Permalink
Switch branches/tags
Nothing to show
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
116 lines (89 sloc) 4.09 KB
-- Script: Get-SQLDomainUser-Example.sql
-- Description: Use OLE DB ADSI connections to grab a list of domain users via SQL Server links (OpenQuery) and adhoc queries (OpenRowSet).
-- Author: Scott Sutherland, NetSPI 2017
--------------------------------------
-- Create SQL Server link to ADSI
--------------------------------------
IF (SELECT count(*) FROM master..sysservers WHERE srvname = 'ADSI') = 0
EXEC master.dbo.sp_addlinkedserver @server = N'ADSI',
@srvproduct=N'Active Directory Service Interfaces',
@provider=N'ADSDSOObject',
@datasrc=N'adsdatasource'
ELSE
SELECT 'The target SQL Server link already exists.'
GO
-- Verify the link was created
SELECT * FROM master..sysservers WHERE providername = 'ADSDSOObject'
-- Configure ADSI link to Authenticate as current user
EXEC sp_addlinkedsrvlogin
@rmtsrvname=N'ADSI',
@useself=N'True',
@locallogin=NULL,
@rmtuser=NULL,
@rmtpassword=NULL
GO
--------------------------------------
-- Create SQL Server link to ADSI2
--------------------------------------
IF (SELECT count(*) FROM master..sysservers WHERE srvname = 'ADSI2') = 0
EXEC master.dbo.sp_addlinkedserver @server = N'ADSI2',
@srvproduct=N'Active Directory Service Interfaces',
@provider=N'ADSDSOObject',
@datasrc=N'adsdatasource'
ELSE
SELECT 'The target SQL Server link already exists.'
-- EXEC master.dbo.sp_dropserver @server=N'ADSI', @droplogins='droplogins'
GO
-- Verify the link was created
SELECT * FROM master..sysservers WHERE providername = 'ADSDSOObject'
-- Configure the ADSI2 link to Authenticate as provided domain user
EXEC sp_addlinkedsrvlogin
@rmtsrvname=N'ADSI2',
@useself=N'False',
@locallogin=NULL,
@rmtuser=N'Domain\User',
@rmtpassword=N'Password123!'
GO
--------------------------------------
-- Run basic LDAP queries - OpenQuery
--------------------------------------
-- sa as current failed, but sysadmin domain user works
SELECT * FROM OpenQuery(ADSI,'<LDAP://domain>;(&(objectCategory=Person)(objectClass=user));samaccountname,name,admincount,whencreated,whenchanged,adspath;subtree')
-- provided domain user works
SELECT * FROM OpenQuery(ADSI2,'<LDAP://domain>;(&(objectCategory=Person)(objectClass=user));samaccountname,name,admincount,whencreated,whenchanged,adspath;subtree')
-- sa as current failed, but sysadmin domain user works
SELECT * FROM OpenQuery(ADSI, 'SELECT samaccountname,name,admincount,whencreated,whenchanged,adspath FROM ''LDAP://domain'' WHERE objectClass = ''User'' ') AS tblADSI
-- provided domain user works
SELECT * FROM OpenQuery(ADSI2, 'SELECT samaccountname,name,admincount,whencreated,whenchanged,adspath FROM ''LDAP://domain'' WHERE objectClass = ''User'' ') AS tblADSI
--------------------------------------
-- Remove links and login mappings
--------------------------------------
EXEC master.dbo.sp_dropserver @server=N'ADSI', @droplogins='droplogins'
EXEC master.dbo.sp_dropserver @server=N'ADSI2', @droplogins='droplogins'
--------------------------------------
-- Enabled adhoc queries on the server
--------------------------------------
EXEC master.sys.sp_configure 'Show Advanced Options',1
reconfigure
go
EXEC master.sys.sp_configure 'Ad Hoc Distributed Queries',1
reconfigure
go
--------------------------------------
-- Run basic LDAP queries - OpenRowSet
--------------------------------------
-- Need to confirm which scenario run as service account.
-- Run without credential in syntax option 1 - works as sa
SELECT *
FROM OPENROWSET('ADSDSOOBJECT','adsdatasource','SELECT samaccountname,name,admincount,whencreated,whenchanged,adspath
FROM ''LDAP://domain''
WHERE objectClass = ''User'' ')
-- Run with credential in syntax option 1 - works as sa
SELECT *
FROM OPENROWSET('ADSDSOOBJECT','User ID=domain\user; Password=Password123!;','SELECT samaccountname,name,admincount,whencreated,whenchanged,adspath
FROM ''LDAP://domain''
WHERE objectClass = ''User'' ')
-- Run with credential in synatx option 2 - works as sa login
SELECT *
FROM OPENROWSET('ADSDSOOBJECT','User ID=domain\user; Password=Password123!;',
'<LDAP://domain>;(&(objectCategory=Person)(objectClass=user));samaccountname,name,admincount,whencreated,whenchanged,adspath;subtree')