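' === Copy an Active Directory Computer Account (standalone script) ===
' Description: Retrieves the attributes of an existing computer object and
' copies the attributes to a new computer object created by the script.
'
' The new object is created and committed first; the template is read
' afterwards and only the attributes listed in arrAttributes are copied. The
' template's security descriptor, userAccountControl and password state are
' not touched.
Set objCompt = _
    GetObject("LDAP://cn=Computers,dc=NA,dc=fabrikam,dc=com")
Set objComptCopy = objCompt.Create("computer", "cn=SEA-SQL-01")
objComptCopy.Put "sAMAccountName", "sea-sql-01"
objComptCopy.SetInfo

Set objComptTemplate = GetObject _
    ("LDAP://cn=SEA-PM-01,cn=Computers,dc=NA,dc=fabrikam,dc=com")
arrAttributes = Array("description", "location")

For Each strAttrib in arrAttributes
    ' Get raises when the template does not carry the attribute. The original
    ' script then aborted after the copy had already been created; skip the
    ' unset attribute instead and continue with the next one.
    On Error Resume Next
    strValue = objComptTemplate.Get(strAttrib)
    If Err.Number = 0 Then
        objComptCopy.Put strAttrib, strValue
    Else
        Err.Clear
    End If
    On Error GoTo 0
Next
objComptCopy.SetInfo

' === Create a Computer Account For a Specific User ===
' Description: Creates and enables a computer account in Active Directory.
' A specific, authenticated user can then use this account to add his or her
' workstation to the domain.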
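' === Create a Computer Account For a Specific User (standalone script) ===
' Creates the account, then writes nine ACEs for strComputerUser onto it.
strComputer = "atl-pro-002"
strComputerUser = "fabrikam\lewjudy"

Const ADS_UF_PASSWD_NOTREQD = &h0020
Const ADS_UF_WORKSTATION_TRUST_ACCOUNT = &h1000
Const ADS_ACETYPE_ACCESS_ALLOWED = &h0
Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &h5
Const ADS_FLAG_OBJECT_TYPE_PRESENT = &h1
Const ADS_RIGHT_GENERIC_READ = &h80000000
Const ADS_RIGHT_DS_SELF = &h8
Const ADS_RIGHT_DS_WRITE_PROP = &h20
Const ADS_RIGHT_DS_CONTROL_ACCESS = &h100
' Extended-right / validated-write GUIDs used as ACE ObjectType values.
Const ALLOWED_TO_AUTHENTICATE = _
    "{68B1D179-0D15-4d4f-AB71-46152E79A7BC}"
Const RECEIVE_AS = "{AB721A56-1E2f-11D0-9819-00AA0040529B}"
Const SEND_AS = "{AB721A54-1E2f-11D0-9819-00AA0040529B}"
Const USER_CHANGE_PASSWORD = _
    "{AB721A53-1E2f-11D0-9819-00AA0040529b}"
Const USER_FORCE_CHANGE_PASSWORD = _
    "{00299570-246D-11D0-A768-00AA006E0529}"
Const USER_ACCOUNT_RESTRICTIONS = _
    "{4C164200-20C0-11D0-A768-00AA006E0529}"
Const VALIDATED_DNS_HOST_NAME = _
    "{72E39547-7B18-11D1-ADEF-00C04FD8D5CD}"
Const VALIDATED_SPN = "{F3A64788-5306-11D1-A9C5-0000F80367C1}"

' Builds one object-specific "allow" ACE for strComputerUser.
' lngAccessMask: ADS_RIGHT_* bits; strObjectType: the GUID the ACE is scoped to.
' Replaces the eight copy-pasted objACE2..objACE9 blocks of the original.
Function NewObjectAce(lngAccessMask, strObjectType)
    Dim objAce
    Set objAce = CreateObject("AccessControlEntry")
    objAce.Trustee = strComputerUser
    objAce.AccessMask = lngAccessMask
    objAce.AceFlags = 0
    objAce.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
    objAce.Flags = ADS_FLAG_OBJECT_TYPE_PRESENT
    objAce.ObjectType = strObjectType
    Set NewObjectAce = objAce
End Function

Set objRootDSE = GetObject("LDAP://rootDSE")
Set objContainer = GetObject("LDAP://cn=Computers," & _
    objRootDSE.Get("defaultNamingContext"))
Set objComputer = objContainer.Create _
    ("Computer", "cn=" & strComputer)
objComputer.Put "sAMAccountName", strComputer & "$"
' PASSWD_NOTREQD: the account is committed enabled with no password
' requirement. The ACEs written below are what restrict completing the join
' to strComputerUser, so the script is not finished until the final SetInfo
' has stored them.
objComputer.Put "userAccountControl", _
    ADS_UF_PASSWD_NOTREQD Or ADS_UF_WORKSTATION_TRUST_ACCOUNT
objComputer.SetInfo

Set objSecurityDescriptor = objComputer.Get("ntSecurityDescriptor")
Set objDACL = objSecurityDescriptor.DiscretionaryAcl

' ACE 1 is a plain (non object-specific) allow for generic read.
Set objACE1 = CreateObject("AccessControlEntry")
objACE1.Trustee = strComputerUser
objACE1.AccessMask = ADS_RIGHT_GENERIC_READ
objACE1.AceFlags = 0
objACE1.AceType = ADS_ACETYPE_ACCESS_ALLOWED
objDACL.AddAce objACE1

' ACEs 2..9, added in the same order as the original script.
objDACL.AddAce NewObjectAce(ADS_RIGHT_DS_CONTROL_ACCESS, ALLOWED_TO_AUTHENTICATE)
objDACL.AddAce NewObjectAce(ADS_RIGHT_DS_CONTROL_ACCESS, RECEIVE_AS)
objDACL.AddAce NewObjectAce(ADS_RIGHT_DS_CONTROL_ACCESS, SEND_AS)
objDACL.AddAce NewObjectAce(ADS_RIGHT_DS_CONTROL_ACCESS, USER_CHANGE_PASSWORD)
objDACL.AddAce NewObjectAce(ADS_RIGHT_DS_CONTROL_ACCESS, USER_FORCE_CHANGE_PASSWORD)
objDACL.AddAce NewObjectAce(ADS_RIGHT_DS_WRITE_PROP, USER_ACCOUNT_RESTRICTIONS)
objDACL.AddAce NewObjectAce(ADS_RIGHT_DS_SELF, VALIDATED_DNS_HOST_NAME)
objDACL.AddAce NewObjectAce(ADS_RIGHT_DS_SELF, VALIDATED_SPN)

objSecurityDescriptor.DiscretionaryAcl = objDACL
objComputer.Put "ntSecurityDescriptor", objSecurityDescriptor
objComputer.SetInfo

' === Delete a Computer Account (standalone script) ===
' Description: Deletes an individual computer account in Active Directory.
strComputer = "atl-pro-040"
Set objComputer = GetObject("LDAP://CN=" & strComputer & _
    ",CN=Computers,DC=fabrikam,DC=com")
objComputer.DeleteObject (0)

' === Disable a Global Catalog Server (standalone script) ===
' Description: Disables the global catalog service on the domain controller
' atl-dc-01.
strComputer = "atl-dc-01"
Const NTDSDSA_OPT_IS_GC = 1
Set objRootDSE = GetObject("LDAP://" & strComputer & "/rootDSE")
' dsServiceName on rootDSE is the DN of this DC's NTDS settings object, whose
' "options" attribute carries the GC bit.
strDsServiceDN = objRootDSE.Get("dsServiceName")
Set objDsRoot = GetObject _
    ("LDAP://" & strComputer & "/" & strDsServiceDN)
intOptions = objDsRoot.Get("options")
' Xor clears the bit; it is only applied when the bit is currently set.
If intOptions And NTDSDSA_OPT_IS_GC Then
    objDsRoot.Put "options", intOptions Xor NTDSDSA_OPT_IS_GC
    objDsRoot.Setinfo
End If

' === Enable a Global Catalog Server (standalone script) ===
' Description: Enables the global catalog service on the domain controller
' atl-dc-01.
strComputer = "atl-dc-01"
Const NTDSDSA_OPT_IS_GC = 1
Set objRootDSE = GetObject("LDAP://" & strComputer & "/RootDSE")
strDsServiceDN = objRootDSE.Get("dsServiceName")
Set objDsRoot = GetObject _
    ("LDAP://" & strComputer & "/" & strDsServiceDN)
intOptions = objDsRoot.Get("options")
If (intOptions And NTDSDSA_OPT_IS_GC) = FALSE Then
    objDsRoot.Put "options" , intOptions Or NTDSDSA_OPT_IS_GC
    objDsRoot.Setinfo
End If

' === Join a Computer to a Domain ===
' Description: Joins the local computer to a domain and creates the computer's
' account in Active Directory.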
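' === Join a Computer to a Domain (standalone script) ===
' Description: Joins the local computer to a domain and creates the
' computer's account in Active Directory.
Const JOIN_DOMAIN = 1
Const ACCT_CREATE = 2
Const ACCT_DELETE = 4
Const WIN9X_UPGRADE = 16
Const DOMAIN_JOIN_IF_JOINED = 32
Const JOIN_UNSECURE = 64
Const MACHINE_PASSWORD_PASSED = 128
Const DEFERRED_SPN_SET = 256
Const INSTALL_INVOCATION = 262144

strDomain = "FABRIKAM"
' The join credential sits in the script in clear text, so anyone who can read
' the file holds that account. Supply it at run time (prompt or a secured
' store) rather than keeping it here, and do not leave copies of the file on
' the joined machine.
strPassword = "ls4k5ywA"
strUser = "shenalan"

Set objNetwork = CreateObject("WScript.Network")
strComputer = objNetwork.ComputerName
Set objComputer = GetObject("winmgmts:{impersonationLevel=Impersonate}!\\" & _
    strComputer & "\root\cimv2:Win32_ComputerSystem.Name='" & _
    strComputer & "'")
' JOIN_DOMAIN + ACCT_CREATE: join and create the computer account in one call.
ReturnValue = objComputer.JoinDomainOrWorkGroup(strDomain, _
    strPassword, strDomain & "\" & strUser, NULL, _
    JOIN_DOMAIN + ACCT_CREATE)
' The original script discarded the result. 0 means success; any other value
' is the error code returned by the join.
If ReturnValue = 0 Then
    WScript.Echo "Joined " & strComputer & " to " & strDomain & "."
Else
    WScript.Echo "JoinDomainOrWorkGroup failed with code " & ReturnValue & "."
End If

' === List All Computer Accounts in Active Directory (standalone script) ===
' Description: Returns the name and location for all the computer accounts in
' Active Directory.
Const ADS_SCOPE_SUBTREE = 2
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection
objCommand.CommandText = _
    "Select Name, Location from 'LDAP://DC=fabrikam,DC=com' " _
    & "Where objectClass='computer'"
' Paged search so the server's result-size limit does not cut the listing short.
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
Set objRecordSet = objCommand.Execute
' MoveFirst raises on an empty result set; guard it so "no computers found"
' is not reported as a script error.
If Not objRecordSet.EOF Then objRecordSet.MoveFirst
Do Until objRecordSet.EOF
    Wscript.Echo "Computer Name: " & objRecordSet.Fields("Name").Value
    Wscript.Echo "Location: " & objRecordSet.Fields("Location").Value
    objRecordSet.MoveNext
Loop

' === List FSMO Role Holders ===
' Description: Identifies the Active Directory domain controllers providing the
' five FSMO roles: Schema Master, Domain Naming Master, PDC Emulator, RID
' Master, and Infrastructure Master.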
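' === List FSMO Role Holders (standalone script) ===
' Description: Identifies the Active Directory domain controllers providing the
' five FSMO roles: Schema Master, Domain Naming Master, PDC Emulator, RID
' Master, and Infrastructure Master.
Set objRootDSE = GetObject("LDAP://rootDSE")

' Resolves an fSMORoleOwner value to a display name.
' strRoleOwnerDN: the DN stored in fSMORoleOwner. The script binds to it and
' reports the Name of that object's parent (presumably the server object).
' Replaces the five repeated bind-parent-echo sequences of the original.
Function RoleHolderName(strRoleOwnerDN)
    Dim objNtds, objHolder
    Set objNtds = GetObject("LDAP://" & strRoleOwnerDN)
    Set objHolder = GetObject(objNtds.Parent)
    RoleHolderName = objHolder.Name
End Function

' Forest-wide roles live on the schema and Partitions containers.
Set objSchema = GetObject _
    ("LDAP://" & objRootDSE.Get("schemaNamingContext"))
strSchemaMaster = objSchema.Get("fSMORoleOwner")
WScript.Echo "Forest-wide Schema Master FSMO: " & RoleHolderName(strSchemaMaster)

Set objPartitions = GetObject("LDAP://CN=Partitions," & _
    objRootDSE.Get("configurationNamingContext"))
strDomainNamingMaster = objPartitions.Get("fSMORoleOwner")
WScript.Echo "Forest-wide Domain Naming Master FSMO: " & RoleHolderName(strDomainNamingMaster)

' Domain roles live on the domain head, RID Manager$ and Infrastructure objects.
Set objDomain = GetObject _
    ("LDAP://" & objRootDSE.Get("defaultNamingContext"))
strPdcEmulator = objDomain.Get("fSMORoleOwner")
WScript.Echo "Domain's PDC Emulator FSMO: " & RoleHolderName(strPdcEmulator)

Set objRidManager = GetObject("LDAP://CN=RID Manager$,CN=System," & _
    objRootDSE.Get("defaultNamingContext"))
strRidMaster = objRidManager.Get("fSMORoleOwner")
WScript.Echo "Domain's RID Master FSMO: " & RoleHolderName(strRidMaster)

Set objInfrastructure = GetObject("LDAP://CN=Infrastructure," & _
    objRootDSE.Get("defaultNamingContext"))
strInfrastructureMaster = objInfrastructure.Get("fSMORoleOwner")
WScript.Echo "Domain's Infrastructure Master FSMO: " & RoleHolderName(strInfrastructureMaster)

' === List Selected Computer Account Attributes ===
' Description: Demonstration script that retrieves the location and description
' attributes for a computer account in Active Directory.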
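' === List Selected Computer Account Attributes (standalone script) ===
' Description: Demonstration script that retrieves the location and description
' attributes for a computer account in Active Directory.
On Error Resume Next
Set objComputer = GetObject _
    ("LDAP://CN=atl-dc-01,CN=Computers,DC=fabrikam,DC=com")

' Get raises when the attribute is unset; under On Error Resume Next the
' assignment is skipped and objProperty keeps its previous value. The original
' left objProperty uninitialised (Empty, not Null) before the first Get, so an
' unset location printed as "Location: " instead of "not set". Start from Null
' and accept either Null or Empty as "not set".
objProperty = Null
objProperty = objComputer.Get("Location")
If IsNull(objProperty) Or IsEmpty(objProperty) Then
    Wscript.Echo "The location has not been set."
Else
    Wscript.Echo "Location: " & objProperty
End If

objProperty = Null
objProperty = objComputer.Get("Description")
If IsNull(objProperty) Or IsEmpty(objProperty) Then
    Wscript.Echo "The description has not been set."
Else
    Wscript.Echo "Description: " & objProperty
End If

' === Modify Computer Location Attribute (standalone script) ===
' Description: Demonstration script that changes the location attribute for a
' computer account in Active Directory.
Set objComputer = GetObject _
    ("LDAP://CN=atl-dc-01,CN=Computers,DC=fabrikam,DC=com")
objComputer.Put "Location" , "Building 37, Floor 2, Room 2133"
objComputer.SetInfo

' === Move a Computer Account (standalone script) ===
' Description: Moves a computer account from the Computers container in Active
' Directory to the Finance OU in the same domain.
' MoveHere is called on the destination container with the source object's
' ADsPath and the RDN it should have afterwards.
Set objNewOU = GetObject("LDAP://OU=Finance,DC=fabrikam,DC=com")
Set objMoveComputer = objNewOU.MoveHere _
    ("LDAP://CN=atl-pro-03,CN=Computers,DC=fabrikam,DC=com", "CN=atl-pro-03")

' === Move a Computer Account to a New Domain (standalone script) ===
' Description: Uses the MoveHere method to move an object to another domain.
' Note that there are a number of restrictions associated with performing this
' type of move operation. For details, see the Directory Services Platform SDK.
' vbNullString is passed as the new RDN -- presumably keeps the existing name;
' confirm against the SDK.
Set objOU = GetObject("LDAP://cn=Computers,dc=NA,dc=fabrikam,dc=com")
objOU.MoveHere "LDAP://cn=Computer01,cn=Users,dc=fabrikam,dc=com", _
    vbNullString

' === Rename a Computer Account ===
' Description: Renames an Active Directory computer account.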
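' === Rename a Computer Account (standalone script) ===
' Description: Renames an Active Directory computer account.
' MoveHere into the object's own container with a new RDN performs the rename.
Set objNewOU = GetObject("LDAP://OU=Finance,DC=fabrikam,DC=com")
Set objMoveComputer = objNewOU.MoveHere _
    ("LDAP://CN=atl-pro-037,OU=Finance,DC=fabrikam,DC=com", _
     "CN=atl-pro-003")

' === Rename a Computer and Computer Account (standalone script) ===
' Description: Renames a computer and its corresponding Active Directory
' computer account. Requires Windows XP or Windows Server 2003, and must be run
' on the local computer.
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colComputers = objWMIService.ExecQuery _
    ("Select * from Win32_ComputerSystem")
For Each objComputer in colComputers
    ' The original assigned the result to a variable named err, which collides
    ' with the name of VBScript's intrinsic Err object, and never examined it.
    ' 0 indicates success.
    intResult = objComputer.Rename("WebServer")
    WScript.Echo "Rename returned: " & intResult
Next

' === Reset a Computer Account Password (standalone script) ===
' Description: Resets a computer account password in Active Directory.
' SetPassword writes the literal given here (the account name followed by "$")
' as the machine account password -- a fixed, predictable value. Confirm the
' target computer's own secure channel after running it. Note the DN is in
' Reskit.COM, not the fabrikam.com domain used elsewhere on this page.
Set objComputer = GetObject _
    ("LDAP://CN=atl-dc-01,CN=Computers,DC=Reskit,DC=COM")
objComputer.SetPassword "atl-dc-01$"

' === Search for Specific Computer Accounts ===
' Description: Returns the name and location for all the computers in the
' domain that are running Windows Server 2003.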
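' === Search for Specific Computer Accounts (standalone script) ===
' Description: Returns the name and location for all the computers in the
' domain that are running Windows Server 2003.
Const ADS_SCOPE_SUBTREE = 2
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection
' NOTE(review): the filter is an exact match on the single version string
' '5.1 (3600)'; computers reporting any other operatingSystemVersion value are
' not returned. Check it against the builds present in your domain.
objCommand.CommandText = _
    "Select Name, Location, operatingSystemVersion from " & _
    "'LDAP://DC=fabrikam,DC=com' where objectClass='computer'" & _
    " and operatingSystemVersion = '5.1 (3600)'"
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
Set objRecordSet = objCommand.Execute
' MoveFirst raises on an empty result set; guard it so "no match" is not
' reported as a script error.
If Not objRecordSet.EOF Then objRecordSet.MoveFirst
Do Until objRecordSet.EOF
    Wscript.Echo "Computer Name: " & objRecordSet.Fields("Name").Value
    Wscript.Echo "Location: " & objRecordSet.Fields("Location").Value
    objRecordSet.MoveNext
Loop

' === Verify Computer Role (standalone script) ===
' Description: Returns the basic role (domain controller, member server,
' workstation, etc.) for a computer.
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colComputers = objWMIService.ExecQuery _
    ("Select DomainRole from Win32_ComputerSystem")
For Each objComputer in colComputers
    Select Case objComputer.DomainRole
        Case 0
            strComputerRole = "Standalone Workstation"
        Case 1
            strComputerRole = "Member Workstation"
        Case 2
            strComputerRole = "Standalone Server"
        Case 3
            strComputerRole = "Member Server"
        Case 4
            strComputerRole = "Backup Domain Controller"
        Case 5
            strComputerRole = "Primary Domain Controller"
        Case Else
            ' The original had no Case Else and echoed an empty line here.
            strComputerRole = "Unknown role (" & objComputer.DomainRole & ")"
    End Select
    Wscript.Echo strComputerRole
Next

' === Verify that a Computer is a Global Catalog Server ===
' Description: Indicates whether or not the atl-dc-01 domain controller is a
' global catalog server.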
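' === Verify that a Computer is a Global Catalog Server (standalone script) ===
' Description: Indicates whether or not the atl-dc-01 domain controller is a
' global catalog server.
strComputer = "atl-dc-01"
Const NTDSDSA_OPT_IS_GC = 1
Set objRootDSE = GetObject("LDAP://" & strComputer & "/rootDSE")
' dsServiceName is the DN of this DC's NTDS settings object; its "options"
' attribute carries the GC bit.
strDsServiceDN = objRootDSE.Get("dsServiceName")
Set objDsRoot = GetObject("LDAP://" & strComputer & "/" & strDsServiceDN)
intOptions = objDsRoot.Get("options")
If intOptions And NTDSDSA_OPT_IS_GC Then
    WScript.Echo strComputer & " is a global catalog server."
Else
    Wscript.Echo strComputer & " is not a global catalog server."
End If

' === List Domain Information Using WMI (standalone script) ===
' Description: Retrieves information about domains discovered on the network.
On Error Resume Next
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colItems = objWMIService.ExecQuery("Select * from Win32_NTDomain")
For Each objItem in colItems
    Wscript.Echo "Client Site Name: " & objItem.ClientSiteName
    Wscript.Echo "DC Site Name: " & objItem.DcSiteName
    Wscript.Echo "Description: " & objItem.Description
    Wscript.Echo "DNS Forest Name: " & objItem.DnsForestName
    Wscript.Echo "Domain Controller Address: " & _
        objItem.DomainControllerAddress
    Wscript.Echo "Domain Controller Address Type: " & _
        objItem.DomainControllerAddressType
    Wscript.Echo "Domain Controller Name: " & objItem.DomainControllerName
    Wscript.Echo "Domain GUID: " & objItem.DomainGuid
    Wscript.Echo "Domain Name: " & objItem.DomainName
    Wscript.Echo "DS Directory Service Flag: " & objItem.DSDirectoryServiceFlag
    Wscript.Echo "DS DNS Controller Flag: " & objItem.DSDnsControllerFlag
    Wscript.Echo "DS DNS Domain Flag: " & objItem.DSDnsDomainFlag
    Wscript.Echo "DS DNS Forest Flag: " & objItem.DSDnsForestFlag
    Wscript.Echo "DS Global Catalog Flag: " & objItem.DSGlobalCatalogFlag
    Wscript.Echo "DS Kerberos Distribution Center Flag: " & _
        objItem.DSKerberosDistributionCenterFlag
    Wscript.Echo "DS Primary Domain Controller Flag: " & _
        objItem.DSPrimaryDomainControllerFlag
    Wscript.Echo "DS Time Service Flag: " & objItem.DSTimeServiceFlag
    Wscript.Echo "DS Writable Flag: " & objItem.DSWritableFlag
    Wscript.Echo "Name: " & objItem.Name
    Wscript.Echo "Primary Owner Contact: " & objItem.PrimaryOwnerContact
    Wscript.Echo
Next

' === Add 1000 Sample Users to a Security Group (standalone script) ===
' Description: Demonstration script that creates a security group named Group1,
' and adds one thousand users (UserNo1 through UserNo1000) to that group. This
' script is not intended for use in a production environment.
Const ADS_PROPERTY_APPEND = 3
Set objRootDSE = GetObject("LDAP://rootDSE")
Set objContainer = GetObject("LDAP://cn=Users," & _
    objRootDSE.Get("defaultNamingContext"))
Set objGroup = objContainer.Create("Group", "cn=Group1")
objGroup.Put "sAMAccountName","Group1"
objGroup.SetInfo
' The DN suffix does not change per iteration; the original rebuilt it 1000
' times inside the loop.
strDN = ",cn=Users," & objRootDSE.defaultNamingContext
For i = 1 To 1000
    ' One append + SetInfo per member, as in the original; a failure on a
    ' single DN stops the script at that member.
    objGroup.PutEx ADS_PROPERTY_APPEND, "member", _
        Array("cn=UserNo" & i & strDN)
    objGroup.SetInfo
Next
WScript.Echo "Group1 created and 1000 Users added to the group."

' === Add a User to Two Security Groups (standalone script) ===
' Description: Adds a user (MyerKen) to two different Active Directory security
' groups: Atl-Users and NA-Employees.
Const ADS_PROPERTY_APPEND = 3
strMemberDN = "cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com"
Set objGroup = GetObject _
    ("LDAP://cn=Atl-Users,cn=Users,dc=NA,dc=fabrikam,dc=com")
objGroup.PutEx ADS_PROPERTY_APPEND, _
    "member", Array(strMemberDN)
objGroup.SetInfo
Set objGroup = GetObject _
    ("LDAP://cn=NA-Employees,cn=Users,dc=NA,dc=fabrikam,dc=com")
objGroup.PutEx ADS_PROPERTY_APPEND, _
    "member", Array(strMemberDN)
objGroup.SetInfo

' === Add New Members to a Security Group ===
' Description: Adds two groups (Executives and Scientists) and one user account
' (MyerKen) to the Sea-Users group in Active Directory.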
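' === Add New Members to a Security Group (standalone script) ===
' Description: Adds two groups (Executives and Scientists) and one user account
' (MyerKen) to the Sea-Users group in Active Directory.
Const ADS_PROPERTY_APPEND = 3
Set objGroup = GetObject _
    ("LDAP://cn=Sea-Users,cn=Users,dc=NA,dc=fabrikam,dc=com")
' A single append of all three DNs, committed with one SetInfo.
objGroup.PutEx ADS_PROPERTY_APPEND, "member", _
    Array("cn=Scientists,ou=R&D,dc=NA,dc=fabrikam,dc=com", _
          "cn=Executives,ou=Management,dc=NA,dc=fabrikam,dc=com", _
          "cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com")
objGroup.SetInfo

' === Assign a Group Manager (standalone script) ===
' Description: Assigns user MyerKen as the manager of an Active Directory
' security group named Scientists.
' managedBy only records who the manager is; it does not by itself grant the
' manager rights on the group (the "List the Managed By Information" script on
' this page checks the DACL for such an ACE separately).
Set objGroup = GetObject _
    ("LDAP://cn=Scientists,ou=R&D,dc=NA,dc=fabrikam,dc=com")
objGroup.Put "managedBy", "cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com"
objGroup.SetInfo

' === Change the Scope of a Security Group (standalone script) ===
' Description: Changes a global distribution group named Scientists to a
' universal security group.
Const ADS_GROUP_TYPE_GLOBAL_GROUP = &h2
Const ADS_GROUP_TYPE_LOCAL_GROUP = &h4
Const ADS_GROUP_TYPE_UNIVERSAL_GROUP = &h8
Const ADS_GROUP_TYPE_SECURITY_ENABLED = &h80000000
Set objGroup = GetObject _
    ("LDAP://cn=Scientists,ou=R&D,dc=NA,dc=fabrikam,dc=com")
' The original wrote GLOBAL_GROUP + SECURITY_ENABLED, which leaves the group
' global instead of making it universal as the description states. groupType
' is a bit mask, so the bits are combined with Or.
objGroup.Put "groupType", _
    ADS_GROUP_TYPE_UNIVERSAL_GROUP Or ADS_GROUP_TYPE_SECURITY_ENABLED
objGroup.SetInfo

' === Create a Domain Local Distribution Group (standalone script) ===
' Description: Creates a domain local Active Directory distribution group
' named Vendors.
Const ADS_GROUP_TYPE_LOCAL_GROUP = &h4
Set objOU = GetObject("LDAP://ou=HR,dc=NA,dc=fabrikam,dc=com")
Set objGroup = objOU.Create("Group", "cn=Vendors")
objGroup.Put "sAMAccountName", "vendors"
' No SECURITY_ENABLED bit: a distribution group.
objGroup.Put "groupType", ADS_GROUP_TYPE_LOCAL_GROUP
objGroup.SetInfo

' === Create a Domain Local Security Group ===
' Description: Creates a domain local Active Directory security group named
' DB-Servers.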
' === Create a Domain Local Security Group (standalone script) ===
' Description: Creates a domain local Active Directory security group named
' DB-Servers.
' groupType = scope bit Or SECURITY_ENABLED; the object is committed by SetInfo.
Const ADS_GROUP_TYPE_LOCAL_GROUP = &h4
Const ADS_GROUP_TYPE_SECURITY_ENABLED = &h80000000
Set objOU = GetObject("LDAP://cn=Computers,dc=NA,dc=fabrikam,dc=com")
Set objGroup = objOU.Create("Group", "cn=DB-Servers")
With objGroup
    .Put "sAMAccountName", "DBServers"
    .Put "groupType", ADS_GROUP_TYPE_LOCAL_GROUP Or ADS_GROUP_TYPE_SECURITY_ENABLED
    .SetInfo
End With

' === Create a Global Distribution Group (standalone script) ===
' Description: Creates a global Active Directory distribution group named
' Scientists.
' Scope bit only, no SECURITY_ENABLED: a distribution group.
Const ADS_GROUP_TYPE_GLOBAL_GROUP = &h2
Set objOU = GetObject("LDAP://ou=R&D,dc=NA,dc=fabrikam,dc=com")
Set objGroup = objOU.Create("Group", "cn=Scientists")
With objGroup
    .Put "sAMAccountName", "scientists"
    .Put "groupType", ADS_GROUP_TYPE_GLOBAL_GROUP
    .SetInfo
End With

' === Create a Global Security Group (standalone script) ===
' Description: Creates a global Active Directory security group named
' HR-Employees.
' Note the sAMAccountName ("HRStaff") differs from the cn ("HR-Employees").
Const ADS_GROUP_TYPE_GLOBAL_GROUP = &h2
Const ADS_GROUP_TYPE_SECURITY_ENABLED = &h80000000
Set objOU = GetObject("LDAP://ou=HR,dc=NA,dc=fabrikam,dc=com")
Set objGroup = objOU.Create("Group", "cn=HR-Employees")
With objGroup
    .Put "sAMAccountName", "HRStaff"
    .Put "groupType", ADS_GROUP_TYPE_GLOBAL_GROUP Or ADS_GROUP_TYPE_SECURITY_ENABLED
    .SetInfo
End With

' === Create a Universal Distribution Group (standalone script) ===
' Description: Creates a universal Active Directory distribution group named
' Customers.
Const ADS_GROUP_TYPE_UNIVERSAL_GROUP = &h8
Set objOU = GetObject("LDAP://ou=Sales,dc=NA,dc=fabrikam,dc=com")
Set objGroup = objOU.Create("Group", "cn=Customers")
With objGroup
    .Put "sAMAccountName", "customers"
    .Put "groupType", ADS_GROUP_TYPE_UNIVERSAL_GROUP
    .SetInfo
End With

' === Create a Universal Security Group ===
' Description: Creates a universal Active Directory security group named
' All-Employees.
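' === Create a Universal Security Group (standalone script) ===
' Description: Creates a universal Active Directory security group named
' All-Employees.
Const ADS_GROUP_TYPE_UNIVERSAL_GROUP = &h8
Const ADS_GROUP_TYPE_SECURITY_ENABLED = &h80000000
Set objOU = GetObject("LDAP://cn=Users,dc=NA,dc=fabrikam,dc=com")
Set objGroup = objOU.Create("Group", "cn=All-Employees")
objGroup.Put "sAMAccountName", "AllEmployees"
' Scope bit Or SECURITY_ENABLED makes it a security group.
objGroup.Put "groupType", ADS_GROUP_TYPE_UNIVERSAL_GROUP Or _
    ADS_GROUP_TYPE_SECURITY_ENABLED
objGroup.SetInfo

' === Delete a Group from Active Directory (standalone script) ===
' Description: Deletes a group named atl-users from the HR organizational unit
' in the domain fabrikam.com.
' Delete is called on the parent container with the class and RDN of the child.
Set objOU = GetObject("LDAP://ou=hr,dc=fabrikam,dc=com")
objOU.Delete "group", "cn=atl-users"

' === List All the Members of a Group (standalone script) ===
' Description: Returns the members of an Active Directory group named
' Scientists.
On Error Resume Next
Const E_ADS_PROPERTY_NOT_FOUND = &h8000500D
Set objGroup = GetObject _
    ("LDAP://cn=Scientists,ou=R&D,dc=NA,dc=fabrikam,dc=com")
objGroup.GetInfo
Err.Clear
arrMemberOf = objGroup.GetEx("member")
WScript.Echo "Members:"
' GetEx raises E_ADS_PROPERTY_NOT_FOUND when the group has no members. The
' original then ran For Each over an unset variable (hidden by On Error Resume
' Next) and printed only the header; check Err the same way the other
' GetEx("memberOf") scripts on this page do.
If Err.Number = E_ADS_PROPERTY_NOT_FOUND Then
    WScript.Echo vbTab & "(no members)"
    Err.Clear
Else
    For Each strMember in arrMemberOf
        WScript.echo strMember
    Next
End If

' === List Group Memberships for All the Users in an OU ===
' Description: Retrieves the memberOf and primaryGroupID attributes of a user
' account to display group membership. Note that the primaryGroupID attribute
' contains an integer that maps to the name of the primary group. The memberOf
' attribute does not contain the name of the primary group of which the user is
' a member.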
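' === List Group Memberships for All the Users in an OU (standalone script) ===
' Description: Retrieves the memberOf and primaryGroupID attributes of a user
' account to display group membership. Note that the primaryGroupID attribute
' contains an integer that maps to the name of the primary group. The memberOf
' attribute does not contain the name of the primary group of which the user is
' a member.
On Error Resume Next
Const E_ADS_PROPERTY_NOT_FOUND = &h8000500D
Set objOU = GetObject _
    ("LDAP://cn=Users,dc=NA,dc=fabrikam,dc=com")
' Restrict enumeration of the container to user objects.
objOU.Filter = Array("user")
For Each objUser in objOU
    WScript.Echo objUser.cn & " is a member of: "
    WScript.Echo vbTab & "Primary Group ID: " & _
        objUser.Get("primaryGroupID")
    ' Clear any error left by the previous user so the check below reflects
    ' this GetEx only.
    Err.Clear
    arrMemberOf = objUser.GetEx("memberOf")
    If Err.Number <> E_ADS_PROPERTY_NOT_FOUND Then
        For Each Group in arrMemberOf
            WScript.Echo vbTab & Group
        Next
    Else
        WScript.Echo vbTab & "memberOf attribute is not set"
        Err.Clear
    End If
    Wscript.Echo
Next

' === List Group Object Information (standalone script) ===
' Description: Retrieves the information found on the Object page in Active
' Directory Users and Computers for a security group named Scientists.

' Converts an IADsLargeInteger (HighPart/LowPart, both signed 32-bit values)
' to a Double. When LowPart's top bit is set it reads as a negative number and
' the plain HighPart * 2^32 + LowPart comes out 2^32 too small; the original
' wrapped that sum in Abs(), which does not repair it.
Function LargeIntegerToDouble(objLargeInt)
    Dim dblValue
    dblValue = objLargeInt.HighPart * 2^32 + objLargeInt.LowPart
    If objLargeInt.LowPart < 0 Then
        dblValue = dblValue + 2^32
    End If
    LargeIntegerToDouble = dblValue
End Function

Set objGroup = GetObject _
    ("GC://cn=Scientists,ou=R&D,dc=NA,dc=fabrikam,dc=com")
strWhenCreated = objGroup.Get("whenCreated")
strWhenChanged = objGroup.Get("whenChanged")
' uSNChanged / uSNCreated come back as IADsLargeInteger objects.
Set objUSNChanged = objGroup.Get("uSNChanged")
dblUSNChanged = LargeIntegerToDouble(objUSNChanged)
Set objUSNCreated = objGroup.Get("uSNCreated")
dblUSNCreated = LargeIntegerToDouble(objUSNCreated)
' canonicalName is loaded explicitly with GetInfoEx before GetEx reads it.
objGroup.GetInfoEx Array("canonicalName"), 0
arrCanonicalName = objGroup.GetEx("canonicalName")
WScript.echo "CanonicalName of object:"
For Each strValue in arrCanonicalName
    WScript.Echo vbTab & strValue
Next
WScript.Echo
WScript.Echo "Object class: " & objGroup.Class
WScript.Echo "When Created: " & strWhenCreated & " (Created - GMT)"
WScript.Echo "When Changed: " & strWhenChanged & " (Modified - GMT)"
WScript.Echo
WScript.Echo "USN Changed: " & dblUSNChanged & " (USN Current)"
WScript.Echo "USN Created: " & dblUSNCreated & " (USN Original)"

' === List Other Groups a Group Belongs To ===
' Description: Returns a list of all the groups that the Active Directory
' security group Scientists is a member of.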
' === List Other Groups a Group Belongs To (standalone script) ===
' Description: Returns a list of all the groups that the Active Directory
' security group Scientists is a member of.
On Error Resume Next
Set objGroup = GetObject _
    ("LDAP://cn=Scientists,ou=R&D,dc=NA,dc=fabrikam,dc=com")
objGroup.GetInfo
' GetEx raises when memberOf is unset; with On Error Resume Next the variable
' then stays unassigned and the For Each below is expected to be skipped
' silently, leaving only the header printed.
arrMembersOf = objGroup.GetEx("memberOf")
WScript.Echo "MembersOf:"
For Each strMemberOf in arrMembersOf
    WScript.Echo strMemberOf
Next

' === List the Active Directory Groups a User Belongs To (standalone script) ===
' Description: Returns a list of all the Active Directory security groups
' (including the primary group) that include the MyerKen user account as a
' member.
On Error Resume Next
Const E_ADS_PROPERTY_NOT_FOUND = &h8000500D
Set objUser = GetObject _
    ("LDAP://cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com")
' primaryGroupID is an integer; the primary group is not listed in memberOf,
' so it is resolved separately through the ADO query below.
intPrimaryGroupID = objUser.Get("primaryGroupID")
arrMemberOf = objUser.GetEx("memberOf")
If Err.Number = E_ADS_PROPERTY_NOT_FOUND Then
    WScript.Echo "The memberOf attribute is not set."
Else
    WScript.Echo "Member of: "
    For Each Group in arrMemberOf
        WScript.Echo Group
    Next
End If
Set objConnection = CreateObject("ADODB.Connection")
objConnection.Open "Provider=ADsDSOObject;"
Set objCommand = CreateObject("ADODB.Command")
objCommand.ActiveConnection = objConnection
' LDAP-dialect query: <base>;<filter>;<attributes>;<scope>. The base segment
' is left empty here -- NOTE(review): confirm which base the provider uses in
' that case before relying on this for anything but a demonstration.
objCommand.CommandText = _
    ";(objectCategory=Group);" & _
    "distinguishedName,primaryGroupToken;subtree"
Set objRecordSet = objCommand.Execute
' Every group is scanned; the one whose primaryGroupToken equals the user's
' primaryGroupID is the primary group.
Do Until objRecordset.EOF
    If objRecordset.Fields("primaryGroupToken") = intPrimaryGroupID Then
        WScript.Echo "Primary group:"
        WScript.Echo objRecordset.Fields("distinguishedName") & _
            " (primaryGroupID: " & intPrimaryGroupID & ")"
    End If
    objRecordset.MoveNext
Loop
objConnection.Close

' === List the Attributes of the Group Class ===
' Description: Returns a list of mandatory and optional attributes of the group
' class (as stored in the Active Directory schema).
' === List the Attributes of the Group Class (standalone script) ===
' Description: Returns a list of mandatory and optional attributes of the group
' class (as stored in the Active Directory schema).
Set objGroupClass = GetObject("LDAP://schema/group")
Set objSchemaClass = GetObject(objGroupClass.Parent)

' Prints the cardinality line for one schema attribute definition.
Sub EchoCardinality(objSchemaAttribute)
    If objSchemaAttribute.MultiValued Then
        WScript.Echo " Multivalued"
    Else
        WScript.Echo " Single-valued"
    End If
End Sub

intCount = 0
WScript.Echo "Mandatory attributes:"
For Each strName in objGroupClass.MandatoryProperties
    intCount = intCount + 1
    WScript.Echo intCount & vbTab & strName
    Set objAttrDef = objSchemaClass.GetObject("Property", strName)
    WScript.Echo " (Syntax: " & objAttrDef.Syntax & ")"
    EchoCardinality objAttrDef
Next

' The counter keeps running across both lists rather than restarting at 1.
WScript.Echo VbCrLf & "Optional attributes:"
For Each strName in objGroupClass.OptionalProperties
    intCount = intCount + 1
    WScript.Echo intCount & vbTab & strName
    Set objAttrDef = objSchemaClass.GetObject("Property", strName)
    WScript.Echo " [Syntax: " & objAttrDef.Syntax & "]"
    EchoCardinality objAttrDef
Next

' === List the General Properties of a Group ===
' Description: Reads the values found on the General Properties page in Active
' Directory Users and Computers for a group named Scientists.
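' === List the General Properties of a Group (standalone script) ===
' Description: Reads the values found on the General Properties page in Active
' Directory Users and Computers for a group named Scientists.
On Error Resume Next
Const ADS_GROUP_TYPE_GLOBAL_GROUP = &h2
Const ADS_GROUP_TYPE_LOCAL_GROUP = &h4
Const ADS_GROUP_TYPE_UNIVERSAL_GROUP = &h8
Const ADS_GROUP_TYPE_SECURITY_ENABLED = &h80000000
Set objGroup = GetObject _
    ("LDAP://cn=Scientists,ou=R&D,dc=NA,dc=fabrikam,dc=com")
WScript.Echo "Name: " & objGroup.Name
WScript.Echo "SAM Account Name: " & objGroup.SAMAccountName
WScript.Echo "Mail: " & objGroup.Mail
WScript.Echo "Info: " & objGroup.Info
' The original never read groupType into intGroupType, so every group was
' reported as scope "Unknown" and type "Distribution group".
intGroupType = objGroup.Get("groupType")
If intGroupType AND ADS_GROUP_TYPE_LOCAL_GROUP Then
    WScript.Echo "Group scope: Domain local"
ElseIf intGroupType AND ADS_GROUP_TYPE_GLOBAL_GROUP Then
    WScript.Echo "Group scope: Global"
ElseIf intGroupType AND ADS_GROUP_TYPE_UNIVERSAL_GROUP Then
    WScript.Echo "Group scope: Universal"
Else
    WScript.Echo "Group scope: Unknown"
End If
If intGroupType AND ADS_GROUP_TYPE_SECURITY_ENABLED Then
    WScript.Echo "Group type: Security group"
Else
    WScript.Echo "Group type: Distribution group"
End If
' GetEx returns an array whether description holds one value or several, so
' For Each works in both cases; if the attribute is unset GetEx raises and
' nothing is printed for it.
Err.Clear
arrDescription = objGroup.GetEx("description")
If Err.Number = 0 Then
    For Each strValue in arrDescription
        WScript.Echo "Description: " & strValue
    Next
Else
    Err.Clear
End If

' === List the Managed By Information for a Group (standalone script) ===
' Description: Returns information about the manager assigned to an Active
' Directory security group named Scientists.
On Error Resume Next
Set objGroup = GetObject _
    ("LDAP://cn=Scientists,ou=R&D,dc=NA,dc=fabrikam,dc=com")
strManagedBy = objGroup.Get("managedBy")
If IsEmpty(strManagedBy) = TRUE Then
    WScript.Echo "No user account is assigned to manage " & _
        "this group."
Else
    Set objUser = GetObject("LDAP://" & strManagedBy)
    Call GetUpdateMemberList
    WScript.Echo "Office: " & _
        objUser.physicalDeliveryOfficeName
    WScript.Echo "Street Address: " & objUser.streetAddress
    WScript.Echo "Locality: " & objUser.l
    WScript.Echo "State/Province: " & objUser.st
    WScript.Echo "Country: " & objUser.c
    WScript.Echo "Telephone Number: " & objUser.telephoneNumber
    WScript.Echo "Fax Number: " & _
        objUser.facsimileTelephoneNumber
End If

' Reports whether the manager (script-level objUser) holds an explicit allow
' ACE on the group (script-level objGroup) for writing the member attribute.
' Only an ACE whose trustee is the manager's own DOMAIN\account is recognised;
' rights the manager may hold through group membership do not set blnMatch.
Sub GetUpdateMemberList
    Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &H5
    Const Member_SchemaIDGuid = "{BF9679C0-0DE6-11D0-A285-00AA003049E2}"
    Const ADS_RIGHT_DS_WRITE_PROP = &H20
    objUser.GetInfoEx Array("canonicalName"),0
    strCanonicalName = objUser.Get("canonicalName")
    ' The domain part of the trustee name is taken from the first label of the
    ' canonical name; that only matches the ACE's "DOMAIN\account" form when
    ' the NetBIOS domain name equals that DNS label -- verify for your forest.
    strDomain = Mid(strCanonicalName,1,InStr(1,strCanonicalName,".")-1)
    strSAMAccountName = objUser.Get("sAMAccountName")
    Set objNtSecurityDescriptor = objGroup.Get("ntSecurityDescriptor")
    Set objDiscretionaryAcl = objNtSecurityDescriptor.DiscretionaryAcl
    blnMatch = False
    For Each objAce In objDiscretionaryAcl
        ' VBScript And is bitwise; the original relied on True (-1) masking the
        ' raw AccessMask bits in the last operand. Compare it explicitly.
        If LCase(objAce.Trustee) = _
            LCase(strDomain & "\" & strSAMAccountName) AND _
            objAce.ObjectType = Member_SchemaIDGuid AND _
            objAce.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT AND _
            (objAce.AccessMask And ADS_RIGHT_DS_WRITE_PROP) <> 0 Then
            blnMatch = True
        End If
    Next
    If blnMatch Then
        WScript.Echo "Manager can update the member list"
    Else
        WScript.Echo "Manager cannot update the member list."
    End If
End Sub

' === List the Owner of a Group (standalone script) ===
' Description: Returns the owner of an Active Directory security group named
' Scientists.
Set objGroup = GetObject _
    ("LDAP://cn=Scientists,ou=R&D,dc=NA,dc=fabrikam,dc=com")
Set objNtSecurityDescriptor = objGroup.Get("ntSecurityDescriptor")
WScript.Echo "Owner Tab"
WScript.Echo "Current owner of this item: " & objNtSecurityDescriptor.Owner

' === List the Primary Group for a User Account ===
' Description: Reports the primary group for the MyerKen Active Directory user
' account.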
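' --- List the Primary Group for a User Account (script) ---------------
On Error Resume Next
Const E_ADS_PROPERTY_NOT_FOUND = &h8000500D

Set objUser = GetObject _
    ("LDAP://cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com")
intPrimaryGroupID = objUser.Get("primaryGroupID")
' FIX: the constant above was declared but never tested; without this
' check an unreadable primaryGroupID silently matched no group at all.
If Err.Number = E_ADS_PROPERTY_NOT_FOUND Then
    WScript.Echo "primaryGroupID could not be read for this account."
    WScript.Quit 1
End If

Set objConnection = CreateObject("ADODB.Connection")
objConnection.Open "Provider=ADsDSOObject;"
Set objCommand = CreateObject("ADODB.Command")
objCommand.ActiveConnection = objConnection
' The angle-bracketed search base was stripped from the page (it reads as
' an HTML tag), leaving the query starting with ";".  Restored here with
' the domain DN used by every other listing on this page.
objCommand.CommandText = _
    "<LDAP://dc=NA,dc=fabrikam,dc=com>;(objectCategory=Group);" & _
    "distinguishedName,primaryGroupToken;subtree"
Set objRecordSet = objCommand.Execute

' primaryGroupToken is the group's RID; the user's primaryGroupID stores
' the RID of its primary group, so equality identifies the group.
Do Until objRecordSet.EOF
    If objRecordSet.Fields("primaryGroupToken") = intPrimaryGroupID Then
        WScript.Echo "Primary group:"
        WScript.Echo objRecordSet.Fields("distinguishedName") & _
            " (primaryGroupID: " & intPrimaryGroupID & ")"
    End If
    objRecordSet.MoveNext
Loop
objConnection.Close

' =====================================================================
' List the Security Descriptor for a Group
' Description: Returns information found on the security descriptor for
' the Active Directory group named Scientists.
' =====================================================================
Const SE_DACL_PROTECTED = &H1000

Set objGroup = GetObject _
    ("LDAP://cn=Scientists,ou=R&D,dc=NA,dc=fabrikam,dc=com")
Set objNtSecurityDescriptor = objGroup.Get("ntSecurityDescriptor")
intNtSecurityDescriptorControl = objNtSecurityDescriptor.Control

WScript.Echo "Permissions Tab"
' SE_DACL_PROTECTED set = inheritance from the parent is blocked, i.e. the
' ADUC check box is cleared.  (Output text: "propogate" corrected.)
strMessage = "Allow inheritable permissions from the parent to " & _
             "propagate to this object and all child objects "
If (intNtSecurityDescriptorControl And SE_DACL_PROTECTED) Then
    Wscript.Echo strMessage & "is disabled."
Else
    WScript.Echo strMessage & "is enabled."
End If
WScript.Echo

Set objDiscretionaryAcl = objNtSecurityDescriptor.DiscretionaryAcl
DisplayAceInformation objDiscretionaryAcl, "DACL"

' Prints every ACE in SecurityStructure (an ADSI AccessControlList) whose
' trustee does not start with "NT AUTHORITY", labelled with strType.
' NOTE(review): that filter silently drops ACEs for NT AUTHORITY\SELF,
' SYSTEM, Authenticated Users and similar well-known trustees, so this
' output is not a complete permissions review of the object.
Sub DisplayAceInformation(SecurityStructure, strType)
    Const ADS_ACETYPE_ACCESS_ALLOWED        = &H0
    Const ADS_ACETYPE_ACCESS_DENIED         = &H1
    Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &H5
    Const ADS_ACETYPE_ACCESS_DENIED_OBJECT  = &H6

    intAceCount = 0
    For Each objAce In SecurityStructure
        strTrustee = Mid(objAce.Trustee, 1, 12)
        If StrComp(strTrustee, "NT AUTHORITY", 1) <> 0 Then
            intAceCount = intAceCount + 1
            WScript.Echo strType & " permission entry: " & intAceCount
            WScript.Echo "Name: " & objAce.Trustee
            intAceType = objAce.AceType
            ' (Output text: "Acess" corrected to "Access".)
            If (intAceType = ADS_ACETYPE_ACCESS_ALLOWED Or _
                intAceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT) Then
                WScript.Echo "Type: Allow Access"
            ElseIf (intAceType = ADS_ACETYPE_ACCESS_DENIED Or _
                    intAceType = ADS_ACETYPE_ACCESS_DENIED_OBJECT) Then
                WScript.Echo "Type: Deny Access"
            Else
                WScript.Echo "Access Type Unknown."
            End If
            ReadBitsInAccessMask(objAce.AccessMask)
            WScript.Echo VbCr
        End If
    Next
End Sub

' Decodes the bits of an ADSI access mask into the standard, directory-
' specific and control access rights it grants, one line per right.
Sub ReadBitsInAccessMask(AccessMask)
    Const ADS_RIGHT_DELETE            = &H10000
    Const ADS_RIGHT_READ_CONTROL      = &H20000
    Const ADS_RIGHT_WRITE_DAC         = &H40000
    Const ADS_RIGHT_WRITE_OWNER       = &H80000
    Const ADS_RIGHT_DS_CREATE_CHILD   = &H1
    Const ADS_RIGHT_DS_DELETE_CHILD   = &H2
    Const ADS_RIGHT_ACTRL_DS_LIST     = &H4
    Const ADS_RIGHT_DS_SELF           = &H8
    Const ADS_RIGHT_DS_READ_PROP      = &H10
    Const ADS_RIGHT_DS_WRITE_PROP     = &H20
    Const ADS_RIGHT_DS_DELETE_TREE    = &H40
    Const ADS_RIGHT_DS_LIST_OBJECT    = &H80
    Const ADS_RIGHT_DS_CONTROL_ACCESS = &H100

    ' WRITE_DAC and WRITE_OWNER are the two rights that let a trustee
    ' change the permissions themselves; treat them as high-impact.
    WScript.Echo VbCrLf & "Standard Access Rights"
    If (AccessMask And ADS_RIGHT_DELETE) Then _
        WScript.Echo vbTab & "-Delete an object."
    If (AccessMask And ADS_RIGHT_READ_CONTROL) Then _
        WScript.Echo vbTab & "-Read permissions."
    If (AccessMask And ADS_RIGHT_WRITE_DAC) Then _
        WScript.Echo vbTab & "-Write permissions."
    If (AccessMask And ADS_RIGHT_WRITE_OWNER) Then _
        WScript.Echo vbTab & "-Modify owner."

    WScript.Echo VbCrLf & "Directory Service Specific Access Rights"
    If (AccessMask And ADS_RIGHT_DS_CREATE_CHILD) Then _
        WScript.Echo vbTab & "-Create child objects."
    If (AccessMask And ADS_RIGHT_DS_DELETE_CHILD) Then _
        WScript.Echo vbTab & "-Delete child objects."
    If (AccessMask And ADS_RIGHT_ACTRL_DS_LIST) Then _
        WScript.Echo vbTab & "-Enumerate an object."
    If (AccessMask And ADS_RIGHT_DS_READ_PROP) Then _
        WScript.Echo vbTab & "-Read the properties of an object."
    If (AccessMask And ADS_RIGHT_DS_WRITE_PROP) Then _
        WScript.Echo vbTab & "-Write the properties of an object."
    If (AccessMask And ADS_RIGHT_DS_DELETE_TREE) Then _
        WScript.Echo vbTab & "-Delete a tree of objects"
    If (AccessMask And ADS_RIGHT_DS_LIST_OBJECT) Then _
        WScript.Echo vbTab & "-List a tree of objects."

    ' Control access (extended rights) and validated writes are the bits
    ' that carry an ObjectType GUID on object-specific ACEs.
    WScript.Echo VbCrLf & "Control Access Rights"
    If (AccessMask And ADS_RIGHT_DS_CONTROL_ACCESS) + _
       (AccessMask And ADS_RIGHT_DS_SELF) = 0 Then
        WScript.Echo "-None"
    Else
        If (AccessMask And ADS_RIGHT_DS_CONTROL_ACCESS) Then _
            WScript.Echo vbTab & "-Extended access rights."
        If (AccessMask And ADS_RIGHT_DS_SELF) Then
            WScript.Echo vbTab & "-Active Directory must validate a property "
            WScript.Echo vbTab & " write operation beyond the schema " & _
                "definition "
            WScript.Echo vbTab & " for the attribute."
        End If
    End If
End Sub

' =====================================================================
' List the System Access Control List for a Group
' Description: Returns information found on the System Access Control
' List (SACL) for an Active Directory security group named Scientists.
' (Script follows.)
' =====================================================================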
Script Code Const SE_SACL_PROTECTED = &H2000 Const ADS_SECURITY_INFO_OWNER = &H1 Const ADS_SECURITY_INFO_GROUP = &H2 Const ADS_OPTION_SECURITY_MASK =&H3 Const ADS_SECURITY_INFO_DACL = &H4 Const ADS_SECURITY_INFO_SACL = &H8 Set objGroup = GetObject _ ("LDAP://cn=Scientists,ou=R&D,dc=NA,dc=fabrikam,dc=com") objGroup.SetOption ADS_OPTION_SECURITY_MASK, ADS_SECURITY_INFO_OWNER _ Or ADS_SECURITY_INFO_GROUP Or ADS_SECURITY_INFO_DACL _ Or ADS_SECURITY_INFO_SACL Set objNtSecurityDescriptor = objGroup.Get("ntSecurityDescriptor") intNtSecurityDescriptorControl = objNtSecurityDescriptor.Control WScript.Echo "Auditing Tab" strMessage = "Allow inheritable auditing entries from" & _ "the parent to " strMessage = strMessage & "propogate to this object and all child objects " If (intNtSecurityDescriptorControl And SE_SACL_PROTECTED) Then Wscript.Echo strMessage & "is disabled." Else WScript.Echo strMessage & "is enabled." End If WScript.Echo Set objSacl = objNtSecurityDescriptor.SystemAcl DisplayAceInformation objSacl, "SACL" Sub DisplayAceInformation(SecurityStructure, strType) Const ADS_ACETYPE_SYSTEM_AUDIT = &H2 Const ADS_ACETYPE_SYSTEM_AUDIT_OBJECT = &H7 intAceCount = 0 For Each objAce In SecurityStructure strTrustee = Mid(objAce.Trustee,1,12) If StrComp(strTrustee, "NT AUTHORITY", 1) <> 0 Then intAceCount = intAceCount + 1 WScript.Echo strType & " permission entry: " & intAceCount WScript.Echo "Name: " & objAce.Trustee intAceType = objAce.AceType WScript.Echo "ACETYPE IS: " & intAceType If (intAceType = ADS_ACETYPE_SYSTEM_AUDIT or _ intAceType = ADS_ACETYPE_SYSTEM_AUDIT_OBJECT) Then WScript.Echo "Type: Success or Failure Audit" Else WScript.Echo "Audit Type Unknown." 
End If ReadBitsInAccessMask(objAce.AccessMask) WScript.Echo End If Next End Sub Sub ReadBitsInAccessMask(AccessMask) Const ADS_RIGHT_DELETE = &H10000 Const ADS_RIGHT_READ_CONTROL = &H20000 Const ADS_RIGHT_WRITE_DAC = &H40000 Const ADS_RIGHT_WRITE_OWNER = &H80000 Const ADS_RIGHT_DS_CREATE_CHILD = &H1 Const ADS_RIGHT_DS_DELETE_CHILD = &H2 Const ADS_RIGHT_ACTRL_DS_LIST = &H4 Const ADS_RIGHT_DS_SELF = &H8 Const ADS_RIGHT_DS_READ_PROP = &H10 Const ADS_RIGHT_DS_WRITE_PROP = &H20 Const ADS_RIGHT_DS_DELETE_TREE = &H40 Const ADS_RIGHT_DS_LIST_OBJECT = &H80 Const ADS_RIGHT_DS_CONTROL_ACCESS = &H100 WScript.Echo VbCrLf & "Standard Access Rights" If (AccessMask And ADS_RIGHT_DELETE) Then _ WScript.Echo vbTab & "-Delete an object." If (AccessMask And ADS_RIGHT_READ_CONTROL) Then _ WScript.Echo vbTab & "-Read permissions." If (AccessMask And ADS_RIGHT_WRITE_DAC) Then _ WScript.Echo vbTab & "-Write permissions." If (AccessMask And ADS_RIGHT_WRITE_OWNER) Then _ WScript.Echo vbTab & "-Modify owner." WScript.Echo VbCrLf & "Directory Service Specific Access Rights" If (AccessMask And ADS_RIGHT_DS_CREATE_CHILD) Then _ WScript.Echo vbTab & "-Create child objects." If (AccessMask And ADS_RIGHT_DS_DELETE_CHILD) Then _ WScript.Echo vbTab & "-Delete child objects." If (AccessMask And ADS_RIGHT_ACTRL_DS_LIST) Then _ WScript.Echo vbTab & "-Enumerate an object." If (AccessMask And ADS_RIGHT_DS_READ_PROP) Then _ WScript.Echo vbTab & "-Read the properties of an object." If (AccessMask And ADS_RIGHT_DS_WRITE_PROP) Then _ WScript.Echo vbTab & "-Write the properties of an object." If (AccessMask And ADS_RIGHT_DS_DELETE_TREE) Then _ WScript.Echo vbTab & "-Delete a tree of objects" If (AccessMask And ADS_RIGHT_DS_LIST_OBJECT) Then _ WScript.Echo vbTab & "-List a tree of objects." 
WScript.Echo VbCrLf & "Control Access Rights" If (AccessMask And ADS_RIGHT_DS_CONTROL_ACCESS) + _ (AccessMask And ADS_RIGHT_DS_SELF) = 0 Then WScript.Echo "-None" Else If (AccessMask And ADS_RIGHT_DS_CONTROL_ACCESS) Then _ WScript.Echo vbTab & "-Extended access rights." If (AccessMask And ADS_RIGHT_DS_SELF) Then WScript.Echo vbTab & "-Active Directory must validate a property " WScript.Echo vbTab & " write operation beyond the schema " & _ 38 of 153 "definition " WScript.Echo vbTab & " for the attribute." End If End If End Sub Modify Group Attributes Description Modifies both single-value (samAccountName, mail, info) and multi-value (description) attributes for a group named Scientists. Script Code Const ADS_PROPERTY_UPDATE = 2 Set objGroup = GetObject _ ("LDAP://cn=Scientists,ou=R&D,dc=NA,dc=fabrikam,dc=com") objGroup.Put "sAMAccountName", "Scientist01" objGroup.Put "mail", "YoungRob@fabrikam.com" objGroup.Put "info", "Use this group for official communications " & _ "with scientists who are contracted to work with Contoso.com." objGroup.PutEx ADS_PROPERTY_UPDATE, _ "description", Array("Scientist Mailing List") objGroup.SetInfo Modify Group Type Description Changes a local group named Scientists to a global security group. Script Code Const ADS_GROUP_TYPE_GLOBAL_GROUP = &h2 Const ADS_GROUP_TYPE_LOCAL_GROUP = &h4 Const ADS_GROUP_TYPE_UNIVERSAL_GROUP = &h8 Const ADS_GROUP_TYPE_SECURITY_ENABLED = &h80000000 Set objGroup = GetObject _ ("LDAP://cn=Scientists,ou=R&D,dc=NA,dc=fabrikam,dc=com") objGroup.Put "groupType", _ ADS_GROUP_TYPE_UNIVERSAL_GROUP + ADS_GROUP_TYPE_SECURITY_ENABLED objGroup.SetInfo Move a Group Within a Domain Description Moves a group account from the HR OU to the Users container. Script Code Set objOU = GetObject("LDAP://cn=Users,dc=NA,dc=fabrikam,dc=com") objOU.MoveHere "LDAP://cn=atl-users,ou=HR,dc=NA,dc=fabrikam,dc=com", _ vbNullString Remove a User from a Group Description Removes user MyerKen from the group Sea-Users. 
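' --- Remove a User from a Group (script) -------------------------------
' Removes one value from the multi-valued "member" attribute; other
' members are untouched.
Const ADS_PROPERTY_DELETE = 4

Set objGroup = GetObject _
    ("LDAP://cn=Sea-Users,cn=Users,dc=NA,dc=fabrikam,dc=com")
objGroup.PutEx ADS_PROPERTY_DELETE, _
    "member", Array("cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com")
objGroup.SetInfo

' =====================================================================
' Remove All Group Memberships for a User Account
' Description: Removes the MyerKen user account from all Active Directory
' security groups.
' NOTE(review): memberOf lists every group the account is a direct member
' of, distribution groups included, and it does NOT contain the primary
' group (primaryGroupID); that membership remains after this script.
' =====================================================================
On Error Resume Next
Const ADS_PROPERTY_DELETE = 4
Const E_ADS_PROPERTY_NOT_FOUND = &h8000500D

Set objUser = GetObject _
    ("LDAP://cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com")
If Err.Number <> 0 Then
    WScript.Echo "Unable to bind to the user account: 0x" & Hex(Err.Number)
    WScript.Quit 1
End If

arrMemberOf = objUser.GetEx("memberOf")
If Err.Number = E_ADS_PROPERTY_NOT_FOUND Then
    WScript.Echo "This account is not a member of any security groups."
    WScript.Quit
' FIX: any other GetEx failure left arrMemberOf Empty and the loop below
' silently did nothing; report it instead.
ElseIf Err.Number <> 0 Then
    WScript.Echo "Unable to read memberOf: 0x" & Hex(Err.Number)
    WScript.Quit 1
End If

For Each Group in arrMemberOf
    Set objGroup = GetObject("LDAP://" & Group)
    objGroup.PutEx ADS_PROPERTY_DELETE, _
        "member", Array("cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com")
    objGroup.SetInfo
    ' A failure on one group (e.g. no write access) must not be hidden by
    ' On Error Resume Next; report it and continue with the next group.
    If Err.Number <> 0 Then
        WScript.Echo "Could not remove from " & Group & ": 0x" & Hex(Err.Number)
        Err.Clear
    End If
Next

' =====================================================================
' Remove All the Members of a Group
' Description: Removes all the members of an Active Directory group named
' Sea-Users.
' =====================================================================
' ADS_PROPERTY_CLEAR empties the whole attribute in one SetInfo; there is
' no confirmation and no undo.
Const ADS_PROPERTY_CLEAR = 1

Set objGroup = GetObject _
    ("LDAP://cn=Sea-Users,cn=Users,dc=NA,dc=fabrikam,dc=com")
objGroup.PutEx ADS_PROPERTY_CLEAR, "member", 0
objGroup.SetInfo

' =====================================================================
' Remove the Manager of a Group
' Description: Removes the manager entry for the Active Directory security
' group named Scientists.  When this script is run, the group will no
' longer have an assigned manager.
' =====================================================================
Const ADS_PROPERTY_CLEAR = 1

Set objGroup = GetObject _
    ("LDAP://cn=Scientists,ou=R&D,dc=NA,dc=fabrikam,dc=com")
objGroup.PutEx ADS_PROPERTY_CLEAR, "managedBy", 0
objGroup.SetInfo

' =====================================================================
' Replace Group Membership with All-New Members
' Description: Replaces the existing membership of a group named
' Scientists with two new group members: YoungRob and ShenAlan.
' (Script follows.)
' =====================================================================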
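' --- Replace Group Membership with All-New Members (script) ------------
' ADS_PROPERTY_UPDATE on "member" replaces the whole multi-valued
' attribute: every current member not listed below is removed by the
' same SetInfo.
Const ADS_PROPERTY_UPDATE = 2

Set objGroup = GetObject _
    ("LDAP://cn=Scientists,ou=R&D,dc=NA,dc=fabrikam,dc=com")
objGroup.PutEx ADS_PROPERTY_UPDATE, "member", _
    Array("cn=YoungRob,ou=R&D,dc=NA,dc=fabrikam,dc=com", _
          "cn=ShenAlan,ou=R&D,dc=NA,dc=fabrikam,dc=com")
objGroup.SetInfo

' =====================================================================
' Configure Trust Relationship Properties
' Description: Configures trust relationship refresh and validation
' properties.
' =====================================================================
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & _
    strComputer & "\root\MicrosoftActiveDirectory")
Set colTrustList = objWMIService.ExecQuery _
    ("Select * from Microsoft_TrustProvider")
' The three values are taken as given on the page; their units are not
' stated here — check the Microsoft_TrustProvider class documentation
' before changing them.  Put_ commits the instance.
For Each objTrust in colTrustList
    objTrust.TrustListLifetime   = 25
    objTrust.TrustStatusLifetime = 10
    objTrust.TrustCheckLevel     = 1
    objTrust.Put_
Next

' =====================================================================
' Install Active Directory Database Performance Counters
' Description: Installs the Active Database performance counters on a
' domain controller.
' =====================================================================
Set WshShell = WScript.CreateObject("WScript.Shell")
Set objFSO = CreateObject("Scripting.FileSystemObject")
' (The original also created a Shell.Application object it never used.)

' FIX: CreateFolder raises an error when the folder already exists, which
' aborted the original script on any second run.
If Not objFSO.FolderExists("C:\Performance") Then
    objFSO.CreateFolder "C:\Performance"
End If

' FIX: both path literals carried a trailing space inside the quotes.
Set objCopyFile = objFSO.GetFile("C:\windows\system32\esentprf.dll")
objCopyFile.Copy "C:\performance\esentprf.dll"

' The Library value names the DLL the performance subsystem loads for the
' Esent counters.  That DLL is loaded by whatever process collects the
' counters, so registering a copy outside %SystemRoot%\system32 makes its
' integrity depend on the ACL of C:\Performance: make sure that folder is
' writable only by administrators, or register the system32 copy instead.
WshShell.RegWrite _
    "HKLM\System\CurrentControlSet\Services\Esent\Performance\Open", _
    "OpenPerformanceData", "REG_SZ"
WshShell.RegWrite _
    "HKLM\System\CurrentControlSet\Services\Esent\Performance\Collect", _
    "CollectPerformanceData", "REG_SZ"
WshShell.RegWrite _
    "HKLM\System\CurrentControlSet\Services\Esent\Performance\Close", _
    "ClosePerformanceData", "REG_SZ"
WshShell.RegWrite _
    "HKLM\System\CurrentControlSet\Services\Esent\Performance\Library", _
    "C:\Performance\Esentprf.dll", "REG_SZ"

' lodctr registers the counter names/help text from the .ini.  The third
' argument (bWaitOnReturn) makes the script wait for it to finish so the
' registration is complete when the script exits.
strCommandText = "%comspec% /c lodctr.exe c:\windows\system32\esentprf.ini"
WshShell.Run strCommandText, , True

' =====================================================================
' List Active Directory Database Replication Partners
' Description (as printed on the page): Configures trust relationship
' refresh and validation properties.
' NOTE(review): that description is a copy of the trust-properties text;
' the code enumerates MSAD_ReplNeighbor and prints each replication
' neighbour (source DSA) with its last sync result and failure count.
' =====================================================================
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & _
    strComputer & "\root\MicrosoftActiveDirectory")
Set colReplicationOperations = objWMIService.ExecQuery _
    ("Select * from MSAD_ReplNeighbor")
For each objReplicationJob in colReplicationOperations
    Wscript.Echo "Domain: " & objReplicationJob.Domain
    Wscript.Echo "Naming context DN: " & objReplicationJob.NamingContextDN
    Wscript.Echo "Source DSA DN: " & objReplicationJob.SourceDsaDN
    Wscript.Echo "Last synch result: " & objReplicationJob.LastSyncResult
    Wscript.Echo "Number of consecutive synchronization failures: " & _
        objReplicationJob.NumConsecutiveSyncFailures
Next

' =====================================================================
' List Domain Information for Trust Partners
' Description: Returns local domain information.
' =====================================================================
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & _
    strComputer & "\root\MicrosoftActiveDirectory")
Set colDomainInfo = objWMIService.ExecQuery _
    ("Select * from Microsoft_LocalDomainInfo")
For each objDomain in colDomainInfo
    Wscript.Echo "DNS name: " & objDomain.DNSName
    Wscript.Echo "Flat name: " & objDomain.FlatName
    Wscript.Echo "SID: " & objDomain.SID
    Wscript.Echo "Tree name: " & objDomain.TreeName
    Wscript.Echo "Domain controller name: " & objDomain.DCName
Next

' =====================================================================
' List Trust Relationships
' Description: Enumerates trust relationships.
' =====================================================================
' TrustDirection / TrustType / TrustAttributes are printed as raw numeric
' values; decode them against the Microsoft_DomainTrustStatus class
' documentation when reviewing (e.g. whether a trust is transitive or
' forest-wide).
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & _
    strComputer & "\root\MicrosoftActiveDirectory")
Set colTrustList = objWMIService.ExecQuery _
    ("Select * from Microsoft_DomainTrustStatus")
For each objTrust in colTrustList
    Wscript.Echo "Trusted domain: " & objTrust.TrustedDomain
    Wscript.Echo "Trust direction: " & objTrust.TrustDirection
    Wscript.Echo "Trust type: " & objTrust.TrustType
    Wscript.Echo "Trust attributes: " & objTrust.TrustAttributes
    Wscript.Echo "Trusted domain controller name: " & objTrust.TrustedDCName
    Wscript.Echo "Trust status: " & objTrust.TrustStatus
    Wscript.Echo "Trust is OK: " & objTrust.TrustIsOK
Next

' =====================================================================
' Monitor Active Directory Database Performance
' Description: Uses cooked performance counters to monitor the performance
' of the Active Directory database on a domain controller.
' =====================================================================
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colDatabases = objWMIService.ExecQuery _
    ("Select * from Win32_PerfFormattedData_Esent_Database " _
     & "Where Name = 'NT Directory'")
For Each objADDatabase in colDatabases
    Wscript.Echo "Database cache hit percent: " & _
        objADDatabase.DatabaseCachePercentHit
Next

' =====================================================================
' Monitor Active Directory Replication
' Description: Returns a list of pending replication jobs on a domain
' controller.
' =====================================================================
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & _
    strComputer & "\root\MicrosoftActiveDirectory")
Set colReplicationOperations = objWMIService.ExecQuery _
    ("Select * from MSAD_ReplPendingOp")
If colReplicationOperations.Count = 0 Then
    Wscript.Echo "There are no replication jobs pending."
    Wscript.Quit
Else
    For each objReplicationJob in colReplicationOperations
        Wscript.Echo "Serial number: " & objReplicationJob.SerialNumber
        Wscript.Echo "Time in queue: " & objReplicationJob.TimeEnqueued
        Wscript.Echo "DSA DN: " & objReplicationJob.DsaDN
        Wscript.Echo "DSA address: " & objReplicationJob.DsaAddress
        Wscript.Echo "Naming context DN: " & objReplicationJob.NamingContextDn
    Next
End If

' =====================================================================
' Monitor Domain Controller Performance
' Description: Monitors the performance of an Active Directory domain
' controller.
' =====================================================================
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colDatabases = objWMIService.ExecQuery _
    ("Select * from Win32_PerfFormattedData_NTDS_NTDS")
For Each objADDatabase in colDatabases
    Wscript.Echo "DS threads in use: " & objADDatabase.DSThreadsInUse
    Wscript.Echo "LDAP bind time: " & objADDatabase.LDAPBindTime
    Wscript.Echo "LDAP client sessions: " & objADDatabase.LDAPClientSessions
Next

' =====================================================================
' Monitor FRS Replication
' Description: Uses cooked performance counters to monitor File
' Replication Service performance on a domain controller.
' =====================================================================
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colFRSSet = objWMIService.ExecQuery _
    ("Select * from Win32_PerfFormattedData_FileReplicaConn_FileReplicaConn")
For Each objFRSInstance in colFRSSet
    Wscript.Echo "Remote change orders received: " & _
        objFRSInstance.RemoteChangeOrdersReceived
    Wscript.Echo "Remote change orders sent: " & _
        objFRSInstance.RemoteChangeOrdersSent
    Wscript.Echo "Packets sent: " & objFRSInstance.PacketsSent
Next

' =====================================================================
' Monitor NTDS Performance
' Description: Uses cooked performance counters to monitor NTDS
' performance on a domain controller.
' =====================================================================
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
' A refresher re-reads the enumerated instances on each Refresh call, so
' the same collection yields fresh counter values inside the loop.
set objRefresher = CreateObject("WbemScripting.SWbemRefresher")
Set colItems = objRefresher.AddEnum _
    (objWMIService, "Win32_PerfFormattedData_NTDS_NTDS").objectSet
objRefresher.Refresh
For i = 1 to 5
    For Each objItem in colItems
        Wscript.Echo "Directory service threads in use: " & _
            objItem.DSThreadsInUse
        Wscript.Sleep 2000
        objRefresher.Refresh
    Next
Next

' =====================================================================
' Assign a New Group Policy Link to an OU
' Description: Assigns the Group Policy link Sales Policy to the Sales OU
' in Active Directory.
' =====================================================================
On Error Resume Next

Set objContainer = GetObject _
    ("LDAP://ou=Sales,dc=NA,dc=fabrikam,dc=com")
strExistingGPLink = objContainer.Get("gPLink")
strGPODisplayName = "Sales Policy"
' Link option 2 = "No Override" checked, GPO enabled (see the decoding
' table in the "List Group Policy Information for an OU" listing).
strGPOLinkOptions = 2

strGPOADsPath = GetGPOADsPath
' FIX: when no GPO carries the requested displayName the original appended
' "[;2]" to gPLink, corrupting the OU's link list.
If Len(strGPOADsPath) = 0 Then
    WScript.Echo "No GPO named " & strGPODisplayName & " was found."
    WScript.Quit 1
End If

strNewGPLink = "[" & strGPOADsPath & ";" & strGPOLinkOptions & "]"
objContainer.Put "gPLink", strExistingGPLink & strNewGPLink
' NOTE(review): this also resets gPOptions to "0" (Block Policy
' Inheritance cleared) as a side effect of adding a link; drop the line if
' the OU's existing setting must be kept.  gPOptions is integer-valued —
' confirm a string "0" is accepted by the provider in use.
objContainer.Put "gPOptions", "0"
objContainer.SetInfo

' Returns "LDAP://<DN>" of the GPO whose displayName equals the script-
' level strGPODisplayName, or Empty when no GPO matches.
Function GetGPOADsPath
    Set objConnection = CreateObject("ADODB.Connection")
    objConnection.Open "Provider=ADsDSOObject;"
    Set objCommand = CreateObject("ADODB.Command")
    objCommand.ActiveConnection = objConnection
    ' The angle-bracketed search base was stripped from the page (it reads
    ' as an HTML tag), leaving ";;".  Restored with the standard GPO
    ' container (cn=Policies,cn=System) of the domain used on this page.
    objCommand.CommandText = _
        "<LDAP://cn=Policies,cn=System,dc=NA,dc=fabrikam,dc=com>;" & _
        "(objectCategory=groupPolicyContainer);" & _
        "distinguishedName,displayName;onelevel"
    Set objRecordSet = objCommand.Execute
    Do Until objRecordSet.EOF
        If objRecordSet.Fields("displayName") = strGPODisplayName Then
            GetGPOADsPath = "LDAP://" & objRecordSet.Fields("distinguishedName")
            objConnection.Close
            Exit Function
        End If
        objRecordSet.MoveNext
    Loop
    objConnection.Close
End Function

' =====================================================================
' Assign a New Manager to an OU
' Description: Assigns the user account AkersKim as manager of the Sales
' OU in Active Directory.  (Script follows.)
' =====================================================================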
Script Code Set objContainer = GetObject _ ("LDAP://ou=Sales,dc=NA,dc=fabrikam,dc=com") objContainer.Put "managedBy", "cn=AkersKim,ou=Sales,dc=NA,dc=fabrikam,dc=com" objContainer.SetInfo Clear COM+ Attributes from a User Account Description Removes all information from the msCOM-UserPartitionSetLink attribute of the MyerKen user account in Active Directory. Script Code Const ADS_PROPERTY_CLEAR = 1 Set objUser = GetObject _ ("LDAP://cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com") objUser.PutEx ADS_PROPERTY_CLEAR, "msCOM-UserPartitionSetLink", 0 objUser.SetInfo Clear the COM+ Partition Link Set of an OU Description Removes the COM+ partition link set assigned to the Sales OU in Active Directory. Script Code Const ADS_PROPERTY_CLEAR = 1 Set objContainer = GetObject _ ("LDAP://ou=Sales,dc=NA,dc=fabrikam,dc=com") objContainer.PutEx ADS_PROPERTY_CLEAR, "msCOM-UserPartitionSetLink", 0 objContainer.SetInfo Clear the General Properties of an OU Description Modifies the attribute values found on the General Properties page in Active Directory Users and Computers for an OU named Sales. Script Code Const ADS_PROPERTY_CLEAR = 1 Set objContainer = GetObject _ ("LDAP://ou=Sales,dc=NA,dc=fabrikam,dc=com") objContainer.PutEx ADS_PROPERTY_CLEAR, "description", 0 objContainer.PutEx ADS_PROPERTY_CLEAR, "street", 0 objContainer.PutEx ADS_PROPERTY_CLEAR, "l", 0 objContainer.PutEx ADS_PROPERTY_CLEAR, "st", 0 objContainer.PutEx ADS_PROPERTY_CLEAR, "postalCode", 0 objContainer.PutEx ADS_PROPERTY_CLEAR, "c", 0 objContainer.SetInfo Clear the Group Policy Links Assigned to an OU Description Removes all the Group Policy links assigned to the Sales OU in Active Directory. 
Script Code Const ADS_PROPERTY_CLEAR = 1 Set objContainer = GetObject _ ("LDAP://ou=Sales,dc=NA,dc=fabrikam,dc=com") objContainer.PutEx ADS_PROPERTY_CLEAR, "gPLink", 0 objContainer.PutEx ADS_PROPERTY_CLEAR, "gPOptions", 0 objContainer.SetInfo Create an OU Description Creates a new organizational unit within Active Directory. Script Code Set objDomain = GetObject("LDAP://dc=fabrikam,dc=com") Set objOU = objDomain.Create("organizationalUnit", "ou=Management") objOU.SetInfo Create an OU in an Existing OU Description Creates a new organizational unit (OU2) in an existing organizational unit (OU1). Script Code Set objOU1 = GetObject("LDAP://ou=OU1,dc=na,dc=fabrikam,dc=com") Set objOU2 = objOU1.Create("organizationalUnit", "ou=OU2") objOU2.SetInfo Delete an OU Description Deletes an organizational unit named HR from the domain fabrikam.com. Script Code Set objDomain = GetObject("LDAP://dc=fabrikam,dc=com") objDomain.Delete "organizationalUnit", "ou=hr" List COM+ Partition Information for a Domain Description Returns COM+ partition information for the domain na.fabrikam.com. Script Code Set objCOMPartitionSets = GetObject _ ("LDAP://cn=ComPartitionSets,cn=System,dc=NA,dc=fabrikam,dc=com") For Each objPartitionSet in objCOMPartitionSets WScript.Echo "Name: " & objPartitionSet.Name Next List COM+ Partition Sets Description Returns a list of Active Directory COM+ partition sets. Script Code Set objCOMPartitionSets = GetObject _ ("LDAP://cn=ComPartitionSets,cn=System,dc=NA,dc=fabrikam,dc=com") For Each objPartitionSet in objCOMPartitionSets WScript.Echo "Name: " & objPartitionSet.Name Next List Group Policy Information for an OU Description Returns the values found on the Group Policy page in Active Directory Users and Computers for the Sales OU. 
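' --- List Group Policy Information for an OU (script) ------------------
On Error Resume Next

Set objContainer = GetObject _
    ("LDAP://ou=Sales,dc=NA,dc=fabrikam,dc=com")
strGpLink    = objContainer.Get("gPLink")
intGpOptions = objContainer.Get("gPOptions")

' FIX: the original compared gPLink with a single space (" "), which is
' never the stored value; an absent attribute leaves strGpLink Empty, and
' Len(Empty) is 0.
If Len(strGpLink) > 0 Then
    ' gPLink is a string of "[LDAP://<gpo dn>;<options>]" entries.  Split
    ' on "]" leaves a trailing empty element, hence LBound + 1 and i - 1.
    ' Entries are walked in reverse order, as in the original listing.
    arrGpLinkItems = Split(strGpLink, "]")
    For i = UBound(arrGpLinkItems) To LBound(arrGpLinkItems) + 1 Step -1
        arrGPLink   = Split(arrGpLinkItems(i - 1), ";")
        strDNGPLink = Mid(arrGPLink(0), 9)      ' drop the leading "[LDAP://"
        WScript.Echo GetGPOName
        ' FIX: arrGPLink(1) is a String; under VBScript's comparison rules a
        ' String never equals a Number, so the original Select Case matched
        ' no Case and printed nothing.  Convert before comparing.
        Select Case CInt(arrGPLink(1))
            Case 0
                WScript.Echo "No Override is cleared and the GPO is enabled."
            Case 1
                WScript.Echo "No Override is cleared and the GPO is disabled."
            Case 2
                WScript.Echo "No Override is checked and the GPO is enabled."
            Case 3
                WScript.Echo "No Override is checked and the GPO is disabled."
        End Select
    Next
    WScript.Echo VbCrLf
End If

If intGpOptions = 1 Then
    WScript.Echo "Block Policy Inheritance is checked."
Else
    WScript.Echo "Block Policy Inheritance is not checked."
End If

' Returns the displayName of the GPO whose distinguishedName equals the
' script-level strDNGPLink, or Empty when no GPO matches.
' FIX: the original listing lacked the closing End Function.
Function GetGPOName
    Set objConnection = CreateObject("ADODB.Connection")
    objConnection.Open "Provider=ADsDSOObject;"
    Set objCommand = CreateObject("ADODB.Command")
    objCommand.ActiveConnection = objConnection
    ' The angle-bracketed search base was stripped from the page (it reads
    ' as an HTML tag), leaving ";;".  Restored with the standard GPO
    ' container (cn=Policies,cn=System) of the domain used on this page.
    objCommand.CommandText = _
        "<LDAP://cn=Policies,cn=System,dc=NA,dc=fabrikam,dc=com>;" & _
        "(objectCategory=groupPolicyContainer);" & _
        "distinguishedName,displayName;onelevel"
    Set objRecordSet = objCommand.Execute
    Do Until objRecordSet.EOF
        If objRecordSet.Fields("distinguishedName") = strDNGPLink Then
            GetGPOName = objRecordSet.Fields("displayName")
            objConnection.Close
            Exit Function
        End If
        objRecordSet.MoveNext
    Loop
    objConnection.Close
End Function

' =====================================================================
' List the Attributes of the organizationalUnit Class
' Description: Returns both the mandatory and optional attributes for the
' organizationalUnit class (as found in the Active Directory schema).
' =====================================================================
Set objOrganizationalUnitClass = _
    GetObject("LDAP://schema/organizationalUnit")
Set objSchemaClass = GetObject(objOrganizationalUnitClass.Parent)

' Both loops print "<n><tab><attribute> <syntax>" on one line followed by
' the valued-ness; the original mixed Echo and StdOut.Write between the
' two loops, which put the syntax on a separate line for mandatory
' attributes only.
i = 0
WScript.Echo "Mandatory attributes:"
For Each strAttribute in objOrganizationalUnitClass.MandatoryProperties
    i = i + 1
    WScript.StdOut.Write i & vbTab & strAttribute
    Set objAttribute = objSchemaClass.GetObject("Property", strAttribute)
    WScript.Echo " (Syntax: " & objAttribute.Syntax & ")"
    If objAttribute.MultiValued Then
        WScript.Echo " Multivalued"
    Else
        WScript.Echo " Single-valued"
    End If
Next

WScript.Echo VbCrLf & "Optional attributes:"
For Each strAttribute in objOrganizationalUnitClass.OptionalProperties
    i = i + 1
    WScript.StdOut.Write i & vbTab & strAttribute
    Set objAttribute = objSchemaClass.GetObject("Property", strAttribute)
    Wscript.Echo " [Syntax: " & objAttribute.Syntax & "]"
    If objAttribute.MultiValued Then
        WScript.Echo " Multivalued"
    Else
        WScript.Echo " Single-valued"
    End If
Next

' =====================================================================
' List the COM+ Properties of an OU
' Description: Returns information about the COM+ properties configured
' for the Sales OU in Active Directory.
' =====================================================================
On Error Resume Next

Set objContainer = GetObject _
    ("LDAP://ou=Sales,dc=NA,dc=fabrikam,dc=com")
strMsCOMUserPartitionSetLink = objContainer.Get("msCOM-UserPartitionSetLink")
WScript.Echo "ms-COMUserPartitionSetLink: " & strMsCOMUserPartitionSetLink

' =====================================================================
' List the General Properties of an OU
' Description: Returns information found on the General Properties page
' in Active Directory Users and Computers for an OU named Sales.
' =====================================================================
On Error Resume Next

Set objContainer = GetObject _
    ("LDAP://ou=Sales,dc=NA,dc=fabrikam,dc=com")
For Each strValue in objContainer.description
    WScript.Echo "Description: " & strValue
Next
' FIX: the original echoed an undefined strStreetAddress and had the
' Locality and State lines run together ("Locality: " & Wscript.Echo ...).
' The attribute names follow the "Clear the General Properties of an OU"
' listing (street, l, st, postalCode, c).  Output text "porvince"
' corrected.
Wscript.Echo "Street Address: " & objContainer.street
Wscript.Echo "Locality: " & objContainer.l
Wscript.Echo "State/province: " & objContainer.st
Wscript.Echo "Postal Code: " & objContainer.postalCode
Wscript.Echo "Country: " & objContainer.c

' =====================================================================
' List the Managed By Information for an OU
' Description: Returns information about the account assigned as manager
' of the Sales OU in Active Directory.
' =====================================================================
On Error Resume Next

Set objContainer = GetObject _
    ("LDAP://ou=Sales,dc=NA,dc=fabrikam,dc=com")
strManagedBy = objContainer.Get("managedBy")
If IsEmpty(strManagedBy) = TRUE Then
    WScript.Echo "No user account is assigned to manage " & _
                 "this OU."
Else
    Set objUser = GetObject("LDAP://" & strManagedBy)
    ' FIX: the original printed the street address under "Manager:" and an
    ' undefined strStreetAddress under "Street Address:"; print the
    ' manager's DN (already in hand) and the user's streetAddress, matching
    ' the group version of this listing.
    WScript.Echo "Manager: " & strManagedBy
    WScript.Echo "Office: " & _
        objUser.physicalDeliveryOfficeName
    WScript.Echo "Street Address: " & objUser.streetAddress
    WScript.Echo "Locality: " & objUser.l
    WScript.Echo "State/province: " & objUser.st
    WScript.Echo "Country: " & objUser.c
    WScript.Echo "Telephone Number: " & objUser.telephoneNumber
    WScript.Echo "Fax Number: " & _
        objUser.facsimileTelephoneNumber
End If

' =====================================================================
' List the Owner of an OU
' Description: Returns the owner of the Sales OU in Active Directory.
' =====================================================================
' The owner can always read and rewrite the OU's DACL, independently of
' the ACEs it contains, so it belongs in any permissions review.
Set objContainer = GetObject _
    ("LDAP://ou=Sales,dc=NA,dc=fabrikam,dc=com")
Set objNtSecurityDescriptor = objContainer.Get("ntSecurityDescriptor")
WScript.Echo "Owner Tab"
WScript.Echo "Current owner of this item: " & objNtSecurityDescriptor.Owner

' =====================================================================
' List the Properties of an OU Object
' Description: Returns information found on the Object page in Active
' Directory Users and Computers for the Sales OU.  (Script follows.)
' =====================================================================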
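Script Code
' Reads identity and replication-tracking attributes of the Sales OU.
' The bind goes through GC://, so only attributes in the global-catalog
' partial attribute set are available on the object.
Set objContainer = GetObject _
    ("GC://ou=Sales,dc=NA,dc=fabrikam,dc=com")
strWhenCreated = objContainer.Get("whenCreated")
strWhenChanged = objContainer.Get("whenChanged")

' uSNChanged / uSNCreated are 64-bit LargeInteger values.  LowPart is
' exposed as a *signed* 32-bit Long, so the naive HighPart * 2^32 + LowPart
' is wrong whenever bit 31 of the low DWORD is set; the original Abs()
' only hid the negative result.  LargeIntegerToDouble carries correctly.
Set objUSNChanged = objContainer.Get("uSNChanged")
dblUSNChanged = LargeIntegerToDouble(objUSNChanged)
Set objUSNCreated = objContainer.Get("uSNCreated")
dblUSNCreated = LargeIntegerToDouble(objUSNCreated)

' canonicalName is a constructed attribute and is not loaded by the
' default property-cache fill, hence the explicit GetInfoEx.
objContainer.GetInfoEx Array("canonicalName"), 0
arrCanonicalName = objContainer.GetEx("canonicalName")
WScript.Echo "CanonicalName of object:"
For Each strValue in arrCanonicalName
    WScript.Echo vbTab & strValue
Next
WScript.Echo
WScript.Echo "Object class: " & objContainer.Class & vbCrLf
WScript.Echo "whenCreated: " & strWhenCreated & " (Created - GMT)"
WScript.Echo "whenChanged: " & strWhenChanged & " (Modified - GMT)"
WScript.Echo VbCrLf
WScript.Echo "uSNChanged: " & dblUSNChanged & " (USN Current)"
WScript.Echo "uSNCreated: " & dblUSNCreated & " (USN Original)"

' Converts an IADsLargeInteger (HighPart / LowPart pair) to a Double.
' LowPart < 0 means the unsigned low DWORD had its top bit set, so one
' is carried into the high part before the two halves are combined.
Function LargeIntegerToDouble(objLargeInteger)
    Dim dblHigh, dblLow
    dblHigh = objLargeInteger.HighPart
    dblLow = objLargeInteger.LowPart
    If dblLow < 0 Then dblHigh = dblHigh + 1
    LargeIntegerToDouble = dblHigh * 2^32 + dblLow
End Function

List the Security Descriptor for an OU
Description Returns the information found on the security descriptor for the Sales OU in Active Directory.
Script Code
' Dumps the DACL of the Sales OU: whether inheritance from the parent is
' blocked, then one entry per ACE with trustee, allow/deny, the object
' type it is scoped to, whether it is inherited, and the decoded rights.
Const SE_DACL_PROTECTED = &H1000
Set objContainer = GetObject _
    ("LDAP://ou=Sales,dc=NA,dc=fabrikam,dc=com")
Set objNtSecurityDescriptor = objContainer.Get("ntSecurityDescriptor")
intNtSecurityDescriptorControl = objNtSecurityDescriptor.Control
WScript.Echo "Permissions Tab"
' SE_DACL_PROTECTED set = inheritance from the parent is blocked, which
' is what the "Allow inheritable permissions" checkbox in ADUC controls.
strMessage = "Allow inheritable permissions from the parent to " & _
    "propagate to this object and all child objects "
If (intNtSecurityDescriptorControl And SE_DACL_PROTECTED) Then
    Wscript.Echo strMessage & "is disabled."
Else
    WScript.Echo strMessage & "is enabled."
End If
WScript.Echo
Set objDiscretionaryAcl = objNtSecurityDescriptor.DiscretionaryAcl
DisplayAceInformation objDiscretionaryAcl, "DACL"

' Prints every ACE in SecurityStructure (an IADsAccessControlList) except
' those whose trustee begins with "NT AUTHORITY".  That filter comes from
' the original listing and hides SYSTEM, SELF, Authenticated Users and
' similar well-known principals; for a permissions review those entries
' matter as much as any other, so remove the StrComp test when a complete
' picture of the DACL is needed.  strType is only used as a label.
Sub DisplayAceInformation(SecurityStructure, strType)
    Const ADS_ACETYPE_ACCESS_ALLOWED = &H0
    Const ADS_ACETYPE_ACCESS_DENIED = &H1
    Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &H5
    Const ADS_ACETYPE_ACCESS_DENIED_OBJECT = &H6
    Const ADS_ACEFLAG_INHERITED_ACE = &H10
    Const ADS_FLAG_OBJECT_TYPE_PRESENT = &H1
    intAceCount = 0
    For Each objAce In SecurityStructure
        strTrustee = Mid(objAce.Trustee, 1, 12)
        If StrComp(strTrustee, "NT AUTHORITY", 1) <> 0 Then
            intAceCount = intAceCount + 1
            WScript.Echo strType & " permission entry: " & intAceCount
            WScript.Echo "Name: " & objAce.Trustee
            intAceType = objAce.AceType
            If (intAceType = ADS_ACETYPE_ACCESS_ALLOWED Or _
                intAceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT) Then
                WScript.Echo "Type: Allow Access"
            ElseIf (intAceType = ADS_ACETYPE_ACCESS_DENIED Or _
                intAceType = ADS_ACETYPE_ACCESS_DENIED_OBJECT) Then
                WScript.Echo "Type: Deny Access"
            Else
                WScript.Echo "Access Type Unknown."
            End If
            ' Object-specific ACEs (types &H5 / &H6) limit the rights in
            ' the mask to the single property, property set or extended
            ' right named by ObjectType.  Without that GUID a "Write the
            ' properties" line looks far broader than it really is.
            If (objAce.Flags And ADS_FLAG_OBJECT_TYPE_PRESENT) <> 0 Then
                WScript.Echo "Object type: " & objAce.ObjectType
            End If
            ' Explicit ACEs were set on this OU; inherited ones come from
            ' a parent and must be fixed there.
            If (objAce.AceFlags And ADS_ACEFLAG_INHERITED_ACE) <> 0 Then
                WScript.Echo "Inherited: Yes"
            Else
                WScript.Echo "Inherited: No (explicit)"
            End If
            ReadBitsInAccessMask objAce.AccessMask
            WScript.Echo VbCr
        End If
    Next
End Sub

' Decodes an ACE access mask into readable rights.  Standard rights sit
' in the high word, directory-service rights in the low bits, and the
' four generic bits at the top each stand for a bundle of the specific
' rights; the original listing ignored the generic bits, so an ACE
' granting GENERIC_ALL printed no rights at all.
Sub ReadBitsInAccessMask(AccessMask)
    Const ADS_RIGHT_DELETE = &H10000
    Const ADS_RIGHT_READ_CONTROL = &H20000
    Const ADS_RIGHT_WRITE_DAC = &H40000
    Const ADS_RIGHT_WRITE_OWNER = &H80000
    Const ADS_RIGHT_DS_CREATE_CHILD = &H1
    Const ADS_RIGHT_DS_DELETE_CHILD = &H2
    Const ADS_RIGHT_ACTRL_DS_LIST = &H4
    Const ADS_RIGHT_DS_SELF = &H8
    Const ADS_RIGHT_DS_READ_PROP = &H10
    Const ADS_RIGHT_DS_WRITE_PROP = &H20
    Const ADS_RIGHT_DS_DELETE_TREE = &H40
    Const ADS_RIGHT_DS_LIST_OBJECT = &H80
    Const ADS_RIGHT_DS_CONTROL_ACCESS = &H100
    Const ADS_RIGHT_GENERIC_ALL = &H10000000
    Const ADS_RIGHT_GENERIC_EXECUTE = &H20000000
    Const ADS_RIGHT_GENERIC_WRITE = &H40000000
    Const ADS_RIGHT_GENERIC_READ = &H80000000

    WScript.Echo VbCrLf & "Generic Access Rights"
    If (AccessMask And (ADS_RIGHT_GENERIC_ALL Or ADS_RIGHT_GENERIC_EXECUTE Or _
        ADS_RIGHT_GENERIC_WRITE Or ADS_RIGHT_GENERIC_READ)) = 0 Then
        WScript.Echo "-None"
    Else
        If (AccessMask And ADS_RIGHT_GENERIC_ALL) Then _
            WScript.Echo vbTab & "-Full control (GENERIC_ALL)."
        If (AccessMask And ADS_RIGHT_GENERIC_READ) Then _
            WScript.Echo vbTab & "-Generic read."
        If (AccessMask And ADS_RIGHT_GENERIC_WRITE) Then _
            WScript.Echo vbTab & "-Generic write."
        If (AccessMask And ADS_RIGHT_GENERIC_EXECUTE) Then _
            WScript.Echo vbTab & "-Generic execute."
    End If

    WScript.Echo VbCrLf & "Standard Access Rights"
    If (AccessMask And ADS_RIGHT_DELETE) Then _
        WScript.Echo vbTab & "-Delete an object."
    If (AccessMask And ADS_RIGHT_READ_CONTROL) Then _
        WScript.Echo vbTab & "-Read permissions."
    ' WRITE_DAC and WRITE_OWNER let the trustee rewrite the ACL itself,
    ' which makes every other right on this object reachable.
    If (AccessMask And ADS_RIGHT_WRITE_DAC) Then _
        WScript.Echo vbTab & "-Write permissions."
    If (AccessMask And ADS_RIGHT_WRITE_OWNER) Then _
        WScript.Echo vbTab & "-Modify owner."

    WScript.Echo VbCrLf & "Directory Service Specific Access Rights"
    If (AccessMask And ADS_RIGHT_DS_CREATE_CHILD) Then _
        WScript.Echo vbTab & "-Create child objects."
    If (AccessMask And ADS_RIGHT_DS_DELETE_CHILD) Then _
        WScript.Echo vbTab & "-Delete child objects."
    If (AccessMask And ADS_RIGHT_ACTRL_DS_LIST) Then _
        WScript.Echo vbTab & "-Enumerate an object."
    If (AccessMask And ADS_RIGHT_DS_READ_PROP) Then _
        WScript.Echo vbTab & "-Read the properties of an object."
    If (AccessMask And ADS_RIGHT_DS_WRITE_PROP) Then _
        WScript.Echo vbTab & "-Write the properties of an object."
    If (AccessMask And ADS_RIGHT_DS_DELETE_TREE) Then _
        WScript.Echo vbTab & "-Delete a tree of objects"
    If (AccessMask And ADS_RIGHT_DS_LIST_OBJECT) Then _
        WScript.Echo vbTab & "-List a tree of objects."

    WScript.Echo VbCrLf & "Control Access Rights"
    If (AccessMask And (ADS_RIGHT_DS_CONTROL_ACCESS Or ADS_RIGHT_DS_SELF)) = 0 Then
        WScript.Echo "-None"
    Else
        If (AccessMask And ADS_RIGHT_DS_CONTROL_ACCESS) Then _
            WScript.Echo vbTab & "-Extended access rights."
        If (AccessMask And ADS_RIGHT_DS_SELF) Then
            WScript.Echo vbTab & "-Active Directory must validate a property "
            WScript.Echo vbTab & " write operation beyond the schema definition "
            WScript.Echo vbTab & " for the attribute."
        End If
    End If
End Sub

List the System Access Control List of an OU
Description Returns information found on the System Access Control List (SACL) for the Sales OU in Active Directory.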
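Script Code
' Lists the SACL (auditing entries) of the Sales OU.
' Reading a SACL differs from reading a DACL in two ways: the SACL has to
' be requested explicitly through the security-mask option below (or
' SystemAcl comes back empty), and the caller needs SeSecurityPrivilege
' ("Manage auditing and security log") on the domain controller.
Const SE_SACL_PROTECTED = &H2000
Const ADS_SECURITY_INFO_OWNER = &H1
Const ADS_SECURITY_INFO_GROUP = &H2
Const ADS_OPTION_SECURITY_MASK = &H3
Const ADS_SECURITY_INFO_DACL = &H4
Const ADS_SECURITY_INFO_SACL = &H8
Set objContainer = GetObject _
    ("LDAP://ou=Sales,dc=NA,dc=fabrikam,dc=com")
objContainer.SetOption ADS_OPTION_SECURITY_MASK, ADS_SECURITY_INFO_OWNER _
    Or ADS_SECURITY_INFO_GROUP Or ADS_SECURITY_INFO_DACL _
    Or ADS_SECURITY_INFO_SACL
Set objNtSecurityDescriptor = objContainer.Get("ntSecurityDescriptor")
intNtSecurityDescriptorControl = objNtSecurityDescriptor.Control
WScript.Echo "Auditing Tab"
' The original concatenated "from" & "the", which printed "fromthe".
strMessage = "Allow inheritable auditing entries from " & _
    "the parent to propagate to this object and all child objects "
If (intNtSecurityDescriptorControl And SE_SACL_PROTECTED) Then
    Wscript.Echo strMessage & "is disabled."
Else
    WScript.Echo strMessage & "is enabled."
End If
WScript.Echo
Set objSacl = objNtSecurityDescriptor.SystemAcl
DisplayAceInformation objSacl, "SACL"

' Prints every audit ACE in SecurityStructure except those whose trustee
' begins with "NT AUTHORITY" (filter kept from the original listing;
' drop the StrComp test for a complete view).  An audit ACE's type only
' says "audit"; whether it fires on success, failure or both is carried
' in AceFlags, so that is decoded here instead of the original fixed
' "Success or Failure Audit" label.
Sub DisplayAceInformation(SecurityStructure, strType)
    Const ADS_ACETYPE_SYSTEM_AUDIT = &H2
    Const ADS_ACETYPE_SYSTEM_AUDIT_OBJECT = &H7
    Const ADS_ACEFLAG_SUCCESSFUL_ACCESS = &H40
    Const ADS_ACEFLAG_FAILED_ACCESS = &H80
    intAceCount = 0
    For Each objAce In SecurityStructure
        strTrustee = Mid(objAce.Trustee, 1, 12)
        If StrComp(strTrustee, "NT AUTHORITY", 1) <> 0 Then
            intAceCount = intAceCount + 1
            WScript.Echo strType & " permission entry: " & intAceCount
            WScript.Echo "Name: " & objAce.Trustee
            intAceType = objAce.AceType
            ' Raw numeric type, useful when it is not one of the two
            ' audit types handled below.
            WScript.Echo "ACETYPE IS: " & intAceType
            If (intAceType = ADS_ACETYPE_SYSTEM_AUDIT Or _
                intAceType = ADS_ACETYPE_SYSTEM_AUDIT_OBJECT) Then
                Select Case (objAce.AceFlags And _
                    (ADS_ACEFLAG_SUCCESSFUL_ACCESS Or ADS_ACEFLAG_FAILED_ACCESS))
                    Case ADS_ACEFLAG_SUCCESSFUL_ACCESS
                        strAuditKind = "Success Audit"
                    Case ADS_ACEFLAG_FAILED_ACCESS
                        strAuditKind = "Failure Audit"
                    Case ADS_ACEFLAG_SUCCESSFUL_ACCESS Or ADS_ACEFLAG_FAILED_ACCESS
                        strAuditKind = "Success and Failure Audit"
                    Case Else
                        strAuditKind = "Audit (neither success nor failure flag set)"
                End Select
                WScript.StdOut.Write "Type: " & strAuditKind
            Else
                WScript.StdOut.Write "Audit Type Unknown."
            End If
            ReadBitsInAccessMask objAce.AccessMask
            WScript.Echo
        End If
    Next
End Sub

' Decodes an ACE access mask into readable rights.  Standard rights sit
' in the high word, directory-service rights in the low bits, and the
' four generic bits at the top each stand for a bundle of the specific
' rights; the original listing ignored the generic bits, so an audit
' entry for GENERIC_ALL printed no rights at all.
Sub ReadBitsInAccessMask(AccessMask)
    Const ADS_RIGHT_DELETE = &H10000
    Const ADS_RIGHT_READ_CONTROL = &H20000
    Const ADS_RIGHT_WRITE_DAC = &H40000
    Const ADS_RIGHT_WRITE_OWNER = &H80000
    Const ADS_RIGHT_DS_CREATE_CHILD = &H1
    Const ADS_RIGHT_DS_DELETE_CHILD = &H2
    Const ADS_RIGHT_ACTRL_DS_LIST = &H4
    Const ADS_RIGHT_DS_SELF = &H8
    Const ADS_RIGHT_DS_READ_PROP = &H10
    Const ADS_RIGHT_DS_WRITE_PROP = &H20
    Const ADS_RIGHT_DS_DELETE_TREE = &H40
    Const ADS_RIGHT_DS_LIST_OBJECT = &H80
    Const ADS_RIGHT_DS_CONTROL_ACCESS = &H100
    Const ADS_RIGHT_GENERIC_ALL = &H10000000
    Const ADS_RIGHT_GENERIC_EXECUTE = &H20000000
    Const ADS_RIGHT_GENERIC_WRITE = &H40000000
    Const ADS_RIGHT_GENERIC_READ = &H80000000

    WScript.Echo VbCrLf & "Generic Access Rights"
    If (AccessMask And (ADS_RIGHT_GENERIC_ALL Or ADS_RIGHT_GENERIC_EXECUTE Or _
        ADS_RIGHT_GENERIC_WRITE Or ADS_RIGHT_GENERIC_READ)) = 0 Then
        WScript.Echo "-None"
    Else
        If (AccessMask And ADS_RIGHT_GENERIC_ALL) Then _
            WScript.Echo vbTab & "-Full control (GENERIC_ALL)."
        If (AccessMask And ADS_RIGHT_GENERIC_READ) Then _
            WScript.Echo vbTab & "-Generic read."
        If (AccessMask And ADS_RIGHT_GENERIC_WRITE) Then _
            WScript.Echo vbTab & "-Generic write."
        If (AccessMask And ADS_RIGHT_GENERIC_EXECUTE) Then _
            WScript.Echo vbTab & "-Generic execute."
    End If

    WScript.Echo VbCrLf & "Standard Access Rights"
    If (AccessMask And ADS_RIGHT_DELETE) Then _
        WScript.Echo vbTab & "-Delete an object."
    If (AccessMask And ADS_RIGHT_READ_CONTROL) Then _
        WScript.Echo vbTab & "-Read permissions."
    If (AccessMask And ADS_RIGHT_WRITE_DAC) Then _
        WScript.Echo vbTab & "-Write permissions."
    If (AccessMask And ADS_RIGHT_WRITE_OWNER) Then _
        WScript.Echo vbTab & "-Modify owner."

    WScript.Echo VbCrLf & "Directory Service Specific Access Rights"
    If (AccessMask And ADS_RIGHT_DS_CREATE_CHILD) Then _
        WScript.Echo vbTab & "-Create child objects."
    If (AccessMask And ADS_RIGHT_DS_DELETE_CHILD) Then _
        WScript.Echo vbTab & "-Delete child objects."
    If (AccessMask And ADS_RIGHT_ACTRL_DS_LIST) Then _
        WScript.Echo vbTab & "-Enumerate an object."
    If (AccessMask And ADS_RIGHT_DS_READ_PROP) Then _
        WScript.Echo vbTab & "-Read the properties of an object."
    If (AccessMask And ADS_RIGHT_DS_WRITE_PROP) Then _
        WScript.Echo vbTab & "-Write the properties of an object."
    If (AccessMask And ADS_RIGHT_DS_DELETE_TREE) Then _
        WScript.Echo vbTab & "-Delete a tree of objects"
    If (AccessMask And ADS_RIGHT_DS_LIST_OBJECT) Then _
        WScript.Echo vbTab & "-List a tree of objects."

    WScript.Echo VbCrLf & "Control Access Rights"
    If (AccessMask And (ADS_RIGHT_DS_CONTROL_ACCESS Or ADS_RIGHT_DS_SELF)) = 0 Then
        WScript.Echo "-None"
    Else
        If (AccessMask And ADS_RIGHT_DS_CONTROL_ACCESS) Then _
            WScript.Echo vbTab & "-Extended access rights."
        If (AccessMask And ADS_RIGHT_DS_SELF) Then
            WScript.Echo vbTab & "-Active Directory must validate a property "
            WScript.Echo vbTab & " write operation beyond the schema " & _
                "definition "
            WScript.Echo vbTab & " for the attribute."
        End If
    End If
End Sub

Modify the COM+ Partition Set Link of an OU
Description Assigns the COM+ partition set PartitionSet1 to the Sales OU in Active Directory.
Script Code
Set objContainer = GetObject _
    ("LDAP://ou=Sales,dc=NA,dc=fabrikam,dc=com")
' The value is the DN of an existing msCOM-PartitionSet object.
objContainer.Put "msCOM-UserPartitionSetLink", _
    "cn=PartitionSet1,cn=ComPartitionSets,cn=System,dc=NA,dc=fabrikam,dc=com"
objContainer.SetInfo

Modify the General Properties of an OU
Description Modifies the attribute values found on the General Properties page in Active Directory Users and Computers for an OU named Sales.
Script Code
Const ADS_PROPERTY_UPDATE = 2
Set objContainer = GetObject _
    ("LDAP://ou=Sales,dc=NA,dc=fabrikam,dc=com")
' "street" on an OU is the multi-line Street field of the General page.
objContainer.Put "street", "Building 43" & vbCrLf & "One Microsoft Way"
objContainer.Put "l", "Redmond"
objContainer.Put "st", "Washington"
objContainer.Put "postalCode", "98053"
objContainer.Put "c", "US"
' description is multi-valued in the schema, hence PutEx with an array.
objContainer.PutEx ADS_PROPERTY_UPDATE, _
    "description", Array("Sales staff")
objContainer.SetInfo

Remove an OU Manager
Description Removes the manager entry for the Active Directory OU named Sales. When this script is run, the OU will no longer have an assigned manager.
Script Code
Const ADS_PROPERTY_CLEAR = 1
Set objContainer = GetObject _
    ("LDAP://ou=Sales,dc=NA,dc=fabrikam,dc=com")
' ADS_PROPERTY_CLEAR removes the attribute entirely; the value argument
' is ignored for this control code.
objContainer.PutEx ADS_PROPERTY_CLEAR, "managedBy", 0
objContainer.SetInfo

Create an Active Directory Site
Description Creates an Active Directory site and sets the site link for the new site.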
Script Code
' Creates a site under cn=Sites in the Configuration partition, together
' with the three child objects a site normally carries, and then appends
' the new site to an existing site link so it takes part in replication.
strSiteRDN = "cn=Ga-Atl-Sales"
strSiteLinkRDN = "cn=DEFAULTIPSITELINK"
strSiteLinkType = "IP"
Const ADS_PROPERTY_APPEND = 3
Set objRootDSE = GetObject("LDAP://RootDSE")
strConfigurationNC = objRootDSE.Get("configurationNamingContext")
strSitesContainer = "LDAP://cn=Sites," & strConfigurationNC
Set objSitesContainer = GetObject(strSitesContainer)
Set objSite = CreateChild(objSitesContainer, "site", strSiteRDN)
Set objLicensingSiteSettings = CreateChild(objSite, "licensingSiteSettings", _
    "cn=Licensing Site Settings")
Set objNtdsSiteSettings = CreateChild(objSite, "nTDSSiteSettings", _
    "cn=NTDS Site Settings")
Set objServersContainer = CreateChild(objSite, "serversContainer", "cn=Servers")
' APPEND keeps the sites already on the link and adds this one.
strSiteLinkPath = "LDAP://" & strSiteLinkRDN & ",cn=" & strSiteLinkType & _
    ",cn=Inter-Site Transports,cn=Sites," & strConfigurationNC
Set objSiteLink = GetObject(strSiteLinkPath)
objSiteLink.PutEx ADS_PROPERTY_APPEND, "siteList", _
    Array(objSite.Get("distinguishedName"))
objSiteLink.SetInfo

' Creates a child of objParent with the given class and RDN, commits it
' immediately and returns the new object.
Function CreateChild(objParent, strClass, strRDN)
    Set CreateChild = objParent.Create(strClass, strRDN)
    CreateChild.SetInfo
End Function

Create an Active Directory Site Link
Description Creates an Active Directory site link.
Script Code
' Creates an IP site link joining two sites.  The link's RDN and
' description are both derived from the two site names.
strSite1Name = "Ga-Atl-Sales"
strSite2Name = "Wa-Red-Sales"
strSiteLinkRDN = "cn=[" & strSite1Name & "][" & strSite2Name & "]"
intCost = 100
intReplInterval = 60
strDescription = "[" & strSite1Name & "][" & strSite2Name & "]"
Const ADS_PROPERTY_UPDATE = 2
Set objRootDSE = GetObject("LDAP://RootDSE")
strConfigurationNC = objRootDSE.Get("configurationNamingContext")
strSite1DN = "cn=" & strSite1Name & ",cn=Sites," & strConfigurationNC
strSite2DN = "cn=" & strSite2Name & ",cn=Sites," & strConfigurationNC
strTransportPath = "LDAP://" & _
    "cn=IP,cn=Inter-Site Transports,cn=Sites," & strConfigurationNC
Set objInterSiteTransports = GetObject(strTransportPath)
Set objSiteLink = objInterSiteTransports.Create("siteLink", strSiteLinkRDN)
With objSiteLink
    ' cost is relative (lower wins); replInterval is in minutes.
    .Put "cost", intCost
    .Put "replInterval", intReplInterval
    .Put "description", strDescription
    ' siteList is multi-valued; UPDATE replaces any existing value set.
    .PutEx ADS_PROPERTY_UPDATE, "siteList", Array(strSite1DN, strSite2DN)
    .SetInfo
End With

Create an Active Directory Subnet
Description Creates an Active Directory subnet.
Script Code
' Creates a subnet object and associates it with a site.  The subnet RDN
' is in prefix notation; the description repeats it as a netmask.
strSubnetRDN = "cn=192.168.1.0/26"
strSiteObjectRDN = "cn=Ga-Atl-Sales"
strDescription = "192.168.1.0/255.255.255.192"
strLocation = "USA/GA/Atlanta"
Set objRootDSE = GetObject("LDAP://RootDSE")
strConfigurationNC = objRootDSE.Get("configurationNamingContext")
strSiteObjectDN = strSiteObjectRDN & ",cn=Sites," & strConfigurationNC
strSubnetsContainer = "LDAP://cn=Subnets,cn=Sites," & strConfigurationNC
Set objSubnetsContainer = GetObject(strSubnetsContainer)
Set objSubnet = objSubnetsContainer.Create("subnet", strSubnetRDN)
With objSubnet
    ' siteObject is the DN of the site this subnet maps clients to.
    .Put "siteObject", strSiteObjectDN
    .Put "description", strDescription
    .Put "location", strLocation
    .SetInfo
End With

Delete an Active Directory Subnet
Description Deletes an Active Directory subnet.
Script Code
' Deletes one subnet object from cn=Subnets; the class name is required
' by IADsContainer.Delete alongside the RDN.
strSubnetCN = "cn=192.168.1.0/26"
Set objRootDSE = GetObject("LDAP://RootDSE")
strConfigurationNC = objRootDSE.Get("configurationNamingContext")
strSubnetsContainer = "LDAP://cn=Subnets,cn=Sites," & strConfigurationNC
Set objSubnetsContainer = GetObject(strSubnetsContainer)
objSubnetsContainer.Delete "subnet", strSubnetCN

List Active Directory Connections
Description Lists Active Directory connections (nTDSConnection objects) for a specified domain controller.
Script Code
' Enumerates the inbound replication connections (nTDSConnection) that
' live under a DC's NTDS Settings object and prints one summary each.
strDcRDN = "cn=atl-dc-01"
strSiteRDN = "cn=Ga-Atl-Sales"
Set objRootDSE = GetObject("LDAP://RootDSE")
strConfigurationNC = objRootDSE.Get("configurationNamingContext")
strNtdsSettingsPath = "LDAP://cn=NTDS Settings," & strDcRDN & _
    ",cn=Servers," & strSiteRDN & ",cn=Sites," & strConfigurationNC
Set objNtdsSettings = GetObject(strNtdsSettingsPath)
objNtdsSettings.Filter = Array("nTDSConnection")
strHeading = strDcRDN & " NTDS Connection Objects"
WScript.Echo strHeading & vbCrLf & String(Len(strDcRDN) + 24, "=")
For Each objConnection In objNtdsSettings
    With objConnection
        WScript.Echo "Name: " & .Name
        WScript.Echo "Enabled: " & .enabledConnection
        ' fromServer is the DN of the partner's NTDS Settings object;
        ' element 1 of the comma split is its server RDN.
        WScript.Echo "From: " & Split(.fromServer, ",")(1)
        WScript.Echo "Options: " & .Options
        ' NOTE(review): transportType and ms-DS-ReplicatesNCReason may be
        ' absent on some connection objects (e.g. intra-site ones); an
        ' absent attribute makes these reads raise - confirm before
        ' relying on the script across all DCs.
        WScript.Echo "Transport: " & Split(.transportType, ",")(0)
        WScript.Echo "Naming Contexts"
        WScript.Echo "---------------"
        For Each objDNWithBin In .GetEx("ms-DS-ReplicatesNCReason")
            Wscript.Echo objDNWithBin.DNString
        Next
    End With
    WScript.Echo
Next

List Active Directory Sites
Description Lists Active Directory sites.
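Script Code
' Prints the name of every site object directly under cn=Sites.
Set objRootDSE = GetObject("LDAP://RootDSE")
strConfigurationNC = objRootDSE.Get("configurationNamingContext")
strSitesContainer = "LDAP://cn=Sites," & strConfigurationNC
Set objSitesContainer = GetObject(strSitesContainer)
objSitesContainer.Filter = Array("site")
For Each objSite In objSitesContainer
    WScript.Echo "Name: " & objSite.Name
Next

List All Domain Controllers
Description Returns a list of all the domain controllers in the fabrikam.com domain.
Script Code
' Every domain controller has an nTDSDSA object under its server object in
' the Configuration partition, so a subtree search for objectClass=nTDSDSA
' enumerates the DCs of the whole forest (not just one domain).
' The original hard-coded "cn=Configuration,DC=fabrikam,DC=com"; RootDSE
' yields the same DN for whatever forest the script runs in, matching the
' other scripts on this page.
Const ADS_SCOPE_SUBTREE = 2
Set objRootDSE = GetObject("LDAP://RootDSE")
strConfigurationNC = objRootDSE.Get("configurationNamingContext")
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection
objCommand.CommandText = _
    "Select distinguishedName from " & _
    "'LDAP://" & strConfigurationNC & "' " & _
    "where objectClass='nTDSDSA'"
' Page Size turns on paged results; without it the server's MaxPageSize
' (1000 by default) silently truncates the answer in large forests.
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
Set objRecordSet = objCommand.Execute
' Execute already positions the cursor on the first row.  The original
' called MoveFirst here, which raises an error on an empty result set.
Do Until objRecordSet.EOF
    ' The DN is that of the NTDS Settings object
    ' ("CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,..."),
    ' not a bare computer name; the label is kept from the original.
    Wscript.Echo "Computer Name: " & _
        objRecordSet.Fields("distinguishedName").Value
    objRecordSet.MoveNext
Loop
objRecordSet.Close
objConnection.Close

List Servers in an Active Directory Site
Description Lists servers in a specified Active Directory site.
Script Code
' Prints every object under the site's cn=Servers container.
strSiteRDN = "cn=Ga-Atl-Sales"
Set objRootDSE = GetObject("LDAP://RootDSE")
strConfigurationNC = objRootDSE.Get("configurationNamingContext")
strServersPath = "LDAP://cn=Servers," & strSiteRDN & ",cn=Sites," & _
    strConfigurationNC
Set objServersContainer = GetObject(strServersPath)
For Each objServer In objServersContainer
    WScript.Echo "Name: " & objServer.Name
Next

List the Protocols Over Which a Bridgehead Server Replicates
Description Reads the bridgehead transport list from a domain controller in a site.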
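Script Code
' bridgeheadTransportList is only populated on servers an administrator
' has designated as preferred bridgeheads; on any other server the
' attribute is absent and GetEx raises E_ADS_PROPERTY_NOT_FOUND.  The
' original listing hid that behind On Error Resume Next and then looped
' over an empty Variant, printing nothing useful; errors are now checked.
On Error Resume Next
Const E_ADS_PROPERTY_NOT_FOUND = &h8000500D
Set objServer = GetObject _
    ("LDAP://CN=SEA-DC-01,CN=Servers,CN=Default-First-Site-Name," & _
    " CN=Sites,CN=Configuration,DC=fabrikam,DC=com")
If Err.Number <> 0 Then
    WScript.Echo "Could not bind to the server object: " & Err.Description
    WScript.Quit 1
End If
dnBHTList = objServer.GetEx("bridgeheadTransportList")
WScript.Echo "Bridge Head Transport List:"
' The original concatenated "protocol" & "transports" without a space.
WScript.Echo "This multi-valued attribute lists the protocol " & _
    "transports over which this BridgeHead Server replicates"
If Err.Number = E_ADS_PROPERTY_NOT_FOUND Then
    WScript.Echo "Value: (none - this server is not a preferred bridgehead)"
ElseIf Err.Number <> 0 Then
    WScript.Echo "Could not read bridgeheadTransportList: " & Err.Description
Else
    For Each dnValue in dnBHTList
        WScript.Echo "Value: " & dnValue
    Next
End If
On Error GoTo 0

List the Site Name for a Domain Controller
Description Reports the site name for a specified computer.
Script Code
' ADSystemInfo.GetDCSiteName asks the locator which site the named DC
' belongs to.
strDcName = "atl-dc-01"
Set objADSysInfo = CreateObject("ADSystemInfo")
strDcSiteName = objADSysInfo.GetDCSiteName(strDcName)
WScript.Echo "DC Site Name: " & strDcSiteName

List the Site Name for the Local Computer
Description Reports the site name for the local computer.
Script Code
' SiteName is the site the local machine was placed in by subnet lookup.
Set objADSysInfo = CreateObject("ADSystemInfo")
WScript.Echo "Current site name: " & objADSysInfo.SiteName

List the Subnets in all Active Directory Sites
Description Lists subnets in all Active Directory sites.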
Script Code
' Groups every subnet by the site it is assigned to and prints one
' comma-separated line per site: site name first, then its subnets.
Set objRootDSE = GetObject("LDAP://RootDSE")
strConfigurationNC = objRootDSE.Get("configurationNamingContext")
strSubnetsContainer = "LDAP://cn=Subnets,cn=Sites," & strConfigurationNC
Set objSubnetsContainer = GetObject(strSubnetsContainer)
objSubnetsContainer.Filter = Array("subnet")
Set objHash = CreateObject("Scripting.Dictionary")
For Each objSubnet In objSubnetsContainer
    ' NOTE(review): a subnet with no siteObject makes Get raise; confirm
    ' all subnets are assigned, or handle the error, before running this
    ' unattended.
    objSubnet.GetInfoEx Array("siteObject"), 0
    strSiteObjectDN = objSubnet.Get("siteObject")
    ' "cn=<site>,cn=Sites,..." -> "<site>"
    strSiteObjectName = Split(Split(strSiteObjectDN, ",")(0), "=")(1)
    ' "CN=<prefix>" -> "<prefix>"
    strSubnetName = Split(objSubnet.Name, "=")(1)
    If objHash.Exists(strSiteObjectName) Then
        objHash(strSiteObjectName) = objHash(strSiteObjectName) & "," & strSubnetName
    Else
        objHash.Add strSiteObjectName, strSubnetName
    End If
Next
For Each strKey In objHash.Keys
    WScript.Echo strKey & "," & objHash(strKey)
Next

List the Subnets in an Active Directory Site
Description Lists subnets in a specified Active Directory site.
Script Code
' siteObjectBL is the back-link of subnet.siteObject, so reading it on
' the site gives the DNs of every subnet assigned to that site.  Like
' other constructed/back-link attributes it needs an explicit GetInfoEx.
strSiteRDN = "cn=Ga-Atl-Sales"
Set objRootDSE = GetObject("LDAP://RootDSE")
strConfigurationNC = objRootDSE.Get("configurationNamingContext")
strSitePath = "LDAP://" & strSiteRDN & ",cn=Sites," & strConfigurationNC
Set objSite = GetObject(strSitePath)
objSite.GetInfoEx Array("siteObjectBL"), 0
arrSiteObjectBL = objSite.GetEx("siteObjectBL")
strHeading = strSiteRDN & " Subnets"
WScript.Echo strHeading & vbCrLf & String(Len(strSiteRDN) + 8, "-")
For Each strSiteObjectBL In arrSiteObjectBL
    strSubnetName = Split(Split(strSiteObjectBL, ",")(0), "=")(1)
    WScript.Echo strSubnetName
Next

List Your Domain Controller
Description Returns the name of the domain controller used to authenticate the logged-on user of a computer.
Script Code
' rootDSE.dnsHostName names the DC this script bound to through the
' locator.  NOTE(review): that is normally, but not necessarily, the DC
' that authenticated the interactive user.
Set objDomain = GetObject("LDAP://rootDse")
objDC = objDomain.Get("dnsHostName")
Wscript.Echo "Authenticating domain controller:" & objDC

Move a Domain Controller to a New Active Directory Site
Description Moves a domain controller from one Active Directory site (strSourceSiteRDN) to another Active Directory site (strTargetSiteRDN).
Script Code
' Moves a DC's server object from one site's cn=Servers container to
' another's.  IADsContainer.MoveHere on the target container does the
' move; the RDN is kept unchanged.
strSourceSiteRDN = "cn=Default-First-Site-Name"
strTargetSiteRDN = "cn=Ga-Atl-Sales"
strDcRDN = "cn=atl-dc-01"
Set objRootDSE = GetObject("LDAP://RootDSE")
strConfigurationNC = objRootDSE.Get("configurationNamingContext")
strSitesPath = ",cn=Sites," & strConfigurationNC
strDcPath = "LDAP://" & strDcRDN & ",cn=Servers," & strSourceSiteRDN & strSitesPath
strTargetSitePath = "LDAP://cn=Servers," & strTargetSiteRDN & strSitesPath
Set objTargetSite = GetObject(strTargetSitePath)
objTargetSite.MoveHere strDcPath, strDcRDN

Rename an Active Directory Site
Description Renames an Active Directory site.
Script Code
' A rename is a MoveHere into the same container under a new RDN.
strOldSiteRDN = "cn=Default-First-Site-Name"
strNewSiteRDN = "cn=Ga-Atl-Sales"
Set objRootDSE = GetObject("LDAP://RootDSE")
strConfigurationNC = objRootDSE.Get("configurationNamingContext")
strSitesContainer = "LDAP://cn=Sites," & strConfigurationNC
strOldSitePath = "LDAP://" & strOldSiteRDN & ",cn=Sites," & strConfigurationNC
Set objSitesContainer = GetObject(strSitesContainer)
objSitesContainer.MoveHere strOldSitePath, strNewSiteRDN

Verify that a Domain Controller is in a Site
Description Checks to see if a domain controller is in a specific Active Directory site.
Script Code
' Compares the expected site name with what the locator reports for the
' DC; site names are compared case-insensitively.
strDcName = "atl-dc-01"
strSiteName = "ga-atl-sales"
Set objADSysInfo = CreateObject("ADSystemInfo")
strDcSiteName = objADSysInfo.GetDCSiteName(strDcName)
blnInSite = (UCase(strSiteName) = UCase(strDcSiteName))
If blnInSite Then
    WScript.Echo "TRUE: " & strDcName & " is in site " & strSiteName
Else
    WScript.Echo "FALSE: " & strDcName & " is NOT in site " & strSiteName
End If

Add a Route to the Dial-In Properties of a User Account
Description Appends a new route to the Dial-In properties of a user account in Active Directory. This operation adds the new route without deleting any existing routes.
Script Code
' Appends one static route to both the saved (msRAS*) and the effective
' (msRADIUS*) route attributes.  Route format: "network/prefix gateway metric".
Const ADS_PROPERTY_APPEND = 3
strRoute = "128.168.0.0/15 0.0.0.0 5"
Set objUser = GetObject _
    ("LDAP://cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com")
With objUser
    .PutEx ADS_PROPERTY_APPEND, "msRASSavedFramedRoute", Array(strRoute)
    .PutEx ADS_PROPERTY_APPEND, "msRADIUSFramedRoute", Array(strRoute)
    .SetInfo
End With

Add Additional postOfficeBox Information for a User Account
Description Appends new entries to the postOfficeBox attribute of an Active Directory user account. This operation adds the new post office boxes without deleting any existing entries.
Script Code
Const ADS_PROPERTY_APPEND = 3
Set objUser = GetObject _
    ("LDAP://cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com")
' APPEND adds to the multi-valued attribute; existing boxes are kept.
With objUser
    .PutEx ADS_PROPERTY_APPEND, "postOfficeBox", Array("2225","2226")
    .SetInfo
End With

Add an Additional Home Phone Number to a User Account
Description Appends a new phone number to the otherHomePhone attribute of an Active Directory user account. This operation adds the phone number to the attribute without deleting any existing phone numbers.
Script Code
Const ADS_PROPERTY_APPEND = 3
Set objUser = GetObject _
    ("LDAP://cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com")
With objUser
    .PutEx ADS_PROPERTY_APPEND, "otherHomePhone", Array("(425) 555-0116")
    .SetInfo
End With

Add an Additional URL to a User Account
Description Adds an additional URL to a user account. Demonstrates how to append a new value to a multi-valued attribute.
Script Code
Const ADS_PROPERTY_APPEND = 3
Set objUser = GetObject _
    ("LDAP://cn=myerken,ou=management,dc=fabrikam,dc=com")
With objUser
    .PutEx ADS_PROPERTY_APPEND, "url", Array("http://www.fabrikam.com/policy")
    .SetInfo
End With

Assign the Primary Group for a User
Description Sets the primary group for the MyerKen Active Directory user account to MgmtUniversal.
Script Code
' Makes MgmtUniversal the user's primary group.  The user must already be
' a member of the group, so the membership is appended first and the
' primaryGroupID (the group's RID, exposed as primaryGroupToken) is set
' afterwards.
Const ADS_PROPERTY_APPEND = 3
strUserDN = "cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com"
Set objUser = GetObject("LDAP://" & strUserDN)
Set objGroup = GetObject _
    ("LDAP://cn=MgmtUniversal,ou=Management,dc=NA,dc=fabrikam,dc=com")
' primaryGroupToken is a constructed attribute; request it explicitly.
objGroup.GetInfoEx Array("primaryGroupToken"), 0
intPrimaryGroupToken = objGroup.Get("primaryGroupToken")
With objGroup
    .PutEx ADS_PROPERTY_APPEND, "member", Array(strUserDN)
    .SetInfo
End With
' NOTE(review): once primaryGroupID points at a group, the user is
' normally no longer listed in that group's "member" attribute; audits
' that only read "member" should also check primaryGroupID - confirm
' against the environment.
objUser.Put "primaryGroupID", intPrimaryGroupToken
objUser.SetInfo

Clearing User Account Address Attributes
Description Clears selected address-related attributes for a user account.
Script Code
Const ADS_PROPERTY_CLEAR = 1
Set objUser = GetObject _
    ("LDAP://cn=myerken,ou=management,dc=fabrikam,dc=com")
' CLEAR removes the attribute entirely; the last argument is ignored.
With objUser
    .PutEx ADS_PROPERTY_CLEAR, "streetAddress", 0
    .PutEx ADS_PROPERTY_CLEAR, "c", 0
    .SetInfo
End With

Copy a Published Certificate to a User Account
Description Copies a published certificate from a template account (userTemplate) and assigns it to the MyerKen Active Directory user account. This operation replaces any existing published certificates for the MyerKen account.
Script Code
' userCertificate is multi-valued binary; UPDATE replaces the whole set,
' so MyerKen ends up with exactly the template's certificates.
' NOTE(review): On Error Resume Next hides every failure here, including
' a template with no userCertificate at all - check Err after GetEx if
' this is run unattended.
On Error Resume Next
Const ADS_PROPERTY_UPDATE = 2
Set objUserTemplate = _
    GetObject("LDAP://cn=userTemplate,OU=Management,dc=NA,dc=fabrikam,dc=com")
arrUserCertificates = objUserTemplate.GetEx("userCertificate")
Set objUser = _
    GetObject("LDAP://cn=MyerKen,OU=Management,dc=NA,dc=fabrikam,dc=com")
With objUser
    .PutEx ADS_PROPERTY_UPDATE, "userCertificate", arrUserCertificates
    .SetInfo
End With

Delete a Calling Station ID from a User Account
Description Removes a specific calling station ID from the MyerKen Active Directory user account. This operation only removes the specified calling station ID; no other IDs are deleted.
Script Code
' DELETE removes only the listed values from a multi-valued attribute;
' the saved (msNPSaved*) and effective (msNP*) copies are kept in step.
Const ADS_PROPERTY_DELETE = 4
strStationID = "555-0111"
Set objUser = GetObject _
    ("LDAP://cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com")
With objUser
    .PutEx ADS_PROPERTY_DELETE, "msNPSavedCallingStationID", Array(strStationID)
    .PutEx ADS_PROPERTY_DELETE, "msNPCallingStationID", Array(strStationID)
    .SetInfo
End With

Delete a Post Office Box from a User Account
Description Removes a specified value (2224) from the postOfficeBox attribute of the MyerKen Active Directory user account. This operation removes only the specified post office box; other entries will not be deleted.
Script Code
Const ADS_PROPERTY_DELETE = 4
Set objUser = GetObject _
    ("LDAP://cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com")
With objUser
    .PutEx ADS_PROPERTY_DELETE, "postOfficeBox", Array("2224")
    .SetInfo
End With

Delete Address Page Information for a User Account
Description Removes all information for the c (country) and postOfficeBox attributes of the MyerKen Active Directory user account.
Script Code
Const ADS_PROPERTY_CLEAR = 1
Set objUser = GetObject _
    ("LDAP://cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com")
' CLEAR drops the attribute with all its values.
With objUser
    .PutEx ADS_PROPERTY_CLEAR, "c", 0
    .PutEx ADS_PROPERTY_CLEAR, "postOfficeBox", 0
    .SetInfo
End With

Delete All Department and Direct Report Information from a User Account
Description Removes all information from the department, directReports, and manager attributes of the MyerKen Active Directory user account.
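Script Code
' Clears the user's department and detaches every direct report.
' directReports is a back-link of the "manager" attribute on other users
' and cannot be written directly; it empties when "manager" is cleared on
' each report.  The original listing left On Error Resume Next on without
' ever checking Err except once, so a failed SetInfo or a bind error
' could be mistaken for "no direct reports"; errors are now reported.
On Error Resume Next
Const E_ADS_PROPERTY_NOT_FOUND = &h8000500D
Const ADS_PROPERTY_CLEAR = 1
Set objUser = GetObject _
    ("LDAP://cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com")
If Err.Number <> 0 Then
    WScript.Echo "Could not bind to the user: " & Err.Description
    WScript.Quit 1
End If
objUser.PutEx ADS_PROPERTY_CLEAR, "department", 0
objUser.SetInfo
If Err.Number <> 0 Then
    WScript.Echo "Could not clear department: " & Err.Description
    Err.Clear
End If
' Err is cleared above so that only the GetEx result is inspected here.
arrDirectReports = objUser.GetEx("directReports")
If Err.Number = E_ADS_PROPERTY_NOT_FOUND Then
    ' No direct reports: nothing more to do.
    WScript.Quit
ElseIf Err.Number <> 0 Then
    WScript.Echo "Could not read directReports: " & Err.Description
    WScript.Quit 1
Else
    For Each strValue in arrDirectReports
        Set objUserSource = GetObject("LDAP://" & strValue)
        objUserSource.PutEx ADS_PROPERTY_CLEAR, "manager", 0
        objUserSource.SetInfo
        If Err.Number <> 0 Then
            WScript.Echo "Could not clear manager on " & strValue & ": " & Err.Description
            Err.Clear
        End If
    Next
End If
On Error GoTo 0
' NOTE(review): the description also names MyerKen's own "manager"
' attribute, but the listing never clears it (only the reports' manager
' links).  Add objUser.PutEx ADS_PROPERTY_CLEAR, "manager", 0 before the
' first SetInfo if that is intended.

Delete All Dial-In Properties for a User Account
Description Clears all Dial-In attribute values for the MyerKen Active Directory user account.
Script Code
' Clears every Dial-In page attribute, both the saved (msRAS*/msNPSaved*)
' and the effective (msRADIUS*/msNP*) copies.
Const ADS_PROPERTY_CLEAR = 1
Set objUser = GetObject _
    ("LDAP://cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com")
arrDialInAttributes = Array( _
    "msNPAllowDialin", _
    "msNPCallingStationID", _
    "msNPSavedCallingStationID", _
    "msRADIUSServiceType", _
    "msRADIUSCallbackNumber", _
    "msRASSavedCallbackNumber", _
    "msRADIUSFramedIPAddress", _
    "msRASSavedFramedIPAddress", _
    "msRADIUSFramedRoute", _
    "msRASSavedFramedRoute")
For Each strAttribute In arrDialInAttributes
    objUser.PutEx ADS_PROPERTY_CLEAR, strAttribute, 0
Next
objUser.SetInfo

Delete All Published Certificates from a User Account
Description Removes all published certificates for the MyerKen Active Directory user account.
Script Code
Const ADS_PROPERTY_CLEAR = 1
Set objUser = GetObject _
    ("LDAP://cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com")
' Removes every value of the multi-valued binary userCertificate attribute.
objUser.PutEx ADS_PROPERTY_CLEAR, "userCertificate", 0
objUser.SetInfo

Delete an otherMobile Phone Number
Description Deletes a phone number from a user account with multiple mobile phone numbers.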
Script Code
' DELETE removes just the listed value; other otherMobile entries stay.
Const ADS_PROPERTY_DELETE = 4
Set objUser = GetObject _
    ("LDAP://cn=myerken,ou=management,dc=fabrikam,dc=com")
With objUser
    .PutEx ADS_PROPERTY_DELETE, "otherMobile", Array("(425) 555-3334")
    .SetInfo
End With

Delete Published Certificates from a User Account
Description Retrieves a set of published certificates from a template account (userTemplate), and then deletes each of those certificates from the MyerKen Active Directory user account.
Script Code
' Removes from MyerKen exactly those certificate values that the template
' account carries; any other certificates on MyerKen are left alone.
' NOTE(review): On Error Resume Next hides a template with no
' userCertificate and a failed SetInfo alike; check Err if this is run
' unattended.
On Error Resume Next
Const ADS_PROPERTY_DELETE = 4
Set objUserTemplate = _
    GetObject("LDAP://cn=userTemplate,OU=Management,dc=NA,dc=fabrikam,dc=com")
arrUserCertificates = objUserTemplate.GetEx("userCertificate")
Set objUser = _
    GetObject("LDAP://cn=MyerKen,OU=Management,dc=NA,dc=fabrikam,dc=com")
With objUser
    .PutEx ADS_PROPERTY_DELETE, "userCertificate", arrUserCertificates
    .SetInfo
End With

Delete Selected Attributes from a User Account
Description Deletes selected attributes from a user account. Demonstrates how to delete single-valued attributes as well as how to delete a single entry from a multi-valued attribute.
Script Code
' DELETE with the current value works for a single-valued attribute too
' (initials); for otherTelephone only the listed number is removed.
Const ADS_PROPERTY_DELETE = 4
Set objUser = GetObject _
    ("LDAP://cn=myerken,ou=management,dc=fabrikam,dc=com")
With objUser
    .PutEx ADS_PROPERTY_DELETE, "otherTelephone", Array("(425) 555-1213")
    .PutEx ADS_PROPERTY_DELETE, "initials", Array("E.")
    .SetInfo
End With

Delete Selected User Account Attributes
Description Clears selected attributes for a user account.
Script Code
Const ADS_PROPERTY_CLEAR = 1
Set objUser = GetObject _
    ("LDAP://cn=myerken,ou=management,dc=fabrikam,dc=com")
With objUser
    .PutEx ADS_PROPERTY_CLEAR, "initials", 0
    .PutEx ADS_PROPERTY_CLEAR, "otherTelephone", 0
    .SetInfo
End With

Delete User Account Telephone Attributes
Description Clears selected telephone-related attributes for a user account.
Script Code
Const ADS_PROPERTY_CLEAR = 1
Set objUser = GetObject _
    ("LDAP://cn=myerken,ou=management,dc=fabrikam,dc=com")
' "info" is the Notes field of the Telephones page.
With objUser
    .PutEx ADS_PROPERTY_CLEAR, "info", 0
    .PutEx ADS_PROPERTY_CLEAR, "otherPager", 0
    .SetInfo
End With

Disable the Smartcard Required Attribute for a User Account
Description Disables the setting that requires MyerKen to use a smartcard when logging on to Active Directory.
Script Code
' Clears the SMARTCARD_REQUIRED bit of userAccountControl, leaving every
' other bit untouched.  The write is skipped when the bit is not set.
' NOTE(review): while the flag was set AD kept a random password on the
' account; clearing the flag does not replace it, so a password reset is
' normally needed before password logon works again - confirm for the
' target OS level.
Const ADS_UF_SMARTCARD_REQUIRED = &h40000
Set objUser = GetObject _
    ("LDAP://cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com")
intUAC = objUser.Get("userAccountControl")
blnRequired = ((intUAC AND ADS_UF_SMARTCARD_REQUIRED) <> 0)
If blnRequired Then
    ' XOR with a bit known to be set is the same as clearing that bit.
    intUAC = intUAC XOR ADS_UF_SMARTCARD_REQUIRED
    objUser.Put "userAccountControl", intUAC
    objUser.SetInfo
End If

Enable a User to Log on at Any Time
Description Configures the MyerKen Active Directory user account so that the user can log on at any time on any day of the week.
Script Code
' An absent logonHours attribute means "no logon-hour restriction", so
' clearing it lifts whatever schedule was in place.
Const ADS_PROPERTY_CLEAR = 1
Set objUser = GetObject _
    ("LDAP://cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com")
With objUser
    .PutEx ADS_PROPERTY_CLEAR, "logonHours", 0
    .SetInfo
End With

Modify Account Page Information for a User Account
Description Configures basic account information for the MyerKen Active Directory user account.
Script Code
Set objUser = GetObject _
    ("LDAP://cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com")
With objUser
    .Put "userPrincipalName", "MyerKen@fabrikam.com"
    .Put "sAMAccountName", "MyerKen01"
    ' userWorkstations is a single comma-separated string, not an array.
    .Put "userWorkstations","wks1,wks2,wks3"
    .SetInfo
End With

Modify Address Page Information for a User Account
Description Configures address-related information for the MyerKen Active Directory user account.
Script Code
Const ADS_PROPERTY_UPDATE = 2
Set objUser = GetObject _
    ("LDAP://cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com")
' streetAddress is multi-line; the two lines are joined with CRLF.
strStreet = "Building 43" & vbCrLf & "One Microsoft Way"
With objUser
    .Put "streetAddress", strStreet
    .Put "l", "Redmond"
    .Put "st", "Washington"
    .Put "postalCode", "98053"
    .Put "c", "US"
    ' postOfficeBox is multi-valued; UPDATE replaces the whole set.
    .PutEx ADS_PROPERTY_UPDATE, "postOfficeBox", Array("2222", "2223", "2224")
    .SetInfo
End With

Modify COM+ Information for a User Account
Description Sets COM+ information for the MyerKen Active Directory user account.
Script Code
Set objUser = GetObject _
    ("LDAP://cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com")
' The value is the DN of an existing msCOM-PartitionSet object.
With objUser
    .Put "msCOM-UserPartitionSetLink", _
        "cn=PartitionSet1,cn=ComPartitionSets,cn=System,dc=NA,dc=fabrikam,dc=com"
    .SetInfo
End With

Modify Dial-In Properties for a User Account
Description Configures Dial-In attribute values for the MyerKen Active Directory user account.
Script Code
' Sets the Dial-In page.  Each setting is written to both the saved
' (msRAS*/msNPSaved*) and the effective (msRADIUS*/msNP*) attribute.
Const ADS_PROPERTY_UPDATE = 2
Set objUser = GetObject _
    ("LDAP://cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com")
arrStationIDs = Array("555-0100", "555-0111")
arrRoutes = Array("10.1.0.0/16 0.0.0.0 1", "192.168.1.0/24 0.0.0.0 3")
' Framed IP addresses are stored as a 32-bit integer: 167903442 is
' 0x0A0200D2, i.e. 10.2.0.210.
intFramedIP = 167903442
With objUser
    .Put "msNPAllowDialin", TRUE
    .PutEx ADS_PROPERTY_UPDATE, "msNPSavedCallingStationID", arrStationIDs
    .PutEx ADS_PROPERTY_UPDATE, "msNPCallingStationID", arrStationIDs
    .Put "msRADIUSServiceType", 4
    .Put "msRADIUSCallbackNumber", "555-0112"
    .Put "msRASSavedFramedIPAddress", intFramedIP
    .Put "msRADIUSFramedIPAddress", intFramedIP
    .PutEx ADS_PROPERTY_UPDATE, "msRASSavedFramedRoute", arrRoutes
    .PutEx ADS_PROPERTY_UPDATE, "msRADIUSFramedRoute", arrRoutes
    .SetInfo
End With

Modify General User Account Attributes
Description Configures user account attributes found on the General Properties page of the user account object in Active Directory Users and Computers.
Script Code
Const ADS_PROPERTY_UPDATE = 2
Set objUser = GetObject _
    ("LDAP://cn=myerken,ou=management,dc=fabrikam,dc=com")
With objUser
    ' Single-valued attributes of the General page.
    .Put "givenName", "Ken"
    .Put "initials", "E."
    .Put "sn", "Myer"
    .Put "displayName", "Myer, Ken"
    .Put "physicalDeliveryOfficeName", "Room 4358"
    .Put "telephoneNumber", "(425) 555-1211"
    .Put "mail", "myerken@fabrikam.com"
    .Put "wWWHomePage", "http://www.fabrikam.com"
    ' Multi-valued ones; UPDATE replaces the existing value set.
    .PutEx ADS_PROPERTY_UPDATE, "description", Array("Management staff")
    .PutEx ADS_PROPERTY_UPDATE, "otherTelephone", _
        Array("(800) 555-1212", "(425) 555-1213")
    .PutEx ADS_PROPERTY_UPDATE, "url", Array("http://www.fabrikam.com/management")
    .SetInfo
End With

Modify Organization Properties for a User Account
Description Configures organization information for the MyerKen Active Directory user account. The script also assigns MyerKen as the manager for LewJudy and AkersKim.
Script Code
' Sets MyerKen's Organization page, then points two other users' manager
' attribute at MyerKen (their directReports back-link updates itself).
' NOTE(review): the description says "AkersKim" but the DN below is
' "AckersKim"; one of the two is presumably a typo - confirm which.
Set objUser = GetObject _
    ("LDAP://cn=Myerken,ou=Management,dc=NA,dc=fabrikam,dc=com")
With objUser
    .Put "title", "Manager"
    .Put "department", "Executive Management Team"
    .Put "company", "Fabrikam"
    .Put "manager", _
        "cn=AckermanPilar,OU=Management,dc=NA,dc=fabrikam,dc=com"
    .SetInfo
End With
strManagerDN = objUser.Get("distinguishedName")
Set objUser01 = GetObject _
    ("LDAP://cn=LewJudy,OU=Sales,dc=NA,dc=fabrikam,dc=com")
Set objUser02 = GetObject _
    ("LDAP://cn=AckersKim,OU=Sales,dc=NA,dc=fabrikam,dc=com")
objUser01.Put "manager", strManagerDN
objUser02.Put "manager", strManagerDN
objUser01.SetInfo
objUser02.SetInfo

Modify User Account Address Attributes
Description Configures address-related attributes for a user account.
Script Code Set objUser = GetObject _ ("LDAP://cn=myerken,ou=management,dc=fabrikam,dc=com") objUser.Put "streetAddress", "Building 43" & _ VbCrLf & "One Microsoft Way" objUser.Put "l", "Redmond" objUser.Put "st", "Washington" objUser.Put "postalCode", "98053" objUser.Put "c", "US" objUser.Put "postOfficeBox", "2222" objUser.SetInfo S Modify User Account General Properties Description Configures general attributes for a user account. Script Code Set objUser = GetObject _ ("LDAP://cn=myerken,ou=management,dc=fabrikam,dc=com") 104 of 153 objUser.Put "userPrincipalName", "MyerKen@fabrikam.com" objUser.Put "sAMAccountName", "MyerKen01" objUser.Put "userWorkstations", "wks1,wks2,wks3" objUser.SetInfo S Modify User Account Telephone Numbers Description Configures telephone numbers and calling information for the MyerKen Active Directory user account. Script Code Const ADS_PROPERTY_UPDATE = 2 Set objUser = GetObject _ ("LDAP://cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com") objUser.Put "homePhone", "(425) 555-0100" objUser.Put "pager", "(425) 555-0101" objUser.Put "mobile", "(425) 555-0102" objUser.Put "facsimileTelephoneNumber", "(425) 555-0103" objUser.Put "ipPhone", "5555" objUser.Put "info", "Please do not call this user account" & _ " at home unless there is a work-related emergency. Call" & _ " this user's mobile phone before calling the pager number." objUser.PutEx ADS_PROPERTY_UPDATE, "otherHomePhone", Array("(425) 555-0110") objUser.PutEx ADS_PROPERTY_UPDATE, "otherPager", Array("(425) 555-0111") objUser.PutEx ADS_PROPERTY_UPDATE, _ "otherMobile", Array("(425) 555-0112", "(425) 555-0113") objUser.PutEx ADS_PROPERTY_UPDATE, _ "otherFacsimileTelephoneNumber", Array("(425) 555-0114") objUser.PutEx ADS_PROPERTY_UPDATE, "otherIpPhone", Array("5556") objUser.SetInfo 105 of 153 S Modify User Profile Paths Description Changes the server name portion of the user profile path to \\fabrikam for the MyerKen Active Directory user account. 
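' ===== Modify User Profile Paths =====
' Script Code
' Rewrites the server portion of the user's profilePath to \\fabrikam while
' keeping the share and folder part of the existing path.
' The original located the share by assuming the old server name is always
' exactly 9 characters (Mid(..., 12)); it now finds the separator instead.
Set objUser = GetObject _
    ("LDAP://cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com")
strCurrentProfilePath = objUser.Get("profilePath")

' Position 3 skips the leading "\\"; the next backslash starts the share part.
intShareStart = 0
If Left(strCurrentProfilePath, 2) = "\\" Then
    intShareStart = InStr(3, strCurrentProfilePath, "\")
End If

If intShareStart = 0 Then
    ' Not a \\server\share... path: leave it alone rather than writing garbage.
    WScript.Echo "profilePath is not a UNC path and was not changed: " & _
        strCurrentProfilePath
Else
    strRemains = Mid(strCurrentProfilePath, intShareStart)
    strNewProfilePath = "\\fabrikam" & strRemains
    objUser.Put "profilePath", strNewProfilePath
    objUser.SetInfo
End If

' ===== Modify User Profile Properties =====
' Description: Configures user profile settings for a user account.
' Script Code
' SECURITY (review note): profilePath, homeDirectory and scriptPath all point
' at network locations that are loaded at logon. Whoever can write to those
' shares can influence what runs in the user's session, so the shares named
' here should be writable only by administrators. scriptPath is presumably
' resolved relative to the domain's NETLOGON share - confirm before changing.
Set objUser = GetObject _
    ("LDAP://cn=myerken,ou=management,dc=fabrikam,dc=com")
objUser.Put "profilePath", "\\sea-dc-01\Profiles\myerken"
objUser.Put "scriptPath", "logon.bat"
objUser.Put "homeDirectory", "\\sea-dc-01\HomeFolders\myerken"
objUser.Put "homeDrive", "H"
objUser.SetInfo

' ===== Modify User Telephone Properties =====
' Description: Configures telephone numbers and telephone-related attributes
' for a user account.
' Script Code
' Multi-valued attributes go through PutEx with ADS_PROPERTY_UPDATE, which
' replaces the whole value set; single-valued ones use Put.
Const ADS_PROPERTY_UPDATE = 2
Set objUser = GetObject _
    ("LDAP://cn=myerken,ou=management,dc=fabrikam,dc=com")
objUser.Put "homePhone", "(425) 555-1111"
objUser.Put "pager", "(425) 555-2222"
objUser.Put "mobile", "(425) 555-3333"
objUser.Put "facsimileTelephoneNumber", "(425) 555-4444"
objUser.Put "ipPhone", "5555"
objUser.Put "info", "Please do not call this user account" & _
    " at home unless there is a work-related emergency. Call" & _
    " this user's mobile phone before calling the pager number"
objUser.PutEx ADS_PROPERTY_UPDATE, _
    "otherHomePhone", Array("(425) 555-1112")
objUser.PutEx ADS_PROPERTY_UPDATE, _
    "otherPager", Array("(425) 555-2223")
objUser.PutEx ADS_PROPERTY_UPDATE, _
    "otherMobile", Array("(425) 555-3334", "(425) 555-3335")
objUser.PutEx ADS_PROPERTY_UPDATE, _
    "otherFacsimileTelephoneNumber", Array("(425) 555-4445")
objUser.PutEx ADS_PROPERTY_UPDATE, _
    "otherIpPhone", Array("6666")
objUser.SetInfo

' ===== Require a User to Logon Using a Smartcard =====
' Description: Configures the MyerKen user account so that the user must use
' a smartcard in order to logon to Active Directory.
' Script Code
Const ADS_UF_SMARTCARD_REQUIRED = &h40000
Set objUser = GetObject _
    ("LDAP://cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com")
intUAC = objUser.Get("userAccountControl")
' Only write when the bit is not already set. "Or" sets the bit and can never
' clear it, which is safer than the Xor toggle if the guard is ever removed.
If (intUAC And ADS_UF_SMARTCARD_REQUIRED) = 0 Then
    objUser.Put "userAccountControl", intUAC Or ADS_UF_SMARTCARD_REQUIRED
    objUser.SetInfo
End If

' ===== Assign a Password to a User =====
' Description: Configures a new password for a user.
' Script Code
' SECURITY: the password is a literal in the script. Anyone who can read this
' file, the shell history, or the repository it is checked into learns it.
' For real use read the value at run time and rotate it afterwards.
' SetPassword is an administrative reset: no old password is needed, and
' (unlike the Put-based scripts above) no SetInfo call follows it.
Set objUser = GetObject _
    ("LDAP://cn=MyerKen,ou=management,dc=fabrikam,dc=com")
objUser.SetPassword "i5A2sj*!"

' ===== Change the Password for a User =====
' Description: Changes the password for a user. Requires you to know the
' user's previous password.
' Script Code
' Same caveat as above: both the old and the new password are embedded here.
' ChangePassword(old, new) is the user-style change that is subject to the
' domain's password history/age rules, whereas SetPassword is a reset.
Set objUser = GetObject _
    ("LDAP://cn=myerken,ou=management,dc=fabrikam,dc=com")
objUser.ChangePassword "i5A2sj*!", "jl3R86df"

' ===== Create a Non-Expiring Password =====
' Description: Configures the domain password for a user account to ensure
' that the password will never expire.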
' ===== Create a Non-Expiring Password =====
' Script Code
' SECURITY (review note): an account with this flag set is exempt from the
' domain's maximum password age. Keep an inventory of such accounts; the
' "List Password Attributes for a User Account" script below reports the flag.
Const ADS_UF_DONT_EXPIRE_PASSWD = &h10000
Set objUser = GetObject _
    ("LDAP://cn=myerken,ou=management,dc=fabrikam,dc=com")
intUAC = objUser.Get("userAccountControl")
' Because the Else branch only runs when the bit is clear, Or and Xor give
' the same result here; Or states the intent (set, never toggle).
If ADS_UF_DONT_EXPIRE_PASSWD And intUAC Then
    Wscript.Echo "Already enabled"
Else
    objUser.Put "userAccountControl", intUAC Or ADS_UF_DONT_EXPIRE_PASSWD
    objUser.SetInfo
    WScript.Echo "Password never expires is now enabled"
End If

' ===== Enable Users to Change Their Passwords =====
' Description: Disables the User Cannot Change Password option, allowing the
' user to change their password.
' Script Code
' "User cannot change password" is not a userAccountControl bit; it is a pair
' of object-specific deny ACEs (trustees SELF and Everyone) on the
' "Change Password" control-access right. Removing those ACEs re-enables it.
Const ADS_ACETYPE_ACCESS_DENIED_OBJECT = &H6
Const CHANGE_PASSWORD_GUID = _
    "{ab721a53-1e2f-11d0-9819-00aa0040529b}"
Set objUser = GetObject _
    ("LDAP://cn=myerken,ou=management,dc=fabrikam,dc=com")
Set objSD = objUser.Get("nTSecurityDescriptor")
Set objDACL = objSD.DiscretionaryAcl
' NOTE(review): trustees are matched by display name; on a DC whose well-known
' account names are localized this comparison may not match - confirm.
arrTrustees = Array("nt authority\self", "everyone")
For Each strTrustee In arrTrustees
    For Each objAce In objDACL
        blnIsTrustee = (LCase(objAce.Trustee) = strTrustee)
        blnIsDenyChangePwd = _
            (objAce.AceType = ADS_ACETYPE_ACCESS_DENIED_OBJECT) And _
            (LCase(objAce.ObjectType) = CHANGE_PASSWORD_GUID)
        If blnIsTrustee And blnIsDenyChangePwd Then
            objDACL.RemoveAce objAce
        End If
    Next
Next
objUser.Put "nTSecurityDescriptor", objSD
objUser.SetInfo

' ===== List Domain Password Policy Settings =====
' Description: Displays password policy settings for the domain.
111 of 153 Script Code Const MIN_IN_DAY = 1440 Const SEC_IN_MIN = 60 Set objDomain = GetObject("WinNT://fabrikam") Set objAdS = GetObject("LDAP://dc=fabrikam,dc=com") intMaxPwdAgeSeconds = objDomain.Get("MaxPasswordAge") intMinPwdAgeSeconds = objDomain.Get("MinPasswordAge") intLockOutObservationWindowSeconds = objDomain.Get("LockoutObservationInterval") intLockoutDurationSeconds = objDomain.Get("AutoUnlockInterval") intMinPwdLength = objAds.Get("minPwdLength") intPwdHistoryLength = objAds.Get("pwdHistoryLength") intPwdProperties = objAds.Get("pwdProperties") intLockoutThreshold = objAds.Get("lockoutThreshold") intMaxPwdAgeDays = _ ((intMaxPwdAgeSeconds/SEC_IN_MIN)/MIN_IN_DAY) & " days" intMinPwdAgeDays = _ ((intMinPwdAgeSeconds/SEC_IN_MIN)/MIN_IN_DAY) & " days" intLockOutObservationWindowMinutes = _ (intLockOutObservationWindowSeconds/SEC_IN_MIN) & " minutes" If intLockoutDurationSeconds <> -1 Then intLockoutDurationMinutes = _ (intLockOutDurationSeconds/SEC_IN_MIN) & " minutes" Else intLockoutDurationMinutes = _ "Administrator must manually unlock locked accounts" End If WScript.Echo "maxPwdAge = " & intMaxPwdAgeDays WScript.Echo "minPwdAge = " & intMinPwdAgeDays WScript.Echo "minPwdLength = " & intMinPwdLength WScript.Echo "pwdHistoryLength = " & intPwdHistoryLength WScript.Echo "pwdProperties = " & intPwdProperties WScript.Echo "lockOutThreshold = " & intLockoutThreshold WScript.Echo "lockOutObservationWindow = " & intLockOutObservationWindowMinutes WScript.Echo "lockOutDuration = " & intLockoutDurationMinutes S 112 of 153 List Domain Password Property Attributes Description Displays password settings for the domain. 
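' ===== List Domain Password Property Attributes =====
' Script Code
' pwdProperties is a bit mask. The two high flags are &h10 and &h20; the
' original listing had &h16 and &h32 (decimal 22 and 50, several bits each),
' so DOMAIN_PASSWORD_STORE_CLEARTEXT and DOMAIN_REFUSE_PASSWORD_CHANGE were
' reported "enabled" whenever NO_ANON_CHANGE or NO_CLEAR_CHANGE was set -
' a false positive on exactly the two flags a security review cares about.
Set objHash = CreateObject("Scripting.Dictionary")
objHash.Add "DOMAIN_PASSWORD_COMPLEX", &h1
objHash.Add "DOMAIN_PASSWORD_NO_ANON_CHANGE", &h2
objHash.Add "DOMAIN_PASSWORD_NO_CLEAR_CHANGE", &h4
objHash.Add "DOMAIN_LOCKOUT_ADMINS", &h8
objHash.Add "DOMAIN_PASSWORD_STORE_CLEARTEXT", &h10
objHash.Add "DOMAIN_REFUSE_PASSWORD_CHANGE", &h20
Set objDomain = GetObject("LDAP://dc=fabrikam,dc=com")
intPwdProperties = objDomain.Get("PwdProperties")
WScript.Echo "Password Properties = " & intPwdProperties
For Each Key In objHash.Keys
    If objHash(Key) And intPwdProperties Then
        WScript.Echo Key & " is enabled"
    Else
        WScript.Echo Key & " is disabled"
    End If
Next

' ===== List Password Attributes for a User Account =====
' Description: Displays password-related attributes for an individual user
' account.
' Script Code
' Combines three sources: userAccountControl bits read over LDAP, the
' "password expired" flag which this sample reads through the WinNT provider,
' and the "user cannot change password" deny ACE in the object's DACL.
' Accounts reporting ADS_UF_PASSWD_NOTREQD or
' ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED as enabled deserve a closer look.
Const ADS_UF_PASSWORD_EXPIRED = &h800000
Const ADS_ACETYPE_ACCESS_DENIED_OBJECT = &H6
Const CHANGE_PASSWORD_GUID = "{ab721a53-1e2f-11d0-9819-00aa0040529b}"
Set objHash = CreateObject("Scripting.Dictionary")
objHash.Add "ADS_UF_PASSWD_NOTREQD", &h00020
objHash.Add "ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED", &h0080
objHash.Add "ADS_UF_DONT_EXPIRE_PASSWD", &h10000
' Initialise explicitly instead of relying on Empty being falsy.
blnExpiredFlag = False
blnACEPresent = False
Set objUser = GetObject _
    ("LDAP://CN=MyerKen,OU=management,DC=Fabrikam,DC=com")
intUserAccountControl = objUser.Get("userAccountControl")
Set objUserNT = GetObject("WinNT://fabrikam/myerken")
intUserFlags = objUserNT.Get("userFlags")
If ADS_UF_PASSWORD_EXPIRED And intUserFlags Then
    blnExpiredFlag = True
    Wscript.Echo "ADS_UF_PASSWORD_EXPIRED is enabled"
Else
    Wscript.Echo "ADS_UF_PASSWORD_EXPIRED is disabled"
End If
For Each Key In objHash.Keys
    If objHash(Key) And intUserAccountControl Then
        WScript.Echo Key & " is enabled"
    Else
        WScript.Echo Key & " is disabled"
    End If
Next
Set objSD = objUser.Get("nTSecurityDescriptor")
Set objDACL = objSD.DiscretionaryAcl
For Each Ace In objDACL
    If ((Ace.AceType = ADS_ACETYPE_ACCESS_DENIED_OBJECT) And _
        (LCase(Ace.ObjectType) = CHANGE_PASSWORD_GUID)) Then
        blnACEPresent = True
    End If
Next
If blnACEPresent Then
    Wscript.Echo "ADS_UF_PASSWD_CANT_CHANGE is enabled"
Else
    Wscript.Echo "ADS_UF_PASSWD_CANT_CHANGE is disabled"
End If
If blnExpiredFlag = True Then
    Wscript.echo "pwdLastSet is null"
Else
    Wscript.echo "pwdLastSet is " & objUser.PasswordLastChanged
End If

' ===== List When a Password Expires =====
' Description: Determines the date when a user password will expire.
' Script Code
' NOTE(review): only the domain-wide MaxPasswordAge is consulted. If a
' per-user or per-group password settings object overrides it, the date
' printed here will be wrong - confirm whether fine-grained policies are in
' use before relying on this output.
Const SEC_IN_DAY = 86400
Const ADS_UF_DONT_EXPIRE_PASSWD = &h10000
Set objUserLDAP = GetObject _
    ("LDAP://CN=myerken,OU=management,DC=fabrikam,DC=com")
intCurrentValue = objUserLDAP.Get("userAccountControl")
If intCurrentValue And ADS_UF_DONT_EXPIRE_PASSWD Then
    Wscript.Echo "The password does not expire."
Else
    dtmValue = objUserLDAP.PasswordLastChanged
    ' (Original output ran "set" and "and" together; a space was added.)
    Wscript.Echo "The password was last changed on " & _
        DateValue(dtmValue) & " at " & TimeValue(dtmValue) & VbCrLf & _
        "The difference between when the password was last set " & _
        "and today is " & Int(Now - dtmValue) & " days"
    intTimeInterval = Int(Now - dtmValue)
    Set objDomainNT = GetObject("WinNT://fabrikam")
    intMaxPwdAge = objDomainNT.Get("MaxPasswordAge")
    If intMaxPwdAge < 0 Then
        WScript.Echo "The Maximum Password Age is set to 0 in the " & _
            "domain. Therefore, the password does not expire."
    Else
        ' MaxPasswordAge comes back in seconds; work in days from here on.
        intMaxPwdAge = (intMaxPwdAge / SEC_IN_DAY)
        Wscript.Echo "The maximum password age is " & intMaxPwdAge & " days"
        If intTimeInterval >= intMaxPwdAge Then
            Wscript.Echo "The password has expired."
        Else
            Wscript.Echo "The password will expire on " & _
                DateValue(dtmValue + intMaxPwdAge) & " (" & _
                Int((dtmValue + intMaxPwdAge) - Now) & " days from today" & _
                ")."
        End If
    End If
End If

' ===== List When a Password was Last Changed =====
' Description: Identifies the last time a user password was changed.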
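' ===== List When a Password was Last Changed =====
' Script Code
Set objUser = GetObject _
    ("LDAP://CN=myerken,OU=management,DC=Fabrikam,DC=com")
dtmValue = objUser.PasswordLastChanged
WScript.Echo "Password last changed: " & dtmValue

' ===== Prevent Passwords from Being Stored Using Reversible Encrypted Text =====
' Description: Disables the option allowing a password to be stored using
' reversible encrypted text.
' Script Code
Const ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED = &H80
Set objUser = GetObject _
    ("LDAP://cn=myerken,ou=management,dc=fabrikam,dc=com")
intUAC = objUser.Get("userAccountControl")
If intUAC And ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED Then
    ' "And Not" clears only this bit; it cannot accidentally set it the way
    ' an unguarded Xor would.
    objUser.Put "userAccountControl", _
        intUAC And (Not ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED)
    objUser.SetInfo
End If
' NOTE(review): clearing the flag governs how future passwords are stored. A
' password already stored reversibly is presumably only replaced when the
' user next changes it - confirm, and consider forcing a reset as well.

' ===== Prevent Users From Changing Their Passwords =====
' Description: Enables the User Cannot Change Password option, which prevents
' the user from changing his or her password.
' Script Code
' Adds an object-specific deny ACE on the "Change Password" control-access
' right for SELF and Everyone. The original appended the two ACEs on every run,
' so re-running it kept growing the DACL with duplicates; existing matching
' entries are now skipped.
Const ADS_ACETYPE_ACCESS_DENIED_OBJECT = &H6
Const ADS_ACEFLAG_OBJECT_TYPE_PRESENT = &H1
Const CHANGE_PASSWORD_GUID = "{ab721a53-1e2f-11d0-9819-00aa0040529b}"
Const ADS_RIGHT_DS_CONTROL_ACCESS = &H100
Set objUser = GetObject _
    ("LDAP://cn=myerken,ou=management,dc=fabrikam,dc=com")
Set objSD = objUser.Get("ntSecurityDescriptor")
Set objDACL = objSD.DiscretionaryAcl
arrTrustees = array("nt authority\self", "EVERYONE")
For Each strTrustee in arrTrustees
    blnAlreadyDenied = False
    For Each objExisting In objDACL
        If LCase(objExisting.Trustee) = LCase(strTrustee) Then
            If (objExisting.AceType = ADS_ACETYPE_ACCESS_DENIED_OBJECT) And _
               (LCase(objExisting.ObjectType) = CHANGE_PASSWORD_GUID) Then
                blnAlreadyDenied = True
            End If
        End If
    Next
    If Not blnAlreadyDenied Then
        Set objACE = CreateObject("AccessControlEntry")
        objACE.Trustee = strTrustee
        objACE.AceFlags = 0
        objACE.AceType = ADS_ACETYPE_ACCESS_DENIED_OBJECT
        objACE.Flags = ADS_ACEFLAG_OBJECT_TYPE_PRESENT
        objACE.ObjectType = CHANGE_PASSWORD_GUID
        objACE.AccessMask = ADS_RIGHT_DS_CONTROL_ACCESS
        objDACL.AddAce objACE
    End If
Next
' NOTE(review): AddAce appends at the end of the DACL. Whether the directory
' re-sorts the list into canonical order (explicit denies before allows) is
' not established here - verify the effective permissions after the write.
objSD.DiscretionaryAcl = objDACL
objUser.Put "nTSecurityDescriptor", objSD
objUser.SetInfo

' ===== Require Users to Change Their Password =====
' Description: Forces a user to change their password the next time they
' logon.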
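' ===== Require Users to Change Their Password =====
' Script Code
' Setting pwdLastSet to 0 marks the password as expired so the user is asked
' for a new one at logon.
Const ADS_UF_DONT_EXPIRE_PASSWD = &h10000
Set objUser = GetObject _
    ("LDAP://CN=myerken,OU=management,DC=Fabrikam,DC=com")
' NOTE(review): an account flagged "password never expires" (or one that must
' log on with a smart card) is not expected to be prompted by this change;
' warn so the operator does not assume the reset took effect. Confirm against
' the DC's behaviour before relying on the warning text.
intUAC = objUser.Get("userAccountControl")
If intUAC And ADS_UF_DONT_EXPIRE_PASSWD Then
    WScript.Echo "Warning: ADS_UF_DONT_EXPIRE_PASSWD is set on this account; " & _
        "pwdLastSet = 0 may not force a change at next logon."
End If
objUser.Put "pwdLastSet", 0
objUser.SetInfo

' ===== Verify Whether Users Can Change Their Passwords =====
' Description: Identifies whether or not a user is allowed to change his or
' her password.
' Script Code
' The check is purely structural: any object-specific deny ACE on the
' "Change Password" right counts, whoever the trustee is.
Const ADS_ACETYPE_ACCESS_DENIED_OBJECT = &H6
Const CHANGE_PASSWORD_GUID = _
    "{ab721a53-1e2f-11d0-9819-00aa0040529b}"
Set objUser = GetObject _
    ("LDAP://cn=myerken,ou=management,dc=fabrikam,dc=com")
Set objSD = objUser.Get("nTSecurityDescriptor")
Set objDACL = objSD.DiscretionaryAcl
blnEnabled = False
For Each Ace In objDACL
    If ((Ace.AceType = ADS_ACETYPE_ACCESS_DENIED_OBJECT) And _
        (LCase(Ace.ObjectType) = CHANGE_PASSWORD_GUID)) Then
        blnEnabled = True
    End If
Next
If blnEnabled Then
    WScript.Echo "The user cannot change his or her password."
Else
    WScript.Echo "The user can change his or her password."
End If

' ===== List Account Page Information for a User Account =====
' Description: Returns basic account information for the MyerKen Active
' Directory user account.
' Script Code
' On Error Resume Next means a mistyped DN or missing attribute prints blank
' values instead of failing; do not treat empty output as "attribute unset".
On Error Resume Next
Set objUser = GetObject _
    ("LDAP://cn=Myerken,ou=Management,dc=NA,dc=fabrikam,dc=com")
WScript.Echo "User Principal Name: " & objUser.userPrincipalName
WScript.Echo "SAM Account Name: " & objUser.sAMAccountName
WScript.Echo "User Workstations: " & objUser.userWorkstations
' The "dc" attribute of the domain object is its domain-component name
' (here "NA"), not a domain controller; the original label said
' "Domain controller:", which misreads the output.
Set objDomain = GetObject("LDAP://dc=NA,dc=fabrikam,dc=com")
WScript.Echo "Domain component (dc): " & objDomain.dc

' ===== List Address Page Information for a User Account =====
' Description: Returns address-related attribute values for the MyerKen
' Active Directory user account.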
Script Code On Error Resume Next Set objUser = GetObject _ ("LDAP://cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com") WScript.Echo "Street Address: " & objUser.streetAddress WScript.Echo "Locality: " & objUser.l 120 of 153 WScript.Echo "State/province: " & objUser.st WScript.Echo "Postal Code: " & objUser.postalCode WScript.Echo "Country: " & objUser.c WScript.Echo "Post Office Boxes:" For Each strValue in objUser.postOfficeBox WScript.echo vbTab & vbTab & strValue Next S List All Telephone Settings for a User Account Description Displays all the telephone attribute values for the MyerKen Active Directory user account. Script Code On Error Resume Next Set objUser = GetObject _ ("LDAP://cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com") WScript.Echo "Home Phone: " & objUser.homePhone WScript.Echo "Pager: " & objUser.pager WScript.Echo "Mobile phone: " & objUser.mobile WScript.Echo " IP Phone: " & objUser.ipPhone WScript.Echo "Information: " & objUser.info WScript.Echo " Fax Number: " & objUser.facsimileTelephoneNumber WScript.Echo "Other Home Phone:" For Each strValue in objUser.otherHomePhone WScript.Echo strValue Next WScript.Echo "Other Pager:" For Each strValue in objUser.otherPager WScript.Echo strValue Next WScript.Echo "oOther Mobile Phone:" 121 of 153 For Each strValue in objUser.otherMobile WScript.Echo strValue Next WScript.Echo "Other IP Phone:" For Each strValue in objUser.otherIpPhone WScript.Echo strValue Next WScript.Echo "Other Fax Number:" For Each strValue in objUser.otherFacsimileTelephoneNumber WScript.Echo strValue Next S List All the Attributes of the User Class Description Returns a list of mandatory and optional attributes for the User class in Active Directory. 
Script Code Set objUserClass = GetObject("LDAP://schema/user") Set objSchemaClass = GetObject(objUserClass.Parent) i = 0 WScript.Echo "Mandatory attributes:" For Each strAttribute in objUserClass.MandatoryProperties i= i + 1 WScript.Echo i & vbTab & strAttribute Set objAttribute = objSchemaClass.GetObject("Property", strAttribute) WScript.Echo " (Syntax: " & objAttribute.Syntax & ")" If objAttribute.MultiValued Then WScript.Echo " Multivalued" Else WScript.Echo " Single-valued" End If Next WScript.Echo VbCrLf & "Optional attributes:" 122 of 153 For Each strAttribute in objUserClass.OptionalProperties i=i + 1 WScript.Echo i & vbTab & strAttribute Set objAttribute = objSchemaClass.GetObject("Property", strAttribute) WScript.Echo " [Syntax: " & objAttribute.Syntax & "]" If objAttribute.MultiValued Then WScript.Echo " Multivalued" Else WScript.Echo " Single-valued" End If Next S List Allowed User Logon Hours Description Returns the allowed logon hours for the MyerKen Active Directory user account. 
Script Code On Error Resume Next Dim arrLogonHoursBytes(20) Dim arrLogonHoursBits(167) arrDayOfWeek = Array _ ("Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat") Set objUser = GetObject _ ("LDAP://cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com") arrLogonHours = objUser.Get("logonHours") For i = 1 To LenB(arrLogonHours) arrLogonHoursBytes(i-1) = AscB(MidB(arrLogonHours, i, 1)) WScript.Echo "MidB returns: " & MidB(arrLogonHours, i, 1) WScript.Echo "arrLogonHoursBytes: " & arrLogonHoursBytes(i-1) wscript.echo vbcrlf Next intCounter = 0 intLoopCounter = 0 WScript.echo "Day Byte 1 Byte 2 Byte 3" 123 of 153 For Each LogonHourByte In arrLogonHoursBytes arrLogonHourBits = GetLogonHourBits(LogonHourByte) If intCounter = 0 Then WScript.STDOUT.Write arrDayOfWeek(intLoopCounter) & Space(2) intLoopCounter = intLoopCounter + 1 End If For Each LogonHourBit In arrLogonHourBits WScript.STDOUT.Write LogonHourBit intCounter = 1 + intCounter If intCounter = 8 or intCounter = 16 Then Wscript.STDOUT.Write Space(1) End If If intCounter = 24 Then WScript.echo vbCr intCounter = 0 End If Next Next Function GetLogonHourBits(x) Dim arrBits(7) For i = 7 to 0 Step -1 If x And 2^i Then arrBits(i) = 1 Else arrBits(i) = 0 End If Next GetLogonHourBits = arrBits End Function S List Audit Permissions for a User Account Description Returns audit permissions for the MyerKen Active Directory user account. 
124 of 153 Script Code Const SE_SACL_PROTECTED = &H2000 Const ADS_SECURITY_INFO_OWNER = &H1 Const ADS_SECURITY_INFO_GROUP = &H2 Const ADS_OPTION_SECURITY_MASK =&H3 Const ADS_SECURITY_INFO_DACL = &H4 Const ADS_SECURITY_INFO_SACL = &H8 Set objUser = GetObject _ ("LDAP://cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com") objUser.SetOption ADS_OPTION_SECURITY_MASK, ADS_SECURITY_INFO_OWNER _ Or ADS_SECURITY_INFO_GROUP Or ADS_SECURITY_INFO_DACL _ Or ADS_SECURITY_INFO_SACL Set objNtSecurityDescriptor = objUser.Get("ntSecurityDescriptor") intNtSecurityDescriptorControl = objNtSecurityDescriptor.Control WScript.Echo "Auditing Tab" strMessage = "Allow inheritable auditing entries from" & _ "the parent to propogate to this object and all child objects " If (intNtSecurityDescriptorControl And SE_SACL_PROTECTED) Then Wscript.Echo strMessage & "is disabled." Else WScript.Echo strMessage & "is enabled." End If WScript.Echo Set objSacl = objNtSecurityDescriptor.SystemAcl DisplayAceInformation objSacl, "SACL" Sub DisplayAceInformation(SecurityStructure, strType) Const ADS_ACETYPE_SYSTEM_AUDIT = &H2 Const ADS_ACETYPE_SYSTEM_AUDIT_OBJECT = &H7 intAceCount = 0 For Each objAce In SecurityStructure strTrustee = Mid(objAce.Trustee,1,12) If StrComp(strTrustee, "NT AUTHORITY", 1) <> 0 Then intAceCount = intAceCount + 1 WScript.Echo strType & " permission entry: " & intAceCount WScript.Echo "Name: " & objAce.Trustee intAceType = objAce.AceType WScript.Echo "ACETYPE IS: " & intAceType If (intAceType = ADS_ACETYPE_SYSTEM_AUDIT or _ intAceType = ADS_ACETYPE_SYSTEM_AUDIT_OBJECT) Then WScript.Echo "Type: Success or Failure Audit" Else WScript.Echo "Audit Type Unknown." 
End If ReadBitsInAccessMask(objAce.AccessMask) WScript.Echo End If Next End Sub Sub ReadBitsInAccessMask(AccessMask) Const ADS_RIGHT_DELETE = &H10000 Const ADS_RIGHT_READ_CONTROL = &H20000 Const ADS_RIGHT_WRITE_DAC = &H40000 Const ADS_RIGHT_WRITE_OWNER = &H80000 Const ADS_RIGHT_DS_CREATE_CHILD = &H1 125 of 153 Const ADS_RIGHT_DS_DELETE_CHILD = &H2 Const ADS_RIGHT_ACTRL_DS_LIST = &H4 Const ADS_RIGHT_DS_SELF = &H8 Const ADS_RIGHT_DS_READ_PROP = &H10 Const ADS_RIGHT_DS_WRITE_PROP = &H20 Const ADS_RIGHT_DS_DELETE_TREE = &H40 Const ADS_RIGHT_DS_LIST_OBJECT = &H80 Const ADS_RIGHT_DS_CONTROL_ACCESS = &H100 WScript.Echo VbCrLf & "Standard Access Rights" If (AccessMask And ADS_RIGHT_DELETE) Then _ WScript.Echo vbTab & "-Delete an object." If (AccessMask And ADS_RIGHT_READ_CONTROL) Then _ WScript.Echo vbTab & "-Read permissions." If (AccessMask And ADS_RIGHT_WRITE_DAC) Then _ WScript.Echo vbTab & "-Write permissions." If (AccessMask And ADS_RIGHT_WRITE_OWNER) Then _ WScript.Echo vbTab & "-Modify owner." WScript.Echo VbCrLf & "Directory Service Specific Access Rights" If (AccessMask And ADS_RIGHT_DS_CREATE_CHILD) Then _ WScript.Echo vbTab & "-Create child objects." If (AccessMask And ADS_RIGHT_DS_DELETE_CHILD) Then _ WScript.Echo vbTab & "-Delete child objects." If (AccessMask And ADS_RIGHT_ACTRL_DS_LIST) Then _ WScript.Echo vbTab & "-Enumerate an object." If (AccessMask And ADS_RIGHT_DS_READ_PROP) Then _ WScript.Echo vbTab & "-Read the properties of an object." If (AccessMask And ADS_RIGHT_DS_WRITE_PROP) Then _ WScript.Echo vbTab & "-Write the properties of an object." If (AccessMask And ADS_RIGHT_DS_DELETE_TREE) Then _ WScript.Echo vbTab & "-Delete a tree of objects" If (AccessMask And ADS_RIGHT_DS_LIST_OBJECT) Then _ WScript.Echo vbTab & "-List a tree of objects." 
WScript.Echo VbCrLf & "Control Access Rights" If (AccessMask And ADS_RIGHT_DS_CONTROL_ACCESS) + _ (AccessMask And ADS_RIGHT_DS_SELF) = 0 Then WScript.Echo "-None" Else If (AccessMask And ADS_RIGHT_DS_CONTROL_ACCESS) Then _ WScript.Echo vbTab & "-Extended access rights." If (AccessMask And ADS_RIGHT_DS_SELF) Then WScript.Echo vbTab & "-Active Directory must validate " & _ "a property " WScript.Echo vbTab & " write operation beyond the " & _ "schema definition " WScript.Echo vbTab & " for the attribute." End If End If End Sub S 126 of 153 List COM+ Information for a User Account Description Returns COM+ information for the MyerKen Active Directory user account. Script Code On Error Resume Next Set objUser = GetObject _ ("LDAP://cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com") WScript.Echo "COM User Partition Set Link: " & _ objUser.msCOM-UserPartitionSetLink S List Object Page Information for a User Account Description Returns information about the MyerKen user account object in Active Directory. 
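' ===== List Object Page Information for a User Account =====
' Script Code
' Converts an ADSI LargeInteger (HighPart/LowPart pair) to a Double.
' LowPart is exposed as a signed 32-bit value, so once bit 31 is set it comes
' back negative; it must be re-biased by 2^32 before being combined with
' HighPart. The original Abs(HighPart * 2^32 + LowPart) silently returned a
' value 2^32 too small in that case, which matters for USNs in long-lived
' domains.
Function LargeIntegerToDouble(objLargeInteger)
    Dim dblLow
    dblLow = objLargeInteger.LowPart
    If dblLow < 0 Then dblLow = dblLow + 2^32
    LargeIntegerToDouble = objLargeInteger.HighPart * 2^32 + dblLow
End Function

' NOTE(review): uSNChanged/uSNCreated are update sequence numbers local to
' the directory server that answered (bound here via GC://); they are not
' comparable across servers.
Set objUser = GetObject _
    ("GC://cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com")
strWhenCreated = objUser.Get("whenCreated")
strWhenChanged = objUser.Get("whenChanged")
Set objUSNChanged = objUser.Get("uSNChanged")
dblUSNChanged = LargeIntegerToDouble(objUSNChanged)
Set objUSNCreated = objUser.Get("uSNCreated")
dblUSNCreated = LargeIntegerToDouble(objUSNCreated)
' canonicalName is constructed, so it must be requested explicitly.
objUser.GetInfoEx Array("canonicalName"), 0
arrCanonicalName = objUser.GetEx("canonicalName")
WScript.echo "Canonical Name of object:"
For Each strValue in arrCanonicalName
    WScript.Echo vbTab & strValue
Next
WScript.Echo
WScript.Echo "Object class: " & objUser.Class
' The "(GMT)" labels are the sample's own annotation; whether ADSI hands back
' these timestamps in UTC or local time is not established here - confirm
' before using them as forensic evidence.
WScript.echo "When Created: " & strWhenCreated & " (Created - GMT)"
WScript.echo "When Changed: " & strWhenChanged & " (Modified - GMT)"
WScript.Echo
WScript.Echo "USN Changed: " & dblUSNChanged & " (USN Current)"
WScript.Echo "USN Created: " & dblUSNCreated & " (USN Original)"

' ===== List Organization Information for a User Account =====
' Description: Retrieves user account attributes found on the Organization
' page of the user account object in Active Directory Users and Computers.
' Script Code
' On Error Resume Next hides bind and attribute failures; empty lines in the
' output may mean "unset" or "could not read".
On Error Resume Next
Set objUser = GetObject _
    ("LDAP://cn=myerken,ou=management,dc=fabrikam,dc=com")
WScript.Echo "Title: " & objUser.title
WScript.Echo "Department: " & objUser.department
WScript.Echo "Company: " & objUser.company
WScript.Echo "Manager: " & objUser.manager
For Each strValue in objUser.directReports
    WScript.Echo "Direct Reports: " & strValue
Next

' ===== List Published Certificates for a User Account =====
' Description: Retrieves a list of all the published certificates assigned to
' the MyerKen user account.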
Script Code On Error Resume Next Const E_ADS_PROPERTY_NOT_FOUND = &h8000500D Const ForWriting = 2 Const WshRunning = 0 Set objUser = GetObject _ ("GC://cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com") objUser.GetInfoEx Array("userCertificate"), 0 arrUserCertificates = objUser.GetEx("userCertificate") If Err.Number = E_ADS_PROPERTY_NOT_FOUND Then WScript.Echo "No assigned certificates" WScript.Quit Else Set objShell = CreateObject("WScript.Shell") Set objFSO = CreateObject("Scripting.FileSystemObject") strPath = "." intFileCounter = 0 For Each arrUserCertificate in arrUserCertificates strFileName = "file" & intFileCounter strFullName = objFSO.BuildPath(strPath, strFileName) Set objFile = objFSO.OpenTextFile(strFullName, ForWriting, True) For i = 1 To LenB(arrUserCertificate) ReDim Preserve arrUserCertificatesChar(i - 1) arrUserCertificatesChar(i-1) = _ Hex(AscB(MidB(arrUserCertificate, i, 3))) Next intCounter=0 For Each HexVal in arrUserCertificatesChar intCounter=intCounter + 1 If Len(HexVal) = 1 Then objFile.Write(0 & HexVal & " ") Else objFile.Write(HexVal & " ") End If Next objFile.Close Set objFile = Nothing Set objExecCmd1 = objShell.Exec _ ("certutil -decodeHex " & strFileName & " " & strFileName & ".cer") Do While objExecCmd1.Status = WshRunning WScript.Sleep 100 Loop Set objExecCmd1 = Nothing Set objExecCmd2 = objShell.Exec("certutil " & strFileName & ".cer") Set objStdOut = objExecCmd2.StdOut Set objExecCmd2 = Nothing WScript.Echo VbCrLf & "Certificate " & intFileCounter + 1 While Not objStdOut.AtEndOfStream strLine = objStdOut.ReadLine If InStr(strLine, "Issuer:") Then WScript.Echo Trim(strLine) WScript.Echo vbTab & Trim(objStdOut.ReadLine) End If If InStr(strLine, "Subject:") Then Wscript.Echo Trim(strLine) WScript.Echo vbTab & Trim(objStdOut.ReadLine) End If If InStr(strLine, "NotAfter:") Then strLine = Trim(strLine) WScript.Echo "Expires:" Wscript.Echo vbTab & Mid(strLine, 11) End If Wend objFSO.DeleteFile(strFullName) objFSO.DeleteFile(strPath & 
"\" & strFileName & ".cer") intFileCounter = intFileCounter + 1 Next End If List Security Permissions for a User Account Description Returns security permissions for the MyerKen Active Directory user account. Script Code Const SE_DACL_PROTECTED = &H1000 Set objUser = GetObject _ ("LDAP://cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com") Set objNtSecurityDescriptor = objUser.Get("ntSecurityDescriptor") intNtSecurityDescriptorControl = objNtSecurityDescriptor.Control WScript.Echo "Permissions Tab" strMessage = "Allow inheritable permissions from the parent to " & _ "propogate to this object and all child objects " If (intNtSecurityDescriptorControl And SE_DACL_PROTECTED) Then Wscript.Echo strMessage & "is disabled." Else WScript.Echo strMessage & "is enabled." End If WScript.Echo Set objDiscretionaryAcl = objNtSecurityDescriptor.DiscretionaryAcl DisplayAceInformation objDiscretionaryAcl, "DACL" Sub DisplayAceInformation(SecurityStructure, strType) Const ADS_ACETYPE_ACCESS_ALLOWED = &H0 Const ADS_ACETYPE_ACCESS_DENIED = &H1 Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &H5 Const ADS_ACETYPE_ACCESS_DENIED_OBJECT = &H6 intAceCount = 0 For Each objAce In SecurityStructure strTrustee = Mid(objAce.Trustee,1,12) If StrComp(strTrustee, "NT AUTHORITY", 1) <> 0 Then intAceCount = intAceCount + 1 WScript.Echo strType & " permission entry: " & intAceCount WScript.Echo "Name: " & objAce.Trustee intAceType = objAce.AceType If (intAceType = ADS_ACETYPE_ACCESS_ALLOWED Or _ intAceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT) Then WScript.Echo "Type: Allow Access" ElseIf (intAceType = ADS_ACETYPE_ACCESS_DENIED Or _ intAceType = ADS_ACETYPE_ACCESS_DENIED_OBJECT) Then WScript.Echo "Type: Deny Acess" Else WScript.Echo "Acess Type Unknown." 
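End If
' (tail of the ACE-enumerating Sub whose start is above this excerpt)
ReadBitsInAccessMask(objAce.AccessMask)
WScript.Echo
End If
Next
End Sub

' Prints, one per line, the rights that are set in an ADSI access mask.
' Rights are grouped as standard, directory-service-specific and control
' access rights; each bit is tested with And against its ADS_RIGHT_* value.
' ADS_RIGHT_DS_CONTROL_ACCESS and ADS_RIGHT_DS_SELF are reported under
' "Control Access Rights"; when neither is set, "-None" is printed.
' When reviewing ACLs, the write-class bits (WRITE_DAC, WRITE_OWNER,
' DS_WRITE_PROP, DS_CONTROL_ACCESS) on privileged objects are the ones that
' deserve the closest attention, since they allow the ACL or object to be changed.
Sub ReadBitsInAccessMask(AccessMask)
    Const ADS_RIGHT_DELETE = &H10000
    Const ADS_RIGHT_READ_CONTROL = &H20000
    Const ADS_RIGHT_WRITE_DAC = &H40000
    Const ADS_RIGHT_WRITE_OWNER = &H80000
    Const ADS_RIGHT_DS_CREATE_CHILD = &H1
    Const ADS_RIGHT_DS_DELETE_CHILD = &H2
    Const ADS_RIGHT_ACTRL_DS_LIST = &H4
    Const ADS_RIGHT_DS_SELF = &H8
    Const ADS_RIGHT_DS_READ_PROP = &H10
    Const ADS_RIGHT_DS_WRITE_PROP = &H20
    Const ADS_RIGHT_DS_DELETE_TREE = &H40
    Const ADS_RIGHT_DS_LIST_OBJECT = &H80
    Const ADS_RIGHT_DS_CONTROL_ACCESS = &H100

    WScript.Echo VbCrLf & "Standard Access Rights"
    If (AccessMask And ADS_RIGHT_DELETE) Then WScript.Echo vbTab & "-Delete an object."
    If (AccessMask And ADS_RIGHT_READ_CONTROL) Then WScript.Echo vbTab & "-Read permissions."
    If (AccessMask And ADS_RIGHT_WRITE_DAC) Then WScript.Echo vbTab & "-Write permissions."
    If (AccessMask And ADS_RIGHT_WRITE_OWNER) Then WScript.Echo vbTab & "-Modify owner."

    WScript.Echo VbCrLf & "Directory Service Specific Access Rights"
    If (AccessMask And ADS_RIGHT_DS_CREATE_CHILD) Then WScript.Echo vbTab & "-Create child objects."
    If (AccessMask And ADS_RIGHT_DS_DELETE_CHILD) Then WScript.Echo vbTab & "-Delete child objects."
    If (AccessMask And ADS_RIGHT_ACTRL_DS_LIST) Then WScript.Echo vbTab & "-Enumerate an object."
    If (AccessMask And ADS_RIGHT_DS_READ_PROP) Then WScript.Echo vbTab & "-Read the properties of an object."
    If (AccessMask And ADS_RIGHT_DS_WRITE_PROP) Then WScript.Echo vbTab & "-Write the properties of an object."
    If (AccessMask And ADS_RIGHT_DS_DELETE_TREE) Then WScript.Echo vbTab & "-Delete a tree of objects"
    If (AccessMask And ADS_RIGHT_DS_LIST_OBJECT) Then WScript.Echo vbTab & "-List a tree of objects."

    WScript.Echo VbCrLf & "Control Access Rights"
    ' Both masked values are non-negative, so their sum is 0 only when neither bit is set.
    If (AccessMask And ADS_RIGHT_DS_CONTROL_ACCESS) + (AccessMask And ADS_RIGHT_DS_SELF) = 0 Then
        WScript.Echo "-None"
    Else
        If (AccessMask And ADS_RIGHT_DS_CONTROL_ACCESS) Then WScript.Echo vbTab & "-Extended access rights."
        If (AccessMask And ADS_RIGHT_DS_SELF) Then
            WScript.Echo vbTab & "-Active Directory must validate a property "
            WScript.Echo vbTab & " write operation beyond the schema " & "definition "
            WScript.Echo vbTab & " for the attribute."
        End If
    End If
End Sub

' ----------------------------------------------------------------------
' List the Dial-In Property Configuration Settings for a User Account
' Description: Enumerates the Dial-In configuration settings for the
' MyerKen Active Directory user account.
' ----------------------------------------------------------------------
' Script Code
On Error Resume Next
Const E_ADS_PROPERTY_NOT_FOUND = &h8000500D

' Converts the signed 32-bit value ADSI returns for msRASSavedFramedIPAddress
' into dotted-quad text.  Negative values are the two's-complement form of
' addresses whose first octet is 128 or higher; adding 2^32 recovers the
' unsigned value before the octets are split out.  (The original per-octet
' "256 + Int(...)" arithmetic printed 256 for any zero octet of a negative
' value, e.g. 255.0.0.0 came out as 255.256.256.256.)  Mod is avoided because
' VBScript's Mod works on Long and would overflow above 2^31-1.
Function FramedIPToString(intValue)
    Dim dblIP, strIP, intOctet, i
    dblIP = CDbl(intValue)
    If dblIP < 0 Then dblIP = dblIP + 4294967296
    strIP = ""
    For i = 1 To 4
        intOctet = Int(dblIP / 16777216)
        ' Shift the remainder up one octet so the next iteration reads the next octet.
        dblIP = (dblIP - intOctet * 16777216) * 256
        If i > 1 Then strIP = strIP & "."
        strIP = strIP & intOctet
    Next
    FramedIPToString = strIP
End Function

Set objUser = GetObject("LDAP://cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com")

' --- Remote access permission -----------------------------------------
blnMsNPAllowDialin = objUser.Get("msNPAllowDialin")
WScript.Echo "Remote Access Permission (Dial-in or VPN)"
If Err.Number = E_ADS_PROPERTY_NOT_FOUND Then
    ' Attribute absent: the remote access policy decides.
    WScript.Echo "Control access through Remote Access Policy"
    Err.Clear
Else
    If blnMsNPAllowDialin = True Then
        WScript.Echo "Allow access (msNPAllowDialin)"
    Else
        WScript.Echo "Deny access (msNPAllowDialin)"
    End If
End If
WScript.Echo

' --- Caller-ID verification --------------------------------------------
arrMsNPSavedCallingStationID = objUser.GetEx("msNPSavedCallingStationID")
If Err.Number = E_ADS_PROPERTY_NOT_FOUND Then
    WScript.Echo "No Caller-ID specified."
    Err.Clear
Else
    WScript.Echo "Verify Caller ID (msNPSavedCallingStationID): "
    For Each strValue in arrMsNPSavedCallingStationID
        WScript.echo strValue
    Next
    ' The "Saved" attribute holds the value entered in the UI; the
    ' non-saved one is only present once the setting is actually in effect.
    objUser.GetEx "msNPCallingStationID"
    If Err.Number = E_ADS_PROPERTY_NOT_FOUND Then
        WScript.Echo "Calling station ID(s) specified but not assigned."
        Err.Clear
    Else
        WScript.echo "Calling station ID(s) assigned."
    End If
End If
WScript.Echo

' --- Callback options --------------------------------------------------
intMsRADIUSServiceType = objUser.Get("msRADIUSServiceType")
WScript.Echo "Callback Options"
If Err.Number = E_ADS_PROPERTY_NOT_FOUND Then
    WScript.Echo "No Callback"
    Err.Clear
Else
    strMsRADIUSCallbackNumber = objUser.Get("msRADIUSCallbackNumber")
    If Err.Number = E_ADS_PROPERTY_NOT_FOUND Then
        WScript.Echo "Set by caller (Routing and Remote Access Service only)"
        Err.Clear
        strMsRASSavedCallbackNumber = objUser.Get("msRASSavedCallbackNumber")
        If Err.Number <> E_ADS_PROPERTY_NOT_FOUND Then
            WScript.Echo "Unused value of " & strMsRASSavedCallbackNumber & _
                " appears in the Always Callback to field."
        Else
            Err.Clear
        End If
    Else
        WScript.Echo "Always Callback to: " & _
            strMsRADIUSCallbackNumber & " (msRADIUSCallbackNumber)"
    End If
End If
WScript.Echo

' --- Static IP address -------------------------------------------------
intMsRASSavedFramedIPAddress = objUser.Get("msRASSavedFramedIPAddress")
If Err.Number = E_ADS_PROPERTY_NOT_FOUND Then
    WScript.Echo "No static IP address assigned."
    Err.Clear
Else
    WScript.Echo FramedIPToString(intMsRASSavedFramedIPAddress)
    objUser.Get "msRADIUSFramedIPAddress"
    If Err.Number = E_ADS_PROPERTY_NOT_FOUND Then
        WScript.Echo "Static IP address specified but not assigned."
        Err.Clear
    Else
        WScript.Echo "Static IP Address assigned."
    End If
End If
WScript.Echo

' --- Static routes -----------------------------------------------------
arrMsRASSavedFramedRoute = objUser.GetEx("msRASSavedFramedRoute")
If Err.Number = E_ADS_PROPERTY_NOT_FOUND Then
    WScript.Echo "No static Routes specified."
    Err.Clear
Else
    WScript.echo "Static Routes (msRASSavedFramedRoute):"
    WScript.Echo vbTab & "CIDR 0.0.0.0 Metric"
    For Each strValue in arrMsRASSavedFramedRoute
        WScript.echo vbTab & strValue
    Next
    objUser.GetEx "msRADIUSFramedRoute"
    If Err.Number = E_ADS_PROPERTY_NOT_FOUND Then
        WScript.Echo "Static Routes specified but not assigned."
        Err.Clear
    Else
        WScript.echo "Static Routes assigned."
    End If
End If

' ----------------------------------------------------------------------
' List User Account Account Page Properties
' Description: Retrieves user account attributes found on the Account page
' of the user account object in Active Directory Users and Computers.
' ----------------------------------------------------------------------
' Script Code
On Error Resume Next
Set objUser = GetObject("LDAP://cn=myerken,ou=management,dc=fabrikam,dc=com")
WScript.Echo "User Principal Name: " & objUser.userPrincipalName
WScript.Echo "SAM Account Name: " & objUser.sAMAccountName
WScript.Echo "User Workstations: " & objUser.userWorkstations
Set objDomain = GetObject("LDAP://dc=fabrikam,dc=com")
WScript.Echo "Domain controller: " & objDomain.dc

' ----------------------------------------------------------------------
' List User Account Address Page Attributes
' Description: Retrieves user account attributes found on the Address page
' of the user account object in Active Directory Users and Computers.
' ----------------------------------------------------------------------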
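' Script Code (List User Account Address Page Attributes)
On Error Resume Next
Set objUser = GetObject("LDAP://cn=myerken,ou=management,dc=fabrikam,dc=com")
WScript.Echo "Street Address: " & objUser.streetAddress
WScript.Echo "Post Office Box: " & objUser.postOfficeBox
WScript.Echo "Locality: " & objUser.l
' "st" is the State/Province attribute (the street is streetAddress above),
' so the label now names what is actually printed.
WScript.Echo "State/Province: " & objUser.st
WScript.Echo "Postal Code: " & objUser.postalCode
WScript.Echo "Country: " & objUser.c

' ----------------------------------------------------------------------
' List User Account General Page Properties
' Description: Retrieves user account attributes found on the General
' Properties page of the user account object in Active Directory Users
' and Computers.
' ----------------------------------------------------------------------
' Script Code

' Echoes every value of a multi-valued attribute, each prefixed with strLabel.
' GetEx always returns an array (even for a single value), so For Each is
' safe; reading the attribute directly returns a plain string when there is
' one value, which made the original For Each fail silently under
' On Error Resume Next.  A missing attribute produces no output.
Sub EchoMultiValued(objTarget, strAttribute, strLabel)
    Dim arrValues, strValue
    On Error Resume Next
    arrValues = objTarget.GetEx(strAttribute)
    If Err.Number <> 0 Then
        Err.Clear
        Exit Sub
    End If
    On Error GoTo 0
    For Each strValue In arrValues
        WScript.Echo strLabel & strValue
    Next
End Sub

On Error Resume Next
Set objUser = GetObject("LDAP://cn=myerken,ou=management,dc=fabrikam,dc=com")
WScript.Echo "First Name: " & objUser.givenName
WScript.Echo "Initials: " & objUser.initials
WScript.Echo "Last Name: " & objUser.sn
WScript.Echo "Display Name: " & objUser.displayName
WScript.Echo "Office: " & objUser.physicalDeliveryOfficeName
WScript.Echo "Telephone Number: " & objUser.telephoneNumber
WScript.Echo "Email: " & objUser.mail
' The original line ended after "&" (a syntax error); wWWHomePage is the
' attribute behind the General page's "Web page" field.
WScript.Echo "Home Page: " & objUser.wWWHomePage
EchoMultiValued objUser, "description", "Description: "
EchoMultiValued objUser, "otherTelephone", "Other Telephone: "
EchoMultiValued objUser, "url", "URL: "

' ----------------------------------------------------------------------
' List User Profile Properties
' Description: Retrieves user account attributes found on the Profile page
' of the user account object in Active Directory Users and Computers.
' ----------------------------------------------------------------------
' Script Code
On Error Resume Next
Set objUser = GetObject("LDAP://cn=myerken,ou=management,dc=fabrikam,dc=com")
Wscript.Echo "Profile Path: " & objUser.ProfilePath
Wscript.Echo "Script Path: " & objUser.ScriptPath
Wscript.Echo "Home Directory: " & objUser.HomeDirectory
Wscript.Echo "Home Drive: " & objUser.HomeDrive

' ----------------------------------------------------------------------
' List userAccountControl Values for an Active Directory User Account
' Description: Reads values from the userAccountControl of the MyerKen
' Active Directory user account.
' ----------------------------------------------------------------------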
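' Script Code (List userAccountControl Values for an Active Directory User Account)
' Map of flag name -> bit value.  Each entry is tested with And against the
' account's userAccountControl and reported as enabled/disabled.
Set objHash = CreateObject("Scripting.Dictionary")
objHash.Add "ADS_UF_SMARTCARD_REQUIRED", &h40000
objHash.Add "ADS_UF_TRUSTED_FOR_DELEGATION", &h80000
objHash.Add "ADS_UF_NOT_DELEGATED", &h100000
objHash.Add "ADS_UF_USE_DES_KEY_ONLY", &h200000
objHash.Add "ADS_UF_DONT_REQUIRE_PREAUTH", &h400000
' Further flags that matter when reviewing an account's security posture
' (weak-password and delegation settings); same reporting loop applies.
objHash.Add "ADS_UF_ACCOUNTDISABLE", &h2
objHash.Add "ADS_UF_PASSWD_NOTREQD", &h20
objHash.Add "ADS_UF_DONT_EXPIRE_PASSWD", &h10000
objHash.Add "ADS_UF_TRUSTED_TO_AUTH_FOR_DELEGATION", &h1000000

Set objUser = GetObject("LDAP://cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com")
intUAC = objUser.Get("userAccountControl")

' Lockout is not a stable bit in userAccountControl; ADSI exposes it via
' IsAccountLocked, so it is reported separately.
If objUser.IsAccountLocked = True Then
    Wscript.Echo "ADS_UF_LOCKOUT is enabled"
Else
    Wscript.Echo "ADS_UF_LOCKOUT is disabled"
End If
wscript.echo VBCRLF

For Each Key In objHash.Keys
    If objHash(Key) And intUAC Then
        Wscript.Echo Key & " is enabled"
    Else
        Wscript.Echo Key & " is disabled"
    End If
Next

' ----------------------------------------------------------------------
' Search for a User Account in Active Directory
' Description: Searches Active Directory to see if a user account with the
' name kenmyer already exists.
' ----------------------------------------------------------------------
' Script Code

' Escapes a value for use inside an LDAP search filter (RFC 4515) so that
' *, (, ), \ and NUL in the value cannot alter the filter's structure.
' Needed whenever the value may come from user input rather than a literal.
Function EscapeLdapFilterValue(strValue)
    Dim i, strChar, strOut
    strOut = ""
    For i = 1 To Len(strValue)
        strChar = Mid(strValue, i, 1)
        Select Case strChar
            Case "*":    strOut = strOut & "\2a"
            Case "(":    strOut = strOut & "\28"
            Case ")":    strOut = strOut & "\29"
            Case "\":    strOut = strOut & "\5c"
            Case Chr(0): strOut = strOut & "\00"
            Case Else:   strOut = strOut & strChar
        End Select
    Next
    EscapeLdapFilterValue = strOut
End Function

strUserName = "kenmyer"
Set objConnection = CreateObject("ADODB.Connection")
objConnection.Open "Provider=ADsDSOObject;"
Set objCommand = CreateObject("ADODB.Command")
objCommand.ActiveConnection = objConnection
' Command text is "<base>;(filter);attributes;scope".  The base before the
' first ";" is empty here as in the original sample -- NOTE(review): confirm
' the provider's default base is the intended one; an explicit
' <LDAP://dc=...> base is the usual form.
objCommand.CommandText = _
    ";(&(objectCategory=User)" & _
    "(samAccountName=" & EscapeLdapFilterValue(strUserName) & "));samAccountName;subtree"
Set objRecordSet = objCommand.Execute
If objRecordset.RecordCount = 0 Then
    WScript.Echo "sAMAccountName: " & strUserName & " does not exist."
Else
    WScript.Echo strUserName & " exists."
End If
objRecordSet.Close
objConnection.Close

' ----------------------------------------------------------------------
' Copy a Published Certificate to a User Account
' Description: Copies a published certificate from a template account
' (userTemplate) to the MyerKen Active Directory user account.  This
' operation appends the new certificate without deleting any existing
' certificates.
' ----------------------------------------------------------------------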
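' Script Code (Copy a Published Certificate to a User Account)
On Error Resume Next
Const ADS_PROPERTY_APPEND = 3
Set objUserTemplate = GetObject("LDAP://cn=userTemplate,OU=Management,dc=NA,dc=fabrikam,dc=com")
' GetEx returns all values as an array; PutEx with ADS_PROPERTY_APPEND adds
' them to the target's existing userCertificate values.
arrUserCertificates = objUserTemplate.GetEx("userCertificate")
If Err.Number <> 0 Then
    ' Previously swallowed by On Error Resume Next, leaving an empty append.
    WScript.Echo "Could not read userCertificate from the template (error &H" & Hex(Err.Number) & ")."
    WScript.Quit 1
End If
Set objUser = GetObject("LDAP://cn=MyerKen,OU=Management,dc=NA,dc=fabrikam,dc=com")
objUser.PutEx ADS_PROPERTY_APPEND, "userCertificate", arrUserCertificates
objUser.SetInfo
If Err.Number <> 0 Then
    WScript.Echo "Could not write userCertificate to MyerKen (error &H" & Hex(Err.Number) & ")."
    WScript.Quit 1
End If

' ----------------------------------------------------------------------
' Copy Allowed Logon Hours from One Account to Another
' Description: Copies the allowed logon hours from a template account
' (userTemplate) and assigns them to the MyerKen Active Directory user
' account.  The MyerKen account will thus have the same logon hour
' restrictions as those assigned to the userTemplate account.
' ----------------------------------------------------------------------
' Script Code
On Error Resume Next
Set objUserTemplate = GetObject("LDAP://cn=userTemplate,OU=Management,dc=NA,dc=fabrikam,dc=com")
' logonHours is a single binary value, so Get/Put (not GetEx/PutEx) are used.
arrLogonHours = objUserTemplate.Get("logonHours")
If Err.Number <> 0 Then
    WScript.Echo "Could not read logonHours from the template (error &H" & Hex(Err.Number) & ")."
    WScript.Quit 1
End If
Set objUser = GetObject("LDAP://cn=MyerKen,OU=Management,dc=NA,dc=fabrikam,dc=com")
objUser.Put "logonHours", arrLogonHours
objUser.SetInfo
If Err.Number <> 0 Then
    WScript.Echo "Could not write logonHours to MyerKen (error &H" & Hex(Err.Number) & ")."
    WScript.Quit 1
End If

' ----------------------------------------------------------------------
' Create 1000 Sample User Accounts
' Description: Demonstration script that creates 1,000 user accounts
' (named UserNo1, UserNo2, UserNo3, etc.) in the Users container in
' Active Directory.  The script is useful for test scenarios that require
' multiple user accounts.
' ----------------------------------------------------------------------
' Script Code
Set objRootDSE = GetObject("LDAP://rootDSE")
Set objContainer = GetObject("LDAP://cn=Users," & objRootDSE.Get("defaultNamingContext"))
intCreated = 0
For i = 1 To 1000
    On Error Resume Next
    Set objLeaf = objContainer.Create("User", "cn=UserNo" & i)
    objLeaf.Put "sAMAccountName", "UserNo" & i
    objLeaf.SetInfo
    If Err.Number = 0 Then
        intCreated = intCreated + 1
    Else
        ' Report and continue (e.g. the name already exists) instead of
        ' claiming all 1000 were created.
        WScript.Echo "UserNo" & i & " not created (error &H" & Hex(Err.Number) & ")."
        Err.Clear
    End If
    On Error GoTo 0
Next
WScript.Echo intCreated & " Users created."

' ----------------------------------------------------------------------
' Create a Contact in Active Directory
' Description: Creates a contact account named MyerKen in the Management
' organizational unit in a hypothetical domain named fabrikam.com.
' ----------------------------------------------------------------------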
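' Script Code (Create a Contact in Active Directory)
Set objOU = GetObject("LDAP://OU=management,dc=fabrikam,dc=com")
Set objUser = objOU.Create("contact", "cn=MyerKen")
objUser.SetInfo

' ----------------------------------------------------------------------
' Create a User Account
' Description: Creates a user account in Active Directory.  This script
' only creates the account, it does not enable it.
' ----------------------------------------------------------------------
' Script Code
Set objOU = GetObject("LDAP://OU=management,dc=fabrikam,dc=com")
Set objUser = objOU.Create("User", "cn=MyerKen")
' sAMAccountName is mandatory for a user object; the account is left
' disabled and without a password.
objUser.Put "sAMAccountName", "myerken"
objUser.SetInfo

' ----------------------------------------------------------------------
' Create a User Account and Add it to a Group and an OU
' Description: Demonstration script that: 1) creates a new Active
' Directory organizational unit; 2) creates a new user account and new
' security group; and, 3) adds the new user as a member of that security
' group.
' ----------------------------------------------------------------------
' Script Code
Set objDomain = GetObject("LDAP://dc=fabrikam,dc=com")
Set objOU = objDomain.Create("organizationalUnit", "ou=Management")
objOU.SetInfo

' Re-bind so the new OU is used as a container.
Set objOU = GetObject("LDAP://OU=Management,dc=fabrikam,dc=com")
' The original RDN was "cn= AckermanPilar" with a stray space after "=",
' which would become part of the value.
Set objUser = objOU.Create("User", "cn=AckermanPilar")
' NOTE(review): the sAMAccountName below is one character shorter than the
' CN ("AckermanPila" vs "AckermanPilar") in the original; kept as-is, confirm
' which spelling is intended.
objUser.Put "sAMAccountName", "AckermanPila"
objUser.SetInfo

Set objGroup = objOU.Create("Group", "cn=atl-users")
objGroup.Put "sAMAccountName", "atl-users"
objGroup.SetInfo
' IADsGroup.Add takes the member's ADsPath.
objGroup.Add objUser.ADSPath

' ----------------------------------------------------------------------
' Delete a User Account from Active Directory
' Description: Deletes the user account MyerKen from the HR organizational
' unit in a domain named fabrikam.com.
' ----------------------------------------------------------------------
' Script Code
Set objOU = GetObject("LDAP://ou=hr,dc=fabrikam,dc=com")
' Delete takes the object class and the RDN; no SetInfo is needed.
objOU.Delete "user", "cn=MyerKen"

' ----------------------------------------------------------------------
' List the Owner of a User Account
' Description: Reports the owner of the MyerKen Active Directory user
' account.
' ----------------------------------------------------------------------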
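' Script Code (List the Owner of a User Account)
Set objUser = GetObject("LDAP://cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com")
' ntSecurityDescriptor is returned as an IADsSecurityDescriptor; Owner is
' the trustee name, i.e. the principal that can always change the ACL.
Set objNtSecurityDescriptor = objUser.Get("ntSecurityDescriptor")
WScript.Echo "Owner Tab"
WScript.Echo "Current owner of this item: " & objNtSecurityDescriptor.Owner

' ----------------------------------------------------------------------
' Modify the UPN Suffixes Defined in the Forest
' Description: Configures the upnSuffixes attribute of the Partitions
' container and displays the new values.
' ----------------------------------------------------------------------
' Script Code
Const ADS_PROPERTY_APPEND = 3
Set objPartitions = GetObject("LDAP://cn=Partitions,cn=Configuration,dc=fabrikam,dc=com")
' Forest-wide change: the Partitions container lives in the Configuration
' partition.  Appending a suffix that is already present fails at SetInfo.
objPartitions.PutEx ADS_PROPERTY_APPEND, "upnSuffixes", Array("sa.fabrikam.com", "corp.fabrikam.com")
objPartitions.SetInfo
' The description promises the new values are displayed; read them back.
For Each strSuffix In objPartitions.GetEx("upnSuffixes")
    WScript.Echo strSuffix
Next

' ----------------------------------------------------------------------
' Move a User Account
' Description: Moves a user account from one OU to another.
' ----------------------------------------------------------------------
' Script Code
Set objOU = GetObject("LDAP://ou=sales,dc=na,dc=fabrikam,dc=com")
' vbNullString as the new RDN keeps the object's existing name.
objOU.MoveHere "LDAP://cn=BarrAdam,OU=hr,dc=na,dc=fabrikam,dc=com", vbNullString

' ----------------------------------------------------------------------
' Move a User Account to a New Domain
' Description: Uses the MoveHere method to move a user account to another
' domain.  Note that there are a number of restrictions associated with
' performing this type of move operation.
' ----------------------------------------------------------------------
' Script Code
Set objOU = GetObject("LDAP://ou=management,dc=na,dc=fabrikam,dc=com")
objOU.MoveHere "LDAP://cn=AckermanPilar,OU=management,dc=fabrikam,dc=com", vbNullString

' ----------------------------------------------------------------------
' Set a User Account So It Never Expires
' Description: Configures the MyerKen Active Directory user account so
' that it never expires.  This is done by setting the expiration date to
' January 1, 1970.
' ----------------------------------------------------------------------
' Script Code
Set objUser = GetObject("LDAP://cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com")
' A date literal is used instead of the string "01/01/1970": a string is
' parsed with the machine's locale, which can swap day and month.
objUser.AccountExpirationDate = #1/1/1970#
objUser.SetInfo

' ----------------------------------------------------------------------
' Disable a User Account
' Description: Disables a user account.
' ----------------------------------------------------------------------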
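' Script Code (Disable a User Account)
Const ADS_UF_ACCOUNTDISABLE = 2
Set objUser = GetObject("LDAP://cn=myerken,ou=management,dc=fabrikam,dc=com")
' Read-modify-write of the flag word so the other UAC bits are preserved.
intUAC = objUser.Get("userAccountControl")
objUser.Put "userAccountControl", intUAC OR ADS_UF_ACCOUNTDISABLE
objUser.SetInfo

' ----------------------------------------------------------------------
' Enable a User Account
' Description: Enables a user account.
' ----------------------------------------------------------------------
' Script Code
Set objUser = GetObject("LDAP://cn=myerken,ou=management,dc=fabrikam,dc=com")
' IADsUser.AccountDisabled clears the same ADS_UF_ACCOUNTDISABLE bit.
objUser.AccountDisabled = FALSE
objUser.SetInfo

' ----------------------------------------------------------------------
' List All the Disabled User Accounts in Active Directory
' Description: Returns a list of all disabled user accounts in the
' fabrikam.com domain.
' ----------------------------------------------------------------------
' Script Code
Const ADS_UF_ACCOUNTDISABLE = 2
Set objConnection = CreateObject("ADODB.Connection")
objConnection.Open "Provider=ADsDSOObject;"
Set objCommand = CreateObject("ADODB.Command")
objCommand.ActiveConnection = objConnection
' Without paging, a domain controller returns at most its MaxPageSize
' (1000 by default) results, so larger domains were silently truncated.
objCommand.Properties("Page Size") = 1000
' NOTE(review): the search base before the first ";" is empty, as in the
' original sample; confirm the provider default is the intended domain.
objCommand.CommandText = _
    ";(objectCategory=User)" & _
    ";userAccountControl,distinguishedName;subtree"
Set objRecordSet = objCommand.Execute
intCounter = 0
Do Until objRecordset.EOF
    intUAC = objRecordset.Fields("userAccountControl")
    If intUAC AND ADS_UF_ACCOUNTDISABLE Then
        WScript.echo objRecordset.Fields("distinguishedName") & " is disabled"
        intCounter = intCounter + 1
    End If
    objRecordset.MoveNext
Loop
WScript.Echo VbCrLf & "A total of " & intCounter & " accounts are disabled."
objRecordSet.Close
objConnection.Close

' ----------------------------------------------------------------------
' List the Date That a User Account Expires
' Description: Reports the date that the MyerKen Active Directory user
' account expires.
' ----------------------------------------------------------------------
' Script Code
On Error Resume Next
' E_FAIL (&H80004005 = -2147467259) is what AccountExpirationDate raises
' when accountExpires is not set; 1/1/1970 is ADSI's "never expires".
Const E_FAIL = &H80004005
Set objUser = GetObject("LDAP://cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com")
dtmAccountExpiration = objUser.AccountExpirationDate
' Date literal instead of the string "1/1/1970", so the comparison does not
' depend on the machine's date format.
If Err.Number = E_FAIL Or dtmAccountExpiration = #1/1/1970# Then
    WScript.Echo "No account expiration date specified"
Else
    WScript.Echo "Account expiration date: " & dtmAccountExpiration
End If

' ----------------------------------------------------------------------
' List the Status of a User
' Description: Identifies whether a user account is enabled or disabled.
' ----------------------------------------------------------------------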
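' Script Code (List the Status of a User)
Set objUser = GetObject("LDAP://cn=myerken,ou=management,dc=fabrikam,dc=com")
If objUser.AccountDisabled = FALSE Then
    WScript.Echo "The account is enabled."
Else
    WScript.Echo "The account is disabled."
End If

' ----------------------------------------------------------------------
' Modify the Expiration Date for a User Account
' Description: Configures the MyerKen Active Directory user account to
' expire on March 30, 2005.
' ----------------------------------------------------------------------
' Script Code
Set objUser = GetObject("LDAP://cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com")
' A date literal replaces the string "03/30/2005": strings are parsed with
' the machine's locale, and "30" is not a valid month under day/month
' ordering, so the original failed (or picked a wrong date) outside US settings.
objUser.AccountExpirationDate = #3/30/2005#
objUser.SetInfo

' ----------------------------------------------------------------------
' Unlock a User Account
' Description: Unlocks the MyerKen Active Directory user account.
' ----------------------------------------------------------------------
' Script Code
Set objUser = GetObject("LDAP://cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com")
' IsAccountLocked is the ADSI lockout property; SetInfo commits the change.
objUser.IsAccountLocked = False
objUser.SetInfo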