by Jon Loomes
ADSI (Active Directory Services Interfaces) provides unparalleled
opportunity for Systems Administrators to automate many day-to-day
systems management tasks. ADSI can be used to access NT4.0, NDS,
Windows 2000, Microsoft Exchange and IIS directory structures, and
it is therefore possible to manage all these different environments
using a single management framework.
ADSI may seem daunting at first if you are new to scripting and
COM objects, but the time invested in learning this exciting
new technology will pay dividends if you manage directory structures
as part of your job. Your motto should be: “IF IT HAS TO BE DONE
MORE THAN ONCE, SCRIPT IT!”
This article serves as a guide to using ADSI to access user,
group and computer information from both the NT4 SAM database and
from the Windows 2000 Active Directory. Accessing Exchange, NDS and
IIS directories is achieved in a similar way, although it is not
specifically covered here.
To use the examples in this article you will need access to either
a Windows NT 4.0 machine with WSH and ADSI installed, or a Windows
2000 machine running Active Directory.
You will also need to run the scripts under a user account with sufficient
privileges to access user account information, i.e. an Account
Operator or Administrator equivalent.
It is suggested that you experiment with ADSI in a test
environment first, as it is fairly easy to create a script that has
the ability to make changes right across your environment.
Providers, Schemas, Objects, Properties and Methods – The Building Blocks of ADSI
For those of you unfamiliar with COM terminology, here’s a (very)
brief explanation of the basics:
Provider: The programming interface that allows you to gain
access to something, i.e. the WinNT Provider in ADSI gives you access
to the NT4 directory service.
Schema: The ‘design’ of the different objects in a directory.
For example the NT4 schema contains users, groups and computers.
Users have properties such as ‘FullName’ and ‘Password’. In NT4 the
schema is fixed, i.e. you cannot change the basic design. In Active
Directory the schema is extensible, i.e. it is possible to add
properties to object classes, e.g. you could add a ‘Favourite Colour’ property
to the user object – pointless perhaps, but very powerful!
Objects: The basic contents of a directory, i.e. Users,
Groups, Computers etc.
Properties: Various attributes of an object. A User object
includes the properties ‘FullName’ and ‘Password’.
Methods: A method is a means of changing a property or an
object, e.g. you would use a method to change a user’s password.
ADSI comes with two providers, the WinNT provider and the LDAP
provider. Other providers, such as the IIS provider, are readily
available.
The WinNT Provider
The WinNT Provider is used to access the Windows NT 4.0 directory
structure (i.e. the SAM database). Use this object to access
directory information from NT4.0 based Domains and computers.
The WinNT Schema contains several objects as detailed
below:
Domain: This object holds domain wide settings, such as
Minimum Password Age, Maximum Password Age etc.
User: This object contains all information about a user, i.e.
Description, Home directory, profile path, login script etc.
Group: Contains NT group names and descriptions.
Computer: This object holds some information about a
particular computer, such as Operating System, Processor etc.
Accessing the WinNT Schema Objects
The syntax for accessing the WinNT schema using the WinNT
provider in ADSI is as follows:
First bind to the object required (in VBScript an object reference is assigned with the Set keyword):
Set ObjDomain = GetObject("WinNT://MyDomain") ' This binds to a DOMAIN called 'MyDomain' and assigns it to the variable 'ObjDomain'
We can then access all objects in the Domain object hierarchy,
such as Computers, Users and Groups.
We can also bind to the directory structure on a particular
computer, e.g.
Set ObjComp = GetObject("WinNT://MyDomain/MyComputer") ' This binds to a computer called 'MyComputer' in the domain 'MyDomain'
We can use this to look at local users and groups on a particular
computer.
Once we have a connection to one of these ‘Top Level’ objects in
the WinNT schema, we are in a position to start accessing other
directory objects. This is achieved by examining the ‘Properties’ of
each object we find, determining what it is i.e. is it a user, a
group or a computer, and then performing further actions based on
the results of this.
Accessing Different Classes of Object
We can pick out certain types (classes) of object as
follows:
Set ObjDomain = GetObject("WinNT://MyDomain") ' Bind to the Domain object
For Each Obj In ObjDomain ' Look at each object
    If Obj.Class = "Computer" Then ' If it is of type 'Computer'
        ' Do something
    End If
Next ' Go to the next object in the Domain
Another way of achieving the same thing is to use the container
object’s ‘Filter’ property:
Set ObjDomain = GetObject("WinNT://MyDomain") ' Bind to the Domain object
ObjDomain.Filter = Array("Computer") ' Keep only the 'Computer' objects
For Each ObjComp In ObjDomain ' For each object in the Domain (i.e. Computer objects only, due to the filter)
    ' Do something
Next
This technique is slightly more graceful, as it requires fewer
lines of code.
Of course we can go directly to a particular object class in the
schema, if we know what it is e.g.
Set ObjUser = GetObject("WinNT://MyDomain/MyUser") ' Bind to a user object called 'MyUser' in the 'MyDomain' Domain
Accessing Object Properties
Once we have access to the object type we are interested in, we
can access any ‘properties’ it may contain. For example, an object
of class ‘User’ may contain properties for ‘Password’, ‘Login
script’ and ‘Home Directory’.
Properties are accessed as follows in VBScript:
Set ObjDomain = GetObject("WinNT://MyDomain") ' Bind to the Domain object
ObjDomain.Filter = Array("User") ' Keep only the objects of class 'User'
For Each ObjUser In ObjDomain ' For each object in the Domain (i.e. User objects only, due to the filter)
    MsgBox ObjUser.Name & vbCrLf & ObjUser.Description & vbCrLf & ObjUser.HomeDirectory
    ' Display a message box with the user name, description and home directory separated by carriage returns (vbCrLf)
Next
N.B. The user account this script is run under must have
sufficient rights to be able to view these properties, otherwise the
script will fail.
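Putting the Filter property, the User properties and the Domain object's password settings together, here is an added example (not from the original article) that lists users whose password is older than the domain's maximum password age. It assumes a domain called 'MyDomain' and the WinNT provider's PasswordAge and MaxPasswordAge properties, both expressed in seconds; run it with cscript so the output goes to the console.

```vbscript
' Added example: find NT4 domain accounts whose password has outlived the
' domain's Maximum Password Age, using the WinNT provider.
' 'MyDomain' is a placeholder for your own domain name.
Option Explicit

Function FindStalePasswords(domainName)
    Dim objDomain, objUser, maxAge, report
    report = ""
    Set objDomain = GetObject("WinNT://" & domainName)
    maxAge = objDomain.MaxPasswordAge        ' seconds; 0 means passwords never expire
    objDomain.Filter = Array("User")         ' keep only User objects
    For Each objUser In objDomain
        On Error Resume Next                 ' reading some accounts may be denied
        If maxAge > 0 And objUser.PasswordAge > maxAge Then
            report = report & objUser.Name & " (" & _
                Int(objUser.PasswordAge / 86400) & " days old)" & vbCrLf
        End If
        If Err.Number <> 0 Then
            ' Insufficient rights on this account: record it rather than stop
            report = report & objUser.Name & " (could not read PasswordAge)" & vbCrLf
            Err.Clear
        End If
        On Error GoTo 0
    Next
    FindStalePasswords = report
End Function

WScript.Echo FindStalePasswords("MyDomain")
```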
Changing Object Properties
Now we know how to access various properties of an object, the
next logical step is to be able to change these properties. A
property of an object can be manipulated i.e. changed, by using one
of the ‘Methods’ for that object.
For example, we might want to change a user’s password or home
directory.
The ‘Method’ shown here for changing the password of a User class object is
called ‘ChangePassword’, and its syntax is as follows:
Set ObjUser = GetObject("WinNT://MyDomain/MyUser") ' Bind to a particular user
ObjUser.ChangePassword OldPassword, NewPassword ' Changes the user's password from 'OldPassword' to 'NewPassword'
Of course the only drawback with this method is that it requires
knowledge of the user’s current password, not something that even an
Administrator would usually know!
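Most properties are changed not with a special-purpose method but with the general Put / SetInfo pattern: Put caches the new value locally and SetInfo writes all cached changes to the directory in one go. The following added example (not from the original article) disables a user account and records why in its Description, a typical leaver task. It assumes 'MyDomain' and 'MyUser' as placeholders and the WinNT provider's AccountDisabled property.

```vbscript
' Added example: disable an NT4 account and update its Description using
' Put and SetInfo. Nothing reaches the directory until SetInfo is called.
' 'MyDomain' and 'MyUser' are placeholders.
Option Explicit

Function DisableAccount(domainName, userName, reason)
    Dim objUser
    On Error Resume Next
    ' ',user' tells the provider which class to bind to, avoiding a name clash
    Set objUser = GetObject("WinNT://" & domainName & "/" & userName & ",user")
    If Err.Number <> 0 Then
        DisableAccount = "Bind failed: " & Err.Description
        Exit Function
    End If
    ' Changes are cached locally; SetInfo commits them as a single update
    objUser.AccountDisabled = True
    objUser.Put "Description", "DISABLED " & Date & " - " & reason
    objUser.SetInfo
    If Err.Number <> 0 Then
        DisableAccount = "SetInfo failed: " & Err.Description
    Else
        DisableAccount = userName & " disabled"
    End If
End Function

WScript.Echo DisableAccount("MyDomain", "MyUser", "left the company")
```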
Different object classes and different properties have methods
available which are relevant to them. The following example is a
function that takes a server name as an argument and starts or stops the
‘Schedule’ service, depending on its current state.
' This function checks the status of the 'Schedule' service on a given computer
' and starts it if it is stopped, or stops it if it is already started.
' A bit pointless perhaps, but you get the idea...
Const ADS_SERVICE_STOPPED = 1 ' Status values are numbers, not strings
Const ADS_SERVICE_RUNNING = 4
Function CheckTaskService(Server)
    Set Comp = GetObject("WinNT://MyDomain/" & Server & ",Computer") ' Bind to the computer in question
    Comp.Filter = Array("Service") ' Keep only the computer's objects of type 'Service'
    For Each svc In Comp ' For each service on the computer
        If svc.Name = "Schedule" And svc.Status = ADS_SERVICE_STOPPED Then ' If its name is "Schedule" and it is stopped
            svc.Start ' Start the service
        ElseIf svc.Name = "Schedule" And svc.Status = ADS_SERVICE_RUNNING Then ' If its name is "Schedule" and it is started
            svc.Stop ' Stop the service
        End If
    Next
    Set Comp = Nothing ' Get rid of the objects we created
End Function
N.B. listing all the properties and methods for all the objects
in the WinNT schema would take too long here. This information is
readily available in the WSH documentation, in various books and on
the Web at http://msdn.microsoft.com/scripting
The Active Directory Provider
The Active Directory Provider is, as the name implies, what we
use to access Active Directory objects in Windows 2000 environments.
Because Active Directory conforms to LDAP (Lightweight Directory Access
Protocol), it is accessed by using the ADSI LDAP provider as follows:
Set ObjOU = GetObject("LDAP://ServerName.CompanyName.Com/OU=MyDept")
This example binds to an Organizational Unit (OU) called ‘MyDept’
in the Active Directory provided by the server
‘ServerName.CompanyName.Com’
Once we have bound to the object we can access its properties in
a similar way to the WinNT provider, e.g.
For Each Obj In ObjOU
    MsgBox Obj.Name ' Display the name of every object in the OU
Next
Other properties contained within the OU Object are as
follows:
Locality Name
Postal Address
TelephoneNumber
FaxNumber
SeeAlso
BusinessCategory
The User Object
The User Object within the Active Directory has many more
properties than its equivalent in the WinNT directory structure. In
NT4.0 the properties of a user are limited to Description, FullName,
Home Directory, Profile, LoginScript and so on. Active Directory has
all of these plus additional properties such as EmailAddress,
PostalCode, NamePrefix, Title, Manager, TelephoneNumber and
TelephoneMobile. These can all be accessed and modified
(SET) via ADSI.
Therefore, expanding on the code in the previous
section:
Set ObjOU = GetObject("LDAP://ServerName.CompanyName.Com/OU=MyDept") ' Bind to the OU called 'MyDept'
ObjOU.Filter = Array("User") ' Keep only the user objects in the OU (OUs can also contain computers)
For Each ObjUser In ObjOU ' For each user in the OU
    MsgBox ObjUser.Name & vbCrLf & ObjUser.HomeDirectory ' Return the user name and home directory
Next
The Computer Object
Active Directory Organizational Units (OU’s) may contain
computers as well as users. We can therefore modify the code in the
example above to retrieve information about computers in the
‘MyDept’ OU as follows:
Set ObjOU = GetObject("LDAP://ServerName.CompanyName.Com/OU=MyDept") ' Bind to the OU called 'MyDept'
ObjOU.Filter = Array("Computer") ' Keep only the computer objects in the OU
For Each ObjComp In ObjOU ' For each computer in the OU
    MsgBox ObjComp.Name & vbCrLf & ObjComp.Site & vbCrLf & ObjComp.OperatingSystem ' Return the computer name, site and operating system
Next
The Group Object
OU’s may also contain groups. So we can access the groups in the
‘MyDept’ OU with a few modifications to our code:
Set ObjOU = GetObject("LDAP://ServerName.CompanyName.Com/OU=MyDept") ' Bind to the OU called 'MyDept'
ObjOU.Filter = Array("Group") ' Keep only the group objects in the OU
For Each ObjGroup In ObjOU ' For each group in the OU
    MsgBox ObjGroup.Name & vbCrLf & ObjGroup.Description ' Return the group name and description
Next
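The three LDAP examples above each filter one class from a single OU. The following added example (not from the original article) does the same work in one pass over an OU and every OU nested beneath it, dispatching on each object's Class instead of filtering three times. It assumes a server 'ServerName.CompanyName.Com' and a full distinguished name for the OU (the DC components, which a real directory requires, are placeholders here); run it with cscript.

```vbscript
' Added example: recursively list the users, computers and groups under an
' OU with the LDAP provider. Server name and DN below are placeholders.
Option Explicit

Sub WalkOU(ouPath, depth)
    Dim objOU, obj, indent
    indent = String(depth * 2, " ")
    Set objOU = GetObject(ouPath)
    ' LDAP provider class names are the schema names ('user', not 'User')
    objOU.Filter = Array("organizationalUnit", "user", "computer", "group")
    For Each obj In objOU
        ' Name is the RDN with the LDAP provider, e.g. "CN=Jon Loomes"
        Select Case obj.Class
            Case "organizationalUnit"
                WScript.Echo indent & "[OU] " & obj.Name
                WalkOU obj.ADsPath, depth + 1       ' descend into the sub-OU
            Case "user"
                WScript.Echo indent & "user     " & obj.Name & _
                    "  disabled=" & obj.AccountDisabled
            Case "computer"
                WScript.Echo indent & "computer " & obj.Name & _
                    "  " & obj.OperatingSystem
            Case "group"
                WScript.Echo indent & "group    " & obj.Name & _
                    "  " & obj.Description
        End Select
    Next
End Sub

WalkOU "LDAP://ServerName.CompanyName.Com/OU=MyDept,DC=CompanyName,DC=Com", 0
```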
Further Information
I’ll be posting more ADSI-related information soon, so watch this
space for more examples of ADSI in use.
You can read more by going to: Microsoft’s
ADSI Page