[ Team LiB ] |
21.2 Creating a Full-Featured User AccountCreating user accounts as we've done previously is fine for an introduction, but typically you'll need to set many more attributes to make them usable in your environment. The approaches you use to create fully featured users in the NT and Active Directory environments differ slightly; Active Directory offers considerably more properties than NT, such as the office and home addresses of users, as well as lists of email addresses and pager, fax, and phone numbers. You can manipulate User objects with a special interface called IADsUser. IADsUser's methods and property methods let you directly set many of the User object's property values. Table 21-1 through Table 21-3 contain the methods, read-write property methods, and read-only property methods, respectively, for the IADsUser interface. The corresponding Active Directory attribute is included in parentheses for the property methods that can be set with the LDAP provider.
For more information on IADsUser, check out the following location in the MSDN Library (http://msdn.microsoft.com/library/): Networking and Directory Services Active Directory, ADSI and Directory Services SDK Documentation Directory Services Active Directory Service Interfaces Active Directory Service Interfaces Reference ADSI Interfaces Persistent Object Interfaces IADsUser. Now let's apply some of this knowledge to two examples. The first shows how to create a fully featured user in Windows NT, and the second shows how to create a fully featured user in Active Directory. 21.2.1 WinNT ProviderExample 21-1 uses several IADsUser property methods and several constant values to create a fully featured user in NT. Example 21-1. Creating a full-featured user account in Windows NTOption Explicit '********************************************************************** 'Flag constants. See the later sidebar on "Boolean Arithmetic with 'Hexadecimal Values." '********************************************************************** Const UF_SCRIPT = &H1 Const UF_ACCOUNTDISABLE = &H2 Const UF_LOCKOUT = &H10 Const UF_PASSWD_NOTREQD = &H20 Const UF_PASSWORD_CANT_CHANGE = &H40 Const UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED = &H80 Const UF_DONT_EXPIRE_PASSWD = &H10000 Dim objDomain, objUser, fso, intUserFlags, intNewUserFlags Dim fldUserHomedir, wshShell Set objDomain = GetObject("WinNT://MYDOMAIN") Set objUser = objDomain.Create("user","vlaunders") '********************************************************************** 'Write the newly created object out from the property cache and read 'all the properties for the object, including the ones set by the 'system on creation '********************************************************************** objUser.SetInfo objUser.GetInfo '********************************************************************** 'Set the properties '********************************************************************** objUser.AccountDisabled = False objUser.AccountExpirationDate = "02/05/04" objUser.Description = "My description goes here!" objUser.FullName = "Victoria Launders" objUser.IsAccountLocked = False objUser.LoginScript = "login.vbs" objUser.PasswordRequired = True '********************************************************************** 'Set all the properties for the user and read back the data, including 'any default so that you can set the flags '********************************************************************** objUser.SetInfo objUser.GetInfo '********************************************************************** 'Make sure the password never expires and the user can't change it '********************************************************************** intUserFlags = objUser.Get("userFlags") intNewUserFlags = intUserFlags Or UF_DONT_EXPIRE_PASSWD intNewUserFlags = intNewUserFlags Or UF_PASSWORD_CANT_CHANGE objUser.Put "userFlags", intNewUserFlags objUser.SetInfo '********************************************************************** 'Set the password '********************************************************************** objUser.SetPassword "thepassword" Most of the code in the script is self-explanatory, except for making sure the password never expires. We used two hexadecimal constants to explicitly force the new user account to have a password that never expires and that the user can't change. The code to set these password requirements might seem complicated, but it involves simple arithmetic; the sidebar "Boolean Arithmetic with Hexadecimal Values" explains this arithmetic. If you prefer not to use hex constants, you might be able to use a User object property method. For example, you can use the IADsUser::AccountDisabled property method instead of the UF_ACCOUNTDISABLE constant to disable an account. Similarly, you can use the IADsUser::IsAccountLocked property method instead of the UF_LOCKOUT constant to lock an account. These IADs property methods hide the arithmetic within a simple Boolean value.
21.2.2 LDAP ProviderExample 21-2 shows how to create a fully featured user in Active Directory. This script is similar to the last one, with a couple of major differences. The property name userFlags changes to userAccountControl for the extended settings. Home directory attributes are set along with creation of the home directory folder if it doesn't exist. Other minor differences exist, such as the use of more constants and property methods. Active Directory lets you set many property values for users, including multivalue properties that you set via an array. For example, you can list several telephone numbers for the TelephoneNumber, TelephoneMobile, and TelephoneHome properties. Through the use of constants, you can even set up Active Directory to let users log on with smart cards. Example 21-2. Creating a full-featured user account in Active DirectoryOption Explicit '********************************************************************** 'WshShell::Run constants '********************************************************************** Const vbMinimizedNoFocus = 6 '********************************************************************** 'Flag constants. See the later sidebar on "Boolean Arithmetic with 'Hexadecimal Values." '********************************************************************** Const UF_SCRIPT = &H1 Const UF_ACCOUNTDISABLE = &H2 Const UF_HOMEDIR_REQUIRED = &H8 Const UF_LOCKOUT = &H10 Const UF_PASSWD_NOTREQD = &H20 Const UF_PASSWORD_CANT_CHANGE = &H40 Const UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED = &H80 Const UF_DONT_EXPIRE_PASSWD = &H10000 Const UF_MNS_LOGON_ACCOUNT = &H20000 Const UF_SMARTCARD_REQUIRED = &H40000 Const UF_TRUSTED_FOR_DELEGATION = &H80000 Const UF_NOT_DELEGATED = &H100000 Const ADS_PROPERTY_UPDATE = 2 Dim objDomain, objUser, fso, intUserFlags, intNewUserFlags Dim fldUserHomedir, wshShell Set objDomain = GetObject("LDAP://cn=Users,dc=mycorp,dc=com") Set objUser = objDomain.Create("user","cn=vlaunders") objUser.Put "sAMAccountName", "vlaunders" objUser.Put "userPrincipalName", "[email protected]" '********************************************************************** 'Write the newly created object out from the property cache and read 'all the properties for the object, including the ones set by the 'system on creation '********************************************************************** objUser.SetInfo objUser.GetInfo '********************************************************************** 'Set the properties '********************************************************************** objUser.AccountDisabled = False objUser.AccountExpirationDate = "02/05/01" objUser.Description = "My description goes here!" objUser.IsAccountLocked = False objUser.LoginScript = "login.vbs" objUser.Profile = "\\MYDOMAIN\DFS\Users\vlaunders\profile" objUser.PasswordRequired = True objUser.TelephoneHome = Array("0123-555-7890") objUser.PutEx ADS_PROPERTY_UPDATE, "otherHomePhone", _ Array("0123 555 7891", "0123 555 7892") objUser.TelephoneNumber = Array("0123 555 7890") objUser.PutEx ADS_PROPERTY_UPDATE, "otherTelephone", _ Array("0123 555 7891", "0123 555 7892") objUser.TelephoneMobile = Array("0123 555 7890") objUser.PutEx ADS_PROPERTY_UPDATE, "otherMobile", _ Array("0123 555 7891", "0123 555 7892") objUser.NamePrefix = "Ms." objUser.FirstName = "Victoria" objUser.LastName = "Launders" objUser.DisplayName = "Victoria Launders" '********************************************************************** 'Set the drive that you'll map to '********************************************************************** objUser.HomeDirectory = "\\MYDOMAIN\DFS\Users\vlaunders" objUser.Put "homeDrive", "Z:" '********************************************************************** 'Set all the properties for the user and read back the data, including 'any defaults, so that you can set the flags '********************************************************************** objUser.SetInfo objUser.GetInfo '********************************************************************** 'Make sure the password never expires and the user can't change it '********************************************************************** intUserFlags = objUser.Get("userAccountControl") intNewUserFlags = intUserFlags Or UF_DONT_EXPIRE_PASSWD intNewUserFlags = intNewUserFlags Or UF_PASSWORD_CANT_CHANGE objUser.Put "userAccountControl", intNewUserFlags objUser.SetInfo '********************************************************************** 'Create the home directory '********************************************************************** Set fso = CreateObject("Scripting.FileSystemObject") If Not fso.FolderExists("\\MYDOMAIN\DFS\Users\vlaunders") Then Set fldUserHomedir = fso.CreateFolder("\\MYDOMAIN\DFS\Users\vlaunders") End If '********************************************************************** 'Set full rights for the user to the home directory '********************************************************************** Set wshShell = WScript.CreateObject("Wscript.Shell") wshShell.Run "cacls.exe \\MYDOMAIN\DFS\Users\vlaunders /e /g vlaunders:F", vbMinimizedNoFocus, True '********************************************************************** 'Set the password '********************************************************************** objUser.SetPassword "thepassword" We created the home directory by obtaining a reference to a FileSystemObject object and calling the FileSystemObject::CreateFolder method if the directory doesn't already exist. The permissions were set by running the cacls.exe command available from the Resource Kit using the WshShell::Run method. When calling WshShell::Run, you need to include three parameters. The first parameter is the command you want to execute; the second parameter can be any of the following constant values that describe how you want to treat the new window produced by executing the command: Const vbHide = 0 ` hides the window Const vbNormalFocus = 1 ` displays the window Const vbMinimizedFocus = 2 ` minimizes the window with focus Const vbMaximizedFocus = 3 ` maximizes the window with focus Const vbNormalNoFocus = 4 ` displays the window w/o focus Const vbMinimizedNoFocus = 6 ` minimizes the window w/o focus The last parameter to the WshShell::Run method should be to set to true if you want the script to wait until CACLS finishes before continuing to the next line.
|
[ Team LiB ] |