Previous Page
Next Page

Working with ADSI

In this section, you use ADSI and Microsoft Visual Basic, Scripting Edition (VBScript) to perform basic network administration tasks. The following list summarizes some high-level uses of ADSI and VBScript:

  • Importing a list of names and creating user accounts

  • Importing a list and changing user passwords

  • Importing a list and creating an entire organizational unit structure following an upgrade to Microsoft Windows Server 2003

  • Reading the Microsoft Exchange 5.x directory and setting the display name in Active Directory with the value from Exchange 5.x

  • Reading the Exchange 5.x directory for a default personalized Simple Mail Transfer Protocol (SMTP) address and setting it in Active Directory

  • Reading the computer name or Internet Protocol (IP) address and mapping local printers to users

  • Creating personalized shortcuts for users at logon time based on group memberships

  • Mapping drives based on OU membership

Just the Steps

To connect to Active Directory

1.
Implement a connection to Active Directory.

2.
Use the appropriate provider.

3.
Specify the path to the appropriate object in Active Directory.

4.
Use SetInfo to write changes to Active Directory.


In a basic fashion, the following script, CreateOU.vbs, uses each of the four steps in the preceding Just the Steps feature. CreateOU.vbs uses variables for each of the four main steps to maintain portability.

Note

When running the CreateOU.vbs script to create an OU, ensure you have access to a Windows Server 2003 running Active Directory, and make sure you change the name of the strDomain, strOU, and strOUname variables to reflect your actual configuration.


CreateOU.vbs

Option Explicit
On Error Resume Next
Dim strProvider 'defines how will talk to Active Directory
Dim strOU 'path to where new object will be created
Dim strDomain 'name of Domain connecting to
Dim strClass 'the class of object we are creating
Dim strOUname 'name of object are creating
Dim objDomain 'holds connection to adsi
Dim objOU 'holds handle to create method

strProvider = "LDAP://"
strOU = "" 'When supplying a value here, a trailing comma is required.
strDomain = "dc=nwtraders,dc=msft"
strClass = "organizationalunit"
strOUname = "OU=mred"

Set objDomain = GetObject(strProvider & strOU & strDomain)
WScript.Echo strProvider & strOU & strDomain 'debug
Set objOU = objDomain.create(strClass, strOUname)
WScript.Echo strClass & "," & strOUname 'debug
objOU.SetInfo
If Err.number = 0 Then
WScript.Echo(strOUname & " was created")
Else If Err.number = "-2147019886" Then
WScript.Echo strOUname & " already exists"
Else
WScript.Echo " error on the play " & Err.Number
End If
End If

Reference Information

The Reference information section of the script configures the connection to Active Directory and specifies the path and target of the operation. The first decision to make is which provider to use. Let's talk about ADSI providers prior to looking at the remainder of the Reference information section.

ADSI Providers

Table 11-1 lists four providers available to users of ADSI. Connecting to a Microsoft Windows NT 4 system requires using the special WinNT provider. During Active Directory migrations, consultants often write a script that copies users from a Windows NT 4 domain to a Microsoft Windows Server 2003 Active Directory OU or domain. In some situations (such as with customized naming schemes), writing a script is easier than using the Active Directory Migration Tool (ADMT).

Table 11-1. ADSI Supported Providers

Provider

Purpose

WinNT:

To communicate with Windows NT 4.0 Primary Domain Controllers (PDCs) and Backup Domain Controllers (BDCs), and with local account databases for Windows 2000 and newer workstations

LDAP:

To communicate with Lightweight Directory Access Protocol (LDAP) servers, including Exchange 5.x directory and Windows 2000 Active Directory

NDS:

To communicate with Novell Directory Services servers

NWCOMPAT:

To communicate with Novell NetWare servers


The first time I tried using ADSI to connect to a machine running Windows NT, I had a very frustrating experience because of the way the provider was implemented. Type the WinNT provider name exactly as shown in Table 11-1. It cannot be typed using all lowercase letters or all uppercase letters. All other provider names must be all uppercase letters, but the WinNT name is Pascal-cased, that is, it is partially uppercase and partially lowercase. Remembering this will save a lot of grief later. In addition, if you don't type this in the correct case, you don't get an error message telling you that your provider name is "spelled wrong"rather, the bind operation simply fails to connect.

Warning

The ADSI provider names are case-sensitive. LDAP, NWCOMPAT, and NDS are all caps. WinNT is Pascal-cased and must not be typed in all caps. Keep this in mind to save time in troubleshooting.


Once the ADSI provider is specified, you need to identify the path to the directory target. This is where a little knowledge of Active Directory comes in handy because of the way the hierarchical naming space is structured. When connecting to an LDAP service provider, you must specify where in the LDAP directory hierarchy to make the connection, because the hierarchy is a structure of the directory itself and not the protocol or the provider. For instance, in the CreateOU.vbs script, you create an OU that resides off the root of the domain, which is called the MrEd OU. This can get confusing, until you realize that the MrEd OU is contained in a domain that is called nwtraders.msft. It is vital, therefore, that you understand the hierarchy with which you are working. One tool you can use to make sure you understand the hierarchy of your domain is ADSI Edit.

Note

Perhaps the hardest part of using ADSI is finding out what things are called in the directory. This is because the names defined in the Active Directory schema often bear no relationship to the display names you see in tools such as Active Directory Users And Computers. To see an example of this, refer to Appendix B, "ADSI Documentation."


ADSI Edit is included in the support tools on the Windows Server 2003 disk. It is in the support\tools directory and is installed by clicking Suptools.msi. Installation requires Help and other programs to be closed. The installation takes only a couple of minutes and does not require a reboot. After the support tools are installed, you open a blank Microsoft Management Console (MMC) and add the ADSI Edit snap-in. After you install the snap-in, right-click the ADSI Edit icon, select Connect To, and specify your domain using the drop-down box, as illustrated in Figure 11-1.

Figure 11-1. Explore the hierarchy of a forest to ensure correct path information for your script


LDAP Names

When specifying the OU and the domain name, you have to use the LDAP naming convention, in which the namespace is described as a series of naming parts called relative distinguished names (RDNs). The relative distinguished name will always be a name part that assigns a value by using the equal sign. When you put together all the relative distinguished names, and the RDNs of each of the ancestors all the way back to the root, you end up with a single globally unique distinguished name.

The relative distinguished names are usually made up of an attribute, an equal sign, and a string value. Table 11-2 lists some of the attribute types you will see when working with Active Directory.

Table 11-2. Common Relative Distinguished Name Attribute Types

Attribute

Description

DC

Domain Component

CN

Common Name

OU

Organizational Unit

O

Organization Name

Street

Street Address

C

Country Name

UID

User ID


Worker Information

The Worker information section of the script includes two lines of code: The first line performs the binding (we talk about binding later in this section), and the second creates the OU. To perform these tasks, you need to build the distinguished name, which entails creating the OU after connecting to the appropriate level in the Active Directory hierarchy.

In the CreateOU.vbs script, the distinguished name is a concatenation of two separate variables. The variables and their associated values are listed here:

strOU = ""
strDomain = "dc=nwtraders,dc=msft"

You can verify that you are connecting to the correct OU by using ADSI Edit. To do this, right-click the target OU, select Properties, and choose Distinguished Name from the list of available properties. A dialog box like the one shown in Figure 11-2 appears.

Figure 11-2. Use the String Attribute Editor in ADSI Edit to quickly verify the distinguished name of a potential target for ADSI scripting


The next line in the Reference information section specifies the object class with which you are working. When you get to the Worker section and you use the Create method, you will need to specify what type of object you are creating. In CreateOU.vbs, you use code that looks like the following line:

strClass = "organizationalUnit"

IADsContainer

In your script, you are actually using the Create method of a well-known interface called IADsContainer. It is used to enable an ADSI container object to create, delete, or otherwise manage ADSI objects. All container objects in Active Directory implement IADsContainer. IADsContainer supports five methods, listed in Table 11-3, that can be used on any ADSI container object in Active Directory. Each of these methods is used in scripts later in this book.

Table 11-3. IADsContainer Methods

Method

Meaning

GetObject

Binds the directory item with the specified ADsPath to a named variable.

Create

Creates a new object of a specified class in the current container.

Delete

Removes an object of the specified class from the current container.

CopyHere

Creates a copy of the object with a specified ADsPath in the current container. Be aware that the object must be in the same directory namespace. For example, you cannot copy an object from an LDAP: namespace to a WinNT: namespace.

MoveHere

Moves the object with a specified ADsPath from its original location to the current container. The same namespace restrictions that apply to the CopyHere method also apply to the MoveHere method.


In the CreateOU.vbs script, you implement the IADsContainer Create method to create the OU. Two variables do this. The first variable is called oOU, which holds the class of the object you want to create. This time, oOU is set to equal OU. The second variable used is called oOUname. It looks like it could hold the name of the OU because it does. The variable objOU holds the connection to the Create method once you implement the connection using the Set command, as shown in this line of code:

Set objOU = objDomain.create(strClass, strOUname)

Binding

Whenever you want to do anything with ADSI, you must connect to an object in Active Directory, a process also known as binding. Think of binding as being like tying a rope around an object to enable you to work with it. (In Texas, they'd call it lassoing.) Before you can do any work with an object in Active Directory, you must supply binding information. The binding string enables you to use various ADSI elements, including methods and properties. The target of the proposed action is specified as a computer, a domain controller, a user, or another element that resides within the directory structure. A binding string consists of five parts. These parts are illustrated in the following binding string from a sample script:

Keyword

Variable

Command

Provider

ADsPath

Set

objDomain

GetObject

LDAP://

OU=hr, dc=a, dc=com


Note

Avoid a mistake I made early on: Make sure that when you finish connecting and creating, you actually commit your changes to Active Directory. Changes to Active Directory are transactional in nature, so your change will roll back if you don't commit it. Committing the change requires you to use the SetInfo method, as illustrated in the following line from the CreateOU.vbs script: objOU.SetInfo.



Previous Page
Next Page