This section describes typical operations on the most frequently used directory objects, user accounts. Once again, I recommend printing out the documentation on the user object (the methods and properties supported by the various system providers, the relevant enumerations, and so on) and keeping it at hand.
Note: See Listing 17.13 for information on moving and renaming user accounts.
Creating a user account is a simple operation; only a few provider-specific details have to be considered. The procedure is the same for the WinNT and LDAP providers: bind to a container object and call the IADsContainer.Create method to create a new object of the specified class. With the WinNT provider, however, you must bind to the domain itself, and the new account always appears in the default container, Users. With the LDAP provider you can bind to any container or OU and create the account there. Compare the following code snippets:
WinNT provider:
Set objDomain = GetObject("WinNT://NET")
Set objUser = objDomain.Create("user", "JSmith")
objUser.SetInfo
LDAP provider:
Set objOU = GetObject("LDAP://OU=Staff,DC=net,DC=dom")
Set objUser = objOU.Create("user", "cn=John Smith")
' sAMAccountName is mandatory and must be in the property cache
' before the first SetInfo:
objUser.Put "sAMAccountName", "JSmith"
' Additional (optional) property definitions go here, e.g.:
' objUser.FirstName = "John"
' objUser.LastName = "Smith"
' objUser.UserPrincipalName = "JSmith@net.dom"
' The password can be set only after the account has been created (SetInfo)!
objUser.SetInfo
In both cases, a user account with the minimal number of defined attributes is created. (See also the "Creating Multiple Objects" section.) Table 17.1 shows the differences between these cases.
Table 17.1. Attributes of a newly created user account

Property (AD attribute) | LDAP provider | WinNT provider
---|---|---
Account Disabled | TRUE | FALSE
Account Never Expires | TRUE | TRUE
Common Name (cn) | Must be specified explicitly (the name passed to Create) | Same as the SAM Account Name
First Name (givenName) | Empty | Empty
Full Name (displayName) | Empty | Same as the SAM Account Name
Primary Group | Domain Users | Domain Users
Last Name (sn) | Empty | Empty
Password | Empty | Empty
Password Never Expires | FALSE | FALSE
Profile | Empty | Empty
SAM Account Name (sAMAccountName) | Must be specified explicitly (Put before the first SetInfo) | The name passed to Create
User Cannot Change Password | FALSE | FALSE
User Must Change Password | TRUE | TRUE
User Principal Name (userPrincipalName) | Empty | Empty

Note that an account created with the LDAP provider is disabled until you set a password and clear the disabled state explicitly; an account created with the WinNT provider is enabled immediately, with an empty password.
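The snippets above create the bare object only. The following script is an added example (not one of the book's listings) that carries the LDAP case through to a usable account: it creates the object, sets the mandatory sAMAccountName plus a UPN, and after the first SetInfo sets the password, forces a change at first logon and clears the ACCOUNTDISABLE bit shown in Table 17.1 (PASSWD_NOTREQD, which a domain controller also sets on an account created without a password, is cleared at the same time so that the password policy applies). The OU, domain and user names are assumed values, and the password is read from standard input rather than written into the script.

```vbscript
' createUser.vbs - added example, not one of the book's listings.
' Creates a user with the LDAP provider, sets the password, forces a
' change at first logon and enables the account. The OU, domain and
' user names are assumed values; run with cscript so that the password
' can be read from standard input instead of being hard-coded.
Option Explicit
On Error Resume Next

' Flags of the userAccountControl attribute (ADS_USER_FLAG_ENUM)
Const ADS_UF_ACCOUNTDISABLE = &H2
Const ADS_UF_PASSWD_NOTREQD = &H20

Dim objOU, objUser, strPwd, lngUAC

' Bind to the OU that will hold the account
Set objOU = GetObject("LDAP://OU=Staff,DC=net,DC=dom")
CheckErr "binding to the OU"

' 1. Create the object and fill in the attributes that must be present
'    before the first SetInfo. sAMAccountName is mandatory; the others
'    are optional, but the UPN is what the user will log on with.
Set objUser = objOU.Create("user", "CN=John Smith")
objUser.Put "sAMAccountName", "JSmith"
objUser.Put "userPrincipalName", "JSmith@net.dom"
objUser.Put "givenName", "John"
objUser.Put "sn", "Smith"
objUser.Put "displayName", "John Smith"
objUser.SetInfo
CheckErr "creating the account"

' 2. The password can be set only on an object that already exists in
'    the directory. SetPassword is sent to the DC over a protected
'    channel and takes effect immediately, without another SetInfo.
WScript.StdOut.Write "Initial password for JSmith: "
strPwd = WScript.StdIn.ReadLine
If Len(strPwd) = 0 Then
    WScript.Echo "No password given, account left disabled."
    WScript.Quit 1
End If
objUser.SetPassword strPwd
CheckErr "setting the password"

' 3. Force a change at first logon (pwdLastSet = 0) and clear the
'    ACCOUNTDISABLE bit (see Table 17.1). PASSWD_NOTREQD is cleared as
'    well, so the domain password policy is enforced for this account.
objUser.Put "pwdLastSet", 0
lngUAC = objUser.Get("userAccountControl")
lngUAC = lngUAC And Not (ADS_UF_ACCOUNTDISABLE Or ADS_UF_PASSWD_NOTREQD)
objUser.Put "userAccountControl", lngUAC
objUser.SetInfo
CheckErr "enabling the account"

WScript.Echo "Created " & objUser.ADsPath & _
             ", userAccountControl = &H" & Hex(lngUAC)
Set objUser = Nothing
Set objOU = Nothing

' Stop at the first failed step and report the ADSI/Win32 error code
Sub CheckErr(strStep)
    If Err.Number <> 0 Then
        WScript.Echo "Error " & Hex(Err.Number) & " while " & strStep & _
                     ": " & Err.Description
        WScript.Quit 1
    End If
End Sub
```

The order of the three steps matters: SetInfo must precede SetPassword, and the password must be in place before the ACCOUNTDISABLE bit is cleared, otherwise a domain with a minimum password length rejects the enable. Reading the password from StdIn keeps it out of the script file and out of the command line that other users can see in the process list.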
To set or change the password of a user account, you use the special methods SetPassword and ChangePassword of the IADsUser interface. Both need a protected channel to the domain controller: with the LDAP provider, ADSI first tries LDAP over SSL, then Kerberos, and finally the NetUserSetInfo API; if none of these is available the call fails. The following script (Listing 17.8) sets a new password for a user and forces him or her to change it at the first logon.
Listing 17.8. setPassword.vbs — Resetting User Password
Option Explicit
Dim strPath 'As String
Dim objUser 'As IADsUser

strPath = "WinNT://netdc1/JSmith"
'strPath = "LDAP://CN=John Smith,OU=Staff,DC=net,DC=dom"

'Connect to the directory object specified in the path:
Set objUser = GetObject(strPath)

'The following statements are used with the LDAP provider:
' objUser.SetPassword "newPsw"
' User must change the password at the next logon:
' objUser.Put "pwdLastSet", 0

'The following statements are used with the WinNT provider:
objUser.SetPassword "newPsw"
' User must change the password at the next logon:
objUser.Put "PasswordExpired", CLng(1)

'SetPassword takes effect at once; SetInfo writes the flag set above:
On Error Resume Next
objUser.SetInfo
If Err.Number <> 0 Then
    WScript.Echo "Error: " & Hex(Err.Number) & " - " & Err.Description
End If
On Error GoTo 0
Set objUser = Nothing
You can disable or enable a user or computer account by binding to the object and setting the AccountDisabled property of the IADsUser interface (with the LDAP provider, computer objects expose this interface as well, because the computer class is derived from user). Setting the property is equivalent to toggling the ADS_UF_ACCOUNTDISABLE bit of the userAccountControl attribute; the change is written only by the subsequent SetInfo. Take a look at the following example script:
Listing 17.9. disableAccount.vbs — Disabling an Account
Dim objAccount 'As IADsUser

' The WinNT provider works for user accounts only:
' Set objAccount = GetObject("WinNT://NET/JSmith")
' The LDAP provider allows you to disable both user and computer
' accounts, for example:
' Set objAccount = _
'     GetObject("LDAP://CN=John Smith,OU=Staff,DC=net,DC=dom")

' Disable a computer account:
Set objAccount = _
    GetObject("LDAP://CN=W2KPR03,CN=Computers,DC=net,DC=dom")
objAccount.AccountDisabled = True 'False - to enable
objAccount.SetInfo
Set objAccount = Nothing
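Disabling one account at a time is the operational side of the AccountDisabled property; the review side is finding accounts whose state is wrong. The following script is an added example (not one of the book's listings) that enumerates the users of an OU with the LDAP provider and decodes the userAccountControl bits a reviewer cares about: ACCOUNTDISABLE (what AccountDisabled sets), PASSWD_NOTREQD, DONT_EXPIRE_PASSWD and DONT_REQUIRE_PREAUTH. It singles out accounts that are enabled but do not require a password, the state an account created with the LDAP provider and never given a password ends up in. The OU and domain names are assumed values.

```vbscript
' auditUAC.vbs - added example, not one of the book's listings.
' Lists every user in an OU with the userAccountControl flags that
' matter for a security review. The OU and domain names are assumed.
Option Explicit

' Flags of the userAccountControl attribute (ADS_USER_FLAG_ENUM)
Const ADS_UF_ACCOUNTDISABLE       = &H2
Const ADS_UF_PASSWD_NOTREQD       = &H20
Const ADS_UF_DONT_EXPIRE_PASSWD   = &H10000
Const ADS_UF_DONT_REQUIRE_PREAUTH = &H400000

Dim objOU, objUser, lngUAC, strFlags, intSuspect

Set objOU = GetObject("LDAP://OU=Staff,DC=net,DC=dom")

' Enumerate only objects of class user. Computer objects derive from
' user, so in a container such as CN=Computers they would be listed too.
objOU.Filter = Array("user")
intSuspect = 0

For Each objUser In objOU
    lngUAC = objUser.Get("userAccountControl")
    strFlags = ""
    If (lngUAC And ADS_UF_ACCOUNTDISABLE) <> 0 Then _
        strFlags = strFlags & " DISABLED"
    If (lngUAC And ADS_UF_PASSWD_NOTREQD) <> 0 Then _
        strFlags = strFlags & " PASSWD_NOTREQD"
    If (lngUAC And ADS_UF_DONT_EXPIRE_PASSWD) <> 0 Then _
        strFlags = strFlags & " DONT_EXPIRE_PASSWD"
    If (lngUAC And ADS_UF_DONT_REQUIRE_PREAUTH) <> 0 Then _
        strFlags = strFlags & " DONT_REQUIRE_PREAUTH"

    ' An enabled account that does not require a password is the case
    ' to chase first: it can log on with an empty password regardless
    ' of the domain password policy.
    If (lngUAC And ADS_UF_ACCOUNTDISABLE) = 0 And _
       (lngUAC And ADS_UF_PASSWD_NOTREQD) <> 0 Then
        strFlags = strFlags & "  <-- enabled, no password required"
        intSuspect = intSuspect + 1
    End If

    WScript.Echo objUser.Get("sAMAccountName") & vbTab & _
                 "&H" & Hex(lngUAC) & strFlags
Next

WScript.Echo intSuspect & " enabled account(s) with PASSWD_NOTREQD"
Set objOU = Nothing
```

Because AccountDisabled is just the ADS_UF_ACCOUNTDISABLE bit, the same script can be turned into a remediation tool by setting objUser.AccountDisabled = True and calling objUser.SetInfo for each flagged entry; do that only after reviewing the list, since the enumeration also returns service accounts that may legitimately carry DONT_EXPIRE_PASSWD. Note that a locked-out account is a different state (the IsAccountLocked property) and is not reported here.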