Δ Copy an Active Directory Computer Account
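' Copies selected attributes of an existing computer object (the template)
' onto a new computer object created by this script.
'
' Names are defined once here so the script can be re-pointed without
' editing its body.
strContainerDN  = "cn=Computers,dc=NA,dc=fabrikam,dc=com"
strTemplateName = "SEA-PM-01"
strNewName      = "SEA-SQL-01"

' Attributes copied from the template. Nothing security-bearing
' (ntSecurityDescriptor, servicePrincipalName, userAccountControl) is in
' this list, and that is intentional.
arrAttributes = Array("description", "location")

Set objContainer = GetObject("LDAP://" & strContainerDN)

' Create the new computer object. Computer accounts carry a trailing "$"
' in sAMAccountName by convention; the earlier version of this script
' omitted it.
Set objComptCopy = objContainer.Create("computer", "cn=" & strNewName)
objComptCopy.Put "sAMAccountName", LCase(strNewName) & "$"
objComptCopy.SetInfo

Set objComptTemplate = GetObject("LDAP://cn=" & strTemplateName & "," & strContainerDN)

' ADSI's Get raises an error when the attribute has no value on the
' template, so each read is guarded and an unset attribute is skipped
' instead of aborting the whole copy.
For Each strAttrib In arrAttributes
    On Error Resume Next
    varValue = objComptTemplate.Get(strAttrib)
    intErr = Err.Number
    Err.Clear
    On Error GoTo 0

    If intErr = 0 Then
        objComptCopy.Put strAttrib, varValue
    Else
        WScript.Echo "Attribute not set on template, skipped: " & strAttrib
    End If
Next

' Write the copied attributes to the directory.
objComptCopy.SetInfo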
Δ Create a Computer Account For a Specific User
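' Creates and enables a computer account in Active Directory and grants one
' specific user the rights needed to join a workstation to the domain using
' that account.
strComputer     = "atl-pro-002"
strComputerUser = "fabrikam\lewjudy"

' userAccountControl bits.
Const ADS_UF_PASSWD_NOTREQD            = &h0020
Const ADS_UF_WORKSTATION_TRUST_ACCOUNT = &h1000

' ACE types and flags.
Const ADS_ACETYPE_ACCESS_ALLOWED        = &h0
Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &h5
Const ADS_FLAG_OBJECT_TYPE_PRESENT      = &h1

' Access-mask bits.
Const ADS_RIGHT_GENERIC_READ      = &h80000000
Const ADS_RIGHT_DS_SELF           = &h8
Const ADS_RIGHT_DS_WRITE_PROP     = &h20
Const ADS_RIGHT_DS_CONTROL_ACCESS = &h100

' Schema GUIDs of the extended rights / property sets granted below.
Const ALLOWED_TO_AUTHENTICATE    = "{68B1D179-0D15-4d4f-AB71-46152E79A7BC}"
Const RECEIVE_AS                 = "{AB721A56-1E2f-11D0-9819-00AA0040529B}"
Const SEND_AS                    = "{AB721A54-1E2f-11D0-9819-00AA0040529B}"
Const USER_CHANGE_PASSWORD       = "{AB721A53-1E2f-11D0-9819-00AA0040529b}"
Const USER_FORCE_CHANGE_PASSWORD = "{00299570-246D-11D0-A768-00AA006E0529}"
Const USER_ACCOUNT_RESTRICTIONS  = "{4C164200-20C0-11D0-A768-00AA006E0529}"
Const VALIDATED_DNS_HOST_NAME    = "{72E39547-7B18-11D1-ADEF-00C04FD8D5CD}"
Const VALIDATED_SPN              = "{F3A64788-5306-11D1-A9C5-0000F80367C1}"

' Bind to the Computers container of the current domain.
Set objRootDSE   = GetObject("LDAP://rootDSE")
Set objContainer = GetObject("LDAP://cn=Computers," & objRootDSE.Get("defaultNamingContext"))

' Create the account. PASSWD_NOTREQD lets the object exist without a
' password until the workstation joins and sets one; while the flag is set
' the account also accepts an empty password, so confirm it is cleared once
' the join has happened.
Set objComputer = objContainer.Create("Computer", "cn=" & strComputer)
objComputer.Put "sAMAccountName", strComputer & "$"
objComputer.Put "userAccountControl", ADS_UF_PASSWD_NOTREQD Or ADS_UF_WORKSTATION_TRUST_ACCOUNT
objComputer.SetInfo

' Builds one access-allowed ACE for strComputerUser.
'   lngAccessMask - ADS_RIGHT_* bits granted.
'   strObjectType - GUID of an extended right or property set; pass "" for
'                   a plain (non object-specific) ACE.
' Returns the AccessControlEntry object.
Function MakeAce(lngAccessMask, strObjectType)
    Dim objAce
    Set objAce = CreateObject("AccessControlEntry")
    objAce.Trustee    = strComputerUser
    objAce.AccessMask = lngAccessMask
    objAce.AceFlags   = 0
    If strObjectType = "" Then
        objAce.AceType = ADS_ACETYPE_ACCESS_ALLOWED
    Else
        objAce.AceType    = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
        objAce.Flags      = ADS_FLAG_OBJECT_TYPE_PRESENT
        objAce.ObjectType = strObjectType
    End If
    Set MakeAce = objAce
End Function

' Read the DACL the new object received and append the delegation ACEs;
' the entries already present are kept.
Set objSecurityDescriptor = objComputer.Get("ntSecurityDescriptor")
Set objDACL = objSecurityDescriptor.DiscretionaryAcl

objDACL.AddAce MakeAce(ADS_RIGHT_GENERIC_READ, "")
objDACL.AddAce MakeAce(ADS_RIGHT_DS_CONTROL_ACCESS, ALLOWED_TO_AUTHENTICATE)
objDACL.AddAce MakeAce(ADS_RIGHT_DS_CONTROL_ACCESS, RECEIVE_AS)
objDACL.AddAce MakeAce(ADS_RIGHT_DS_CONTROL_ACCESS, SEND_AS)
objDACL.AddAce MakeAce(ADS_RIGHT_DS_CONTROL_ACCESS, USER_CHANGE_PASSWORD)
objDACL.AddAce MakeAce(ADS_RIGHT_DS_CONTROL_ACCESS, USER_FORCE_CHANGE_PASSWORD)
objDACL.AddAce MakeAce(ADS_RIGHT_DS_WRITE_PROP, USER_ACCOUNT_RESTRICTIONS)
objDACL.AddAce MakeAce(ADS_RIGHT_DS_SELF, VALIDATED_DNS_HOST_NAME)
objDACL.AddAce MakeAce(ADS_RIGHT_DS_SELF, VALIDATED_SPN)

' Write the modified security descriptor back to the object.
objSecurityDescriptor.DiscretionaryAcl = objDACL
objComputer.Put "ntSecurityDescriptor", objSecurityDescriptor
objComputer.SetInfo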
Δ Delete a Computer Account
' Deletes one computer account from the Computers container of the
' fabrikam.com domain.
strComputer   = "atl-pro-040"
strComputerDN = "CN=" & strComputer & ",CN=Computers,DC=fabrikam,DC=com"

Set objComputer = GetObject("LDAP://" & strComputerDN)

' The argument of DeleteObject is reserved and must be 0.
objComputer.DeleteObject 0
Δ Disable a Global Catalog Server
' Clears the global catalog option on the NTDS Settings object of domain
' controller atl-dc-01.
strComputer = "atl-dc-01"

Const NTDSDSA_OPT_IS_GC = 1

' The DC's own rootDSE names its NTDS Settings object in dsServiceName.
Set objRootDSE = GetObject("LDAP://" & strComputer & "/rootDSE")
strDsServiceDN = objRootDSE.Get("dsServiceName")
Set objDsRoot  = GetObject("LDAP://" & strComputer & "/" & strDsServiceDN)
intOptions     = objDsRoot.Get("options")

' Write only when the GC bit is set; the other option bits are preserved.
If (intOptions And NTDSDSA_OPT_IS_GC) <> 0 Then
    objDsRoot.Put "options", (intOptions And (Not NTDSDSA_OPT_IS_GC))
    objDsRoot.SetInfo
End If
Δ Enable a Global Catalog Server
' Sets the global catalog option on the NTDS Settings object of domain
' controller atl-dc-01.
strComputer = "atl-dc-01"

Const NTDSDSA_OPT_IS_GC = 1

' The DC's own rootDSE names its NTDS Settings object in dsServiceName.
Set objRootDSE = GetObject("LDAP://" & strComputer & "/RootDSE")
strDsServiceDN = objRootDSE.Get("dsServiceName")
Set objDsRoot  = GetObject("LDAP://" & strComputer & "/" & strDsServiceDN)
intOptions     = objDsRoot.Get("options")

' Write only when the GC bit is clear; the other option bits are preserved.
If (intOptions And NTDSDSA_OPT_IS_GC) = 0 Then
    objDsRoot.Put "options", (intOptions Or NTDSDSA_OPT_IS_GC)
    objDsRoot.SetInfo
End If
Δ Join a Computer to a Domain
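' Joins the local computer to a domain and creates the computer's account in
' Active Directory.
'
' The earlier version of this script carried the join account's password as
' a string literal. Credentials are now supplied at run time, so the file
' can be stored and shared without a domain credential embedded in it.
'
' Usage (cscript.exe is required for the password prompt):
'   cscript <script>.vbs /Domain:FABRIKAM /User:shenalan [/Password:<pw>]
' Passing /Password on the command line exposes it to process listings and
' shell history; omit it to be prompted instead.

' Flags for Win32_ComputerSystem.JoinDomainOrWorkgroup.
Const JOIN_DOMAIN             = 1
Const ACCT_CREATE             = 2
Const ACCT_DELETE             = 4
Const WIN9X_UPGRADE           = 16
Const DOMAIN_JOIN_IF_JOINED   = 32
Const JOIN_UNSECURE           = 64
Const MACHINE_PASSWORD_PASSED = 128
Const DEFERRED_SPN_SET        = 256
Const INSTALL_INVOCATION      = 262144

Set objArgs = WScript.Arguments.Named

' Domain and user default to the values the script shipped with; the
' password has no default.
strDomain = "FABRIKAM"
strUser   = "shenalan"
If objArgs.Exists("Domain") Then strDomain = objArgs.Item("Domain")
If objArgs.Exists("User")   Then strUser   = objArgs.Item("User")

If objArgs.Exists("Password") Then
    strPassword = objArgs.Item("Password")
Else
    ' WScript has no masked-input facility, so the typed password is echoed.
    WScript.StdOut.Write "Password for " & strDomain & "\" & strUser & ": "
    strPassword = WScript.StdIn.ReadLine
End If

Set objNetwork = CreateObject("WScript.Network")
strComputer    = objNetwork.ComputerName

Set objComputer = GetObject("winmgmts:{impersonationLevel=Impersonate}!\\" & _
    strComputer & "\root\cimv2:Win32_ComputerSystem.Name='" & strComputer & "'")

' The account OU argument is Null, so the account is created in the
' domain's default Computers container.
intReturn = objComputer.JoinDomainOrWorkGroup(strDomain, strPassword, _
    strDomain & "\" & strUser, Null, JOIN_DOMAIN + ACCT_CREATE)

' Drop the credential as soon as it has been used.
strPassword = ""

' The earlier version discarded the return value; a non-zero result is a
' Win32 error code and means the join did not happen.
If intReturn = 0 Then
    WScript.Echo "Joined " & strComputer & " to " & strDomain & "."
Else
    WScript.Echo "Join failed, Win32 error " & intReturn & "."
End If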
Δ List All Computer Accounts in Active Directory
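' Lists the name and location attribute of every computer account in the
' current domain.
Const ADS_SCOPE_SUBTREE = 2

' The domain is read from rootDSE rather than hard-coded, so the script
' runs unchanged in any domain.
Set objRootDSE = GetObject("LDAP://rootDSE")
strDomainDN    = objRootDSE.Get("defaultNamingContext")

Set objConnection = CreateObject("ADODB.Connection")
Set objCommand    = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"

Set objCommand.ActiveConnection = objConnection
objCommand.CommandText = "Select Name, Location from 'LDAP://" & strDomainDN & "' " & _
                         "Where objectClass='computer'"
' Paged results are needed once the result set exceeds the server's size
' limit (1000 entries by default).
objCommand.Properties("Page Size")   = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE

Set objRecordSet = objCommand.Execute

' MoveFirst raises an error on an empty recordset, so EOF is tested first;
' an empty result is reported instead of aborting the script.
If objRecordSet.EOF Then
    WScript.Echo "No computer accounts found in " & strDomainDN & "."
Else
    objRecordSet.MoveFirst
    Do Until objRecordSet.EOF
        WScript.Echo "Computer Name: " & objRecordSet.Fields("Name").Value
        ' Location is optional; a Null value concatenates as an empty string.
        WScript.Echo "Location: " & objRecordSet.Fields("Location").Value
        objRecordSet.MoveNext
    Loop
End If

objRecordSet.Close
objConnection.Close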
Δ List FSMO Role Holders
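' Reports which domain controller holds each of the five FSMO roles:
' Schema Master, Domain Naming Master, PDC Emulator, RID Master and
' Infrastructure Master.
Set objRootDSE = GetObject("LDAP://rootDSE")

strConfigDN = objRootDSE.Get("configurationNamingContext")
strSchemaDN = objRootDSE.Get("schemaNamingContext")
strDomainDN = objRootDSE.Get("defaultNamingContext")

' Echoes strLabel followed by the name of the role holder.
'   strLabel        - text printed before the holder's name.
'   strRoleObjectDN - DN of the object whose fSMORoleOwner attribute
'                     records the role; its value is the DN of the holder's
'                     NTDS Settings object, whose parent is the server object
'                     named after the domain controller.
Sub ReportRoleHolder(strLabel, strRoleObjectDN)
    Dim objRoleObject, objNtds, objServer
    Set objRoleObject = GetObject("LDAP://" & strRoleObjectDN)
    Set objNtds       = GetObject("LDAP://" & objRoleObject.Get("fSMORoleOwner"))
    Set objServer     = GetObject(objNtds.Parent)
    WScript.Echo strLabel & objServer.Name
End Sub

' Forest-wide roles.
ReportRoleHolder "Forest-wide Schema Master FSMO: ",        strSchemaDN
ReportRoleHolder "Forest-wide Domain Naming Master FSMO: ", "CN=Partitions," & strConfigDN

' Domain-wide roles.
ReportRoleHolder "Domain's PDC Emulator FSMO: ",          strDomainDN
ReportRoleHolder "Domain's RID Master FSMO: ",            "CN=RID Manager$,CN=System," & strDomainDN
ReportRoleHolder "Domain's Infrastructure Master FSMO: ", "CN=Infrastructure," & strDomainDN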
Δ List Selected Computer Account Attributes
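' Retrieves the location and description attributes of one computer account
' in Active Directory, reporting each attribute that has no value.
strComputerDN = "CN=atl-dc-01,CN=Computers,DC=fabrikam,DC=com"

On Error Resume Next
Set objComputer = GetObject("LDAP://" & strComputerDN)
' A failed bind used to be swallowed by On Error Resume Next, after which
' every attribute was reported as if read; now the failure is reported and
' the script stops.
If Err.Number <> 0 Then
    WScript.Echo "Could not bind to " & strComputerDN & ": " & Err.Description
    WScript.Quit 1
End If
On Error GoTo 0

EchoAttribute "Location",    "Location: ",    "The location has not been set."
EchoAttribute "Description", "Description: ", "The description has not been set."

' Echoes one single-valued attribute of objComputer.
'   strAttribute    - attribute name to read.
'   strLabel        - prefix printed before the value.
'   strUnsetMessage - text printed when the attribute has no value.
' ADSI's Get raises an error (it does not return Null) when the attribute
' has no value. The earlier version tested a variable that was still Empty
' on the first read, so a missing first attribute printed as an empty
' value; the result is now reset before every read and the error checked.
Sub EchoAttribute(strAttribute, strLabel, strUnsetMessage)
    Dim varValue
    On Error Resume Next
    varValue = Null
    Err.Clear
    varValue = objComputer.Get(strAttribute)
    If Err.Number <> 0 Or IsNull(varValue) Then
        WScript.Echo strUnsetMessage
    Else
        WScript.Echo strLabel & varValue
    End If
    Err.Clear
End Sub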
Δ Modify Computer Location Attribute
' Sets the location attribute of one computer account in Active Directory.
strComputerDN = "CN=atl-dc-01,CN=Computers,DC=fabrikam,DC=com"
strLocation   = "Building 37, Floor 2, Room 2133"

Set objComputer = GetObject("LDAP://" & strComputerDN)

' Put only caches the new value; SetInfo writes it to the directory.
objComputer.Put "Location", strLocation
objComputer.SetInfo
Δ Move a Computer Account
' Moves a computer account out of the Computers container into the Finance
' OU of the same domain.
strTargetOU     = "OU=Finance,DC=fabrikam,DC=com"
strSourceObject = "CN=atl-pro-03,CN=Computers,DC=fabrikam,DC=com"

Set objNewOU = GetObject("LDAP://" & strTargetOU)

' MoveHere returns the object at its new location; the second argument is
' the relative distinguished name the object keeps after the move.
Set objMoveComputer = objNewOU.MoveHere("LDAP://" & strSourceObject, "CN=atl-pro-03")
Δ Move a Computer Account to a New Domain
' Moves a computer object into the Computers container of another domain
' with IADsContainer.MoveHere. Cross-domain moves are subject to a number of
' restrictions; see the Directory Services Platform SDK for details.
strTargetContainer = "cn=Computers,dc=NA,dc=fabrikam,dc=com"
strSourceObject    = "cn=Computer01,cn=Users,dc=fabrikam,dc=com"

Set objOU = GetObject("LDAP://" & strTargetContainer)

' vbNullString as the new name keeps the object's existing RDN.
objOU.MoveHere "LDAP://" & strSourceObject, vbNullString
Δ Rename a Computer Account
' Renames an Active Directory computer account by "moving" it within its own
' OU under a new relative distinguished name.
strContainer = "OU=Finance,DC=fabrikam,DC=com"
strOldName   = "atl-pro-037"
strNewName   = "atl-pro-003"

Set objNewOU = GetObject("LDAP://" & strContainer)

' Only the directory object's RDN changes here; MoveHere does not touch
' other attributes of the account such as sAMAccountName or dNSHostName.
Set objMoveComputer = objNewOU.MoveHere("LDAP://CN=" & strOldName & "," & strContainer, _
                                        "CN=" & strNewName)
Δ Rename a Computer and Computer Account
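' Renames the local computer and its corresponding Active Directory computer
' account. Requires Windows XP or Windows Server 2003 and must be run on the
' computer being renamed; the new name takes effect after a restart.
strComputer = "."
strNewName  = "WebServer"

Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _
    strComputer & "\root\cimv2")
Set colComputers = objWMIService.ExecQuery("Select * from Win32_ComputerSystem")

For Each objComputer In colComputers
    ' The earlier version stored the return code in a variable named err
    ' and never examined it. 0 means the rename was accepted; any other
    ' value is a Win32 error code.
    intResult = objComputer.Rename(strNewName)
    If intResult = 0 Then
        WScript.Echo "Rename to " & strNewName & " accepted; restart to apply."
    Else
        WScript.Echo "Rename failed, error " & intResult & "."
    End If
Next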
Δ Reset a Computer Account Password
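' Resets a computer account's password in Active Directory to the account
' name followed by "$", the value a machine account is reset to from the
' directory side.
'
' Only the directory copy of the password changes here; the computer's own
' copy does not, so the machine must re-establish its secure channel before
' it can authenticate again. NOTE(review): atl-dc-01 is used as a domain
' controller elsewhere in this collection; resetting a DC's machine account
' from the directory side is not the documented procedure for DCs — confirm
' the target before running.
strComputer   = "atl-dc-01"
strComputerDN = "CN=" & strComputer & ",CN=Computers,DC=Reskit,DC=COM"

Set objComputer = GetObject("LDAP://" & strComputerDN)

' The password literal in the earlier version was mangled in transcription;
' it is the computer name with the trailing "$".
objComputer.SetPassword strComputer & "$"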
Δ Search for Specific Computer Accounts
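' Lists the name and location of the computer accounts in the domain whose
' operatingSystemVersion attribute matches a given value.
Const ADS_SCOPE_SUBTREE = 2

' Filter value, kept from the earlier version. NOTE(review): the script's
' description says Windows Server 2003, but the released product reports a
' 5.2 version string; confirm this value matches the systems you mean to
' list.
strOSVersion = "5.1 (3600)"

' The domain is read from rootDSE rather than hard-coded, so the script
' runs unchanged in any domain.
Set objRootDSE = GetObject("LDAP://rootDSE")
strDomainDN    = objRootDSE.Get("defaultNamingContext")

Set objConnection = CreateObject("ADODB.Connection")
Set objCommand    = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"

Set objCommand.ActiveConnection = objConnection
objCommand.CommandText = "Select Name, Location, operatingSystemVersion from " & _
                         "'LDAP://" & strDomainDN & "' where objectClass='computer'" & _
                         " and operatingSystemVersion = '" & strOSVersion & "'"
' Paged results are needed once the result set exceeds the server's size
' limit (1000 entries by default).
objCommand.Properties("Page Size")   = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE

Set objRecordSet = objCommand.Execute

' MoveFirst raises an error on an empty recordset, so EOF is tested first;
' no matches is reported instead of aborting the script.
If objRecordSet.EOF Then
    WScript.Echo "No computer accounts with operatingSystemVersion '" & strOSVersion & "' found."
Else
    objRecordSet.MoveFirst
    Do Until objRecordSet.EOF
        WScript.Echo "Computer Name: " & objRecordSet.Fields("Name").Value
        ' Location is optional; a Null value concatenates as an empty string.
        WScript.Echo "Location: " & objRecordSet.Fields("Location").Value
        objRecordSet.MoveNext
    Loop
End If

objRecordSet.Close
objConnection.Close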
Δ Verify Computer Role
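' Reports the role of the local computer (workstation, member server,
' domain controller, ...) from Win32_ComputerSystem.DomainRole.
strComputer = "."

Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _
    strComputer & "\root\cimv2")
Set colComputers = objWMIService.ExecQuery("Select DomainRole from Win32_ComputerSystem")

For Each objComputer In colComputers
    Select Case objComputer.DomainRole
        Case 0: strComputerRole = "Standalone Workstation"
        Case 1: strComputerRole = "Member Workstation"
        Case 2: strComputerRole = "Standalone Server"
        Case 3: strComputerRole = "Member Server"
        Case 4: strComputerRole = "Backup Domain Controller"
        Case 5: strComputerRole = "Primary Domain Controller"
        ' The earlier version had no Case Else, so an unlisted value left
        ' strComputerRole empty and printed a blank line.
        Case Else: strComputerRole = "Unknown role (" & objComputer.DomainRole & ")"
    End Select
    WScript.Echo strComputerRole
Next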
Δ Verify that a Computer is a Global Catalog Server
' Reports whether domain controller atl-dc-01 is a global catalog server.
strComputer = "atl-dc-01"

Const NTDSDSA_OPT_IS_GC = 1

' The GC flag is a bit of the options attribute on the DC's NTDS Settings
' object, which its rootDSE names in dsServiceName.
Set objRootDSE = GetObject("LDAP://" & strComputer & "/rootDSE")
strDsServiceDN = objRootDSE.Get("dsServiceName")
Set objDsRoot  = GetObject("LDAP://" & strComputer & "/" & strDsServiceDN)
intOptions     = objDsRoot.Get("options")

blnIsGC = ((intOptions And NTDSDSA_OPT_IS_GC) <> 0)
If blnIsGC Then
    WScript.Echo strComputer & " is a global catalog server."
Else
    WScript.Echo strComputer & " is not a global catalog server."
End If