Working with ADSIIn this section, you use ADSI and Microsoft Visual Basic, Scripting Edition (VBScript) to perform basic network administration tasks. The following list summarizes some high-level uses of ADSI and VBScript:
Just the Steps In a basic fashion, the following script, CreateOU.vbs, uses each of the four steps in the preceding Just the Steps feature. CreateOU.vbs uses variables for each of the four main steps to maintain portability. Note
CreateOU.vbs Option Explicit On Error Resume Next Dim strProvider 'defines how will talk to Active Directory Dim strOU 'path to where new object will be created Dim strDomain 'name of Domain connecting to Dim strClass 'the class of object we are creating Dim strOUname 'name of object are creating Dim objDomain 'holds connection to adsi Dim objOU 'holds handle to create method strProvider = "LDAP://" strOU = "" 'When supplying a value here, a trailing comma is required. strDomain = "dc=nwtraders,dc=msft" strClass = "organizationalunit" strOUname = "OU=mred" Set objDomain = GetObject(strProvider & strOU & strDomain) WScript.Echo strProvider & strOU & strDomain 'debug Set objOU = objDomain.create(strClass, strOUname) WScript.Echo strClass & "," & strOUname 'debug objOU.SetInfo If Err.number = 0 Then WScript.Echo(strOUname & " was created") Else If Err.number = "-2147019886" Then WScript.Echo strOUname & " already exists" Else WScript.Echo " error on the play " & Err.Number End If End If Reference InformationThe Reference information section of the script configures the connection to Active Directory and specifies the path and target of the operation. The first decision to make is which provider to use. Let's talk about ADSI providers prior to looking at the remainder of the Reference information section. ADSI ProvidersTable 11-1 lists four providers available to users of ADSI. Connecting to a Microsoft Windows NT 4 system requires using the special WinNT provider. During Active Directory migrations, consultants often write a script that copies users from a Windows NT 4 domain to a Microsoft Windows Server 2003 Active Directory OU or domain. In some situations (such as with customized naming schemes), writing a script is easier than using the Active Directory Migration Tool (ADMT).
The first time I tried using ADSI to connect to a machine running Windows NT, I had a very frustrating experience because of the way the provider was implemented. Type the WinNT provider name exactly as shown in Table 11-1. It cannot be typed using all lowercase letters or all uppercase letters. All other provider names must be all uppercase letters, but the WinNT name is Pascal-cased, that is, it is partially uppercase and partially lowercase. Remembering this will save a lot of grief later. In addition, if you don't type this in the correct case, you don't get an error message telling you that your provider name is "spelled wrong"rather, the bind operation simply fails to connect. Warning
Once the ADSI provider is specified, you need to identify the path to the directory target. This is where a little knowledge of Active Directory comes in handy because of the way the hierarchical naming space is structured. When connecting to an LDAP service provider, you must specify where in the LDAP directory hierarchy to make the connection, because the hierarchy is a structure of the directory itself and not the protocol or the provider. For instance, in the CreateOU.vbs script, you create an OU that resides off the root of the domain, which is called the MrEd OU. This can get confusing, until you realize that the MrEd OU is contained in a domain that is called nwtraders.msft. It is vital, therefore, that you understand the hierarchy with which you are working. One tool you can use to make sure you understand the hierarchy of your domain is ADSI Edit. Note
ADSI Edit is included in the support tools on the Windows Server 2003 disk. It is in the support\tools directory and is installed by clicking Suptools.msi. Installation requires Help and other programs to be closed. The installation takes only a couple of minutes and does not require a reboot. After the support tools are installed, you open a blank Microsoft Management Console (MMC) and add the ADSI Edit snap-in. After you install the snap-in, right-click the ADSI Edit icon, select Connect To, and specify your domain using the drop-down box, as illustrated in Figure 11-1. Figure 11-1. Explore the hierarchy of a forest to ensure correct path information for your script![]() LDAP NamesWhen specifying the OU and the domain name, you have to use the LDAP naming convention, in which the namespace is described as a series of naming parts called relative distinguished names (RDNs). The relative distinguished name will always be a name part that assigns a value by using the equal sign. When you put together all the relative distinguished names, and the RDNs of each of the ancestors all the way back to the root, you end up with a single globally unique distinguished name. The relative distinguished names are usually made up of an attribute, an equal sign, and a string value. Table 11-2 lists some of the attribute types you will see when working with Active Directory.
Worker InformationThe Worker information section of the script includes two lines of code: The first line performs the binding (we talk about binding later in this section), and the second creates the OU. To perform these tasks, you need to build the distinguished name, which entails creating the OU after connecting to the appropriate level in the Active Directory hierarchy. In the CreateOU.vbs script, the distinguished name is a concatenation of two separate variables. The variables and their associated values are listed here: strOU = "" strDomain = "dc=nwtraders,dc=msft" You can verify that you are connecting to the correct OU by using ADSI Edit. To do this, right-click the target OU, select Properties, and choose Distinguished Name from the list of available properties. A dialog box like the one shown in Figure 11-2 appears. Figure 11-2. Use the String Attribute Editor in ADSI Edit to quickly verify the distinguished name of a potential target for ADSI scripting
The next line in the Reference information section specifies the object class with which you are working. When you get to the Worker section and you use the Create method, you will need to specify what type of object you are creating. In CreateOU.vbs, you use code that looks like the following line: strClass = "organizationalUnit" IADsContainerIn your script, you are actually using the Create method of a well-known interface called IADsContainer. It is used to enable an ADSI container object to create, delete, or otherwise manage ADSI objects. All container objects in Active Directory implement IADsContainer. IADsContainer supports five methods, listed in Table 11-3, that can be used on any ADSI container object in Active Directory. Each of these methods is used in scripts later in this book.
In the CreateOU.vbs script, you implement the IADsContainer Create method to create the OU. Two variables do this. The first variable is called oOU, which holds the class of the object you want to create. This time, oOU is set to equal OU. The second variable used is called oOUname. It looks like it could hold the name of the OU because it does. The variable objOU holds the connection to the Create method once you implement the connection using the Set command, as shown in this line of code: Set objOU = objDomain.create(strClass, strOUname) BindingWhenever you want to do anything with ADSI, you must connect to an object in Active Directory, a process also known as binding. Think of binding as being like tying a rope around an object to enable you to work with it. (In Texas, they'd call it lassoing.) Before you can do any work with an object in Active Directory, you must supply binding information. The binding string enables you to use various ADSI elements, including methods and properties. The target of the proposed action is specified as a computer, a domain controller, a user, or another element that resides within the directory structure. A binding string consists of five parts. These parts are illustrated in the following binding string from a sample script:
Note
|