One interesting technique you can use with ADSI is creating users. Although using the Graphical User Interface (GUI) to create a single user is easy, using it to create a dozen or more users certainly is not. In addition, as you’ll see, because ADSI scripts are so similar to one another, deleting a dozen or more users is just as simple as creating them. And because you can use the same input text file for all the scripts, ADSI makes creating temporary accounts for use in a lab or school a real snap.
Just the Steps: To create users
The CreateUser.ps1 script, which follows, is very similar to the CreateOU.ps1 script. In fact, CreateUser.ps1 was created from CreateOU.ps1, so a detailed analysis of the script is unnecessary. The only difference is that $strClass is set to the “User” class instead of the “organizationalUnit” class.
Tip: These scripts use a Windows PowerShell trick. When using VBScript to create a user or a group, you must supply a value for the sAMAccountName attribute. When using Windows PowerShell on Windows 2000, this is also the case. With Windows PowerShell on Windows Server 2003, however, the sAMAccountName attribute will be created for you automatically. In the CreateUser.ps1 script, I have included the $objUser.Put command, which would be required for Windows 2000, but it is not required in Windows Server 2003.
CreateUser.ps1
# Class of object to create and its relative distinguished name
$strClass = "User"
$strName = "CN=MyNewUser"
# Bind to the OU that will contain the new user
$objADSI = [ADSI]"LDAP://ou=myTestOU,dc=nwtraders,dc=msft"
# Create the object in the local cache, set the required attribute, then commit
$objUser = $objADSI.Create($strClass, $strName)
$objUser.Put("sAMAccountName", "MyNewUser")
$objUser.SetInfo()
Q. To create a user, which class must be specified?
A. You need to specify the User class to create a user.
Q. What is the Put method used for?
A. The Put method is used to write additional property data to the object that it is bound to.
Open the CreateUser.ps1 script in Notepad, and save it as yourname CreateGroup.ps1.
Declare a variable called $intGroupType. This variable will be used to control the type of group to create. Assign the number 2 to the variable. When used as the group type, a type 2 will be a distribution group. This line of code is shown here:
$intGroupType = 2
Change the value of $strClass from user to group. This variable will be used to control the type of object that gets created in Active Directory. This is shown here:
$strClass = "Group"
Change the name of the $objUser variable to $objGroup (less confusing that way). This will need to be done in two places, as shown here:
$objGroup = $objADSI.Create($strClass, $strName)
$objGroup.SetInfo()
Above the $objGroup.SetInfo() line, use the Put method to make the new group a distribution group. A distribution group has a groupType of 2, which is the value held in the $intGroupType variable. This line of code is shown here:
$ObjGroup.put("GroupType",$intGroupType)
Save and run the script. It should create a group called MyNewGroup in the MyTestOU in Active Directory. If the script does not perform as expected, compare your script with the CreateGroup.ps1 script.
This concludes the creating groups procedure.
Open the CreateUser.ps1 script in Notepad, and save it as yourname CreateComputer.ps1.
Change the $strClass from “user” to “Computer”. The revised command is shown here:
$strClass = "Computer"
Change the $strName from “CN=MyNewUser” to “CN=MyComputer”. This command is shown here:
$StrName = "CN=MyComputer"
The [ADSI] accelerator connection string is already connecting to ou=myTestOU and should not need modification.
Change the name of the $objUser variable used to hold the object that is returned from the Create method to $objComputer. This revised line of code is shown here:
$objComputer = $objADSI.Create($strClass, $strName)
Use the Put method from the DirectoryEntry object created in the previous line to put the value “MyComputer” in the sAMAccountName attribute. This line of code is shown here:
$objComputer.put("sAMAccountName", "MyComputer")
Use the SetInfo() method to write the changes to Active Directory. This line of code is shown here:
$objComputer.setInfo()
After the Computer object has been created in Active Directory, you can modify the UserAccountControl attribute. The value 4128 in UserAccountControl marks the computer as a trusted workstation account for which a password is not required. This line of code is shown here:
$objComputer.put("UserAccountControl",4128)
Use the SetInfo() method to write the change back to Active Directory. This line of code is shown here:
$objComputer.setinfo()
Save and run the script. You should see a computer account appear in Active Directory Users and Computers. If your script does not produce the expected results, compare it with CreateComputer.ps1.
This concludes the creating a computer account procedure.
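The three scripts in this chapter (CreateUser.ps1, CreateGroup.ps1 and CreateComputer.ps1) differ only in the class, the name and which attributes are written before or after the first SetInfo(). The following function is an added example, not code from the book, that generalizes them into one call; it assumes the lab OU path used in the chapter and plain CN names without commas, and it refuses to recreate an object that already exists rather than failing inside SetInfo().

```powershell
# Added example (not from the book): one function generalizing CreateUser.ps1,
# CreateGroup.ps1 and CreateComputer.ps1. The default OU path is the chapter's lab OU.
function New-AdsiObject {
    param(
        [Parameter(Mandatory=$true)][ValidateSet('user', 'group', 'computer')][string]$Class,
        [Parameter(Mandatory=$true)][string]$Name,   # plain CN, no commas (assumption)
        [string]$ParentPath = 'LDAP://ou=myTestOU,dc=nwtraders,dc=msft',
        [hashtable]$Attributes = @{},           # written before the first SetInfo (e.g. groupType)
        [hashtable]$PostCreateAttributes = @{}  # written after the object exists (e.g. userAccountControl)
    )

    # Check for an existing object first so a typo does not silently target the wrong account.
    $childPath = $ParentPath -replace '^LDAP://', "LDAP://CN=$Name,"
    if ([ADSI]::Exists($childPath)) {
        throw "Object already exists: $childPath"
    }

    $parent = [ADSI]$ParentPath
    $obj = $parent.Create($Class, "CN=$Name")

    # sAMAccountName is mandatory on Windows 2000 and harmless on Windows Server 2003 (see the Tip).
    # Note: the chapter's scripts omit the trailing "$" that the Active Directory Users and
    # Computers console appends to a computer's sAMAccountName.
    $obj.Put('sAMAccountName', $Name)
    foreach ($attr in $Attributes.Keys) {
        $obj.Put($attr, $Attributes[$attr])
    }
    $obj.SetInfo()

    # Second pass for attributes the chapter sets only after the object exists.
    if ($PostCreateAttributes.Count -gt 0) {
        foreach ($attr in $PostCreateAttributes.Keys) {
            $obj.Put($attr, $PostCreateAttributes[$attr])
        }
        $obj.SetInfo()
    }
    return $obj
}

# The three scripts from the chapter, expressed as calls:
New-AdsiObject -Class user     -Name 'MyNewUser'
New-AdsiObject -Class group    -Name 'MyNewGroup' -Attributes @{ groupType = 2 }
New-AdsiObject -Class computer -Name 'MyComputer' -PostCreateAttributes @{ userAccountControl = 4128 }
```

Because the object is created with only sAMAccountName set, a user created this way is disabled and has no password until you set them, which is the safe default for lab accounts.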
What Is User Account Control?

User account control is an attribute stored in Active Directory that is used to enable or disable a User Account, Computer Account, or other object defined in Active Directory. It is not a single string attribute; rather, it is a series of flags that are computed from the values listed in Table 7-3. Because of the way the UserAccountControl attribute is built, simply examining the numeric value is of little help unless you can decipher the individual values that make up the large number. These flags, when added together, control the behavior of the account on the system. In the script CreateComputer.ps1, we set two user account control flags: the ADS_UF_PASSWD_NOTREQD flag and the ADS_UF_WORKSTATION_TRUST_ACCOUNT flag. The password-not-required flag has a hex value of 0x20, and the trusted-workstation flag has a hex value of 0x1000. When added together and converted to decimal, they equal 4128, which is the value actually shown in ADSI Edit.
| ADS Constant | Value |
|---|---|
| ADS_UF_SCRIPT | 0x0001 |
| ADS_UF_ACCOUNTDISABLE | 0x0002 |
| ADS_UF_HOMEDIR_REQUIRED | 0x0008 |
| ADS_UF_LOCKOUT | 0x0010 |
| ADS_UF_PASSWD_NOTREQD | 0x0020 |
| ADS_UF_PASSWD_CANT_CHANGE | 0x0040 |
| ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED | 0x0080 |
| ADS_UF_TEMP_DUPLICATE_ACCOUNT | 0x0100 |
| ADS_UF_NORMAL_ACCOUNT | 0x0200 |
| ADS_UF_INTERDOMAIN_TRUST_ACCOUNT | 0x0800 |
| ADS_UF_WORKSTATION_TRUST_ACCOUNT | 0x1000 |
| ADS_UF_SERVER_TRUST_ACCOUNT | 0x2000 |
| ADS_UF_DONT_EXPIRE_PASSWD | 0x10000 |
| ADS_UF_MNS_LOGON_ACCOUNT | 0x20000 |
| ADS_UF_SMARTCARD_REQUIRED | 0x40000 |
| ADS_UF_TRUSTED_FOR_DELEGATION | 0x80000 |
| ADS_UF_NOT_DELEGATED | 0x100000 |
| ADS_UF_USE_DES_KEY_ONLY | 0x200000 |
| ADS_UF_DONT_REQUIRE_PREAUTH | 0x400000 |
| ADS_UF_PASSWORD_EXPIRED | 0x800000 |
| ADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION | 0x1000000 |
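Since the sidebar notes that the raw number is of little help without decoding it, here is an added example (not from the book) that turns a userAccountControl value such as 4128 back into the ADS_UF_* names from the table, and composes a value from names for use with Put. Only the constants listed above are used; no Active Directory connection is needed to run it.

```powershell
# Added example (not from the book): decode and compose userAccountControl
# using the ADS_UF_* constants from the table above.
$AdsUserFlags = [ordered]@{
    ADS_UF_SCRIPT                                 = 0x0001
    ADS_UF_ACCOUNTDISABLE                         = 0x0002
    ADS_UF_HOMEDIR_REQUIRED                       = 0x0008
    ADS_UF_LOCKOUT                                = 0x0010
    ADS_UF_PASSWD_NOTREQD                         = 0x0020
    ADS_UF_PASSWD_CANT_CHANGE                     = 0x0040
    ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED        = 0x0080
    ADS_UF_TEMP_DUPLICATE_ACCOUNT                 = 0x0100
    ADS_UF_NORMAL_ACCOUNT                         = 0x0200
    ADS_UF_INTERDOMAIN_TRUST_ACCOUNT              = 0x0800
    ADS_UF_WORKSTATION_TRUST_ACCOUNT              = 0x1000
    ADS_UF_SERVER_TRUST_ACCOUNT                   = 0x2000
    ADS_UF_DONT_EXPIRE_PASSWD                     = 0x10000
    ADS_UF_MNS_LOGON_ACCOUNT                      = 0x20000
    ADS_UF_SMARTCARD_REQUIRED                     = 0x40000
    ADS_UF_TRUSTED_FOR_DELEGATION                 = 0x80000
    ADS_UF_NOT_DELEGATED                          = 0x100000
    ADS_UF_USE_DES_KEY_ONLY                       = 0x200000
    ADS_UF_DONT_REQUIRE_PREAUTH                   = 0x400000
    ADS_UF_PASSWORD_EXPIRED                       = 0x800000
    ADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION = 0x1000000
}

# Split a numeric userAccountControl into the names of the flags that are set.
function ConvertFrom-UserAccountControl {
    param([Parameter(Mandatory=$true)][int]$Value)
    $AdsUserFlags.GetEnumerator() |
        Where-Object { ($Value -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }
}

# The reverse: OR flag names together into the number that Put("userAccountControl", ...) expects.
function ConvertTo-UserAccountControl {
    param([Parameter(Mandatory=$true)][string[]]$Flag)
    $total = 0
    foreach ($name in $Flag) {
        if (-not $AdsUserFlags.Contains($name)) { throw "Unknown flag: $name" }
        $total = $total -bor $AdsUserFlags[$name]
    }
    return $total
}

# The value CreateComputer.ps1 writes, decoded, and rebuilt from its two flag names
ConvertFrom-UserAccountControl 4128
ConvertTo-UserAccountControl ADS_UF_PASSWD_NOTREQD, ADS_UF_WORKSTATION_TRUST_ACCOUNT
```

The same decoder is useful in audits: run it over each account's userAccountControl and look for flags such as ADS_UF_PASSWD_NOTREQD, ADS_UF_DONT_REQUIRE_PREAUTH or ADS_UF_TRUSTED_FOR_DELEGATION on accounts that should not have them.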