Scripting User Management


Scripts that manage Active Directory users typically do three things: create users, search AD containers to produce a list of users, and change attribute values on existing users. Every user object in AD has mandatory attributes and optional attributes.

Each mandatory attribute must have a value before the user object can be created, so every user is guaranteed to have one. These are the attributes to key searches on. For example, SamAccountName (the pre-Windows 2000 logon name) is mandatory: to build a list of logon names, query the domain for user objects and request the SamAccountName value of each one.

An optional attribute, such as a user's pager or telephone number, may be empty, so it is useful mainly as a search filter. For example, to list the users whose last name is Smith, you can retrieve every user by SamAccountName, read each one's last name, and compare it to Smith; the result is only the users that match. An LDAP search filter such as (sn=Smith) performs that comparison on the domain controller and returns only the matching objects, which is far cheaper than pulling every user to the client and comparing there.

Note

The Last Name field has the directory attribute name sn, for surname.
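The following script is an added example, not code from the book: it performs the surname search described above with ADO against the domain the script is logged on to (discovered from rootDSE rather than hard-coded), asks the domain controller to filter on sn, and returns the SamAccountName of each match. The EscapeLdapFilter function is the part a practitioner should not skip: if the surname comes from a file or a prompt, characters such as * and ( would otherwise change the meaning of the filter. The surname Smith and the use of cscript are assumptions carried over from the chapter.

```vbscript
Option Explicit

' Escape the characters that are special in an LDAP search filter (RFC 4515)
' so a value taken from user input or a data file cannot rewrite the query.
Function EscapeLdapFilter(value)
    Dim s
    s = Replace(value, "\", "\5c")
    s = Replace(s, "*", "\2a")
    s = Replace(s, "(", "\28")
    s = Replace(s, ")", "\29")
    s = Replace(s, Chr(0), "\00")
    EscapeLdapFilter = s
End Function

' Return an array of logon names for the user objects whose sn equals surname.
' The comparison is done by the domain controller, not by this script.
Function FindUsersBySurname(surname)
    Dim rootDse, defaultNc, conn, cmd, rs, results, i

    ' rootDSE exposes the DN of the logon domain, so nothing is hard-coded.
    Set rootDse = GetObject("LDAP://rootDSE")
    defaultNc = rootDse.Get("defaultNamingContext")

    Set conn = CreateObject("ADODB.Connection")
    conn.Provider = "ADsDSOObject"
    conn.Open "Active Directory Provider"

    Set cmd = CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    ' ADO search string: <base>;(filter);attribute list;scope
    cmd.CommandText = "<LDAP://" & defaultNc & ">;" & _
        "(&(objectCategory=person)(objectClass=user)(sn=" & EscapeLdapFilter(surname) & "));" & _
        "sAMAccountName,distinguishedName;subtree"
    ' Page the results; a DC returns at most 1000 objects per page by default.
    cmd.Properties("Page Size") = 1000

    Set rs = cmd.Execute
    results = Array()
    i = 0
    Do Until rs.EOF
        ReDim Preserve results(i)
        results(i) = rs.Fields("sAMAccountName").Value
        i = i + 1
        rs.MoveNext
    Loop
    rs.Close
    conn.Close
    FindUsersBySurname = results
End Function

Dim name
For Each name In FindUsersBySurname("Smith")
    WScript.Echo name
Next
```

Run it with cscript in the same way as the other scripts in this chapter. Because the search is a read, any authenticated domain account can run it; no administrative rights are needed.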


Scripting User Creation

To create a new AD user using ADSI and VBScript, you can break the process into four simple steps:

1. Connect to the directory or to a specific container object.

2. Create the user by populating the mandatory attributes.

3. Populate additional attributes and update the user object.

4. Exit the script.

To access an Active Directory user object, you use ADSI; to perform a search, you use ADO; and if Exchange attributes need to be populated, you use CDO. At creation you must supply the CN attribute, the one mandatory attribute the directory cannot default: its value forms the relative distinguished name from which the user's DN, or distinguished name, is built. If you do not also supply a SamAccountName, the domain controller generates a random pre-Windows 2000 logon name for the new object, so production scripts should set it explicitly. To write a user creation script, type the following code into a new text file using Notepad:

set obj = GetObject("LDAP://cn=users,dc=companyabc,dc=com")
set usr = obj.Create("user", "cn=" & "TestUser")
usr.SetInfo


Now follow these steps to continue the process:

1. Save the file as ADuser.vbs in the C:\Scripts directory, which will be used to store scripts.

2. Choose Start, Run.

3. Type cmd.exe and click OK to open a command prompt.

4. Type cscript c:\scripts\ADuser.vbs to execute the script in the command-line environment.

Note

The ADuser.vbs script will not work in this form if the domain password policy does not allow null passwords. Be aware as well that a user created through ADSI starts out disabled and with the "password not required" flag set in its userAccountControl attribute; set a password and clear that flag before enabling the account, or the domain password policy will not apply to it.


The ADuser.vbs script creates a user named TestUser in the Users container of the companyabc.com domain. The first line uses ADSI to bind to the Users container. Because GetObject specifies no credentials, the bind, and therefore everything the script does, runs in the security context of the logged-on user; the script has exactly the rights that user has in the directory, no more and no less. The second line creates the user object in ADSI's local property cache, and the last line, SetInfo, writes the new object to the directory.

This basic script can be modified to connect to a specific organizational unit or even to a named domain controller. The connection line uses GetObject with what is called the ADsPath of an object to bind to the directory; if you do not know the ADsPath of the container, you cannot bind to it with ADSI. An ADsPath is the provider prefix followed by the container's DistinguishedName value. (A script can also discover the domain's DN at run time by binding to LDAP://rootDSE and reading its defaultNamingContext attribute.) To find the DistinguishedName value of the Users container in the companyabc.com domain, use ADSI Edit as outlined in the "ADSI Edit MMC Snap-in" section earlier in this chapter. Then follow these steps:

1. Log on to the desired workstation or server with an account that can open ADSI Edit and browse the directory. Reading the directory does not require administrative rights; any authenticated domain user can read most objects by default, so there is no need to browse as a Domain Admins member.

2. Choose Start, All Programs, Administrative Tools, ADSI Edit. If the console does not appear, perform the steps outlined in the "ADSI Edit MMC Snap-in" section earlier in this chapter to create the console.

3. Browse the directory to locate the user or container for which you want to find the DistinguishedName value.

4. Right-click that object and select Properties.

5. On the Attribute Editor tab, make sure both the Show Mandatory Attributes and the Show Optional Attributes boxes are checked.

6. Scroll down in the window to find the DistinguishedName attribute and note the value, as shown in Figure 23.4, for the Users container of the companyabc.com domain.

Figure 23.4. Locating the value of the DistinguishedName attribute for the Users container.


In this case, the DistinguishedName for the Users container is CN=Users,DC=companyabc,DC=com. The DC components name the domain, and child domains add further DC components. Organizational units use the OU prefix. Users, groups, contacts, containers, computers, and most other directory objects use the CN prefix. These prefixes are the LDAP relative distinguished name attribute types, not something specific to ADSI. To turn a distinguished name (DN) into an ADsPath for connecting to an Active Directory object from a script, simply prefix the DN value with LDAP://.

Populating Optional User Attributes

After you create a user in Active Directory, you can add optional attribute values. Expanding on the previous three-line user creation script, you can add more attributes after the user is created. The following script populates the pager and initial password attributes:

set obj = GetObject("LDAP://cn=users,dc=companyabc,dc=com")
set usr = obj.Create("user", "cn=" & "TestUser")
usr.pager = "999-999-9999"
usr.SetInfo
usr.SetPassword "mycleartextpassword"
usr.SetInfo


Save this file as a .vbs file and run it with Cscript.exe, as in the previous examples. Two details matter here. SetPassword is a method, not a property, so it is called without an equals sign, and it is called only after the first SetInfo because the user must exist in the directory before a password can be set. SetPassword also does not write the password as an ordinary LDAP modify; ADSI sends it over a protected channel (LDAP over SSL, Kerberos, or the secure RPC fallback). The weak point is the script file itself: a literal password in a .vbs on disk can be read by anyone who can read the file, so prompt for the initial password or read it from a protected source rather than embedding it.
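The script below is an added example, not the book's own, that puts the creation and password steps from this section together in the form a practitioner would actually deploy: an explicit secure bind, an explicit logon name and UPN, the password read from standard input instead of the file, the "password not required" and "disabled" bits cleared only after the password is set, and a forced password change at first logon. The container path, the names TestUser/testuser and the UPN suffix companyabc.com are assumptions taken from the chapter's examples.

```vbscript
Option Explicit

Const ADS_SECURE_AUTHENTICATION = &H1
Const ADS_UF_ACCOUNTDISABLE = &H2
Const ADS_UF_PASSWD_NOTREQD = &H20

' Create a user in containerPath with an explicit logon name and initial
' password, then enable it only once password policy bits are correct.
Function CreateUserSecure(containerPath, cn, logonName, upnSuffix, initialPassword)
    Dim ldap, container, usr, uac
    Set ldap = GetObject("LDAP:")
    ' Explicit bind with ADS_SECURE_AUTHENTICATION. vbNullString for both the
    ' user name and password means "use the logged-on credentials", so no
    ' administrator password ever appears in the script.
    Set container = ldap.OpenDSObject(containerPath, vbNullString, vbNullString, ADS_SECURE_AUTHENTICATION)

    Set usr = container.Create("user", "cn=" & cn)
    usr.Put "sAMAccountName", logonName       ' otherwise the DC generates a random one
    usr.Put "userPrincipalName", logonName & "@" & upnSuffix
    usr.Put "displayName", cn
    usr.SetInfo                               ' the object must exist before SetPassword

    usr.SetPassword initialPassword           ' sent over a protected channel, not an LDAP modify
    ' ADSI-created users start disabled with PASSWD_NOTREQD set. Clear both bits
    ' so the domain password policy applies and the account can log on.
    uac = usr.Get("userAccountControl")
    uac = uac And (Not ADS_UF_PASSWD_NOTREQD)
    uac = uac And (Not ADS_UF_ACCOUNTDISABLE)
    usr.Put "userAccountControl", uac
    usr.Put "pwdLastSet", 0                   ' must change password at first logon
    usr.SetInfo
    Set CreateUserSecure = usr
End Function

' Read the initial password from standard input rather than embedding it in the
' script or passing it on the command line (visible in process lists and history).
Dim pwd, newUser
WScript.StdOut.Write "Initial password for TestUser: "
pwd = WScript.StdIn.ReadLine

Set newUser = CreateUserSecure("LDAP://cn=Users,dc=companyabc,dc=com", _
    "TestUser", "testuser", "companyabc.com", pwd)
WScript.Echo "Created " & newUser.Get("distinguishedName")
```

Run it with cscript, not wscript: WScript.StdIn is only available under the console host. The order of operations is the point of the example. Setting the password before clearing PASSWD_NOTREQD means the account is never in a state where it is enabled with no password, and forcing a change at first logon means the value typed by the administrator is not the password the user keeps.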

Populating User Attributes Using Variables

When you plan to create many users, populating attributes from data stored in variables can save you many hours. Expanding on the basic user creation script, you can set a user's profile path using a variable. In a larger script that uses subroutines to perform basic tasks for each object, declare any variable that is referenced across subroutines at the top of the script so that it is global; a variable used only inside one subroutine can be declared and used within that subroutine. To declare a variable and populate a user's profile path when creating the user, modify the previous script as follows:

Dim ProfilePth
ProfilePth = "\\companyabc.com\Profiles\%Username%"
set obj = GetObject("LDAP://cn=users,dc=companyabc,dc=com")
set usr = obj.Create("user", "cn=" & "TestUser")
usr.pager = "999-999-9999"
usr.ProfilePath = ProfilePth
usr.SetInfo
usr.SetPassword "mycleartextpassword"
usr.SetInfo
ProfilePth = ""


The first added line declares the variable and the second populates it with a UNC path (note the leading backslashes, which a profile path requires). A few lines later, the ProfilePath attribute is set to the value stored in ProfilePth. The last line of the script clears the variable. Unlike the Active Directory Users and Computers snap-in, which replaces %Username% with the actual logon name when you save the property sheet, ADSI writes exactly the string you give it to the directory, so check the resulting value in the snap-in the first time you run such a script.

Similar to ADSI Edit, ADSI scripting has almost no safeguards. In addition, since a single script can update thousands of user objects in a matter of seconds, there is a risk that a single misspelled character can cause disastrous results.

There are several things that can be done to minimize the risk of mass updates of AD attributes:

1. Understand exactly what effect the changes will make.

2. Test the script in the lab, and build in a dry-run mode that reports what the script would change without writing anything.

3. Create an Active Directory backup.

4. Run the script on a limited scope of Active Directory objects (such as a single OU) before doing a full-scale attribute update, and have the script refuse to touch more than an expected number of objects in one run.

Scripting Exchange 2000 Properties for Active Directory

When Exchange 2000 or Exchange 5.5 with the Active Directory Connector (ADC) is used with an Active Directory forest, the forest schema is extended to support the necessary attributes to give a user or group Exchange messaging attributes. To manipulate a user's messaging status or configuration, an administrator must use the programming object models made available with Collaborative Data Objects (CDO).

Collaborative Data Objects

CDO provides a programming interface and object model to manage Exchange 5.5 and 2000 server messaging objects from a script written in VBScript or from a compiled application written in a language such as Visual Basic or a Visual C-compatible language. CDO can be used to create public folders, add contacts to the Exchange address book, and create a user's mailbox. Scripts that create users in Active Directory can easily be modified to also give those users email addresses or mailboxes on an Exchange 2000 server. To create users and also mail-enable them, you can write a single VBScript that connects to Active Directory using ADSI to create the user object and then uses CDO to mail-enable the user. To mail-enable an Active Directory user in a forest that contains Exchange 2000 servers, follow these steps:

1. Log on to the desired workstation or server with an account that has the permissions needed to fully administer user objects in Active Directory. This account must also hold at least Exchange 2000 View Only Admin rights in the relevant Exchange 2000 administrative group. For more information on Exchange 2000 organizations and permissions, review the Exchange 2000 documentation.

2. If they are not already installed on the system, install the Windows Server 2003 Adminpak.msi and the Exchange 2000 System Tools. The Adminpak is needed for tools such as the Active Directory Users and Computers MMC snap-in, which you will use to review user status after the script has run. Installing the Exchange System Tools installs and registers the CDO library so that its object model can be used on this machine.

3. To extend the user creation script and mail-enable the test user upon creation, create the following script:

set obj = GetObject("LDAP://cn=users,dc=companyabc,dc=com")
set usr = obj.Create("user", "cn=" & "TestUser")
usr.pager = "999-999-9999"
usr.SetInfo
usr.MailEnable "smtp:" & usr.cn & "@domain.com"
usr.SetPassword "mycleartextpassword"
usr.SetInfo


The preceding script creates a user, adds a value to the Pager attribute, mail-enables the user (which means giving the user an external email address and adding an entry for the user to the Exchange address book), and finally sets the initial password. MailEnable is called after the first SetInfo because, like SetPassword, it requires the object to exist in the directory; the second SetInfo commits the messaging attributes. The same caution about a literal password in the script file applies here.




Microsoft Windows Server 2003 Unleashed (R2 Edition)
ISBN: 0672328984
Year: 2006
Pages: 499