03/26/2020
How to Find and Enable/Disable Microsoft Active Directory / LDAP usernames that are members of the SonicWall administrator groups.
RESOLUTION:
Overview / Scenario:
This article explains how to manage Microsoft Active Directory / LDAP admin users with SonicWall VBS scripts.
SonicWall offers Visual Basic Scripts to help with managing Microsoft Active Directory / LDAP. They are useful when debugging LDAP problems related to SonicWall appliances. The script SonicWallLDAPAdminUserChk.vbs inspects admin users on the Microsoft Active Directory / LDAP server, and the script SonicWallLDAPAdminGroups.vbs disables and enables admin users on the Microsoft Active Directory / LDAP server.
· Use the SonicWallLDAPAdminUserChk.vbs script to check the LDAP/AD server
· Usage example for SonicWallLDAPAdminUserChk.vbs
· SonicWallLDAPAdminUserChk.vbs usage options
· Use the SonicWallLDAPAdminGroups.vbs script to disable admin users on the LDAP/AD server
· SonicWallLDAPAdminGroups.vbs usage options
Step 1. Are any AD / LDAP usernames members of the SonicWall administrator groups on the Microsoft LDAP/ Active Directory and in Local Users on the firewall?
Use the SonicWallLDAPAdminUserChk.vbs script to help determine whether any LDAP usernames in Active Directory are members of the SonicWall administrator groups (“SonicWall Administrators”, “Limited Administrators”, “SonicWall Read-Only Admins”, “Guest Administrators”).
This script can be downloaded from: https://software.sonicwall.com/UtilityTools/SonicWallLDAPAdminUserChk.zip
Using the SonicWallLDAPAdminUserChk.vbs script requires:
1. Access to a Microsoft Active Directory domain controller, or to a system that is part of the domain, using a domain account with sufficient privileges to search Active Directory.
2. The SonicWallLDAPAdminUserChk.vbs script.
(Download from: https://software.sonicwall.com/UtilityTools/SonicwallLDAPAdminUserChk.zip
Save it in a convenient location and extract the script.)
3. The settings file from the appliance.
Export the file by logging on to the SonicWall GUI, going to System > Settings and using the export settings option (.exp file).
With these files and this access in place, run the script to check whether the Active Directory configuration contains any usernames that are members of the SonicWall administrator groups.
Note: This script only searches in the LDAP directory. It makes no changes to any objects in it.
If running the script on a domain controller, the command is:
cscript SonicWallLDAPAdminUserChk.vbs <Name of the settings-file.exp>
To direct the search at a particular domain controller, the command is:
cscript SonicWallLDAPAdminUserChk.vbs <Name of the settings-file.exp> <domain-controller>
Replace <Name of the settings-file.exp> with the name of the settings file exported from the appliance, and <domain-controller> with the DNS name or IP address of the domain controller.
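The check the article describes, written here as an added PowerShell example (not SonicWall's script): it looks up usernames taken from a settings export in the directory, reports whether each is enabled or disabled, and lists which SonicWall administrator groups it belongs to. It assumes a domain-joined host with read access to AD; the $AdminUsers list is a constructed sample matching the article's output, and $AdminGroups are the groups the article names.

```powershell
# Added example, not the SonicWall script. Assumes a domain-joined host with read
# access to AD. $AdminUsers is a constructed sample matching the article's output;
# $AdminGroups are the SonicWall administrator groups the article names.
param([string]$DomainController)   # optional DNS name or IP of a domain controller

$AdminUsers  = @('john_smith', 'bob_jones', 'bob_local')
$AdminGroups = @('SonicWall Administrators', 'Limited Administrators',
                 'SonicWall Read-Only Admins', 'Guest Administrators')

# RFC 4515 escaping so a username read from a file cannot change the filter's meaning
function Escape-LdapFilter([string]$s) {
    $s -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

# Resolve the domain DN (e.g. DC=example,DC=com) from RootDSE, via the given DC if any
$prefix   = if ($DomainController) { "LDAP://$DomainController/" } else { 'LDAP://' }
$domainDn = [string]([ADSI]"${prefix}RootDSE").defaultNamingContext
Write-Host "Searching under domain DN: $domainDn"

$searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"$prefix$domainDn")
$searcher.PageSize = 500
$searcher.Filter = '(&(objectCategory=person)(objectClass=user)(|' +
    (($AdminUsers | ForEach-Object { "(sAMAccountName=$(Escape-LdapFilter $_))" }) -join '') + '))'
[void]$searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'memberOf', 'userAccountControl'))

$found = @{}
foreach ($r in $searcher.FindAll()) {
    $name = [string]$r.Properties['samaccountname'][0]
    $found[$name.ToLower()] = $true
    # Bit 0x2 of userAccountControl is ACCOUNTDISABLE
    $state = if ([int]$r.Properties['useraccountcontrol'][0] -band 0x2) { 'disabled' } else { 'enabled' }
    # memberOf holds group DNs; compare the CN of each against the SonicWall admin groups
    $groups = @($r.Properties['memberof'] | ForEach-Object { ($_ -split ',')[0] -replace '^CN=', '' })
    $hits   = @($groups | Where-Object { $AdminGroups -contains $_ })
    if ($hits.Count -gt 0) {
        Write-Host ("{0} ({1}) is a member of: {2}" -f $name, $state, ($hits -join ', '))
    } else {
        Write-Host ("{0} ({1}) exists but is in no SonicWall administrator group" -f $name, $state)
    }
}
# Users named in the settings but absent from the directory (e.g. firewall-only local accounts)
foreach ($u in $AdminUsers) {
    if (-not $found.ContainsKey($u.ToLower())) { Write-Host "$u not found in the LDAP directory" }
}
```

Only direct group membership is checked; nested membership would need a recursive lookup of each group's own memberOf.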
Step 2. Usage example for SonicWallLDAPAdminUserChk.vbs
When you run the SonicWallLDAPAdminUserChk.vbs script, the output may be similar to the following example:
cscript SonicwallLDAPAdminUserChk.vbs sonicwall.exp ad.example.com
Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.
SonicWall Administrative User Check Script Version 1.1
Reading the export file...
Decoding the export file (this may take a while)...
Found a local administrative user group: SW Admins
Found a local administrative user: john_smith
Found a local administrative user: bob_jones
Found a local administrative user: bob_local
An LDAP search will now be made to check if those users/groups exist in the LDAP directory.
Press enter to continue
Searching under domain DN: DC=example,DC=com
Searching for the administrative users found in the SonicWall settings
Found 4 users