Creating Users
One trick you can do using ADSI is create users. Although using the graphical user interface (GUI) to create a single user is easy, using the GUI to create a dozen or more users would certainly not be. In addition, as you'll see, because there is a lot of similarity among ADSI scripts, deleting a dozen or more users is just as simple as creating them. And because you can use the same input text file for all the scripts, ADSI makes creating temporary accounts for use in a lab or school easy.
Just the Steps: To create users
1. Use the appropriate provider for your network.
2. Connect to the container for your users.
3. Specify the domain.
4. Specify the User class of the object.
5. Bind to Active Directory.
6. Use the Create method to create the user.
7. Use the Put method to at least specify the sAMAccountName property.
8. Use SetInfo to commit the user to Active Directory.
The CreateUser.vbs script, which follows, is very similar to the CreateOU.vbs script. In fact, CreateUser.vbs was created from CreateOU.vbs, so a detailed analysis of the script is unnecessary. The differences are that strClass is set to the "User" class instead of to "organizationalUnit", and that the script calls Put to supply a sAMAccountName before SetInfo, so that the new account has a logon name you chose rather than one Active Directory generates.
CreateUser.vbs
Option Explicit
On Error Resume Next
Dim strProvider 'defines how we talk to Active Directory
Dim strOU 'path to where the new object will be created
Dim strDomain 'name of the domain we are connecting to
Dim strClass 'the class of object we are creating
Dim strOUname 'name of the object we are creating
Dim objDomain 'holds the connection to ADSI
Dim objOU 'holds the object returned by the Create method
strProvider = "LDAP://"
strOU = "OU=mred," 'when targeting an OU, the trailing comma is required
strDomain = "dc=nwtraders,dc=msft"
strClass = "User"
strOUname = "CN=MyNewUser"
Set objDomain = GetObject(strProvider & strOU & strDomain)
WScript.Echo strProvider & strOU & strDomain 'debug
Set objOU = objDomain.Create(strClass, strOUname)
WScript.Echo strClass & "," & strOUname 'debug
objOU.Put "sAMAccountName", funfix(strOUname)
objOU.SetInfo
If Err.Number = 0 Then
WScript.Echo strOUname & " was created"
ElseIf Err.Number = -2147019886 Then '0x80071392, ERROR_OBJECT_ALREADY_EXISTS; compare as a number, not a string
WScript.Echo strOUname & " already exists"
Else
WScript.Echo "error on the play " & Err.Number
End If
Function funfix(strin)
funfix = Mid(strin, 4) 'removes the leading cn= from the name
End Function
Reference Information
The Reference Information section is where you assign values to the variables declared in the Header section of a script of this type. The provider in this case is LDAP://. Remember that the provider name is case-sensitive: all caps is a requirement for the LDAP provider. You next specify the OU you'll use in the ADsPath portion of the binding string. You are targeting an OU called mred (which will exist if you ran the CreateOU.vbs script from the earlier section). The domain name is made up of two domain components, or DCs, separated by commas. The domain name is nwtraders.msft, so the first component is dc=nwtraders and the second is dc=msft.
You must specify the user class when creating user accounts. When creating a user account, the user name is specified by a "cn=" prefix. In Table 11-2, you learned that cn actually stands for common name. For users, you must specify the common name property of the user object.
The user will at least need a sAMAccountName to be able to log on to the network. The sAMAccountName can be the same as the common name property, and in many cases it is. You are taking the defaults for everything else, which means the account is created disabled and with no password; to enable it you would set a password first and then clear the disable flag in userAccountControl. In the Step-by-Step exercises, you'll create a user and assign values to more attributes, but for illustrative purposes, this suffices.
Worker Information
In the Worker Information section of the script, the script starts to depart from the other scripts you have looked at thus far. This section contains six lines of code, two of them debug echoes, which follow:
Set objDomain = GetObject(strProvider & strOU & strDomain)
WScript.Echo strProvider & strOU & strDomain 'debug
Set objOU = objDomain.Create(strClass, strOUname)
WScript.Echo strClass & "," & strOUname 'debug
objOU.Put "sAMAccountName", funfix(strOUname)
objOU.SetInfo
The binding to ADSI is exactly the same as in the previous script; you even use the same variable name. In the next line, however, when you call the Create method, the variables hold different values because you are creating a User instead of an OU: strClass is equal to "User" and strOUname is equal to "CN=MyNewUser". You then use the Put method to specify the sAMAccountName property; funfix trims the leading "CN=" from strOUname so that the logon name becomes MyNewUser. Once all that work is done, you call SetInfo to write the data to Active Directory. Nothing reaches the directory until SetInfo runs; Create and Put only change ADSI's local property cache.
Output Information
After creating the user, it would be nice to have some type of feedback. You use the same methodology as in the previous script, evaluating the error object and printing the appropriate message. Error -2147019886 is 0x80071392, ERROR_OBJECT_ALREADY_EXISTS, which SetInfo raises when the container already holds an object with that CN; compare it as a number, because in VBScript a numeric value never compares equal to a string. This is seen below:
If Err.Number = 0 Then
WScript.Echo strOUname & " was created"
ElseIf Err.Number = -2147019886 Then '0x80071392, ERROR_OBJECT_ALREADY_EXISTS
WScript.Echo strOUname & " already exists"
Else
WScript.Echo "error on the play " & Err.Number
End If
Q. To create a user, which class must be specified?
A. You need to specify the User class to create a user.
Q. What is the Put method used for?
A. The Put method is used to write additional property data to the object that it is bound to.
Creating groups
1. Open the \My Documents\Microsoft Press\VBScriptSBS\ch11\CreateUser.vbs script in Microsoft Notepad or some other script editor and save it as YourNameCreateGroup.vbs.
2. In the Header section of the script, declare a variable called intGroupType. This variable will be used to control the type of group to create. This is seen below.
Dim intGroupType 'controls the type of group to create
3. In the Reference section of the script, change the value of strClass from "User" to "Group". This variable controls the type of object that gets created in Active Directory. This is seen below.
strClass = "Group"
4. In the Reference section of the script, change the value of strOUname from "CN=MyNewUser" to "CN=MyNewGroup". The value of this variable is used to set several attributes on the new object. The code to do this is seen below.
strOUname = "CN=MyNewGroup"
5. Under the strOUname line in the Reference section of the script, add a new line to assign a value to intGroupType. Use the number -2147483646 (0x80000002) to create a global security group; the value 2 on its own would create a global distribution group, which cannot be used in permissions. The Worker section then writes this variable to the groupType attribute with Put, next to the sAMAccountName Put, before SetInfo.
intGroupType = -2147483646 'global security group; 2 alone = global distribution group
6. Save and run the script. It should create a new group in your OU. If it does not, then compare the script to the \My Documents\Microsoft Press\VBScriptSBS\ch11\CreateGroup.vbs script.
Creating a computer account
1. Open the \My Documents\Microsoft Press\VBScriptSBS\ch11\CreateUser.vbs script in Notepad or another script editor and save it as YourNameCreateComputer.vbs.
2. Delete the value assigned to the strOU variable, "OU=mred," but keep the empty double quotation marks, as seen below:
strOU = ""
3. Modify the value of strDomain to include the OU where the computer account will be created. To do this, prefix dc=nwtraders,dc=msft with OU=mred. This is seen below:
strDomain = "OU=mred,dc=nwtraders,dc=msft"
4. Change the class assigned to the strClass variable from "User" to "Computer", as seen below:
strClass = "Computer"
5. Change the name supplied to the strOUname variable to the name of the computer account. Prefix it with "CN=". I used "CN=MyMredComputer", as seen below:
strOUname = "CN=MyMredComputer"
6. After you call SetInfo to write the account to Active Directory, you will need to enable the account. To do this, put a specific value in the userAccountControl attribute: 4128 (0x1020), which is ADS_UF_WORKSTATION_TRUST_ACCOUNT (0x1000) plus ADS_UF_PASSWD_NOTREQD (0x20). Once again, call SetInfo to write it to Active Directory. This is seen below:
objOU.Put "userAccountControl", 4128 'enables the computer account
objOU.SetInfo
7. Save and run the script. If an enabled computer account is not created in the target OU, check your script against \My Documents\Microsoft Press\VBScriptSBS\ch11\CreateComputer.vbs.
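The three Step-by-Step procedures above (users, groups and computer accounts) all follow the same Create, Put, SetInfo pattern, and the chapter opener points out that one input text file can feed all of them. The script below is an added example, not the book's CreateUser.vbs, CreateGroup.vbs or CreateComputer.vbs: it reads a constructed file NewObjects.txt (assumed to sit beside the script, in the format shown in the comments), binds once to the chapter's OU=mred,dc=nwtraders,dc=msft (assumed to exist) and dispatches on the first field of each line. Unlike the chapter scripts it sets a password before it enables a user, keeps the userAccountControl and groupType values as named constants instead of bare numbers, and checks error numbers numerically.

```vbscript
Option Explicit
' Added example, not from the book: bulk-creates users, groups and computer
' accounts from a text file, one object per line:
'   user,<name>,<initial password>
'   group,<name>
'   computer,<name>
' Lines starting with # are ignored. Assumptions: the chapter's OU
' "OU=mred,dc=nwtraders,dc=msft" exists, NewObjects.txt (constructed input)
' sits beside the script, and the script runs as an account allowed to
' create objects in that OU.

Const ForReading = 1
Const ADS_UF_PASSWD_NOTREQD = &H20
Const ADS_UF_NORMAL_ACCOUNT = &H200
Const ADS_UF_WORKSTATION_TRUST_ACCOUNT = &H1000
Const ADS_GROUP_TYPE_GLOBAL_GROUP = &H2
Const ADS_GROUP_TYPE_SECURITY_ENABLED = &H80000000
Const ERROR_OBJECT_ALREADY_EXISTS = -2147019886   '0x80071392

Dim objOU, objFSO, objFile, strLine, arrFields
Set objOU = GetObject("LDAP://OU=mred,dc=nwtraders,dc=msft")
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFile = objFSO.OpenTextFile("NewObjects.txt", ForReading)

Do Until objFile.AtEndOfStream
    strLine = Trim(objFile.ReadLine)
    If Len(strLine) > 0 And Left(strLine, 1) <> "#" Then
        arrFields = Split(strLine, ",")
        Select Case LCase(Field(arrFields, 0))
            Case "user"
                CreateUser objOU, Field(arrFields, 1), Field(arrFields, 2)
            Case "group"
                CreateGroup objOU, Field(arrFields, 1)
            Case "computer"
                CreateComputer objOU, Field(arrFields, 1)
            Case Else
                WScript.Echo "skipped (unknown type): " & strLine
        End Select
    End If
Loop
objFile.Close

Function Field(arr, i)
    'returns element i trimmed, or "" when the line has fewer fields
    If i <= UBound(arr) Then Field = Trim(arr(i)) Else Field = ""
End Function

Sub CreateUser(objContainer, strName, strPassword)
    Dim objUser, lngErr
    On Error Resume Next
    Set objUser = objContainer.Create("user", "CN=" & strName)
    objUser.Put "sAMAccountName", strName
    objUser.SetInfo                      'the object must exist before a password can be set
    lngErr = Err.Number : Err.Clear
    If lngErr <> 0 Then
        Report "user", strName, lngErr
        Exit Sub
    End If
    objUser.SetPassword strPassword      'ADSI needs a Kerberos- or SSL-protected channel to the DC
    If Err.Number <> 0 Then
        Report "user", strName, Err.Number : Err.Clear
        Exit Sub                         'never enable an account whose password was not set
    End If
    objUser.Put "pwdLastSet", 0          'force a password change at first logon
    ' Enable only after the password is in place. 512 = ADS_UF_NORMAL_ACCOUNT with
    ' ADS_UF_ACCOUNTDISABLE and ADS_UF_PASSWD_NOTREQD both clear.
    objUser.Put "userAccountControl", ADS_UF_NORMAL_ACCOUNT
    objUser.SetInfo
    Report "user", strName, Err.Number
    Err.Clear
End Sub

Sub CreateGroup(objContainer, strName)
    Dim objGroup
    On Error Resume Next
    Set objGroup = objContainer.Create("group", "CN=" & strName)
    objGroup.Put "sAMAccountName", strName
    ' &H80000002 (-2147483646) = global security group. Without the
    ' SECURITY_ENABLED bit (plain 2) you get a global distribution group,
    ' which cannot appear in an ACL.
    objGroup.Put "groupType", ADS_GROUP_TYPE_GLOBAL_GROUP Or ADS_GROUP_TYPE_SECURITY_ENABLED
    objGroup.SetInfo
    Report "group", strName, Err.Number
    Err.Clear
End Sub

Sub CreateComputer(objContainer, strName)
    Dim objComputer
    On Error Resume Next
    Set objComputer = objContainer.Create("computer", "CN=" & strName)
    objComputer.Put "sAMAccountName", UCase(strName) & "$"   'machine SAM names end in $
    ' 4128 = &H1020 = ADS_UF_WORKSTATION_TRUST_ACCOUNT + ADS_UF_PASSWD_NOTREQD, as in
    ' the chapter. The account has no password until a machine joins under that
    ' name, so stage these shortly before the join rather than in bulk long ahead.
    objComputer.Put "userAccountControl", ADS_UF_WORKSTATION_TRUST_ACCOUNT Or ADS_UF_PASSWD_NOTREQD
    objComputer.SetInfo
    Report "computer", strName, Err.Number
    Err.Clear
End Sub

Sub Report(strType, strName, lngErr)
    Select Case lngErr
        Case 0
            WScript.Echo strType & " " & strName & " created"
        Case ERROR_OBJECT_ALREADY_EXISTS
            WScript.Echo strType & " " & strName & " already exists"
        Case Else
            WScript.Echo strType & " " & strName & " failed with error 0x" & Hex(lngErr)
    End Select
End Sub
```

Run it with cscript so the echoes go to the console. The user path deliberately has two SetInfo calls: the first commits the object, the second enables it only once SetPassword has succeeded, so a failed password set (for example when ADSI cannot get a protected channel to a domain controller) leaves the account disabled instead of enabling a passwordless one.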
UserAccountControl is an attribute stored in Active Directory that is used to enable or disable a user account, computer account, or other security principal defined in Active Directory. It is not a single string attribute; rather, it is a set of flags computed from the values listed in the following table, Table 11-4. Because of the way the UserAccountControl attribute is built, simply examining the numerical value is of little help unless you can decipher the individual flags that make up the large number. These flags, when added together, control the behavior of the account on the system. In the script CreateComputer.vbs, we set two user account control flags: the ADS_UF_PASSWD_NOTREQD flag and the ADS_UF_WORKSTATION_TRUST_ACCOUNT flag. The password-not-required flag has a hex value of 0x20, and the workstation trust account flag has a hex value of 0x1000. Added together and converted to decimal, they equal 4,128, which is the value actually seen in ADSI Edit. The use of these user account control values is seen in Figure 11-3.
Table 11-4. User Account Control Values
ADS Constant | Value
---|---
ADS_UF_SCRIPT | 0x0001
ADS_UF_ACCOUNTDISABLE | 0x0002
ADS_UF_HOMEDIR_REQUIRED | 0x0008
ADS_UF_LOCKOUT | 0x0010
ADS_UF_PASSWD_NOTREQD | 0x0020
ADS_UF_PASSWD_CANT_CHANGE | 0x0040
ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED | 0x0080
ADS_UF_TEMP_DUPLICATE_ACCOUNT | 0x0100
ADS_UF_NORMAL_ACCOUNT | 0x0200
ADS_UF_INTERDOMAIN_TRUST_ACCOUNT | 0x0800
ADS_UF_WORKSTATION_TRUST_ACCOUNT | 0x1000
ADS_UF_SERVER_TRUST_ACCOUNT | 0x2000
ADS_UF_DONT_EXPIRE_PASSWD | 0x10000
ADS_UF_MNS_LOGON_ACCOUNT | 0x20000
ADS_UF_SMARTCARD_REQUIRED | 0x40000
ADS_UF_TRUSTED_FOR_DELEGATION | 0x80000
ADS_UF_NOT_DELEGATED | 0x100000
ADS_UF_USE_DES_KEY_ONLY | 0x200000
ADS_UF_DONT_REQUIRE_PREAUTH | 0x400000
ADS_UF_PASSWORD_EXPIRED | 0x800000
ADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION | 0x1000000
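Because the decimal value is of little help on its own, here is an added example, not from the book, that turns a userAccountControl number back into the Table 11-4 names and then walks the chapter's OU (OU=mred,dc=nwtraders,dc=msft, assumed to exist) flagging accounts that carry bits a security review should question: no password required, reversibly encrypted password, never-expiring password, unconstrained delegation, DES-only keys and no Kerberos pre-authentication. The sample values decoded at the bottom are 4128 from CreateComputer.vbs, 546 (assumed here as the usual value of a user created by CreateUser.vbs and never enabled) and 512 for an ordinary enabled user.

```vbscript
Option Explicit
' Added example, not from the book: decodes a userAccountControl value into the
' ADS_UF_* names of Table 11-4 and audits an OU for flags that weaken
' authentication. Assumes the chapter's OU "OU=mred,dc=nwtraders,dc=msft";
' change the path in the last line for another container.

Dim arrFlagNames, arrFlagValues, lngRiskyFlags
arrFlagNames = Array( _
    "ADS_UF_SCRIPT", "ADS_UF_ACCOUNTDISABLE", "ADS_UF_HOMEDIR_REQUIRED", _
    "ADS_UF_LOCKOUT", "ADS_UF_PASSWD_NOTREQD", "ADS_UF_PASSWD_CANT_CHANGE", _
    "ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED", "ADS_UF_TEMP_DUPLICATE_ACCOUNT", _
    "ADS_UF_NORMAL_ACCOUNT", "ADS_UF_INTERDOMAIN_TRUST_ACCOUNT", _
    "ADS_UF_WORKSTATION_TRUST_ACCOUNT", "ADS_UF_SERVER_TRUST_ACCOUNT", _
    "ADS_UF_DONT_EXPIRE_PASSWD", "ADS_UF_MNS_LOGON_ACCOUNT", _
    "ADS_UF_SMARTCARD_REQUIRED", "ADS_UF_TRUSTED_FOR_DELEGATION", _
    "ADS_UF_NOT_DELEGATED", "ADS_UF_USE_DES_KEY_ONLY", _
    "ADS_UF_DONT_REQUIRE_PREAUTH", "ADS_UF_PASSWORD_EXPIRED", _
    "ADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION")
arrFlagValues = Array( _
    &H1, &H2, &H8, &H10, &H20, &H40, &H80, &H100, &H200, &H800, &H1000, &H2000, _
    &H10000, &H20000, &H40000, &H80000, &H100000, &H200000, &H400000, &H800000, &H1000000)

' Bits worth a second look on any account: PASSWD_NOTREQD, ENCRYPTED_TEXT_PASSWORD_ALLOWED,
' DONT_EXPIRE_PASSWD, TRUSTED_FOR_DELEGATION, USE_DES_KEY_ONLY, DONT_REQUIRE_PREAUTH.
lngRiskyFlags = &H20 Or &H80 Or &H10000 Or &H80000 Or &H200000 Or &H400000

Function DecodeUAC(lngUAC)
    'returns the names of the flags set in lngUAC, separated by spaces
    Dim i, strNames
    strNames = ""
    For i = 0 To UBound(arrFlagValues)
        If (lngUAC And arrFlagValues(i)) <> 0 Then strNames = strNames & arrFlagNames(i) & " "
    Next
    DecodeUAC = Trim(strNames)
End Function

Sub AuditContainer(strADsPath)
    'lists every user and computer in the container with its decoded flags,
    'and adds a REVIEW line for those carrying any of the risky bits
    Dim objContainer, objItem, lngUAC
    Set objContainer = GetObject(strADsPath)
    objContainer.Filter = Array("user", "computer")
    For Each objItem In objContainer
        lngUAC = objItem.Get("userAccountControl")
        WScript.Echo objItem.Name & ": " & lngUAC & " (0x" & Hex(lngUAC) & ") " & DecodeUAC(lngUAC)
        If (lngUAC And lngRiskyFlags) <> 0 Then
            WScript.Echo "    REVIEW: " & DecodeUAC(lngUAC And lngRiskyFlags)
        End If
    Next
End Sub

' The values met in this chapter:
WScript.Echo "4128 -> " & DecodeUAC(4128)   'CreateComputer.vbs: PASSWD_NOTREQD + WORKSTATION_TRUST_ACCOUNT
WScript.Echo "546  -> " & DecodeUAC(546)    'assumed new, never-enabled user: ACCOUNTDISABLE + PASSWD_NOTREQD + NORMAL_ACCOUNT
WScript.Echo "512  -> " & DecodeUAC(512)    'ordinary enabled user: NORMAL_ACCOUNT
AuditContainer "LDAP://OU=mred,dc=nwtraders,dc=msft"
```

The decode works because each flag is a distinct power of two, so a bitwise And against the table value tells you whether that flag is present without having to subtract values by hand. Note that 4128 itself trips the REVIEW line through ADS_UF_PASSWD_NOTREQD, which is expected for a freshly staged computer account but not for a user.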