ms_active_directory

A library for integrating with Microsoft Active Directory domains

MIT License


ms_active_directory - v1.13.0 Latest Release

Published by zorn96 11 months ago

The primary components of this release are:

  1. Support for moving users, computers, groups, and generic objects from one DN to another
  2. Support for renaming groups and objects
  3. Support for setting null values for attributes when overwriting them if desired
  4. Support for deleting user and group objects (thanks @mrgum)
  5. Support for creating DENY ACEs for security descriptors

Additionally, the following issues have been fixed:

  1. Fixed an issue where machines with no ipv6 support would fail to discover domain resources due to failures to check reachability of kerberos servers
  2. Fixed an issue when parsing results for groups with no users (thanks @Pinkbyte)

Full Changelog: https://github.com/zorn96/ms_active_directory/compare/v1.12.1...v1.13.0

ms_active_directory - v1.12.1

Published by zorn96 almost 3 years ago

Fixed a regression in finding primary groups.

ms_active_directory - v1.12.0

Published by zorn96 almost 3 years ago

The primary component of this release is user principal name functionality. New features include:

  1. Finding the user principal name suffixes for a domain, which can be helpful for searching or determining how to logon in cases where only a short username is known
  2. Finding users and computers by principal name
  3. Support for using user and computer principals in other functions, like group membership lookups, account disable/enable, password changes, etc.

Other small enhancements include:

  1. Functionality to lookup the SID for a domain
  2. Checking if a session is anonymous
  3. ADObject now returns None for attributes that are not present in the response
  4. The permissions a session needs to find primary group memberships have decreased, and the bandwidth used has also decreased, as the domain SID is now used in such lookups rather than querying the objectSID for all users every time.
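The SID handling that the primary-group change above relies on, as an added example (not the library's own code): decoding the binary objectSid attribute returned by LDAP and deriving a primary group's SID from the domain SID plus the user's primaryGroupID, so no per-user objectSID query is needed. The SID byte strings are constructed for the example.

```python
import struct


def sid_bytes_to_string(raw: bytes) -> str:
    """Decode a binary SID (revision, sub-authority count, 48-bit authority,
    then little-endian 32-bit sub-authorities) into 'S-1-5-21-...' form."""
    if len(raw) < 8:
        raise ValueError('SID too short')
    revision, sub_count = raw[0], raw[1]
    if revision != 1:
        raise ValueError(f'unsupported SID revision {revision}')
    if len(raw) != 8 + 4 * sub_count:
        raise ValueError('SID length does not match sub-authority count')
    authority = int.from_bytes(raw[2:8], 'big')  # identifier authority is big-endian
    subs = struct.unpack('<%dI' % sub_count, raw[8:])
    return 'S-%d-%d' % (revision, authority) + ''.join('-%d' % s for s in subs)


def sid_string_to_bytes(sid: str) -> bytes:
    """Inverse of sid_bytes_to_string; useful for building LDAP filters on objectSid."""
    parts = sid.split('-')
    if len(parts) < 3 or parts[0] != 'S':
        raise ValueError(f'malformed SID: {sid!r}')
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, 'big')
            + struct.pack('<%dI' % len(subs), *subs))


def domain_sid_of(object_sid: str) -> str:
    """A domain object's SID is the domain SID followed by one RID; strip the RID."""
    return object_sid.rsplit('-', 1)[0]


def primary_group_sid(domain_sid: str, primary_group_id: int) -> str:
    """primaryGroupID holds only the RID of the primary group; the full SID is
    the domain SID with that RID appended (513 is the well-known Domain Users RID)."""
    return f'{domain_sid}-{primary_group_id}'


if __name__ == '__main__':
    # Constructed sample: domain S-1-5-21-1-2-3, user RID 1105, primaryGroupID 513.
    user_sid = sid_bytes_to_string(sid_string_to_bytes('S-1-5-21-1-2-3-1105'))
    print(primary_group_sid(domain_sid_of(user_sid), 513))  # S-1-5-21-1-2-3-513
```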

ms_active_directory - v1.11.2

Published by zorn96 almost 3 years ago

Added the following functionality:

  • Getting the primary group for users
  • Options to speed up user/group/computer creation when the location has been pre-validated

ms_active_directory - v1.11.1

Published by zorn96 almost 3 years ago

Contains fixes to the hash function for ADObjects and minor optimizations for user creation.

ms_active_directory - v1.11.0

Published by zorn96 almost 3 years ago

New functionality in 1.11.0 includes:

  • Ability to locally configure a windows, macOS, or linux device's kerberos client when creating an ADDomain object, or independently using one or more ADDomain objects
  • Ability to create groups (thanks @TrinityDevelopers)
  • Ability to create unmanaged users (thanks @TrinityDevelopers)
  • Ability to create managed users, which (just like managed computers) will automatically generate kerberos keys for the users to authenticate with, and support a variety of auxiliary functionality

ms_active_directory - v1.10.1

Published by zorn96 about 3 years ago

Bug fix for an issue where trailing commas were left in the relative distinguished name of objects.

ms_active_directory - v1.10.0

Published by zorn96 about 3 years ago

Added new functionality for discovering policies.

There's a new function to find all of the group policies within a domain, and their attributes.
There's also functionality added to ADObject objects, and all of their derivatives, to parse the linked group policy information and make it simple to see the list of the distinguished names of policies attached to the object. There have also been new ADObject derivatives added for group policy objects, organizational units, and domain objects, making it somewhat easier to work with container-type objects and their policies.

ms_active_directory - v1.9.2

Published by zorn96 about 3 years ago

Primary release focus: added documentation and a documentation build system.
Find the docs at https://ms-active-directory.readthedocs.io/en/latest/

This release also added completed docstrings for all functions, as a few were missing them.
Type annotations were also added for the return types of all functions.
Minor tweaks to line lengths were made in the name of PEP8 compliance.

ms_active_directory - v1.9.0

Published by zorn96 about 3 years ago

Added support for looking up members of groups.

There are now functions for the following:

  • Find all of the direct members of a group, as well as requested attributes of those members.
  • Find all of the direct members of multiple groups, as well as requested attributes of those members.
  • Find all of the members of a group recursively, as well as requested attributes of those members. This can iterate downwards through nested groups to find all of the members of a group, both direct and indirect through groups that are direct members. There are options to specify a maximum depth, as well as an option to flatten the response.
  • Find all of the members of multiple groups recursively, as well as requested attributes of those members. This can iterate downwards through nested groups to find all of the members of the groups, both direct and indirect through groups that are direct members. There are options to specify a maximum depth.

For all of these, members will be cast to the most appropriate object type (e.g. ADUser or ADGroup) in the response, making it easy to tell what types the members are.

ms_active_directory - v1.8.1

Published by zorn96 about 3 years ago

Added windows path support and made some performance improvements.

Previously, only LDAP distinguished names were supported for most operations.
However, not everyone is comfortable with that style of naming. Many people
on windows are familiar with canonical names (also called "windows path style"
naming).
For example, OU=nested-org,OU=org,CN=org-containers,DC=example,DC=com
would be example.com/org-containers/org/nested-org

The library now supports looking up these names and using them for things like
domain joining.
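The name conversion described above, as an added example that is not the library's own code: turning an LDAP distinguished name into a canonical ("windows path style") name, and splitting a canonical name back into its domain and path components. The reverse direction cannot be done purely textually, because a canonical path component does not say whether it was an OU or a CN (org-containers in the example above is a CN); that is why the library resolves such names by lookup. Handles backslash-escaped commas in DNs and backslash-escaped slashes in canonical names.

```python
import re


def split_rdns(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (ATTRIBUTE, value) pairs, honouring backslash-escaped commas."""
    pairs = []
    for rdn in re.split(r'(?<!\\),', dn):
        attr, sep, value = rdn.partition('=')
        if not sep:
            raise ValueError(f'malformed RDN: {rdn!r}')
        pairs.append((attr.strip().upper(), value.replace('\\,', ',')))
    return pairs


def dn_to_canonical(dn: str) -> str:
    """OU=nested-org,OU=org,CN=org-containers,DC=example,DC=com
    -> example.com/org-containers/org/nested-org"""
    dc_parts, path_parts = [], []
    for attr, value in split_rdns(dn):
        if attr == 'DC':
            dc_parts.append(value)
        else:
            # '/' separates components in canonical names, so escape it inside values.
            path_parts.append(value.replace('/', '\\/'))
    if not dc_parts:
        raise ValueError('DN has no DC components; cannot form a domain name')
    # A DN is leaf-first; a canonical name is domain first, then outermost container first.
    return '/'.join(['.'.join(dc_parts)] + path_parts[::-1])


def split_canonical(canonical: str) -> tuple[str, list[str]]:
    """'example.com/org-containers/org' -> ('example.com', ['org-containers', 'org']).
    The attribute type of each component is unknown; resolve each step by LDAP lookup."""
    parts = [p.replace('\\/', '/') for p in re.split(r'(?<!\\)/', canonical)]
    if not parts[0]:
        raise ValueError(f'canonical name lacks a domain: {canonical!r}')
    return parts[0], parts[1:]


if __name__ == '__main__':
    print(dn_to_canonical('OU=nested-org,OU=org,CN=org-containers,DC=example,DC=com'))
```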

There's also some minor performance enhancements. There's now an option to
skip validation that names exist in the domain for many lookup operations and
other operations. This makes actions such as bulk addition of users to groups
or modifications of users/groups/computers more efficient when utilized, as
it removes all of the existence check queries. This is useful for those who are
planning to guarantee the existence of things externally.

ms_active_directory - v1.8.0

Published by zorn96 about 3 years ago

Added extended multi-domain support - the library now supports transferring an authenticated session from one AD domain to other trusted domains.

This action can be taken on a trusted domain with a session.
If this is done, it transfers all connection attributes, including authentication
attributes, network attributes/strategies, and formatting-related
attributes, from the existing session and tries to authenticate a new
session with the trusted domain.

A function also exists in a session to create transfer sessions to
all trusted domains. This allows a caller to spin out their sessions
and create new sessions. It could even be done recursively to get
sessions for all of the domains that are connected in the trust web
that a user is trusted within.

Made a small enhancement to netbios name querying when subdomains
and parent domains exist.
Included minor README corrections.
Added a feature roadmap document to track plans for the library.

ms_active_directory - v1.7.0

Published by zorn96 about 3 years ago

Added basic multi-domain support.

Added support for discovering trusted domains, of various types, and attributes about them such as whether the trust is transitive, whether it's bidirectional, whether SID filtering is in use, etc.
Added support for turning Active Directory domain trust objects into Active Directory domain objects.

Added a few more utility functions, like checking if a session's user is a member of the session's domain.
Beefed up type annotations.
Fixed a few small bugs around shared servers across sessions.

ms_active_directory - v1.6.0

Published by zorn96 about 3 years ago

Changed the naming style for computer objects and added a lot of new computer functionality.

Renamed the ad_computers.py file to managed_ad_objects.py and renamed
ad_users_and_groups.py to ad_objects.py

Descendants of ADObject represent objects in AD that we've read and
may make modifications to, but that we did not create and cannot
act as.
ManagedADObject and its descendants are objects that we can act as,
and have a password defined for them at a minimum (and kerberos
keys can be generated for them too).

This rename is technically a breaking change, but the library only
has like 5 users so that's ok and we should pull the trigger sooner
rather than later.

A bunch of computer management functions have also been added.
The same style of functions that existed for users and groups now
exist for computers. Find by various names/attributes, find groups
for computers, modify attributes in various ways, etc.
The type annotations for functions to change passwords and whatnot
have been expanded to include the new ADComputer object type used
in these functions.

Also loosened how we accept authentication mechanisms when creating
sessions in order to make it easier to use SASL authentication without
knowing whether something is a sasl mech or an authentication mech.

ms_active_directory - v1.5.0

Published by zorn96 about 3 years ago

Added support for modifying attributes of users, groups, and objects.

Added support for:

  • Atomically append one or more values to a single attribute.
  • Atomically append values to multiple different attributes.
  • Atomically overwrite the value of a single attribute.
  • Atomically overwrite the values of multiple attributes.

Both append and overwrite will succeed at setting values for fields that currently have no value.
Append will atomically add more values for a multi-valued attribute and will fail to update single-valued attributes that have a value already. The atomicity is done server-side - so there's no read and write-back. Whether duplicates are allowed and how values are validated depends on the attribute and server policies.
Overwrite will overwrite both single and multi-valued attributes with ease, regardless of their current values. The validation of the value used to overwrite is still done server side.

ms_active_directory - v1.4.0

Published by zorn96 about 3 years ago

Added support for enabling and disabling accounts.

Many automated account de-provisioning systems will disable accounts before deleting them. This allows quick rollback in case of disruption by simply re-enabling the account.
This supports enabling/disabling both users and computers.

ms_active_directory - v1.3.0

Published by zorn96 about 3 years ago

Added functionality to support joining an AD domain by taking over a pre-existing/pre-created computer account.

This can allow the permissions granted to the credentials used to join the domain to be greatly restricted.
Instead of general "create computers in this location" permissions, now joining is possible by just having permission to RESET PASSWORD on a single computer (or CHANGE PASSWORD if the current computer password is provided). This supports environments where the team joining machines to the domain is never supposed to create computers themselves, and just takes over ones provided by another team, and that other team sets up the services and hostnames and encryption types.

ms_active_directory - v1.2.0

Published by zorn96 about 3 years ago

Added functionality for the following:

  1. Find users, groups, and objects by SID
  2. Tools for parsing and managing security descriptors
  3. Find security descriptor for user, group, or object
  4. Set security descriptor for user, group, or object
  5. Add permissions to security descriptor for user, group, or object
  6. Basic account management functions, such as reset password, change password, and unlock account
  7. Support for specifying LDAP controls when performing find operations
  8. Auto-pagination - where a page size can be set and potentially large queries will be paginated to allow for better use in multi-threaded applications

ms_active_directory - v1.1.1

Published by zorn96 about 3 years ago

Fixed a bug related to looking up kerberos and LDAP servers in DNS

ms_active_directory - v1.1.0

Published by zorn96 about 3 years ago

Version 1.1.0 is here!
It includes 1 user-requested enhancement, and new user/group management functionality.

The user-requested enhancement is de-duplication of SRV records for ldap/kerberos servers that have the same hostname and port. These duplicate SRV records can get created due to a bug in AD when upgrading from older versions to 2016/2019, and this is recognized as a bug by Microsoft. In case domain admins don't remove the duplicate records, the library now removes them to improve efficiency and functionality.

There are features for looking up users and groups in a variety of ways and getting attributes about them, looking up the groups that users belong to or the groups that groups belong to, and adding/removing users and groups to/from other groups.