Permalink
Cannot retrieve contributors at this time
Join GitHub today
GitHub is home to over 28 million developers working together to host and review code, manage projects, and build software together.
Sign up
Fetching contributors…
Cannot retrieve contributors at this time
| -- Script: Get-SQLDomainUser-Example.sql | |
| -- Description: Use OLE DB ADSI connections to grab a list of domain users via SQL Server links (OpenQuery) and adhoc queries (OpenRowSet). | |
| -- Author: Scott Sutherland, NetSPI 2017 | |
| -------------------------------------- | |
| -- Create SQL Server link to ADSI | |
| -------------------------------------- | |
| IF (SELECT count(*) FROM master..sysservers WHERE srvname = 'ADSI') = 0 | |
| EXEC master.dbo.sp_addlinkedserver @server = N'ADSI', | |
| @srvproduct=N'Active Directory Service Interfaces', | |
| @provider=N'ADSDSOObject', | |
| @datasrc=N'adsdatasource' | |
| ELSE | |
| SELECT 'The target SQL Server link already exists.' | |
| GO | |
| -- Verify the link was created | |
| SELECT * FROM master..sysservers WHERE providername = 'ADSDSOObject' | |
| -- Configure ADSI link to Authenticate as current user | |
| EXEC sp_addlinkedsrvlogin | |
| @rmtsrvname=N'ADSI', | |
| @useself=N'True', | |
| @locallogin=NULL, | |
| @rmtuser=NULL, | |
| @rmtpassword=NULL | |
| GO | |
| -------------------------------------- | |
| -- Create SQL Server link to ADSI2 | |
| -------------------------------------- | |
| IF (SELECT count(*) FROM master..sysservers WHERE srvname = 'ADSI2') = 0 | |
| EXEC master.dbo.sp_addlinkedserver @server = N'ADSI2', | |
| @srvproduct=N'Active Directory Service Interfaces', | |
| @provider=N'ADSDSOObject', | |
| @datasrc=N'adsdatasource' | |
| ELSE | |
| SELECT 'The target SQL Server link already exists.' | |
| -- EXEC master.dbo.sp_dropserver @server=N'ADSI', @droplogins='droplogins' | |
| GO | |
| -- Verify the link was created | |
| SELECT * FROM master..sysservers WHERE providername = 'ADSDSOObject' | |
| -- Configure the ADSI2 link to Authenticate as provided domain user | |
| EXEC sp_addlinkedsrvlogin | |
| @rmtsrvname=N'ADSI2', | |
| @useself=N'False', | |
| @locallogin=NULL, | |
| @rmtuser=N'Domain\User', | |
| @rmtpassword=N'Password123!' | |
| GO | |
| -------------------------------------- | |
| -- Run basic LDAP queries - OpenQuery | |
| -------------------------------------- | |
| -- sa as current failed, but sysadmin domain user works | |
| SELECT * FROM OpenQuery(ADSI,'<LDAP://domain>;(&(objectCategory=Person)(objectClass=user));samaccountname,name,admincount,whencreated,whenchanged,adspath;subtree') | |
| -- provided domain user works | |
| SELECT * FROM OpenQuery(ADSI2,'<LDAP://domain>;(&(objectCategory=Person)(objectClass=user));samaccountname,name,admincount,whencreated,whenchanged,adspath;subtree') | |
| -- sa as current failed, but sysadmin domain user works | |
| SELECT * FROM OpenQuery(ADSI, 'SELECT samaccountname,name,admincount,whencreated,whenchanged,adspath FROM ''LDAP://domain'' WHERE objectClass = ''User'' ') AS tblADSI | |
| -- provided domain user works | |
| SELECT * FROM OpenQuery(ADSI2, 'SELECT samaccountname,name,admincount,whencreated,whenchanged,adspath FROM ''LDAP://domain'' WHERE objectClass = ''User'' ') AS tblADSI | |
| -------------------------------------- | |
| -- Remove links and login mappings | |
| -------------------------------------- | |
| EXEC master.dbo.sp_dropserver @server=N'ADSI', @droplogins='droplogins' | |
| EXEC master.dbo.sp_dropserver @server=N'ADSI2', @droplogins='droplogins' | |
| -------------------------------------- | |
| -- Enabled adhoc queries on the server | |
| -------------------------------------- | |
| EXEC master.sys.sp_configure 'Show Advanced Options',1 | |
| reconfigure | |
| go | |
| EXEC master.sys.sp_configure 'Ad Hoc Distributed Queries',1 | |
| reconfigure | |
| go | |
| -------------------------------------- | |
| -- Run basic LDAP queries - OpenRowSet | |
| -------------------------------------- | |
| -- Need to confirm which scenario run as service account. | |
| -- Run without credential in syntax option 1 - works as sa | |
| SELECT * | |
| FROM OPENROWSET('ADSDSOOBJECT','adsdatasource','SELECT samaccountname,name,admincount,whencreated,whenchanged,adspath | |
| FROM ''LDAP://domain'' | |
| WHERE objectClass = ''User'' ') | |
| -- Run with credential in syntax option 1 - works as sa | |
| SELECT * | |
| FROM OPENROWSET('ADSDSOOBJECT','User ID=domain\user; Password=Password123!;','SELECT samaccountname,name,admincount,whencreated,whenchanged,adspath | |
| FROM ''LDAP://domain'' | |
| WHERE objectClass = ''User'' ') | |
| -- Run with credential in synatx option 2 - works as sa login | |
| SELECT * | |
| FROM OPENROWSET('ADSDSOOBJECT','User ID=domain\user; Password=Password123!;', | |
| '<LDAP://domain>;(&(objectCategory=Person)(objectClass=user));samaccountname,name,admincount,whencreated,whenchanged,adspath;subtree') |