Cross-forest Authentication in VBS

So the problem:

All mailboxes of the users were migrated to a central Exchange server, coming from various Exchange 5.5/2003/2003 mail servers (contact me if you want to know how 🙂 ), and the mailboxes were cloned. Now the client needs to be pointed to the new Exchange server, otherwise Outlook will not work. The challenge: how do you change the MAPI profile?

We had 4 scenarios:

1: The domain is NT4, there is no trust, or there is no domain at all!
2: The domain the user is in is a Windows 2000/2003/2008 domain with no trust to the Exchange domain
3: The domain the user is in has a trust with the Exchange domain
4: The user is already in the Exchange domain

I've created a script that takes these 4 options into account and uses them to determine the actual authentication path. To migrate the MAPI profile itself we used the program EXPROFRE.exe.

ExprofRe has to be called like: ExprofRe.exe /logfile=  /targetGc=

The problem is the authentication to the target GC.

1: When there is no trust and the source domain is NT4 or the machine is standalone, we use NTLM pass-through authentication. Inside the script we create a new local user with the same username and password as a user in the target domain. To add this user (while a regular, non-administrative user is logged in) we do a runas:

Sub CreateProfmigAccount()

 ExtDiag " Running in NT migration mode, user account must exist"
 strWindir = WshShell.ExpandEnvironmentStrings("%Windir%")

 On Error Resume Next

 ' Does the local pass-through account already exist?
 Set objUser = GetObject("WinNT://" & gstrClient & "/" & strMigUser)
 If Err = 0 Then
  Out " Account already exists."
  Exit Sub
 Else
  Set objUser = Nothing
  Err.Clear
 End If

 Diag " Admin account : " & strLocalAdmin
 Diag " Account to create : " & strMigUser

 Call MigrationAccountCheck

 ' NET USER is run under the local admin account via runas; note that strCmd
 ' (and therefore the ExtDiag line below) contains the migration password in clear.
 strProg = "CMD /C NET USER " & strMigUser & " " & Unscramble(strMigPass) & " /ADD"
 strCmd = "runas /env /user:" & Unscramble(strLocalAdmin) & " """ & strProg & """"
 ExtDiag strCmd
 rc = WshShell.Run(strCmd, 2, False)
 ' runas prompts for the admin password in its own console window; find it by title
 strWindowTitle = strWindir & "\System32\runas.exe"
 ExtDiag strWindowTitle
 bolResult = False
 bolResult = WshShell.AppActivate(strWindowTitle)
 While bolResult = False
  StdOut.WriteLine " Focus Failed, retrying."
  WScript.Sleep 50
  bolResult = WshShell.AppActivate(strWindowTitle)
 Wend
 StdOut.WriteLine " Focus succeeded."
 ' Type the admin password into the runas prompt, followed by Enter
 strLocalAdminPass2 = Unscramble(strLocalAdminPass)
 WshShell.SendKeys strLocalAdminPass2 & "~"
 WScript.Sleep 1000
 ' Poll for up to ten seconds until the account shows up in the local SAM
 bolCreated = False
 Retry = 0
 Do While bolCreated = False And Retry < 10
  WScript.Sleep 1000
  Set objUser = GetObject("WinNT://" & gstrClient & "/" & strMigUser)
  If Err = 0 Then
   Diag " Account created."
   Exit Sub
  Else
   Set objUser = Nothing
   Retry = Retry + 1
   Diag "Did not find user, rechecking (" & Retry & ")"
   Err.Clear
  End If
 Loop

End Sub

After the local user is created we do roughly the same thing, kicking off ExProfRe with the /netonly option under the newly created user. Because of /netonly, the GC is reached with an account that has the same username/password as an account in the target domain. Of course the account is also deleted afterwards.
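The runas/SendKeys route above depends on AppActivate winning focus on the runas console and types the local admin password into that window. As an added example (not code from the original post), the same pass-through account can be created and later removed by binding to the local SAM through the ADSI WinNT provider with explicit administrator credentials (IADsOpenDSObject.OpenDSObject), so no password is ever typed into a window. The parameter names (strComputer, strMigUser, strMigPass, strLocalAdmin, strLocalAdminPass) are assumptions chosen to match the post's variables, and the account is assumed to be a local SAM account on strComputer.

```vbscript
' Added example, not from the original post: manage the local NTLM pass-through
' account via the ADSI WinNT provider instead of runas + SendKeys.
Option Explicit

' ADS_SECURE_AUTHENTICATION: authenticate the bind with the supplied credentials.
Const ADS_SECURE_AUTHENTICATION = 1

' Binds to the local SAM of strComputer as strLocalAdmin. Returns Nothing on failure.
Function BindLocalComputer(strComputer, strLocalAdmin, strLocalAdminPass)
    Dim objNS
    On Error Resume Next
    Set objNS = GetObject("WinNT:")
    ' WinNT provider expects the account as COMPUTER\user (assumption: local admin account)
    Set BindLocalComputer = objNS.OpenDSObject("WinNT://" & strComputer, _
        strComputer & "\" & strLocalAdmin, strLocalAdminPass, ADS_SECURE_AUTHENTICATION)
    If Err.Number <> 0 Then
        Err.Clear
        Set BindLocalComputer = Nothing
    End If
    On Error GoTo 0
End Function

' Creates the pass-through account, or resets its password if it already exists.
' Returns True when the account exists with the wanted password afterwards.
Function EnsureLocalMigrationAccount(strComputer, strMigUser, strMigPass, strLocalAdmin, strLocalAdminPass)
    Dim objComputer, objUser
    EnsureLocalMigrationAccount = False
    Set objComputer = BindLocalComputer(strComputer, strLocalAdmin, strLocalAdminPass)
    If objComputer Is Nothing Then Exit Function

    On Error Resume Next
    Set objUser = objComputer.GetObject("user", strMigUser)
    If Err.Number <> 0 Then
        ' Not there yet: create it (WinNT accepts SetPassword before the first SetInfo)
        Err.Clear
        Set objUser = objComputer.Create("user", strMigUser)
    End If
    ' NTLM pass-through only works when the local password equals the target-domain one
    objUser.SetPassword strMigPass
    objUser.SetInfo
    EnsureLocalMigrationAccount = (Err.Number = 0)
    On Error GoTo 0
End Function

' Deletes the pass-through account once ExProfRe has finished. Returns True on success.
Function RemoveLocalMigrationAccount(strComputer, strMigUser, strLocalAdmin, strLocalAdminPass)
    Dim objComputer
    RemoveLocalMigrationAccount = False
    Set objComputer = BindLocalComputer(strComputer, strLocalAdmin, strLocalAdminPass)
    If objComputer Is Nothing Then Exit Function
    On Error Resume Next
    objComputer.Delete "user", strMigUser
    RemoveLocalMigrationAccount = (Err.Number = 0)
    On Error GoTo 0
End Function
```

Call EnsureLocalMigrationAccount before RunExprofRE and RemoveLocalMigrationAccount after it; both report failure through their return value instead of polling the SAM, and the cleanup step the post mentions is then part of the same script rather than a separate NET USER /DELETE.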

2: When there is no trust between the domains but the source domain is Windows 2000/2003/2008, we can use UPN suffixes. Add a new UPN suffix to the target domain (migrations.local for example), create a new user in the target domain (GC@migrations.local), and create the exact same user in the source Windows 2000/2003/2008 domain.

On the client side we can now do a runas /netonly /user:GC@migrations.local ExProfRe... (with its options).

3: When there is a trust, just use runas /netonly /user:<targetdomain>\username ExProfRe... (with its options).

4: Just run ExProfRe with its options.

So basically, there are numerous ways to script around authentication; use your imagination to see which one fits your requirements.
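The post says the script works out which of the four paths applies but does not show that part. As an added example (not the post's own code), the function below derives the ScriptMode value used by RunExprofRE from the client's environment: a standalone machine or an NT4 domain (no LDAP RootDSE) gives mode 1, membership of the target domain gives mode 4, an AD domain with a trustedDomain object for the target in CN=System gives mode 3, and any other AD domain gives mode 2. The parameter strTargetNetbios (the NetBIOS name of the Exchange domain) and the function names are assumptions; the directory query uses the ADO "ADsDSOObject" provider.

```vbscript
' Added example, not from the original post: pick ScriptMode (1-4) for RunExprofRE.
Option Explicit

' Returns 1 (NT4/standalone), 2 (AD, no trust), 3 (AD, trusted) or 4 (in target domain).
Function DetectScriptMode(strTargetNetbios)
    Dim objNet, strUserDomain, objRootDSE, strDNC
    Set objNet = CreateObject("WScript.Network")
    strUserDomain = objNet.UserDomain

    ' Standalone machine: the logged-on user's "domain" is the computer itself
    If UCase(strUserDomain) = UCase(objNet.ComputerName) Then
        DetectScriptMode = 1
        Exit Function
    End If

    ' Already in the target domain: plain ExProfRe, no alternate credentials
    If UCase(strUserDomain) = UCase(strTargetNetbios) Then
        DetectScriptMode = 4
        Exit Function
    End If

    ' NT4 domains have no LDAP, so a serverless RootDSE bind fails there
    On Error Resume Next
    Set objRootDSE = GetObject("LDAP://RootDSE")
    If Err.Number <> 0 Then
        Err.Clear
        On Error GoTo 0
        DetectScriptMode = 1
        Exit Function
    End If
    strDNC = objRootDSE.Get("defaultNamingContext")
    On Error GoTo 0

    ' AD domain: trusted if a trustedDomain object for the target exists
    If HasTrustWith(strDNC, strTargetNetbios) Then
        DetectScriptMode = 3
    Else
        DetectScriptMode = 2
    End If
End Function

' Looks in CN=System of the client's domain for a trustedDomain object whose
' flatName (NetBIOS name) is the target domain. Any trust direction counts here.
Function HasTrustWith(strDNC, strTargetNetbios)
    Dim objConn, objCmd, objRS
    Set objConn = CreateObject("ADODB.Connection")
    objConn.Provider = "ADsDSOObject"
    objConn.Open "Active Directory Provider"
    Set objCmd = CreateObject("ADODB.Command")
    Set objCmd.ActiveConnection = objConn
    objCmd.CommandText = "<LDAP://CN=System," & strDNC & ">;" & _
        "(&(objectClass=trustedDomain)(flatName=" & strTargetNetbios & "));" & _
        "flatName,trustDirection;onelevel"
    Set objRS = objCmd.Execute
    HasTrustWith = Not objRS.EOF
    objRS.Close
    objConn.Close
End Function
```

Mode 2 is the fallback because its prerequisites (the UPN suffix and the matching GC@ account in both domains) cannot be verified from the client; if you want to be strict, fail the migration when DetectScriptMode returns 2 and the expected UPN account cannot be bound.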

Sub RunExprofRE(strValue2)
 ' *********ExProfRedirector runner************************
 ' Runs ExprofRe with MigUser credentials in RunAs /Netonly
 '  First sets command ready and creates CMD object
 '  then runs cmd window with command
 '  finally enters the password using sendkeys
 '*********************************************************

 Set StdOut = WScript.StdOut
 strLogonServer = WshShell.ExpandEnvironmentStrings("%LogonServer%")
 strWindir = WshShell.ExpandEnvironmentStrings("%Windir%")

 ' Log file: <strLogLocation>\<computer>-<user>-<strValue2>.log
 strLogFile = strLogLocation & "\" & WshNetwork.ComputerName & "-" & "%USERNAME%" & "-" & strValue2 & ".log"
 If useRPC = 0 Then
  strProg = strExprofRe & " /logfile=" & strLogFile & " /q /targetgc=" & strGCServer
 Else
  ' Quote the log path and close the quote, so the following switches stay separate arguments
  strProg = strExprofRe & " /logfile=" & Chr(34) & strLogFile & Chr(34) & " /q /targetgc=" & strGCServer & " /p=" & strRpcPath
 End If
 Diag strProg

 If ScriptMode = 4 Then
  ' Mode 4: the client is already in the target domain, no alternate credentials needed
  Diag "Running Mode 4 of script, running:"
  Diag strProg
  StdOut.WriteLine " Command initialized"
  rc = WshShell.Run(strProg, 2, False)
 Else
  ' Build the runas /netonly command for the three cross-domain modes
  Select Case ScriptMode
   Case 1 ' NT4 / standalone: local pass-through account, COMPUTER\user
    strCmd = "runas /env /netonly /user:" & gstrClient & "\" & strMigUser & " " & Chr(34) & strProg & Chr(34)
    Diag "==> COMMAND THAT WILL BE RAN <===== NT4 Mode"
    Diag strCmd
   Case 2 ' UPN migration: strMigUser is a UPN such as GC@migrations.local
    strCmd = "runas /env /netonly /user:" & strMigUser & " " & Chr(34) & strProg & Chr(34)
    Diag "==> COMMAND THAT WILL BE RAN <===== UPN Mode"
    Diag strCmd
   Case 3 ' Trusted domain migration: strMigUser is targetdomain\username
    strCmd = "runas /env /netonly /user:" & strMigUser & " " & Chr(34) & strProg & Chr(34)
    Diag "==> COMMAND THAT WILL BE RAN <===== TRUST Mode"
    Diag strCmd
  End Select

  Diag "Command initialized"
  rc = WshShell.Run(strCmd, 2, False)

  ' Wait for the runas console window and give it focus
  strWindowTitle = strWindir & "\System32\runas.exe"
  bolResult = False
  bolResult = WshShell.AppActivate(strWindowTitle)
  While bolResult = False
   ExtDiag " Preparing Command for Execution"
   WScript.Sleep 50
   bolResult = WshShell.AppActivate(strWindowTitle)
  Wend

  StdOut.WriteLine " Executing command"
  ' Type the migration account password into the runas prompt, followed by Enter
  strMigPass2 = Unscramble(strMigPass)
  ExtDiag strMigPass ' scrambled form only; the clear-text value is never logged
  WshShell.SendKeys strMigPass2 & "~"
 End If

End Sub
