Summary

Using the IADsUser interface, you can manipulate the majority of the most common administrative tasks performed on a daily basis. Combining enumeration functions with the properties and methods of the IADsUser interface, you can perform extremely powerful queries and account manipulation procedures on a container object and its contents.

The IADsUser interface applies not only to user accounts, but also to computer accounts. This opens a wealth of possibilities, including the ability to query machine password age. Additionally, you can populate unused fields with the name of the primary user, business unit, and physical location of the machine to create extremely powerful directed administration procedures.

Using the password age for a user account, you can force users with privileged accounts to change their passwords more frequently than standard user accounts. Taking such an action is highly recommended if the default domain password policy allows password ages of greater than 30 days to minimize the risk of compromises from password-cracking utilities. Ultimately, encrypting the SAM using SysKey is the best protection against compromise from such utilities.

With the ADSI IADsUser interface, it is also possible to query fields and counters that are not visible using standard Windows NT GUI tools such as BadLoginCount , LastLogin , and LastLogoff for an individual user account.

With the code samples throughout this text and a bit of practice with the ADSI IADsUser interface, you can create extremely powerful user management tools using Visual Basic.