How to Find and Enable/Disable Microsoft Active Directory / LDAP usernames that are members of the

03/26/2020 5 12149

DESCRIPTION:
How to Find and Enable/Disable Microsoft Active Directory / LDAP usernames that are members of the SonicWall administrator groups.

RESOLUTION:

SonicWall is offering some Visual Basic Scripts to help with managing Microsoft Active Directory / LDAP. They are useful in debugging LDAP problems related to SonicWall appliances. The script SonicWallLDAPAdminUserChk.vbs allows the inspection of Admin users on the Microsoft Active Directory / LDAP server and the script SonicWallLDAPAdminUserChk.vbs allows for the disabling and enabling of Admin users on the Microsoft Active Directory / LDAP server.

·         Use SonicWallLDAPAdminUserChk.vbs script to check LDAP/AD server

·         Usage Example for SonicWallLDAPAdminUserChk.vbs

·         SonicWallLDAPAdminUserChk.vbs Usage Options

·         Use SonicWallLDAPAdminGroups.vbs script to disable Admin users on LDAP/AD server

·         SonicWallLDAPAdminGroups.vbs Usage Options

Step 1. Are any AD / LDAP usernames members of the SonicWall administrator groups on the Microsoft LDAP/ Active Directory and in Local Users on the firewall?

Use SonicWallLDAPAdminUserChk.vbs script to help determine if any LDAP usernames in Active Directory are members of the SonicWall administrator groups (“SonicWall Administrators”, “Limited Administrators”, “SonicWall Read-Only Admins”, “Guest Administrators”).

This script can be download from: https://software.sonicwall.com/UtilityTools/SonicWallLDAPAdminUserChk.zip

To use the SonicwallLDAPAdminUserChk.vbs script requires:

1.     Access to Microsoft Active Directory Domain Controller or a System that is part of the Domain using a domain account with sufficient privileges to search Active Directory.

2.     SonicWallLDAPAdminUserChk.vbs script. 
(Download from: https://software.sonicwall.com/UtilityTools/SonicwallLDAPAdminUserChk.zip 
Save it in a convenient location and extract the script).

3.     Settings File from the appliance  
File can be Exported  after log on to SonicWall GUI and going to System > Settings and using export settings option (.exp file).

with these, files and access 
   Run the script to check if the Active Directory configuration contains any usernames which are members of the SonicWall Administrator groups.

       Note: This script only searches in the LDAP directory. It makes no changes to any objects in it.

If running the script on domain controller, the command is:

                  cscript SonicWallLDAPAdminUserChk.vbs <Name of the settings-file.exp>

Otherwise:

                cscript SonicWallLDAPAdminUserChk.vbs <Name of the settings-file.exp>  <domain-controller>

Replace <Name of the settings-file.exp> by the name of the settings file exported from the appliance, and <domain-controller>  by the DNS name or IP address of the domain controller.

Step 2. Usage Example for SonicWallLDAPAdminUserChk.vbs

When you run the SonicwallLDAPAdminUserChk.vbs script, the output may be similar to the following example:

: cscript SonicwallLDAPAdminUserChk.vbs sonicwall.exp ad.example.com

Microsoft (R) Windows Script Host Version 5.8

Copyright (C) Microsoft Corporation. All rights reserved.

SonicWall Administrative User Check Script Version 1.1

Reading the export file...

...

Decoding the export file (this may take a while)...

...

Found a local administrative user group: SW Admins

Found a local administrative user: john_smith

Found a local administrative user: bob_jones

Found a local administrative user: bob_local

An LDAP search will now be made to check if those users/groups exist in the LDAP directory.

Press enter to continue

Searching under domain DN: DC=example,DC=com

Searching for the administrative users found in the SonicWall settings

Found 4 users