Working with Users

In this section, you will use Active Directory Service Interfaces (ADSI) to modify user properties stored in Active Directory. The following list summarizes a few of the items you can change or configure:
User information that is stored in Active Directory can easily replace several pieces of disparate information in a single swoop. For instance, you might have an internal Web site that contains a telephone directory; you can put the phone number into Active Directory as an attribute of the User object. You might also have a Web site containing a social roster that includes employees and their hobbies; you can put hobby information in Active Directory as a custom attribute. Because the information is then stored in a single location (Active Directory), updating the attributes in Active Directory also updates the Web sites. You can also add information such as an organizational chart to Active Directory. The problem, of course, is that during a migration, information such as a user's title is the last thing the harried mind of the network administrator thinks about. To leverage the investment in Active Directory, you need to enter this type of information, because it quickly becomes instrumental in the daily lives of users. This is where the power of ADSI and Microsoft Visual Basic, Scripting Edition (VBScript) really begins to shine. You can update hundreds or even thousands of records easily and efficiently using scripting. Such a task would be unthinkable using conventional point-and-click methods.

General User Information

One of the more confusing issues when you use VBScript to modify information in Active Directory is that the field names displayed on the various tabs of graphical administrative tools such as Active Directory Users And Computers (ADUC) do not correspond with the ADSI nomenclature. This was not done to make your life difficult; rather, the names you see in ADSI are derived from Lightweight Directory Access Protocol (LDAP) standard naming conventions. Although this naming convention makes traditional LDAP programmers happy, it does nothing for the network administrator who is a casual scripter.
This is where the following script, ModifyUserProperties.vbs, comes in handy. The LDAP properties corresponding to each field in Figure 12-1 are used in this script. Some of the names make sense, but others appear to be rather obscure. Notice the series of objUser.Put statements. Each lines up with the corresponding field in Figure 12-1. Use the values to see which display name maps to which LDAP attribute name.

Figure 12-1. All the General User properties can be set by using ADSI and VBScript

ModifyUserProperties.vbs

Option Explicit
On Error Resume Next   'keep running after a failed call so the Err.Number check below is meaningful
Dim provider           'defines how we will talk to Active Directory (the ADSI LDAP provider)
Dim ou                 'path to the OU in which the object resides
Dim domain             'name of the domain we are connecting to
Dim oCN                'the "CN=" prefix for the name of the object we are modifying
Dim oUname             'user name
Dim objUser            'holds the connection to the user object through ADSI

provider = "LDAP://"
ou = "ou=mred,"
domain = "dc=nwtraders,dc=msft"
oCN = "CN="
oUname = "myNewUser,"

Set objUser = GetObject(provider & oCN & oUname & ou & domain)
WScript.Echo provider & oCN & oUname & ou & domain   'debug info: the ADsPath we bound to

objUser.Put "SamaccountName", "myNewUser"
objUser.Put "givenName", "My"
objUser.Put "initials", "f."
objUser.Put "sn", "User"
objUser.Put "DisplayName", "My New User"
objUser.Put "description", "simple new user"
objUser.Put "physicalDeliveryOfficeName", "RQ2"
objUser.Put "telephoneNumber", "999-222-1111"
objUser.Put "mail", "fff@hotmail.com"
objUser.Put "wwwHomePage", "http://www.fred.msn.com"
objUser.SetInfo   'write the cached changes to Active Directory

If Err.Number = 0 Then
    WScript.Echo "User " & oUname & " was modified"
Else
    WScript.Echo "An error occurred. It was: " & Err.Number & " " & Err.Description
End If
Reference Information

The Reference information section of the script assigns values to the variables used in the script. Here you assign the LDAP provider to the provider variable. You then assign the entire ou path to the ou variable. The variable called domain gets assigned both of the domain components that are used for constructing a fully qualified name. These domain components are the "DC=" sections of the code. You use oCn to hold the "cn=" string, and you end the section by equating oUname to the user name you plan to modify. If you were using a text file to supply the user name, you could still use this variable. The Reference section follows:

provider = "LDAP://"
ou = "ou=lab22,"
domain = "dc=nwtraders,dc=msft"
oCn = "cn="
oUname = "labUser,"

Worker Information

The Worker information section of the ModifyUserProperties.vbs script contains a lot of code because it modifies all the properties contained on the General tab of the user properties in Microsoft Windows Server 2003. The first line in the Worker information section performs the binding to Active Directory. In this instance, you bind not to an OU but to a specific user, as shown here:

Set objUser = GetObject(provider & oCn & oUname & ou & domain)

You assign "CN=" to the variable oCn to keep it separate from the user name portion. In this way, you can more easily make changes to multiple users. In our particular situation, you connect to the ou created in the previous chapter, and the Lab 22 ou is off the root in the Active Directory hierarchy. If the ou were nested, you could still use the script, and in the Reference section specify something like ou = "ou=level1,ou=level2,ou=level3," (or whatever the actual namespace consisted of). The domain variable holds the entire domain component. CN, user name, ou, and domain make up the ADsPath portion of the binding string. Once you have the binding to Active Directory, you are ready to begin modifying user information.
The nice part about using the Put method is that it overwrites any information already present in that property, but only in the cached copy of the User object. The change affects only the particular property being put, and nothing is written to Active Directory until you call SetInfo. If you don't specify a particular piece of information (that is, you leave the space between the quotation marks empty), you'll be greeted with an error message. Figure 12-2 shows this message.

Figure 12-2. Error message received when a property value is left out of a Put command
To write information to a specific user property, use the Put method. This entails specifying both the ADSI field name and the desired value. The pertinent Worker information section of the ModifyUserProperties.vbs script follows:

objUser.Put "givenName", "fred"
objUser.Put "initials", "f."
objUser.Put "sn", "flintstone"
objUser.Put "DisplayName", "labUser"
objUser.Put "description", "funny looking dude"
objUser.Put "physicalDeliveryOfficeName", "RQ2"
objUser.Put "telephoneNumber", "9992221111"
objUser.Put "mail", "fff@hotmail.com"
objUser.Put "wwwHomePage", "http://www.fred.msn.com"

The last item in the Worker information section is the SetInfo command. If SetInfo isn't called, the information isn't written to Active Directory. There will be no error message, merely an absence of data. The ModifyUserProperties.vbs script uses the following SetInfo line to ensure changes are written to Active Directory:

objUser.SetInfo

Output Information

Once all the changes are loaded into Active Directory, you include an output statement to let you know that the changes have been made to Active Directory. In the ModifyUserProperties.vbs script, you use a simple WScript.Echo statement. This echo statement is listed here:

WScript.Echo("User " & oUname & " was modified")
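The Reference, Worker, and Output sections above amount to one procedure: assemble the ADsPath from its CN, OU and DC pieces, translate the General tab fields into Put calls, and refuse to Put an empty value. The following Python is an added example written for this page, not code from the book or from ModifyUserProperties.vbs; it assumes the standard ADUC General tab labels in DISPLAY_TO_LDAP, uses constructed sample data, and never touches a directory. It goes a step beyond the script by escaping the RDN values per RFC 4514, which matters once the user name is read from a text file rather than typed into the Reference section: a comma in a supplied name would otherwise change which object the script binds to.

```python
"""Build an ADSI binding string and a Put list the way ModifyUserProperties.vbs does.

Added example, not from the book. It assumes the ADUC "General" tab field
labels in DISPLAY_TO_LDAP and uses constructed sample data; nothing here
binds to a real directory.
"""
from __future__ import annotations

# Field label shown on the ADUC General tab -> LDAP attribute name that ADSI
# Put expects. The attribute names are the ones ModifyUserProperties.vbs uses.
DISPLAY_TO_LDAP = {
    "First name": "givenName",
    "Initials": "initials",
    "Last name": "sn",
    "Display name": "displayName",
    "Description": "description",
    "Office": "physicalDeliveryOfficeName",
    "Telephone number": "telephoneNumber",
    "E-mail": "mail",
    "Web page": "wWWHomePage",
}

# Characters that must be backslash-escaped inside an RDN value (RFC 4514),
# so a value taken from a text file cannot alter the path being bound.
_SPECIAL = set(',+"\\<>;')


def escape_rdn_value(value: str) -> str:
    """Escape one RDN value (for example the CN) for use in a distinguished name."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL or (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def build_adspath(user_name: str, ou_chain: list[str],
                  domain_components: list[str], provider: str = "LDAP://") -> str:
    """Assemble provider + CN + nested OUs + DCs, mirroring the script's
    provider & oCn & oUname & ou & domain concatenation (innermost OU first)."""
    parts = ["CN=" + escape_rdn_value(user_name)]
    parts += ["OU=" + escape_rdn_value(o) for o in ou_chain]
    parts += ["DC=" + escape_rdn_value(d) for d in domain_components]
    return provider + ",".join(parts)


def puts_from_general_tab(fields: dict[str, str]) -> list[tuple[str, str]]:
    """Translate ADUC field labels into (ldapAttribute, value) Put pairs.

    An empty value is rejected up front, because ADSI Put fails with an error
    (Figure 12-2) instead of clearing the attribute; an unknown label is
    rejected so a typo in the input file is not silently dropped.
    """
    puts = []
    for label, value in fields.items():
        if label not in DISPLAY_TO_LDAP:
            raise KeyError(f"{label!r} is not a field on the General tab")
        if value == "":
            raise ValueError(f"{label!r} is empty; Put would raise an error")
        puts.append((DISPLAY_TO_LDAP[label], value))
    return puts


# Constructed sample row, like one line of a text file feeding the script.
SAMPLE_FIELDS = {
    "First name": "fred",
    "Initials": "f.",
    "Last name": "flintstone",
    "Display name": "labUser",
    "Description": "funny looking dude",
    "Office": "RQ2",
    "Telephone number": "9992221111",
    "E-mail": "fff@hotmail.com",
    "Web page": "http://www.fred.msn.com",
}

if __name__ == "__main__":
    print(build_adspath("labUser", ["lab22"], ["nwtraders", "msft"]))
    for attr, value in puts_from_general_tab(SAMPLE_FIELDS):
        print(f'objUser.Put "{attr}", "{value}"')
```

Run as a script it prints the ADsPath LDAP://CN=labUser,OU=lab22,DC=nwtraders,DC=msft followed by the nine Put lines in the order the General tab lists them, which is a convenient way to check an input file before the VBScript is let loose on thousands of accounts.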