's only one secure identifier.
I'll take a stab at it:
I understand that you're using a Java Native Interface but I'm not sure what other language you're using. If it is with Active Directory, PowerShell is perfect for it, though I'm not sure how it would work with a JNI.
Anyway, here is what I can gather. Each account has a specific Security Identifier, called a SID. There are well-known SIDs for the common accounts (Administrator, for example). Even local account and groups have SIDs, as with any in Active Directory.
If you want to translate a SID to an account, that isn't a problem. If you aren't using PowerShell, at least this may give you a starting point:
# build a SecurityIdentifier from the textual SID, then ask Windows to resolve it to DOMAIN\Name
$SID = New-Object System.Security.Principal.SecurityIdentifier("SID_GOES_HERE")
$user = $SID.Translate([System.Security.Principal.NTAccount])
$user.Value
You could feed each line into these 3 steps by putting it into a function like so:
Function SIDtoUser($SIDint) {
    # $SIDint is one textual SID, e.g. "S-1-5-32-545"
    $SID = New-Object System.Security.Principal.SecurityIdentifier($SIDint)
    $user = $SID.Translate([System.Security.Principal.NTAccount])
    return $user.Value
}
Gather all of the SIDs into an array and run through them like this:
$SIDArray | ForEach-Object {
    SIDtoUser $_
}
I hope this helps. Let me know if I can assist any further.
Related
I'm pretty new to Exchange Online and am writing a script which is supposed to give o365 calendar permission to members of an AD group which have been exported to a CSV. All members of this group need to be able to have Reviewer permission on each other's calendars.
After the initial connect to EOL via PS, the script I've created is as follows:
$Users = import-csv "C:\Scripts\UserList.csv"
Foreach ($User in $Users)
{Add-MailboxFolderPermission -identity ($user+':\calendar') -user "user#domain" -Accessrights Reviewer}
However I'm getting an error:
Method invocation failed because [System.Management.Automation.PSObject] does not contain a method named 'op_Addition'. At line:2 char:2
From what I've read it seems I'm not presenting the array correctly, but I'm not really sure how I should present it in this script. Can anyone advise? Any help would be greatly appreciated.
Thanks in advance!
I am trying to read an msExchMailboxSecurityDescriptor, to find whether it contains a Full Access to another person. The access control entries contain the trustees in the netbios format (DOMAIN\Username).
// SecurityDescriptor / AccessControlList / AccessControlEntry come from the ActiveDs COM interop assembly;
// UserPrincipal / PrincipalContext from System.DirectoryServices.AccountManagement
using System.Collections;
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;
using ActiveDs;

SecurityDescriptor secDesc = (SecurityDescriptor)userDirectoryEntry.Properties["msExchMailboxSecurityDescriptor"].Value;
AccessControlList usrAcl = (AccessControlList)secDesc.DiscretionaryAcl;
foreach (AccessControlEntry ace in (IEnumerable)usrAcl)
{
    // the trustee is stored in NetBIOS form, DOMAIN\Username
    var netbiosDn = ace.Trustee.Split('\\')[0];
    var netbiosUser = ace.Trustee.Split('\\')[1];
    // now, the problem:
    UserPrincipal user = UserPrincipal.FindByIdentity(
        new PrincipalContext(ContextType.Domain, netbiosDn),
        netbiosUser
    );
}
This works until the last line, where I have to connect to the correct AD server and get some user info. Obviously, this fails when there is no server available for that domain, like any of the "NT AUTHORITY" or "BUILTIN" "domains". Not only does it fail, it takes quite some time before it does.
How on earth would I distinguish which ones are AD domains, where I can connect to the AD server, and which ones aren't?
Some example users I may find in the Security Descriptor, just for you to get a feel for the problem:
CONTOSO\Alex
CONTOSO\Michael
SUBDOMAIN\Kirk
TRUSTED\George
NTPD\ChiefBrown
NT AUTHORITY\SELF
NT INSTANS\INTERAKTIV
BUILTIN\Администраторы
BUILDING2\Владимир
VORDEFINERT\Administrator
Take a look at SecurityIdentifier.IsWellKnown
You can pass various values, including WellKnownSidType.NTAuthoritySid to determine what kind of SID you have.
(See also this PowerShell code on translating into readable names.)
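Both this answer and the first question on this page (one sid next to a list of sids) come down to reading the structure of a SID. The following is an added example, not code from either thread, written in Python so it runs without a Windows machine: it parses textual SIDs, tells domain-issued SIDs (S-1-5-21-<domain>-<RID>) apart from BUILTIN, logon-session and other well-known ones, and groups a token's SIDs by kind. The name table is a small offline subset of the documented well-known SIDs; on Windows, SecurityIdentifier.Translate and IsWellKnown remain the authoritative answer. The sample input is the sid/sids data quoted in the first question.

```python
"""Parse and classify Windows SIDs offline (added example, not from the thread)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Textual SID grammar: S-1-<identifier authority>-<subauthority>[-<subauthority>...]
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")

# Small offline subset of the documented well-known SIDs (not a complete list).
WELL_KNOWN: Dict[str, str] = {
    "S-1-1-0": "Everyone",
    "S-1-5-2": r"NT AUTHORITY\NETWORK",
    "S-1-5-4": r"NT AUTHORITY\INTERACTIVE",
    "S-1-5-11": r"NT AUTHORITY\Authenticated Users",
    "S-1-5-15": r"NT AUTHORITY\This Organization",
    "S-1-5-18": r"NT AUTHORITY\SYSTEM",
    "S-1-5-32-544": r"BUILTIN\Administrators",
    "S-1-5-32-545": r"BUILTIN\Users",
    "S-1-18-1": "Authentication authority asserted identity",
}
# Relative IDs that mean the same thing in every domain (subset).
DOMAIN_RIDS: Dict[int, str] = {500: "Administrator", 512: "Domain Admins", 513: "Domain Users"}


@dataclass(frozen=True)
class SidInfo:
    sid: str
    kind: str              # "domain", "builtin", "logon-session", "well-known" or "other"
    domain: Optional[str]  # issuing domain prefix for domain/builtin SIDs
    rid: Optional[int]     # relative identifier within that domain
    name: Optional[str]    # friendly name if known offline, else None


def parse_sid(sid: str) -> SidInfo:
    if not SID_RE.match(sid):
        raise ValueError(f"not a textual SID: {sid!r}")
    authority, *subs = (int(p) for p in sid.split("-")[2:])
    name = WELL_KNOWN.get(sid)
    if authority == 5 and len(subs) == 5 and subs[0] == 21:
        # Issued by a domain (or the local SAM): three subauthorities identify the
        # domain, the last one is the RID of the account or group inside it.
        return SidInfo(sid, "domain", sid.rsplit("-", 1)[0], subs[-1], DOMAIN_RIDS.get(subs[-1]))
    if authority == 5 and len(subs) == 2 and subs[0] == 32:
        return SidInfo(sid, "builtin", "S-1-5-32", subs[1], name)
    if authority == 5 and len(subs) == 3 and subs[0] == 5:
        # Logon session SID: unique per logon, never resolves to an account name.
        return SidInfo(sid, "logon-session", None, None, None)
    if name is not None:
        return SidInfo(sid, "well-known", None, None, name)
    return SidInfo(sid, "other", None, None, None)


def summarize_token(user_sid: str, token_sids: List[str]) -> Dict[str, List[str]]:
    """Bucket the SIDs of one token by kind; domain groups from a domain other
    than the user's own are reported separately so trust-related membership stands out."""
    me = parse_sid(user_sid)
    buckets: Dict[str, List[str]] = {}
    for s in token_sids:
        info = parse_sid(s)
        key = info.kind
        if info.kind == "domain" and info.domain != me.domain:
            key = "foreign-domain"
        buckets.setdefault(key, []).append(info.name or s)
    return buckets


# Sample input: the sid / sids values quoted in the first question on this page.
USER_SID = "S-1-5-21-2923429462-2395316905-2569861443-1123"
TOKEN_SIDS = [
    "S-1-5-21-2923429462-2395316905-2569861443-1123",
    "S-1-5-32-545", "S-1-5-2", "S-1-5-5-0-79699478", "S-1-5-11",
    "S-1-1-0", "S-1-5-15", "S-1-18-1",
    "S-1-5-21-2923429462-2395316905-2569861443-513",
]

if __name__ == "__main__":
    for kind, names in summarize_token(USER_SID, TOKEN_SIDS).items():
        print(f"{kind:14} {names}")
```

Run as-is, it shows that the first question's sid is the user's own domain SID (RID 1123), that the sids list is the set of group and identity SIDs in the user's token (Domain Users, BUILTIN\Users, Everyone, Authenticated Users, a per-logon session SID), and that a trustee whose domain prefix is not S-1-5-21-... (the NT AUTHORITY and BUILTIN cases from the question above) has no domain controller to ask.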
I'm looking for an easy way to export all Active Directory users' info into unique vcards for each. There is some info I'd like to leave out of the vcard like home phone, and emergency contact. I've looked around the web and have little luck finding anything. Any help would be appreciated.
I doubt there will be a very easy way. Ultimately, you need to
enumerate all your users (or a subset thereof)
iterate over the resulting list of users
export each user's data to a VCard
For the searching & iterating part, you can use a PrincipalSearcher to do your searching:
using System.DirectoryServices.AccountManagement;

// create your domain context
using (PrincipalContext ctx = new PrincipalContext(ContextType.Domain))
{
    // define a "query-by-example" principal - here, we search for a UserPrincipal
    // this "QBE" user would give you the ability to further limit what you get back
    // as results from the searcher
    UserPrincipal qbeUser = new UserPrincipal(ctx);
    // create your principal searcher passing in the QBE principal
    PrincipalSearcher srch = new PrincipalSearcher(qbeUser);
    // find all matches
    foreach (var found in srch.FindAll())
    {
        UserPrincipal foundUser = found as UserPrincipal;
        if (foundUser != null)
        {
            ExportToVCard(foundUser);
        }
    }
}
And now all that's left to do is create the ExportToVCard function :-) See e.g. this blog post with code samples and further links for help.
If you haven't already - absolutely read the MSDN article Managing Directory Security Principals in the .NET Framework 3.5 which shows nicely how to make the best use of the new features in System.DirectoryServices.AccountManagement. Or see the MSDN documentation on the System.DirectoryServices.AccountManagement namespace.
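The answer leaves the ExportToVCard step to the reader, and the question's real constraint is that some attributes (home phone, emergency contact) must never end up in the card. The following is an added example, not code from the answer or from any project, in Python rather than the answer's C#: it serializes a user record to vCard 3.0 through an attribute allowlist, so anything not explicitly mapped is dropped, and handles the two parts of the format that usually go wrong, text escaping of commas, semicolons and backslashes and 75-character line folding. The attribute names are standard AD attribute names; the user records and the attribute-to-property map are constructed for the example.

```python
"""Export directory users to vCard 3.0 with an attribute allowlist (added example)."""
from typing import Dict, List

# Only attributes listed here ever reach the vCard; homePhone, the emergency
# contact fields etc. are absent from the map and therefore never exported.
VCARD_FIELDS: Dict[str, str] = {  # AD attribute -> vCard property (constructed map)
    "displayName": "FN",
    "mail": "EMAIL;TYPE=INTERNET",
    "telephoneNumber": "TEL;TYPE=WORK,VOICE",
    "title": "TITLE",
    "company": "ORG",
}


def vcard_escape(value: str) -> str:
    """vCard text escaping: backslash first, then the separators and newlines."""
    return (value.replace("\\", "\\\\").replace(",", "\\,")
                 .replace(";", "\\;").replace("\n", "\\n"))


def fold(line: str, limit: int = 75) -> str:
    """Fold a content line: continuation lines start with a single space.
    Counts characters, which equals octets only for ASCII content."""
    chunks = [line[i:i + limit] for i in range(0, len(line), limit)] or [""]
    return "\r\n ".join(chunks)


def to_vcard(user: Dict[str, str]) -> str:
    """Serialize one user record (AD attribute names as keys) to a vCard string."""
    lines = ["BEGIN:VCARD", "VERSION:3.0"]
    # N is mandatory in 3.0: Family;Given;Additional;Prefix;Suffix
    lines.append(fold("N:" + vcard_escape(user.get("sn", "")) + ";"
                      + vcard_escape(user.get("givenName", "")) + ";;;"))
    for attr, prop in VCARD_FIELDS.items():
        value = user.get(attr)
        if value:
            lines.append(fold(f"{prop}:{vcard_escape(value)}"))
    lines.append("END:VCARD")
    return "\r\n".join(lines) + "\r\n"


def export_all(users: List[Dict[str, str]]) -> Dict[str, str]:
    """One vCard per user, keyed by sAMAccountName; stands in for the loop
    over the PrincipalSearcher results in the answer above."""
    return {u["sAMAccountName"]: to_vcard(u) for u in users}


# Constructed sample records in the shape a directory search would hand back.
SAMPLE_USERS = [
    {"sAMAccountName": "aexample", "givenName": "Alex", "sn": "Example",
     "displayName": "Alex Example", "mail": "alex@example.test",
     "telephoneNumber": "+1 555 0100", "title": "Engineer, Security",
     "homePhone": "+1 555 0199", "company": "Example; Inc"},
    {"sAMAccountName": "bdoe", "givenName": "B", "sn": "Doe", "displayName": "B Doe"},
]

if __name__ == "__main__":
    for name, card in export_all(SAMPLE_USERS).items():
        print(f"--- {name}.vcf ---")
        print(card, end="")
```

An allowlist (export only what is mapped) is the safer shape for this kind of export: a denylist of "home phone, emergency contact" silently leaks the next sensitive attribute someone adds to the schema.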
If you just want the data itself, I would take a look at Softerra's free LDAP Browser, found here.
Set up a profile for your directory server - once it's connected in the browser, you'll see the default schema for the BaseDN you've provided during the initial setup. On the server icon, right click, and hit "Export Data".
The export wizard will walk you through most of the process, but the important part is Step 3. If you want to find all users, just set your search filter to (objectClass=user), make sure your search scope is SubTree, and then edit what attributes you want to return.
You'll have to process the results into VCards, but this is the easiest/fastest way of getting all the users and attributes that you want.
I am using PowerBuilder PFC library to login to the database.
n_cst_appmanager/ pfc_open:
IF this.of_LogonDlg() > 0 THEN
    Open(w_myapp_frame)
END IF
n_cst_appmanager/ pfc_logon:
SQLCA.DBMS = "ODBC"
SQLCA.AutoCommit = False
SQLCA.DBParm = "ConnectString='DSN=mytestdb;UID=" + as_userid + ";PWD=" + as_password + "'"
connect using SQLCA;
Now, once the user is logged in, there are a few situations where I will need to connect to another database (for example, to copy some data there), so I would like to connect to the other database automatically, without displaying the login window again; therefore I would need to save the username and password of the user.
How can I save it? Do I need to save in the registry? Can you give some example please?
For example, I can get the user id in following way:
s_userid = gnv_app.of_GetUserID()
But I cannot get the password. Can someone please help me with how I can do it? Thanks a lot.
Actually, now that I'm paying attention to what you need instead of what you asked for <g>, and riffing off of Hugh's answer, why not just copy the transaction object?
n_cst_String lnv_String
transaction ltr_NewConnect
ltr_NewConnect = CREATE transaction
// same driver and commit mode as the logged-in connection; only the DSN changes
ltr_NewConnect.DBMS = SQLCA.DBMS
ltr_NewConnect.AutoCommit = SQLCA.AutoCommit
ltr_NewConnect.DBParm = lnv_String.of_GlobalReplace (SQLCA.DBParm, "mytestdb", "myotherdb")
CONNECT USING ltr_NewConnect;
If I were doing this, I'd code a copy of all the transaction object fields, just in case the means of defining the connection changes.
I'm assuming the other database is the same type of database in order for this to make sense (so that it uses the same type of DBParm), but either way the principle may apply.
Good luck,
Terry.
There's nothing built into PFC and there's nothing automagic in PowerBuilder that will help you with this. Just create an instance variable and a function to access it. Maybe grab the n_cst_LogonAttrib from the Message.PowerObjectParm immediately after the call to of_LogonDlg() and grab the value from there. Or, further extend your n_cst_AppManager.pfc_Logon event. Or extend of_LogonDlg(), and model the capture after the way PFC does the user id.
Note that storing the password anywhere permanent and visible to other processes like the registry would be a security violation that many companies would not allow. Not a direction you want to go.
Good luck,
Terry.
You can parse them out of SQLCA.DBParm.
string ls_userID, ls_password
n_cst_string stringSrv   // PFC string service (autoinstantiate)
// pull the UID=... and PWD=... tokens out of the ';'-separated connect string
ls_userID = stringSrv.of_getKeyValue(SQLCA.DBParm, "UID", ";")
ls_password = stringSrv.of_getKeyValue(SQLCA.DBParm, "PWD", ";")
However, a good case can be made for capturing them in the appmanager if you know you will need them.
Having the same login credentials for different databases is a security concern. It's the sort of thing that leads to your company being in the news for the wrong reasons.
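The two answers above agree on the safe direction: keep the credentials in the running process and derive the second connection from the first, never write the password to the registry. The following is an added example, not code from the thread and not PFC, in Python rather than PowerBuilder: it parses a DBParm of the shape built in the question (ConnectString='DSN=...;UID=...;PWD=...'), returns UID/PWD the way of_getKeyValue is used above, rewrites only the DSN value for the second database, and produces a redacted copy for logs. Replacing the DSN by key rather than with a global text replace matters when a user name or password happens to contain the old DSN text. The DBParm string is constructed for the example.

```python
"""Derive a second connection's DBParm from the logged-in one without persisting
the password (added example in Python, mirroring the PowerBuilder thread above)."""
import re
from typing import Callable, List, Tuple

# The quoted ConnectString inside a PowerBuilder ODBC DBParm
CONNECT_RE = re.compile(r"ConnectString='([^']*)'")
Pairs = List[Tuple[str, str]]


def parse_connect_string(dbparm: str) -> Pairs:
    """Return the KEY=value pairs inside ConnectString='...'. The surrounding
    quotes are consumed by the regex, so the last value has no stray quote."""
    m = CONNECT_RE.search(dbparm)
    if not m:
        raise ValueError("DBParm carries no ConnectString")
    pairs: Pairs = []
    for item in m.group(1).split(";"):
        if item:
            key, _, value = item.partition("=")
            pairs.append((key, value))
    return pairs


def _rewrite(dbparm: str, edit: Callable[[str, str], str]) -> str:
    """Rebuild DBParm with every value passed through edit(key, value);
    text outside the ConnectString (other DBParm settings) is kept as-is."""
    m = CONNECT_RE.search(dbparm)
    if not m:
        raise ValueError("DBParm carries no ConnectString")
    pairs = [(k, edit(k, v)) for k, v in parse_connect_string(dbparm)]
    body = ";".join(f"{k}={v}" for k, v in pairs)
    return dbparm[:m.start()] + "ConnectString='" + body + "'" + dbparm[m.end():]


def credentials(dbparm: str) -> Tuple[str, str]:
    """UID and PWD as the of_GetKeyValue calls above obtain them; held in memory only."""
    kv = {k.upper(): v for k, v in parse_connect_string(dbparm)}
    return kv.get("UID", ""), kv.get("PWD", "")


def with_dsn(dbparm: str, new_dsn: str) -> str:
    """Same UID/PWD, different DSN. Only the value keyed DSN is replaced, so a
    user name or password containing the old DSN text is left untouched."""
    return _rewrite(dbparm, lambda k, v: new_dsn if k.upper() == "DSN" else v)


def redacted(dbparm: str) -> str:
    """Safe form for logs and error dialogs: password blanked, everything else intact."""
    return _rewrite(dbparm, lambda k, v: "***" if k.upper() == "PWD" else v)


# Constructed sample in the format SQLCA.DBParm is assembled with in the question;
# the UID deliberately contains the DSN name to show why a global replace is unsafe.
SQLCA_DBPARM = "ConnectString='DSN=mytestdb;UID=mytestdb_admin;PWD=s3cret'"

if __name__ == "__main__":
    print("global replace:", redacted(SQLCA_DBPARM.replace("mytestdb", "myotherdb")))
    print("keyed replace: ", redacted(with_dsn(SQLCA_DBPARM, "myotherdb")))
```

Printed with the password blanked, the two lines differ in the UID: the global replace turns mytestdb_admin into myotherdb_admin, the keyed replace does not.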
We already completed the site. The problem is that the site has 3 logins:
one is the main super admin for the client,
the other two are for college admins (colleges will log in here)
and their students. All the work is completed.
For example:
College IP:
172.16.4.1
172.16.1.101
This college should not be able to log in except from these IPs.
And there might be many colleges, and each college can log in only from its static IP.
Will it be possible?
Thanks
Since no language is mentioned, I'll give a sample in PHP:
function canLogin() {
    // the college's static addresses from the question
    $allowed = array ('172.16.4.1', '172.16.1.101');
    // REMOTE_ADDR is the address of the TCP peer as seen by the web server
    if (in_array ($_SERVER['REMOTE_ADDR'], $allowed)) return 1;
    else return 0;
}
All you have to do is find the REMOTE_ADDR (user IP) and check if it is in the approved list.
Note: It is possible to spoof the remote address. But the above sample is a simpler solution and better than nothing.
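The answer's closing note is where the practical risk sits: REMOTE_ADDR is the TCP peer, but applications behind a load balancer often read the client address from X-Forwarded-For, and that header is ordinary request text unless it came from your own proxy. The following is an added example, not the answer's code, in Python rather than PHP: a per-college allowlist using the standard ipaddress module (so networks as well as single addresses work), with the forwarded header honoured only when the TCP peer is a known proxy, and malformed input denied. The policy table and the proxy address are constructed; the two college addresses are the ones from the question.

```python
"""Per-college source-address check for a login step (added example, Python
rather than the answer's PHP; policy table and proxy address are constructed)."""
import ipaddress
from typing import Dict, List, Optional

# Constructed policy: which networks each college account may log in from
# (the two /32 entries are the addresses given in the question).
ALLOWED: Dict[str, List] = {
    "college-1": [ipaddress.ip_network("172.16.4.1/32"),
                  ipaddress.ip_network("172.16.1.101/32")],
    "college-2": [ipaddress.ip_network("10.20.0.0/24")],
}
# Our own reverse proxies / load balancers (constructed address). Only when the
# TCP peer is one of these is X-Forwarded-For believed; from anyone else it is
# client-supplied text and the peer address itself is used.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]


def client_ip(remote_addr: str, forwarded_for: Optional[str] = None):
    """Address to authorize. Raises ValueError on malformed input."""
    peer = ipaddress.ip_address(remote_addr)
    if forwarded_for and any(peer in net for net in TRUSTED_PROXIES):
        # With one trusted proxy layer the last entry is the one our proxy appended,
        # i.e. the client it actually talked to; earlier entries are unverified.
        return ipaddress.ip_address(forwarded_for.split(",")[-1].strip())
    return peer


def can_login(college: str, remote_addr: str, forwarded_for: Optional[str] = None) -> bool:
    """True when the request comes from one of the college's registered networks.
    An additional check alongside the password, not a replacement for it."""
    try:
        ip = client_ip(remote_addr, forwarded_for)
    except ValueError:
        return False  # unparsable address: deny instead of guessing
    return any(ip in net for net in ALLOWED.get(college, []))


if __name__ == "__main__":
    # Constructed requests: (college, REMOTE_ADDR, X-Forwarded-For)
    for college, peer, xff in [
        ("college-1", "172.16.4.1", None),
        ("college-1", "203.0.113.9", "172.16.4.1"),   # header from an untrusted peer
        ("college-1", "10.0.0.5", "172.16.4.1"),      # header appended by our proxy
        ("college-2", "10.20.0.77", None),
    ]:
        print(college, peer, xff, "->", can_login(college, peer, xff))
```

Keep the decision server-side and log denied attempts with the peer address: a burst of failed logins from addresses outside a college's registered network is exactly the signal this check is meant to surface.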