Re: Creating Computer Accounts in the Active Directory

From: Greg K Wong (Nunya_at_biddness.com)
Date: 01/08/05


Date: Sat, 08 Jan 2005 09:49:56 -0600

Dennis,

        I did try using "Domain Users", but that did not work either.
I know if you create the computer account manually in the AD you CAN
specify "Everyone" may join the computer, but I cannot find how to do
this programmatically.

Greg

On Sat, 8 Jan 2005 14:29:09 +0800, "Dennis Chung"
<dennischung@avantustraining.com> wrote:

>Hi Greg,
>
>instead of "Everyone", try Domain Users. I didn't see through your code.
>Don't remember there is an Everyone in AD.
>
>Anyway, let us know your outcome. ;-)
>
>Dennis
>
>"Greg K Wong" <Nunya@biddness.com> wrote in message
>news:80out0piif3sa04jeb15mktho2lqvgn41e@4ax.com...
>> I am looking for input on how to create multiple computer
>> accounts in the Active Directory using VBScript. I have been
>> successful in creating the machine accounts, but I need to be able to
>> specify a GROUP that may join to the machine to the domain other than
>> the Domain Administrators. Specifically, when the accounts are
>> created I would like to enable "Everyone" to join the PC to the
>> domain.
>> The script below is directly from Microsoft. It seems to show
>> how to specify a user or group that can join the machine to a domain,
>> but I am having trouble getting this to work correctly.
>>
>> '***********************
>> '* Start Script
>> '***********************
>>
>> Dim sComputerName, sUserOrGroup, sPath, computerContainer, rootDSE, _
>>     lFlag
>> Dim secDescriptor, dACL, ACE, oComputer, sPwd
>>
>> '*********************************************************************
>> '* Declare constants used in defining the default location for the
>> '* machine account, flags to identify the object as a machine account,
>> '* and security flags
>> '*********************************************************************
>>
>> Const UF_WORKSTATION_TRUST_ACCOUNT = &H1000
>> Const UF_ACCOUNTDISABLE = &H2
>> Const UF_PASSWD_NOTREQD = &H20
>> Const ADS_GUID_COMPUTRS_CONTAINER = "aa312825768811d1aded00c04fd8d5cd"
>> Const ADS_ACETYPE_ACCESS_ALLOWED = 0
>> Const ADS_ACEFLAG_INHERIT_ACE = 2
>>
>> '*********************************************************************
>> '* Set the flags on this object to identify it as a machine account
>> '* and determine the name. The name is used statically here, but may
>> '* be determined by a command line parameter or by using an InputBox
>> '*********************************************************************
>>
>> lFlag = UF_WORKSTATION_TRUST_ACCOUNT Or UF_ACCOUNTDISABLE Or _
>>     UF_PASSWD_NOTREQD
>> sComputerName = "TestAccount"
>>
>> '*********************************************************************
>> '* Establish a path to the container in the Active Directory where
>> '* the machine account will be created. In this example, this will
>> '* automatically locate a domain controller for the domain, read the
>> '* domain name, and bind to the default "Computers" container
>> '*********************************************************************
>>
>> Set rootDSE = GetObject("LDAP://RootDSE")
>> sPath = "LDAP://<WKGUID=" & ADS_GUID_COMPUTRS_CONTAINER
>> sPath = sPath + ","
>> sPath = sPath + rootDSE.Get("defaultNamingContext")
>> sPath = sPath + ">"
>> Set computerContainer = GetObject(sPath)
>> sPath = "LDAP://" & computerContainer.Get("distinguishedName")
>> Set computerContainer = GetObject(sPath)
>>
>> '*********************************************************************
>> '* Here, the computer account is created. Certain attributes must
>> '* have a value before calling .SetInfo to commit (write) the object
>> '* to the Active Directory
>> '*********************************************************************
>>
>> Set oComputer = computerContainer.Create("computer", "CN=" & _
>>     sComputerName)
>> oComputer.Put "samAccountName", sComputerName + "$"
>> oComputer.Put "userAccountControl", lFlag
>> oComputer.SetInfo
>>
>> '*********************************************************************
>> '* Establish a default password for the machine account
>> '*********************************************************************
>>
>> sPwd = sComputerName & "$"
>> sPwd = LCase(sPwd)
>> oComputer.SetPassword sPwd
>>
>> '*********************************************************************
>> '* Specify which user or group may activate/join this computer to the
>> '* domain. In this example, "MYDOMAIN" is the domain name and
>> '* "JoeSmith" is the account being given the permission. Note that
>> '* this is the downlevel naming convention used in this example.
>> '*********************************************************************
>>
>> sUserOrGroup = "MYDOMAIN\joesmith"
>>
>> '*********************************************************************
>> '* Bind to the Discretionary ACL on the newly created computer account
>> '* and create an Access Control Entry (ACE) that gives the specified
>> '* user or group full control on the machine account
>> '*********************************************************************
>>
>> Set secDescriptor = oComputer.Get("ntSecurityDescriptor")
>> Set dACL = secDescriptor.DiscretionaryAcl
>> Set ACE = CreateObject("AccessControlEntry")
>>
>> '*********************************************************************
>> '* An AccessMask of "-1" grants Full Control
>> '*********************************************************************
>>
>> ACE.AccessMask = -1
>> ACE.AceType = ADS_ACETYPE_ACCESS_ALLOWED
>> ACE.AceFlags = ADS_ACEFLAG_INHERIT_ACE
>>
>> '*********************************************************************
>> '* Grant this control to the user or group specified earlier.
>> '*********************************************************************
>>
>> ACE.Trustee = sUserOrGroup
>>
>> '*********************************************************************
>> '* Now, add this ACE to the DACL on the machine account
>> '*********************************************************************
>>
>> dACL.AddAce ACE
>> secDescriptor.DiscretionaryAcl = dACL
>>
>> '*********************************************************************
>> '* Commit (write) the security changes to the machine account
>> '*********************************************************************
>>
>> oComputer.Put "ntSecurityDescriptor", Array(secDescriptor)
>> oComputer.SetInfo
>>
>> '*********************************************************************
>> '* Once all parameters and permissions have been set, enable the
>> '* account.
>> '*********************************************************************
>>
>> oComputer.AccountDisabled = False
>> oComputer.SetInfo
>>
>> '*********************************************************************
>> '* Report that the account was created and its permissions were set
>> '*********************************************************************
>>
>> wscript.echo "The command completed successfully."
>>
>> '*****************
>> '* End Script
>> '*****************
>>
>> I may be specifying the incorrect "Downlevel Naming Convention" for
>> "Everyone". I have tried "BUILTIN\Everyone", "Everyone", and
>> "MYDOMAIN\Everyone", but nothing has worked yet. Anyone have any
>> Ideas?
>>
>> TYIA
>
>
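The ACE the script above writes (AccessMask -1, ADS_ACETYPE_ACCESS_ALLOWED, trustee "Everyone") grants full control over the computer object, not merely the right to join it. As an added example that is not part of this thread, the following Python audit function parses the SDDL form of a computer object's security descriptor and reports allow ACEs that give a broad trustee (Everyone, Authenticated Users, Domain Users) any write-class right; the SDDL string is constructed for the example, and the RID-513 suffix match for Domain Users is an assumption about how the exported SID appears.

```python
import re

# Constructed sample: what a pre-staged computer object could carry after the
# posted script ran with sUserOrGroup resolving to Everyone (trustee WD), plus
# the usual Domain Admins ACE, a read-only ACE for Authenticated Users and a
# write-property ACE for a domain's Domain Users group (RID 513).
SAMPLE_SDDL = ("O:DAG:DAD:(A;;GA;;;WD)"
               "(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)"
               "(A;;RPLC;;;AU)"
               "(A;CI;RPWP;;;S-1-5-21-1000-2000-3000-513)")

BROAD_TRUSTEES = {"WD": "Everyone", "AU": "Authenticated Users", "DU": "Domain Users"}
# Rights that let the trustee alter the object or its security, not only read it.
WRITE_RIGHTS = {"GA": "full control", "GW": "generic write", "WP": "write property",
                "WD": "write DACL", "WO": "write owner", "CR": "control access"}
# The same rights as mask bits, for descriptors whose rights field is a hex
# number (an ADSI AccessMask of -1 is 0xFFFFFFFF and sets every one of them).
MASK_BITS = {0x10000000: "full control", 0x40000000: "generic write", 0x20: "write property",
             0x40000: "write DACL", 0x80000: "write owner", 0x100: "control access"}

def parse_dacl(sddl):
    """Return the DACL ACEs of an SDDL string as dicts (type, flags, rights, trustee)."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1) if m else ""):
        fields = body.split(";")
        if len(fields) < 6:
            continue  # malformed ACE: skip rather than guess
        aces.append({"type": fields[0], "flags": fields[1],
                     "rights": fields[2], "trustee": fields[5]})
    return aces

def write_rights(rights):
    """Names of write-class rights in a rights field (two-letter codes or hex mask)."""
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)
        return [name for bit, name in MASK_BITS.items() if mask & bit]
    pairs = [rights[i:i + 2] for i in range(0, len(rights), 2)]
    return [WRITE_RIGHTS[p] for p in pairs if p in WRITE_RIGHTS]

def risky_aces(sddl):
    """Allow ACEs granting a broad trustee write-class rights over the object."""
    findings = []
    for ace in parse_dacl(sddl):
        trustee = ace["trustee"]
        if trustee.endswith("-513"):  # assumption: Domain Users exported as full SID
            trustee = "DU"
        if ace["type"] in ("A", "OA") and trustee in BROAD_TRUSTEES:
            granted = write_rights(ace["rights"])
            if granted:
                findings.append((BROAD_TRUSTEES[trustee], granted))
    return findings
```

Run it over the SDDL exported from each pre-staged computer object; an "Everyone: full control" finding is exactly the ACE the script produces, whereas a join-only delegation should show no more than write property and control access for a named group.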
