Scenario
It’s your first day on the job as IT Manager for Fabrikam, Inc., and you’ve just
discovered that your predecessor’s final project – to convert your organization’s
directory service to Active Directory – was never completed. She managed to
get Active Directory up and running, and even created a handful of user
accounts. However, she did not get all the required accounts created, nor did
she complete the rest of the Active Directory infrastructure: your domain
currently has no organizational units (OUs) and no security groups other than
the ones automatically created when you install Active Directory.
Consequently, you are faced with three major tasks:
Determining the current state of your Active Directory. For example, you
need to figure out which user accounts have been created and which ones
have not.
Setting up the rest of the Active Directory infrastructure. This includes such
things as creating additional user accounts; creating OUs and sub-OUs;
moving existing user accounts to the appropriate OUs; and creating and
populating security groups.
Making additional modifications as needed. As part of your day-to-day
management of Active Directory, you need to do such things as audit
existing user accounts to ensure that they are in compliance with Fabrikam
policies, as well as make changes to accounts to match changes in the
workplace. (For example, if a user acquires a second telephone number, that
number should be recorded in Active Directory.)
4 Active Directory Scripting
Fortunately, you can use ADSI scripts to help you with these tasks. Note that in
the exercises in this lab an argument can be made that a script is possibly less
efficient than simply carrying out a task using Active Directory Users and
Computers. For the most part, this is an artifact of the lab environment: in order
to keep the lab manageable, and in order to ensure that all the tasks can be
completed in a reasonable amount of time, you will often be asked to do
something to just one user account. When working with a single user account,
you might very well find it faster and easier to use Active Directory Users and
Computers. Scripting becomes a more useful alternative in situations such as
this:
You need to make a change to many user accounts at once. This lab offers a
few simple examples of working with multiple accounts at the same time;
for example, in one exercise you will use a script to move all the users in a
department to a specified OU, regardless of the current Active Directory
location of those user accounts. In the lab this involves moving a handful of
accounts; in real-life this might involve moving thousands of user accounts.
If you are working with thousands of user accounts at the same time, a script
might save you several days’ worth of effort.
You want to enforce standards. For example, you might want all your user
accounts to have a CN in the format First Name Last Name (e.g., Ken
Myer) and a logon name in the format First Initial Last Name (e.g.,
kmyer). Scripts can help enforce these standards by carrying out these tasks
for you; in one of the labs, you will write a script that reads user information
(in this case, first name and last name) from a text file and then creates
multiple user accounts, using your organization standards to automatically
create such things as the CN (common name) and the SAM Account (logon)
name.
You can either type in the full script, or you can open the template and replace
the X's with the required information; you would then only have to type the
items in bold:
If you cannot get a script to work no matter what you try, you can find complete
copies of all the scripts used in this lab in the C:\Solutions folder.
Estimated time to complete this lab: 60 minutes
Exercise 1
Viewing existing accounts
Before you can finish setting up the new Active Directory, you need to determine how much your
predecessor managed to get done herself. In this exercise, you will use a simple ADSI script to view
the accounts currently in Active Directory. Because you have already been told that all the accounts
are in the Users container, the script binds to that container and enumerates only the items found
there. The resulting output will show the CN (common name) for each account, as well as the
account type. For example:
Administrator, user
Why CScript?
When you run a script in this lab, the instructions for starting that script will always be prefaced by
the word “cscript”:
cscript view_accounts.vbs
This ensures that the script runs under the CScript script host; in turn, that ensures that the output
will appear in the command window rather than in a seemingly-endless series of message boxes (as
would be the case using WScript, the default script host). If you do not want to type in the word
cscript each and every time, you can change the default script host to CScript by typing the
following at the command prompt, and then pressing ENTER:
cscript //H:cscript
If you want to change the default host back to WScript, then type this at the command prompt and
press ENTER:
cscript //H:wscript
Wscript.Echo objRecordSet.Fields("Name").Value
objRecordSet.MoveNext
Loop
If you run this script, you might notice a stray user account (David Hamilton) that did not appear
when you looked at the list of user accounts found in the Users container. That’s because this
account was mistakenly created in the Computers container rather than the Users container.
Exercise 2
Retrieving information from an individual user account
You were initially alerted to the fact that there was a problem when one of your users – Ken Myer –
called to say that he was unable to log on to the domain. In the previous exercise you noticed that an
account exists for Ken Myer; now all you need to do is figure out why he is unable to log on. In
this exercise, you will use an ADSI script to bind to the Ken Myer user account (found in the Users
container) and retrieve some basic account information, including the user’s first name, last name,
and middle initial, as well as the current account status (whether the account is enabled or disabled).
1. Retrieve information from an individual user account.
a. Double-click the Notepad shortcut on the desktop and type the
following (To reduce the amount of typing required, you can use the
template C:\Scripts\Account_View.txt):
Set objUser = GetObject _
    ("LDAP://CN=Ken Myer, CN=Users, DC=fabrikam, DC=com")
Wscript.Echo "First name: " & objUser.GivenName
Wscript.Echo "Middle initial: " & objUser.Initials
Wscript.Echo "Last name: " & objUser.SN
Wscript.Echo "Account disabled: " & objUser.AccountDisabled
b. Click File | Save As.
c. Save the script as bind_user.vbs, in the folder C:\Scripts. To ensure
that the .vbs file extension is used, enclose the file name in quotation
marks before clicking Save:
"bind_user.vbs"
d. Close Notepad.
e. In Command Prompt (Scripts Folder) type the following and press
ENTER:
cscript bind_user.vbs
f. Check the output to see the requested information for the Ken Myer
user account. Be sure to verify that this user account is disabled.
If you have CNs that include commas, you need to “escape” the comma by placing a \ before it, as
shown in this sample script (comma_in_cn.vbs):
Set objUser = GetObject("LDAP://CN=Penor\, Lori, CN=Users, DC=fabrikam, DC=com")
Wscript.Echo objUser.CN
For more information on binding to user accounts when the account CN includes a comma, see this
edition of the Hey, Scripting Guy! column on TechNet.
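The escaping rule above applies to more than commas: RFC 4514 also requires a backslash before a plus sign, quotation mark, angle bracket, semicolon or backslash, and before a leading space or "#" or a trailing space. The following is an added Python example, not one of the lab’s VBScript scripts; it applies the rule to any name before the name is placed in an ADsPath, and counts the RDNs of the resulting path to show why the unescaped form is wrong. The default container, the function names and the sample names are my own choices.

```python
# Escaping a CN for an LDAP path, following RFC 4514. Added example, not part
# of the lab: it shows why "Penor\, Lori" needs the backslash and applies the
# same rule to any name placed in a path such as
# LDAP://CN=...,CN=Users,DC=fabrikam,DC=com.

# Characters that must always be escaped inside an RDN value.
_ALWAYS_ESCAPE = set('\\,+"<>;')

# Assumed default container: the lab's accounts live in the Users container.
DEFAULT_CONTAINER = "CN=Users,DC=fabrikam,DC=com"


def escape_rdn_value(value):
    """Return value escaped so it is safe as a single RDN value.

    A comma, plus sign, quote, angle bracket, semicolon or backslash is
    prefixed with a backslash; so is a leading space or '#' and a trailing
    space; a NUL byte becomes the two-digit escape \\00.
    """
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _ALWAYS_ESCAPE:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif i == 0 and ch in " #":
            out.append("\\" + ch)
        elif i == last and ch == " ":
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def user_path(cn, container=DEFAULT_CONTAINER):
    """Build the ADsPath the lab binds to, with the CN escaped."""
    return "LDAP://CN=" + escape_rdn_value(cn) + "," + container


def rdn_count(dn):
    """Count the RDNs in a DN, skipping backslash-escaped characters.

    An unescaped comma in a name adds an RDN, so the path no longer names
    the object it was meant to; the escaped form keeps the count right.
    """
    count, i = 1, 0
    while i < len(dn):
        if dn[i] == "\\":
            i += 2          # skip the escaped character
            continue
        if dn[i] == ",":
            count += 1
        i += 1
    return count
```

For "Penor, Lori" the unescaped path splits into five RDNs and the escaped one into the intended four; the same check catches a name that contains a plus sign or a quotation mark, which the lab does not mention but which the directory treats just as strictly.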
Exercise 3
Enabling an individual user account
As it turns out, Ken Myer is unable to log on because his account is disabled. In this exercise, you
will use an ADSI script to enable the Ken Myer user account. Enabling an account is an important
task for script writers; by default, any account you create using a script is disabled, at least until you
explicitly enable it. Note the use of the SetInfo method in the last line of the script. SetInfo is
roughly equivalent to the Save command in an application; you can make any changes you want to
a user account, but those changes are not actually written to Active Directory until you call SetInfo.
1. Enable an individual user account.
a. Double-click the Notepad shortcut on the desktop and type the
following (To reduce the amount of typing required, you can use the
template C:\Scripts\Account_Change.txt):
Set objUser = GetObject _
    ("LDAP://CN=Ken Myer, CN=Users, DC=fabrikam, DC=com")
objUser.AccountDisabled = FALSE
objUser.SetInfo
b. Click File | Save As.
c. Save the script as enable_user.vbs in the folder C:\Scripts. To ensure
that the .vbs file extension is used, enclose the file name in quotation
marks before clicking Save:
"enable_user.vbs"
d. Close Notepad.
e. In Command Prompt (Scripts Folder) type the following and press
ENTER:
cscript enable_user.vbs
f. To verify that the account has been enabled, type the following and
press ENTER:
cscript bind_user.vbs
Exercise 4
Deleting an individual user account
When you looked over the user accounts back in Exercise 1, you noticed that an account for Pilar
Ackerman still existed. Pilar was your predecessor; it’s obviously a gaping security hole for her to
still have a valid domain administrator account. In this exercise, you will delete the user account for
Pilar Ackerman. Bear in mind that, when you call the Delete method, the account will immediately
be deleted from Active Directory; you will not be given a prompt along the lines of “Are you sure
you want to delete this user account?” However, you could include such a prompt as part of your
script code; you would simply need to make sure that the prompt occurred before you actually
called the Delete method.
1. Delete an individual user account.
a. In Command Prompt (Scripts Folder) type the following and press
ENTER:
cscript view_accounts.vbs
b. Verify that the Pilar Ackerman user account exists in Active
Directory.
c. Double-click the Notepad shortcut on the desktop and type the
following (To reduce the amount of typing required, you can use the
template C:\Scripts\Container_Change.txt):
Set objOU = GetObject _
    ("LDAP://CN=Users, DC=fabrikam, DC=com")
objOU.Delete "user", "CN=Pilar Ackerman"
d. Click File | Save As.
e. Save the script as delete_user.vbs in the folder C:\Scripts. To ensure
that the .vbs file extension is used, enclose the file name in quotation
marks before clicking Save:
"delete_user.vbs"
f. Close Notepad.
g. In Command Prompt (Scripts Folder) type the following and press
ENTER:
cscript delete_user.vbs
h. To verify that the Pilar Ackerman user account has been deleted, type
the following and press ENTER:
cscript view_accounts.vbs
Exercise 5
Creating a New OU
It’s now time to begin setting up the Active Directory infrastructure, and to start creating all the
outstanding user accounts. In this exercise, you will create a new organizational unit (OU) named
Finance. A “top-level” OU such as Finance is created by binding to the domain root, and then
calling the Create method.
Exercise 6
Moving a user account to a different OU
Ken Myer is a member of the Finance department; as such, it makes sense that his user account be
stored in the Finance OU rather than the Users container. In this exercise, you will move the Ken
Myer user account from the Users container to the Finance OU. This script requires just two lines
of code. In line 1, you bind to the OU where you want the account to be moved (in this example,
the Finance OU). In line 2, you call the MoveHere method, specifying the current ADsPath
(LDAP://CN=Ken Myer,CN=Users,DC=fabrikam,DC=com ) of the account being moved.
1. Move a user account to a different OU.
a. Double-click the Notepad shortcut on the desktop and type the
following (To reduce the amount of typing required, you can use the
template C:\Scripts\Container_Change.txt):
Set objOU = GetObject("LDAP://OU=Finance,DC=fabrikam,DC=com")
objOU.MoveHere _
    "LDAP://CN=Ken Myer,CN=Users,DC=fabrikam,DC=com", vbNullString
b. Click File | Save As.
c. Save the script as move_user.vbs in the folder C:\Scripts. To ensure
that the .vbs file extension is used, enclose the file name in quotation
marks before clicking Save:
"move_user.vbs"
d. Close Notepad.
e. In Command Prompt (Scripts Folder) type the following and press
ENTER:
cscript move_user.vbs
f. To verify that the user account has been moved, switch to Active
Directory Users and Computers.
g. Right-click fabrikam.com and then click Refresh.
h. Click the Finance OU.
You should see that the Ken Myer account is now in the Finance OU.
of those accounts is far faster, far easier, and far more reliable than trying to perform the same task
by hand.
The sample script shown below (move_multiple_users.vbs) searches Active Directory for all users
in the Finance department (department=’Finance’), and then moves each account to the Finance
OU:
On Error Resume Next
Const ADS_SCOPE_SUBTREE = 2
Set objOU = GetObject("LDAP://OU=Finance,DC=fabrikam,DC=com")
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
objCommand.CommandText = _
    "SELECT ADsPath FROM 'LDAP://DC=fabrikam,DC=com' WHERE objectCategory='user' " & _
    "AND Department='Finance'"
Set objRecordSet = objCommand.Execute
objRecordSet.MoveFirst
Do Until objRecordSet.EOF
objOU.MoveHere objRecordSet.Fields("ADsPath").Value, vbNullString
objRecordSet.MoveNext
Loop
Exercise 7
Creating a new user account
You’ve also received a call this morning from Eszter Hidasi, who can’t log on to the domain either.
In this case, however, it’s not because the account is disabled, but because the account does not
exist. In this exercise, you will create a new user account with two mandatory properties: a CN of
Eszter Hidasi and a SAM Account Name of ehidasi. Note that these two property values must be
specified when creating a user account; hence the term mandatory attributes. The other attributes
specified in the script, including GivenName (first name), Initials, and SN (surname, or last name)
are optional; you can create a user account without specifying these values.
Note as well that you must call the SetInfo method to create the account before you can enable that
account; you will then need to call SetInfo a second time to enable the account. That’s because the
account must exist before it can be enabled. Likewise, the account must exist before you can assign
the user a password (a task covered in Exercise 18).
1. Create a new user account.
a. Double-click the Notepad shortcut on the desktop and type the
following (To reduce the amount of typing required, you can use the
template C:\Scripts\Container_Change.txt):
Set objOU = GetObject("LDAP://OU=Finance, DC=fabrikam, DC=com")
Set objUser = objOU.Create("User", "CN=Eszter Hidasi")
objUser.sAMAccountName = "ehidasi"
objUser.GivenName = "Eszter"
objUser.Initials = "A"
objUser.SN = "Hidasi"
objUser.SetInfo
objUser.AccountDisabled = FALSE
objUser.SetInfo
b. Click File | Save As.
c. Save the script as create_user.vbs in the folder C:\Scripts. To ensure
that the .vbs file extension is used, enclose the file name in quotation
marks before clicking Save:
"create_user.vbs"
d. Close Notepad.
e. In Command Prompt (Scripts Folder) type the following and press
ENTER:
cscript create_user.vbs
f. To verify that the user account has been created, switch to Active
Directory Users and Computers.
g. Right-click the Finance OU and then click Refresh.
You should now see a new user account for Eszter Hidasi.
Exercise 8
Creating multiple user accounts using a text file
After creating an account for Eszter Hidasi, you discovered that the Finance department has
prepared a text file that has the information needed to create the other user accounts for this
department. In this exercise, you will create multiple user accounts by reading information from a
text file (C:\Scripts\New_Users.txt). The text file is a simple comma-delimited file that looks like
this (first name, middle initial, last name, job title):
Amy,A,Recker,Administrator
Jamie,F,Reding,Accountant
Miles,M,Reid,Accountant
The script works by reading in the first line of the file and then using the VBScript Split function to
create an array consisting of the individual fields within the record:
Amy
A
Recker
Administrator
The script uses that array to set the appropriate property values; for example, the user’s GivenName
(first name) is assigned the value of item 0 in the array (the first item in an array is given the index
number 0, the second value is given the index number 1, and so on). In addition, the script
automatically generates a CN and a SAM Account Name for each user.
In a real-world situation you might find it easier to store information in Microsoft Excel rather than
in a text file. For information on creating user accounts based on information found in an Excel
spreadsheet, see this edition of the Scripting Clinic column on MSDN.
1. Create user accounts using a text file.
a. Double-click the Notepad shortcut on the desktop and type the
following (To reduce the amount of typing required, you can use the
template C:\Scripts\Text_File.txt):
Const ForReading = 1
Set objOU = GetObject("LDAP://OU=Finance,dc=fabrikam,dc=com")
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objTextFile = objFSO.OpenTextFile _
    ("new_users.txt", ForReading)
Do Until objTextFile.AtEndOfStream
    strText = objTextFile.ReadLine
    arrAttributes = Split(strText, ",")
    strCN = arrAttributes(0) & " " & arrAttributes(2)
    Set objUser = objOU.Create("User", "cn=" & strCN)
    strsAMAccountName = Left(arrAttributes(0),1) & arrAttributes(2)
    objUser.sAMAccountName = strsAMAccountName
    objUser.GivenName = arrAttributes(0)
    objUser.Initials = arrAttributes(1)
    objUser.SN = arrAttributes(2)
    objUser.Department = "Finance"
    objUser.Title = arrAttributes(3)
    objUser.SetInfo
    objUser.AccountDisabled = FALSE
    objUser.SetInfo
Loop
objTextFile.Close
b. Click File | Save As.
c. Save the script as create_multiple_users.vbs in the folder C:\Scripts.
To ensure that the .vbs file extension is used, enclose the file name in
quotation marks before clicking Save:
"create_multiple_users.vbs"
d. Close Notepad.
e. In Command Prompt (Scripts Folder) type the following and press
ENTER:
cscript create_multiple_users.vbs
f. To verify that the new accounts have been created, switch to Active
Directory Users and Computers.
g. Right-click the Finance OU and then click Refresh.
You should now see the new user accounts.
Note. It should be pointed out that, outside of the lab environment, this
script might occasionally fail to create a user account. That’s because CNs
must be unique within a container, and the SAM Account Names must be
unique within a forest. As currently designed, the script would assign a
user named Barry Johnson a SAM Account Name of bjohnson; however, it
would also try to assign that same SAM Account Name to Brandon
Johnson. In a real production script, you could do a search to determine
whether a SAM Account Name is already in use; if it is, you could then tack
the number 1 on the end (e.g., bjohnson1) and check to see if that name is
in use. If it is, you could continue to increment the value until you finally
find a unique name.
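The record-to-attribute mapping of this exercise and the uniqueness problem of the note, worked as an added Python example that is not part of the lab (the lab’s scripts are VBScript). The sample file is constructed in the New_Users.txt layout and adds two Johnsons so the collision actually occurs; the set of already-used names stands in for the directory search a production script would run, and the function names, the lower-casing of logon names and the 20-character limit check are my additions.

```python
import csv
import io

# Constructed sample in the lab's New_Users.txt layout (first name, middle
# initial, last name, job title). The two Johnsons reproduce the collision
# the note describes: both would otherwise be assigned "bjohnson".
SAMPLE_FILE = """Amy,A,Recker,Administrator
Jamie,F,Reding,Accountant
Miles,M,Reid,Accountant
Barry,J,Johnson,Accountant
Brandon,K,Johnson,Analyst
"""

SAM_MAX_LEN = 20                          # AD limit for a user's sAMAccountName
SAM_FORBIDDEN = set('"/\\[]:;|=,+*?<>')   # characters AD rejects in it


def sam_base(first, last):
    """First initial + last name (the lab's standard), lower-cased and with
    whitespace and forbidden characters dropped."""
    raw = (first[:1] + last).lower()
    return "".join(ch for ch in raw if ch not in SAM_FORBIDDEN and not ch.isspace())


def unique_sam(base, taken):
    """Return base if unused; otherwise base1, base2, ... as the note suggests.

    taken holds lower-cased names already in the forest. The suffix is fitted
    inside the 20-character limit so a long surname cannot push the result
    over it.
    """
    candidate = base[:SAM_MAX_LEN]
    n = 1
    while candidate.lower() in taken:
        suffix = str(n)
        candidate = base[:SAM_MAX_LEN - len(suffix)] + suffix
        n += 1
    return candidate


def plan_accounts(text, existing_sams=(), department="Finance"):
    """Turn the comma-delimited file into one attribute set per user (the
    values create_multiple_users.vbs writes) with collision-free names.

    existing_sams stands in for the directory search a production script
    would run; CNs are also checked for uniqueness within the container.
    """
    taken = {s.lower() for s in existing_sams}
    cns = set()
    plans = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue                      # skip blank lines
        if len(row) != 4:
            raise ValueError("expected 4 fields, got %d: %r" % (len(row), row))
        first, initial, last, title = (field.strip() for field in row)
        cn = first + " " + last
        if cn.lower() in cns:
            raise ValueError("CN already used in this container: " + cn)
        cns.add(cn.lower())
        sam = unique_sam(sam_base(first, last), taken)
        taken.add(sam.lower())
        plans.append({
            "cn": cn,
            "sAMAccountName": sam,
            "givenName": first,
            "initials": initial,
            "sn": last,
            "title": title,
            "department": department,
        })
    return plans
```

Running plan_accounts on the sample gives arecker, jreding, mreid, bjohnson and bjohnson1; a malformed line raises instead of creating a half-filled account, which is the failure mode the lab’s loop does not guard against.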
Exercise 9
Creating new security groups
Creating accounts gives users the ability to log on to the domain. However, this does not give
them access to resources. Resource access is typically controlled through the use of security
groups; giving a single group access is easier than giving each of the individual members of
the group access to that same resource. (On top of that, any new users added to the group
automatically gain access to the resource, without requiring any work whatsoever on
your part.) In this exercise, you will create a global security group named Finance Managers.
Notice that two constants (ADS_GROUP_TYPE_GLOBAL_GROUP and
ADS_GROUP_TYPE_SECURITY_ENABLED) are required when specifying the group type.
(Don’t be misled by the OR operator; in the bitwise logic used to set the group type, OR can
be read as if it was really the word and.) The constant
ADS_GROUP_TYPE_GLOBAL_GROUP makes the group a global group, while the
ADS_GROUP_TYPE_SECURITY_ENABLED constant makes it a security group. Without
this latter constant, you would create a distribution group instead.
1. Create a new security group.
a. Double-click the Notepad shortcut on the desktop and type the
following (To reduce the amount of typing required, you can use the
template C:\Scripts\Container_Change.txt):
Const ADS_GROUP_TYPE_GLOBAL_GROUP = &H2
Const ADS_GROUP_TYPE_SECURITY_ENABLED = &H80000000
Set objOU = GetObject("LDAP://OU=Finance,DC=fabrikam,DC=com")
Set objGroup = objOU.Create("Group", "CN=Finance Users")
objGroup.Put "samAccountName", "FinanceUsers"
objGroup.Put "groupType", ADS_GROUP_TYPE_GLOBAL_GROUP OR _
    ADS_GROUP_TYPE_SECURITY_ENABLED
objGroup.SetInfo
b. Click File | Save As.
c. Save the script as create_group.vbs in the folder C:\Scripts. To
ensure that the .vbs file extension is used, enclose the file name in
quotation marks before clicking Save:
"create_group.vbs"
d. In Command Prompt (Scripts Folder) type the following and press
ENTER:
cscript create_group.vbs
e. To verify that the group has been created, switch to Active Directory
Users and Computers.
f. Right-click the Finance OU and then click Refresh.
You should now see the new FinanceUsers group.
Group type           Value        Description
Global group         &H2          Users must all come from the same domain. Permissions apply only to the local domain.
Domain local group   &H4          Users can come from any domain in the forest, but permissions apply only to the local domain.
Universal group      &H8          Users can come from any domain in the forest.
Security group       &H80000000   Security groups can be granted or denied access to resources. Distribution groups cannot.
Exercise 10
Adding an individual user to a security group
Now that the Finance Users group exists you can begin adding members to it. In this exercise, you
will add Ken Myer to the Finance Users security group. This is done by binding to the group,
binding to the user account, and then calling the Add method to add the user to the group.
1. Add an individual user to a security group.
a. Double-click the Notepad shortcut on the desktop and type the
following (To reduce the amount of typing required, you can use the
template C:\Scripts\Account_Change.txt):
Set objGroup = GetObject _
    ("LDAP://CN=Finance Users, OU=Finance, DC=fabrikam, DC=com")
Set objUser = GetObject _
    ("LDAP://CN=Ken Myer, OU=Finance, DC=fabrikam, DC=com")
objGroup.Add(objUser.ADsPath)
b. Click File | Save As.
c. Save the script as add_user.vbs in the folder C:\Scripts. To ensure
that the .vbs file extension is used, enclose the file name in quotation
marks before clicking Save:
"add_user.vbs"
d. Close Notepad.
e. In Command Prompt (Scripts Folder) type the following and press
ENTER:
cscript add_user.vbs
f. To verify that the user has been added to the group, switch to Active
Directory Users and Computers.
g. In the Finance OU, right-click Finance Users and click Properties.
h. In the Finance Users Properties dialog box, click the Members tab.
You should now see Ken Myer as a member of Finance Users.
i. Close the Finance Users Properties dialog box.
Exercise 11
Adding multiple users to a security group
A common requirement in many organizations is for all users in an OU to also be members of a
specified group. (This is often done because an OU is not a security principal.) Active Directory
does not have any mechanism for automatically placing all the users in an OU in a corresponding
security group; however, you can write a script that will retrieve a list of users found in an OU and
then place each of those users in a security group. In this exercise, you will use a script to add all
the users in the Finance OU to the Finance Users group. This is done by returning a collection of all
the users in the OU (notice the filter applied to the returned collection), and then adding the users to
the group, one by one.
1. Add multiple users to a security group.
a. Double-click the Notepad shortcut on the desktop and type the
following (To reduce the amount of typing required, you can use the
template C:\Scripts\Account_Change.txt):
On Error Resume Next
Set objGroup = GetObject _
    ("LDAP://CN=Finance Users, OU=Finance, DC=fabrikam, DC=com")
Set objOU = GetObject("LDAP://OU=Finance, DC=fabrikam, DC=com")
objOU.Filter = Array("User")
For Each objUser in objOU
    objGroup.Add(objUser.ADsPath)
Next
b. Click File | Save As.
c. Save the script as add_multiple_users.vbs in the folder C:\Scripts. To
ensure that the .vbs file extension is used, enclose the file name in
quotation marks before clicking Save:
"add_multiple_users.vbs"
d. Close Notepad.
e. In Command Prompt (Scripts Folder) type the following and press
ENTER:
cscript add_multiple_users.vbs
f. To verify that the users have been added to the group, switch to Active
Directory Users and Computers.
g. In the Finance OU, right-click Finance Users and then click
Properties.
h. In the Finance Users Properties dialog box, click the Members tab.
You should now see various users as members of Finance Users.
i. Close the Finance Users Properties dialog box.
Exercise 12
Removing a user from a security group
Having added Ken Myer to the Finance Users group, you now discover that, as a manager, he
should not be a member of this group. In this exercise, you will remove Ken Myer from the Finance
Users group. Note the similarities between the script that removes a user from a group and the
script that originally added the user to the group.
1. Remove a user from a security group.
a. Double-click the Notepad shortcut on the desktop and type the
following (To reduce the amount of typing required, you can use the
template C:\Scripts\Account_Change.txt):
Set objGroup = GetObject _
    ("LDAP://CN=Finance Users, OU=Finance, DC=fabrikam, DC=com")
Set objUser = GetObject _
    ("LDAP://CN=Ken Myer, OU=Finance, DC=fabrikam, DC=com")
objGroup.Remove(objUser.ADsPath)
b. Click File | Save As.
c. Save the script as remove_user.vbs in the folder C:\Scripts. To ensure
that the .vbs file extension is used, enclose the file name in quotation
marks before clicking Save:
"remove_user.vbs"
d. Close Notepad.
e. In Command Prompt (Scripts Folder) type the following and press
ENTER:
cscript remove_user.vbs
f. To verify that the user has been removed from the group, switch to
Active Directory Users and Computers.
g. In the Finance OU, right-click Finance Users and then click
Properties.
h. In the Finance Users Properties dialog box, click the Members tab.
You should no longer see Ken Myer listed as a member of Finance Users.
i. Close the Finance Users Properties dialog box.
Exercise 13
Modifying an individual user account
One reason you mistakenly placed Ken Myer in the Finance Users group is because you did not
realize Ken was a manager. To help avoid similar mistakes in the future, you decided to add Ken’s
department, job title, and company to his Active Directory user account. (This is an easy task,
because these attributes are available for use with any Active Directory user account.) In this
exercise, you will modify organization property values for the Ken Myer user account. This process
involves binding to the account, assigning the new property values, and then calling the SetInfo
method to write the changes to Active Directory.
1. Modify an individual user account.
a. Double-click the Notepad shortcut on the desktop and type the
following (To reduce the amount of typing required, you can use the
template C:\Scripts\Account_Change.txt):
Set objUser = GetObject("LDAP://CN=Ken Myer, OU=Finance, DC=fabrikam, DC=com")
objUser.Title = "Manager"
objUser.Department = "Finance Department Management Team"
objUser.Company = "Fabrikam"
objUser.SetInfo
b. Click File | Save As.
c. Save the script as modify_user.vbs in the folder C:\Scripts. To ensure
that the .vbs file extension is used, enclose the file name in quotation
marks before clicking Save:
"modify_user.vbs"
d. Close Notepad.
e. In Command Prompt (Scripts Folder) type the following and press
ENTER:
cscript modify_user.vbs
f. To verify that the account values have been changed, switch to Active
Directory Users and Computers.
g. In the Finance OU, right-click Ken Myer and then click Refresh.
h. Right-click Ken Myer a second time and then click Properties.
i. In the Ken Myer Properties dialog box, click the Organization tab
and verify the values.
j. Close the Ken Myer Properties dialog box.
Exercise 14
Modifying a multi-valued attribute
When you talked to Ken Myer this morning, he also told you that he had just acquired a second
work phone, and he wanted to be sure that this second number was available in the directory
service. In this exercise, you will modify the otherTelephone attribute for the Ken Myer user
account. The otherTelephone attribute is an example of a “multi-valued” attribute, an attribute that
can contain more than one value.
Working with multi-valued attributes is different than working with single-valued attributes. With
a single-valued attribute, you typically assign a property value simply by, well, assigning a property
value:
objUser.SN = "Myer"
When working with a multi-valued attribute you use a defined constant to indicate the type of
operation you are performing. These constants and the operations they perform are listed in the
following table:
A complete explanation of working with multi-valued attributes lies beyond the scope of this lab;
this sample task is presented simply because you will often find yourself working with multi-valued
attributes. For more information, see the chapter Active Directory Users in the Microsoft
Windows 2000 Scripting Guide, or the Scripting Guys’ Webcast Users and Groups and OUs: Oh,
My!.
1. Modify a multi-valued attribute.
a. Double-click the Notepad shortcut on the desktop and type the
following (To reduce the amount of typing required, you can use the
template C:\Scripts\Account_Change.txt):
Const ADS_PROPERTY_APPEND = 3
Set objUser = GetObject _
    ("LDAP://CN=Ken Myer, OU=Finance, DC=fabrikam, DC=com")
objUser.PutEx ADS_PROPERTY_APPEND, "otherTelephone", _
    Array("(425)-555-4444")
objUser.SetInfo
b. Click File | Save As.
arrOtherPhones = objUser.GetEx("otherTelephone")
For Each strPhoneNumber in arrOtherPhones
    WScript.Echo "Other work phone number: " & strPhoneNumber
Next
Exercise 15
Reading the userAccountControl Attribute
You did not create Ken Myer’s user account, nor did your predecessor use a standard script when
creating the account. Consequently, you do not know for sure how the account has been configured.
That’s important, because certain properties of a user account – such as configuring an account so
that a password is not required or so that the password never expires – can represent security risks. In
this exercise, you will use the userAccountControl attribute to determine whether or not Ken
Myer’s user account password expires. (As a security precaution, it is highly recommended that you
do not assign users passwords that never expire.)
The userAccountControl attribute is an example of a bitmask attribute, an attribute that, in effect,
contains multiple attributes and their values. Among other things, the userAccountControl attribute
contains information about whether a user:
Can change his or her password.
Has a password that never expires.
Can use an encrypted text password.
Must log on using a smartcard.
For a list of attributes and their corresponding hexadecimal values see Appendix 1:
userAccountControl Attributes and Values.
In this sample exercise, you will use bitwise logic to determine whether the Password never
expires attribute has been enabled for Ken Myer. That test is performed using this line of code:
If objUser.UserAccountControl AND ADS_UF_DONT_EXPIRE_PASSWD Then
If TRUE, that means the Password never expires attribute has been enabled; if FALSE, then the
password does expire, because the attribute has not been enabled. You can test for other values in
the userAccountControl attribute by substituting the appropriate constant and its hexadecimal value.
A complete explanation of working with the userAccountControl lies beyond the scope of this lab;
this sample task is presented simply because you will often find yourself working with this
attribute. For more information, see the chapter ADSI Scripting Primer in the Microsoft Windows
2000 Scripting Guide.
1. Read the userAccountControl Attribute
   a. Double-click the Notepad shortcut on the desktop and type the following (To reduce the amount of typing required, you can use the template C:\Scripts\Account_View.txt):

      ' Bit &H10000 of userAccountControl is the "Password never expires" flag
      Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000
      Set objUser = GetObject("LDAP://CN=Ken Myer, OU=Finance, DC=fabrikam, DC=com")
      ' Bitwise AND is non-zero (True) only when the flag is set
      If objUser.UserAccountControl AND ADS_UF_DONT_EXPIRE_PASSWD Then
          Wscript.Echo "This password never expires."
      Else
          Wscript.Echo "This password expires."
      End If
b. Click File | Save As.
c. Save the script as read_uac.vbs in the folder C:\Scripts. To ensure
that the .vbs file extension is used, enclose the file name in quotation
marks before clicking Save:
"read_uac.vbs"
d. Close Notepad.
e. In Command Prompt (Scripts Folder) type the following and press
ENTER:
cscript read_uac.vbs
f. To verify that the password for the Ken Myer user account never
expires, switch to Active Directory Users and Computers.
g. In the Finance OU, right click Ken Myer and click Properties.
h. On the Account tab, verify that the checkbox labeled Password never
expires is selected.
i. Close the Ken Myer Properties dialogue box.
Exercise 16
Modifying the userAccountControl Attribute
The fact that Ken Myer’s password does not expire is a potential security risk; because of that, you
decide to reconfigure his account to ensure that the password will expire, and thus have to be
changed periodically. In this exercise, you will use the userAccountControl attribute to ensure that Ken
Myer’s password will expire. To do that, you first use this line of code to determine whether or not
the password is currently set to expire:
If objUser.userAccountControl AND ADS_UF_DONT_EXPIRE_PASSWD Then
If TRUE, that means that the password does not expire. To change this to an expiring password, use
the bitwise logic XOR operator. The XOR operator toggles the value of an attribute: if the attribute is
enabled, XOR will disable it; if the attribute is disabled, XOR will enable it. That is why the script
tests the flag first: applying XOR to an account whose password already expires would turn the
flag on.
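The bitmask logic of Exercises 15 and 16, worked as an added example in Python rather than the lab's VBScript, on constructed account values so it runs without a domain. The flag constants other than ADS_UF_DONT_EXPIRE_PASSWD are the documented ADS_USER_FLAG values, the account names and values are constructed, and the block also shows the AND NOT form, which clears the flag regardless of its current state, beside the lab's XOR toggle.

```python
# Added example (not the lab's code): userAccountControl bitmask logic on
# constructed values. Flag constants are the documented ADS_USER_FLAG values.
ADS_UF_PASSWD_NOTREQD     = 0x0020
ADS_UF_NORMAL_ACCOUNT     = 0x0200
ADS_UF_DONT_EXPIRE_PASSWD = 0x10000   # the lab's &H10000
ADS_UF_SMARTCARD_REQUIRED = 0x40000

FLAG_NAMES = {  # ascending bit order, so decoded lists come out in bit order
    ADS_UF_PASSWD_NOTREQD: "ADS_UF_PASSWD_NOTREQD",
    ADS_UF_NORMAL_ACCOUNT: "ADS_UF_NORMAL_ACCOUNT",
    ADS_UF_DONT_EXPIRE_PASSWD: "ADS_UF_DONT_EXPIRE_PASSWD",
    ADS_UF_SMARTCARD_REQUIRED: "ADS_UF_SMARTCARD_REQUIRED",
}

def decode_uac(value):
    """Names of every flag set in a userAccountControl value."""
    return [name for bit, name in FLAG_NAMES.items() if value & bit]

def password_never_expires(value):
    """Exercise 15's test: userAccountControl AND ADS_UF_DONT_EXPIRE_PASSWD."""
    return bool(value & ADS_UF_DONT_EXPIRE_PASSWD)

def toggle_flag(value, flag):
    """Exercise 16's XOR step. It flips the bit, so it clears the flag only
    when the caller has first confirmed the flag is set."""
    return value ^ flag

def clear_flag(value, flag):
    """Idempotent alternative: AND NOT clears the bit whether set or not."""
    return value & ~flag

def audit(accounts):
    """(name, [risky flag names]) for each account carrying a risk the lab
    names: no password required, or a password that never expires."""
    risky = ADS_UF_PASSWD_NOTREQD | ADS_UF_DONT_EXPIRE_PASSWD
    findings = []
    for name, uac in accounts.items():
        hits = [n for b, n in FLAG_NAMES.items() if uac & risky & b]
        if hits:
            findings.append((name, hits))
    return findings

# Constructed sample accounts, stored in decimal as Active Directory does.
SAMPLE_ACCOUNTS = {
    "Ken Myer":       ADS_UF_NORMAL_ACCOUNT | ADS_UF_DONT_EXPIRE_PASSWD,  # 66048
    "Sample User":    ADS_UF_NORMAL_ACCOUNT,                              # 512
    "Sample Service": ADS_UF_NORMAL_ACCOUNT | ADS_UF_PASSWD_NOTREQD,      # 544
}
```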
1. Modify the userAccountControl Attribute.
   a. Double-click the Notepad shortcut on the desktop and type the following (To reduce the amount of typing required, you can use the template C:\Scripts\Account_Change.txt):

      Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000
      Set objUser = GetObject("LDAP://CN=Ken Myer, OU=Finance, DC=fabrikam, DC=com")
      ' Only toggle the bit when it is currently set; XOR would otherwise turn it on
      If objUser.userAccountControl AND ADS_UF_DONT_EXPIRE_PASSWD Then
          objPasswordExpires = objUser.userAccountControl XOR ADS_UF_DONT_EXPIRE_PASSWD
          objUser.Put "userAccountControl", objPasswordExpires
          objUser.SetInfo
      End If
b. Click File | Save As.
c. Save the script as modify_uac.vbs in the folder C:\Scripts. To ensure
that the .vbs file extension is used, enclose the file name in quotation
marks before clicking Save:
"modify_uac.vbs"
d. Close Notepad.
e. In Command Prompt (Scripts Folder) type the following and press
ENTER:
cscript modify_uac.vbs
f. To verify that the attribute value has been changed, re-run the script
read_uac.vbs that you created in Exercise 16.
Exercise 17
Modifying multiple user accounts
Fabrikam has several subsidiary companies, and it’s useful to keep track of which users work for
which company. Because all the users currently in your Active Directory work for the parent company,
you decide to assign the value Fabrikam to the Company attribute for each of these users. In this
exercise, you will set the Company property for all the users in your domain to Fabrikam. As you
might expect, you use an Active Directory search as the framework for a script that changes a
property value for all the users in a domain. There is one catch, however: Active Directory searches
are read-only; for those of you familiar with SQL, there are no UPDATE queries when working
with Active Directory. Instead, you conduct a search, returning a collection of ADsPaths for all the
users in the domain. With those ADsPaths in hand, you then individually bind to each user account
in the collection and change the property value.
1. Modify multiple user accounts.
   a. Double-click the Notepad shortcut on the desktop and type the following (To reduce the amount of typing required, you can use the template C:\Scripts\Search.txt):

      ' On Error Resume Next silently skips any account that fails to bind or save
      On Error Resume Next
      Const ADS_SCOPE_SUBTREE = 2
      Set objConnection = CreateObject("ADODB.Connection")
      Set objCommand = CreateObject("ADODB.Command")
      objConnection.Provider = "ADsDSOObject"
      objConnection.Open "Active Directory Provider"
      Set objCommand.ActiveConnection = objConnection
      ' Paged results let the search return more than 1000 objects
      objCommand.Properties("Page Size") = 1000
      objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
      ' The search is read-only: it returns only the ADsPath of each user
      objCommand.CommandText = _
          "SELECT ADsPath FROM 'LDAP://DC=fabrikam,DC=com' WHERE " _
          & "objectCategory='user'"
      Set objRecordSet = objCommand.Execute
      objRecordSet.MoveFirst
      Do Until objRecordSet.EOF
          strPath = objRecordSet.Fields("ADsPath").Value
          ' Bind to each user individually to make the change
          Set objUser = GetObject(strPath)
          objUser.Company = "Fabrikam"
          objUser.SetInfo
          objRecordSet.MoveNext
      Loop
b. Click File | Save As.
c. Save the script as modify_many.vbs in the folder C:\Scripts. To
ensure that the .vbs file extension is used, enclose the file name in
quotation marks before clicking Save:
"modify_many.vbs"
d. Close Notepad.
e. In Command Prompt (Scripts Folder) type the following and press
ENTER:
cscript modify_many.vbs
f. To verify that the Company name has changed, switch to Active
Exercise 18
Changing a user’s password
Upon notifying Ken Myer that his account has been enabled, you discover that he does not know
his password; the password he used in the company’s Windows NT 4.0 domain is apparently not
the same password your predecessor assigned to his Active Directory account. In this exercise, you
will change the password for the Ken Myer user account. Note that the SetPassword method does
not require you to know the user’s current password.
1. Change a user’s password.
   a. Double-click the Notepad shortcut on the desktop and type the following (To reduce the amount of typing required, you can use the template C:\Scripts\Account_Change.txt):

      Set objUser = GetObject _
          ("LDAP://CN=Ken Myer,OU=Finance,DC=fabrikam,DC=com")
      ' SetPassword resets the password without needing the current one
      objUser.SetPassword("i5A2sj*!")
b. Click File | Save As.
c. Save the script as change_password.vbs in the folder C:\Scripts. To
ensure that the .vbs file extension is used, enclose the file name in
quotation marks before clicking Save:
"change_password.vbs"
d. Close Notepad.
e. In Command Prompt (Scripts Folder) type the following and press
ENTER:
cscript change_password.vbs
Note that there is no way to determine the password that has been assigned
to a user account; this information is not accessible even to enterprise
administrators. The only way to verify a password is to try to log on to the
domain using that password.
f. Close all open windows.
ADS_UF_DONT_EXPIRE_PASSWD   0x00010000   The password for this account will never expire.
ADS_UF_NOT_DELEGATED        0x00100000   The security context of the user will not be delegated to a service even if the service account is set as trusted for Kerberos delegation.
ADS_UF_PASSWORD_EXPIRED     0x00800000   The user password has expired. This flag is created by the system using data from the Pwd-Last-Set attribute and the domain policy.