Permalink
Cannot retrieve contributors at this time
| -- Script: Get-SQLDomainUser-Example.sql | |
| -- Description: Use OLE DB ADSI connections to grab a list of domain users via SQL Server links (OpenQuery) and adhoc queries (OpenRowSet). | |
| -- Author: Scott Sutherland, NetSPI 2017 | |
| -------------------------------------- | |
| -- Create SQL Server link to ADSI | |
| -------------------------------------- | |
| IF (SELECT count(*) FROM master..sysservers WHERE srvname = 'ADSI') = 0 | |
| EXEC master.dbo.sp_addlinkedserver @server = N'ADSI', | |
| @srvproduct=N'Active Directory Service Interfaces', | |
| @provider=N'ADSDSOObject', | |
| @datasrc=N'adsdatasource' | |
| ELSE | |
| SELECT 'The target SQL Server link already exists.' | |
| GO | |
| -- Verify the link was created | |
| SELECT * FROM master..sysservers WHERE providername = 'ADSDSOObject' | |
| -- Configure ADSI link to Authenticate as current user | |
| EXEC sp_addlinkedsrvlogin | |
| @rmtsrvname=N'ADSI', | |
| @useself=N'True', | |
| @locallogin=NULL, | |
| @rmtuser=NULL, | |
| @rmtpassword=NULL | |
| GO | |
| -------------------------------------- | |
| -- Create SQL Server link to ADSI2 | |
| -------------------------------------- | |
| IF (SELECT count(*) FROM master..sysservers WHERE srvname = 'ADSI2') = 0 | |
| EXEC master.dbo.sp_addlinkedserver @server = N'ADSI2', | |
| @srvproduct=N'Active Directory Service Interfaces', | |
| @provider=N'ADSDSOObject', | |
| @datasrc=N'adsdatasource' | |
| ELSE | |
| SELECT 'The target SQL Server link already exists.' | |
| -- EXEC master.dbo.sp_dropserver @server=N'ADSI', @droplogins='droplogins' | |
| GO | |
| -- Verify the link was created | |
| SELECT * FROM master..sysservers WHERE providername = 'ADSDSOObject' | |
| -- Configure the ADSI2 link to Authenticate as provided domain user | |
| EXEC sp_addlinkedsrvlogin | |
| @rmtsrvname=N'ADSI2', | |
| @useself=N'False', | |
| @locallogin=NULL, | |
| @rmtuser=N'Domain\User', | |
| @rmtpassword=N'Password123!' | |
| GO | |
| -------------------------------------- | |
| -- Run basic LDAP queries - OpenQuery | |
| -------------------------------------- | |
| -- sa as current failed, but sysadmin domain user works | |
| SELECT * FROM OpenQuery(ADSI,'<LDAP://domain>;(&(objectCategory=Person)(objectClass=user));samaccountname,name,admincount,whencreated,whenchanged,adspath;subtree') | |
| -- provided domain user works | |
| SELECT * FROM OpenQuery(ADSI2,'<LDAP://domain>;(&(objectCategory=Person)(objectClass=user));samaccountname,name,admincount,whencreated,whenchanged,adspath;subtree') | |
| -- sa as current failed, but sysadmin domain user works | |
| SELECT * FROM OpenQuery(ADSI, 'SELECT samaccountname,name,admincount,whencreated,whenchanged,adspath FROM ''LDAP://domain'' WHERE objectClass = ''User'' ') AS tblADSI | |
| -- provided domain user works | |
| SELECT * FROM OpenQuery(ADSI2, 'SELECT samaccountname,name,admincount,whencreated,whenchanged,adspath FROM ''LDAP://domain'' WHERE objectClass = ''User'' ') AS tblADSI | |
| -------------------------------------- | |
| -- Remove links and login mappings | |
| -------------------------------------- | |
| EXEC master.dbo.sp_dropserver @server=N'ADSI', @droplogins='droplogins' | |
| EXEC master.dbo.sp_dropserver @server=N'ADSI2', @droplogins='droplogins' | |
| -------------------------------------- | |
| -- Enabled adhoc queries on the server | |
| -------------------------------------- | |
| EXEC master.sys.sp_configure 'Show Advanced Options',1 | |
| reconfigure | |
| go | |
| EXEC master.sys.sp_configure 'Ad Hoc Distributed Queries',1 | |
| reconfigure | |
| go | |
| -------------------------------------- | |
| -- Run basic LDAP queries - OpenRowSet | |
| -------------------------------------- | |
| -- Need to confirm which scenario run as service account. | |
| -- Run without credential in syntax option 1 - works as sa | |
| SELECT * | |
| FROM OPENROWSET('ADSDSOOBJECT','adsdatasource','SELECT samaccountname,name,admincount,whencreated,whenchanged,adspath | |
| FROM ''LDAP://domain'' | |
| WHERE objectClass = ''User'' ') | |
| -- Run with credential in syntax option 1 - works as sa | |
| SELECT * | |
| FROM OPENROWSET('ADSDSOOBJECT','User ID=domain\user; Password=Password123!;','SELECT samaccountname,name,admincount,whencreated,whenchanged,adspath | |
| FROM ''LDAP://domain'' | |
| WHERE objectClass = ''User'' ') | |
| -- Run with credential in synatx option 2 - works as sa login | |
| SELECT * | |
| FROM OPENROWSET('ADSDSOOBJECT','User ID=domain\user; Password=Password123!;', | |
| '<LDAP://domain>;(&(objectCategory=Person)(objectClass=user));samaccountname,name,admincount,whencreated,whenchanged,adspath;subtree') |