Saturday, 13 June 2015

VBScript to list the Active Directory security groups a user belongs to

This is a little script that queries the Active Directory domain and returns the AD security group memberships that the given user belong to by querying the MemberOf  property of the user.

Note:
  • The computer that the script is run on has to be joined to a domain, as it is querying the root DSE.

'Response.Write GetADGroups("tallitguy")    'ASP
MsgBox GetADGroups("tallitguy")             'VBScript

Function GetADGroups (ADUserName)
    
    Const ADS_SCOPE_SUBTREE = 2
    
    Dim objRootDSE, strDNSDomain, strTarget
    Dim objConnection, objCmd, objRecordSet
    Dim tmp, Ctr, i, Grp, strList
    
    ' Connect to the LDAP server's root object
    Set objRootDSE = GetObject("LDAP://RootDSE")
    strDNSDomain = objRootDSE.Get("defaultNamingContext")
    strTarget = "LDAP://" & strDNSDomain

    ' Connect to AD Provider
    Set objConnection = CreateObject("ADODB.Connection")
    objConnection.Provider = "ADsDSOObject"
    ' Domain account credentials with read access to LDAP:
    objConnection.Properties("User ID") = "domain\username" 
    objConnection.Properties("Password") = "password" 
    ' Connect to AD
    objConnection.Open "Active Directory Provider"

    Set objCmd =   CreateObject("ADODB.Command")
    Set objCmd.ActiveConnection = objConnection 

    ' Query to get groups a user is a Member Of:
    objCmd.CommandText = "SELECT memberof " & _
                        " FROM '" & strTarget & "' " & _
                        " WHERE objectCategory = 'user' " & _
                        " and name='" & ADUserName & "' "
    ' Set up the command object before running it
    objCmd.Properties("Page Size") = 100
    objCmd.Properties("Timeout") = 30
    objCmd.Properties("Searchscope") = ADS_SCOPE_SUBTREE
    objCmd.Properties("Cache Results") = False
    
    ' Execute query
    Set objRecordSet = objCmd.Execute

    ' Initialize counter & return value
    Ctr = 0
    strList = ""
    
    ' Iterate through the query results    
    Do Until objRecordSet.EOF
        For i = 0 to objRecordSet.Fields.Count -1
            For each Grp in objRecordSet.Fields("memberof").value
                Ctr = Ctr + 1
                tmp = Replace(Split(Grp, ",")(0), "CN=", "") 
                
                strList = strList & tmp & "; " & vbcrlf
                
            Next
        Next
        objRecordSet.MoveNext
    Loop
    
    GetADGroups = strList
    End Function

Thursday, 4 September 2014

Allowing an IIS web page to execute permissions-restricted scripts using a Scheduled Task

What do you do if you need to make a webpage that runs batch files (For example .bat, .cmd, .vbs, .ps files)? And to run them with a different security context than IIS, or with access to resources that you don't want to expose to IIS directly?

A while back I had a task that I needed to be able to trigger from a web page. In this particular case the task involved running a few different scripts & command line operations – some of which had to be done with particular permissions (such as accessing a share on a different server).

What I didn’t want to do was give those permissions to the IIS process to allow the page to execute these commands directly, as I was worried that a mistake might happen that will allow the page to do a lot more than I wanted and become an easy attack vector.

Realizing that I could encapsulate all of the steps of the task and their necessary permissions into a Windows Scheduled Task, I then set out to see how I can kick off a specified task in the scheduler from an ASP page. This is what I came up with. It has three basic steps:
  • Create your scheduled task that calls the script(s) that you want to run.
  • Open up the folder where the task file is saved and change permissions on it so that the IIS process can run it.
  • Create the web page that will access & run your task.

It’s actually a very simple process, but I’ll spell it out in detail here – because of that it may seem more complicated than it really is.


Create the Scheduled Task


The first step is to create the scheduled task, so log into your IIS webserver and open up the Windows Task Scheduler.

image

In this example, I’ve created a separate sub-folder called “WebTasks” (select & then right-click on Task Scheduler Library” in the left panel –> New Folder) for organization purposes.

I have a prepared script that I want to run called “mytask.bat” located in a folder at “E:\Scripts\”. So lets start the Create Task dialog (right panel) to set up a task to run it, that we’ll call “IIS_Task

image
Enter the General parameters for the task, including setting up the appropriate user credentials that the task needs to run properly using the “Change User or Group” button. The sample is called IIS_Task
image
In the Triggers tab, we’ll leave this blank in the example. A Trigger is a schedule that will activate the task. We will only run this task manually, so this isn’t needed.
image
In the Actions tab, click the New button…
image
… and create an action to run the script we want – in this case “E:\Scripts\mytask.bat”
image
Switching to the Settings tab, make sure that the “Allow task to be run on demand” setting is checked. Click OK to save it.
image


Set Permissions on the Task


Next we have to change the permissions on this task so that the IIS process can run it. To do this go to the folder that the task files are saved in, by default that's:

C:\Windows\System32\Tasks\

In our case, since we earlier created this task in a sub-folder called “WebTasks”, we go here:

C:\Windows\System32\Tasks\WebTasks

You should see our new task in a file called “IIS_Task” (or whatever you named your version). Right-click on it & select Properties. Then add Read & Execute permissions for the IUSR account (the default account that IIS uses). If your install of IIS uses a different account, apply that one instead. Apply the change & close the dialog.

image

Now our task is created, and it’s permissions are changed so that the IIS process can call it, and IIS hasn’t been granted any unneeded permissions such as creating/changing tasks, or access to any of the resources that our task will use.

Create the web page


Finally, it’s time to create the web page that will do this.

I’ve actually looked to see how to call the Task Scheduler from .NET, but couldn’t find the reference in my brief poking around, but did see how to do it in VBScript, so this page is done in “Classic ASP”, rather than ASP.NET. Also, since it’s just an example, there is no security or controls on this demo page:

<% 
Dim vRun, vMsg

vMsg = ""
vRun = Trim(Request("run"))    'get form input

'If form value was submitted, run the task
If vRun = "Run Task" Then 
   RunJob 
End If  
 
'Routine to execute our task
Sub RunJob     
    Dim objTaskService, objRootFolder, objTask 

    'create instance of the scheduler service
    Set objTaskService = Server.CreateObject("Schedule.Service")    
    
    'connect to the service
    objTaskService.Connect            

    'go to our task folder, use just "\" if you saved it under the root folder
    Set objRootFolder = objTaskService.GetFolder("\WebTasks")    
    'reference our task
    Set objTask = objRootFolder.GetTask("IIS_Task")            

    'run it
    objTask.Run vbNull  
    vMsg = "Submitted"
    
    'clean up
    Set objTaskService = Nothing    
    Set objRootFolder = Nothing
    Set objTask = Nothing  
End Sub

%>
<html>
<body> 
<form method="post" action="runtask.asp"> 
  <p>Click to run the task: <input type="submit" value="Run Task" name="run" /></p> 
  <p>[<%= run %>]</p> 
  <p style="font-weight:bold; color:#006600;"><%= vMsg %></p>  
</form> 
</body>
</html>

Save that as runtask.asp in your wwwroot folder & try it out.

As you can see, the code to actually run our task is really simple, the real work is done in only five lines of code in the RunJob subroutine.

Hope this helps.

Wednesday, 27 August 2014

SQL Server: Inline Queries Across Linked Servers

I’ve had to run a scheduled T-SQL query from one database to another linked server for an import operation. I'm finding that I have to do some comparisons between the result of two subqueries in order to get the proper value for one column. So the results I want would correspond to something like this:

Insert into localTable (columns)

Select col1, col2, col3,

CASE 
      WHEN subquery1result > subquery2result THEN subquery1result
      ELSE subquery2result
END As col4 From server.schema.dbo.table1 Where [stuff]

Note the reference to the linked server… First you have to set up the Linked Server in SQL Server, then you can reference the external database table as [LinkedServerName].[SchemaName].[DataBaseOwner].[TableName]

To flesh that out a little more, if I filled in those subqueries in-line:

Insert into localTable (columns)Select col1, col2, col3,

CASE 
    WHEN (select MAX(T2.datecol) from server.schema.dbo.table2 T2 where T2.id = T1.id) > 
         (select MAX(T3.datecol) from server.schema.dbo.table3 T3 where T3.id = T1.id) 
    THEN (select MAX(datecol) from server.schema.dbo.table2 T2 where T2.id = T1.id) 
    ELSE (select MAX(T3.datecol) from server.schema.dbo.table3 T3 where T3.id = T1.id) 

END As col4

From server.schema.dbo.table1 T1

Where [stuff]


But that doesn’t work – using subqueries in a CASE statement like that won’t fly.
I would normally do these subqueries as user-defined scalar functions, but I can't seem to make one that queries tables in a linked server. And I'm not allowed to modify the schema of the database on the linked server (vendor system).

Any ideas on another way of doing this? I suppose I should copy all relevant values into a holding table (on the local server) & then run the import from there instead of importing directly from the linked server. I was just hoping I could keep it as a straight 'Insert Into... Select From' query in a single step.

I think I stumbled upon a "good enough" solution (which suitably horrify a proper SQL-Ninja):

Insert into localTable (columns)

Select col1, col2, col3,
(Select MAX(DC) From 
   (
      select MAX(T2.datecol) as DC from server.schema.dbo.table2 T2 where T2.id = T1.id
      UNION
      select MAX(T3.datecol) as DC from server.schema.dbo.table3 T3 where T3.id = T1.id 
   ) as U
) As col4

From server.schema.dbo.table1 T1

Where [stuff]

It seems to work, though the query is a bit on the slow side (7 seconds to return ~2K rows). Well within reason for a nightly batch job though. Basically the UNION of multiple inline queries forms a set of it’s own, which we can further query from. In this case we’re choosing the Maximum value returned from two different queries.

Friday, 1 August 2014

My .NET app is really slow on one PC, fine on all others

So I had this small .NET Windows Forms application that has been running on a large number of our lab computers with no issues. Not that it matters, but this program would run in the background and record logins to each lab computer against the booking system for reserving the labs.

One such computer was recently upgraded to Windows 7 from XP as a result of the end-of-life support of XP (and a bit of common sense, which is known to happen once in a while).

So once the computer was freshly wiped and had Windows 7 installed & patched, my little program was installed... and it was dog slow.

I mean it was really slow. Where it used to go from launch to actually doing anything (such as becoming visible) in under a second, it was now taking 10 to 15 minutes before there was any evidence of it running. On the same machine.

Looking at the installed .NET frameworks on a working PC and the problem one, they were both the same (at the time, 4.5.1), and earlier versions were not installed side-by-side on either machine. The application was written in Visual Studio 2010 and targeted the 4.0 .NET framework.

Now keep in mind that the older machines used to have older versions of the framework which were then upgraded over time (2.0 -> 3.0 -> 3.5 -> 4.0 -> 4.5). However, being a clean install, the re-installed machine was set up with just .NET 4.5.1 without having passed through any of the earlier versions.

Turns out that was the problem.

Removing .NET, then re-installing it with 4.0 only, and then allowing it to update to 4.5.1 afterward on the problem machine fixed it. I don't know what the mechanism is that causes this, but when a .NET app is targeting an earlier framework than was ever installed on the destination PC, problems like this can happen.



Thursday, 7 November 2013

IE11 is out - change in behaviour in Theatre Mode (F11)

We have some public display content (basically web-based slideshows on 42" screens around the building) that use Internet Explorer on Windows 7 in kiosk mode to render the content. And now IE11 for Win7 is out, so I figured I should test that out.

PS. The system was originally deployed with IE9, and the upgrade to IE10 caused no issues, and tests in IE11 show no rendering issues either.

However, when during the production cycle, to test content before deploying it I use IE in 'theatre mode' (F11) where the browser goes full-screen and the toolbars, window borders, etc are all hidden in order to have the same visual experience (on a monitor with t he same 1080p resolutions).

This is something I do often - and noticed that the behaviour in that mode has changed from IE10 to IE11: it used to be if you moved the mouse to the top edge of the screen the address bar etc will become visible, and then if you moved the mouse back down they will hide again.

No longer, now you have to right-click. Then it doesn't go away unless you exit F11 & then activate it again.

Anyone else seeing that? I haven't had a chance to test on multiple machines yet, so this may be some local oddity vs. a deliberate change in application behaviour.

Friday, 28 June 2013

Quick Byte: Script to set the homepage in IE

Quick Byte: VBScript to set the homepage in IE, possibly useful to set a standard setup for a corporate desktop, assuming you didn't have a better option like a GPO.

Dim WshShell

Set WshShell = CreateObject("Wscript.shell")

WshShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page", "http://parmedx.appspot.com", "REG_SZ"     


Set WshShell = Nothing
 

Wednesday, 20 February 2013

Quick Byte: Select all column names in a table

Quick Byte: T-SQL query to select all the field/column names from a given table:

Select COLUMN_NAME -- or Select * for all column attributes (ie data_type, default_value, ...)
From INFORMATION_SCHEMA.COLUMNS
Where TABLE_NAME = 'TableName'
Order By ORDINAL_POSITION


Applies to SQL Server.