Windows Admin Scripting Little Black Book (Little Black Books (Paraglyph Press))
Managing Computer Accounts from the Command Line
Computer accounts, like user accounts, allow the system to be part of the domain and access its resources. When a computer joins a domain, a computer account is created establishing a one-way trust and allowing the computer to access the domain. Although computer account management is usually done through the administrative tools of the operating system, computer account management can be scripted from the command line.
Managing Computer Accounts with the NET Command
The built-in NET.EXE command allows you to manage computer accounts from the command line on any domain controller. The basic syntax of the NET command to add computer accounts is:
```batch
NET COMPUTER \\compname /command
```
Here, compname is the computer account to manage, and the available commands are:
- /ADD - Adds a computer account to the domain
- /DELETE - Removes a computer account from the domain
| Tip | You can use one of the remote management methods discussed in Chapter 8 to run this command on a remote domain controller. |
Managing Computer Accounts with the NETDOM Utility
NETDOM is a Windows 2000 Resource Kit Utility/Windows XP Support Tool used to manage computer accounts from the command line. The basic syntax of NETDOM is:
```batch
NETDOM MEMBER \\computer /D:domain /U:domain\user /P:password /command
```
| Note | The command above must be placed on one line. |
Here, computer is the computer account to manage; domain is the domain in which to manage it; domain\user is an account with privileges to manage computer accounts on that domain; password is the password of that account; and the available commands are as follows:
- /ADD - Adds a computer account to the domain
- /DELETE - Removes a computer account from the domain
- /JOINDOMAIN - Joins the computer to the domain
- /QUERY - Retrieves information on an existing computer account
To connect to the domain and add a computer account, you would enter:
```batch
NETDOM MEMBER \\computer /D:domain /U:domain\user /P:password /JOINDOMAIN
NETDOM MEMBER \\computer /D:domain /U:domain\user /P:password /ADD
```
| Note | Each command above must be placed on one line. |
To connect to the domain and remove a computer account, you would enter:
```batch
NETDOM MEMBER \\computer /D:domain /U:domain\user /P:password /JOINDOMAIN
NETDOM MEMBER \\computer /D:domain /U:domain\user /P:password /DELETE
```
| Note | Each command above must be placed on one line. |
Managing User Accounts from the Command Line
User accounts allow users to access domain and local system resources with a valid username and password. Although user management is mostly done through the administrative tools of the operating system, scripting user account management from the command line is significantly faster when dealing with remote systems and multiple modifications.
Managing User Accounts with the NET Command
One of the most underused command-line utilities for managing user accounts is the NET command. The basic syntax of the NET command to manage user accounts is:
```batch
NET USER username password /commands
```
Here, username is the user account to manage; password is either the password of the account or an asterisk (*) to be prompted for a password; and the available commands are as follows:
- /ACTIVE:X - Controls the activation of an account, where X is YES or NO.
- /ADD - Adds a user account.
- /DELETE - Removes a user account.
- /DOMAIN - Creates the account in the currently active domain.
- /COMMENT:"X" - Sets the account description, where X is the comment.
- /COUNTRYCODE:X - Sets the account's country code.
- /USERCOMMENT:"X" - Sets the user comment, where X is the comment.
- /EXPIRES:X - Sets the expiration date of the account, where X is either NEVER or a date in the format MM/DD/YY. This format may differ depending on your country code.
- /FULLNAME:"X" - Sets the full account name, where X is the name.
- /HOMEDIR:X - Sets the home directory, where X is the path.
- /PASSWORDCHG:X - Controls the user's ability to change the password, where X is YES or NO.
- /PASSWORDREQ:X - Sets whether a password is required, where X is YES or NO.
- /PROFILEPATH:X - Sets the profile directory, where X is the path.
- /SCRIPTPATH:X - Sets the logon script directory, where X is the path.
- /TIMES:X - Sets the hours a user may log on, where X is either ALL or days and times separated by commas.
Here is an example showing how to add an account using the NET command:
```batch
NET USER "Tyler" TEMPPASSWORD /ADD /COMMENT:"Project Account" /ACTIVE:NO /EXPIRES:12/31/03 /FULLNAME:"Tyler Durden" /HOMEDIR:C:\ /PASSWORDCHG:NO /PASSWORDREQ:YES /PROFILEPATH:C:\PROFILES\TD /USERCOMMENT:"Corporate Sponsor" /WORKSTATIONS:STATION1 /SCRIPTPATH:SOMEWHERE\OUTTHERE /TIMES:MONDAY-THURSDAY,8AM-5PM
```
| Note | The command above must be placed on one line. |
Managing User Accounts with the ADDUSERS Utility
ADDUSERS.EXE is a Windows 2000 resource kit utility to manage user accounts from the command line. This utility reads comma-delimited text files and can create or delete user accounts. The basic syntax of ADDUSERS to manage user accounts is:
```batch
ADDUSERS \\computer command file
```
Here, computer is the computer account to manage; file is the name of the comma-delimited text file to use; and the available commands are as follows:
- /C - Creates the user accounts or groups specified in the file
- /D - Dumps the user account or group information to the file
- /E - Deletes the user accounts specified in the file
- /P:X - If combined with /C, specifies the creation parameters, where X is one or more of:
  - C - User cannot change password
  - D - Account disabled
  - E - Password never expires
  - L - Do not change password at next logon
| Tip | To add a user account to the local computer, omit the computer name from the command line. |
The basic syntax of the comma-delimited file is:
```text
[User]
UserName,FullName,Password,Comment,Home,Profile,Script,
```
Here, Comment is the account description; Home is the path to the user's home directory; Profile is the path to the user's profile; Script is the name of the logon script to use; and UserNames (in the group sections described later in this chapter) are the user names, separated by commas, to add to the groups.
The following example adds a user called JFROST to the computer BOB:
```batch
ADDUSERS \\BOB /C file
```
Here, file is the full path and file name of a text file that contains the following:
```text
[User]
JFROST,Jack E. Frost,Password,Project Manager,\\SERVER\HOME\JFROST,\\SERVER\PROFILE\JFROST,LOGON.KIX,
```
| Note | The user record above must be placed on one line. |
Managing User Accounts with the CUSRMGR Utility
CUSRMGR.EXE is a Windows 2000 resource kit utility to modify current account or group properties. This utility supports many switches, all of which are case-sensitive. The basic syntax of CUSRMGR is:
```batch
CUSRMGR -u username -m \\computer commands
```
Here, username is the user account to manage; computer is the computer name on which to perform management; and the available commands are as follows:
- -C - Sets the user comment
- -D - Deletes a user account
- -F - Sets the user's full name
- -h - Sets the path to the user's home directory
- -H - Sets the drive letter to map the user's home directory to
- -n - Sets the path to the logon script's directory
- -p - Sets a random password
- -P password - Sets the password to password
- +S/-S property - Use +S to set or -S to reset one of the following properties:
  - AccountLockout - Locks/unlocks a user account
  - MustChangePassword - Sets/resets the User Must Change Password At Next Logon option
  - CanNotChangePassword - Sets/resets the User Cannot Change Password option
  - PasswordNeverExpires - Sets/resets the Password Never Expires option
  - AccountDisabled - Disables/enables an account
  - RASUser - Enables/disables remote access dial-in
- -U - Sets the path to the user's profile directory
Here is an example of how to modify a user account:
```batch
CUSRMGR -u name -m \\computer -h \\server\homeshare -f "fullname" -c "description" -H Q
```
| Note | The command above must be placed on one line. |
Here, name is the user name; computer is the system that holds the account; \\server\homeshare is where the user's home directory resides; fullname is the user's full name; and description is the account description.
Managing Groups from the Command Line
Groups give administrators a way to organize user accounts and assign their privileges. Groups are also helpful when you need to identify a collection of users with a common trait (for example, temporary employees). You can script group management from the command line to automate your daily tasks.
Managing Groups with the NET Command
The built-in NET.EXE command allows you to manage local and global groups from the command line. The basic syntax of the NET command to manage global groups is:
```batch
NET type name commands
```
Here, type is the keyword GROUP for global or LOCALGROUP for local group management; name is the group to manage, and the available commands are as follows:
- /ADD - Adds user accounts to the specified group, where multiple user accounts are separated by spaces
- /COMMENT:"X" - Sets the group comment
- /DELETE - Deletes a group or removes the user account from the specified group
- /DOMAIN - Performs the operation on the primary domain controller
- username - Specifies a user account to add to or remove from the group
Managing Groups with the ADDUSERS Utility
Earlier in this chapter, you learned how to use the resource kit utility ADDUSERS.EXE to manage user accounts from the command line. This utility can also be used to add groups and group members from the command line. The basic syntax of ADDUSERS to add groups is:
```batch
ADDUSERS \\computer /C file
```
Here, computer is the computer account to manage, and file is the name of the comma-delimited text file to use. The basic syntax of the comma-delimited file is:
```text
[Global]
Name,Comment,UserNames,
[Local]
Name,Comment,UserNames,
```
Here, the [Global] section adds global groups and the [Local] section adds local groups; name is the name of the group to add; comment is the group description; and usernames are the users, separated by commas, to add to the group.
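Both ADDUSERS layouts in this chapter (the [User] records described earlier and the [Global]/[Local] records just above) share one rule: fields are separated by commas and each record ends with a trailing comma, so a value that itself contains a comma silently shifts every later field. The following PowerShell, added here and not the book's or the resource kit's own code, builds such a file from ordinary objects and rejects values that would break the record; the account and group names in the sample are constructed.

```powershell
function ConvertTo-AddUsersFile {
    param(
        [object[]] $Users  = @(),   # objects with Name, FullName, Password, Comment, Home, Profile, Script
        [object[]] $Global = @(),   # objects with Name, Comment, Members
        [object[]] $Local  = @()
    )
    # Commas separate fields, so a value containing one would shift every later
    # field; refuse such a value instead of writing a malformed record.
    function Test-Field([string] $Value) {
        if ($Value -match ',') { throw "field value '$Value' contains a comma" }
        return $Value
    }
    $lines = New-Object System.Collections.Generic.List[string]
    $lines.Add('[User]')
    foreach ($u in $Users) {
        $fields = foreach ($v in @($u.Name, $u.FullName, $u.Password, $u.Comment, $u.Home, $u.Profile, $u.Script)) {
            Test-Field ([string] $v)
        }
        $lines.Add(($fields -join ',') + ',')   # ADDUSERS records end with a trailing comma
    }
    $sections = @(
        @{ Tag = '[Global]'; Groups = $Global },
        @{ Tag = '[Local]';  Groups = $Local }
    )
    foreach ($s in $sections) {
        $lines.Add($s.Tag)
        foreach ($g in $s.Groups) {
            $fields = foreach ($v in @($g.Name, $g.Comment) + @($g.Members)) { Test-Field ([string] $v) }
            $lines.Add(($fields -join ',') + ',')
        }
    }
    return $lines.ToArray()
}

# Constructed sample input (not real accounts)
$users = @(
    [pscustomobject]@{ Name = 'JFROST'; FullName = 'Jack E. Frost'; Password = 'Initial-Pw-Example'
                       Comment = 'Project Manager'; Home = '\\SERVER\HOME\JFROST'
                       Profile = '\\SERVER\PROFILE\JFROST'; Script = 'LOGON.KIX' }
)
$groups = @([pscustomobject]@{ Name = 'Project Staff'; Comment = 'Project team'; Members = @('JFROST') })

$content = ConvertTo-AddUsersFile -Users $users -Global $groups
$file = Join-Path $env:TEMP 'addusers.txt'
Set-Content -Path $file -Value $content -Encoding Ascii
$content
# Run the resource kit tool against the file, e.g.: ADDUSERS \\BOB /C $file
# The file holds the initial passwords in clear text, so remove it afterwards: Remove-Item $file
```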
Managing Groups with the USRTOGRP Utility
USRTOGRP.EXE is an NT resource kit utility to add user accounts to groups from the command line. The basic syntax of the USRTOGRP utility is:
```batch
USRTOGRP file
```
Here, file is a text file with the following format:
```text
DOMAIN: computer grouptype: group users
```
Here, computer is the name of the system or domain that contains the specified group; grouptype specifies the group type as either LOCALGROUP or GLOBALGROUP; group is the name of the group; and users are the user names, separated by spaces, to add to the group.
Here is a quick example to add two users to the Domain Admins group in the PROJECT domain:
```batch
USRTOGRP file
```
Here, file is the full path and file name of a text file that contains the following:
```text
DOMAIN: PROJECT GLOBALGROUP: Domain Admins JACK TYLER
```
Managing the Enterprise with ADSI
Prior to ADSI, your only alternatives to manage network resources were command-line utilities and administrative tools. Through ADSI, you can create simple scripts to control all the resources of your network.
Listing Shares
To list shares using ADSI, proceed as follows:
- Create a new directory to store all files included in this example.
- Download and install the latest version of ADSI and Windows Script Host, from http://www.microsoft.com, to the new directory.
- Select Start > Run and enter "cscript scriptfile.vbs".
Here, scriptfile is the full path and file name of a script file that contains the following:
```vbscript
On Error Resume Next
Set DomObj = GetObject("WinNT://Domain/Computer/lanmanserver,FileService")
For Each Share In DomObj
  List = List & Share.Name & vbLf
Next
WScript.Echo List
```
Here, domain is the name of the domain, and computer is the computer name containing the shares to list.
Creating a Share
To create a share using ADSI, proceed as follows:
- Create a new directory to store all files included in this example.
- Download and install the latest version of ADSI and Windows Script Host, from http://www.microsoft.com, to the new directory.
- Select Start > Run and enter "cscript scriptfile.vbs".
Here, scriptfile is the full path and file name of a script file that contains the following:
```vbscript
On Error Resume Next
Set DomObj = GetObject("WinNT://Domain/Computer/lanmanserver")
Set Share = DomObj.Create("fileshare", "ShareName")
Share.Path = "SharePath"
Share.Description = "ShareDescribe"
Share.MaxUserCount = maxnum
Share.SetInfo
```
Here, domain is the name of the domain; computer is the computer name on which you want to create shares; sharename is the name of the share to create; sharepath is the path to the new share; sharedescribe is the share comment; and maxnum is the maximum number of simultaneous connections to the share.
Deleting a Share
To delete a share using ADSI, proceed as follows:
- Create a new directory to store all files included in this example.
- Download and install the latest version of ADSI and Windows Script Host, from http://www.microsoft.com, to the new directory.
- Select Start > Run and enter "cscript scriptfile.vbs".
Here, scriptfile is the full path and file name of a script file that contains the following:
```vbscript
On Error Resume Next
Set DomObj = GetObject("WinNT://Domain/Computer/lanmanserver")
DomObj.Delete "fileshare", "ShareName"
```
Here, domain is the name of the domain; computer is the computer that holds the share; and sharename is the name of the share to delete.
Listing Computer Accounts
To list computer accounts using ADSI, proceed as follows:
- Create a new directory to store all files included in this example.
- Download and install the latest version of ADSI and Windows Script Host, from http://www.microsoft.com, to the new directory.
- Select Start > Run and enter "cscript scriptfile.vbs".
Here, scriptfile is the full path and file name of a script file that contains the following:
```vbscript
On Error Resume Next
Set DomObj = GetObject("WinNT://Domain")
DomObj.Filter = Array("computer")
For Each Computer In DomObj
  WScript.Echo Computer.Name
Next
```
Here, domain is the name of the domain to query.
Creating a Computer Account
To create a computer account using ADSI, proceed as follows:
- Create a new directory to store all files included in this example.
- Download and install the latest version of ADSI and Windows Script Host, from http://www.microsoft.com, to the new directory.
- Select Start > Run and enter "cscript scriptfile.vbs".
Here, scriptfile is the full path and file name of a script file that contains the following:
```vbscript
On Error Resume Next
Set DomObj = GetObject("WinNT://Domain")
Set Computer = DomObj.Create("Computer", "name")
Computer.SetInfo
```
Here, domain is the name of the domain, and name is the computer name to assign to the computer account.
Deleting a Computer Account
To delete a computer account, proceed as follows:
- Create a new directory to store all files included in this example.
- Download and install the latest version of ADSI and Windows Script Host, from http://www.microsoft.com, to the new directory.
- Select Start > Run and enter "cscript scriptfile.vbs".
Here, scriptfile is the full path and file name of a script file that contains the following:
```vbscript
On Error Resume Next
Set DomObj = GetObject("WinNT://Domain")
DomObj.Delete "Computer", "name"
```
Here, domain is the name of the domain, and name is the name of the computer account to delete.
Setting a User's Domain Password
To set a user's domain password using ADSI, proceed as follows:
- Create a new directory to store all files included in this example.
- Download and install the latest version of ADSI and Windows Script Host, from http://www.microsoft.com, to the new directory.
- Select Start > Run and enter "cscript scriptfile.vbs".
Here, scriptfile is the full path and file name of a script file that contains the following:
```vbscript
On Error Resume Next
Set DomObj = GetObject("WinNT://Domain/Name,user")
DomObj.SetPassword "pswd"
```
Here, domain is the name of the domain; name is the user account to modify; and pswd is the new password to assign.
Changing the Local Administrator Password
A common administrative task is to change the local administrator password on a system. To change the local administrator password using ADSI, proceed as follows:
- Create a new directory to store all files included in this example.
- Download and install the latest version of ADSI and Windows Script Host, from http://www.microsoft.com, to the new directory.
- Select Start > Run and enter "cscript scriptfile.vbs".
Here, scriptfile is the full path and file name of a script file that contains the following:
```vbscript
On Error Resume Next
Set DomObj = GetObject("WinNT://Domain/Computer/Administrator,user")
DomObj.SetPassword "pswd"
```
Here, domain is the name of the domain; computer is the computer containing the local administrator account; Administrator is the name of the local administrator account; and pswd is the new password to assign.
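The script above embeds the new password in the script file and, because of On Error Resume Next, reports nothing when a computer cannot be reached. The following PowerShell, added here and not the book's code, performs the same WinNT-provider password change for a list of computers, takes the password as a SecureString instead of a literal, and returns one result per host; the computer names WS01 and WS02 are placeholders.

```powershell
function Set-LocalAdminPassword {
    # Sets the password of a local account on each computer through the WinNT provider.
    param(
        [Parameter(Mandatory)] [string[]]     $ComputerName,
        [Parameter(Mandatory)] [securestring] $NewPassword,
        [string] $AccountName = 'Administrator'
    )
    # IADsUser::SetPassword needs the clear text; keep it in memory only as long as needed.
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($NewPassword)
    try {
        $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
        foreach ($computer in $ComputerName) {
            $status = 'ok'
            try {
                $user = [ADSI]"WinNT://$computer/$AccountName,user"
                $user.SetPassword($plain)
                $user.SetInfo()
            } catch {
                # Record the failure per host instead of silently continuing.
                $status = $_.Exception.Message
            }
            [pscustomobject]@{ Computer = $computer; Account = $AccountName; Status = $status }
        }
    } finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
        $plain = $null
    }
}

# Prompt once rather than storing the password in the script; a different password
# per computer limits what a single recovered credential can reach.
$pw = Read-Host -AsSecureString -Prompt 'New local administrator password'
Set-LocalAdminPassword -ComputerName 'WS01', 'WS02' -NewPassword $pw | Format-Table -AutoSize
```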
Listing User Accounts
To list user accounts using ADSI, proceed as follows:
- Create a new directory to store all files included in this example.
- Download and install the latest version of ADSI and Windows Script Host, from http://www.microsoft.com, to the new directory.
- Select Start > Run and enter "cscript scriptfile.vbs".
Here, scriptfile is the full path and file name of a script file that contains the following:
```vbscript
On Error Resume Next
Set DomObj = GetObject("WinNT://Domain")
DomObj.Filter = Array("user")
For Each User In DomObj
  WScript.Echo User.Name
Next
```
Here, domain is the name of the domain to query.
Creating a User Account
To create a user account using ADSI, proceed as follows:
- Create a new directory to store all files included in this example.
- Download and install the latest version of ADSI and Windows Script Host, from http://www.microsoft.com, to the new directory.
- Select Start > Run and enter "cscript scriptfile.vbs".
Here, scriptfile is the full path and file name of a script file that contains the following:
```vbscript
On Error Resume Next
Set DomObj = GetObject("WinNT://Domain")
Set User = DomObj.Create("User", "Name")
User.SetPassword("pswd")
User.FullName = "fullname"
User.HomeDirectory = "homedir"
User.Profile = "profiledir"
User.LoginScript = "script"
User.Description = "describe"
User.SetInfo
```
Here, domain is the name of the domain; name is the name of the user account to create; pswd is the password to assign to the new account; fullname is the user's full name; homedir is the path of the user's home directory; profiledir is the path of the user's profile; script is the name of the logon script; and describe is the user description.
| Tip | You can create new users with initial blank passwords by omitting the User.SetPassword line in the script above. |
Deleting a User Account
To delete a user account using ADSI, proceed as follows:
- Create a new directory to store all files included in this example.
- Download and install the latest version of ADSI and Windows Script Host, from http://www.microsoft.com, to the new directory.
- Select Start > Run and enter "cscript scriptfile.vbs".
Here, scriptfile is the full path and file name of a script file that contains the following:
```vbscript
On Error Resume Next
Set DomObj = GetObject("WinNT://Domain")
DomObj.Delete "User", "name"
```
Here, domain is the name of the domain, and name is the name of the user account to delete.
Unlocking a User Account
To unlock a user account using ADSI, proceed as follows:
- Create a new directory to store all files included in this example.
- Download and install the latest version of ADSI and Windows Script Host, from http://www.microsoft.com, to the new directory.
- Select Start > Run and enter "cscript scriptfile.vbs".
Here, scriptfile is the full path and file name of a script file that contains the following:
```vbscript
On Error Resume Next
Set User = GetObject("WinNT://Domain/Name,User")
' UserFlags is a bit field; clear the lockout bit (16) with And rather than
' subtracting 16, which would alter other flags when the account is not locked.
User.Put "UserFlags", User.Get("UserFlags") And (Not 16)
User.SetInfo
```
Here, domain is the name of the domain, and name is the name of the user account to unlock.
| Note | Although ADSI can unlock a user account, it cannot lock an account. |
Disabling a User Account
To disable an active user account using ADSI, proceed as follows:
- Create a new directory to store all files included in this example.
- Download and install the latest version of ADSI and Windows Script Host, from http://www.microsoft.com, to the new directory.
- Select Start > Run and enter "cscript scriptfile.vbs".
Here, scriptfile is the full path and file name of a script file that contains the following:
```vbscript
On Error Resume Next
Set User = GetObject("WinNT://Domain/Name,User")
If Not User.AccountDisabled Then
  ' Set the account-disabled bit (2) with Or so the other flags are left unchanged
  User.Put "UserFlags", User.Get("UserFlags") Or 2
  User.SetInfo
End If
```
Here, domain is the name of the domain, and name is the name of the user account to disable.
| Tip | To enable a disabled account, change the condition to If User.AccountDisabled Then and the Or 2 to And (Not 2) in the above script. |
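UserFlags in the unlock and disable scripts above is a bit field (lockout is bit value 16, account-disabled is 2), so it must be changed with bitwise operations; adding or subtracting the constant is only correct when the bit is already in the opposite state. The following PowerShell, added here and not the book's code, shows the corruption on a constructed flag word and wraps the safe form in a function for the WinNT provider; the constant names are the documented ADS_USER_FLAG_ENUM values, and Domain and Name are placeholders.

```powershell
# Flag values from ADS_USER_FLAG_ENUM, as used by the WinNT provider's UserFlags
$ADS_UF_ACCOUNTDISABLE     = 0x0002
$ADS_UF_LOCKOUT            = 0x0010
$ADS_UF_NORMAL_ACCOUNT     = 0x0200
$ADS_UF_DONT_EXPIRE_PASSWD = 0x10000

function Update-UserFlags {
    # Pure helper: returns the flag word with the $Set bits on and the $Clear bits off.
    param(
        [Parameter(Mandatory)] [int] $Flags,
        [int] $Set = 0,
        [int] $Clear = 0
    )
    return (($Flags -bor $Set) -band (-bnot $Clear))
}

function Set-WinNTUserFlags {
    # Applies the change to an account through the WinNT provider and reports what changed.
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [Parameter(Mandatory)] [string] $Name,
        [int] $Set = 0,
        [int] $Clear = 0
    )
    $user = [ADSI]"WinNT://$Domain/$Name,user"
    $old  = [int] $user.Get('UserFlags')
    $new  = Update-UserFlags -Flags $old -Set $Set -Clear $Clear
    if ($new -ne $old) {
        $user.Put('UserFlags', $new)
        $user.SetInfo()
    }
    [pscustomobject]@{
        Name     = $Name
        OldFlags = '0x{0:X}' -f $old
        NewFlags = '0x{0:X}' -f $new
        Changed  = ($new -ne $old)
    }
}

# Why the arithmetic form is unsafe, on a constructed flag word (no domain needed):
# a normal account that is NOT locked out and whose password does not expire.
$flags = $ADS_UF_NORMAL_ACCOUNT -bor $ADS_UF_DONT_EXPIRE_PASSWD                      # 0x10200
'subtract 16: 0x{0:X}' -f ($flags - $ADS_UF_LOCKOUT)                                  # 0x101F0: NORMAL_ACCOUNT cleared, LOCKOUT and PASSWD_NOTREQD set
'bitwise:     0x{0:X}' -f (Update-UserFlags -Flags $flags -Clear $ADS_UF_LOCKOUT)    # 0x10200: unchanged

# Against a real account (requires the domain):
# Set-WinNTUserFlags -Domain 'Domain' -Name 'Name' -Clear $ADS_UF_LOCKOUT          # unlock
# Set-WinNTUserFlags -Domain 'Domain' -Name 'Name' -Set   $ADS_UF_ACCOUNTDISABLE   # disable
# Set-WinNTUserFlags -Domain 'Domain' -Name 'Name' -Clear $ADS_UF_ACCOUNTDISABLE   # enable
```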
Listing a User's Groups
To list the groups a user belongs to using ADSI, proceed as follows:
- Create a new directory to store all files included in this example.
- Download and install the latest version of ADSI and Windows Script Host, from http://www.microsoft.com, to the new directory.
- Select Start > Run and enter "cscript scriptfile.vbs".
Here, scriptfile is the full path and file name of a script file that contains the following:
```vbscript
On Error Resume Next
Set User = GetObject("WinNT://Domain/Name,user")
For Each Group In User.Groups
  WScript.Echo Group.Name
Next
```
Here, domain is the name of the domain, and name is the name of the user account.
Listing Groups
To list groups using ADSI, proceed as follows:
- Create a new directory to store all files included in this example.
- Download and install the latest version of ADSI and Windows Script Host, from http://www.microsoft.com, to the new directory.
- Select Start > Run and enter "cscript scriptfile.vbs".
Here, scriptfile is the full path and file name of a script file that contains the following:
```vbscript
On Error Resume Next
Set DomObj = GetObject("WinNT://Domain")
DomObj.Filter = Array("group")
For Each Group In DomObj
  WScript.Echo Group.Name
Next
```
Here, domain is the name of the domain to query.
Creating Groups
To create a global group using ADSI, proceed as follows:
- Create a new directory to store all files included in this example.
- Download and install the latest version of ADSI and Windows Script Host, from http://www.microsoft.com, to the new directory.
- Select Start > Run and enter "cscript scriptfile.vbs".
Here, scriptfile is the full path and file name of a script file that contains the following:
```vbscript
On Error Resume Next
Set DomObj = GetObject("WinNT://Domain")
Set Group = DomObj.Create("group", "name")
Group.GroupType = 4
Group.Description = "describe"
Group.SetInfo
```
Here, domain is the name of the domain; name is the name of the group to create; and describe is the group description.
| Tip | To create a local group, omit the Group.GroupType = 4 line in the script above. |
Deleting Groups
To delete a group using ADSI, proceed as follows:
- Create a new directory to store all files included in this example.
- Download and install the latest version of ADSI and Windows Script Host, from http://www.microsoft.com, to the new directory.
- Select Start > Run and enter "cscript scriptfile.vbs".
Here, scriptfile is the full path and file name of a script file that contains the following:
```vbscript
On Error Resume Next
Set DomObj = GetObject("WinNT://Domain")
DomObj.Delete "group", "name"
```
Here, domain is the name of the domain, and name is the name of the group to delete.
Adding a User Account to a Group
To add a user account to a group using ADSI, proceed as follows:
- Create a new directory to store all files included in this example.
- Download and install the latest version of ADSI and Windows Script Host, from http://www.microsoft.com, to the new directory.
- Select Start > Run and enter "cscript scriptfile.vbs".
Here, scriptfile is the full path and file name of a script file that contains the following:
```vbscript
On Error Resume Next
Set Group = GetObject("WinNT://Gdomain/groupname,group")
Group.Add "WinNT://UDomain/useraccount,User"
```
Here, gdomain is the name of the domain containing the specified groupname, and udomain is the domain containing the useraccount to add to the specified group.
Removing a User Account from a Group
To remove a user account from a group using ADSI, proceed as follows:
- Create a new directory to store all files included in this example.
- Download and install the latest version of ADSI and Windows Script Host, from http://www.microsoft.com, to the new directory.
- Select Start > Run and enter "cscript scriptfile.vbs".
Here, scriptfile is the full path and file name of a script file that contains the following:
```vbscript
On Error Resume Next
Set Group = GetObject("WinNT://gdomain/groupname,group")
Group.Remove "WinNT://udomain/useraccount,User"
```
Here, gdomain is the name of the domain containing the specified groupname, and udomain is the domain containing the useraccount to remove from the specified group.
Listing Group Members
To list the user accounts that belong to a particular group using ADSI, proceed as follows:
- Create a new directory to store all files included in this example.
- Download and install the latest version of ADSI and Windows Script Host, from http://www.microsoft.com, to the new directory.
- Select Start > Run and enter "cscript scriptfile.vbs".
Here, scriptfile is the full path and file name of a script file that contains the following:
```vbscript
On Error Resume Next
Set DomObj = GetObject("WinNT://Domain/Group")
For Each User In DomObj.Members
  WScript.Echo User.Name
Next
```
Here, domain is the name of the domain and group is the name of the group.
Managing Windows 2000/2003 through LDAP
Most of the previous ADSI examples merely need the binding statement changed in order to convert a WinNT provider script to an LDAP provider script. This section will illustrate a few of the changes you need to make to use these scripts in a Windows 2000/2003 domain.
| Note | Remember, you can still use the WinNT provider to manage a Windows 2000/2003 domain. |
Creating OUs under Windows 2000/2003
To create an organizational unit under Windows 2000/2003, proceed as follows:
- Create a new directory to store all files included in this example.
- Download and install the latest version of ADSI and Windows Script Host, from http://www.microsoft.com, to the new directory.
- Select Start > Run and enter "cscript scriptfile.vbs".
Here, scriptfile is the full path and file name of a script file that contains the following:
```vbscript
On Error Resume Next
Set Root = GetObject("LDAP://RootDSE")
Set DomObj = GetObject("LDAP://" & Root.Get("defaultNamingContext"))
Set OU = DomObj.Create("organizationalUnit", "OU=name")
OU.Description = "describe"
OU.SetInfo
```
Here, name is the name of the organizational unit to create, and describe is the OU description.
Deleting OUs under Windows 2000/2003
To delete an organizational unit under Windows 2000/2003, proceed as follows:
- Create a new directory to store all files included in this example.
- Download and install the latest version of ADSI and Windows Script Host, from http://www.microsoft.com, to the new directory.
- Select Start > Run and enter "cscript scriptfile.vbs".
Here, scriptfile is the full path and file name of a script file that contains the following:
```vbscript
On Error Resume Next
Set Root = GetObject("LDAP://RootDSE")
Set DomObj = GetObject("LDAP://" & Root.Get("defaultNamingContext"))
DomObj.Delete "organizationalUnit", "OU=name"
```
Here, name is the name of the organizational unit to delete.
Listing Computer Accounts under Windows 2000/2003
To list computer accounts using LDAP, proceed as follows:
- Create a new directory to store all files included in this example.
- Download and install the latest version of ADSI and Windows Script Host, from http://www.microsoft.com, to the new directory.
- Select Start > Run and enter "cscript scriptfile.vbs".
Here, scriptfile is the full path and file name of a script file that contains the following:
```vbscript
On Error Resume Next
Set Root = GetObject("LDAP://RootDSE")
DomObj = Root.Get("defaultNamingContext")
Set objConn = CreateObject("ADODB.Connection")
objConn.Provider = "ADsDSOObject"
objConn.Open "Active Directory Provider"
Set objCMD = CreateObject("ADODB.Command")
objCMD.ActiveConnection = objConn
objCMD.CommandText = "<LDAP://" & DomObj & ">;(objectCategory=computer);name;subtree"
objCMD.Properties("Page Size") = 1000
objCMD.Properties("Timeout") = 30
objCMD.Properties("Cache Results") = False
Set objRS = objCMD.Execute
objRS.MoveFirst
While Not objRS.EOF
  WScript.Echo objRS.Fields("name")
  objRS.MoveNext
Wend
```
Creating Computer Accounts under Windows 2000/2003
To create a computer account using LDAP, proceed as follows:
- Create a new directory to store all files included in this example.
- Download and install the latest version of ADSI and Windows Script Host, from http://www.microsoft.com, to the new directory.
- Select Start > Run and enter "cscript scriptfile.vbs".
Here, scriptfile is the full path and file name of a script file that contains the following:
```vbscript
On Error Resume Next
Set Root = GetObject("LDAP://RootDSE")
Set DomObj = GetObject("LDAP://" & Root.Get("defaultNamingContext"))
Set Computer = DomObj.Create("computer", "CN=name")
Computer.samAccountName = "name"
Computer.SetInfo
```
Here, name is the name of the computer account to create.
Deleting Computer Accounts under Windows 2000/2003
To delete a computer account using LDAP, proceed as follows:
- Create a new directory to store all files included in this example.
- Download and install the latest version of ADSI and Windows Script Host, from http://www.microsoft.com, to the new directory.
- Select Start > Run and enter "cscript scriptfile.vbs".
Here, scriptfile is the full path and file name of a script file that contains the following:
```vbscript
On Error Resume Next
Set Root = GetObject("LDAP://RootDSE")
Set DomObj = GetObject("LDAP://" & Root.Get("defaultNamingContext"))
DomObj.Delete "computer", "CN=name"
```
Here, name is the name of the computer account to delete.
Listing User Accounts under Windows 2000/2003
To list user accounts using LDAP, proceed as follows:
- Create a new directory to store all files included in this example.
- Download and install the latest version of ADSI and Windows Script Host, from http://www.microsoft.com, to the new directory.
- Select Start > Run and enter "cscript scriptfile.vbs".
Here, scriptfile is the full path and file name of a script file that contains the following:
```vbscript
On Error Resume Next
Set Root = GetObject("LDAP://RootDSE")
DomObj = Root.Get("defaultNamingContext")
Set objConn = CreateObject("ADODB.Connection")
objConn.Provider = "ADsDSOObject"
objConn.Open "Active Directory Provider"
Set objCMD = CreateObject("ADODB.Command")
objCMD.ActiveConnection = objConn
objCMD.CommandText = "<LDAP://" & DomObj & ">;(&(objectClass=user)(objectCategory=person));name;subtree"
objCMD.Properties("Page Size") = 1000
objCMD.Properties("Timeout") = 30
objCMD.Properties("Cache Results") = False
Set objRS = objCMD.Execute
objRS.MoveFirst
While Not objRS.EOF
  WScript.Echo objRS.Fields("name")
  objRS.MoveNext
Wend
```
| Note | The LDAP ObjectClass contains both user and computer accounts. To query for only user accounts, we must use "(&(objectClass=user)(objectCategory=person))" as in the example above. |
Creating User Accounts under Windows 2000/2003
To create a user account using LDAP, proceed as follows:
- Create a new directory to store all files included in this example.
- Download and install the latest version of ADSI and Windows Script Host, from http://www.microsoft.com, to the new directory.
- Select Start > Run and enter "cscript scriptfile.vbs".
Here, scriptfile is the full path and file name of a script file that contains the following:
```vbscript
On Error Resume Next
Set Root = GetObject("LDAP://RootDSE")
Set DomObj = GetObject("LDAP://" & Root.Get("defaultNamingContext"))
Set User = DomObj.Create("user", "CN=fullname")
User.samAccountName = "name"
User.SetInfo
```
Here, name is the name of the user account to create, and fullname is the user's full name.
Deleting User Accounts under Windows 2000/2003
To delete a user account using LDAP, proceed as follows:
- Create a new directory to store all files included in this example.
- Download and install the latest version of ADSI and Windows Script Host, from http://www.microsoft.com, to the new directory.
- Select Start > Run and enter "cscript scriptfile.vbs".
Here, scriptfile is the full path and file name of a script file that contains the following:
```vbscript
On Error Resume Next
Set Root = GetObject("LDAP://RootDSE")
Set DomObj = GetObject("LDAP://" & Root.Get("defaultNamingContext"))
DomObj.Delete "user", "CN=name"
```
Here, name is the name of the user account to delete.
Listing Groups under Windows 2000/2003
To list groups using LDAP, proceed as follows:
- Create a new directory to store all files included in this example.
- Download and install the latest version of ADSI and Windows Script Host, from http://www.microsoft.com, to the new directory.
- Select Start > Run and enter "cscript scriptfile.vbs".
Here, scriptfile is the full path and file name of a script file that contains the following:
```vbscript
On Error Resume Next
Set Root = GetObject("LDAP://RootDSE")
DomObj = Root.Get("defaultNamingContext")
Set objConn = CreateObject("ADODB.Connection")
objConn.Provider = "ADsDSOObject"
objConn.Open "Active Directory Provider"
Set objCMD = CreateObject("ADODB.Command")
objCMD.ActiveConnection = objConn
objCMD.CommandText = "<LDAP://" & DomObj & ">;(objectCategory=group);name;subtree"
objCMD.Properties("Page Size") = 1000
objCMD.Properties("Timeout") = 30
objCMD.Properties("Cache Results") = False
Set objRS = objCMD.Execute
objRS.MoveFirst
While Not objRS.EOF
  WScript.Echo objRS.Fields("name")
  objRS.MoveNext
Wend
```
Listing Group Members under Windows 2000/2003
To list the user accounts that belong to a particular group using LDAP, proceed as follows:
- Create a new directory to store all files included in this example.
- Download and install the latest version of ADSI and Windows Script Host, from http://www.microsoft.com, to the new directory.
- Select Start > Run and enter "cscript scriptfile.vbs".
Here, scriptfile is the full path and file name of a script file that contains the following:
```vbscript
On Error Resume Next
Set Root = GetObject("LDAP://RootDSE")
DomObj = Root.Get("defaultNamingContext")
Set objGroup = GetObject("LDAP://CN=Domain Admins,CN=Users," & DomObj)
For Each objMember In objGroup.Members
  WScript.Echo Replace(objMember.Name, "CN=", "")
Next
```
The example above lists the members of the Domain Admins group.
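The three ADODB listing scripts in this section (computers, users, groups) and the Domain Admins membership script above share one query shape: a naming context read from RootDSE, a filter, the name attribute and a subtree scope with a page size of 1000. The following PowerShell, added here and not the book's code, expresses that shape once with System.DirectoryServices.DirectorySearcher, using the same three filters (including the objectClass/objectCategory combination the note above explains), and reads group membership from the member attribute; it assumes the caller can read the directory and that Domain Admins lives under CN=Users as in the book's example.

```powershell
function Get-DirectoryNames {
    # Returns the name attribute of every computer, user or group under the search base.
    param(
        [Parameter(Mandatory)] [ValidateSet('computer', 'user', 'group')] [string] $Kind,
        [string] $SearchBase   # distinguished name; defaults to the domain naming context
    )
    $filter = switch ($Kind) {
        'computer' { '(objectCategory=computer)' }
        # objectClass=user alone also matches computer objects, hence the objectCategory term
        'user'     { '(&(objectClass=user)(objectCategory=person))' }
        'group'    { '(objectCategory=group)' }
    }
    if (-not $SearchBase) {
        $SearchBase = ([ADSI]'LDAP://RootDSE').Get('defaultNamingContext')
    }
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot      = [ADSI]"LDAP://$SearchBase"
    $searcher.Filter          = $filter
    $searcher.SearchScope     = 'Subtree'
    $searcher.PageSize        = 1000     # paging, so results beyond the server's 1000-object limit are returned
    $searcher.ServerTimeLimit = [TimeSpan]::FromSeconds(30)
    $searcher.CacheResults    = $false
    [void] $searcher.PropertiesToLoad.Add('name')
    $results = $searcher.FindAll()
    try {
        foreach ($result in $results) {
            [string] $result.Properties['name'][0]
        }
    } finally {
        $results.Dispose()
        $searcher.Dispose()
    }
}

function Get-GroupMemberNames {
    # Returns the leading RDN of each distinguished name in the group's member attribute.
    # Note: member holds only direct members, and groups with more than 1500 members need
    # ranged retrieval, which this simple read does not perform.
    param([Parameter(Mandatory)] [string] $GroupDN)
    $group = [ADSI]"LDAP://$GroupDN"
    foreach ($dn in @($group.member)) {
        ([string] $dn -split ',', 2)[0] -replace '^CN=', ''
    }
}

$dnc = ([ADSI]'LDAP://RootDSE').Get('defaultNamingContext')
Get-DirectoryNames -Kind user
Get-GroupMemberNames -GroupDN "CN=Domain Admins,CN=Users,$dnc"
```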