dcsimg

Using ADSI and VBScript to Access Objects in NT4 and the Active Directory

By ServerWatch Staff (Send Email)
Posted Mar 20, 2000


by Jon Loomes Home

ADSI (Active Directory Services Interfaces) provides unparalleled opportunity for Systems Administrators to automate many day-to-day systems management tasks. ADSI can be used to access NT4.0, NDS, Windows 2000, Microsoft Exchange and IIS directory structures, and it is therefore possible to manage all these different environments using a single management framework.

ADSI (Active Directory Services Interfaces) provides unparalleled opportunity for Systems Administrators to automate many day-to-day systems management tasks.

ADSI may seem daunting at first, if you are new to scripting and COM objects, but the investment in time spent learning this exciting new technology will pay dividends if you manage directory structures as part of your job. Your motto should be: "IF IT HAS TO BE DONE MORE THAN ONCE, SCRIPT IT!"

This article serves as a guide to using ADSI to access user, group and computer information from both the NT4 SAM database and from the Windows 2000 Active Directory. Accessing Exchange, NDS and IIS directories is achieved in a similar way, although is not specifically covered here.

To use the examples in the article you will need access to either a Windows NT 4.0 machine with WSH and ADSI installed. Or a Windows 2000 machine running Active Directory.

You will also need to use a user account with sufficient privileges to access user account information i.e. an account operator or administrator equivalent.

It is suggested that you experiment with ADSI in a test environment first, as it is fairly easy to create a script that has the ability to make changes right across your environment.

Providers, Schemas, Objects, Properties and Methods - The Building Blocks of ADSI

For those of you unfamiliar with COM terminology, here's a (very) brief explanation of the basics:

Provider: The programming interface than allows you to gain access to something i.e. the WinNT Provider in ADSI give you access to the NT4 directory service

Schema: The 'design' of the different objects in a directory. For example the NT4 schema contains users, groups and computers. Users have properties such as 'FullName' and Password'. In NT4 the Schema is fixed i.e. you cannot change the basic design. In Active Directory, the schema is extensible i.e. it is possible to add classes to objects e.g. you could add a 'Favourite Colour' property to the user object - pointless perhaps, but very powerful!

Objects: The basic contents of a directory. i.e. User, Groups, Computers etc

Properties: Various attributes of an object. A User object includes the properties 'FullName' and 'Password'

Methods: A method is a means of changing a property or an object. .e.g you would use a method to change a users password.

ADSI comes with two providers, the WinNT provider and the LDAP provider. Other providers, such as the IIS provider, are readily available.

 

The WinNT Provider

The WinNT Provider is used to access the Windows NT 4.0 directory structure (i.e. the SAM database). Use this object to access directory information from NT4.0 based Domains and computers.

The WinNT Schema contains several objects as detailed below:

Domain: This object holds domain wide settings, such as Minimum Password Age, Maximum Password Age etc.

User: This object contains all information about a user.i.e. Description, Home directory, profile path, login script etc

Group: Contains NT Groups names and descriptions.

Computer: This object holds some information about a particular computer, such as Operating System, Processor etc.

 

Accessing the WinNT Schema Objects

The syntax for accessing the WinNT schema using the WinNT provider in ADSI is as follows:

First bind to the object required:

ObjDomain = GetObject("WinNT://MyDomain") ' This binds to a DOMAIN called 'MyDomain' and assigns it to the variable 'ObjDomain'

We can then access all objects in the Domain object hierarchy, such as Computers, Users and Groups.

We can also bind to the directory structure on a particular computer. E.g.

ObjComp = GetObject("WinNT://MyDomain/MyComputer") ' This binds to a computer called 'MyComputer' in the domain 'MyDomain'

We can use this to look at local users and groups on a particular computer.

Once we have a connection to one of these 'Top Level' objects in the WinNT schema, we are in a position to start accessing other directory objects. This is achieved by examining the 'Properties' of each object we find, determining what it is i.e. is it a user, a group or a computer, and then performing further actions based on the results of this.

 

Accessing Different Classes of Object

We can filter out certain types (Classes) of object as follows:

ObjDomain = GetObject(WinNT://MyDomain") ' Bind to the Domain object

For each object in ObjDomain ' Look at each object

If object.class = "Computer" Then ' If its of type 'Computer'

<DO IT> ' Do something

End if

Next ' Go to next Object in the Domain

Another way of achieving the same thing is to use the VBScript 'Filter' function:

 

ObjDomain = GetObject(WinnNT://MyDomain") ' Bind to the Domain object

ObjDomain.Filter = Array("Computer") ' Filter out all the 'Computer' objects

For each ObjComp in ObjDomain ' For each object in the Domain (i.e. Computer Object only, due to the filter

<DO IT> ' do something

Next

This technique is slightly more graceful, as it requires fewer lines of code.

Of course we can go directly to a particular object class in the schema, if we know what it is e.g.

ObjUser = GetObject("WinNT//MyDomain/MyUser") ' Bind to a user object called 'MyUser' in the 'MyDomain' Domain.

 

Accessing Object Properties

Once we have access to the Object type we are interested in, we can access any 'properties' it may contain. For example, an object of class 'User', may contain properties for 'Password', 'Login script' and 'Home Directory'

Properties are accessed as follows in VBScript:

ObjDomain = GetObject(WinnNT://MyDomain") ' Bind to the Domain object

ObjDomain.Filter = Array("User") ' Filter out all the objects of class 'User'

For each ObjUser in ObjDomain ' For each object in the Domain (i.e. User Objects only, due to the filter

' Note that next two lines should be on one line

MsgBox ObjUser.Name & vbcrlf & ObjUser.Description & vbcrlf & ObjUser.HomeDirectory

' Display a Message Box with the UserName, Description and Home Directory separated by carriage returns (vbcrlf)

Next

N.B. The user account this script is run under must have sufficient rights to be able to view these properties, otherwise the script will fail.

 

Changing Object Properties

Now we know how to access various properties of an object, the next logical step is to be able to change these properties. A property of an object can be manipulated i.e. changed, by using one of the 'Methods' for that object.

For example, we might want to change a users password, or home directory.

The 'Method' for changing the password of a User class object is called 'SetPassword', and its syntax is as follows:

ObjUser = GetObject("WinNT//MyDomain/MyUser") ' Bind to a particular user

ObjUser.ChangePassword OldPassword, NewPassword ' Changes the users password from 'OldPassword to 'NewPassword'

Of course the only drawback with this method is that it requires knowledge of the users current password, not something that even an Administrator would usually know!

Different Object classes and different properties have methods available which are relevant to them. The following example is a function that takes a server as an argument and starts or stops the 'Scheduler' service, depending on its current state.

' This function checks the status of the 'Schedule' service on a given computer

' and starts it if it is stopped, or stops it if it is already started

' A bit pointless perhaps, but you get the idea.......

Function CheckTaskService(server)

Set Comp = GetObject("WinNT://MyDomain/" & Server & ",Computer") ' bind to the computer in question

Comp.Filter = Array("Service") ' Filter out all computer objects of type 'Service'

For Each svc in Comp ' For each Service on the computer

If svc.Name = "Schedule" AND svc.Status = "1" Then 'If its name is "Schedule" and its stopped

svc.Start 'Start the service

Elseif svc.Name = "Schedule" AND svc.Status = "4" Then ' If its name is "Schedule and its started

svc.Stop ' Stop the service

end if

Next

Set Comp = Nothing 'Get rid of the objects we created

End Function

N.B. listing all the properties and methods for all the objects in the WinNT schema would take too long here. This information is readily available in the WSH documentation, in various books and on the Web at http://msdn.microsoft.com/scripting

 

The Active Directory Provider

The Active Directory Provider is, as the name implies, what we use to access Active Directory Objects in Windows 2000 environments. Active Directory conforms to the LDAP (Lightweight Directory Access Protocol) the Active Directory Provider is accessed by using the ADSI LDAP provider as follows:

ObjOU = GetObject("LDAP://ServerName.CompanyName.Com/OU=MyDept")

This example binds to an Organizational Unit (OU) called 'MyDept' in the Active Directory provided by the server 'ServerName.CompanyName.Com'

Once we have bound to the object we can access its properties in a similar way to the WinNT provider e.g.

For each Obj in ObjOU

MsgBox ObjOU.Name ' display the name of every object in the OU

Next

Other properties contained within the OU Object are as follows:

Locality Name

Postal Address

TelephoneNumber

FaxNumber

SeeAlso

BusinessCategory

 

The User Object

The User Object within the Active Directory has many more properties than its equivalent in the WinNT directory structure. In NT4.0 properties of a user are limited to: Description, FullName, Home Directory, Profile, LoginScript etc etc. Active Directory has all these plus additional properties such as EmailAddress, PostalCode, NamePrefix, Title, Manager, TelephoneNumber, TelephoneMobile etc etc. These can all be accessed and modified (SET) via ADSI.

Therefore expanding on the code in the previous section:

ObjOU = GetObject("LDAP://ServerName.CompanyName.Com/OU=MyDept") ' Bind to the OU called 'MyDept'

ObjOU.Filter = Array("User") 'filter out all the user objects in the OU (OU's can also contain computers)

For each ObjUser in ObjOU 'For each user in the OU

MsgBox ObjUser.Name & vbcrlf & ObjUser.HomeDirectory

' return the user name and home directory

Next

The Computer Object

Active Directory Organizational Units (OU's) may contain computers as well as users. We can therefore modify the code in the example above to retrieve information about computers in the 'MyDept' OU as follows:

ObjOU = GetObject("LDAP://ServerName.CompanyName.Com/OU=MyDept") ' Bind to the OU called 'MyDept'

ObjOU.Filter = Array("Computer") 'filter out all the computer objects in the OU

For each ObjComp in ObjOU 'For each computer in the OU

MsgBox ObjComp.Name & vbcrlf & ObjComp.Site & vbcrlf & ObjComp.OperatingSystem

' return the computer name, site and operating system

Next

 

The Group Object

OU's may also contain groups. So we can access the groups in the 'MyDept' OU with a few modifications to our code:

ObjOU = GetObject("LDAP://ServerName.CompanyName.Com/OU=MyDept") ' Bind to the OU called 'MyDept'

ObjOU.Filter = Array("Group") 'filter out all the group objects in the OU

For each ObjGroup in ObjOU 'For each group in the OU

MsgBox ObjGroup.Name & vbcrlf & ObjGroup.Description ' return the group name and description

Next

Further Information

Ill be posting more ADSI related information soon, so watch this space for more examples of ADSI in use.

You can read more by going to: Microsoft's ADSI Page

Page 1 of 1


Comment and Contribute

Your name/nickname

Your email

(Maximum characters: 1200). You have characters left.