ADSI Extender Security Descriptor Sample

Keywords: ADSI dsSetSecProp DiscretionaryAcl ntSecurityDescriptor userAccountControl Accessmask AceType AceFlag Create Computer Container Account Discretionary ACL DACL Access Control Entry ACE

;***********************
; Create a win2k computer account.
;**********************
AddExtender("wwads44i.dll")

;**********************
; Set credentials.
;**********************
dsSetCredent("guesswho", "*topsecret*")

;********************************************************************
; Declare constants used in defining the default location for the
; machine account, flags to identify the object as a machine account,
; and security flags. Can be found in constants.wbt
;********************************************************************
UF_WORKSTATION_TRUST_ACCOUNT  = 4096      ; This is a computer account that is a member of this domain.
UF_ACCOUNTDISABLE             = 2         ; The user's account is disabled.
UF_PASSWD_NOTREQD             = 32         ; No password is required.
ACCESS_ALLOWED                = 0         ; The ACE is of the standard ACCESS ALLOWED type, where the ObjectType and
                                          ; InheritedObjectType fields are NULL.
INHERIT_ACE                   = 2         ; Child objects will inherit this access-control entry (ACE). The inherited
                                          ; ACE is inheritable unless the NO_PROPAGATE_INHERIT_ACE flag is set.
GENERIC_ALL                   = 268435456 ; The right to create or delete children, delete a subtree, read and write
                                          ; properties, examine children and the object itself, add and remove the
                                          ; object from the directory, and read or write with an extended right.

;*********************************************************************
;* Set the flags on this object to identify it as a machine account
;* and determine the name.  The name is used statically here, but may
;* be determined by a command line parameter or by using an InputBox
;*********************************************************************

lFlag = UF_WORKSTATION_TRUST_ACCOUNT | UF_ACCOUNTDISABLE | UF_PASSWD_NOTREQD
sComputerName = "TestComputer"

;*********************************************************************
;* Establish a path to the container in the Active Directory where
;* the machine account will be created.
;* For simplicity's sake the path is hard coded here. Normally this
;* is not the best way to do it.
;*********************************************************************

sComputerContainer = "LDAP://shamrock/OU=Test OU,DC=jclass,DC=org"

;*********************************************************************
;* Here, the computer account is created.  Certain attributes must
;* have a value before committing the object to the Active
;* Directory with dsSetObj.
;*********************************************************************

sComputerPath = dsCreateObj(sComputerContainer, "computer", "CN=%sComputerName%")
dsSetProperty(sComputerPath, "samAccountName", "%sComputerName%$")
dsSetProperty(sComputerPath, "userAccountControl", lFlag)
dsSetObj(sComputerPath)

;*********************************************************************
;* Establish a default password for the machine account
;*********************************************************************

sPwd = "%sComputerName%$"
sPwd = StrLower(sPwd)
dsSetPassword(sComputerPath, "", sPwd)

;*********************************************************************
;* Specify which user or group may activate/join this computer to the
;* domain.  Note that the downlevel (DOMAIN\user) naming convention
;* is used in this example.
;*********************************************************************

sUserOrGroup = "jclass\hsimpson"   ; Our buddy

;*********************************************************************
;* Bind to the Discretionary ACL on the newly created computer account
;* and create an Access Control Entry (ACE) that gives the specified
;* user or group full control on the machine account
;* Note: the second parameter to the dsCreatSecObj function can have the
;*       following values:
;*       1 = Security descriptor.
;*       2 = ACL.
;*       3 = ACE.
;*********************************************************************

secDescriptor = dsGetProperty(sComputerPath, "ntSecurityDescriptor")
dACL          = dsGetSecProp(secDescriptor, "DiscretionaryAcl")
ACE           = dsCreatSecObj(sComputerPath, 3)

;*********************************************************************
;* Grant Full Control
;*********************************************************************

dsSetSecProp(ACE, "AccessMask",  GENERIC_ALL)
dsSetSecProp(ACE, "AceType",  ACCESS_ALLOWED)
dsSetSecProp(ACE, "AceFlags", INHERIT_ACE)

;*********************************************************************
;* Grant this control to the user or group specified earlier.
;*********************************************************************

dsSetSecProp(ACE, "Trustee", sUserOrGroup)

;*********************************************************************
;* Now, add this ACE to the DACL on the machine account
;*********************************************************************
dsAclAddAce(dACL, ACE, -1)
dsAclOrderAce(dACL)
dsSetSecProp(secDescriptor, "DiscretionaryAcl", dACL)

;*********************************************************************
;* Commit the security changes to the machine account
;*********************************************************************

dsSetProperty(sComputerPath, "ntSecurityDescriptor", secDescriptor)

;*********************************************************************
;* Once all parameters and permissions have been set, enable the
;* account.
;*********************************************************************

lFlag = dsGetProperty(sComputerPath, "userAccountControl")
lFlag = lFlag & (~UF_ACCOUNTDISABLE)
dsSetProperty(sComputerPath, "userAccountControl", lFlag)

;*****************
;* End Script
;*****************
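The following is an added example and is not part of the WinBatch sample above or of the ADSI Extender. It models, offline in Python, the two things the script manipulates on the computer object: the userAccountControl bit flags (the same numeric values as the script's UF_* constants, including the final `lFlag & (~UF_ACCOUNTDISABLE)` step) and the DACL entries built with AccessMask, AceType, AceFlags and Trustee. It then runs the check a reviewer would want after such provisioning: which flags are still set, and which trustees hold GENERIC_ALL on the object. The computer object and its ACEs are constructed dicts standing in for what dsGetProperty / dsGetSecProp would return; `order_aces` is this example's own approximation of canonical DACL ordering (the job dsAclOrderAce does in the script), and ACCESS_DENIED (1) and INHERITED_ACE (0x10) are standard ADSI values not shown on this page. All function and key names here are the example's own.

```python
# Added example, not part of the WinBatch sample or the ADSI Extender API.
# Models the userAccountControl bits and DACL entries the script sets, and
# audits the result the way a defender would. Objects are constructed dicts.

# userAccountControl bits (same values as the script's UF_* constants)
UF_ACCOUNTDISABLE = 0x0002
UF_PASSWD_NOTREQD = 0x0020
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000

# ACE type / flag / mask values. ACCESS_ALLOWED, INHERIT_ACE and GENERIC_ALL
# match the script; ACCESS_DENIED and INHERITED_ACE are the standard ADSI
# values, added here only so canonical ordering can be demonstrated.
ACCESS_ALLOWED = 0
ACCESS_DENIED = 1
INHERIT_ACE = 0x02
INHERITED_ACE = 0x10
GENERIC_ALL = 0x10000000

UAC_FLAG_NAMES = {
    UF_ACCOUNTDISABLE: "ACCOUNTDISABLE",
    UF_PASSWD_NOTREQD: "PASSWD_NOTREQD",
    UF_WORKSTATION_TRUST_ACCOUNT: "WORKSTATION_TRUST_ACCOUNT",
}


def decode_uac(value):
    """Names of the known flags set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAG_NAMES.items()) if value & bit]


def enable_account(uac):
    """Clear UF_ACCOUNTDISABLE, exactly as the script's lFlag & (~UF_ACCOUNTDISABLE)."""
    return uac & ~UF_ACCOUNTDISABLE


def make_ace(trustee, access_mask, ace_type=ACCESS_ALLOWED, ace_flags=INHERIT_ACE):
    """An ACE as the script builds it with dsSetSecProp, modelled as a dict."""
    return {"Trustee": trustee, "AccessMask": access_mask,
            "AceType": ace_type, "AceFlags": ace_flags}


def order_aces(dacl):
    """Canonical DACL order: explicit denies, explicit allows, then inherited
    ACEs. This is the example's own approximation of dsAclOrderAce."""
    def key(ace):
        inherited = bool(ace["AceFlags"] & INHERITED_ACE)
        return (inherited, 0 if ace["AceType"] == ACCESS_DENIED else 1)
    return sorted(dacl, key=key)  # sorted() is stable, so equal keys keep order


def audit_computer(obj, approved_trustees):
    """Findings a reviewer would raise on a freshly provisioned computer object."""
    approved = {t.lower() for t in approved_trustees}
    findings = []
    uac = obj["userAccountControl"]
    if uac & UF_ACCOUNTDISABLE:
        findings.append("account is still disabled")
    if uac & UF_PASSWD_NOTREQD:
        findings.append("PASSWD_NOTREQD is set (no password required)")
    if not uac & UF_WORKSTATION_TRUST_ACCOUNT:
        findings.append("WORKSTATION_TRUST_ACCOUNT is not set")
    for ace in obj["DiscretionaryAcl"]:
        if ace["AceType"] != ACCESS_ALLOWED:
            continue  # deny ACEs never widen access
        if ace["AccessMask"] & GENERIC_ALL and ace["Trustee"].lower() not in approved:
            findings.append("GENERIC_ALL granted to unapproved trustee " + ace["Trustee"])
    return findings


# Constructed sample: the object as the script leaves it after its last step,
# with the script's ACE for jclass\hsimpson placed among two made-up entries.
SAMPLE_COMPUTER = {
    "samAccountName": "TestComputer$",
    "userAccountControl": enable_account(
        UF_WORKSTATION_TRUST_ACCOUNT | UF_ACCOUNTDISABLE | UF_PASSWD_NOTREQD),
    "DiscretionaryAcl": order_aces([
        make_ace("jclass\\Domain Admins", GENERIC_ALL, ace_flags=INHERITED_ACE),
        make_ace("jclass\\hsimpson", GENERIC_ALL),
        make_ace("jclass\\contractors", GENERIC_ALL, ace_type=ACCESS_DENIED, ace_flags=0),
    ]),
}

if __name__ == "__main__":
    print("flags:", decode_uac(SAMPLE_COMPUTER["userAccountControl"]))
    for finding in audit_computer(SAMPLE_COMPUTER, ["jclass\\Domain Admins"]):
        print("finding:", finding)
```

Run as-is, the audit reports two findings on the constructed object: PASSWD_NOTREQD is still set (the script clears only UF_ACCOUNTDISABLE at the end), and jclass\hsimpson holds GENERIC_ALL while not being on the approved list. Feeding real values into `decode_uac` and `audit_computer` (for instance the integer read back by dsGetProperty for userAccountControl) is the intended use.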

Article ID:   W17542
Filename:   ADSI Extender Security Descriptor Sample.txt
File Created: 2010:01:28:09:47:00
Last Updated: 2010:01:28:09:47:00