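'*
'* Double Hop Check
'*
'* syntax:
'*    cscript dhcheck.vbs account1 [account2 [account [...]]]
'*
'* note: if the account is a computer account add the $ after the name.
'*
'* For every account named on the command line the script prints the
'* userAccountControl delegation bits, any constrained-delegation targets
'* (msDS-AllowedToDelegateTo), the registered servicePrincipalName values,
'* and whether any of those SPNs is also registered on another object in
'* the current domain (duplicate SPNs break Kerberos and hence the second
'* hop).
'*

' userAccountControl bit flags (values as used by the checks below)
CONST NORMAL_ACCOUNT                  = 512       '(hex) 0x0200    (dec) 512
CONST WORKSTATION_TRUST_ACCOUNT       = 4096      '(hex) 0x1000    (dec) 4096
CONST SERVER_TRUST_ACCOUNT            = 8192      '(hex) 0x2000    (dec) 8192
CONST TRUSTED_FOR_DELEGATION          = 524288    '(hex) 0x80000   (dec) 524288
CONST NOT_DELEGATED                   = 1048576   '(hex) 0x100000  (dec) 1048576
CONST TRUSTED_TO_AUTH_FOR_DELEGATION  = 16777216  '(hex) 0x1000000 (dec) 16777216

'* Escape a value for use inside an LDAP search filter.
'* The account names come straight from the command line and SPN values come
'* from the directory; both are concatenated into filters, so the filter
'* metacharacters \ * ( ) and NUL must be encoded (\XX form) to keep the
'* filter meaning "equals this literal value".
Function EscapeLdapFilterValue(strValue)
    Dim strOut, i, ch
    strOut = ""
    For i = 1 To Len(strValue)
        ch = Mid(strValue, i, 1)
        Select Case ch
            Case "\"
                strOut = strOut & "\5c"
            Case "*"
                strOut = strOut & "\2a"
            Case "("
                strOut = strOut & "\28"
            Case ")"
                strOut = strOut & "\29"
            Case Chr(0)
                strOut = strOut & "\00"
            Case Else
                strOut = strOut & ch
        End Select
    Next
    EscapeLdapFilterValue = strOut
End Function

'* IADs.Get returns a plain value for a single-valued result and an array for
'* a multi-valued one; normalize so LBound/UBound always work.
Function ToArray(vValue)
    If IsArray(vValue) Then
        ToArray = vValue
    Else
        ToArray = Array(vValue)
    End If
End Function

'* Check for arguments (script must run under cscript so WScript.Echo goes to the console)
If WScript.Arguments.Count < 1 Or InStr(1, WScript.FullName, "cscript.exe", vbTextCompare) = 0 Then
    ' vbCrLf is the built-in constant; the original "vb_crlf" was an undefined name
    ' that silently expanded to an empty string.
    WScript.Echo "Usage:" & vbCrLf & _
                 "cscript dhcheck.vbs account1 [account2 [account3 [...]]]" & vbCrLf & _
                 vbCrLf & _
                 "Note: for computer accounts put a $ on the end."
    ' Non-zero exit so callers can tell a usage error from a completed run
    WScript.Quit 1
End If

'* Get the default naming context
Set RootDSE = GetObject("LDAP://rootDSE")
strDomainDN = RootDSE.Get("defaultNamingContext")
WScript.Echo "Context: " & strDomainDN
strConnectedHost = RootDSE.Get("dnsHostName")
WScript.Echo "Connected to: " & strConnectedHost
WScript.Echo
Set RootDSE = Nothing

' All searches are scoped to the domain naming context retrieved above
' (so duplicate-SPN detection only covers this domain, not the whole forest).
strSearchBase = "<LDAP://" & strDomainDN & ">"

'* Get Account Information
Set objConnect = CreateObject("ADODB.Connection")
objConnect.Provider = "ADsDSOObject"
objConnect.Open "Active Directory Provider"
Set objCommand = CreateObject("ADODB.Command")
Set objCommand.ActiveConnection = objConnect

For curarg = 0 To WScript.Arguments.Count - 1
    If curarg > 0 Then WScript.Echo vbCrLf & "<" & String(35, "=") & ">" & vbCrLf

    strAcctName = WScript.Arguments(curarg)
    strEscName  = EscapeLdapFilterValue(strAcctName)

    objCommand.CommandText = strSearchBase & ";(samAccountName=" & strEscName & ");AdsPath, cn; subTree"
    Set objRS = objCommand.Execute

    ' If no records returned try for a computer account
    If objRS.EOF Then
        objCommand.CommandText = strSearchBase & ";(samAccountName=" & strEscName & "$);AdsPath, cn; subTree"
        Set objRS = objCommand.Execute
    End If

    If objRS.EOF Then
        WScript.Echo "WARNING: no accounts found with samAccountName of '" & strAcctName & "' or '" & strAcctName & "$'"
    End If
    If objRS.RecordCount > 1 Then
        WScript.Echo "WARNING: multiple accounts have samAccountName of '" & strAcctName & "' or '" & strAcctName & "$'"
    End If

    While Not objRS.EOF
        Set oAcct = GetObject(objRS.Fields("AdsPath").Value)
        oAcct.GetInfo
        WScript.Echo "Distinguished name..............: " & oAcct.distinguishedName

        UAC = oAcct.userAccountControl
        ' Reset per account so a previous account's type cannot carry over
        ' when none of the type bits is set.
        strAcctType = "Unknown"
        If (UAC And NORMAL_ACCOUNT) Then strAcctType = "User"
        If (UAC And WORKSTATION_TRUST_ACCOUNT) Then strAcctType = "Computer"
        If (UAC And SERVER_TRUST_ACCOUNT) Then strAcctType = "Domain Controller"
        WScript.Echo "Account type....................: " & strAcctType
        WScript.Echo "User Account control............: " & UAC & "(DEC) " & Hex(UAC) & "(HEX)"
        WScript.Echo "Account Trusted for delegation..: " & ((UAC And TRUSTED_FOR_DELEGATION) > 0)
        WScript.Echo "Account sensitive for delegation: " & ((UAC And NOT_DELEGATED) > 0)
        ' Protocol transition (TrustedToAuthForDelegation) lets the account obtain
        ' tickets for users without their credentials; report it alongside the
        ' other delegation bits rather than leaving it commented out.
        WScript.Echo "Account Trusted for Auth. del...: " & ((UAC And TRUSTED_TO_AUTH_FOR_DELEGATION) > 0)

        ' Check for constrained delegation.  Get raises when the attribute is
        ' absent, so the error number is captured and error handling restored
        ' immediately afterwards.
        vConstrainedDel = Empty
        On Error Resume Next
        vConstrainedDel = oAcct.Get("msDS-AllowedToDelegateTo")
        savederr = Err.Number
        On Error GoTo 0
        If savederr = 0 Then
            WScript.Echo "Constrained delegation is enabled for:"
            ' A single target comes back as a string, not an array; the original
            ' code hid the resulting LBound error and printed nothing for it.
            arrConstrainedDel = ToArray(vConstrainedDel)
            For x = LBound(arrConstrainedDel) To UBound(arrConstrainedDel)
                WScript.Echo Space(5) & arrConstrainedDel(x)
            Next
        End If

        ' Get service principal names (SPN)
        WScript.Echo "Registered Service Principal Names:"
        vSPN = Empty
        On Error Resume Next
        vSPN = oAcct.Get("servicePrincipalName")
        savederr = Err.Number
        On Error GoTo 0
        If savederr = 0 Then
            arrSPN = ToArray(vSPN)
            For x = LBound(arrSPN) To UBound(arrSPN)
                WScript.Echo Space(5) & arrSPN(x)
            Next

            ' Check for duplicate SPNs: any other object in this domain holding
            ' the same SPN.
            WScript.Echo "Checking for Duplicate SPNs..."
            bDupFound = False
            For x = LBound(arrSPN) To UBound(arrSPN)
                objCommand.CommandText = strSearchBase & ";(servicePrincipalName=" & EscapeLdapFilterValue(arrSPN(x)) & "); AdsPath, cn; subTree"
                Set objRSSPN = objCommand.Execute
                If objRSSPN.RecordCount > 1 Then
                    bDupFound = True
                    WScript.Echo "Duplicate SPN found: " & arrSPN(x)
                    While Not objRSSPN.EOF
                        Set objDupAcct = GetObject(objRSSPN.Fields("AdsPath").Value)
                        objDupAcct.GetInfo
                        WScript.Echo Space(5) & objDupAcct.sAMAccountName & "," & objDupAcct.distinguishedName
                        Set objDupAcct = Nothing
                        objRSSPN.MoveNext
                    Wend
                End If
                Set objRSSPN = Nothing
            Next
            If Not bDupFound Then WScript.Echo "No Duplicate SPNs found."
        End If

        Set oAcct = Nothing
        objRS.MoveNext
    Wend

    Set objRS = Nothing
Next

' Release the directory connection explicitly rather than relying on script exit
objConnect.Close
Set objCommand = Nothing
Set objConnect = Nothing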