Microsoft® Windows® 2000 Scripting Guide
The two primary interfaces for managing Active Directory user accounts are IADs and IADsUser. IADs is a core interface and can be used to manage many types of objects in Active Directory, not just user accounts. In contrast, IADsUser is a persistent interface that is specifically limited to managing user account objects. The attributes of a user account object available from IADsUser are represented as properties of the interface. For example, the pwdLastSet attribute of a user account is represented by the PasswordLastChanged property of IADsUser. IADs has a small set of methods that use the lDAPDisplayNames of attributes to manage user accounts and other types of objects in Active Directory. For example, to retrieve the first name of a user account, IADs reads the attribute by its lDAPDisplayName, givenName.
It might seem sensible to use IADsUser for all of your user account management tasks, because the property names are intuitive and easier to remember than the lDAPDisplayNames of the attributes. However, the IADsUser interface does not provide access to most of the attributes of a user account and is limited to managing user account objects. IADs, on the other hand, can read all attributes of all Active Directory objects. Thus, your comfort with managing user account attributes from the IADs core interface will make it easier to understand how to manage many other types of Active Directory objects.
Managing the attributes of a user account object involves reading and writing to those attributes. The key to using the IADs core interface to manage attributes of user account objects is knowing how to find the following characteristics of each attribute:
If an attribute cannot be easily displayed by using the LDAP provider and VBScript, determine whether you can read the attribute with a persistent interface such as IADsUser or by using the WinNT provider.
Note
When modifying values using either Put or PutEx, you will need to specify the type of operation being performed (clear, update, append, or delete). These operations are listed in Table 7.7.
Table 7.7 Put and PutEx Operations
Constant | Value | Description |
---|---|---|
ADS_PROPERTY_CLEAR | 1 | Clears the value (or values) from the specified attribute. |
ADS_PROPERTY_UPDATE | 2 | Replaces the value in the specified attribute with new values. |
ADS_PROPERTY_APPEND | 3 | Appends a new value to the value (or values) in the specified attribute. |
ADS_PROPERTY_DELETE | 4 | Deletes the value (or values) from the specified attribute. |
The General tab appears first by default when you view the Properties dialog box of a user account object. This tab contains attributes that are commonly used to identify particular users in the directory. The information on this page is available to all Active Directory users when they access the properties of a user account by browsing the directory from Windows Explorer.
The General properties page is shown in this chapter to demonstrate methods for reading and writing user account attributes. These same methods can be used for reading and writing the user account attributes found on the other properties pages.
The lDAPDisplayName of each attribute is commonly used to read and write entries to the General properties page. Therefore, it is important for you to be able to identify these attributes by name. The labels appearing on the property pages are often different from the lDAPDisplayNames of their corresponding attributes. On the General properties page, only two labels are the same as their lDAPDisplayNames: the Description label (with the lDAPDisplayName description) and the Initials label (with the lDAPDisplayName initials). Figure 7.1 shows the General properties page of the MyerKen user account and the lDAPDisplayNames as they appear in the Active Directory schema for each user interface label on this page.
Figure 7.1 User Account Attributes on the General Properties Page
Table 7.8 lists selected properties of the attributes appearing on the General properties page of a user account object.
Table 7.8 User Account Attributes on the General Properties Page and Selected Attribute Definitions
lDAPDisplayName | Single-valued or Multivalued | Indexed | Data Type | In Global Catalog |
---|---|---|---|---|
givenName | Single-valued | Yes | String | Yes |
initials | Single-valued | No | String | No |
sn | Single-valued | Yes | String | Yes |
displayName | Single-valued | Yes | String | Yes |
description | Multivalued | No | String | Yes |
physicalDeliveryOfficeName | Single-valued | Yes | String | No |
telephoneNumber | Single-valued | No | String | Yes |
otherTelephone | Multivalued | No | String | No |
| | Single-valued | Yes | String | Yes |
wWWHomePage | Single-valued | No | String | No |
url | Multivalued | No | String | No |
The cn/name attribute, MyerKen, that appears near the top of Figure 7.1 does not appear in Table 7.8 because this attribute is automatically created when the user account object is created, and it cannot be changed by simply modifying the cn/name attribute. Modifying this attribute is equivalent to renaming the user account object. For information about renaming a user account, see "Moving and Renaming User Accounts" later in this chapter.
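The read and write operations described above, as an added VBScript example that is not part of the original guide: it writes attributes from Table 7.8 with Put and PutEx, using the control codes from Table 7.7, and reads them back by lDAPDisplayName, including the case where an attribute has no value. The ADsPath, the attribute values, and the ReadAttribute helper are assumptions made for illustration.

```vbscript
Option Explicit

' PutEx control codes from Table 7.7
Const ADS_PROPERTY_CLEAR = 1
Const ADS_PROPERTY_UPDATE = 2
Const ADS_PROPERTY_APPEND = 3
' ADSI error returned by Get/GetEx when an attribute has no value
Const E_ADS_PROPERTY_NOT_FOUND = &H8000500D
' Assumed ADsPath; point it at a test user in your own domain
Const USER_ADSPATH = "LDAP://cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com"

Dim objUser, strName
Set objUser = GetObject(USER_ADSPATH)

' Single-valued attributes (Table 7.8): Put overwrites the value (constructed values)
objUser.Put "givenName", "Ken"
objUser.Put "initials", "E"
objUser.Put "sn", "Myer"
' Multivalued attributes: PutEx takes a control code and an array of values.
' General-page values are readable by every directory user, so keep secrets out.
objUser.PutEx ADS_PROPERTY_UPDATE, "description", Array("Management staff")
objUser.PutEx ADS_PROPERTY_UPDATE, "otherTelephone", Array("(425) 555-0116")
objUser.SetInfo    ' nothing reaches the directory until SetInfo commits the cache

' Second commit: append one more value and clear a single-valued attribute
objUser.PutEx ADS_PROPERTY_APPEND, "otherTelephone", Array("(425) 555-0117")
objUser.PutEx ADS_PROPERTY_CLEAR, "initials", 0
objUser.SetInfo
objUser.GetInfo    ' refresh the local property cache from the directory

For Each strName In Array("givenName", "initials", "sn", "description", "otherTelephone")
    WScript.Echo strName & ": " & ReadAttribute(objUser, strName)
Next

' Returns all values of an attribute joined by "; ", or "(not set)" if it is empty.
' GetEx returns an array for single-valued and multivalued attributes alike.
Function ReadAttribute(objADs, strAttribute)
    Dim arrValues
    On Error Resume Next
    arrValues = objADs.GetEx(strAttribute)
    If Err.Number = E_ADS_PROPERTY_NOT_FOUND Then
        ReadAttribute = "(not set)"
    ElseIf Err.Number <> 0 Then
        ReadAttribute = "(error 0x" & Hex(Err.Number) & ")"
    Else
        ReadAttribute = Join(arrValues, "; ")
    End If
    On Error GoTo 0
End Function
```

Run it with cscript.exe against a test account; the two PutEx calls on otherTelephone are committed separately so that each control code is applied in its own SetInfo.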