Manipulating User Objects

This section describes some typical manipulations with the most frequently used directory objects — user accounts. I would once again recommend that you print out all documentation on the user object (methods and properties supported by various system providers, relevant enumerations, etc.) to keep on hand.

Creating a User Account

Creating a user account is basically a very simple operation. You need only to consider a few details, which different providers will determine. In general, the procedure is the same for both WinNT and LDAP providers: you bind to a container object and use the IADsContainer.Create method for creating a new object of a specified type. However, if the WinNT provider is used, you must bind to a domain, and the new account will appear in the default container — Users. By using the LDAP provider, you can bind to any container or OU and create an account within it. Look at the following code snippets:

WinNT provider:

    Set objDomain = Getobject ("WinNT: //NET")    Set objUser = objDomain. Create ("user", "JSmith")    objUser.SetInfo 

LDAP provider:

    Set objOU = Getobject ("LDAP: //OU=Staff,DC=net,DC=dom")    Set objUser = objOU.Create ("user", "cn=John Smith")    objUser. Put "samAccountName", "JSmith"    ' Additional (optional) property definitions go here, e.g.:    '  objUser.FirstName = "John"    '  objUser. LastName = "Smith"    '  objUser. UserPrincipalName = "JSmith@net.dom"    ' You can set the password only after creating the user account!    objUser.SetInfo 

In both cases, a user account with the minimal number of defined attributes is created. (See also the "Creating Multiple Objects" section.) Table 17.1 shows the differences between these cases.

Resetting the Password

To set or change the password of a user account, you need to use the special methods — SetPassword and ChangePassword — of the IADsUser interface. The following script (Listing 17.8) sets a new password for a user and forces him or her to change it at the first logon to the system.

Listing 17.8. setPassword.vbs — Resetting User Password

    Dim strPath 'As String    Dim objUser 'As IADsUser    strPath = "WinNT: //netdc1/JSmith"    'strPath = "LDAP: //CN=John Smith,OU=Staff, DC=net,DC=dom"    'Connect to the directory object specified in the path:    Set objUser = Getobject (strPath)    'The following statements are used with the LDAP provider:    '  objUser. SetPassword "newPsw"    ' User must change the password:    '  objUser. Put "pwdLastSet", 0    ' The following statements are used with the WinNT provider:    objUser. SetPassword "newPsw"    ' User must change the password:    objUser. Put "PasswordExpired", CLng (1)    On Error Resume Next    objUser.SetInfo    WScript.Echo "Error: " + Hex (Err.Number)    Set objUser = Nothing 

Disabling Accounts

You can disable or enable a user or computer account by binding to an object and using the AccountDisabled method of the IADsUser interface. Take a look at the following example script:

Listing 17.9. disableAccount.vbs — Disabling an Account

    Dim objAccount 'As IADsUser    '  Set objAccount = Getobject ("WinNT: //NET/JSmith") - for users only    ' The LDAP provider allows you to disable both user and computer    ' accounts, for example:    '  Set objAccount = _    '         Getobject ("LDAP: //CN=John Smith,OU=Staff, DC=net, DC=dom")    ' Disable a computer account:    Set objAccount = _           Getobject ("LDAP: //CN=W2KPR03, CN=Computers, DC=net, DC=dom")    objAccount.AccountDisabled = True 'False - to enable    objAccount.SetInfo    Set objAccount = Nothing