Manipulating Account Properties

As shown in Figure 4.5, the User Manager GUI allows the administrator to set an account expiration date and to specify whether the account may be used across domain trusts (cross-domain security).

Figure 4.5. Account Information dialog box in User Manager for Domains


Using ADSI, you can manipulate both of these elements programmatically: the expiration date through the AccountExpirationDate property of the IADsUser interface, and the account type by setting or clearing the ADS_UF_TEMP_DUPLICATE_ACCOUNT (0x100) bit in the target user's UserFlags property.

Querying the Account Expiration Date Using Visual Basic

To query the SAM to find the account expiration date, simply examine the AccountExpirationDate property of the IADsUser interface using the following code:

    On Error Resume Next
    Dim User As IADsUser
    Dim UserName As String
    Dim UserDomain As String
    UserDomain = "Target_User_Domain"
    UserName = "Target_User_Name"
    ' Bind to the user object through the WinNT provider
    Set User = GetObject("WinNT://" & UserDomain & "/" & UserName & ",user")
    Dim AccountExpirationDate As Date
    ' This assignment raises an error (skipped by the handler above)
    ' when the account has no expiration date defined
    AccountExpirationDate = User.AccountExpirationDate
    Debug.Print AccountExpirationDate

Note

In this example, you instruct Visual Basic to skip over any errors it encounters. If the user account does not define an expiration date, ADSI raises an error stating that the property could not be found in the cache. Note that this error handler affects the entire procedure in which it appears. If you are a "sloppy," one-procedure kind of developer, you may get unexpected results with this option turned on. For best results, wrap the preceding code in its own function, passing in the required user data as arguments, so that the error handler cannot mask errors elsewhere in the module.

With the error handler in place, if the account has no expiration date defined, the failed assignment is skipped and the variable keeps its default value of 0, which the Date data type displays as 12:00:00 AM (the zero date, 30 December 1899).


Setting the Account Expiration Date Using Visual Basic

In cases where an enterprise uses contractors or temporary employees, or wants to make sure an employee's account access is cut off on his or her termination date, the AccountExpirationDate can be set so that logon is disabled from a specified date onward.

Note

It is important to note that the date stored in the SAM will not match the date shown in the GUI, because the GUI specifies the last day on which the user has access (the user retains access until 23:59:59 on the date shown in the GUI, so the SAM holds the start of the following day).


To set a new account expiration date for a user account, replace the #mm/dd/yyyy# placeholder in the following Visual Basic code with the desired date literal:

    Dim User As IADsUser
    Dim UserName As String
    Dim UserDomain As String
    UserDomain = "Target_User_Domain"
    UserName = "Target_User_Name"
    Set User = GetObject("WinNT://" & UserDomain & "/" & UserName & ",user")
    Dim AccountExpirationDate As Date
    ' Replace the placeholder with a real date literal, e.g. #6/30/2000#
    AccountExpirationDate = #mm/dd/yyyy#
    User.AccountExpirationDate = AccountExpirationDate
    ' Changes are written to the SAM only when SetInfo is called
    User.SetInfo

Tip

If you want to remove an existing expiration date (configure the account so that it never expires), simply set the AccountExpirationDate property to #12:00:00#.
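The same three operations (query, set, and clear the expiration date), driven from PowerShell rather than Visual Basic, as an added example that is not from the book. It goes through System.DirectoryServices, whose DirectoryEntry wraps the ADSI WinNT provider: InvokeGet and InvokeSet call the IADsUser.AccountExpirationDate getter and setter, and CommitChanges() is the .NET name for SetInfo. The query function maps the "property could not be found in the cache" error to $null instead of suppressing every error with On Error Resume Next; the setter adds one day so that the date passed in means the same thing as the date typed into User Manager; the clear function follows the book's tip and writes the Date zero value, an assumption you should verify on your own domain. The domain and user names are placeholders.

```powershell
# Added example (not from the book): AccountExpirationDate via PowerShell.
# 'CORP' and 'jdoe' below are placeholder names.

function Get-WinNTAccountExpiration {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][string]$UserName
    )
    $user = [ADSI]"WinNT://$Domain/$UserName,user"
    try {
        # Calls the IADsUser.AccountExpirationDate property getter.
        return [datetime]$user.InvokeGet('AccountExpirationDate')
    } catch {
        # The WinNT provider raises "property could not be found in the cache"
        # when no expiration date is defined. Map that one expected failure to
        # $null rather than silencing every error as On Error Resume Next does.
        return $null
    }
}

function Set-WinNTAccountExpiration {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][string]$UserName,
        # Last day on which the user may still log on, exactly as it would be
        # typed into the "End of" box in User Manager.
        [Parameter(Mandatory)][datetime]$LastDayOfAccess
    )
    $user = [ADSI]"WinNT://$Domain/$UserName,user"
    # The SAM stores the first instant at which the account is expired, i.e.
    # midnight at the start of the following day. Replicate that so the script
    # and the GUI agree on the last day of access.
    $expires = $LastDayOfAccess.Date.AddDays(1)
    $user.InvokeSet('AccountExpirationDate', $expires)
    $user.CommitChanges()        # .NET equivalent of IADs::SetInfo
    return $expires
}

function Clear-WinNTAccountExpiration {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][string]$UserName
    )
    $user = [ADSI]"WinNT://$Domain/$UserName,user"
    # Follows the book's tip of writing VB's #12:00:00# literal, taken here to
    # be the Date zero value (midnight, 30 December 1899). Assumption: verify
    # on your system that the account afterwards reports no expiration date.
    $user.InvokeSet('AccountExpirationDate', [datetime]'1899-12-30')
    $user.CommitChanges()
    $user.RefreshCache()
    # Read back through the query function; $true means no expiration is set.
    return ($null -eq (Get-WinNTAccountExpiration -Domain $Domain -UserName $UserName))
}

# Usage with placeholder names: cut a contractor off after 30 June 2000.
# Set-WinNTAccountExpiration -Domain 'CORP' -UserName 'jdoe' -LastDayOfAccess '2000-06-30'
# Get-WinNTAccountExpiration -Domain 'CORP' -UserName 'jdoe'    # 1 July 2000, 00:00
# Clear-WinNTAccountExpiration -Domain 'CORP' -UserName 'jdoe'
```

Because Clear-WinNTAccountExpiration reads the value back after committing, a sentinel that the provider does not accept as "never expires" shows up immediately as a $false return rather than as an account that silently keeps its old cutoff date.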


Querying the Account Type Using Visual Basic

One of the more subtle configuration options available to Windows NT administrators is the ability to create either global or local accounts. By default, all user accounts are global accounts, which have the ability to access resources in multiple domains. Local accounts are limited to the domain in which they were created.

There are a few rare instances in which a local account may be desirable, such as when a user does not require access to remote domains, or when you must grant a user from an untrusted domain temporary access to the resources of your domain. These occasions may be few and far between; nevertheless, ADSI allows you to query and manipulate this setting.

As with all user flags, simply use the And operator to query the current status of the flag. If the return value is anything other than 0, the ADS_UF_TEMP_DUPLICATE_ACCOUNT flag is set for the account, as in the following Visual Basic code:

    Dim User As IADsUser
    Dim UserName As String
    Dim UserDomain As String
    UserDomain = "Target_User_Domain"
    UserName = "Target_User_Name"
    Set User = GetObject("WinNT://" & UserDomain & "/" & UserName & ",user")
    Dim Flags As Long
    Flags = User.Get("UserFlags")
    ' &H100 = ADS_UF_TEMP_DUPLICATE_ACCOUNT
    If (Flags And &H100) <> 0 Then
        Debug.Print "Local Account"
    Else
        Debug.Print "Global Account"
    End If

Using ADSI, you can also change the account type from a global account (the default) to a local account. Do this by toggling the ADS_UF_TEMP_DUPLICATE_ACCOUNT (0x100) user flag in the target user's SAM record.

Notice in the two examples that follow that SetInfo is called twice when switching between the ADS_UF_TEMP_DUPLICATE_ACCOUNT (0x100) and ADS_UF_NORMAL_ACCOUNT (0x200) user flags. Windows NT does not allow a user account to carry both flags at once, so the conflicting flag must be cleared and committed before the new account type is set.

Configuring a Global Account as a Local Account Using Visual Basic

Using the following Visual Basic code, you can easily disable the ability of an existing account to cross domain trusts by changing it to become a local account:

    Dim User As IADsUser
    Dim UserName As String
    Dim UserDomain As String
    UserDomain = "Target_User_Domain"
    UserName = "Target_User_Name"
    Set User = GetObject("WinNT://" & UserDomain & "/" & UserName & ",user")
    Dim Flags As Long
    Flags = User.Get("UserFlags")
    ' Only act on an account that is currently global (ADS_UF_NORMAL_ACCOUNT, &H200)
    If (Flags And &H200) <> 0 Then
        ' Step 1: clear the conflicting global flag and commit
        User.Put "UserFlags", Flags And Not &H200
        User.SetInfo
        ' Step 2: set the local flag (ADS_UF_TEMP_DUPLICATE_ACCOUNT, &H100) and commit
        Flags = User.Get("UserFlags")
        User.Put "UserFlags", Flags Or &H100
        User.SetInfo
    End If

Configuring a Local Account as a Global Account Using Visual Basic

If someone has already configured an account to be a local account but you now want to reclassify it as global, you can allow the account to cross domain trusts again by clearing the local flag and setting the ADS_UF_NORMAL_ACCOUNT user flag, as follows:

    Dim User As IADsUser
    Dim UserName As String
    Dim UserDomain As String
    UserDomain = "Target_User_Domain"
    UserName = "Target_User_Name"
    Set User = GetObject("WinNT://" & UserDomain & "/" & UserName & ",user")
    Dim Flags As Long
    Flags = User.Get("UserFlags")
    ' Only act on an account that is currently local (ADS_UF_TEMP_DUPLICATE_ACCOUNT, &H100)
    If (Flags And &H100) <> 0 Then
        ' Step 1: clear the conflicting local flag and commit
        User.Put "UserFlags", Flags And Not &H100
        User.SetInfo
        ' Step 2: set the global flag (ADS_UF_NORMAL_ACCOUNT, &H200) and commit
        Flags = User.Get("UserFlags")
        User.Put "UserFlags", Flags Or &H200
        User.SetInfo
    End If
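The account-type query and both reclassification directions from the preceding three examples, as one added PowerShell example that is not from the book. It generalises the two one-way snippets into a single function that clears the conflicting type bit and commits before setting the requested one, as the note above requires, uses explicit -bor and -band -bnot instead of Xor (which flips the wrong way if the flag state is not what the script assumed), and reads UserFlags back after the second commit to confirm the change took. As in the previous example, InvokeGet/InvokeSet and CommitChanges() are the DirectoryEntry wrappers around the ADSI Get/Put/SetInfo calls the book's code uses. The domain and user names are placeholders.

```powershell
# Added example (not from the book): classify and reclassify a WinNT account
# as local or global by manipulating the account-type bits of UserFlags.
# 'CORP' and 'contractor1' below are placeholder names.

$ADS_UF_TEMP_DUPLICATE_ACCOUNT = 0x100   # local account: cannot cross trusts
$ADS_UF_NORMAL_ACCOUNT         = 0x200   # global account: the default

function Get-WinNTUserFlags {
    param([Parameter(Mandatory)][string]$Domain,
          [Parameter(Mandatory)][string]$UserName)
    $user = [ADSI]"WinNT://$Domain/$UserName,user"
    $user.RefreshCache()                  # fresh read, not the property cache
    return [int]$user.InvokeGet('UserFlags')
}

function Get-WinNTAccountType {
    param([Parameter(Mandatory)][string]$Domain,
          [Parameter(Mandatory)][string]$UserName)
    $flags = Get-WinNTUserFlags -Domain $Domain -UserName $UserName
    if ($flags -band $ADS_UF_TEMP_DUPLICATE_ACCOUNT) { return 'Local' }
    if ($flags -band $ADS_UF_NORMAL_ACCOUNT)         { return 'Global' }
    # Workstation, server and interdomain trust accounts use other type bits.
    return 'Other'
}

function Set-WinNTAccountType {
    param([Parameter(Mandatory)][string]$Domain,
          [Parameter(Mandatory)][string]$UserName,
          [Parameter(Mandatory)][ValidateSet('Local', 'Global')][string]$Type)
    if ($Type -eq 'Local') {
        $wanted = $ADS_UF_TEMP_DUPLICATE_ACCOUNT; $conflict = $ADS_UF_NORMAL_ACCOUNT
    } else {
        $wanted = $ADS_UF_NORMAL_ACCOUNT;         $conflict = $ADS_UF_TEMP_DUPLICATE_ACCOUNT
    }
    $user  = [ADSI]"WinNT://$Domain/$UserName,user"
    $flags = [int]$user.InvokeGet('UserFlags')
    if ($flags -band $wanted) { return $Type }      # already the requested type

    if ($flags -band $conflict) {
        # Windows NT refuses both account-type bits at once: clear the current
        # one and commit it before setting the new one (two SetInfo calls).
        $user.InvokeSet('UserFlags', $flags -band (-bnot $conflict))
        $user.CommitChanges()
        $flags = [int]$user.InvokeGet('UserFlags')
    }
    $user.InvokeSet('UserFlags', $flags -bor $wanted)
    $user.CommitChanges()

    # Verify against the SAM rather than trusting the local property cache.
    $after = Get-WinNTUserFlags -Domain $Domain -UserName $UserName
    if (-not ($after -band $wanted) -or ($after -band $conflict)) {
        throw "UserFlags for $Domain\$UserName is 0x$('{0:X}' -f $after); reclassification to $Type did not take"
    }
    return $Type
}

# Usage with placeholder names:
# Set-WinNTAccountType -Domain 'CORP' -UserName 'contractor1' -Type Local
# Get-WinNTAccountType -Domain 'CORP' -UserName 'contractor1'    # Local
# Set-WinNTAccountType -Domain 'CORP' -UserName 'contractor1' -Type Global
```

Reading the flags back through RefreshCache() matters here because a SetInfo that the SAM rejects can leave the ADSI property cache showing the value you tried to write; the verification step turns that into a thrown error instead of a false report of success.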



Windows NT/2000 ADSI Scripting for System Administration
ISBN: 1578702194
Year: 2000
Pages: 194
Authors: Thomas Eck
