Active Directory Scripting

Date posted: 12-Nov-2014

Description: Manual for learning to write scripts for Active Directory administration.

Table of Contents

Active Directory Scripting
Exercise 1 Viewing existing accounts
Exercise 2 Retrieving information from an individual user account
Exercise 3 Enabling an individual user account
Exercise 4 Deleting an individual user account
Exercise 5 Creating a New OU
Exercise 6 Moving a user account to a different OU
Exercise 7 Creating a new user account
Exercise 8 Creating multiple user accounts using a text file
Exercise 9 Creating new security groups
Exercise 10 Adding an individual user to a security group
Exercise 11 Adding multiple users to a security group
Exercise 12 Removing a user from a security group
Exercise 13 Modifying an individual user account
Exercise 14 Modifying a multi-valued attribute
Exercise 15 Reading the userAccountControl Attribute
Exercise 16 Modifying the userAccountControl Attribute
Exercise 17 Modifying multiple user accounts
Exercise 18 Changing a user’s password
For More Information
Appendix 1: userAccountControl Attributes and Values


Active Directory Scripting

Objectives

After completing this lab, you will be able to:

Use scripts to carry out fundamental Active Directory management tasks such as creating, modifying, and deleting user accounts.

Write scripts that carry out those same fundamental Active Directory management tasks.

Prerequisites

Before working on this lab, you must have:

Nothing; no prerequisites are required, although a knowledge of basic scripting fundamentals and of Active Directory are both useful. It is also recommended that you watch the Scripting Guys’ Webcast Users and Groups and OUs: Oh, My! before doing the lab.

For more information

Email [email protected].

Scenario

It’s your first day on the job as IT Manager for Fabrikam, Inc., and you’ve just discovered that your predecessor’s final project – to convert your organization’s directory service to Active Directory – was never completed. She managed to get Active Directory up and running, and even created a handful of user accounts. However, she did not get all the required accounts created, nor did she complete the rest of the Active Directory infrastructure: your domain currently has no organizational units (OUs) and no security groups other than the ones automatically created when you install Active Directory. Consequently, you are faced with three major tasks:

Determining the current state of your Active Directory. For example, you need to figure out which user accounts have been created and which ones have not.

Setting up the rest of the Active Directory infrastructure. This includes such things as creating additional user accounts; creating OUs and sub-OUs; moving existing user accounts to the appropriate OUs; and creating and populating security groups.

Making additional modifications as needed. As part of your day-to-day management of Active Directory, you need to do such things as audit existing user accounts to ensure that they are in compliance with Fabrikam policies, as well as make changes to accounts to match changes in the workplace. (For example, if a user acquires a second telephone number, that number should be recorded in Active Directory.)


Fortunately, you can use ADSI scripts to help you with these tasks. Note that in the exercises in this lab an argument can be made that a script is possibly less efficient than simply carrying out a task using Active Directory Users and Computers. For the most part, this is an artifact of the lab environment: in order to keep the lab manageable, and in order to ensure that all the tasks can be completed in a reasonable amount of time, you will often be asked to do something to just one user account. When working with a single user account, you might very well find it faster and easier to use Active Directory Users and Computers. Scripting becomes a more useful alternative in situations such as this:

You need to make a change to many user accounts at once. This lab offers a few simple examples of working with multiple accounts at the same time; for example, in one exercise you will use a script to move all the users in a department to a specified OU, regardless of the current Active Directory location of those user accounts. In the lab this involves moving a handful of accounts; in real-life this might involve moving thousands of user accounts. If you are working with thousands of user accounts at the same time, a script might save you several days’ worth of effort.

You want to enforce standards. For example, you might want all your user accounts to have a CN in the format First Name Last Name (e.g., Ken Myer) and a logon name in the format First Initial Last Name (e.g., kmyer). Scripts can help enforce these standards by carrying out these tasks for you; in one of the exercises, you will write a script that reads user information (in this case, first name and last name) from a text file and then creates multiple user accounts, using your organization’s standards to automatically generate such things as the CN (common name) and the SAM Account (logon) name.

Using the Script Templates

To help reduce the need to completely type in each script, script templates are provided in the C:\Scripts folder. These templates include boilerplate code that limits the amount of typing required to create a script. (This also helps to emphasize the fact that many scripts follow predictable patterns; after you learn how to write one ADSI script, you will discover that you now know how to write scores of ADSI scripts.)

For example, suppose an exercise calls for you to write the following script:

    Set colItems = GetObject _
        ("LDAP://CN=Users, DC=fabrikam, DC=com")
    For Each objItem in colItems
        Wscript.Echo objItem.Name & ", " & objItem.Class
    Next

The template for this script might look similar to this:

    Set colItems = GetObject _
        ("LDAP://XX=XXXXXXXXXX, DC=fabrikam, DC=com")
    For Each objItem in colItems
        Wscript.Echo objItem.XXXXXXXXXX & ", " & objItem.XXXXXXXXXX
    Next

You can either type in the full script, or you can open the template and replace the X's with the required information; you would then only have to type the parts that replace the X's (CN=Users, Name, and Class in this example; the original lab manual shows them in bold):

    Set colItems = GetObject _
        ("LDAP://CN=Users, DC=fabrikam, DC=com")
    For Each objItem in colItems
        Wscript.Echo objItem.Name & ", " & objItem.Class
    Next

If you cannot get a script to work no matter what you try, you can find complete copies of all the scripts used in this lab in the C:\Solutions folder.

Using the Bonus Scripts

A number of “bonus” scripts are included in this lab. These scripts, which illustrate additional or alternative tasks for managing Active Directory, are included primarily for your reference; complete versions of all the bonus scripts are available in the folder C:\Solutions. Although technically not part of the lab, you can run these scripts if you’d like to see what they do.

Estimated time to complete this lab: 60 minutes


Exercise 1 Viewing existing accounts

Before you can finish setting up the new Active Directory, you need to determine how much your predecessor managed to get done herself. In this exercise, you will use a simple ADSI script to view the accounts currently in Active Directory. Because you have already been told that all the accounts are in the Users container, the script binds to that container and enumerates only the items found there. The resulting output will show the CN (common name) for each account, as well as the account type. For example:

Administrator, user

Cert Publishers, group

DHCP Administrators, group

DHCP Users, group

1. View existing accounts

a. Click in the virtual machine window.

b. Press Right-ALT + DEL.

c. Log on to the domain as Administrator, with a password of password.

d. Double-click the Notepad shortcut on the desktop and type the following (To reduce the amount of typing required, you can use the template C:\Scripts\Container_View.txt):

    Set colItems = GetObject _
        ("LDAP://CN=Users, DC=fabrikam, DC=com")
    For Each objItem in colItems
        Wscript.Echo objItem.CN & ", " & objItem.Class
    Next

e. Click File | Save As.

f. Save the script as view_accounts.vbs in the folder C:\Scripts. To ensure that the .vbs file extension is used, enclose the file name in quotation marks before clicking Save:

    "view_accounts.vbs"

g. Close Notepad.

h. Double-click the Command Prompt (Scripts Folder) shortcut on the desktop.

i. Type the following and press ENTER:

    cscript view_accounts.vbs

j. To verify that the script is returning accurate information, click Start | Programs | Administrative Tools | Active Directory Users and Computers.

k. In Active Directory Users and Computers, expand fabrikam.com and then click Users.

l. For convenience, leave both the Command Prompt and Active Directory Users and Computers open for the remainder of this lab.


Why CScript?

When you run a script in this lab, the instructions for starting that script will always be prefaced by the word “cscript”:

    cscript view_accounts.vbs

This ensures that the script runs under the CScript script host; in turn, that ensures that the output will appear in the command window rather than in a seemingly endless series of message boxes (as would be the case using WScript, the default script host). If you do not want to type the word cscript each and every time, you can change the default script host to CScript by typing the following at the command prompt and then pressing ENTER:

    cscript //H:cscript

If you want to change the default host back to WScript, type this at the command prompt and press ENTER:

    cscript //H:wscript

Bonus Script: Filtering user and computer accounts

The script used in Exercise 1 returns a collection of all the objects found in the Users container. However, there might be times when you want to work with only a selected portion of the objects in a container, such as just the user accounts or just the security groups. With ADSI you can limit the object types returned in a collection by applying a filter. For example, this script (filter_accounts.vbs) returns only the user accounts found in the Users container:

    Set colItems = GetObject("LDAP://CN=Users, DC=fabrikam, DC=com")
    colItems.Filter = Array("User")
    For Each objItem in colItems
        Wscript.Echo objItem.CN & ", " & objItem.Class
    Next

As you can see, the parameter passed to Filter must be an array; that means you can filter for more than one type of object. For example, this filter returns both user and computer accounts, but nothing else:

    colItems.Filter = Array("User", "Computer")

Bonus Script: Searching for user accounts

The scripts shown thus far return a collection of all the users in a specified Active Directory container. However, what if you want to return a list of all the user accounts, regardless of the location of each account within Active Directory? The quickest and easiest way to do that is to search Active Directory, looking for everything with an objectCategory equal to user. This sample script (search_for_accounts.vbs) returns the name of all the user accounts in the fabrikam.com domain, regardless of the account’s location within Active Directory:

    On Error Resume Next
    Const ADS_SCOPE_SUBTREE = 2

    Set objConnection = CreateObject("ADODB.Connection")
    Set objCommand = CreateObject("ADODB.Command")
    objConnection.Provider = "ADsDSOObject"
    objConnection.Open "Active Directory Provider"
    Set objCommand.ActiveConnection = objConnection

    objCommand.Properties("Page Size") = 1000
    objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
    objCommand.CommandText = _
        "SELECT Name FROM 'LDAP://DC=fabrikam,DC=com' WHERE " _
        & "objectCategory='user'"
    Set objRecordSet = objCommand.Execute

    objRecordSet.MoveFirst
    Do Until objRecordSet.EOF
        Wscript.Echo objRecordSet.Fields("Name").Value
        objRecordSet.MoveNext
    Loop

If you run this script, you might notice a stray user account (David Hamilton) that did not appear when you looked at the list of user accounts found in the Users container. That’s because this account was mistakenly created in the Computers container rather than the Users container.

Two points worth knowing before you reuse this script. First, objectCategory='user' resolves to the Person category, which contact objects share; if the domain contains contacts (the bonus script in Exercise 7 creates one), add AND objectClass='user' to the WHERE clause to return only user accounts. Second, On Error Resume Next suppresses every error the script encounters, including a failed connection, so remove it while you are troubleshooting.
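The same domain-wide search in PowerShell, as an added example that is not part of the original lab: it uses the System.DirectoryServices searcher (the class the [ADSISearcher] accelerator wraps, sitting on the same ADSI provider as the VBScript), pages the results as the VBScript does, and tightens the filter so that contacts are left out. The search base is the lab’s fabrikam.com domain; the function name and output shape are assumptions.

```powershell
# Added example (not part of the lab). Enumerates user accounts domain-wide with
# System.DirectoryServices, the same ADSI provider the VBScript uses. The
# default search base is the lab domain (an assumption).
function Get-DomainUserAccount {
    param(
        [string]$SearchBase = 'LDAP://DC=fabrikam,DC=com',
        [switch]$IncludeContacts
    )

    # objectCategory=user resolves to the Person category, which contacts share.
    # Requiring objectClass=user as well leaves only real accounts.
    $filter = if ($IncludeContacts) { '(objectCategory=person)' }
              else                  { '(&(objectCategory=person)(objectClass=user))' }

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]$SearchBase
    $searcher.Filter      = $filter
    $searcher.SearchScope = 'Subtree'
    $searcher.PageSize    = 1000      # paged search, like objCommand.Properties("Page Size")
    [void]$searcher.PropertiesToLoad.AddRange(
        [string[]]@('cn', 'sAMAccountName', 'distinguishedName', 'userAccountControl'))

    $results = $searcher.FindAll()
    try {
        foreach ($r in $results) {
            $p = $r.Properties            # property names come back lower-cased
            # Contacts carry no userAccountControl, so guard the lookup
            $uac = if ($p['useraccountcontrol'].Count -gt 0) { [int]$p['useraccountcontrol'][0] } else { $null }
            [pscustomobject]@{
                CN                = [string]$p['cn'][0]
                SamAccountName    = if ($p['samaccountname'].Count -gt 0) { [string]$p['samaccountname'][0] } else { $null }
                DistinguishedName = [string]$p['distinguishedname'][0]
                Disabled          = if ($null -ne $uac) { [bool]($uac -band 0x2) } else { $null }   # ADS_UF_ACCOUNTDISABLE
            }
        }
    }
    finally {
        $results.Dispose()              # releases the server-side paging cookie
    }
}

# Every user account, wherever it sits, with its enabled/disabled state:
Get-DomainUserAccount | Sort-Object DistinguishedName |
    Format-Table CN, SamAccountName, Disabled, DistinguishedName

# The account that was created in the wrong container (Computers):
Get-DomainUserAccount | Where-Object { $_.DistinguishedName -like '*,CN=Computers,DC=*' }
```

Because the function returns objects rather than printing, the same call answers the later exercises’ questions too (which accounts are still disabled, which ones sit outside an OU) with a Where-Object clause instead of a new script.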


Exercise 2 Retrieving information from an individual user account

You were initially alerted to the fact that there was a problem when one of your users – Ken Myer – called to say that he was unable to log on to the domain. In the previous exercise you noticed that an account exists for Ken Myer; now all you need to do is figure out why he is unable to log on. In this exercise, you will use an ADSI script to bind to the Ken Myer user account (found in the Users container) and retrieve some basic account information, including the user’s first name, last name, and middle initial, as well as the current account status (whether the account is enabled or disabled).

1. Retrieve information from an individual user account.

a. Double-click the Notepad shortcut on the desktop and type the following (To reduce the amount of typing required, you can use the template C:\Scripts\Account_View.txt):

    Set objUser = GetObject _
        ("LDAP://CN=Ken Myer, CN=Users, DC=fabrikam, DC=com")
    Wscript.Echo "First name: " & objUser.GivenName
    Wscript.Echo "Middle initial: " & objUser.Initials
    Wscript.Echo "Last name: " & objUser.SN
    Wscript.Echo "Account disabled: " & _
        objUser.AccountDisabled

b. Click File | Save As.

c. Save the script as bind_user.vbs in the folder C:\Scripts. To ensure that the .vbs file extension is used, enclose the file name in quotation marks before clicking Save:

    "bind_user.vbs"

d. Close Notepad.

e. In Command Prompt (Scripts Folder) type the following and press ENTER:

    cscript bind_user.vbs

f. Check the output to see the requested information for the Ken Myer user account. Be sure to verify that this user account is disabled.

Bonus Script: Binding to CNs That Include Commas

The script shown in Exercise 2 binds to an account with the CN of Ken Myer; with only the slightest modification, it can just as easily bind to an account with the CN of Tamara Johnston or Scott Rockfeld. However, the script will fail if it tries to bind to an account with the CN of Penor, Lori. Why? The culprit turns out to be the comma embedded in the CN. ADSI expects the comma to separate the individual parts of a user’s distinguished name; because of that, the script reads the ADsPath of this user account as these components:

    CN=Penor
    Lori
    CN=Users
    DC=fabrikam
    DC=com

Lori on its own is not a valid component, so that is not a valid Active Directory path and an error occurs.


If you have CNs that include commas, you need to “escape” the comma by placing a \ before it, as shown in this sample script (comma_in_cn.vbs):

    Set objUser = GetObject("LDAP://CN=Penor\, Lori, CN=Users, DC=fabrikam, DC=com")
    Wscript.Echo objUser.CN

For more information on binding to user accounts when the account CN includes a comma, see this edition of the Hey, Scripting Guy! column on TechNet.
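The comma is only one of the characters that carry meaning inside a distinguished name; the same problem arises with a backslash, plus sign, quotation mark, semicolon, equals sign, angle bracket, a leading # or space, or a trailing space. The following added example, which is not part of the original lab, escapes an RDN value according to RFC 4514 and then binds with it, so a name taken from a text file or a form cannot silently change which object you bind to. The container is the lab’s Users container and both function names are assumptions.

```powershell
# Added example (not part of the lab). Escapes one RDN value per RFC 4514 and
# binds to the resulting ADsPath. Function names and the default container
# (the lab's Users container) are assumptions.
function ConvertTo-EscapedRdnValue {
    param([Parameter(Mandatory)][string]$Value)

    # Backslash first so the escapes added afterwards are not escaped again.
    # .NET replacement strings treat '\' literally, so '\\' means two characters.
    $escaped = $Value -replace '\\', '\\'
    # The other characters that delimit or structure a DN: , + " < > ; =
    $escaped = $escaped -replace '([,+"<>;=])', '\$1'
    # A leading '#' or space is significant, as is a trailing space
    $escaped = $escaped -replace '^([# ])', '\$1'
    if ($Value.Length -gt 1) { $escaped = $escaped -replace ' $', '\ ' }
    return $escaped
}

function Get-AdsiUserByCn {
    param(
        [Parameter(Mandatory)][string]$CommonName,
        [string]$ContainerDn = 'CN=Users,DC=fabrikam,DC=com'
    )
    $path = 'LDAP://CN={0},{1}' -f (ConvertTo-EscapedRdnValue $CommonName), $ContainerDn
    # [ADSI] does not talk to the server until a property is touched; checking
    # Exists() first turns a wrong or malformed path into an immediate error.
    if (-not [ADSI]::Exists($path)) { throw "No object found at $path" }
    return [ADSI]$path
}

# 'Penor, Lori' is bound to as CN=Penor\, Lori,CN=Users,DC=fabrikam,DC=com
$user = Get-AdsiUserByCn -CommonName 'Penor, Lori'
$user.cn
$user.distinguishedName
```

Escape the value, never the whole path: the commas between CN=, CN=Users and the DC components must stay unescaped, which is why the function works on the single RDN value and the caller assembles the path around it.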


Exercise 3 Enabling an individual user account

As it turns out, Ken Myer is unable to log on because his account is disabled. In this exercise, you will use an ADSI script to enable the Ken Myer user account. Enabling an account is an important task for script writers; by default, any account you create using a script is disabled, at least until you explicitly enable it. Note the use of the SetInfo method in the last line of the script. SetInfo is roughly equivalent to the Save command in an application; you can make any changes you want to a user account, but those changes are not actually written to Active Directory until you call SetInfo.

1. Enable an individual user account.

a. Double-click the Notepad shortcut on the desktop and type the following (To reduce the amount of typing required, you can use the template C:\Scripts\Account_Change.txt):

    Set objUser = GetObject _
        ("LDAP://CN=Ken Myer, CN=Users, DC=fabrikam, DC=com")
    objUser.AccountDisabled = FALSE
    objUser.SetInfo

b. Click File | Save As.

c. Save the script as enable_user.vbs in the folder C:\Scripts. To ensure that the .vbs file extension is used, enclose the file name in quotation marks before clicking Save:

    "enable_user.vbs"

d. Close Notepad.

e. In Command Prompt (Scripts Folder) type the following and press ENTER:

    cscript enable_user.vbs

f. To verify that the account has been enabled, type the following and press ENTER:

    cscript bind_user.vbs


Exercise 4 Deleting an individual user account

When you looked over the user accounts back in Exercise 1, you noticed that an account for Pilar Ackerman still existed. Pilar was your predecessor; it’s obviously a gaping security hole for her to still have a valid domain administrator account. In this exercise, you will delete the user account for Pilar Ackerman. Bear in mind that, when you call the Delete method, the account will immediately be deleted from Active Directory; you will not be given a prompt along the lines of “Are you sure you want to delete this user account?” However, you could include such a prompt as part of your script code; you would simply need to make sure that the prompt occurred before you actually called the Delete method. Bear in mind, too, that a script cannot undo the deletion: the account’s SID and group memberships go with it, which is why in practice a departed administrator’s account is usually disabled first and deleted only after its access has been reviewed.

1. Delete an individual user account.

a. In Command Prompt (Scripts Folder) type the following and press ENTER:

    cscript view_accounts.vbs

b. Verify that the Pilar Ackerman user account exists in Active Directory.

c. Double-click the Notepad shortcut on the desktop and type the following (To reduce the amount of typing required, you can use the template C:\Scripts\Container_Change.txt):

    Set objOU = GetObject _
        ("LDAP://CN=Users, DC=fabrikam, DC=com")
    objOU.Delete "user", "CN=Pilar Ackerman"

d. Click File | Save As.

e. Save the script as delete_user.vbs in the folder C:\Scripts. To ensure that the .vbs file extension is used, enclose the file name in quotation marks before clicking Save:

    "delete_user.vbs"

f. Close Notepad.

g. In Command Prompt (Scripts Folder) type the following and press ENTER:

    cscript delete_user.vbs

h. To verify that the Pilar Ackerman user account has been deleted, type the following and press ENTER:

    cscript view_accounts.vbs


Exercise 5 Creating a New OU

It’s now time to begin setting up the Active Directory infrastructure, and to start creating all the outstanding user accounts. In this exercise, you will create a new organizational unit (OU) named Finance. A “top-level” OU such as Finance is created by binding to the domain root and then calling the Create method.

1. Create a New Organizational Unit

a. Switch to Active Directory Users and Computers and expand fabrikam.com. You should NOT see an OU named Finance.

b. Minimize Active Directory Users and Computers.

c. Double-click the Notepad shortcut on the desktop and type the following (To reduce the amount of typing required, you can use the template C:\Scripts\Container_Change.txt):

    Set objDomain = GetObject("LDAP://DC=fabrikam, DC=com")
    Set objOU = objDomain.Create("organizationalUnit", "OU=Finance")
    objOU.SetInfo

d. Click File | Save As.

e. Save the script as create_ou.vbs in the folder C:\Scripts. To ensure that the .vbs file extension is used, enclose the file name in quotation marks before clicking Save:

    "create_ou.vbs"

f. Close Notepad.

g. In Command Prompt (Scripts Folder) type the following and press ENTER:

    cscript create_ou.vbs

h. To verify that the new OU has been created, switch to Active Directory Users and Computers.

i. Right-click fabrikam.com and click Refresh.

Bonus Script: Creating an OU inside another OU

One scripting question that seems to get asked frequently is this: How do I create an OU inside another OU? Surprisingly enough, there’s nothing particularly difficult about that; you simply bind to the parent OU rather than the domain root. For example, in this sample script (nested_ou.vbs), the script binds to the Finance OU and then creates a nested OU named International:

    Set objDomain = GetObject("LDAP://OU=Finance, DC=fabrikam, DC=com")
    Set objOU = objDomain.Create("organizationalUnit", "OU=International")
    objOU.SetInfo

After running this script the Finance OU will contain a sub-OU named International (OU=International, OU=Finance, DC=fabrikam, DC=com).


Exercise 6 Moving a user account to a different OU

Ken Myer is a member of the Finance department; as such, it makes sense that his user account be stored in the Finance OU rather than the Users container. In this exercise, you will move the Ken Myer user account from the Users container to the Finance OU. This script requires just two lines of code. In line 1, you bind to the OU where you want the account to be moved (in this example, the Finance OU). In line 2, you call the MoveHere method, specifying the current ADsPath (LDAP://CN=Ken Myer,CN=Users,DC=fabrikam,DC=com) of the account being moved.

1. Move a user account to a different OU.

a. Double-click the Notepad shortcut on the desktop and type the following (To reduce the amount of typing required, you can use the template C:\Scripts\Container_Change.txt):

    Set objOU = GetObject("LDAP://OU=Finance,DC=fabrikam,DC=com")
    objOU.MoveHere _
        "LDAP://CN=Ken Myer,CN=Users,DC=fabrikam,DC=com", vbNullString

b. Click File | Save As.

c. Save the script as move_user.vbs in the folder C:\Scripts. To ensure that the .vbs file extension is used, enclose the file name in quotation marks before clicking Save:

    "move_user.vbs"

d. Close Notepad.

e. In Command Prompt (Scripts Folder) type the following and press ENTER:

    cscript move_user.vbs

f. To verify that the user account has been moved, switch to Active Directory Users and Computers.

g. Right-click fabrikam.com and then click Refresh.

h. Click the Finance OU. You should see that the Ken Myer account is now in the Finance OU.

Bonus Exercise: Moving multiple user accounts based on department name

The preceding script does a perfectly good job of moving a single user account from one Active Directory container to another. However, it does raise an understandable question: if all you are doing is moving one user account, wouldn’t it be faster and easier to use Active Directory Users and Computers as opposed to writing a script?

Yes, it probably would. However, suppose you wanted to move all the users in the Finance department to the Finance OU, and suppose: a) you don’t know off the top of your head which users are actually in the Finance department; and, b) those user accounts could be located anywhere within Active Directory. In a case such as that, using a script to automatically find and move each of those accounts is far faster, far easier, and far more reliable than trying to perform the same task by hand.

The sample script shown below (move_multiple_users.vbs) searches Active Directory for all users in the Finance department (department='Finance'), and then moves each account to the Finance OU:

    On Error Resume Next
    Const ADS_SCOPE_SUBTREE = 2

    Set objOU = GetObject("LDAP://OU=Finance,DC=fabrikam,DC=com")

    Set objConnection = CreateObject("ADODB.Connection")
    Set objCommand = CreateObject("ADODB.Command")
    objConnection.Provider = "ADsDSOObject"
    objConnection.Open "Active Directory Provider"
    Set objCommand.ActiveConnection = objConnection

    objCommand.Properties("Page Size") = 1000
    objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
    objCommand.CommandText = _
        "SELECT ADsPath FROM 'LDAP://DC=fabrikam,DC=com' WHERE objectCategory='user' " & _
        "AND Department='Finance'"
    Set objRecordSet = objCommand.Execute

    objRecordSet.MoveFirst
    Do Until objRecordSet.EOF
        objOU.MoveHere objRecordSet.Fields("ADsPath").Value, vbNullString
        objRecordSet.MoveNext
    Loop
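Two things the VBScript above leaves to chance are worth fixing before you run a bulk move against thousands of accounts: On Error Resume Next means a move that fails is simply skipped with no record of it, and the department name is spliced straight into the query string, so a value that contains filter syntax would rewrite the search. The following added example, which is not part of the original lab, does the same search and move in PowerShell with the department value escaped (RFC 4515), a per-account success/failure tally, and -WhatIf support for a dry run. The domain and OU paths are the lab’s; the function names are assumptions.

```powershell
# Added example (not part of the lab). Finds users by department and moves each
# into a target OU, reporting every failure instead of hiding it. Domain and OU
# paths default to the lab's (assumptions).
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    # RFC 4515: inside a filter, \ * ( ) and NUL must be hex-escaped, otherwise
    # a value such as 'Finance)(cn=*' changes what the query matches.
    [regex]::Replace($Value, '[\\*()\x00]', { param($m) '\' + ('{0:x2}' -f [int][char]$m.Value) })
}

function Move-UsersByDepartment {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Department,
        [Parameter(Mandatory)][string]$TargetOuPath,     # e.g. LDAP://OU=Finance,DC=fabrikam,DC=com
        [string]$SearchBase = 'LDAP://DC=fabrikam,DC=com'
    )
    $target   = [ADSI]$TargetOuPath
    $targetDn = [string]$target.distinguishedName

    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$SearchBase)
    $searcher.Filter   = '(&(objectCategory=person)(objectClass=user)(department={0}))' -f (ConvertTo-LdapFilterValue $Department)
    $searcher.PageSize = 1000
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')

    # Read the complete result set before changing anything, so the paged
    # search has finished before objects start moving underneath it.
    $results = $searcher.FindAll()
    try   { $dns = @($results | ForEach-Object { [string]$_.Properties['distinguishedname'][0] }) }
    finally { $results.Dispose() }

    $moved = 0; $failed = 0
    foreach ($dn in $dns) {
        # Skip accounts that already live in the target OU
        if ($dn.EndsWith(",$targetDn", [StringComparison]::OrdinalIgnoreCase)) { continue }
        if (-not $PSCmdlet.ShouldProcess($dn, "Move to $targetDn")) { continue }
        try {
            ([ADSI]"LDAP://$dn").psbase.MoveTo($target)     # IADsContainer::MoveHere underneath
            $moved++
        }
        catch {
            $failed++
            Write-Warning "Could not move ${dn}: $($_.Exception.Message)"
        }
    }
    [pscustomobject]@{ Found = $dns.Count; Moved = $moved; Failed = $failed }
}

# Dry run first, then the real move:
Move-UsersByDepartment -Department 'Finance' -TargetOuPath 'LDAP://OU=Finance,DC=fabrikam,DC=com' -WhatIf
Move-UsersByDepartment -Department 'Finance' -TargetOuPath 'LDAP://OU=Finance,DC=fabrikam,DC=com'
```

The returned Found/Moved/Failed counts are what you keep as the change record; with the VBScript, a run that moved nothing and a run that moved every account look identical.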


Exercise 7 Creating a new user account

You’ve also received a call this morning from Eszter Hidasi, who can’t log on to the domain either. In this case, however, it’s not because the account is disabled, but because the account does not exist. In this exercise, you will create a new user account with two mandatory properties: a CN of Eszter Hidasi and a SAM Account Name of ehidasi. Note that these two property values must be specified when creating a user account; hence the term mandatory attributes. The other attributes specified in the script, including GivenName (first name), Initials, and SN (surname, or last name), are optional; you can create a user account without specifying these values.

Note as well that you must call the SetInfo method to create the account before you can enable that account; you will then need to call SetInfo a second time to enable the account. That’s because the account must exist before it can be enabled. Likewise, the account must exist before you can assign the user a password (a task covered in Exercise 18). Note too that an account created this way has no password, and Active Directory marks it with the “password not required” flag (ADS_UF_PASSWD_NOTREQD) in userAccountControl; enabling it before a password is set therefore leaves an enabled account that can log on with an empty password. In production, set the password before or immediately after you enable the account.

1. Create a new user account

a. Double-click the Notepad shortcut on the desktop and type the following (To reduce the amount of typing required, you can use the template C:\Scripts\Container_Change.txt):

    Set objOU = GetObject("LDAP://OU=Finance, DC=fabrikam, DC=com")
    Set objUser = objOU.Create("User", "CN=Eszter Hidasi")
    objUser.sAMAccountName = "ehidasi"
    objUser.GivenName = "Eszter"
    objUser.Initials = "A"
    objUser.SN = "Hidasi"
    objUser.SetInfo

    objUser.AccountDisabled = FALSE
    objUser.SetInfo

b. Click File | Save As.

c. Save the script as create_user.vbs in the folder C:\Scripts. To ensure that the .vbs file extension is used, enclose the file name in quotation marks before clicking Save:

    "create_user.vbs"

d. Close Notepad.

e. In Command Prompt (Scripts Folder) type the following and press ENTER:

    cscript create_user.vbs

f. To verify that the user account has been created, switch to Active Directory Users and Computers.

g. Right-click the Finance OU and then click Refresh. You should now see a new user account for Eszter Hidasi.


Bonus Script: Creating a new contact

One of the nice things about ADSI is that ADSI scripts tend to follow certain patterns. For example, the process for creating an OU is very similar to the process for creating a user account, which is very similar to the process for creating a contact. To illustrate this, the following script (create_contact.vbs) creates a contact named Simon Pearson; notice that the script follows the basic pattern of binding to the OU, calling the Create method, and then calling SetInfo to write the new object to Active Directory:

    Set objOU = GetObject("LDAP://OU=Finance, DC=fabrikam, DC=com")
    Set objUser = objOU.Create("contact", "CN=Simon Pearson")
    objUser.SetInfo

Note that with a contact you only have to specify a CN; you do not have to specify a logon name, because contacts – which are not security principals – cannot log on to the domain anyway.


Exercise 8 Creating multiple user accounts using a text file

After creating an account for Eszter Hidasi, you discovered that the Finance department has prepared a text file that has the information needed to create the other user accounts for this department. In this exercise, you will create multiple user accounts by reading information from a text file (C:\Scripts\New_Users.txt). The text file is a simple comma-delimited file that looks like this (first name, middle initial, last name, job title):

    Amy,A,Recker,Administrator
    Jamie,F,Reding,Accountant
    Miles,M,Reid,Accountant

The script works by reading in the first line of the file and then using the VBScript Split function to create an array consisting of the individual fields within the record:

    Amy
    A
    Recker
    Administrator

The script uses that array to set the appropriate property values; for example, the user’s GivenName (first name) is assigned the value of item 0 in the array (the first item in an array is given the index number 0, the second value is given the index number 1, and so on). In addition, the script automatically generates a CN and a SAM Account Name for each user.

In a real-world situation you might find it easier to store information in Microsoft Excel rather than in a text file. For information on creating user accounts based on information found in an Excel spreadsheet, see this edition of the Scripting Clinic column on MSDN.

Tasks Detailed steps

1. Create user accounts using a text file.

a. Double-click the Notepad shortcut on the desktop and type the following (To reduce the amount of typing required, you can use the template C:\Scripts\Text_File.txt):

Const ForReading = 1
Set objOU = GetObject("LDAP://OU=Finance,dc=fabrikam,dc=com")
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objTextFile = objFSO.OpenTextFile _
    ("new_users.txt", ForReading)
Do Until objTextFile.AtEndOfStream
    strText = objTextFile.ReadLine
    arrAttributes = Split(strText, ",")
    strCN = arrAttributes(0) & " " & arrAttributes(2)
    Set objUser = objOU.Create("User", "cn=" & strCN)
    strsAMAccountName = Left(arrAttributes(0),1) & arrAttributes(2)
    objUser.sAMAccountName = strsAMAccountName
    objUser.GivenName = arrAttributes(0)
    objUser.Initials = arrAttributes(1)
    objUser.SN = arrAttributes(2)
    objUser.Department = "Finance"
    objUser.Title = arrAttributes(3)
    objUser.SetInfo
    objUser.AccountDisabled = FALSE
    objUser.SetInfo
Loop
objTextFile.Close

b. Click File | Save As.

c. Save the script as create_multiple_users.vbs in the folder C:\Scripts. To ensure that the .vbs file extension is used, enclose the file name in quotation marks before clicking Save:

"create_multiple_users.vbs"

d. Close Notepad.

e. In Command Prompt (Scripts Folder) type the following and press ENTER:

cscript create_multiple_users.vbs

f. To verify that the new accounts have been created, switch to Active Directory Users and Computers.

g. Right-click the Finance OU and then click Refresh.

You should now see the new user accounts.

Note. It should be pointed out that, outside of the lab environment, this script might occasionally fail to create a user account. That’s because CNs must be unique within a container, and the SAM Account Names must be unique within a forest. As currently designed, the script would assign a user named Barry Johnson a SAM Account Name of bjohnson; however, it would also try to assign that same SAM Account Name to Brandon Johnson. In a real production script, you could do a search to determine whether a SAM Account Name is already in use; if it is, you could then tack the number 1 on the end (e.g., bjohnson1) and check to see if that name is in use. If it is, you could continue to increment the value until you finally find a unique name.
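The naming rules of create_multiple_users.vbs, together with the uniqueness check described in the note above, as an added Python example that is not part of the lab. It models the logic offline: parse_records reads the same comma-delimited format, plan_accounts builds the CN (first name plus last name) and the sAMAccountName (first initial plus last name, lowercased here), and unique_name appends 1, 2, 3 and so on until the name is free. The existing_sam and existing_cn parameters are assumptions standing in for the directory search a production script would run; no ADSI call is made. The 20-character limit on a user's sAMAccountName is a documented Active Directory limit, not something the lab mentions.

```python
"""Naming logic from Exercise 8, modelled offline (added example).

Not the lab's own script: it reproduces the CN and sAMAccountName
rules from create_multiple_users.vbs and adds the uniqueness check
the lab's note describes. `existing_sam` and `existing_cn` stand in
for a directory search (assumed inputs); nothing here talks to AD."""

import csv
import io

# Constructed sample file in the lab's field order:
# first name, middle initial, last name, job title.
# The last two rows deliberately collide on first initial + surname,
# and the final row is a duplicate record.
SAMPLE_FILE = """Amy,A,Recker,Administrator
Jamie,F,Reding,Accountant
Miles,M,Reid,Accountant
Barry,J,Johnson,Analyst
Brandon,K,Johnson,Analyst
Brandon,K,Johnson,Analyst
"""

SAM_MAX_LEN = 20  # a user's sAMAccountName is limited to 20 characters


def parse_records(text):
    """Yield (given, initial, surname, title) tuples.

    Blank or short lines are skipped instead of raising, so one
    malformed record does not abort the whole import."""
    for row in csv.reader(io.StringIO(text)):
        fields = [f.strip() for f in row]
        if len(fields) < 4 or not fields[0] or not fields[2]:
            continue
        yield tuple(fields[:4])


def unique_name(base, taken, max_len=None):
    """Return `base` if free, otherwise base1, base2, ... (the suffix
    scheme from the lab's note). Comparison is case-insensitive
    because Active Directory treats these names that way. When
    `max_len` is given the stem is shortened so the suffix still fits."""
    candidate = base if max_len is None else base[:max_len]
    n = 1
    while candidate.lower() in taken:
        suffix = str(n)
        stem = base if max_len is None else base[:max_len - len(suffix)]
        candidate = stem + suffix
        n += 1
    return candidate


def plan_accounts(text, existing_sam=(), existing_cn=()):
    """Return the list of accounts the import would create, in file order."""
    taken_sam = {s.lower() for s in existing_sam}   # unique per forest
    taken_cn = {c.lower() for c in existing_cn}     # unique per container
    plan = []
    for given, initial, sn, title in parse_records(text):
        cn = unique_name(f"{given} {sn}", taken_cn)
        sam = unique_name((given[0] + sn).lower(), taken_sam, SAM_MAX_LEN)
        taken_cn.add(cn.lower())
        taken_sam.add(sam.lower())
        plan.append({
            "cn": cn, "sAMAccountName": sam, "givenName": given,
            "initials": initial, "sn": sn, "title": title,
            "department": "Finance",
        })
    return plan


if __name__ == "__main__":
    for account in plan_accounts(SAMPLE_FILE, existing_sam=["mreid"]):
        print(account["cn"], "->", account["sAMAccountName"])
```

Running the module prints one line per account; the two Johnsons come out as bjohnson, bjohnson1 and bjohnson2, and the repeated Brandon Johnson record also gets its CN suffixed because the CN must be unique within the OU.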


Exercise 9 Creating new security groups

Creating accounts gives users the ability to log on to the domain. However, this does not give them access to resources. Resource access is typically controlled through the use of security groups; giving a single group access is easier than giving each of the individual members of the group access to that same resource. (On top of that, any new users added to the group automatically gain access to the resource, without requiring any work whatsoever on your part.) In this exercise, you will create a global security group named Finance Managers. Notice that two constants (ADS_GROUP_TYPE_GLOBAL_GROUP and ADS_GROUP_TYPE_SECURITY_ENABLED) are required when specifying the group type. (Don’t be misled by the OR operator; in the bitwise logic used to set the group type, OR can be read as if it were really the word and.) The constant ADS_GROUP_TYPE_GLOBAL_GROUP makes the group a global group, while the ADS_GROUP_TYPE_SECURITY_ENABLED constant makes it a security group. Without this latter constant, you would create a distribution group instead.

Tasks Detailed steps

1. Create a new security group.

a. Double-click the Notepad shortcut on the desktop and type the following (To reduce the amount of typing required, you can use the template C:\Scripts\Container_Change.txt):

Const ADS_GROUP_TYPE_GLOBAL_GROUP = &H2
Const ADS_GROUP_TYPE_SECURITY_ENABLED = &H80000000
Set objOU = GetObject("LDAP://OU=Finance,DC=fabrikam,DC=com")
Set objGroup = objOU.Create("Group", "CN=Finance Users")
objGroup.Put "samAccountName", "FinanceUsers"
objGroup.Put "groupType", ADS_GROUP_TYPE_GLOBAL_GROUP OR _
    ADS_GROUP_TYPE_SECURITY_ENABLED
objGroup.SetInfo

b. Click File | Save As.

c. Save the script as create_group.vbs in the folder C:\Scripts. To ensure that the .vbs file extension is used, enclose the file name in quotation marks before clicking Save:

"create_group.vbs"

d. In Command Prompt (Scripts Folder) type the following and press ENTER:

cscript create_group.vbs

e. To verify that the group has been created, switch to Active Directory Users and Computers.

f. Right-click the Finance OU and then click Refresh.

You should now see the new FinanceUsers group.


Bonus Script: Creating other types of groups

There are a total of six group types that can be created in Active Directory: you can create global, domain local, and universal security groups, and you can create global, domain local, and universal distribution groups. Constant values used in creating Active Directory groups are shown in the following table:

Group Type Constant Value Description

Global group &H2 Users must all come from the same domain. Permissions apply only to the local domain.

Domain local group &H4 Users can come from any domain in the forest, but permissions apply only to the local domain.

Universal group &H8 Users can come from any domain in the forest.

Security group &H80000000 Security groups can be granted or denied access to resources. Distribution groups cannot.

The following script (create_distribution_group.vbs) creates a domain local distribution group. Note that because this is not a security group, the constant value for creating a security group (&H80000000) is not used.

Const ADS_GROUP_TYPE_LOCAL_GROUP = &H4
Set objOU = GetObject("LDAP://OU=Finance, DC=fabrikam, DC=com")
Set objGroup = objOU.Create("Group", "CN=Vendors")
objGroup.Put "samAccountName", "vendors"
objGroup.Put "groupType", ADS_GROUP_TYPE_LOCAL_GROUP
objGroup.SetInfo
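The groupType arithmetic behind Exercise 9 and the table above, as an added Python example (not the lab's code). make_group_type combines a scope constant with the security bit exactly as the VBScript OR does; decode_group_type goes the other way and tells you what kind of group a value describes. The values are shown in signed 32-bit form because that is how the directory returns groupType (in VBScript, &H80000000 is likewise the negative Long -2147483648), so a global security group reads back as -2147483646 rather than &H80000002; the decoder accepts either form. The function and variable names are this example's own.

```python
"""groupType arithmetic for the Exercise 9 material (added example).

Not from the lab. Composes groupType the way the VBScript does
(scope OR security bit) and decodes values as LDAP returns them:
signed 32-bit integers, so the &H80000000 security bit makes the
stored value negative, e.g. -2147483646 for a global security group."""

# Constants from the lab's table.
ADS_GROUP_TYPE_GLOBAL_GROUP = 0x2
ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP = 0x4
ADS_GROUP_TYPE_UNIVERSAL_GROUP = 0x8
ADS_GROUP_TYPE_SECURITY_ENABLED = 0x80000000

SCOPES = {
    ADS_GROUP_TYPE_GLOBAL_GROUP: "global",
    ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP: "domain local",
    ADS_GROUP_TYPE_UNIVERSAL_GROUP: "universal",
}
SCOPE_MASK = (ADS_GROUP_TYPE_GLOBAL_GROUP
              | ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP
              | ADS_GROUP_TYPE_UNIVERSAL_GROUP)


def to_signed32(value):
    """Reinterpret a 32-bit pattern as the signed integer AD stores."""
    value &= 0xFFFFFFFF
    return value - 0x100000000 if value & 0x80000000 else value


def make_group_type(scope, security=True):
    """Value to write to groupType for a group of the given scope.

    `security=False` yields a distribution group, as in the bonus
    script above, which omits the security bit."""
    if scope not in SCOPES:
        raise ValueError(f"unknown scope bits {scope:#x}")
    value = scope | (ADS_GROUP_TYPE_SECURITY_ENABLED if security else 0)
    return to_signed32(value)


def decode_group_type(value):
    """Return (scope, kind) for a groupType value, signed or unsigned."""
    bits = value & 0xFFFFFFFF
    scope = bits & SCOPE_MASK
    if scope not in SCOPES:  # zero or more than one scope bit set
        raise ValueError(f"groupType {value} has no single scope bit")
    kind = "security" if bits & ADS_GROUP_TYPE_SECURITY_ENABLED else "distribution"
    return SCOPES[scope], kind


def is_security_group(value):
    return decode_group_type(value)[1] == "security"


if __name__ == "__main__":
    # The two groups created in this exercise, as the directory stores them.
    for name, scope, security in (("Finance Users", ADS_GROUP_TYPE_GLOBAL_GROUP, True),
                                  ("Vendors", ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP, False)):
        gt = make_group_type(scope, security)
        print(f"{name}: groupType={gt} -> {decode_group_type(gt)}")
```

Note that decode_group_type refuses values with zero or several scope bits; a groupType that does not decode cleanly is worth investigating rather than guessing at.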


Exercise 10 Adding an individual user to a security group

Now that the Finance Users group exists you can begin adding members to it. In this exercise, you will add Ken Myer to the Finance Users security group. This is done by binding to the group, binding to the user account, and then calling the Add method to add the user to the group.

Tasks Detailed steps

1. Add an individual user to a security group.

a. Double-click the Notepad shortcut on the desktop and type the following (To reduce the amount of typing required, you can use the template C:\Scripts\Account_Change.txt):

Set objGroup = GetObject _
    ("LDAP://CN=Finance Users, OU=Finance, DC=fabrikam, DC=com")
Set objUser = GetObject _
    ("LDAP://CN=Ken Myer, OU=Finance, DC=fabrikam, DC=com")
objGroup.Add(objUser.ADsPath)

b. Click File | Save As.

c. Save the script as add_user.vbs in the folder C:\Scripts. To ensure that the .vbs file extension is used, enclose the file name in quotation marks before clicking Save:

"add_user.vbs"

d. Close Notepad.

e. In Command Prompt (Scripts Folder) type the following and press ENTER:

cscript add_user.vbs

f. To verify that the user has been added to the group, switch to Active Directory Users and Computers.

g. In the Finance OU, right-click Finance Users and click Properties.

h. In the Finance Users Properties dialog box, click the Members tab.

You should now see Ken Myer as a member of Finance Users.

i. Close the Finance Users Properties dialog box.

Bonus Script: Viewing Group Membership

To find out which users are members of a group, all you have to do is bind to the group and then report back the values contained in the Members property (Members is an example of a multi-valued attribute, an attribute type you will deal with in Exercise 14). This sample script (view_group_membership.vbs) lists the CN for all the members of the Finance Users group:

Set objGroup = GetObject _
    ("LDAP://CN=Finance Users, OU=Finance, DC=fabrikam, DC=com")
For Each strUser in objGroup.Members
    WScript.Echo strUser.CN
Next


Exercise 11 Adding multiple users to a security group

A common requirement in many organizations is for all users in an OU to also be members of a specified group. (This is often done because an OU is not a security principal.) Active Directory does not have any mechanism for automatically placing all the users in an OU in a corresponding security group; however, you can write a script that will retrieve a list of users found in an OU and then place each of those users in a security group. In this exercise, you will use a script to add all the users in the Finance OU to the Finance Users group. This is done by returning a collection of all the users in the OU (notice the filter applied to the returned collection), and then adding the users to the group, one by one.

Tasks Detailed steps

1. Add multiple users to a security group.

a. Double-click the Notepad shortcut on the desktop and type the following (To reduce the amount of typing required, you can use the template C:\Scripts\Account_Change.txt):

On Error Resume Next
Set objGroup = GetObject _
    ("LDAP://CN=Finance Users, OU=Finance, DC=fabrikam, DC=com")
Set objOU = GetObject("LDAP://OU=Finance, DC=fabrikam, DC=com")
objOU.Filter = Array("User")
For Each objUser in objOU
    objGroup.Add(objUser.ADsPath)
Next

b. Click File | Save As.

c. Save the script as add_multiple_users.vbs in the folder C:\Scripts. To ensure that the .vbs file extension is used, enclose the file name in quotation marks before clicking Save:

"add_multiple_users.vbs"

d. Close Notepad.

e. In Command Prompt (Scripts Folder) type the following and press ENTER:

cscript add_multiple_users.vbs

f. To verify that the users have been added to the group, switch to Active Directory Users and Computers.

g. In the Finance OU, right-click Finance Users and then click Properties.

h. In the Finance Users Properties dialog box, click the Members tab.

You should now see various users as members of Finance Users.

i. Close the Finance Users Properties dialog box.


Exercise 12 Removing a user from a security group

Having added Ken Myer to the Finance Users group, you now discover that, as a manager, he should not be a member of this group. In this exercise, you will remove Ken Myer from the Finance Users group. Note the similarities between the script that removes a user from a group and the script that originally added the user to the group.

Tasks Detailed steps

1. Remove a user from a security group

a. Double-click the Notepad shortcut on the desktop and type the following (To reduce the amount of typing required, you can use the template C:\Scripts\Account_Change.txt):

Set objGroup = GetObject _
    ("LDAP://CN=Finance Users, OU=Finance, DC=fabrikam, DC=com")
Set objUser = GetObject _
    ("LDAP://CN=Ken Myer, OU=Finance, DC=fabrikam, DC=com")
objGroup.Remove(objUser.ADsPath)

b. Click File | Save As.

c. Save the script as remove_user.vbs in the folder C:\Scripts. To ensure that the .vbs file extension is used, enclose the file name in quotation marks before clicking Save:

"remove_user.vbs"

d. Close Notepad.

e. In Command Prompt (Scripts Folder) type the following and press ENTER:

cscript remove_user.vbs

f. To verify that the user has been removed from the group, switch to Active Directory Users and Computers.

g. In the Finance OU, right-click Finance Users and then click Properties.

h. In the Finance Users Properties dialog box, click the Members tab.

You should no longer see Ken Myer listed as a member of Finance Users.

i. Close the Finance Users Properties dialog box.


Exercise 13 Modifying an individual user account

One reason you mistakenly placed Ken Myer in the Finance Users group is that you did not realize Ken was a manager. To help avoid similar mistakes in the future, you decided to add Ken’s department, job title, and company to his Active Directory user account. (This is an easy task, because these attributes are available for use with any Active Directory user account.) In this exercise, you will modify organization property values for the Ken Myer user account. This process involves binding to the account, assigning the new property values, and then calling the SetInfo method to write the changes to Active Directory.

Tasks Detailed steps

1. Modify an individual user account.

a. Double-click the Notepad shortcut on the desktop and type the following (To reduce the amount of typing required, you can use the template C:\Scripts\Account_Change.txt)

Set objUser = GetObject("LDAP://CN=Ken Myer, OU=Finance, DC=fabrikam, DC=com")
objUser.Title = "Manager"
objUser.Department = "Finance Department Management Team"
objUser.Company = "Fabrikam"
objUser.SetInfo

b. Click File | Save As.

c. Save the script as modify_user.vbs in the folder C:\Scripts. To ensure that the .vbs file extension is used, enclose the file name in quotation marks before clicking Save:

"modify_user.vbs"

d. Close Notepad.

e. In Command Prompt (Scripts Folder) type the following and press ENTER:

cscript modify_user.vbs

f. To verify that the account values have been changed, switch to Active Directory Users and Computers.

g. In the Finance OU, right-click Ken Myer and click Refresh.

h. Right-click Ken Myer a second time and then click Properties.

i. In the Ken Myer Properties dialog box, click the Organization tab and verify the values.

j. Close the Ken Myer Properties dialog box.


Exercise 14 Modifying a multi-valued attribute

When you talked to Ken Myer this morning, he also told you that he had just acquired a second work phone, and he wanted to be sure that this second number was available in the directory service. In this exercise, you will modify the otherTelephone attribute for the Ken Myer user account. The otherTelephone attribute is an example of a “multi-valued” attribute, an attribute that can contain more than one value.

Working with multi-valued attributes is different from working with single-valued attributes. With a single-valued attribute, you typically assign a property value simply by, well, assigning a property value:

objUser.SN = "Myer"

When working with a multi-valued attribute you use a defined constant to indicate the type of operation you are performing. These constants and the operations they perform are listed in the following table:

Constant Value Description

ADS_PROPERTY_CLEAR 1 Clears all the values from the specified attribute.

ADS_PROPERTY_UPDATE 2 Replaces the value in the specified attribute with new values.

ADS_PROPERTY_APPEND 3 Appends a new value (or values) in the specified attribute.

ADS_PROPERTY_DELETE 4 Deletes the value (or values) from the specified attribute.

A complete explanation of working with multi-valued attributes lies beyond the scope of this lab; this sample task is presented simply because you will often find yourself working with multi-valued attributes. For more information, see the chapter Active Directory Users in the Microsoft Windows 2000 Scripting Guide, or the Scripting Guys’ Webcast Users and Groups and OUs: Oh, My!.
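The four PutEx operations from the table above, modelled on an in-memory attribute store as an added Python example (not the lab's code). put_ex applies ADS_PROPERTY_CLEAR, UPDATE, APPEND or DELETE to a dictionary that stands in for a user object's attributes, and get_ex always hands back a list, which is the reason the lab recommends GetEx before a For Each loop. The error cases are this example's assumption, modelled on the LDAP modify rules the directory enforces when SetInfo is called: appending a value that is already present or deleting one that is absent fails. The sample user and the first phone number are constructed; "(425)-555-4444" is the number from the exercise.

```python
"""PutEx semantics for Exercise 14, modelled offline (added example).

Not the lab's code. `put_ex` applies the ADS_PROPERTY_* operations to
a dict standing in for a user object; `get_ex` mirrors GetEx by always
returning a list. Error behaviour is modelled on LDAP modify rules
(assumption): adding an existing value or deleting a missing one fails."""

ADS_PROPERTY_CLEAR = 1
ADS_PROPERTY_UPDATE = 2
ADS_PROPERTY_APPEND = 3
ADS_PROPERTY_DELETE = 4


def get_ex(attrs, name):
    """Return the attribute's values as a list, whether there are none,
    one, or many. This is what makes a For Each loop safe."""
    value = attrs.get(name)
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple)) else [value]


def put_ex(attrs, op, name, values):
    """Apply one PutEx-style operation to `attrs`; return the new value list."""
    values = list(values)
    current = get_ex(attrs, name)
    if op == ADS_PROPERTY_CLEAR:
        new = []
    elif op == ADS_PROPERTY_UPDATE:
        new = values                       # replace everything that was there
    elif op == ADS_PROPERTY_APPEND:
        dupes = [v for v in values if v in current]
        if dupes:
            raise ValueError(f"{name}: value already present: {dupes}")
        new = current + values
    elif op == ADS_PROPERTY_DELETE:
        missing = [v for v in values if v not in current]
        if missing:
            raise LookupError(f"{name}: no such value: {missing}")
        new = [v for v in current if v not in values]
    else:
        raise ValueError(f"unknown PutEx operation {op}")
    if new:
        attrs[name] = new
    else:
        attrs.pop(name, None)  # an emptied multi-valued attribute is simply absent
    return new


if __name__ == "__main__":
    # Constructed sample object; only the second number comes from the lab.
    ken = {"sn": "Myer", "otherTelephone": ["(425)-555-1111"]}
    put_ex(ken, ADS_PROPERTY_APPEND, "otherTelephone", ["(425)-555-4444"])
    for number in get_ex(ken, "otherTelephone"):
        print("Other work phone number:", number)
```

The distinction that matters in practice is UPDATE versus APPEND: UPDATE silently discards every existing value, so a script meant to add a second number must use APPEND, as modify_multi-value.vbs does.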

Tasks Detailed steps

1. Modify a multi-valued attribute.

a. Double-click the Notepad shortcut on the desktop and type the following (To reduce the amount of typing required, you can use the template C:\Scripts\Account_Change.txt):

Const ADS_PROPERTY_APPEND = 3
Set objUser = GetObject _
    ("LDAP://CN=Ken Myer, OU=Finance, DC=fabrikam, DC=com")
objUser.PutEx ADS_PROPERTY_APPEND, "otherTelephone", _
    Array("(425)-555-4444")
objUser.SetInfo

b. Click File | Save As.

c. Save the script as modify_multi-value.vbs in the folder C:\Scripts. To ensure that the .vbs file extension is used, enclose the file name in quotation marks before clicking Save:

"modify_multi-value.vbs"

d. Close Notepad.

e. In Command Prompt (Scripts Folder) type the following and press ENTER:

cscript modify_multi-value.vbs

f. To verify that the new phone number has been added, switch to Active Directory Users and Computers.

g. In the Finance OU, right-click Ken Myer and click Refresh.

h. Right-click Ken Myer a second time and click Properties.

i. In the Ken Myer Properties dialog box, on the General tab, click the Other … button located next to Telephone Number.

j. Verify that the new phone number appears in the Phone Number (Others) dialog box.

k. Close the Ken Myer Properties dialog box.

Bonus Script: Displaying a Multi-Valued Attribute

Multi-valued attributes are stored as an array; because of that, you will generate a Type Mismatch error if you try to directly echo a multi-valued attribute (for example, using code similar to Wscript.Echo objUser.otherTelephone). Instead, you must deal with a multi-valued attribute the same way that you deal with any array: by creating a For-Each loop and then enumerating each item in the array (each value in the multi-valued attribute).

In addition, you should use the GetEx method to explicitly grab the multi-valued attribute; using GetEx ensures that the value is returned as an array and that your For-Each loop will then function correctly.

For example, this script (display_multi-value.vbs) echoes all the values in the multi-valued attribute otherTelephone:

Set objUser = GetObject _
    ("LDAP://cn=Ken Myer,ou=Finance,dc=fabrikam,dc=com")
Wscript.Echo "First name: " & objUser.GivenName
Wscript.Echo "Middle initial: " & objUser.Initials
Wscript.Echo "Last name: " & objUser.SN
arrOtherPhones = objUser.GetEx("otherTelephone")
For Each strPhoneNumber in arrOtherPhones
    WScript.Echo "Other work phone number: " & strPhoneNumber
Next


Exercise 15 Reading the userAccountControl Attribute

You did not create Ken Myer’s user account, nor did your predecessor use a standard script when creating accounts. Consequently, you do not know for sure how the account has been configured. That’s important, because certain properties of a user account – such as configuring an account so that a password is not required or so that the password never expires – can represent security risks. In this exercise, you will use the userAccountControl attribute to determine whether or not Ken Myer’s user account password expires. (As a security precaution, it is highly recommended that you do not assign users passwords that never expire.)

The userAccountControl is an example of a bitmask attribute, an attribute that, in effect, contains multiple attributes and their values. Among other things, the userAccountControl attribute contains information about whether a user:

Can change his or her password.
Has a password that never expires.
Can use an encrypted text password.
Must log on using a smartcard.

For a list of attributes and their corresponding hexadecimal values see Appendix 1: userAccountControl Attributes and Values.

In this sample exercise, you will use bitwise logic to determine whether the Password never expires attribute has been enabled for Ken Myer. That test is performed using this line of code:

If objUser.UserAccountControl AND ADS_UF_DONT_EXPIRE_PASSWD Then

If TRUE, that means the Password never expires attribute has been enabled; if FALSE, then the password does expire, because the attribute has not been enabled. You can test for other values in the userAccountControl attribute by substituting the appropriate constant and its hexadecimal value.

A complete explanation of working with the userAccountControl lies beyond the scope of this lab; this sample task is presented simply because you will often find yourself working with this attribute. For more information, see the chapter ADSI Scripting Primer in the Microsoft Windows 2000 Scripting Guide.

Tasks Detailed steps

1. Read the userAccountControl Attribute

a. Double-click the Notepad shortcut on the desktop and type the following (To reduce the amount of typing required, you can use the template C:\Scripts\Account_View.txt):

Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000
Set objUser = GetObject("LDAP://CN=Ken Myer, OU=Finance, DC=fabrikam, DC=com")
If objUser.UserAccountControl AND ADS_UF_DONT_EXPIRE_PASSWD Then
    Wscript.Echo "This password never expires."
Else
    Wscript.Echo "This password expires."
End If

b. Click File | Save As.

c. Save the script as read_uac.vbs in the folder C:\Scripts. To ensure that the .vbs file extension is used, enclose the file name in quotation marks before clicking Save:

"read_uac.vbs"

d. Close Notepad.

e. In Command Prompt (Scripts Folder) type the following and press ENTER:

cscript read_uac.vbs

f. To verify that the password for the Ken Myer user account never expires, switch to Active Directory Users and Computers.

g. In the Finance OU, right-click Ken Myer and click Properties.

h. On the Account tab, verify that the checkbox labeled Password never expires is selected.

i. Close the Ken Myer Properties dialog box.


Exercise 16 Modifying the userAccountControl Attribute

The fact that Ken Myer’s password does not expire is a potential security risk; because of that, you decide to reconfigure his account to ensure that the password will expire, and thus have to be changed periodically. In this exercise, you will use the userAccountControl attribute to ensure that Ken Myer’s password will expire. To do that, you first use this line of code to determine whether or not the password is currently set to expire:

If objUser.userAccountControl AND ADS_UF_DONT_EXPIRE_PASSWD Then

If TRUE, that means that the password does not expire. To change this to an expiring password, use the bitwise XOR operator. The XOR operator toggles the value of an attribute: if the attribute is enabled, XOR will disable it; if the attribute is disabled, XOR will enable it.

Tasks Detailed steps

1. Modify the userAccountControl Attribute.

a. Double-click the Notepad shortcut on the desktop and type the following (To reduce the amount of typing required, you can use the template C:\Scripts\Account_Change.txt):

Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000
Set objUser = GetObject("LDAP://CN=Ken Myer, OU=Finance, DC=fabrikam, DC=com")
If objUser.userAccountControl AND ADS_UF_DONT_EXPIRE_PASSWD Then
    objPasswordExpires = objUser.userAccountControl XOR ADS_UF_DONT_EXPIRE_PASSWD
    objUser.Put "userAccountControl", objPasswordExpires
    objUser.SetInfo
End If

b. Click File | Save As.

c. Save the script as modify_uac.vbs in the folder C:\Scripts. To ensure that the .vbs file extension is used, enclose the file name in quotation marks before clicking Save:

"modify_uac.vbs"

d. Close Notepad.

e. In Command Prompt (Scripts Folder) type the following and press ENTER:

cscript modify_uac.vbs

f. To verify that the attribute value has been changed, re-run the script read_uac.vbs that you created in Exercise 16.


Exercise 17 Modifying multiple user accounts

Fabrikam has several subsidiary companies, and it’s useful to keep track of which users work for which company. Because all the users currently in your Active Directory work for the parent company, you decide to assign the value Fabrikam to the Company attribute for each of these users. In this exercise, you will set the Company property for all the users in your domain to Fabrikam. As you might expect, you use an Active Directory search as the framework for a script that changes a property value for all the users in a domain. There is one catch, however: Active Directory searches are read-only; for those of you familiar with SQL, there are no UPDATE queries when working with Active Directory. Instead, you conduct a search, returning a collection of ADsPaths for all the users in the domain. With those ADsPaths in hand, you then individually bind to each user account in the collection and change the property value.

Tasks Detailed steps

1. Modify multiple user accounts.

a. Double-click the Notepad shortcut on the desktop and type the following (To reduce the amount of typing required, you can use the template C:\Scripts\Search.txt):

On Error Resume Next
Const ADS_SCOPE_SUBTREE = 2
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
objCommand.CommandText = _
    "SELECT ADsPath FROM 'LDAP://DC=fabrikam,DC=com' WHERE " _
    & "objectCategory='user'"
Set objRecordSet = objCommand.Execute
objRecordSet.MoveFirst
Do Until objRecordSet.EOF
    strPath = objRecordSet.Fields("ADsPath").Value
    Set objUser = GetObject(strPath)
    objUser.Company = "Fabrikam"
    objUser.SetInfo
    objRecordSet.MoveNext
Loop

b. Click File | Save As.

c. Save the script as modify_many.vbs in the folder C:\Scripts. To ensure that the .vbs file extension is used, enclose the file name in quotation marks before clicking Save:

"modify_many.vbs"

d. Close Notepad.

e. In Command Prompt (Scripts Folder) type the following and press ENTER:

cscript modify_many.vbs

f. To verify that the Company name has changed, switch to Active Directory Users and Computers.

g. In the Finance OU, right-click any user account and click Refresh.

h. Right-click the user account a second time and then click Properties.

i. In the Properties dialog box for the user account, on the Organization tab, verify the Company name.

j. Close the user Properties dialog box.


Exercise 18 Changing a user’s password

Upon notifying Ken Myer that his account has been enabled, you discover that he does not know his password; the password he used in the company’s Windows NT 4.0 domain is apparently not the same password your predecessor assigned to his Active Directory account. In this exercise, you will change the password for the Ken Myer user account. Note that the SetPassword method does not require you to know the user’s current password.

Tasks Detailed steps

1. Change a user’s password.

a. Double-click the Notepad shortcut on the desktop and type the following (To reduce the amount of typing required, you can use the template C:\Scripts\Account_Change.txt):

Set objUser = GetObject _
    ("LDAP://CN=Ken Myer,OU=Finance,DC=fabrikam,DC=com")
objUser.SetPassword("i5A2sj*!")

b. Click File | Save As.

c. Save the script as change_password.vbs in the folder C:\Scripts. To ensure that the .vbs file extension is used, enclose the file name in quotation marks before clicking Save:

"change_password.vbs"

d. Close Notepad.

e. In Command Prompt (Scripts Folder) type the following and press ENTER:

cscript change_password.vbs

Note that there is no way to determine the password that has been assigned to a user account; this information is not accessible even to enterprise administrators. The only way to verify a password is to try to log on to the domain using that password.

f. Close all open windows.


For More Information

Active Directory is a large and complex piece of technology; because of that, this lab covers only a handful of the many management tasks that can be carried out using ADSI scripts. For more information on using scripts to manage Active Directory, please refer to the following resources:

The ADSI Scripting Primer chapter in the Microsoft Windows 2000 Scripting Guide
The Active Directory Users chapter in the Microsoft Windows 2000 Scripting Guide
The Scripting Guys’ Webcast Users and Groups and OUs: Oh, My!
The Scripting Guys’ Webcast Pokin’ Your Nose Into Active Directory
The Scripting Guys’ Webcast Inactive Directory? Not When You Use Scripts to Help Manage AD
The Scripting Clinic column Creating User Accounts from Information in an Excel Spreadsheet
The Scripting Clinic column Scripting Excel: The Saga Continues

Appendix 1: userAccountControl Attributes and Values

Individual attributes, their corresponding constants, and their hexadecimal values found in the userAccountControl attribute are shown in the following table:

Constant Value Attribute Description

ADS_UF_SCRIPT 0x00000001 The logon script is executed.

ADS_UF_ACCOUNTDISABLE 0x00000002 The user account is disabled.

ADS_UF_HOMEDIR_REQUIRED 0x00000008 The home directory is required.

ADS_UF_LOCKOUT 0x00000010 The account is currently locked out.

ADS_UF_PASSWD_NOTREQD 0x00000020 No password is required.

ADS_UF_PASSWD_CANT_CHANGE 0x00000040 The user cannot change the password.

ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED 0x00000080 The user can send an encrypted password.

ADS_UF_TEMP_DUPLICATE_ACCOUNT 0x00000100 This is an account for users whose primary account is in another domain. This account provides user access to this domain, but not to any domain that trusts this domain. Also known as a local user account.

ADS_UF_NORMAL_ACCOUNT 0x00000200 This is a default account type that represents a typical user.

ADS_UF_INTERDOMAIN_TRUST_ACCOUNT 0x00000800 This is a permit to trust account for a system domain that trusts other domains.

ADS_UF_WORKSTATION_TRUST_ACCOUNT 0x00001000 This is a computer account for a computer that is a member of this domain.

ADS_UF_SERVER_TRUST_ACCOUNT 0x00002000 This is a computer account for a system backup domain controller that is a member of this domain.


ADS_UF_DONT_EXPIRE_PASSWD 0x00010000 The password for this account will never expire.

ADS_UF_MNS_LOGON_ACCOUNT 0x00020000 This is an MNS logon account.

ADS_UF_SMARTCARD_REQUIRED 0x00040000 The user must log on using a smart card.

ADS_UF_TRUSTED_FOR_DELEGATION 0x00080000 The service account (user or computer account), under which a service runs, is trusted for Kerberos delegation. Any such service can impersonate a client requesting the service.

ADS_UF_NOT_DELEGATED 0x00100000 The security context of the user will not be delegated to a service even if the service account is set as trusted for Kerberos delegation.

ADS_UF_USE_DES_KEY_ONLY 0x00200000 Restrict this principal to use only Data Encryption Standard (DES) encryption types for keys.

ADS_UF_DONT_REQUIRE_PREAUTH 0x00400000 This account does not require Kerberos preauthentication for logon.

ADS_UF_PASSWORD_EXPIRED 0x00800000 The user password has expired. This flag is created by the system using data from the Pwd-Last-Set attribute and the domain policy.

ADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION 0x01000000 The account is enabled for delegation. This is a security-sensitive setting; accounts with this option enabled should be strictly controlled. This setting enables a service running under the account to assume a client identity and authenticate as that user to other remote servers on the network.
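Decoding and editing userAccountControl with the constants in this appendix, as an added Python example that serves Exercises 15 and 16 as well; it is not the lab's code. The flag table is copied from the table above. decode_uac lists the flags set in a value, has_flag is the AND test from read_uac.vbs, and clear_flag uses AND NOT, which leaves a value unchanged when the bit is already clear; toggle_flag is the XOR that modify_uac.vbs uses, included to show why that script guards the XOR with an If. RISKY_FLAGS is this example's own selection of the flags whose descriptions above weaken password or Kerberos controls, and the accounts in the sample are constructed.

```python
"""userAccountControl helpers (added example for Exercises 15/16 and
Appendix 1; not the lab's code). Works on the integer value only, so
it can be run offline against values exported from the directory."""

# Constants and values from Appendix 1.
UAC_FLAGS = {
    "ADS_UF_SCRIPT": 0x00000001,
    "ADS_UF_ACCOUNTDISABLE": 0x00000002,
    "ADS_UF_HOMEDIR_REQUIRED": 0x00000008,
    "ADS_UF_LOCKOUT": 0x00000010,
    "ADS_UF_PASSWD_NOTREQD": 0x00000020,
    "ADS_UF_PASSWD_CANT_CHANGE": 0x00000040,
    "ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED": 0x00000080,
    "ADS_UF_TEMP_DUPLICATE_ACCOUNT": 0x00000100,
    "ADS_UF_NORMAL_ACCOUNT": 0x00000200,
    "ADS_UF_INTERDOMAIN_TRUST_ACCOUNT": 0x00000800,
    "ADS_UF_WORKSTATION_TRUST_ACCOUNT": 0x00001000,
    "ADS_UF_SERVER_TRUST_ACCOUNT": 0x00002000,
    "ADS_UF_DONT_EXPIRE_PASSWD": 0x00010000,
    "ADS_UF_MNS_LOGON_ACCOUNT": 0x00020000,
    "ADS_UF_SMARTCARD_REQUIRED": 0x00040000,
    "ADS_UF_TRUSTED_FOR_DELEGATION": 0x00080000,
    "ADS_UF_NOT_DELEGATED": 0x00100000,
    "ADS_UF_USE_DES_KEY_ONLY": 0x00200000,
    "ADS_UF_DONT_REQUIRE_PREAUTH": 0x00400000,
    "ADS_UF_PASSWORD_EXPIRED": 0x00800000,
    "ADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION": 0x01000000,
}

# This example's own selection: flags whose descriptions in Appendix 1
# weaken password handling or Kerberos controls.
RISKY_FLAGS = {
    "ADS_UF_PASSWD_NOTREQD",
    "ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED",
    "ADS_UF_DONT_EXPIRE_PASSWD",
    "ADS_UF_TRUSTED_FOR_DELEGATION",
    "ADS_UF_USE_DES_KEY_ONLY",
    "ADS_UF_DONT_REQUIRE_PREAUTH",
    "ADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION",
}


def decode_uac(value):
    """Names of the flags set in `value`, in ascending bit order."""
    return [name for name, bit in UAC_FLAGS.items() if value & bit]


def has_flag(value, name):
    """The AND test from read_uac.vbs."""
    return bool(value & UAC_FLAGS[name])


def clear_flag(value, name):
    """AND NOT: clears the bit, and is a no-op if it was already clear."""
    return (value & ~UAC_FLAGS[name]) & 0xFFFFFFFF


def set_flag(value, name):
    return value | UAC_FLAGS[name]


def toggle_flag(value, name):
    """The XOR from modify_uac.vbs: flips the bit either way, which is
    why that script only applies it after testing the bit is set."""
    return value ^ UAC_FLAGS[name]


def risky_flags(value):
    return [name for name in decode_uac(value) if name in RISKY_FLAGS]


def audit(accounts):
    """Map sAMAccountName -> risky flags for every account that has any."""
    findings = {}
    for sam, uac in accounts.items():
        risky = risky_flags(uac)
        if risky:
            findings[sam] = risky
    return findings


if __name__ == "__main__":
    # Constructed sample: kmyer is the Exercise 15 case (normal account,
    # password never expires); the others are made up for contrast.
    sample = {"kmyer": 0x10200, "arecker": 0x200, "svc_legacy": 0x410220}
    for sam, flags in audit(sample).items():
        print(sam, "->", ", ".join(flags))
```

audit returns only the accounts that need attention, so the same function can be pointed at a dump of (sAMAccountName, userAccountControl) pairs and its output reviewed directly.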
