
Using ADSI and VBScript to Access Objects in NT4 and the Active Directory




by Jon Loomes

ADSI (Active Directory Service Interfaces) gives systems
administrators an unparalleled opportunity to automate many
day-to-day systems management tasks. ADSI can be used to access
NT 4.0, NDS, Windows 2000, Microsoft Exchange and IIS directory
structures, so it is possible to manage all of these different
environments from a single scripting framework.


ADSI may seem daunting at first, if you are new to scripting and
COM objects, but the investment in time spent learning this exciting
new technology will pay dividends if you manage directory structures
as part of your job. Your motto should be: “IF IT HAS TO BE DONE
MORE THAN ONCE, SCRIPT IT!”

This article serves as a guide to using ADSI to access user,
group and computer information from both the NT4 SAM database and
from the Windows 2000 Active Directory. Accessing Exchange, NDS and
IIS directories is achieved in a similar way, although it is not
specifically covered here.

To use the examples in this article you will need access to either
a Windows NT 4.0 machine with WSH and ADSI installed, or a Windows
2000 machine that is a member of (or a domain controller for) an
Active Directory domain.

You will also need to run the scripts under a user account with
sufficient privileges for what they do. With default permissions the
examples that only read account information work for any
authenticated domain user; the ones that change passwords or other
account properties need an Account Operator or Administrator
equivalent.

It is suggested that you experiment with ADSI in a test
environment first, as it is fairly easy to create a script that has
the ability to make changes right across your environment.

Providers, Schemas, Objects, Properties and Methods – The
Building Blocks of ADSI

For those of you unfamiliar with COM terminology, here’s a (very)
brief explanation of the basics:

Provider

: The programming interface that allows you to gain
access to a particular directory, e.g. the WinNT provider in ADSI
gives you access to the NT4 directory service (the SAM).

Schema

: The ‘design’ of the different objects in a directory.
For example, the NT4 schema contains users, groups and computers,
and users have properties such as ‘FullName’ and ‘Password’. In NT4
the schema is fixed, i.e. you cannot change the basic design. In
Active Directory the schema is extensible, i.e. it is possible to add
new classes and to add new attributes to existing classes, e.g. you
could add a ‘Favourite Colour’ attribute to the user class. Pointless
perhaps, but very powerful (and, since a schema extension applies to
the whole forest and cannot be fully undone, something to be done
with care).

Objects

: The basic contents of a directory, e.g. users,
groups, computers etc.

Properties

: The various attributes of an object. A User object
includes the properties ‘FullName’ and ‘Password’ (Password is the
odd one out: it can be set but never read back).

Methods

: A method is an action an object can perform, usually one that
changes a property or the object itself, e.g. you would use a method
to change a user’s password.

ADSI comes with two main providers, the WinNT provider and the LDAP
provider, and these are the two used in this article. Other
providers, such as the IIS provider, are readily available.


The WinNT Provider

The WinNT provider is used to access the Windows NT 4.0 directory
structure (i.e. the SAM database). Use this provider to access
directory information from NT 4.0 based domains and from individual
computers, including the local accounts on Windows 2000 machines.

The WinNT schema contains several objects, as detailed
below:

Domain:

This object holds domain-wide settings, such as
Minimum Password Age, Maximum Password Age etc.

User:

This object contains all the information about a user, i.e.
Description, Home Directory, Profile Path, Login Script etc.

Group:

Contains NT group names, descriptions and memberships.

Computer:

This object holds some information about a particular computer,
such as Operating System and Processor, and is also the container
for that computer’s local users, groups and services.


Accessing the WinNT Schema Objects

The syntax for accessing the WinNT schema using the WinNT
provider in ADSI is as follows:

First bind to the object required:

Set ObjDomain = GetObject("WinNT://MyDomain") ' This binds to a
DOMAIN called 'MyDomain' and assigns it to the variable 'ObjDomain'

Note the Set keyword: GetObject returns an object reference, and
VBScript requires Set whenever an object reference is assigned to a
variable; without it the script fails at the first line.

We can then access all objects in the Domain object hierarchy,
such as Computers, Users and Groups.

We can also bind to the directory structure on a particular
computer. E.g.

Set ObjComp = GetObject("WinNT://MyDomain/MyComputer,computer") ' This
binds to a computer called 'MyComputer' in the domain 'MyDomain'

The ',computer' suffix is a class hint. It is optional, but without
it the provider has to try each class in turn to work out what
‘MyComputer’ is, which is slower and can pick the wrong object if,
say, a user and a computer share the same name.

We can use this to look at local users and groups on a particular
computer.

Once we have a connection to one of these ‘Top Level’ objects in
the WinNT schema, we are in a position to start accessing other
directory objects. This is achieved by enumerating the children of
the container, examining the ‘Class’ property of each object we find
to determine what it is, i.e. a user, a group or a computer, and then
performing further actions based on the result.


Accessing Different Classes of Object

We can pick out a particular type (class) of object as
follows:

Set ObjDomain = GetObject("WinNT://MyDomain") ' Bind to the Domain
object

For Each Obj In ObjDomain ' Look at each object in the Domain

    If Obj.Class = "Computer" Then ' If it is of class 'Computer'

        ' Do something

    End If

Next ' Go to the next object in the Domain

Another way of achieving the same thing is to use the ‘Filter’
property that ADSI exposes on every container object (it is a
property of the ADSI container, not a VBScript function):

Set ObjDomain = GetObject("WinNT://MyDomain") ' Bind to the Domain
object

ObjDomain.Filter = Array("Computer") ' Only return 'Computer' objects
when the container is enumerated

For Each ObjComp In ObjDomain ' For each object in the Domain (i.e.
Computer objects only, because of the filter)

    ' Do something

Next

This technique is slightly more graceful, as it requires fewer
lines of code, and it is also quicker, because the provider skips
the unwanted objects instead of handing every one of them to the
script.

Of course we can go directly to a particular object if we know its
name and class, e.g.

Set ObjUser = GetObject("WinNT://MyDomain/MyUser,user") ' Bind to a
user object called 'MyUser' in the 'MyDomain' Domain.


Accessing Object Properties

Once we have access to the object type we are interested in, we
can read any ‘properties’ it exposes. For example, an object of
class ‘User’ has properties for ‘LoginScript’ and ‘HomeDirectory’.
‘Password’ is the exception: ADSI lets you set it (see Changing
Object Properties below) but there is no call that returns it.

Properties are accessed as follows in VBScript:

Set ObjDomain = GetObject("WinNT://MyDomain") ' Bind to the Domain
object

ObjDomain.Filter = Array("User") ' Only return objects of class
'User'

For Each ObjUser In ObjDomain ' For each user in the Domain

    MsgBox ObjUser.Name & vbCrLf & ObjUser.Description & vbCrLf & ObjUser.HomeDirectory ' Display a message box with the user name, description and home directory separated by carriage returns (vbCrLf)

Next

The MsgBox line is a single statement; breaking it across two lines
is a syntax error unless the VBScript continuation character (an
underscore at the end of the first line) is used. For more than a
handful of users, WScript.Echo under cscript.exe is more practical
than one message box per account.

N.B. The user account this script is run under must have
sufficient rights to be able to view these properties, otherwise the
script will fail.
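The two techniques above, filtering a container and reading the properties of what it returns, are what an account audit is made of. The following script is an added example and not part of the original article: it binds to an NT4 domain (or to a single machine’s local SAM) through the WinNT provider, filters for users and reports the settings that matter most from a security point of view: the ‘UserFlags’ bits (disabled, password not required, password never expires), the age of the password, lockout state and membership of the administrative groups. The ‘ADS_UF_’ constants are the documented ADS_USER_FLAG_ENUM values; the 90-day threshold and the names ‘MyDomain’ and ‘MyComputer’ are assumptions.

```vbscript
' Added example: audit the users of an NT4 domain or a single machine
' through the WinNT provider. Run with cscript so WScript.Echo goes to
' the console:
'     cscript //nologo useraudit.vbs MyDomain
'     cscript //nologo useraudit.vbs MyDomain/MyComputer
' "MyDomain" and "MyComputer" are placeholder names.
Option Explicit

' Bits of the WinNT "UserFlags" property (ADS_USER_FLAG_ENUM)
Const ADS_UF_ACCOUNTDISABLE     = &H2
Const ADS_UF_PASSWD_NOTREQD     = &H20
Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000
Const MAX_PASSWORD_AGE_DAYS     = 90     ' assumed policy threshold

Dim objContainer, objUser, strFindings

If WScript.Arguments.Count <> 1 Then
    WScript.Echo "Usage: cscript useraudit.vbs <Domain | Domain/Computer>"
    WScript.Quit 1
End If

Set objContainer = GetObject("WinNT://" & WScript.Arguments(0))
objContainer.Filter = Array("user")      ' only enumerate user objects

For Each objUser In objContainer
    strFindings = AuditUser(objUser)
    If Len(strFindings) > 0 Then
        WScript.Echo objUser.Name & ": " & strFindings
    End If
Next

' Returns a semicolon-separated list of findings for one user, or ""
' if nothing stands out.
Function AuditUser(objUser)
    Dim lngFlags, lngAgeDays, strOut, objGroup
    strOut = ""
    lngFlags   = objUser.Get("UserFlags")
    lngAgeDays = objUser.Get("PasswordAge") \ 86400   ' seconds -> days

    If (lngFlags And ADS_UF_ACCOUNTDISABLE) <> 0 Then
        strOut = strOut & "disabled; "
    End If
    If (lngFlags And ADS_UF_PASSWD_NOTREQD) <> 0 Then
        strOut = strOut & "NO PASSWORD REQUIRED; "
    End If
    If (lngFlags And ADS_UF_DONT_EXPIRE_PASSWD) <> 0 Then
        strOut = strOut & "password never expires; "
    End If
    If lngAgeDays > MAX_PASSWORD_AGE_DAYS Then
        strOut = strOut & "password " & lngAgeDays & " days old; "
    End If
    If objUser.IsAccountLocked Then
        strOut = strOut & "locked out; "
    End If

    ' IADsUser.Groups returns the groups the user is a direct member of
    For Each objGroup In objUser.Groups
        Select Case LCase(objGroup.Name)
            Case "administrators", "domain admins", "account operators"
                strOut = strOut & "member of " & objGroup.Name & "; "
        End Select
    Next

    AuditUser = strOut
End Function
```

Enumerating a large domain through the WinNT provider is slow, because every object is fetched one at a time, so for Active Directory the LDAP provider (covered later in the article) is the better route. Run against ‘MyDomain/MyComputer’ the same script audits the local accounts of a member server, which is where forgotten ‘password never expires’ service accounts tend to live.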

 

Changing Object Properties

Now we know how to read the various properties of an object, the
next logical step is to change them. Ordinary properties such as the
home directory are changed by assigning the new value and then
calling the object’s ‘SetInfo’ method; ADSI caches the assignment
locally and nothing is written to the directory until SetInfo is
called. Passwords are different: they cannot be assigned as a
property and are changed through one of the User object’s ‘Methods’,
which take effect immediately.

There are two such methods. ‘ChangePassword’ is what a user would
call for themselves, and its syntax is as follows:

Set ObjUser = GetObject("WinNT://MyDomain/MyUser,user") ' Bind to a
particular user

ObjUser.ChangePassword OldPassword, NewPassword ' Changes the
user's password from 'OldPassword' to 'NewPassword'

Of course the drawback of this method is that it requires
knowledge of the user’s current password, not something that even an
Administrator would usually know (or should ask for). The second
method, ‘SetPassword’, takes only the new password and is the
administrative reset; it needs Account Operator or Administrator
rights. Either way the password sits in clear text in the script
while it runs, so never hard-code real passwords, and treat any
script that contains one as you would the password itself.
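The following script is an added example, not code from the original article, of the administrative reset described above: it uses ‘SetPassword’ rather than ‘ChangePassword’ (so the old password is not needed), clears any lockout and forces the user to change the password at next logon, and shows where ‘SetInfo’ is and is not required. The new password is read from standard input so that it does not appear in process listings or command history. ‘MyDomain’ and ‘MyUser’ are placeholder names, and the script must be run under cscript.exe because wscript.exe has no standard input.

```vbscript
' Added example: administrative password reset through the WinNT provider.
'     cscript //nologo resetpw.vbs MyDomain MyUser
' The new password is read from stdin rather than the command line, so it
' does not end up in process listings or shell history. It is still echoed
' to the console, so run this from an unobserved session.
Option Explicit

Dim objUser, strNewPassword, strError

If WScript.Arguments.Count <> 2 Then
    WScript.Echo "Usage: cscript resetpw.vbs <Domain> <User>"
    WScript.Quit 1
End If

' The ",user" class hint stops the provider guessing at the object's class
Set objUser = GetObject("WinNT://" & WScript.Arguments(0) & "/" & _
                        WScript.Arguments(1) & ",user")

WScript.Echo "New password for " & objUser.Name & ":"
strNewPassword = WScript.StdIn.ReadLine

strError = ResetPassword(objUser, strNewPassword)
If Len(strError) > 0 Then
    WScript.Echo "Reset failed: " & strError
    WScript.Quit 1
End If
WScript.Echo "Password reset; the user must change it at next logon."

' Resets the password without knowing the old one (SetPassword), clears a
' lockout and forces a change at next logon. Returns "" on success or the
' error text on failure. SetPassword takes effect immediately; the two
' property writes are only committed by SetInfo.
Function ResetPassword(objUser, strPassword)
    On Error Resume Next
    ResetPassword = ""

    objUser.SetPassword strPassword
    If Err.Number <> 0 Then              ' policy rejected it, or no rights
        ResetPassword = "SetPassword: " & Err.Description
        Exit Function
    End If

    If objUser.IsAccountLocked Then
        objUser.IsAccountLocked = False  ' the only value the WinNT provider accepts
    End If
    objUser.Put "PasswordExpired", 1     ' WinNT-only: must change at next logon
    objUser.SetInfo                      ' commit both changes to the SAM
    If Err.Number <> 0 Then
        ResetPassword = "SetInfo: " & Err.Description
    End If
End Function
```

The error check after ‘SetPassword’ matters: the call fails, rather than silently doing nothing, when the new password breaks the domain’s length or complexity policy or when the account running the script lacks the rights, and a script that does not look at Err.Number will happily report success.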

Different object classes and different properties have methods
available which are relevant to them. The following example is a
function that takes a server name as an argument and starts or stops
the ‘Schedule’ service, depending on its current state. The WinNT
provider exposes services as objects of class ‘Service’ inside the
Computer object, and their ‘Status’ property is a number: 1 means
stopped and 4 means running (the ADS_SERVICE_STATUS_ENUM values).
Note that it must be compared with the numbers 1 and 4, not with the
strings "1" and "4": VBScript never treats a number as equal to a
string, so a string comparison would silently never match.

' This function checks the status of the 'Schedule' service on a
given computer

' and starts it if it is stopped, or stops it if it is already
started

' A bit pointless perhaps, but you get the idea...

Function CheckTaskService(Server)

    Dim Comp, svc

    Set Comp = GetObject("WinNT://MyDomain/" & Server & ",computer") ' Bind to the computer in question

    Comp.Filter = Array("Service") ' Only return the computer's objects of class 'Service'

    For Each svc In Comp ' For each service on the computer

        If svc.Name = "Schedule" And svc.Status = 1 Then ' If its name is "Schedule" and it is stopped

            svc.Start ' Start the service

        ElseIf svc.Name = "Schedule" And svc.Status = 4 Then ' If its name is "Schedule" and it is running

            svc.Stop ' Stop the service

        End If

    Next

    Set Comp = Nothing ' Release the object we created

End Function

N.B. Listing all the properties and methods for all the objects
in the WinNT schema would take too long here. This information is
readily available in the ADSI and WSH documentation, in various
books and on the Web at http://msdn.microsoft.com/scripting


The Active Directory Provider

The Active Directory provider is, as the name implies, what we
use to access Active Directory objects in Windows 2000 environments.
Because Active Directory is an LDAP (Lightweight Directory Access
Protocol) directory, it is accessed through the ADSI LDAP provider,
as follows:

Set ObjOU = GetObject("LDAP://ServerName.CompanyName.Com/OU=MyDept,DC=CompanyName,DC=Com")

This example binds to an Organizational Unit (OU) called ‘MyDept’
in the Active Directory held on the server
‘ServerName.CompanyName.Com’. Unlike the WinNT provider, the LDAP
provider needs the object’s full distinguished name, so the ‘DC=’
components that identify the domain must be included; a path ending
in ‘/OU=MyDept’ alone will not bind. The server name, on the other
hand, is optional: ‘LDAP://OU=MyDept,DC=CompanyName,DC=Com’ lets
ADSI locate a domain controller itself.

Once we have bound to the object we can enumerate its contents and
access their properties in a similar way to the WinNT provider, e.g.

For Each Obj In ObjOU

    MsgBox Obj.Name ' Display the name of every object in the OU

Next

Note that it is Obj, the current child object, whose name is
displayed, not ObjOU. The LDAP provider returns the relative
distinguished name, e.g. ‘CN=Jon Loomes’, rather than the bare
account name.

Other properties exposed by the OU object are LocalityName,
PostalAddress, TelephoneNumber, FaxNumber, SeeAlso and
BusinessCategory.
 

The User Object

The User object within the Active Directory has many more
properties than its equivalent in the WinNT directory structure. In
NT 4.0 the properties of a user are essentially limited to
Description, FullName, HomeDirectory, Profile and LoginScript. Active
Directory has all of these plus additional properties such as
EmailAddress, PostalCodes, NamePrefix, Title, Manager,
TelephoneNumber and TelephoneMobile, and behind these named
properties lies the full set of LDAP attributes, which can be read
with the generic ‘Get’ method. These can all be read and modified
(set, and then committed with SetInfo) via ADSI.

Therefore, expanding on the code in the previous
section:

Set ObjOU = GetObject("LDAP://ServerName.CompanyName.Com/OU=MyDept,DC=CompanyName,DC=Com") ' Bind to the OU called 'MyDept'

ObjOU.Filter = Array("User") ' Only return the user objects in the
OU (OUs can also contain computers and groups)

For Each ObjUser In ObjOU ' For each user in the OU

    MsgBox ObjUser.Name & vbCrLf & ObjUser.HomeDirectory ' Return the user name and home directory

Next

Be aware that reading a property that has no value (a user with no
home directory, say) raises an error and stops the script, so in a
real OU you will want ‘On Error Resume Next’ or a check before the
read.

The Computer Object

Active Directory Organizational Units (OUs) may contain
computers as well as users. We can therefore modify the code in the
example above to retrieve information about computers in the
‘MyDept’ OU as follows:

Set ObjOU = GetObject("LDAP://ServerName.CompanyName.Com/OU=MyDept,DC=CompanyName,DC=Com") ' Bind to the OU called 'MyDept'

ObjOU.Filter = Array("Computer") ' Only return the computer objects
in the OU

For Each ObjComp In ObjOU ' For each computer in the OU

    MsgBox ObjComp.Name & vbCrLf & ObjComp.Site & vbCrLf & ObjComp.OperatingSystem ' Return the computer name, site and operating system

Next


The Group Object

OUs may also contain groups, so we can access the groups in the
‘MyDept’ OU with a few modifications to our code:

Set ObjOU = GetObject("LDAP://ServerName.CompanyName.Com/OU=MyDept,DC=CompanyName,DC=Com") ' Bind to the OU called 'MyDept'

ObjOU.Filter = Array("Group") ' Only return the group objects in the
OU

For Each ObjGroup In ObjOU ' For each group in the OU

    MsgBox ObjGroup.Name & vbCrLf & ObjGroup.Description ' Return the group name and description

Next
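Walking one OU at a time, as the user, computer and group examples above do, does not scale to a whole domain, and it says nothing about who is actually in a group. The following script is an added example, not code from the original article, that covers both gaps with the same ADSI LDAP provider: it searches the entire domain through ADSI’s OLE DB interface (the ‘ADsDSOObject’ ADO provider) for enabled accounts whose password never expires, using the LDAP bitwise matching rule on ‘userAccountControl’, and then lists the members of the ‘Domain Admins’ group, following nested groups and guarding against membership loops. It assumes the script runs on a domain-joined machine and that ‘Domain Admins’ is still in the default ‘CN=Users’ container; the 500-entry page size is an assumption too.

```vbscript
' Added example: domain-wide search with the ADSI OLE DB provider, plus a
' recursive listing of the Domain Admins group.
'     cscript //nologo adaudit.vbs
Option Explicit

Const ADS_UF_ACCOUNTDISABLE     = 2
Const ADS_UF_DONT_EXPIRE_PASSWD = 65536
' LDAP_MATCHING_RULE_BIT_AND: matches when all the named bits are set
Const BIT_AND = "1.2.840.113556.1.4.803"

Dim strDomainDN, objConn, objCmd, objRS, strFilter, objGroup, dictSeen

strDomainDN = GetObject("LDAP://RootDSE").Get("defaultNamingContext")

Set objConn = CreateObject("ADODB.Connection")
objConn.Provider = "ADsDSOObject"
objConn.Open "Active Directory Provider"     ' runs as the calling user

Set objCmd = CreateObject("ADODB.Command")
Set objCmd.ActiveConnection = objConn
objCmd.Properties("Page Size") = 500         ' paged results: more than 1000 hits
objCmd.Properties("SearchScope") = 2         ' ADS_SCOPE_SUBTREE

' Enabled user accounts with DONT_EXPIRE_PASSWD set. objectCategory=person
' excludes computer objects, which are also of objectClass user.
strFilter = "(&(objectCategory=person)(objectClass=user)" & _
            "(userAccountControl:" & BIT_AND & ":=" & ADS_UF_DONT_EXPIRE_PASSWD & ")" & _
            "(!(userAccountControl:" & BIT_AND & ":=" & ADS_UF_ACCOUNTDISABLE & ")))"
objCmd.CommandText = "<LDAP://" & strDomainDN & ">;" & strFilter & _
                     ";sAMAccountName,distinguishedName;subtree"

WScript.Echo "Enabled accounts whose password never expires:"
Set objRS = objCmd.Execute
Do Until objRS.EOF
    WScript.Echo "  " & objRS.Fields("sAMAccountName").Value & _
                 "  " & objRS.Fields("distinguishedName").Value
    objRS.MoveNext
Loop
objRS.Close
objConn.Close

' Members of Domain Admins, including members of nested groups
WScript.Echo "Domain Admins:"
Set dictSeen = CreateObject("Scripting.Dictionary")
Set objGroup = GetObject("LDAP://CN=Domain Admins,CN=Users," & strDomainDN)
ListMembers objGroup, "  ", dictSeen

' Prints each member once; dictSeen stops a group that (directly or
' indirectly) contains itself from recursing forever.
Sub ListMembers(objGroup, strIndent, dictSeen)
    Dim objMember
    For Each objMember In objGroup.Members
        If Not dictSeen.Exists(objMember.ADsPath) Then
            dictSeen.Add objMember.ADsPath, True
            WScript.Echo strIndent & objMember.Class & "  " & objMember.Name
            If LCase(objMember.Class) = "group" Then
                ListMembers objMember, strIndent & "  ", dictSeen
            End If
        End If
    Next
End Sub
```

Two caveats a practitioner should know. ‘Members’ reflects the group’s ‘member’ attribute only, so an account whose primary group has been changed to Domain Admins (its ‘primaryGroupID’ set to 512) will not appear; a complete audit also searches for that attribute value. And the search runs with the rights of the calling user, so an ordinary domain account can, with default permissions, read everything this script reports: the information an attacker gathers first is the same information a defender can collect in a few lines.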

Further Information

I’ll be posting more ADSI related information soon, so watch this
space for more examples of ADSI in use.

You can read more by going to Microsoft’s ADSI page.
