Keywords: Adding workstation NT4 and W2k domain specify OU
If it is possible to specify the Correct OU when adding a device to the Win2k Domain then that would be Ideal!
The dsMoveObj function moves an ADSI object from one container to another. The object can optionally be renamed by providing a new name in the third parameter. If you wish to rename an object without moving it, place the path of the object's current parent in the second parameter.
You can use "dsFindPath" to determine the path of an object if you don't know where it is, and you can use "dsIsObject" to determine if an object exists, if you know the path.
Here is a sample script:
;********************************************************************
; Declare constants used in defining the default location for the
; machine account, flags to identify the object as a machine account,
; and security flags. Can be found in constants.wbt
;********************************************************************
UF_WORKSTATION_TRUST_ACCOUNT = 4096 ; This is a computer account that is a member of this domain.
UF_ACCOUNTDISABLE = 2               ; The user's account is disabled.
UF_PASSWD_NOTREQD = 32              ; No password is required.
ACCESS_ALLOWED = 0       ; The ACE is of the standard ACCESS ALLOWED type, where the ObjectType and
                         ; InheritedObjectType fields are NULL.
INHERIT_ACE = 2          ; Child objects will inherit this access-control entry (ACE). The inherited
                         ; ACE is inheritable unless the NO_PROPAGATE_INHERIT_ACE flag is set.
GENERIC_ALL = 268435456  ; The right to create or delete children, delete a subtree, read and write
                         ; properties, examine children and the object itself, add and remove the
                         ; object from the directory, and read or write with an extended right.

;*********************************************************************
;* Set the flags on this object to identify it as a machine account
;* and determine the name. The name is used statically here, but may
;* be determined by a command line parameter or by using an InputBox
;*********************************************************************
lFlag = UF_WORKSTATION_TRUST_ACCOUNT | UF_ACCOUNTDISABLE | UF_PASSWD_NOTREQD
sComputerName = "TestComputer"

;*********************************************************************
;* Establish a path to the container in the Active Directory where
;* the machine account will be created.
;* For simplicity's sake we are hard-coding the path. Normally this
;* is not the best way to do it.
;*********************************************************************
sComputerContainer = "LDAP://myserver/OU=MyOU,DC=myWin2kdomain,DC=mysubdomain,DC=com"

;*********************************************************************
;* Here, the computer account is created. Certain attributes must
;* have a value before committing the object to the Active
;* Directory with dsSetObj
;*********************************************************************
sComputerPath = dsCreateObj(sComputerContainer, "computer", "CN=%sComputerName%")
dsSetProperty(sComputerPath, "samAccountName", "%sComputerName%$")
dsSetProperty(sComputerPath, "userAccountControl", lFlag)
dsSetObj(sComputerPath)

;*********************************************************************
;* Establish a default password for the machine account
;*********************************************************************
sPwd = "%sComputerName%$"
sPwd = StrLower(sPwd)
dsSetPassword(sComputerPath, "", sPwd)

;*********************************************************************
;* Specify which user or group may activate/join this computer to the
;* domain. Note that
;* this is the downlevel naming convention used in this example.
;*********************************************************************
sUserOrGroup = "mydomain\rtest"

;*********************************************************************
;* Bind to the Discretionary ACL on the newly created computer account
;* and create an Access Control Entry (ACE) that gives the specified
;* user or group full control on the machine account
;* Note: the second parameter to the dsCreatSecObj function can have the
;* following values:
;* 1 = Security descriptor.
;* 2 = ACL.
;* 3 = ACE.
;*********************************************************************
secDescriptor = dsGetProperty(sComputerPath, "ntSecurityDescriptor")
dACL = dsGetSecProp(secDescriptor, "DiscretionaryAcl")
ACE = dsCreatSecObj(sComputerPath, 3)

;*********************************************************************
;* Grant Full Control
;*********************************************************************
dsSetSecProp(ACE, "AccessMask", GENERIC_ALL)
dsSetSecProp(ACE, "AceType", ACCESS_ALLOWED)
dsSetSecProp(ACE, "AceFlags", INHERIT_ACE)

;*********************************************************************
;* Grant this control to the user or group specified earlier.
;*********************************************************************
dsSetSecProp(ACE, "Trustee", sUserOrGroup)

;*********************************************************************
;* Now, add this ACE to the DACL on the machine account
;*********************************************************************
dsAclAddAce(dACL, ACE, -1)
dsAclOrderAce(dACL)
dsSetSecProp(secDescriptor, "DiscretionaryAcl", dACL)

;*********************************************************************
;* Commit the security changes to the machine account
;*********************************************************************
dsSetProperty(sComputerPath, "ntSecurityDescriptor", secDescriptor)

;*********************************************************************
;* Once all parameters and permissions have been set, enable the
;* account.
;*********************************************************************
lFlag = dsGetProperty(sComputerPath, "userAccountControl")
lFlag = lFlag & (~UF_ACCOUNTDISABLE)
dsSetProperty(sComputerPath, "userAccountControl", lFlag)

;*****************
;* End Script
;*****************
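The following Python audit is an added example, not part of the original article or of WinBatch. It works through the script's flag arithmetic (4130 at creation, 4128 once enabled) and reports what the script leaves on the account: UF_PASSWD_NOTREQD still set and a GENERIC_ALL ACE for the delegated trustee. The record layout, the `audit_computer` and `run_audit` names, the approved-trustee list and the sample records are assumptions constructed for illustration.

```python
# Constants copied from the article's script.
UF_ACCOUNTDISABLE = 2
UF_PASSWD_NOTREQD = 32
UF_WORKSTATION_TRUST_ACCOUNT = 4096
GENERIC_ALL = 268435456
ACCESS_ALLOWED = 0
INHERIT_ACE = 2

UAC_NAMES = {UF_ACCOUNTDISABLE: "ACCOUNTDISABLE",
             UF_PASSWD_NOTREQD: "PASSWD_NOTREQD",
             UF_WORKSTATION_TRUST_ACCOUNT: "WORKSTATION_TRUST_ACCOUNT"}

def decode_uac(value):
    """Names of the script's userAccountControl flags present in value."""
    return [name for bit, name in sorted(UAC_NAMES.items()) if value & bit]

def audit_computer(record, approved_trustees):
    """Return findings for one exported computer-account record (hypothetical layout)."""
    findings = []
    uac = record["userAccountControl"]
    if not uac & UF_WORKSTATION_TRUST_ACCOUNT:
        findings.append("not a workstation trust account")
    if not uac & UF_ACCOUNTDISABLE and uac & UF_PASSWD_NOTREQD:
        findings.append("enabled with PASSWD_NOTREQD still set")
    for ace in record["dacl"]:
        full = ace["AceType"] == ACCESS_ALLOWED and ace["AccessMask"] & GENERIC_ALL
        if full and ace["Trustee"].lower() not in approved_trustees:
            note = " (inherited by child objects)" if ace["AceFlags"] & INHERIT_ACE else ""
            findings.append(f"GENERIC_ALL granted to {ace['Trustee']}{note}")
    return findings

# The two values the script writes: at creation, then after enabling.
CREATED = UF_WORKSTATION_TRUST_ACCOUNT | UF_ACCOUNTDISABLE | UF_PASSWD_NOTREQD  # 4130
ENABLED = CREATED & ~UF_ACCOUNTDISABLE                                          # 4128

# Constructed sample export: the script's account and one ordinary joined machine.
SAMPLE = [
    {"cn": "TestComputer", "userAccountControl": ENABLED,
     "dacl": [{"Trustee": r"mydomain\rtest", "AccessMask": GENERIC_ALL,
               "AceType": ACCESS_ALLOWED, "AceFlags": INHERIT_ACE}]},
    {"cn": "JoinedPC", "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT,
     "dacl": [{"Trustee": r"mydomain\Domain Admins", "AccessMask": GENERIC_ALL,
               "AceType": ACCESS_ALLOWED, "AceFlags": 0}]},
]
APPROVED = {r"mydomain\domain admins"}  # assumed allow-list, lower-cased

def run_audit():
    return {r["cn"]: audit_computer(r, APPROVED) for r in SAMPLE}

if __name__ == "__main__":
    for cn, findings in run_audit().items():
        print(cn, decode_uac(next(r for r in SAMPLE if r["cn"] == cn)["userAccountControl"]), findings or "ok")
```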
Article ID: W15376
File Created: 2003:05:13:11:27:24
Last Updated: 2003:05:13:11:27:24