By using ADSI, you can programmatically reconfigure your domain structure, i.e., move, delete, and rename objects. Bear in mind that this does not extend to built-in and system objects.
Moving and renaming an object are essentially the same LDAP operation ("Modify DN"). (This means that you cannot move or rename objects using the WinNT provider!) You simply specify different source and target containers for a move operation, and the same container for a rename operation. While being moved, the object can retain or change its name. The following script moves a user from one OU to another. The MoveHere method of the IADsContainer interface is used.
The source and destination containers can be located in different domains in the same forest. Thus, it is possible to perform inter-domain move operations, but you must take into account possible authentication issues.
Changing the distinguished name of a user object does not affect the values of properties such as the user's first name, last name, display name, or logon name. You will most probably need to update them as well. Also, make sure to change the value of the sAMAccountName attribute (pre-Windows 2000 name) for user as well as group accounts. You can do this by binding to the object and using the Get and Put methods.
Listing 17.13. moveRenameObject.vbs — Moving or Renaming a Directory Object
Dim strOldContainerPath, strNewContainerPath, strOldObjName, _
    strNewObjName 'As String
Dim objCont 'As IADsContainer
Dim objObject 'As IADs

' If strNewContainerPath is equal to strOldContainerPath,
' then a renaming operation is performed,
' if not, a moving one is performed.
strOldContainerPath = "OU=HQ,OU=Personnel,DC=net,DC=dom"
strNewContainerPath = "OU=Staff,DC=net,DC=dom"

' If strNewObjName is equal to strOldObjName, the object is moved
' to a new container, retaining its name.
' You can move and rename an entire OU, a group or user object
' as well as directory objects of other types.
strOldObjName = "CN=John Smith"
strNewObjName = "CN=John Smith II"

' Bind to the target container and pull the object into it (Modify DN).
Set objCont = GetObject("LDAP://" & strNewContainerPath)
Set objObject = objCont.MoveHere("LDAP://" & _
    strOldObjName & "," & strOldContainerPath, strNewObjName)

Set objCont = Nothing
Set objObject = Nothing
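The following script is an added example, not one of the book's listings. It wraps the move/rename decision described above in one routine, then does the follow-up work the text calls for: after Modify DN, it uses Get and Put to refresh displayName, sn, sAMAccountName and userPrincipalName, which the rename leaves untouched. The container paths, the user name and the new logon name are illustrative assumptions.

```vbscript
Option Explicit

' Added example (not from the book). All DNs and account values below
' are assumptions chosen for illustration.

' Returns the attribute value, or an empty string if the attribute is not set
' (IADs.Get raises an error for unset attributes).
Function GetAttr(objADs, strAttr)
    On Error Resume Next
    GetAttr = objADs.Get(strAttr)
    If Err.Number <> 0 Then
        GetAttr = ""
        Err.Clear
    End If
End Function

' Moves or renames an object with IADsContainer.MoveHere and returns the
' resulting IADs object. The same container path for source and target
' means the operation is a rename; different paths mean a move.
Function MoveOrRename(strOldContainer, strNewContainer, strOldRDN, strNewRDN)
    Dim objCont
    If LCase(strOldContainer) = LCase(strNewContainer) Then
        WScript.Echo "Rename within " & strNewContainer
    Else
        WScript.Echo "Move from " & strOldContainer & " to " & strNewContainer
    End If
    Set objCont = GetObject("LDAP://" & strNewContainer)
    Set MoveOrRename = objCont.MoveHere("LDAP://" & strOldRDN & "," & strOldContainer, _
                                        strNewRDN)
    Set objCont = Nothing
End Function

Dim objUser, strContainer

' Same source and target container: this is a rename.
strContainer = "OU=Staff,DC=net,DC=dom"
Set objUser = MoveOrRename(strContainer, strContainer, _
                           "CN=John Smith", "CN=John Smith II")

' Modify DN only changed the RDN; the naming attributes still hold the old values.
WScript.Echo "DN:                 " & GetAttr(objUser, "distinguishedName")
WScript.Echo "displayName before: " & GetAttr(objUser, "displayName")
WScript.Echo "sAMAccountName:     " & GetAttr(objUser, "sAMAccountName")

' Refresh the attributes that do not follow the RDN, then commit with SetInfo.
' Put only changes the local property cache; nothing is written until SetInfo.
objUser.Put "displayName", "John Smith II"
objUser.Put "sn", "Smith II"
objUser.Put "sAMAccountName", "jsmith2"          ' pre-Windows 2000 logon name
objUser.Put "userPrincipalName", "jsmith2@net.dom"
objUser.SetInfo

WScript.Echo "displayName after:  " & GetAttr(objUser, "displayName")

Set objUser = Nothing
```

Run it with cscript so the WScript.Echo output goes to the console. Because sAMAccountName must be unique in the domain, SetInfo fails with a constraint violation if the new logon name is already taken, which is a useful check that nothing has been half-renamed.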
There are two ways to delete a directory object: use the Delete method of the IADsContainer interface, or use a special interface named IADsDeleteOps.
To delete an object using the former method, you need to bind to the object's parent container and call the Delete method. This method is applicable to leaf objects only (i.e., the object must not have any child objects). If you try to delete a non-leaf object, you will get the error 2147016683 (0x80072015), which means "The directory service can perform the requested operation only on a leaf object".
By using the IADsDeleteOps interface, you can delete an entire container together with all of its child objects. (Be careful, since this is a critical operation. You may want to verify first whether an object has children.) Take a look at the following two scripts.
Listing 17.14. deleteObject.vbs — Deleting a User (a Leaf Object)
Dim objCont 'As IADsContainer
Set objCont = GetObject("LDAP://OU=Staff,DC=net,DC=dom")
Call objCont.Delete("user", "CN=Manager")
Set objCont = Nothing
Listing 17.15. deleteContainer.vbs — Deleting an Entire Container
Dim objCont 'As IADsDeleteOps
Set objCont = GetObject("LDAP://OU=Personnel,DC=net,DC=dom")
Call objCont.DeleteObject(0)
Set objCont = Nothing
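The script below is an added example and not one of the book's listings. It implements the check the text recommends before using IADsDeleteOps: it counts the object's children, deletes a leaf object through its parent's Delete method, and only falls back to DeleteObject(0) when the caller has explicitly allowed a subtree deletion. It also catches error 0x80072015 in case the leaf check and the directory disagree. The target path is an assumption.

```vbscript
Option Explicit

' Added example (not from the book). The target path is an assumption.

' Counts the direct children of an object by enumerating it as a container.
' With the LDAP provider every object exposes IADsContainer, so a leaf
' object such as a user simply enumerates zero children.
Function ChildCount(strADsPath)
    Dim objCont, objChild, n
    n = 0
    Set objCont = GetObject(strADsPath)
    For Each objChild In objCont
        n = n + 1
    Next
    ChildCount = n
    Set objCont = Nothing
End Function

' Deletes the object at strADsPath and returns a short status string.
' Leaf objects go through IADsContainer.Delete on the parent; objects with
' children are deleted with IADsDeleteOps.DeleteObject only if bAllowSubtree
' is True, otherwise the deletion is refused.
Function DeleteObjectSafely(strADsPath, bAllowSubtree)
    Dim objTarget, objParent, nChildren

    Set objTarget = GetObject(strADsPath)
    nChildren = ChildCount(strADsPath)

    If nChildren = 0 Then
        ' IADs.Parent is the parent's ADsPath; Name is the RDN (e.g., "CN=Manager");
        ' Class is the object class (e.g., "user"), exactly what Delete expects.
        Set objParent = GetObject(objTarget.Parent)
        On Error Resume Next
        objParent.Delete objTarget.Class, objTarget.Name
        If Err.Number = &H80072015 Then
            ' The directory still sees children (e.g., created in the meantime).
            Err.Clear
            On Error GoTo 0
            DeleteObjectSafely = "refused: directory reports a non-leaf object"
        ElseIf Err.Number <> 0 Then
            DeleteObjectSafely = "failed: " & Hex(Err.Number) & " " & Err.Description
            Err.Clear
            On Error GoTo 0
        Else
            On Error GoTo 0
            DeleteObjectSafely = "deleted leaf " & objTarget.Name
        End If
        Set objParent = Nothing
    ElseIf bAllowSubtree Then
        ' IADsDeleteOps removes the object and everything beneath it.
        objTarget.DeleteObject 0
        DeleteObjectSafely = "deleted subtree " & objTarget.Name & _
                             " (" & nChildren & " direct children)"
    Else
        DeleteObjectSafely = "refused: " & objTarget.Name & " has " & _
                             nChildren & " direct children"
    End If

    Set objTarget = Nothing
End Function

' Default to refusing subtree deletions; pass /subtree to allow them.
Dim bAllow
bAllow = (WScript.Arguments.Named.Exists("subtree"))
WScript.Echo DeleteObjectSafely("LDAP://OU=Temp,OU=Personnel,DC=net,DC=dom", bAllow)
```

Running the script without the /subtree switch reports how many children the OU has and deletes nothing, which is the safe default; only cscript deleteSafely.vbs /subtree lets it use DeleteObject(0). Because the child count is taken before the delete, the explicit handling of 0x80072015 matters: it covers the window in which another administrator creates an object under the container.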