Creating and Deleting Objects Using IADsContainer

As a container object, a domain must expose the ability to create and remove objects within the container. Whether you are managing a resource domain or a user domain, the Create and Delete methods of the IADsContainer interface let you add and remove computer accounts, user accounts, and groups in the domain.

Note

An account with administrative privileges in the bound domain is required to add or remove objects in the domain container. A run-time error (-2147023570, hex 8007052e) is returned if the calling account does not have sufficient privileges when it attempts to add or remove an object from the domain container.


Adding and Removing Computer Accounts

For any Windows NT machine to participate in domain security, it must first have a computer account created in the resource domain. Typically, the creation of such an account is performed using Server Manager.

Using ADSI, you can perform the addition and removal of machine accounts with the distinct advantage of being able to script and automate the creation/removal of new machine accounts.

Adding a New Computer Account Using Visual Basic

Contrary to popular understanding, a computer account is actually a user account with a few exceptions:

  • The object must be created using the "computer" class.

  • The object must have the user flag ADS_UF_WORKSTATION_TRUST_ACCOUNT (0x1000) set.

  • The initial password for the account must be set to the name of the machine in lower case.

Use the following Visual Basic code to create a new computer account in the domain:

    Dim Container As IADsContainer
    Dim ContainerName As String
    Dim ComputerAccount As IADsUser
    Dim Computer As IADsComputer
    Dim NewComputer As String

    ContainerName = "Container_Name_To_Manage"
    NewComputer = "Computer_Account_To_Create"

    ' First binding: the domain container.
    Set Container = GetObject("WinNT://" & ContainerName)

    ' Second binding: create the computer object and commit it to the SAM.
    Set Computer = Container.Create("Computer", UCase(NewComputer))
    Computer.SetInfo

    ' Third binding: open the same account as a user to set the trust flag
    ' (ADS_UF_WORKSTATION_TRUST_ACCOUNT = &H1000) and the initial password.
    Set ComputerAccount = GetObject("WinNT://" & ContainerName & "/" & NewComputer & "$,user")
    ComputerAccount.Put "UserFlags", (ComputerAccount.Get("UserFlags") Or &H1000)
    ComputerAccount.SetPassword LCase(NewComputer)
    ComputerAccount.SetInfo

Note

Notice that three bindings are taking place in this example. After binding the container, a new computer object is created and written to the namespace. Then, the new object is bound as a user object and several user account properties are set to allow the machine to join the domain.
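The following routine is an added example and is not code from the book. It wraps the three bindings described above in a function that first checks whether the account already exists, traps the access-denied error (8007052e) mentioned at the start of this section, and reads the UserFlags value back from the SAM after the write to confirm that the trust-account flag actually took. The domain and machine names passed in are placeholders; the function and constant names are the author's own.

```vb
Option Explicit

Private Const ADS_UF_WORKSTATION_TRUST_ACCOUNT As Long = &H1000
Private Const E_ACCESS_DENIED As Long = -2147023570       ' hex 8007052E

' Returns True when the computer account exists and carries the trust flag
' afterwards; Message receives a one-line report for logging.
Public Function EnsureComputerAccount(ByVal DomainName As String, _
                                      ByVal MachineName As String, _
                                      ByRef Message As String) As Boolean
    Dim Container As IADsContainer
    Dim Computer As IADsComputer
    Dim Account As IADsUser
    Dim Flags As Long

    EnsureComputerAccount = False
    Message = ""
    On Error GoTo Failed

    Set Container = GetObject("WinNT://" & DomainName)

    ' Probe for an existing account; GetObject raises an error when it is absent,
    ' in which case Account stays Nothing.
    On Error Resume Next
    Set Account = GetObject("WinNT://" & DomainName & "/" & MachineName & "$,user")
    On Error GoTo Failed

    If Account Is Nothing Then
        Set Computer = Container.Create("Computer", UCase(MachineName))
        Computer.SetInfo
        Set Account = GetObject("WinNT://" & DomainName & "/" & MachineName & "$,user")
        Account.Put "UserFlags", (Account.Get("UserFlags") Or ADS_UF_WORKSTATION_TRUST_ACCOUNT)
        Account.SetPassword LCase(MachineName)
        Account.SetInfo
        Message = "Created computer account " & MachineName & "$"
    Else
        Message = "Computer account " & MachineName & "$ already exists; nothing changed"
    End If

    ' Refresh the property cache from the SAM instead of trusting local state.
    Account.GetInfo
    Flags = Account.Get("UserFlags")
    If (Flags And ADS_UF_WORKSTATION_TRUST_ACCOUNT) = 0 Then
        Message = Message & " (warning: trust-account flag is not set)"
        Exit Function
    End If

    EnsureComputerAccount = True
    Exit Function

Failed:
    If Err.Number = E_ACCESS_DENIED Then
        Message = "Access denied: an administrative account in the domain is required"
    Else
        Message = "Error " & Hex$(Err.Number) & ": " & Err.Description
    End If
End Function
```

The existence probe matters because calling Create for a name that is already present fails at SetInfo; checking first lets the routine report "already exists" as a distinct outcome rather than a generic error.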


Removing a Computer Account Using Visual Basic

To remove a computer account, simply bind to the container object and call the Delete method on the account to remove it from the container.

Unlike the Create method, deletions are performed immediately and do not require a call to the SetInfo method to commit the change to the SAM.

    Dim Container As IADsContainer
    Dim ContainerName As String
    Dim ComputerToRemove As String

    ContainerName = "Container_Name_To_Manage"
    ComputerToRemove = "Computer_Account_To_Remove"

    Set Container = GetObject("WinNT://" & ContainerName)

    ' Delete takes effect immediately; no SetInfo call is needed.
    Call Container.Delete("Computer", ComputerToRemove)

Adding, Removing, and Renaming User Accounts

Using the IADsContainer and IADsUser objects, you can begin the process of creating a new user in the domain. This process is similar to creating a new user account using User Manager for Domains without setting any of the extended properties for the account (such as full name, description, group membership, password, and so on). These properties will be covered in great detail in Chapter 4, "Programmatic User Account Manipulation".

Although the variable names and data types are changed to accommodate the class of the new object, the syntax used to create a new user or group is nearly identical for each class. Additionally, you can rename user accounts using the IADsContainer MoveHere method.

Adding a New User Account Using Visual Basic

After binding to the container, you can simply call the IADsContainer Create method to establish a new object in the container. Use the following Visual Basic code to add a new user account:

    Dim Container As IADsContainer
    Dim ContainerName As String
    Dim User As IADsUser
    Dim NewUser As String

    ContainerName = "Container_Name_To_Manage"
    NewUser = "User_Account_To_Create"

    Set Container = GetObject("WinNT://" & ContainerName)

    ' Create populates the local property cache; SetInfo writes the account to the SAM.
    Set User = Container.Create("User", NewUser)
    User.SetInfo

Tip

If you wish to set properties of the user object, such as the description or full name associated with the account, you should do so before calling the IADs SetInfo method. Note that SetPassword is an immediate operation: the account must exist before attempting any password manipulation function calls. See Chapter 4 for more information on user account property manipulation.
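The following function is an added example, not code from the book, that puts the ordering from the tip above into practice: the cached properties are set before the first SetInfo, the password is set only after the account has been committed, and the password is then marked expired so that it must be changed at first logon. If anything fails after the account has been written, the half-configured account is deleted again rather than left behind with an unmanaged password. Domain, account and property values are placeholders; the function name is the author's own, and PasswordExpired is the WinNT provider's user property for forcing a password change.

```vb
Option Explicit

' Creates a domain user and returns True on success. Message receives a report.
Public Function CreateUserAccount(ByVal DomainName As String, _
                                  ByVal UserName As String, _
                                  ByVal FullName As String, _
                                  ByVal Description As String, _
                                  ByVal InitialPassword As String, _
                                  ByRef Message As String) As Boolean
    Dim Container As IADsContainer
    Dim User As IADsUser
    Dim Committed As Boolean

    CreateUserAccount = False
    Committed = False
    On Error GoTo Failed

    Set Container = GetObject("WinNT://" & DomainName)
    Set User = Container.Create("User", UserName)

    ' Cached properties: set them now so the first SetInfo writes them with the account.
    User.Put "FullName", FullName
    User.Put "Description", Description
    User.SetInfo
    Committed = True                  ' the account now exists in the SAM

    ' SetPassword is not cached; it needs the committed account.
    User.SetPassword InitialPassword

    ' Mark the password expired so the user must change it at first logon
    ' (PasswordExpired = 1 means expired).
    User.Put "PasswordExpired", 1
    User.SetInfo

    ' Read back from the SAM to confirm what was stored.
    User.GetInfo
    If User.Get("FullName") <> FullName Then
        Err.Raise vbObjectError + 1, , "FullName was not stored as requested"
    End If

    Message = "Created user " & UserName
    CreateUserAccount = True
    Exit Function

Failed:
    Message = "Error " & Hex$(Err.Number) & ": " & Err.Description
    If Committed Then
        On Error Resume Next          ' best-effort rollback; Err is reset here
        Set User = Nothing
        Container.Delete "User", UserName
        If Err.Number = 0 Then Message = Message & " (account rolled back)"
    End If
End Function
```

The Committed flag is what makes the rollback safe: a failure in Create or the first SetInfo leaves nothing in the SAM, so Delete is only attempted once the account is known to exist.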


Removing a User Account Using Visual Basic

Unlike the addition of a new object in a container, removal of an object from a container requires only a call to the Delete method of the IADsContainer interface. Use the following Visual Basic code to remove a user account:

    Dim Container As IADsContainer
    Dim ContainerName As String
    Dim UserToRemove As String

    ContainerName = "Container_Name_To_Manage"
    UserToRemove = "User_Account_To_Remove"

    Set Container = GetObject("WinNT://" & ContainerName)

    ' Delete is immediate; no SetInfo call follows.
    Call Container.Delete("User", UserToRemove)

Renaming a User Account Using Visual Basic

Because each account is identified by its security identifier (SID), Windows NT allows you to easily rename user accounts. To do this programmatically, simply use the IADsContainer MoveHere method to change the name of the account. Although the name has changed, the SID has remained the same, leaving all access control lists (ACLs) intact. Use the following Visual Basic code to rename a user account:

    Dim Container As IADsContainer
    Dim ContainerName As String
    Dim OldName As String
    Dim User As IADsUser
    Dim NewUser As IADsUser
    Dim NewName As String

    OldName = "Old_Account_Name"
    NewName = "New_Account_Name"
    ContainerName = "Target_Domain_Name"

    Set Container = GetObject("WinNT://" & ContainerName)

    ' Bind to the existing account so its ADsPath can be handed to MoveHere.
    Set User = GetObject("WinNT://" & ContainerName & "/" & OldName & ",user")

    ' MoveHere within the same container renames the object; the SID is unchanged.
    Set NewUser = Container.MoveHere(User.ADsPath, NewName)
    Set User = Nothing
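The routine below is an added example, not code from the book. It performs the rename shown above and then checks the claim that the SID survives by comparing the account's objectSid octet string before and after the MoveHere call. It assumes a WinNT provider build that exposes objectSid on user objects as a byte array (true of the Windows 2000 ADSI provider); the helper renders the raw octets as hex for comparison rather than in the familiar S-1-5-... text form. Domain and account names are placeholders and the function names are the author's own.

```vb
Option Explicit

' Renders an octet-string Variant (byte array) as a hex string.
Private Function BytesToHex(ByVal Octets As Variant) As String
    Dim i As Long
    BytesToHex = ""
    For i = LBound(Octets) To UBound(Octets)
        BytesToHex = BytesToHex & Right$("0" & Hex$(Octets(i)), 2)
    Next i
End Function

' Renames OldName to NewName in DomainName and returns True only if the
' objectSid read back after the rename matches the one read before it.
Public Function RenameUserKeepingSid(ByVal DomainName As String, _
                                     ByVal OldName As String, _
                                     ByVal NewName As String, _
                                     ByRef Message As String) As Boolean
    Dim Container As IADsContainer
    Dim User As IADsUser
    Dim Renamed As IADsUser
    Dim SidBefore As String
    Dim SidAfter As String

    RenameUserKeepingSid = False
    Message = ""
    On Error GoTo Failed

    Set Container = GetObject("WinNT://" & DomainName)
    Set User = GetObject("WinNT://" & DomainName & "/" & OldName & ",user")
    SidBefore = BytesToHex(User.Get("objectSid"))

    Set Renamed = Container.MoveHere(User.ADsPath, NewName)
    Set User = Nothing

    ' Re-bind by the new path so the comparison reads the SAM, not a stale cache.
    Set Renamed = GetObject("WinNT://" & DomainName & "/" & NewName & ",user")
    SidAfter = BytesToHex(Renamed.Get("objectSid"))

    If SidBefore <> SidAfter Then
        Message = "SID changed: " & SidBefore & " -> " & SidAfter
        Exit Function
    End If

    Message = "Renamed " & OldName & " to " & NewName & "; SID " & SidBefore & " unchanged"
    RenameUserKeepingSid = True
    Exit Function

Failed:
    Message = "Error " & Hex$(Err.Number) & ": " & Err.Description
End Function
```

Because the SID is the identity that ACLs and audit records refer to, a rename leaves both intact; the check makes that property explicit in the script's output instead of leaving it as an assumption.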

Adding and Removing Groups

Once again, by making a simple change to the name of the class of object to be manipulated, the same code can be reused for group creation and deletion.

You can determine the default group type by looking at the type of object that is bound. For example, if you bind to a local workstation SAM, you are permitted only to create a local group, and thus this is the default group type created when the Create method of IADsContainer is called.

By default, a domain controller binding will yield the creation of a global group when the Create method is called. To prevent such ambiguity when creating groups, you can assign an ADSI constant to the GroupType attribute to explicitly state which group type you wish to create.

Adding a New Local Group Using Visual Basic

To add a local group on a domain controller, member server, or workstation, set the GroupType parameter to ADS_GROUP_TYPE_LOCAL_GROUP (0x4) after calling the Create method of the IADsContainer interface. Use the following Visual Basic code to add a new local group:

    Dim Container As IADsContainer
    Dim ContainerName As String
    Dim Group As IADsGroup
    Dim NewGroup As String

    ContainerName = "Container_Name_To_Manage"
    NewGroup = "Requested_Groupname"

    Set Container = GetObject("WinNT://" & ContainerName)

    ' Set groupType explicitly (ADS_GROUP_TYPE_LOCAL_GROUP = 4) before committing.
    Set Group = Container.Create("Group", NewGroup)
    Group.Put "groupType", 4
    Group.SetInfo

Adding a New Global Group Using Visual Basic

Just as you can specify that the group to be created should belong to the LocalGroup class, you can create global groups on domain controllers by specifying the ADS_GROUP_TYPE_GLOBAL_GROUP (0x2) parameter when creating a new group object in the container. Use the following Visual Basic code to add a new global group:

    Dim Container As IADsContainer
    Dim ContainerName As String
    Dim Group As IADsGroup
    Dim NewGroup As String

    ContainerName = "Container_Name_To_Manage"
    NewGroup = "Requested_Groupname"

    Set Container = GetObject("WinNT://" & ContainerName)

    ' Set groupType explicitly (ADS_GROUP_TYPE_GLOBAL_GROUP = 2) before committing.
    Set Group = Container.Create("Group", NewGroup)
    Group.Put "groupType", 2
    Group.SetInfo

Note

Despite the difference in classes, Windows NT does not allow the coexistence of a local group and a global group with the same name.
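The following is an added example, not code from the book, that combines the two points made above: it never relies on the binding's default group type, and it uses the fact that NT will not hold a local and a global group under the same name. It binds to the generic "group" class to find any existing group of the requested name, reports a mismatch if that group is of the other type, and otherwise creates the group with an explicit groupType. Container and group names are placeholders; the function and constant names are the author's own.

```vb
Option Explicit

Private Const ADS_GROUP_TYPE_GLOBAL_GROUP As Long = &H2
Private Const ADS_GROUP_TYPE_LOCAL_GROUP As Long = &H4

' Human-readable name for a groupType value, used in reports.
Private Function GroupTypeName(ByVal GroupType As Long) As String
    Select Case GroupType
        Case ADS_GROUP_TYPE_LOCAL_GROUP:  GroupTypeName = "local"
        Case ADS_GROUP_TYPE_GLOBAL_GROUP: GroupTypeName = "global"
        Case Else:                        GroupTypeName = "unknown (" & Hex$(GroupType) & ")"
    End Select
End Function

' Ensures a group of the requested type exists in ContainerName. Returns True
' when the group exists with WantedType; False if it exists with another type
' or an error occurred. Message receives a one-line report.
Public Function EnsureGroupOfType(ByVal ContainerName As String, _
                                  ByVal GroupName As String, _
                                  ByVal WantedType As Long, _
                                  ByRef Message As String) As Boolean
    Dim Container As IADsContainer
    Dim Group As IADsGroup
    Dim ActualType As Long

    EnsureGroupOfType = False
    Message = ""
    On Error GoTo Failed

    Set Container = GetObject("WinNT://" & ContainerName)

    ' The generic "group" class binds either a local or a global group; since the
    ' SAM holds at most one group per name, a successful bind is the only candidate.
    On Error Resume Next
    Set Group = GetObject("WinNT://" & ContainerName & "/" & GroupName & ",group")
    On Error GoTo Failed

    If Group Is Nothing Then
        Set Group = Container.Create("Group", GroupName)
        Group.Put "groupType", WantedType     ' explicit, independent of the binding default
        Group.SetInfo
        Message = "Created " & GroupTypeName(WantedType) & " group " & GroupName
    End If

    ' Read the committed type back from the SAM and compare it to what was asked for.
    Group.GetInfo
    ActualType = Group.Get("groupType")
    If ActualType <> WantedType Then
        Message = "Group " & GroupName & " exists as a " & GroupTypeName(ActualType) & _
                  " group, not " & GroupTypeName(WantedType)
        Exit Function
    End If

    If Len(Message) = 0 Then
        Message = "Group " & GroupName & " already exists as a " & GroupTypeName(ActualType) & " group"
    End If
    EnsureGroupOfType = True
    Exit Function

Failed:
    Message = "Error " & Hex$(Err.Number) & ": " & Err.Description
End Function
```

Reading groupType back after SetInfo is the check worth keeping even in a one-off script: it catches the case where a bind to a workstation SAM silently produced a local group when a global one was intended.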


Removing a Group Using Visual Basic

In the removal process, Windows NT does not care if the group object is a local group or a global group, so you need not specify an explicit group class. In these cases, the generic "Group" class will not yield any ambiguity when binding to the group object that you wish to remove. Use the following Visual Basic code to remove a group:

    Dim Container As IADsContainer
    Dim ContainerName As String
    Dim GroupToRemove As String

    ContainerName = "Container_Name_To_Manage"
    GroupToRemove = "Group_To_Remove"

    Set Container = GetObject("WinNT://" & ContainerName)

    ' The generic "Group" class removes a local or a global group of that name.
    Call Container.Delete("Group", GroupToRemove)

Windows NT/2000 ADSI Scripting for System Administration
ISBN: 1578702194
Year: 2000
Pages: 194
Authors: Thomas Eck
