Re: Creating Computer accounts in the AD with VBScript
From: Andrei Ungureanu (andreix.nospam_at_msn.com)
Date: 01/08/05
- Next message: Cary Shultz [A.D. MVP]: "Re: Replacing Domain Controller with new server"
- Previous message: Cary Shultz [A.D. MVP]: "Re: Replacing Domain Controller with new server"
- In reply to: Greg K Wong: "Creating Computer accounts in the AD with VBScript"
- Next in thread: lforbes: "Re: Re: Creating Computer accounts in the AD with VBScript"
- Reply: lforbes: "Re: Re: Creating Computer accounts in the AD with VBScript"
- Messages sorted by: [ date ] [ thread ]
Date: Sat, 8 Jan 2005 13:41:02 +0200
Hi,
I haven't used your script, but I have used this script:
http://www.microsoft.com/technet/scriptcenter/scripts/ad/computer/cptrvb02.mspx
Set the strComputerUser to domainname\Domain Users and it will work.
--
Andrei Ungureanu
www.eventid.net
Free Windows event logs reports
http://www.altairtech.ca/evlog/

"Greg K Wong" <Nunya@biddness.com> wrote in message
news:52mut054kq6c09gp0qfmmsqihk5h68nuve@4ax.com...
> I am looking for input on how to create multiple computer
> accounts in the Active Directory using VBScript. I have been
> successful in creating the machine accounts, but I need to be able to
> specify a GROUP that may join the machine to the domain other than
> the Domain Administrators. Specifically, when the accounts are
> created I would like to enable "Everyone" to join the PC to the
> domain.
> The script below is directly from Microsoft. It seems to show
> how to specify a user or group that can join the machine to a domain,
> but I am having trouble getting this to work correctly.
>
> '***********************
> '* Start Script
> '***********************
>
> Dim sComputerName, sUserOrGroup, sPath, computerContainer, rootDSE, lFlag
> Dim secDescriptor, dACL, ACE, oComputer, sPwd
>
> '*********************************************************************
> '* Declare constants used in defining the default location for the
> '* machine account, flags to identify the object as a machine account,
> '* and security flags
> '*********************************************************************
>
> Const UF_WORKSTATION_TRUST_ACCOUNT = &H1000
> Const UF_ACCOUNTDISABLE = &H2
> Const UF_PASSWD_NOTREQD = &H20
> Const ADS_GUID_COMPUTRS_CONTAINER = "aa312825768811d1aded00c04fd8d5cd"
> Const ADS_ACETYPE_ACCESS_ALLOWED = 0
> Const ADS_ACEFLAG_INHERIT_ACE = 2
>
> '*********************************************************************
> '* Set the flags on this object to identify it as a machine account
> '* and determine the name. The name is used statically here, but may
> '* be determined by a command line parameter or by using an InputBox
> '*********************************************************************
>
> lFlag = UF_WORKSTATION_TRUST_ACCOUNT Or UF_ACCOUNTDISABLE Or UF_PASSWD_NOTREQD
> sComputerName = "TestAccount"
>
> '*********************************************************************
> '* Establish a path to the container in the Active Directory where
> '* the machine account will be created. In this example, this will
> '* automatically locate a domain controller for the domain, read the
> '* domain name, and bind to the default "Computers" container
> '*********************************************************************
>
> Set rootDSE = GetObject("LDAP://RootDSE")
> sPath = "LDAP://<WKGUID=" & ADS_GUID_COMPUTRS_CONTAINER
> sPath = sPath + ","
> sPath = sPath + rootDSE.Get("defaultNamingContext")
> sPath = sPath + ">"
> Set computerContainer = GetObject(sPath)
> sPath = "LDAP://" & computerContainer.Get("distinguishedName")
> Set computerContainer = GetObject(sPath)
>
> '*********************************************************************
> '* Here, the computer account is created. Certain attributes must
> '* have a value before calling .SetInfo to commit (write) the object
> '* to the Active Directory
> '*********************************************************************
>
> Set oComputer = computerContainer.Create("computer", "CN=" & sComputerName)
> oComputer.Put "samAccountName", sComputerName + "$"
> oComputer.Put "userAccountControl", lFlag
> oComputer.SetInfo
>
> '*********************************************************************
> '* Establish a default password for the machine account
> '*********************************************************************
>
> sPwd = sComputerName & "$"
> sPwd = LCase(sPwd)
> oComputer.SetPassword sPwd
>
> '*********************************************************************
> '* Specify which user or group may activate/join this computer to the
> '* domain. In this example, "MYDOMAIN" is the domain name and
> '* "JoeSmith" is the account being given the permission. Note that
> '* this is the downlevel naming convention used in this example.
> '*********************************************************************
>
> sUserOrGroup = "MYDOMAIN\joesmith"
>
> '*********************************************************************
> '* Bind to the Discretionary ACL on the newly created computer account
> '* and create an Access Control Entry (ACE) that gives the specified
> '* user or group full control on the machine account
> '*********************************************************************
>
> Set secDescriptor = oComputer.Get("ntSecurityDescriptor")
> Set dACL = secDescriptor.DiscretionaryAcl
> Set ACE = CreateObject("AccessControlEntry")
>
> '*********************************************************************
> '* An AccessMask of "-1" grants Full Control
> '*********************************************************************
>
> ACE.AccessMask = -1
> ACE.AceType = ADS_ACETYPE_ACCESS_ALLOWED
> ACE.AceFlags = ADS_ACEFLAG_INHERIT_ACE
>
> '*********************************************************************
> '* Grant this control to the user or group specified earlier.
> '*********************************************************************
>
> ACE.Trustee = sUserOrGroup
>
> '*********************************************************************
> '* Now, add this ACE to the DACL on the machine account
> '*********************************************************************
>
> dACL.AddAce ACE
> secDescriptor.DiscretionaryAcl = dACL
>
> '*********************************************************************
> '* Commit (write) the security changes to the machine account
> '*********************************************************************
>
> oComputer.Put "ntSecurityDescriptor", Array(secDescriptor)
> oComputer.SetInfo
>
> '*********************************************************************
> '* Once all parameters and permissions have been set, enable the
> '* account.
> '*********************************************************************
>
> oComputer.AccountDisabled = False
> oComputer.SetInfo
>
> '*********************************************************************
> '* Create an Access Control Entry (ACE) that gives the specified user
> '* or group full control on the machine account
> '*********************************************************************
>
> wscript.echo "The command completed successfully."
>
> '*****************
> '* End Script
> '*****************
>
> I may be specifying the incorrect "Downlevel Naming Convention" for
> "Everyone". I have tried "BUILTIN\Everyone", "Everyone", and
> "MYDOMAIN\Everyone", but nothing has worked yet. Anyone have any
> ideas?
>
> TYIA
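
An added example, not part of the thread or of the Microsoft script: the quoted script adds an allow ACE with full control (AccessMask -1) for its trustee, so an audit of computer objects can look for that ACE shape held by a broad group. The sketch below parses the DACL from an SDDL string and reports allow ACEs that give full control to Everyone, Authenticated Users or Domain Users; the function names and the sample SDDL are constructed for illustration.

```python
import re

# SDDL rights tokens used on directory objects, with their access-mask bits.
RIGHTS = {"CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
          "DT": 0x40, "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000,
          "WD": 0x40000, "WO": 0x80000, "GA": 0x10000000}
DS_FULL_CONTROL = 0xF01FF  # all directory-object rights plus the standard rights
# Broad trustees, keyed by SDDL alias or well-known SID.
BROAD = {"WD": "Everyone", "S-1-1-0": "Everyone",
         "AU": "Authenticated Users", "S-1-5-11": "Authenticated Users",
         "DU": "Domain Users"}

def parse_mask(rights):
    """Convert an SDDL rights field (hex literal or two-letter tokens) to bits."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for token in re.findall("..", rights):
        mask |= RIGHTS.get(token, 0)  # tokens not in the table add no bits
    return mask

def broad_trustee(sid):
    """Return a display name if the trustee is a broad group, else None."""
    if sid in BROAD:
        return BROAD[sid]
    if re.fullmatch(r"S-1-5-21(-\d+){3}-513", sid):  # RID 513 = Domain Users
        return "Domain Users"
    return None

def broad_full_control_aces(sddl):
    """List (trustee, ace_flags) for allow ACEs granting full control broadly."""
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)  # stops before any S: part
    findings = []
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(1) if dacl else ""):
        fields = ace.split(";")  # type;flags;rights;object;inherit_object;sid
        if len(fields) < 6 or fields[0] != "A":
            continue  # only plain access-allowed ACEs are of interest here
        name, mask = broad_trustee(fields[5]), parse_mask(fields[2])
        full = (mask & RIGHTS["GA"]) or (mask & DS_FULL_CONTROL) == DS_FULL_CONTROL
        if name and full:
            findings.append((name, fields[1]))
    return findings

# Constructed sample descriptor (not taken from a real directory).
SAMPLE = ("O:DAG:DAD:AI(A;CI;GA;;;WD)(D;;GA;;;AN)(A;;RPWP;;;AU)"
          "(A;CI;0xf01ff;;;S-1-5-21-1111-2222-3333-513)(A;;GA;;;DA)S:(AU;SA;GA;;;WD)")

if __name__ == "__main__":
    for trustee, flags in broad_full_control_aces(SAMPLE):
        print(f"full control granted to {trustee} (ACE flags: {flags or 'none'})")
```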