ADSI Scripting: TFM™
Cade Fassett
SAPIEN Press
Napa, California
Contents (excerpt):
  Find Computer Accounts by Attribute  64
  Services  68
    Get Service Status  68
    Start a Service  69
    Stop a Service  69
    Restart a Service  70
  Printers  72
    Pausing and Resuming a Print Queue  72
    Purging a Print Queue  73
    Manage Individual Print Jobs  73
  Domains  74
    Get Domain Password Policy  74
  Location Tab  104
  Managed By Tab  106
  Object Tab  108
  Methods  181
  Methods  209
Chapter 1
Introduction to ADSI
Welcome to the wonderful world of Active Directory Service
Interfaces, or ADSI. ADSI is a powerful tool provided by Microsoft
that enables you to manage directory services such as Active
Directory programmatically from your scripts and applications.
Unfortunately, documentation on ADSI has either been difficult to
find, or when you could find it, it turned out to be incredibly dense
and technical.
This book aims to change all of that by providing comprehensive
coverage of virtually everything ADSI has to offer. What’s more, I
hope to accomplish this without boring you to tears, which might be
what you’d experience if you tried to learn all of this from
Microsoft’s official ADSI documentation.
So sit back, relax, and enjoy the ride.
What Is ADSI?
Before I can really get down to teaching you much about how
ADSI works, you need to understand exactly what ADSI is, as well as
how it works and why you should even care. So that’s what the rest of
this chapter is about. Even if you think you already know this stuff,
please bear with me. There are a lot of misconceptions about the
details of ADSI, and I hope to clear a lot of those up in this chapter.
At its most basic, ADSI is simply a way of accessing information
from a directory service using a scripting language such as VBScript
or a full-blown programming language like C#. Using ADSI, you can
do things like creating and deleting user accounts, changing
passwords, and managing group memberships.
One other thing worth mentioning is that the name “Active
Directory Service Interfaces” can be a bit misleading. Most people
group the words in their minds as “(Active Directory) Service
Interfaces.” This implies that ADSI works only with Active
Directory, which is definitely not the case. ADSI works with a wide
variety of directory services including Windows NT and Novell
NetWare.
As you can see in Figure 1-1, ADSI abstracts away the details of
the underlying directory structure. You never need to know exactly
what is going on under the hood of the directory. Instead, all you need
to know is how to access some fairly standardized COM objects from
within your program. ADSI then takes your requests as passed to the
COM objects, parses them into proper commands for the directory,
and sends them along. It does the same process in reverse to translate
any output from the directory back to your program.
Code 1-2 (Perl):

use Win32::OLE;
use Win32::OLE::Enum;
use Win32::OLE::Variant;   # needed when working with date-valued properties such as PasswordExpirationDate

my $objComputer = Win32::OLE->GetObject("WinNT://.,computer");
my $obj = Win32::OLE::Enum->new($objComputer);
foreach ($obj->All) {
    # Class is lower-cased before the comparison, so compare against "user"
    if (lc($_->{'Class'}) eq "user") {
        print "$_->{'Name'}\t$_->{'Description'}\n";
        print "\tPasswordExpirationDate: $_->{'PasswordExpirationDate'}\n";
    }
}
The Perl code is a bit longer than the VBScript code because you
have to explicitly add module references to Perl scripts to enable
support for COM objects. That’s what you see in the three “use Win32”
lines at the beginning of Code 1-2. However, once you have enabled this
feature in Perl, the syntax for accessing ADSI is remarkably similar,
allowing for the often drastic differences in syntax between VBScript
and Perl.
Automation-Friendly
Related to multiple language support is the idea of being
automation-friendly. Virtually all scripting and automation languages
that run on Windows support COM, including VBScript, Perl, and
Python. Since ADSI is also based on COM, you are not required to
learn a new programming language to develop scripts for automating
administrative tasks. As long as you can get to COM objects from a
language you know, you can continue to use that language for ADSI
scripting. This enables you to capitalize on the time you have already
spent learning that particular language instead of having to take the
time to learn a new language to automate directory service operations.
Simplicity
To put it mildly, compared to a lot of the directory-specific
protocols, ADSI is incredibly simple. Often the architecture of the
directory service is rather complex, as is the vendor-provided way of
accessing the service directly. However, by pulling this functionality
out into ADSI, you can use the ADSI programming model, which is
generally easier to learn.
• Get a list of all the accounts in your domain that have passwords
that expire within a certain number of days.
• Assign users to groups based on information from a file or
available in the directory.
• Create a command-line utility that allows you to instantly reset a
user’s password, assign a temporary random password, and set
the flag that requires users to change their password the next time
they log on.
• Get a list of open files on a fileserver, along with the user that has
a certain file open.
• Change the password for a local user account (e.g. Administrator)
on a list of computers over the network.
• Query the directory for a list of computers in an organizational
unit (OU), and then perform management operations on the
computers returned by the query using another management
technology such as WMI.
There are many other cool things you can do with ADSI, many of
which I will cover in this book. Most of the examples above can be
found in Chapter 3. You can also find a lot of useful ADSI scripts on
various Web sites. One of the best is Microsoft’s TechNet Script
Repository, which is available at
http://www.microsoft.com/technet/scriptcenter/scripts/.
Code 1-3 (VBScript, excerpt):

' strComputer and strPingStatus are set earlier in the full script:
' strPingStatus is the result of the WMI ping described below
If strPingStatus = 0 Then
    Set objWMI = GetObject("winmgmts:" _
        & "{impersonationLevel=impersonate}!\\" _
        & strComputer & "\root\cimv2")
End If
Consider the VBScript code in Code 1-3. This code first uses an
InputBox to prompt the user for a domain name. Once you have the
domain name, use ADSI’s WinNT provider to connect to the domain
and retrieve a list of all computers in the directory. Then, for every
computer you find, first use WMI to ping the machine and ensure that
it is alive, then use WMI again to retrieve every IP address associated
with every NIC card on that computer. Next, echo (display) these IP
addresses back to the user.
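The procedure just described, written out as an added example (my own code, not the book's Code 1-3). It assumes Win32_PingStatus is available (Windows XP/Server 2003 or later) and that the account running the script has administrative rights on each computer, which is what remote WMI with impersonation requires; machines that do not answer the ping or refuse the WMI connection are reported and skipped rather than aborting the run.

```vbscript
' Added example: list every IP address of every computer in a domain.
' Assumes Win32_PingStatus (XP/2003+) and admin rights on the remote machines.
Option Explicit
Dim strDomain, objDomain, objComputer, strComputer
Dim objPingWMI, colPings, objPing, objWMI, colNics, objNic, strIP

strDomain = InputBox("Enter the domain name to scan:", "IP Address Report")
If Len(strDomain) = 0 Then WScript.Quit

' Bind to the domain with the WinNT provider and keep only computer objects
Set objDomain = GetObject("WinNT://" & strDomain)
objDomain.Filter = Array("computer")

' Win32_PingStatus is queried on the local machine's root\cimv2 namespace
Set objPingWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")

For Each objComputer In objDomain
    strComputer = objComputer.Name
    Set colPings = objPingWMI.ExecQuery( _
        "SELECT StatusCode FROM Win32_PingStatus WHERE Address = '" & strComputer & "'")
    For Each objPing In colPings
        ' StatusCode is Null when the name does not resolve and non-zero on no reply
        If IsNull(objPing.StatusCode) Or objPing.StatusCode <> 0 Then
            WScript.Echo strComputer & vbTab & "(no reply, skipped)"
        Else
            ' Connect to WMI on the remote computer and read each IP-enabled NIC
            On Error Resume Next
            Set objWMI = GetObject("winmgmts:" _
                & "{impersonationLevel=impersonate}!\\" _
                & strComputer & "\root\cimv2")
            If Err.Number <> 0 Then
                WScript.Echo strComputer & vbTab & "(WMI connect failed: " & Err.Description & ")"
                Err.Clear
            Else
                Set colNics = objWMI.ExecQuery( _
                    "SELECT IPAddress FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = True")
                For Each objNic In colNics
                    ' IPAddress is an array: one entry per address bound to the NIC
                    For Each strIP In objNic.IPAddress
                        WScript.Echo strComputer & vbTab & strIP
                    Next
                Next
            End If
            On Error GoTo 0
        End If
    Next
Next
```

Run it with cscript so the output goes to the console rather than one message box per address.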
As you can see, this is a handy tool to have because other network
tools such as IP scanners can only display IP addresses on the same
subnet as the scanning machine. With this script you can display
every IP address for every accessible machine even if the machine
has multiple NIC cards on multiple LAN segments.
No Hard-Coded Passwords
This is one of the most important practices that those of us in the
scripting community try to get people to employ. There is a good
reason for this - if your credentials are hard-coded into your script,
then anyone who has read access to that script file can gain access to
the account using those credentials. It also makes maintenance more
difficult since every time the password changes, the script fails to
function unless you remember to edit the password in the file. The
best solution is to prompt for a password when the script runs.
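One way to follow this practice, as an added example (my own code, not the book's): prompt for the user name and password when the script runs and pass them to IADsOpenDSObject, so nothing sensitive is stored in the file. It assumes the script is run under cscript and that the ScriptPW.Password COM object is registered for a masked console prompt; if it is not, the script falls back to an InputBox, which shows the password as typed.

```vbscript
' Added example: bind to the domain with credentials supplied at run time.
' Assumes cscript and (optionally) the ScriptPW.Password object for a masked prompt.
Option Explicit
' Secure (Kerberos/NTLM) authentication: the password is never sent in the clear.
' With this flag the user name must be in DOMAIN\user or user@domain form.
Const ADS_SECURE_AUTHENTICATION = &H1

Dim strUser, strPassword, objPW, objRoot, strDefaultNC, objLDAP, objDomain

strUser = InputBox("User name (DOMAIN\user or user@domain):", "ADSI Logon")
If Len(strUser) = 0 Then WScript.Quit

' ScriptPW.Password reads from the console without echoing the characters
On Error Resume Next
Set objPW = CreateObject("ScriptPW.Password")
If Err.Number = 0 Then
    WScript.StdOut.Write "Password: "
    strPassword = objPW.GetPassword()
    WScript.StdOut.WriteLine
Else
    Err.Clear
    strPassword = InputBox("Password:", "ADSI Logon")   ' visible fallback
End If
On Error GoTo 0

' RootDSE supplies the domain's default naming context, so no DN is hard-coded
Set objRoot = GetObject("LDAP://RootDSE")
strDefaultNC = objRoot.Get("defaultNamingContext")

' OpenDSObject binds with the supplied credentials instead of the logged-on user's
Set objLDAP = GetObject("LDAP:")
Set objDomain = objLDAP.OpenDSObject("LDAP://" & strDefaultNC, _
    strUser, strPassword, ADS_SECURE_AUTHENTICATION)

' Drop the variable as soon as the bind is done; do not keep it around or log it
strPassword = ""

WScript.Echo "Bound as " & strUser & " to " & objDomain.Get("distinguishedName")
```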
Chapter 4
User Object
For more information on the User object, see the following pages:
• WinNT Provider: Chapter 5, “User Object”
• LDAP Provider: Chapter 6, “User Object”
General Tab
Address Tab
Account Tab
Profile Tab
Telephones Tab
Organization Tab
Member Of Tab
Object Tab
Computer Object
For more information on the Computer object, see the following
pages:
• WinNT Provider: Chapter 5, “Computer Object”
• LDAP Provider: Chapter 6, “Computer Object”
General Tab
Member Of Tab
Location Tab