Cross-forest Authenticate in VBS


So the problem:

All user mailboxes were migrated to a central Exchange server, coming from various Exchange 5.5/2003 mail servers (contact me if you want to know how 🙂), and the mailboxes were cloned. Now the client needs to be pointed to the new Exchange server, otherwise Outlook will not work. The challenge: how do you change the MAPI profile?

We had 4 scenarios (numbered the way the script's ScriptMode uses them):

1: The domain is NT4 with no trust, or there is no domain at all
2: The domain the user is in is a Windows 2000/2003/2008 domain with no trust
3: The domain the user is in has a trust with the Exchange domain
4: The user is already in the Exchange domain

I've created a script that takes these 4 scenarios into account and uses them to determine the actual authentication path. To migrate the MAPI profile itself we used the program EXPROFRE.exe.

ExprofRe has to be called like this: ExprofRe.exe /logfile=  /targetGc=

The problem is the authentication to the target GC.


1: When there is no trust and the source domain is NT4 or a standalone machine, we use NTLM pass-through authentication. Inside the script we create a new local user with the same username and password as a user in the target domain. To add this user (while a regular user is logged in) we do a runas:

Sub CreateProfmigAccount()
 ' Creates a local account with the same name and password as the account in
 ' the target domain, so NTLM pass-through authentication works without a trust.
 ExtDiag " Running in NT migration mode, user account must exist"
 strWindir = WshShell.ExpandEnvironmentStrings("%Windir%")

 On Error Resume Next

 ' Nothing to do if the local account is already present
 Set objUser = GetObject("WinNT://" & gstrClient & "/" & strMigUser)
 If Err = 0 Then
  Out " Account already exists."
  Exit Sub
 Else
  Set objUser = Nothing
  Err.Clear
 End If

 Diag " Admin account : " & strLocalAdmin
 Diag " Account to create : " & strMigUser

 Call MigrationAccountCheck

 ' NET USER ... /ADD is run as the local admin via runas; the admin password
 ' is typed into the runas prompt with SendKeys further down
 strProg = "CMD /C NET USER " & strMigUser & " " & Unscramble(strMigPass) & " /ADD"
 strCmd = "runas /env /user:" & Unscramble(strLocalAdmin) & " """ & strProg & """"
 ExtDiag strCmd
 rc = WshShell.Run(strCmd, 2, False)
 ' The runas console window is titled with the full path of runas.exe
 strWindowTitle = strWindir & "\System32\runas.exe"
 ExtDiag strWindowTitle
 bolResult = False
 bolResult = WshShell.AppActivate(strWindowTitle)
 While bolResult = False
  StdOut.WriteLine " Focus Failed, retrying."
  WScript.Sleep 50
  bolResult = WshShell.AppActivate(strWindowTitle)
 Wend
 StdOut.WriteLine " Focus succeeded."
 strLocalAdminPass2 = Unscramble(strLocalAdminPass)
 WshShell.SendKeys(strLocalAdminPass2 & "~")
 WScript.Sleep 1000
 ' Poll up to 10 times (1 second apart) for the new account to show up
 bolCreated = False
 Retry = 0
 Do While bolCreated = False And Retry < 10
  WScript.Sleep 1000
  Set objUser = GetObject("WinNT://" & gstrClient & "/" & strMigUser)
  If Err = 0 Then
   Diag " Account created."
   Exit Sub
  Else
   Set objUser = Nothing
   Retry = Retry + 1
   Diag "Did not find user, rechecking (" & Retry & ")"
   Err.Clear
  End If
 Loop

End Sub


After the local user is created we do roughly the same thing, kicking off ExprofRe with the /netonly option and the newly created user. Because of /netonly, the GC is reached with an account that has the same username/password as an account in the target domain. Of course the account is also deleted afterwards.

2: When there is no trust between the domains, we can use UPN suffixes. Add a new UPN suffix to the target domain (migrations.local for example). Create a new user in the target domain (GC@migrations.local) and create exactly the same user in the source Windows 2000/2003/2008 domain.

On the client side we can now do: runas /netonly /user:GC@migrations.local ExprofRe ...

3: When there is a trust, just use: runas /netonly /user:<targetdomain>\username ExprofRe ...

4: Just run ExprofRe with the options.

So basically, there are numerous ways to script around authentication; use your imagination to see which one fits your requirements.

Sub RunExprofRE(strValue2)
 ' *********ExProfRedirector runner************************
 ' Runs ExprofRe with MigUser credentials in RunAs /Netonly
 '  First sets the command ready and creates the CMD object
 '  then runs the cmd window with the command
 '  finally enters the password using SendKeys
 '*********************************************************

 Set StdOut = WScript.StdOut
 strLogonServer = WshShell.ExpandEnvironmentStrings("%LogonServer%")
 strWindir = WshShell.ExpandEnvironmentStrings("%Windir%")

 ' Build the ExprofRe command line; the log file is named <computer>-<user>-<strValue2>.log
 If useRPC = 0 Then
  strProg = strExprofRe & " /logfile=" & strLogLocation & "\" & WshNetwork.ComputerName & "-" & "%USERNAME%" & "-" & strValue2 & ".log /q /targetgc=" & strGCServer
 Else
  ' RPC mode: the log path is quoted (closing quote included) and strRpcPath is passed with /p=
  strProg = strExprofRe & " /logfile=" & Chr(34) & strLogLocation & "\" & WshNetwork.ComputerName & "-" & "%USERNAME%" & "-" & strValue2 & ".log" & Chr(34) & " /q /targetgc=" & strGCServer & " /p=" & strRpcPath
 End If
 Diag strProg

 If ScriptMode = 4 Then
  ' Mode 4: the user is already in the target domain, run ExprofRe directly
  Diag "Running Mode 4 of script, running:"
  Diag strProg
  StdOut.WriteLine " Command initialized"
  rc = WshShell.Run(strProg, 2, False)
 Else
  ' Modes 1-3: wrap the command in runas /netonly with the migration account
  Select Case ScriptMode
   Case 1 ' NT4: local account mirrored from the target domain (see CreateProfmigAccount)
    strCmd = "runas /env /netonly /user:" & gstrClient & "\" & strMigUser & " " & Chr(34) & strProg & Chr(34)
    Diag "==> COMMAND THAT WILL BE RAN <===== NT4 Mode"
    Diag strCmd
   Case 2 ' UPN migration: strMigUser holds user@upnsuffix
    strCmd = "runas /env /netonly /user:" & strMigUser & " " & Chr(34) & strProg & Chr(34)
    Diag "==> COMMAND THAT WILL BE RAN <===== UPN Mode"
    Diag strCmd
   Case 3 ' Trusted domain migration: strMigUser holds targetdomain\user
    strCmd = "runas /env /netonly /user:" & strMigUser & " " & Chr(34) & strProg & Chr(34)
    Diag "==> COMMAND THAT WILL BE RAN <===== TRUST Mode"
    Diag strCmd
  End Select

  Diag "Command initialized"
  rc = WshShell.Run(strCmd, 2, False)

  ' Wait for the runas console window and bring it to the foreground
  strWindowTitle = strWindir & "\System32\runas.exe"
  bolResult = False
  bolResult = WshShell.AppActivate(strWindowTitle)
  While bolResult = False
   ExtDiag " Preparing Command for Execution"
   WScript.Sleep 50
   bolResult = WshShell.AppActivate(strWindowTitle)
  Wend

  StdOut.WriteLine " Executing command"
  ' Type the migration account password into the runas prompt
  strMigPass2 = Unscramble(strMigPass)
  ExtDiag strMigPass
  WshShell.SendKeys(strMigPass2 & "~")
 End If

End Sub
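RunExprofRE switches on ScriptMode, but the post does not show how the mode is chosen. The function below is an added example (not part of the original script) of how the four scenarios could be told apart with the same WScript.Network and ADSI objects; it assumes strTargetDomain is the NetBIOS name of the target Exchange domain, treats a failed LDAP://RootDSE bind as NT4 or standalone, and looks for a trustedDomain object under CN=System of the current domain.

```vbscript
' Added example: picks the ScriptMode (1-4) that RunExprofRE expects.
' Assumes strTargetDomain is the NetBIOS name of the target Exchange domain.
Function DetermineScriptMode(strTargetDomain)
 Dim objNet, objRootDSE, objSystem, objTrust, strUserDomain, strFlat, strPartner
 Set objNet = CreateObject("WScript.Network")
 strUserDomain = UCase(objNet.UserDomain)

 ' Mode 4: the user is already logged on to the target domain
 If strUserDomain = UCase(strTargetDomain) Then
  DetermineScriptMode = 4
  Exit Function
 End If

 ' Mode 1: standalone machine (the user domain is the computer name)
 If strUserDomain = UCase(objNet.ComputerName) Then
  DetermineScriptMode = 1
  Exit Function
 End If

 ' Mode 1: NT4 domain, which has no LDAP server to bind RootDSE to
 On Error Resume Next
 Set objRootDSE = GetObject("LDAP://RootDSE")
 If Err.Number <> 0 Then
  Err.Clear
  DetermineScriptMode = 1
  Exit Function
 End If
 On Error GoTo 0

 ' AD domain: enumerate trustedDomain objects under CN=System and compare
 ' both the NetBIOS name (flatName) and the DNS name (trustPartner)
 Set objSystem = GetObject("LDAP://CN=System," & objRootDSE.Get("defaultNamingContext"))
 objSystem.Filter = Array("trustedDomain")
 For Each objTrust In objSystem
  strFlat = "" : strPartner = ""
  On Error Resume Next      ' either attribute may be absent on a trust object
  strFlat = objTrust.Get("flatName")
  strPartner = objTrust.Get("trustPartner")
  Err.Clear
  On Error GoTo 0
  If UCase(strFlat) = UCase(strTargetDomain) Or UCase(strPartner) = UCase(strTargetDomain) Then
   ' Mode 3: a trust exists, so runas /netonly with targetdomain\user works
   DetermineScriptMode = 3
   Exit Function
  End If
 Next

 ' Mode 2: AD domain without a trust, fall back to the UPN suffix account
 DetermineScriptMode = 2
End Function
```

The check does not look at the trust direction or whether the trust is currently healthy, so a trust that exists but does not allow the migration account to authenticate still ends up in mode 3.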