Re: Renaming AD User Accounts using the WinNT Provider
- From: meridean <chris.john.flynn@xxxxxxxxx>
- Date: Thu, 12 Jul 2007 02:07:27 -0700
On 10 Jul, 16:42, "Richard Mueller [MVP]" <rlmueller-nos...@xxxxxxxxxxxxxxxxxxxx> wrote:
meridean wrote:
Can anyone help me here please. I have a VBScript which will rename
and disable NT accounts with no problem but am struggling to get a
Script to work for the AD users.
I need to be able to do the following:
A) Search the AD using input from the user for the username.
B) Rename the AD Username and Pre-Windows 2000 username with new
input.
C) Disable the account once it has been renamed.
If anyone can help with this I would appreciate it. Many Thanks
There are several attributes used to name Active Directory user accounts.
The value of the cn attribute (Common Name) is the value in the field
labeled "name" in ADUC. It is also called the Relative Distinguished Name
(RDN), because it uniquely identifies the object in the AD container/OU.
However, it does not need to be unique in the domain. There can be many
objects with the same Common Name, as long as they are in different
container/OU's.
The distinguishedName of the object uniquely identifies the object, shows
where it is in the hierarchy of AD, and includes the Common Name. For
example:
cn=Jim Smith,ou=Sales,ou=West,dc=MyDomain,dc=com
This object has RDN "cn=Jim Smith" and is in the OU "ou=Sales", which in
turn is in the OU "ou=West", which is in the domain "MyDomain.com".
Another name attribute is sAMAccountName, also called the NT name (because
it is the same as the value of the "Name" attribute exposed by the WinNT
provider) or the "pre-Windows 2000 logon name". Some call this the UserID.
It must be unique in the domain.
The first problem with your question is that the WinNT provider is blind to
the distinguishedName and cn attributes. It only exposes the "Name"
attribute, which is the value of the sAMAccountName attribute. You cannot
change the value of the "cn" attribute with the WinNT provider. You must use
the MoveHere method of the user object to modify the "Name" attribute
exposed by the WinNT provider, since this provider considers this the name
of the object.
Using the LDAP provider, you can modify sAMAccountName by simply assigning a
new value. However, since the value of the "cn" attribute is the RDN of the
object, you must use the MoveHere method of the user object exposed by the
LDAP provider to rename the object (change the value of the "cn" attribute).
This of course also modifies the distinguishedName. Of course, the MoveHere
object can also move the object to another container/OU, which changes the
distinguishedName (even if the RDN does not change).
If you are dealing with Active Directory, I would recommend using the LDAP
provider. If nothing else, many attributes (such as cn) are not exposed by
the WinNT provider.
Question. What do you mean by username in A) above?
If you mean sAMAccountName, then you can use the NameTranslate object to
convert this to the distinguishedName. If you mean the value of the "cn"
attribute (Common Name), then you can use ADO to search AD for user objects
with the cn value. There could be more than one. Once found, you can
retrieve sAMAccountName and distinguishedName.
--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--
Hi Richard,
Thanks for this information. I managed to get it working using the
following code. I ended up using an LDAP search and then incorporating
the MoveHere method to complete the request.
Thanks again for all your help.
Sub RenameAccountAD(username, newusername, strNTDomain)
    ' Open a connection to AD using the LDAP provider (ADO over ADsDSOObject)
    Set objCommand = CreateObject("ADODB.Command")
    Set objConnection = CreateObject("ADODB.Connection")
    objConnection.Provider = "ADsDSOObject"
    objConnection.Open "Active Directory Provider"
    objCommand.ActiveConnection = objConnection

    ' *** Search the domain for the account by sAMAccountName ***
    ' Note: username is placed in the filter as-is; if it can come from an
    ' untrusted source, escape \ * ( ) per RFC 4515 before building the filter.
    strBase = "<LDAP://" & strNTDomain & ">"
    strFilter = "(&(objectCategory=person)(sAMAccountName=" & username & "))"
    strAttributes = "sAMAccountName,Name,userPrincipalName,AdsPath"
    strQuery = strBase & ";" & strFilter & ";" & strAttributes
    objCommand.CommandText = strQuery
    Set ADSIRecordSet = objCommand.Execute

    ' An empty recordset means there is no such account (reading a field at
    ' EOF raises an ADO error, not the WinNT "user not found" error code)
    If ADSIRecordSet.EOF Then
        MsgBox "The account could not be found for " & username
        Exit Sub
    End If
    strAdsPath = ADSIRecordSet.Fields("AdsPath").Value
    strUPN = ADSIRecordSet.Fields("userPrincipalName").Value

    ' Keep the existing UPN suffix ("@domain") for the new logon name;
    ' userPrincipalName may be empty, in which case it is left untouched
    strUPNSuffix = ""
    If Not IsNull(strUPN) Then
        If InStr(strUPN, "@") > 0 Then strUPNSuffix = Mid(strUPN, InStr(strUPN, "@"))
    End If

    ' Bind to the parent container through the object's Parent property rather
    ' than splitting the AdsPath on commas, which breaks for an RDN such as
    ' "cn=Smith\, Jim"
    Set objUser = GetObject(strAdsPath)
    Set objCont = GetObject(objUser.Parent)

    ' MoveHere renames the object: the cn (RDN) changes, so the DN changes too.
    ' It returns the object bound at its new path.
    Set objUser = objCont.MoveHere(strAdsPath, "cn=" & newusername)

    ' sAMAccountName and userPrincipalName can simply be assigned
    objUser.Put "sAMAccountName", newusername
    If strUPNSuffix <> "" Then objUser.Put "userPrincipalName", newusername & strUPNSuffix
    strDesc = objUser.Description
    objUser.Put "Description", "Account Renamed by Script on: " & Now() & " - " & strDesc
    objUser.SetInfo

    ' *** Disable the user account in the domain ***
    objUser.AccountDisabled = True
    objUser.SetInfo
    MsgBox "Account: " & username & " has been renamed to: " & newusername & _
           " and has been disabled."
End Sub
I hope this code can help others. I have also included my code for
deleting an AD User in case this helps anyone.
Sub DeleteAccountAD(username, strNTDomain)
    ' Open a connection to AD using the LDAP provider (ADO over ADsDSOObject)
    Set objCommand = CreateObject("ADODB.Command")
    Set objConnection = CreateObject("ADODB.Connection")
    objConnection.Provider = "ADsDSOObject"
    objConnection.Open "Active Directory Provider"
    objCommand.ActiveConnection = objConnection

    ' *** Search the domain for the account by sAMAccountName ***
    strBase = "<LDAP://" & strNTDomain & ">"
    strFilter = "(&(objectCategory=person)(sAMAccountName=" & username & "))"
    strAttributes = "sAMAccountName,Name,AdsPath"
    strQuery = strBase & ";" & strFilter & ";" & strAttributes
    objCommand.CommandText = strQuery
    Set ADSIRecordSet = objCommand.Execute

    ' An empty recordset means there is no such account
    If ADSIRecordSet.EOF Then
        MsgBox "The account could not be found for " & username
        Exit Sub
    End If
    strAdsPath = ADSIRecordSet.Fields("AdsPath").Value

    ' Bind to the object and its parent container. Delete takes the RDN
    ' ("cn=Jim Smith"), which is not the sAMAccountName, so read it from the
    ' object's Name property instead of building it from the logon name.
    Set objUser = GetObject(strAdsPath)
    Set objCont = GetObject(objUser.Parent)
    objCont.Delete objUser.Class, objUser.Name
    MsgBox "Account: " & username & " has been deleted."
End Sub
Thanks Again.
Chris
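Added example (Python, not the VBScript from the thread): the two string-handling steps the posted script does by hand, written to survive the edge cases Richard's naming discussion implies. rdn_and_parent() splits a distinguishedName into its RDN and parent DN while honouring RFC 4514 backslash escapes, so "cn=Smith\, Jim" is not torn apart at its comma the way Split(strAdsPath, ",") would; ldap_filter_escape() applies RFC 4515 encoding so a caller-supplied sAMAccountName cannot change the shape of the "(sAMAccountName=...)" filter. The sample DNs are constructed from the one Richard gave.

```python
# Added illustration; not code from the thread. Shows RFC 4514 DN splitting and
# escaping, and RFC 4515 filter escaping, for the values the script builds.

def rdn_and_parent(dn):
    """Return (rdn, parent_dn); commas preceded by a backslash do not split."""
    escaped = False
    for i, ch in enumerate(dn):
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            return dn[:i], dn[i + 1:].lstrip()
    return dn, ""  # single-component DN: no parent

_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def ldap_filter_escape(value):
    """Escape an assertion value for an LDAP search filter (RFC 4515 s.3)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def lookup_filter(sam_account_name):
    """The filter the posted script builds, with the value escaped."""
    return "(&(objectCategory=person)(sAMAccountName=%s))" % ldap_filter_escape(sam_account_name)

def dn_value_escape(value):
    """Escape an attribute value for use in an RDN (RFC 4514 s.2.4)."""
    out = "".join("\\" + ch if ch in '"+,;<>\\' else ch for ch in value)
    if out[:1] in ("#", " "):               # leading '#' or space must be escaped
        out = "\\" + out
    if len(value) > 1 and value.endswith(" "):  # and so must a trailing space
        out = out[:-1] + "\\ "
    return out

def dn_after_rename(dn, new_cn):
    """DN the object has after MoveHere(<old AdsPath>, "cn=" + new_cn)."""
    _, parent = rdn_and_parent(dn)
    new_rdn = "cn=" + dn_value_escape(new_cn)
    return new_rdn + "," + parent if parent else new_rdn

if __name__ == "__main__":
    dn = "cn=Jim Smith,ou=Sales,ou=West,dc=MyDomain,dc=com"   # DN from the thread
    print(rdn_and_parent(dn))
    print(lookup_filter("jsmith*)(objectClass=*"))           # constructed input
    print(dn_after_rename(dn, "Smith, Jim"))
```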