AcctCrt Component

The AcctCrt component provides services for creating mailboxes in Exchange Server version 5.5 using ADSI. ADSI does not provide a mechanism to associate Windows NT accounts with Exchange Server mailboxes, but the AcctCrt COM component does. It also allows you to programmatically create and delete Windows NT accounts in your Windows NT domain. The AcctCrt component is very straightforward—it supports only six methods: ChangeOwnerofSecDescriptor, NTAccountCreate, NTAccountDelete, GetSidFromName, GetNameFromSid, and GenerateSecDescriptor. Let's take a look at how to create an instance of the AcctCrt component and use the methods it supports.

Creating an Instance of the AcctCrt Component

Creating an instance of the AcctCrt component is actually very easy. The ProgID for the component is MSExchange.AcctMgmt. The following line of code shows how to create an instance of the component and store it in a variable named mntAcct:

 Set mntAcct = CreateObject("MSExchange.AcctMgmt") 

Once you have an instance of the component, you can call its available methods.

Creating a Windows NT Account by Using the AcctCrt Component

The AcctCrt component contains a method named NTAccountCreate that allows you to programmatically add a new account to your Windows NT domain as long as you have the proper permissions in that domain. This method takes five arguments: Domain, Login, Password, UserComment, and LocalGroup. If you don't specify the domain name, AcctCrt defaults to using the local machine domain. If you don't specify the local group, the component automatically adds the user to the domain user group. The following code example shows you how to create a Windows NT account using NTAccountCreate:

 Set mntAcct = CreateObject("MSExchange.AcctMgmt") 'NTAccountCreate takes Domain,Login,Password,UserComment,LocalGroup MntAcct.NTAccountCreate "", "Test User", "password", "", "" 

NOTE

---

You need the proper permissions to create the Windows NT account using NTAccountCreate. If you want to use the AcctCrt component from an Active Server Pages (ASP) page, you must authenticate the user by challenging the user's credentials in the browser; otherwise, ASP will use the anonymous Microsoft Internet Information Services (IIS) account to attempt creating the Windows NT user account. This attempt will most likely fail.

Deleting a Windows NT Account by Using the AcctCrt Component

Deleting a Windows NT Account using the AcctCrt component is as easy as creating a Windows NT account. To delete a Windows NT account, you use the NTAccountDelete method, which takes two arguments: Domain and UserLogin. If you don't specify the domain parameter, the component will use the local machine domain. Here's how you delete the account we added in the previous example code:

 MntAcct.NTAccountDelete "","Test User" 

Associating Windows NT Accounts with Exchange Server Mailboxes

Now that you've seen how to create and delete a Windows NT account, you need to learn how to associate a new Windows NT account with a mailbox and change a Windows NT account associated with a mailbox (in cases where you delete the Windows NT account). The AcctCrt component provides these capabilities through its remaining four methods. The following subroutine shows you all four of these methods.

 Public Sub ManageSids(oldSid, oldDescriptor, NTDomain, _ NTAccountName, NewSid, NewDescriptor) 'Check to see if modifying existing SID If IsEmpty(oldSid) then 'Generate new SID mntAcct.GenerateSecDescriptor NTDomain, NTAccountName, _ NewSecDescriptor 'NewSecDescriptor now contains the new security descriptor. 'We can then use the new security descriptor for our 'mailbox in ADSI. else mntAcct.GetNameFromSid NTDomain, (oldSid), oldNTDomain, _ oldNTAccountName mntAcct.ChangeOwnerofSecDescriptor oldNTDomain, _ oldNTAccountName, NewNTDomain, NewNTAccountName, _ (oldSid), newSecDescriptor 'Just to show how to use it mntAcct.GetSidFromName NewNTDomain, NewNTAccountName, testSid end if 

The ManageSids subroutine takes a number of parameters. If you pass in a security descriptor for the oldSid variable, the subroutine expects you to also pass in a domain name and an account name representing the new account you want to assign the security identifier (SID) to. The subroutine then modifies the security descriptor to reflect the new account and domain. It does this by retrieving the name of the old Windows NT domain and account for the security descriptor using the GetNameFromSid method. This method takes the domain name and a current SID as its parameters. (Be sure to enclose the variable for your SID in parentheses so that the value is passed by reference to the method. If you don't do this, you will receive an error.) The final two parameters are variables that the method fills in for you. They contain the Windows NT domain and the user name that the SID corresponds to.

Security Descriptors and Security Identifiers

Understanding the difference between a security descriptor and a security identifier might be a little confusing. A security descriptor is a structure that contains the security information about an object, such as the owner and primary group, and users who have permissions to access the object. A SID is a structure that uniquely identifies a user or a group in Windows NT. Exchange Server requires the security descriptor to be placed in the NT-Security-Descriptor attribute and the SID to be placed in the Assoc-NT-Account attribute.

The ManageSids subroutine needs to change the ownership of the security descriptor to the new Windows NT domain and account passed in by the user by using the ChangeOwnerOfSecDescriptor method. This method takes six parameters. The first five are values that you pass in, such as the Windows NT domain and account, which is the current account for the security descriptor; the new Windows NT domain and account you want to change the descriptor to; and the descriptor you want to modify, enclosed in parentheses. The sixth parameter is a variable where the new security descriptor is returned. You can then take the new security descriptor and use it to update permissions on the Exchange Server mailbox to reflect a new user using ADSI.

I included the GetSidFromName method in the subroutine to show you how to use it. It retrieves the SID for a Windows NT account if you know only the name and domain of the account. Use GetSidFromName when you want to quickly find an account and retrieve its SID so that you can place it into an Exchange Server mailbox to assign ownership for the mailbox. GetSidFromName takes three parameters, the first two being the Windows NT domain and the account name that you want to find the SID for. Assuming the method could find the account, the third parameter is a variable that the method fills in with the value of the SID.

If you do not pass in the SID to the ManageSids subroutine, the subroutine assumes that you want to generate a new security descriptor for the Windows NT domain and account name that you passed to the parameter. The subroutine generates this new security descriptor by using the method GenerateSecDescriptor. The GenerateSecDescriptor method takes the Windows NT domain, the user name that you want to generate a security descriptor for, and a return variable for the new security descriptor. You can use this new security descriptor in your ADSI code for mailboxes you create.