Open-AudIT

All times are UTC + 10 hours
PostPosted: Thu Jun 14, 2012 7:11 pm 
Newbie

Joined: Fri Jun 08, 2012 7:38 pm
Posts: 1
I am running OAv2 in a Windows AD environment. (AD 2008, Forest functional level 2003)
I installed the XAMPP beta3 and applied beta 4 & 5 successfully.
Got the latest audit_windows.vbs script (revision 26) from:
http://bazaar.launchpad.net/~mark-unwin ... indows.vbs

When auditing systems I get the error:
C:\xampplite\OAv2\other\audit_windows.vbs(693, 3) Active Directory: An invalid dn syntax has been specified.
Line 693:
[code] set objrecordset = objcommand.execute[/code]
I added some 'wscript.echo' calls to the block before it and found that removing this code (lines 660 - 666) solves my issue:
[code]
' Drop everything before the first comma (intended to strip the CN= part of the DN)
stemp = split(strUserDN, ",")
stemp(0) = ""
ttemp = join(stemp, ",")
ttemp = mid(ttemp, 2)    ' remove the leading comma left behind by the join
strUserDN = ttemp
wscript.echo "After split and join: " & strUserDN    ' debug output I added
erase stemp
ttemp = NULL
[/code]

What this block of code seems to do is remove the part of the string before the first comma.

The problem in my case is that the strUserDN in my environment is like:
"CN=lastname\, firstname,OU=Office,OU=Users,OU=Western,OU=Europe,DC=domain,DC=com"
after the block of code this is:
" firstname,OU=Office,OU=Users,OU=Western,OU=Europe,DC=domain,DC=com"

When this is used in the LDAP query this now looks like:
[code]select name, physicalDeliveryOfficeName from 'GC:// firstname,OU=Office,OU=Users,OU=Western,OU=Europe,DC=domain,DC=com' where objectCategory = 'person' and sAMAccountName = 'useralias'[/code]
Note the space after GC://

I assume that there is a valid reason for this code block and want to be sure that I don't break anything by excluding this code piece.
Anyone else seen this? Or is this specific to my environment?


PostPosted: Fri Jun 15, 2012 1:16 am 
Moderator

Joined: Fri Jul 20, 2007 8:27 am
Posts: 1259
The code has changed a bit in the [url=http://www.open-audit.org/phpBB3/viewtopic.php?f=20&t=5864]latest audit script[/url] but it's trying to strip the CN off of the distinguishedName to get the OU. You shouldn't remove this code if you want the correct OU value.

Rather than using split, the code should just search for the first non-escaped comma and take everything to the right of it. Or, less hacky, it could bind to the object, get its parent and then get the parent's distinguishedName. Or, super hacky, it could replace the "\," pattern with something rare, do the splitting and removing, and then revert.

Replacement code for version 6 audit script at line 679:
[code]
if error = 1 then
    ' The lookup failed earlier: fall back to the domain and do no further processing
    windows_active_directory_ou = full_ad_domain
else
    ' Protect escaped commas ("\,") from the split with a placeholder that will not occur in a DN
    windows_active_directory_ou = replace(windows_active_directory_ou, "\,", "X!X")
    ' Drop the first RDN (the CN) and the separator it leaves behind
    stemp = split(windows_active_directory_ou, ",")
    stemp(0) = ""
    ttemp = join(stemp, ",")
    ttemp = mid(ttemp, 2)
    ' Put the commas back (as plain commas, so the original escaping is not restored)
    windows_active_directory_ou = replace(ttemp, "X!X", ",")
    erase stemp
    ttemp = NULL
end if
[/code]
The code above also handles the case where we've got commas in OU names as it unescapes any commas. This is okay as windows_active_directory_ou isn't used later in the script to bind to any ADSI objects. Also we shouldn't be doing any further processing of windows_active_directory_ou if we've encountered an error and the ou is just the full_ad_domain. Removal of the escaping for commas may be unwanted. Maybe we should leave all the escaping as we don't remove it for any other escaped characters.


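The moderator's first suggestion (scan for the first non-escaped comma and keep what follows) written out as a worked example. This is added illustration code, not Open-AudIT's audit script, and it is in Python rather than VBScript so it can be run and checked anywhere. It generalises the thread's case to the full RFC 4514 escaping rules: a backslash escapes the next character (so "\\," is an escaped backslash followed by a real separator) and "\2C" is a hex-escaped comma. The parent DN keeps its escapes intact, so it is still safe to bind with; a separate display helper does the unescaping the moderator's placeholder code does. The sample DNs below are constructed for the example (the first one is the shape reported in the question) and are not from a real directory.

```python
"""Split an LDAP distinguished name into RDNs without breaking on escaped commas.

Example code written for this thread, not part of the Open-AudIT audit script.
Escaping follows RFC 4514: '\' + one character, or '\' + two hex digits.
"""
from __future__ import annotations

import re

HEX_PAIR = re.compile(r"[0-9A-Fa-f]{2}")

# Constructed sample, shaped like the DN reported in the question.
THREAD_DN = "CN=lastname\\, firstname,OU=Office,OU=Users,OU=Western,OU=Europe,DC=domain,DC=com"


def split_rdns(dn: str) -> list[str]:
    """Split a DN on unescaped commas, keeping each RDN's escape sequences as-is."""
    rdns: list[str] = []
    cur: list[str] = []
    i, n = 0, len(dn)
    while i < n:
        c = dn[i]
        if c == "\\":
            # Copy the whole escape sequence verbatim so it is never treated as a separator.
            if HEX_PAIR.fullmatch(dn[i + 1:i + 3]):
                cur.append(dn[i:i + 3])
                i += 3
            elif i + 1 < n:
                cur.append(dn[i:i + 2])
                i += 2
            else:
                raise ValueError("dangling backslash at end of DN")
        elif c == ",":
            rdns.append("".join(cur).lstrip())  # tolerate "CN=x, OU=y" spacing
            cur = []
            i += 1
        else:
            cur.append(c)
            i += 1
    rdns.append("".join(cur).lstrip())
    return rdns


def parent_dn(dn: str) -> str:
    """DN with its leaf RDN removed (for a user object: the OU path), escapes preserved."""
    rdns = split_rdns(dn)
    return ",".join(rdns[1:]) if len(rdns) > 1 else ""


def unescape_value(value: str) -> str:
    """Decode RFC 4514 escapes ("\\," -> ",", "\\2C" -> ","). For display only, never for binding."""
    buf = bytearray()
    i, n = 0, len(value)
    while i < n:
        if value[i] == "\\":
            pair = value[i + 1:i + 3]
            if HEX_PAIR.fullmatch(pair):
                buf.append(int(pair, 16))  # hex pairs are UTF-8 bytes
                i += 3
            elif i + 1 < n:
                buf += value[i + 1].encode("utf-8")
                i += 2
            else:
                raise ValueError("dangling backslash in attribute value")
        else:
            buf += value[i].encode("utf-8")
            i += 1
    return buf.decode("utf-8")


def display_parent_dn(dn: str) -> str:
    """Human-readable OU path: like parent_dn() but with all escapes decoded."""
    return ",".join(unescape_value(r) for r in split_rdns(dn)[1:])


def naive_parent_dn(dn: str) -> str:
    """The behaviour of the original split/join block: breaks on an escaped comma in the CN."""
    return ",".join(dn.split(",")[1:])


if __name__ == "__main__":
    print("naive :", repr(naive_parent_dn(THREAD_DN)))   # leading ' firstname,' survives
    print("parsed:", parent_dn(THREAD_DN))
    print("shown :", display_parent_dn("CN=Jane Doe,OU=Sales\\, EMEA,DC=domain,DC=com"))
```

Note that display_parent_dn() throws away information: "OU=Sales\, EMEA" and two separate OUs "OU=Sales" and "OU= EMEA" render identically, which is the ambiguity behind the moderator's remark that the escaping is perhaps better left in place.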