Create Exchange 2000 User Account


This program assumes many things and works for our purposes. It may not work for you.

This program has been tested with Win2K Server SP1 and Exchange 2000.

This program requires several objects to be present on the system. All needed objects should be on the server after Exchange 2000 is installed.

This program was only tested from the desktop of the Exchange server.

Several CDO objects will need to be added or updated for this to work on a workstation (I may test this later).

As part of the program, after the user account is created and the mailbox is created, an SMTP message is sent to the new mailbox. If this is not done, the "mailbox Rights" button on the MMC will produce an error when accessed. According to MS, the ACL for the mailbox is not created until the user logs on and opens the mailbox or a message is received in the mailbox.

Since the "createMailbox" call seems to hand the work off to an Exchange 2000 agent that actually creates the mailbox, some time has to pass between the "createMailbox" request and sending a message to the mailbox. This is done with a shelled program that delays, then sends a message. The timing is dubious, since we never know how long it will take before the agent has finished creating the mailbox. In the worst case, when the SMTP message is not delivered, the ACL for the mailbox cannot be edited until after the user has accessed the mailbox.

Some settings on the Exchange IMC can prevent it from accepting SMTP messages from anyone other than certain IP addresses (like the firewall). This is done to prevent spamming. It might be a good idea to use a different method for sending an e-mail to the new mailbox; some methods will require an e-mail client on the workstation or server. I found no way to edit the ACL for the mailbox once it was created.

--------------------------------------------------------------------------------

NEWUSER.WBT

;generic debug setting
progname=itemextract(1,winexename(""),".")

gosub dbgchk
gosub constants

; ADSI, NT security and Winsock extenders
addextender("WWADS34I.DLL")
addextender("wwwnt34i.dll")
AddExtender("wwwsk34i.dll")

IntControl( 52, 0, 0, 0, 0 )

types="User Templates (*.usr)|*.usr|Text Files (*.txt)|*.txt|All Files (*.*)|*.*|"

ACCESS_ALLOWED = 0                   ; AceType
GENERIC_ALL = 268435456              ; AccessMask

currentdir = dirget()
;load default user template
filename=strcat(currentdir,"default.usr")
gosub loadtemplate

while @true

   gosub getinfo

   ; Define some constants.
   MANDATORY = 1
   OPTIONAL = 2
   MANANDOPT = 3

   sAdsiPath = "LDAP://rootDSE"
   sValue = dsGetProperty(sAdsiPath , "defaultNamingContext")
   sDomainDNS = "LDAP://%sValue%"
   domain = dsGetProperty("LDAP://rootDSE" , "defaultNamingContext")
   UsersPath = "LDAP://cn=users,%domain%"

   ; Derive the short domain name and DNS names from the first two DC= parts of the
   ; domain DN (e.g. DC=tc1,DC=priv); note dnsdomain2 hard-codes a .com suffix
   xxx=itemextract(1,domain,",")
   xxx=itemextract(2,xxx,"=")
   yyy=itemextract(2,domain,",")
   yyy=itemextract(2,yyy,"=")
   subdom=xxx
   dnsdomain1=strcat(xxx,".",yyy)
   dnsdomain2=strcat(xxx,".com")

   ; Build the display name; add a period after the middle initial if it has none
   if MI <> ""
      if strsub(MI,strlen(MI),1) == "."
         displayname=strcat(FirstName," ",MI," ",LastName)
      else
         displayname=strcat(FirstName," ",MI,". ",LastName)
      endif
   else
      displayname=strcat(FirstName," ", LastName)
   endif

   displayname=strtrim(displayname)
   ; logon name = first initial + last name, lower case, at most 15 characters
   username=strlower(strtrim(strfixchars(strcat(strsub(firstname,1,1),lastname)," ",15)))
   ; Memberof="CN=Home_%homeserver%_G,CN=Users,DC=tc1,DC=priv"

   ; List all objects in the user container of the default domain.
   ;lValues = dsGetChldPath(UsersPath, "")
   ;message("Object in Users", lValues)

   ; Create a user in the default user container on a
   ; Windows 2000 server with Active directory.

   ; Create a new user object
   sObjectClass = "user"

   ; Make sure the Full Name (cn) is not already in use
   while @true
      UserPath = "LDAP://cn=%displayname%,cn=users,%domain%"
      err=dsIsObject(UserPath)
      if err==1
         newname = askline("User Name Already Exists","User %displayname% already exists. Please enter a new Full Name for this user account.", displayname)
         if newname <> ""
            displayname= newname
         endif
      else
         break
      endif
   endwhile

   ; Make sure the logon name (sAMAccountName) is not already in use
   while @true
      err=dsFindPath(UsersPath,"SamAccountName=%username%")
      if err<>""
         newname = askline("User Name Already Exists","User %Username% already exists. Please enter a new User Name for this user account.", username)
         if newname <> ""
            username= newname
         endif
      else
         break
      endif
   endwhile

   profilepath=strcat("\\",homeserver,"\profiles$\",username)
   sObjectPath = dsCreateObj(UsersPath, sObjectClass, strcat("cn=",displayname))

   mail=strcat(username,"@",dnsdomain2)
   mailnickname=username

   ; Set the mandatory property.
   dsSetProperty(sObjectPath, "samAccountName", username)

   ;set optional properties
   dsSetProperty(sObjectPath, "c", "US")
   dsSetProperty(sObjectPath, "co", "United States")
   if companyname <> "" then dsSetProperty(sObjectPath, "company", CompanyName)
   dsSetProperty(sObjectPath, "CountryCode", "840" )
   if department <> "" then dsSetProperty(sObjectPath, "Department", department)
   if description <> "" then dsSetProperty(sObjectPath, "description", description)
   if displayname <> "" then dsSetProperty(sObjectPath, "displayname", displayname)
   if faxnumber <> "" then dsSetProperty(sObjectPath, "FacsimileTelephoneNumber", faxnumber )
   if firstname <> "" then dsSetProperty(sObjectPath, "givenname", FirstName )
   if homephone <> "" then dsSetProperty(sObjectPath, "HomePhone", homephone)
   if MI <> "" then dsSetProperty(sObjectPath, "initials", MI)
   if city <> "" then dsSetProperty(sObjectPath, "L", city)
   ;dsSetProperty(sObjectPath, "MemberOf", memberof)
   if mobilephone <> "" then dsSetProperty(sObjectPath, "Mobile", mobilephone)
   if PagerNumber <> "" then dsSetProperty(sObjectPath, "Pager", pagernumber)
   if zipcode <> "" then dsSetProperty(sObjectPath, "PostalCode", ZipCode)
   if profilepath <> "" then dsSetProperty(sObjectPath, "profilepath", profilepath)
   if logonscript <> "" then dsSetProperty(sObjectPath, "scriptpath", logonscript)
   if lastname <> "" then dsSetProperty(sObjectPath, "SN", lastname)
   if state <> "" then dsSetProperty(sObjectPath, "ST", State)
   if address <> "" then dsSetProperty(sObjectPath, "StreetAddress", Address)
   if workphone <> "" then dsSetProperty(sObjectPath, "TelephoneNumber", WorkPhone)
   if mail <> "" then dsSetProperty(sObjectPath, "userprincipalname", mail)

   ;e-mail properties:
   homeMDB="CN=Mailbox Store (%homeserver%),CN=First Storage Group,CN=InformationStore,CN=%homeserver%,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=%subdom%,CN=Microsoft Exchange,CN=Services,CN=Configuration,%domain%"
   homeMTA="CN=Microsoft MTA,CN=%homeserver%,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=%subdom%,CN=Microsoft Exchange,CN=Services,CN=Configuration,%domain%"
   LegacyExchangeDN="/o=%subdom%/ou=First Administrative Group/cn=Recipients/cn=%username%"
   msExchHomeServerName="/o=%subdom%/ou=First Administrative Group/cn=Configuration/cn=Servers/cn=%homeserver%"
   mdbUseDefaults="1"

   if mail <> "" then dsSetProperty(sObjectPath, "mail",mail)
   if mailnickname <> "" then dsSetProperty(sObjectPath, "MailNickName", MailNickName)

   if homeMDB <> "" then dsSetProperty(sObjectPath, "homemdb", homemdb)
   if homeMTA <> "" then dsSetProperty(sObjectPath, "homemta", homemta)
   if legacyExchangeDN <> "" then dsSetProperty(sObjectPath, "legacyexchangedn", legacyexchangedn)
   if msExchHomeServerName <> "" then dsSetProperty(sObjectPath, "msExchHomeServerName", msExchHomeServerName)
   if mdbUseDefaults <> "" then dsSetProperty(sObjectPath, "mdbUseDefaults",mdbUseDefaults)

   ; Now, commit the object to the DS
   dsSetObj(sObjectPath)

   ;password may not be accepted by domain (error 1026 = does not meet the domain policy)
   errormode(@off)
   While @true
      lasterror()
      dsSetPassword(sObjectPath, "", password)
      if lasterror() == 1026
         gosub fixpwd
      else
         break
      endif
   endwhile
   errormode(@notify)

   ;can't enable the account until the password is set
   ;512 = UF_NORMAL_ACCOUNT with UF_ACCOUNTDISABLE clear, i.e. an enabled normal user
   dsSetProperty(sObjectPath, "UserAccountControl", "512")
   dsSetProperty(sObjectPath, "msExchUserAccountControl","0")
   debugtrace(1,"%progname%.log")

   ; now switch to CDO COM object to create the mailbox
   ; Open the CDO.Person object and go to the account just created
   objperson=objectopen("CDO.Person")
   OPdatasource=objperson.datasource
   opdatasource.open(userpath)

   thisfn=objperson.firstname ; unnecessary, but it shows you are on the correct user account
   thisln=objperson.lastname

   ;don't know where the getinterface method came from or why we need to call it, but it works
   ;(GetInterface returns the CDO for Exchange Management IMailboxStore interface on the person object)
   objMailbox=objPerson.GetInterface("IMailboxStore")
   ;Use the same homeMDB used when creating the account
   objmailbox.CreateMailbox(homemdb)

   ;no need to call the save method, we changed nothing, so just close the object
   objectclose(objperson)

   ; give the e-mail server a chance to create the mailbox - come back to this later
   ;Now add group membership:
   groupname = "Home_%homeserver%_G"
   grouppath = "LDAP://cn=%groupname%,cn=users,%domain%"
   dsAddtoGrp(GroupPath, UserPath)

   ;Make home dir
   err=dirmake("\\%homeserver%\home$\%username%")
   ;make required dirs
   err=dirmake("\\%homeserver%\home$\%username%\My Documents")
   err=dirmake("\\%homeserver%\home$\%username%\Application Data")

   ;Make profile dir
   err=dirmake("\\%homeserver%\profiles$\%username%")

   ;Boxopen("Checking For Server Synchronization","")
   errormode(@off)
   ;wait for the user to show up at the server
   ;this may be unnecessary if the server is a Win2K DC
   ;but can be needed if homeserver is not the DC changes are
   ;being made on - AD can take a few secs to replicate
   ;(error 562 = user not found; note this loop has no upper bound on the wait)
   t=0
   tm = 15 ;secs
   x = 0
   while t==0
      groups=wntMemberGrps("\\%homeserver%",username,@GLOBALGROUP,0)
      err=lasterror()
      if err == 562
         x=x+(tm/60.0) ;min
         ;boxtext("Waiting for %param2% account%@CRLF%to appear on %param1%%@crlf%Time waited So Far: %x% min")
         timedelay(tm)
      else
         t=1
      endif
   endwhile
   ;boxshut()
   errormode(@notify)

   ; Homeserver knows about the new user account, so we can now set ACLS
   ; (grant only the new user Modify on their own home and profile directories)
   err=wntAccessAdd(homeserver, "\\%homeserver%\home$\%username%", username, 303, "Win2000:Modify")
   err=wntAccessAdd(homeserver, "\\%homeserver%\profiles$\%username%", username, 303, "Win2000:Modify")

   ; send a message to this mailbox to make sure it gets created now, and to create the ACL
   ; Messages sent to this account immediately after account creation seem to fail.
   ; shell hidden program to send mail in 3 minutes
   ; I choose SMTP so I need no e-mail client. This program will be run from the e-mail server.
   ; Server must be able to accept SMTP messages from internal addresses.
   ; Server must be able to resolve the from address (in most cases)
   ; could use MAPI, POSTIE or SMTP.
   ; param1 = full server name
   ; param2 = users Internet e-mail address
   ; param3 = delay time
   tm = timeymdhms()
   x=strcat(homeserver,".",dnsdomain1)
   y=mail
   err=runshell("emailwelcome.exe","%x% %mail% 180","",@hidden,@nowait)

   ; clear the per-user fields (including the password) before showing the dialog again
   department=""
   description=""
   FirstName=""
   LAstName=""
   MI=""
   workphone=""
   pagernumber=""
   faxnumber=""
   homephone=""
   mobilephone=""
   pw_password=""
   password=""
   pw_confirm=""
   confirm=""
   Title=""

endwhile
; exit

;===================================================================
:getinfo
MyDialogFormat=`WWWDLGED,5.0`
MyDialogCaption=`UnaVia New User`
MyDialogX=187
MyDialogY=109
MyDialogWidth=359
MyDialogHeight=230
MyDialogNumControls=47

MyDialog01=`130,0,92,DEFAULT,STATICTEXT,DEFAULT,"Create a New User Account"`
MyDialog02=`14,20,40,DEFAULT,STATICTEXT,DEFAULT,"First Name:"`
MyDialog03=`8,32,46,DEFAULT,STATICTEXT,DEFAULT,"Middle Initial:"`
MyDialog04=`14,44,40,DEFAULT,STATICTEXT,DEFAULT,"Last Name:"`
MyDialog05=`6,56,48,DEFAULT,STATICTEXT,DEFAULT,"Home Server:"`
MyDialog06=`8,68,46,DEFAULT,STATICTEXT,DEFAULT,"Logon Script:"`
MyDialog07=`10,80,44,DEFAULT,STATICTEXT,DEFAULT,"Work Phone:"`
MyDialog08=`8,128,46,DEFAULT,STATICTEXT,DEFAULT,"Home Phone:"`
MyDialog09=`4,92,50,DEFAULT,STATICTEXT,DEFAULT,"Pager Number:"`
MyDialog10=`12,140,42,DEFAULT,STATICTEXT,DEFAULT,"Department:"`
MyDialog11=`10,116,44,DEFAULT,STATICTEXT,DEFAULT,"FAX Number:"`
MyDialog12=`6,104,48,DEFAULT,STATICTEXT,DEFAULT,"Mobile Phone:"`
MyDialog13=`12,152,42,DEFAULT,STATICTEXT,DEFAULT,"Description:"`
MyDialog14=`22,164,36,DEFAULT,STATICTEXT,DEFAULT,"Address:"`
MyDialog15=`36,176,36,DEFAULT,STATICTEXT,DEFAULT,"City:"`
MyDialog16=`34,188,36,DEFAULT,STATICTEXT,DEFAULT,"State:"`
MyDialog17=`22,200,36,DEFAULT,STATICTEXT,DEFAULT,"Zip Code:"`
MyDialog18=`56,18,134,DEFAULT,EDITBOX,FirstName,"FirstName"`
MyDialog19=`56,30,36,DEFAULT,EDITBOX,MI,"MI"`
MyDialog20=`56,42,134,DEFAULT,EDITBOX,LastName,"LastName"`
MyDialog21=`200,30,134,DEFAULT,EDITBOX,PW_password,""`
MyDialog22=`200,54,134,DEFAULT,EDITBOX,PW_Confirm,""`
MyDialog23=`56,54,134,DEFAULT,EDITBOX,HomeServer,"HomeServer"`
MyDialog24=`56,66,134,DEFAULT,EDITBOX,logonscript,"LogonScript"`
MyDialog25=`56,78,134,DEFAULT,EDITBOX,WorkPhone,"WorkPhone"`
MyDialog27=`56,90,134,DEFAULT,EDITBOX,Pagernumber,"PagerNumber"`
MyDialog28=`56,102,134,DEFAULT,EDITBOX,MobilePhone,"MobilePhone"`
MyDialog29=`56,114,134,DEFAULT,EDITBOX,FAXNumber,"FAXNumber"`
MyDialog30=`56,126,134,DEFAULT,EDITBOX,HomePhone,"HomePhone"`
MyDialog31=`56,138,134,DEFAULT,EDITBOX,Department,"Department"`
MyDialog32=`56,150,134,DEFAULT,EDITBOX,Description,"Description"`
MyDialog33=`56,162,134,DEFAULT,EDITBOX,Address,"Address"`
MyDialog35=`56,174,134,DEFAULT,EDITBOX,City,"City"`
MyDialog36=`56,186,36,DEFAULT,EDITBOX,State,"State"`
MyDialog37=`56,198,134,DEFAULT,EDITBOX,ZipCode,"ZipCode"`
MyDialog38=`56,210,134,DEFAULT,EDITBOX,CompanyName,"Company Name"`
MyDialog39=`196,192,74,DEFAULT,PUSHBUTTON,DEFAULT,"&Create Account",1`
MyDialog40=`278,192,74,DEFAULT,PUSHBUTTON,DEFAULT,"&Load Template",2`
MyDialog41=`278,210,74,DEFAULT,PUSHBUTTON,DEFAULT,"&Save Template",3`
MyDialog42=`196,210,74,DEFAULT,PUSHBUTTON,DEFAULT,"Ca&ncel",4`
MyDialog43=`20,212,36,DEFAULT,STATICTEXT,DEFAULT,"Company:"`
MyDialog44=`202,18,36,DEFAULT,STATICTEXT,DEFAULT,"Password:"`
MyDialog45=`202,42,36,DEFAULT,STATICTEXT,DEFAULT,"Confirm:"`
MyDialog46=`202,66,36,DEFAULT,STATICTEXT,DEFAULT,"Title:"`
MyDialog26=`200,78,134,DEFAULT,EDITBOX,Title,"Title"`
MyDialog47=`202,150,36,DEFAULT,STATICTEXT,DEFAULT,"P.O. Box:"`
MyDialog34=`200,162,136,DEFAULT,EDITBOX,POBOX,"POBox"`

ButtonPushed=Dialog("MyDialog")

select buttonpushed
   case 1
      password = pw_password
      confirm = pw_confirm
      if password <> confirm
         message("Password error","Password Not Confirmed. Please re-enter password and confirm.")
         break
      endif
      return
   case 2
      filename=AskFileName("Load User Template", currentdir, types, "Default.usr", 1)
      if filename == "" then break
      password = ""
      confirm = ""
      gosub loadtemplate
      break
   case 3
      gosub savetemplate
      break
   case 4
      exit
endselect

goto getinfo

;===================================================================
:dbgchk
if fileexist("%progname%.dbg")
   debugtrace(1,"%progname%.log")
else
   debugtrace(0,"%progname%.log")
endif
return

;====================================================================
:loadtemplate
if fileexist(filename)
   hndl=fileopen(filename,"read")
   while @true
      xxx=fileread(hndl)
      if xxx == "*EOF*" then break
      ;line in file is of form propname = "value"
      ;the substitution below executes each line as a WinBatch statement,
      ;so a template file is effectively code and should only be loaded from a trusted location
      %xxx%
   endwhile
   err=fileclose(hndl)
endif
return

;====================================================================
:savetemplate
filename=AskFileName("Save User Template", currentdir, types, "Default.usr", 0)
if filename == "" then return

hndl=fileopen(filename,"Write")
err=filewrite(hndl,'firstname = "%firstname%"')
err=filewrite(hndl,'MI = "%mi%"')
err=filewrite(hndl,'lastname = "%lastname%"')
err=filewrite(hndl,'homeserver = "%homeserver%"')
err=filewrite(hndl,'logonscript = "%logonscript%"')
err=filewrite(hndl,'workphone = "%workphone%"')
err=filewrite(hndl,'pagernumber = "%pagernumber%"')
err=filewrite(hndl,'mobilephone = "%mobilephone%"')
err=filewrite(hndl,'faxnumber = "%faxnumber%"')
err=filewrite(hndl,'HomePhone = "%HomePhone%"')
err=filewrite(hndl,'Department = "%Department%"')
err=filewrite(hndl,'Description = "%description%"')
err=filewrite(hndl,'Address = "%address%"')
err=filewrite(hndl,'city = "%city%"')
err=filewrite(hndl,'State = "%state%"')
err=filewrite(hndl,'zipcode = "%zipcode%"')
err=filewrite(hndl,'Companyname = "%companyname%"')
err=filewrite(hndl,'title = "%title%"')
err=filewrite(hndl,'POBox = "%pobox%"')
;err=filewrite(hndl,' = "%%"')
err=fileclose(hndl)
return

;====================================================================
:fixpwd
while @true
   MyDialogFormat=`WWWDLGED,5.0`
   MyDialogCaption=`Password Does Not Pass Minimum Requirements`
   MyDialogX=89
   MyDialogY=115
   MyDialogWidth=293
   MyDialogHeight=110
   MyDialogNumControls=9

   MyDialog01=`12,8,174,DEFAULT,STATICTEXT,DEFAULT,"The password you entered did not pass the minimum"`
   MyDialog02=`186,8,100,DEFAULT,STATICTEXT,DEFAULT,"requirements for this domain."`
   MyDialog03=`12,20,184,DEFAULT,STATICTEXT,DEFAULT,"The password may be too short or not complex enough."`
   MyDialog04=`12,32,142,DEFAULT,STATICTEXT,DEFAULT,"Please Enter a new password and confirm:"`
   MyDialog05=`12,48,38,DEFAULT,STATICTEXT,DEFAULT,"Password:"`
   MyDialog06=`12,60,132,DEFAULT,EDITBOX,pw_password,""`
   MyDialog07=`12,76,36,DEFAULT,STATICTEXT,DEFAULT,"Confirm:"`
   MyDialog08=`12,88,132,DEFAULT,EDITBOX,pw_confirm,""`
   MyDialog09=`210,88,64,DEFAULT,PUSHBUTTON,DEFAULT,"&OK",1`

   ButtonPushed=Dialog("MyDialog")

   password = pw_password
   confirm = pw_confirm
   if password <> confirm
      message("Password error","Password Not Confirmed. Please re-enter password and confirm.")
      continue
   endif
   break
endwhile
return

;=====================================================================================
:Constants
; This file contains a list of constants commonly used with the ADSI extender.

; Meaning of bits in userFlags properties of a WinNT: and the userAccountControl property of a LDAP: namespaces' user object.
; Operating System = Windows NT 4.0 / Windows 2000
; Namespace = WinNT, LDAP
; object class = user
; properties = userFlags (WinNT), userAccountControl (LDAP on Windows 2000)

; The following used with both userFlags and userAccountControl
UF_SCRIPT = 1                        ; The logon script will be executed.
UF_ACCOUNTDISABLE = 2                ; The user's account is disabled.
UF_HOMEDIR_REQUIRED = 8              ; The home directory is required.
UF_LOCKOUT = 16                      ; The account is currently locked out.
UF_PASSWD_NOTREQD = 32               ; No password is required.
UF_PASSWD_CANT_CHANGE = 64           ; The user cannot change the password. You can read this flag
                                     ; but you cannot set it directly.
UF_DONT_EXPIRE_PASSWD = 65536        ; The password, which should never expire on the account.
UF_TEMP_DUPLICATE_ACCOUNT = 256      ; This is an account for users whose primary account is in another domain.
                                     ; This account provides user access to this domain, but not to any domain
                                     ; that trusts this domain. Sometimes it is referred to as a local user account.
UF_NORMAL_ACCOUNT = 512              ; This is a default account type that represents a typical user.
UF_INTERDOMAIN_TRUST_ACCOUNT = 2048  ; This is a permit to trust account for a system domain that trusts other domains.
UF_WORKSTATION_TRUST_ACCOUNT = 4096  ; This is a computer account that is a member of this domain.
UF_SERVER_TRUST_ACCOUNT = 8192       ; This is a computer account for a system backup domain controller that is a member of this domain.

; The following used with userFlags only.
UF_ENCRYPTED_PASSWORD_ALLOWED = 128  ; The user can send an encrypted password. (Windows 2000 only)
UF_MNS_LOGON_ACCOUNT = 131072        ; This is an MNS logon account.
UF_SMARTCARD_REQUIRED = 262144       ; When set, this flag will force the user to log on using smart card. (Windows 2000 only)
UF_TRUSTED_FOR_DELEGATION = 524288   ; When set, the service account (user or computer account), under which a service runs,
                                     ; is trusted for Kerberos delegation. Any such service can impersonate a client requesting
                                     ; the service. To enable a service for Kerberos delegation, you must set this flag on the
                                     ; userAccountControl property of the service account. (Windows 2000 only)
UF_NOT_DELEGATED = 1048576           ; When set, the security context of the user will not be delegated to a service even
                                     ; if the service account is set as trusted for Kerberos delegation

; Guid used to prevent a user from changing their password.
; Operating System = Windows 2000
; Namespace = LDAP:
; Object class = user
; Property = ntSecurityDescriptor
; Security object = ACE
; Security Property = ObjectType
CHANGE_PASSWORD_GUID = "{ab721a53-1e2f-11d0-9819-00aa0040529b}"

; Constant used to indicate that a user has unlimited disk storage rights.
; Operating System = Windows NT 4.0 / Windows 2000
; Namespace = LDAP:
; object class = user
; properties = maxStorage
USER_MAXSTORAGE_UNLIMITED = -1       ; Use all available disk space.

; Meaning of bits in groupType property of a LDAP namespace's group object.
; Operating System = Windows 2000
; Namespace = LDAP
; object class = group
; properties = groupType
GLOBAL_GROUP = 2                     ; Group that contains only accounts and other account groups from its own domain.
                                     ; This group may be exported to a different domain.
DOMAIN_LOCAL_GROUP = 4               ; Group that can contain accounts and universal groups from any domains. It may
                                     ; not be included in either access-control lists of resources in other domains or
                                     ; groups other than global groups in the same domain.
LOCAL_GROUP = 4                      ; This bit is for the WinNT provider as the DOMAIN_LOCAL_GROUP bit
                                     ; is for the LDAP provider.
UNIVERSAL_GROUP = 8                  ; Group that can contain accounts and account groups from any domains, but not domain local groups.
SECURITY_ENABLED = 2147483648        ; If this bit is set, the group is a security group. If this bit is not set,
                                     ; the group is a distribution group.

; The following values are for security objects all accessed through the ntSecurityDescriptor property.
; Some can also be used with the NT-Security-Descriptor property of a mailbox object

; Current revision of security descriptor.
; Operating System = Windows 2000
; Namespace = LDAP
; Security object = Security Descriptor
; Property = Revision
ACL_REVISION = 2
ACL_REVISION_DS = 4                  ; If the DACL contains an object-specific ACE you must use this.

; Current revision of Access Control List.
; Operating System = Windows 2000
; Namespace = LDAP
; Security object = Access Control List
; Property = AclRevision
ACL_REVISION = 2
ACL_REVISION_DS = 4                  ; If the ACL contains an object-specific ACE you must use this.

; Bit values associated with the Security Descriptor Control property.
; Operating System = Windows 2000
; Namespace = LDAP
; Security object = Security Descriptor
; Property = Control
OWNER_DEFAULTED = 1                  ; A default mechanism, rather than the original provider of the
                                     ; security descriptor, provided the security descriptor's owner security identifier (SID).
GROUP_DEFAULTED = 2                  ; A default mechanism, rather than the original provider of the security descriptor,
                                     ; provided the security descriptor's group SID.
DACL_PRESENT = 4                     ; Indicates a security descriptor that has a DACL. If this flag is not set, or if this
                                     ; flag is set and the DACL is NULL, the security descriptor allows full access to everyone.
DACL_DEFAULTED = 8                   ; Indicates a security descriptor with a default DACL. For example, if an
                                     ; object's creator does not specify a DACL, the object receives the default DACL
                                     ; from the creator's access token.
SACL_PRESENT = 16                    ; Indicates a security descriptor that has a SACL. This flag is used to hold the
                                     ; security information specified by a caller until the security descriptor is associated
                                     ; with a securable object.
SACL_DEFAULTED = 32                  ; A default mechanism, rather than the original provider of the security descriptor, provided the SACL.
DACL_AUTO_INHERIT_REQ = 256          ; The DACL of the security descriptor must be inherited.
SACL_AUTO_INHERIT_REQ = 512          ; The SACL of the security descriptor must be inherited.
DACL_AUTO_INHERITED = 1024           ; Indicates a security descriptor in which the DACL is set up
                                     ; to support automatic propagation of inheritable ACEs to existing child objects.
SACL_AUTO_INHERITED = 2048           ; The SACL of the security descriptor supports automatic propagation of inheritable
                                     ; ACEs to existing child objects.
DACL_PROTECTED = 4096                ; The security descriptor will not allow inheritable ACEs to modify the DACL.
SACL_PROTECTED = 8192                ; The security descriptor will not allow inheritable ACEs to modify the SACL.
SELF_RELATIVE = 32768                ; The security descriptor is of self-relative format with all the security information in
                                     ; a continuous block of memory.

; Bit values associated with an Access Control Entry's AccessMask property.
; Operating System = Windows 2000
; Namespace = LDAP
; Security object = ACE
; Property = AccessMask
DELETE = 65536                       ; The right to delete the object.
READ_CONTROL = 131072                ; The right to read information from the security descriptor of the object,
                                     ; not including the information in the SACL.
WRITE_DAC = 262144                   ; The right to modify the discretionary access-control list (DACL) in the
                                     ; object's security descriptor.
WRITE_OWNER = 524288                 ; The right to assume ownership of the object. The user must be a trustee
                                     ; of the object. The user cannot transfer the ownership to other users.
SYNCHRONIZE = 1048576                ; The right to use the object for synchronization. This enables a thread
                                     ; to wait until the object is in the signaled state.
ACCESS_SYSTEM_SECURITY = 16777216    ; The right to get or set the SACL in the object's security descriptor.
GENERIC_READ = 2147483648            ; The right to read from the security descriptor, examine the object as
                                     ; well as its children, and read all properties.
GENERIC_WRITE = 1073741824           ; The right to write all the properties and write to the DACL. The user
                                     ; can add and remove the object to and from the directory.
GENERIC_EXECUTE = 536870912          ; The right to list children of this object.
GENERIC_ALL = 268435456              ; The right to create or delete children, delete a subtree, read and write
                                     ; properties, examine children and the object itself, add and remove the
                                     ; object from the directory, and read or write with an extended right.
DS_CREATE_CHILD = 1                  ; The right to create children of the object. The ObjectType member of an
                                     ; ACE can contain a GUID that identifies the type of child object whose
                                     ; creation is being controlled. If ObjectType does not contain a GUID, the
                                     ; ACE controls the creation of all child object types.
DS_DELETE_CHILD = 2                  ; The right to delete children of the object. The ObjectType member of an
                                     ; ACE can contain a GUID that identifies a type of child object whose
                                     ; deletion is being controlled. If ObjectType does not contain a GUID, the
                                     ; ACE controls the deletion of all child object types.
ACTRL_DS_LIST = 4                    ; The right to list children of this object.
DS_SELF = 8                          ; The right to modify the group membership of a group object.
DS_READ_PROP = 16                    ; The right to read properties of the object. The ObjectType member of an
                                     ; ACE can contain a GUID that identifies a property set or property. If
                                     ; ObjectType does not contain a GUID, the ACE controls the right to read
                                     ; all of the object's properties.
DS_WRITE_PROP = 32                   ; The right to write properties of the object. The ObjectType member of
                                     ; an ACE can contain a GUID that identifies a property set or property.
                                     ; If ObjectType does not contain a GUID, the ACE controls the right to
                                     ; write all of the object's properties.
DS_DELETE_TREE = 64                  ; The right to delete all children of this object, regardless of the
                                     ; permission on the children.
DS_LIST_OBJECT = 128                 ; The right to list a particular object. If the user is not granted such
                                     ; a right, the object is hidden from the user.
DS_CONTROL_ACCESS = 256              ; The right to perform an operation controlled by an extended access right.
                                     ; The ObjectType member of an ACE can contain a GUID that identifies the
                                     ; extended right. If ObjectType does not contain a GUID, the ACE controls
                                     ; the right to perform all extended right operations associated with the object.

;************************************Exchange 5.5 only**********************************************
; The Exchange 5.5's mailbox security descriptor has different meanings for several AccessMask bits.
; Operating System = Windows 2000, NT 4.0
; Namespace = LDAP
; Security object = ACE
; Property = AccessMask
EXCH_MODIFY_USER_ATT = 2             ; Modify User Attributes
EXCH_MAIL_SEND_AS = 8                ; Send As
EXCH_MAIL_RECEIVE_AS = 16            ; Mailbox Owner

; The Exchange 5.5 security descriptors for container objects have these bit values associated with
; their Access Control Entry's AccessMask property.
; Operating System = Windows 2000, NT 4.0
; Namespace = LDAP
; Security object = ACE
; Property = AccessMask
RIGHT_DS_ADD_CHILD = 1
RIGHT_DS_MODIFY_USER_ATT = 2
RIGHT_DS_MODIFY_ADMIN_ATT = 4
RIGHT_DS_DELETE = 65536
RIGHT_MAIL_SEND_AS = 8
RIGHT_MAIL_RECEIVE_AS = 16
RIGHT_MAIL_ADMIN_AS = 32
RIGHT_DS_REPLICATION = 64
RIGHT_DS_MODIFY_SEC_ATT = 128
RIGHT_DS_SEARCH = 256
;***********************************End Exchange 5.5 only*******************************************

; Values associated with an Access Control Entry's AceType property.
; Operating System = Windows 2000
; Namespace = LDAP
; Security object = ACE
; Property = AceType
ACCESS_ALLOWED = 0                   ; The ACE is of the standard ACCESS ALLOWED type, where the ObjectType and
                                     ; InheritedObjectType fields are NULL.
ACCESS_DENIED = 1                    ; The ACE is of the standard ACCESS_DENIED type, where the ObjectType and
                                     ; InheritedObjectType fields are NULL.
SYSTEM_AUDIT = 2                     ; The ACE is of the standard system type, where the ObjectType and
                                     ; InheritedObjectType fields are NULL.
ACCESS_ALLOWED_OBJECT = 5            ; The ACE is of the ADSI extension of the ACCESS ALLOWED type, where either
                                     ; ObjectType or InheritedObjectType or both contain a GUID.
ACCESS_DENIED_OBJECT = 6             ; The ACE is of the ADSI extension of the ACCESS_DENIED type, where either
                                     ; ObjectType or InheritedObjectType or both contain a GUID.
SYSTEM_AUDIT_OBJECT = 7              ; The ACE is of the ADSI extension of the system type, where either ObjectType
                                     ; or InheritedObjectType or both contain a GUID.

; Bit values associated with an Access Control Entry's AceFlags property.
; Operating System = Windows 2000
; Namespace = LDAP
; Security object = ACE
; Property = AceFlags
INHERIT_ACE = 2                      ; Child objects will inherit this access-control entry (ACE). The inherited
                                     ; ACE is inheritable unless the NO_PROPAGATE_INHERIT_ACE flag is set.
NO_PROPAGATE_INHERIT_ACE = 4         ; ADSI will clear the INHERIT_ACE flag for the inherited ACEs of
                                     ; child objects. This prevents the ACE from being inherited by subsequent
                                     ; generations of objects.
INHERIT_ONLY_ACE = 8                 ; Indicates an inherit-only ACE that does not exercise access control on the
                                     ; object to which it is attached. If this flag is not set, the ACE is an
                                     ; effective ACE that exerts access control on the object to which it is attached.
INHERITED_ACE = 16                   ; Indicates whether or not the ACE was inherited. The system sets this bit.
VALID_INHERIT_FLAGS = 31             ; Indicates whether the inherit flags are valid. The system sets this bit.
SUCCESSFUL_ACCESS = 64               ; Generates audit messages for successful access attempts, used with ACEs that
                                     ; audit the system in a system access-control list (SACL).
FAILED_ACCESS = 128                  ; Generates audit messages for failed access attempts, used with ACEs that audit
                                     ; the system in a SACL.

; Bit values associated with an Access Control Entry's Flags property.
; Operating System = Windows 2000
; Namespace = LDAP
; Security object = ACE
; Property = Flags
OBJECT_TYPE_PRESENT = 1              ; The ObjectType field is present in the ACE, but InheritedObjectType is not.
INHERITED_OBJECT_TYPE_PRESENT = 2    ; The InheritedObjectType field is present in the ACE, but ObjectType is not.

; Possible values for the Authentication method (3rd) parameter of the dsSetCredentx function.
; Use these values to control the
CLEAR_TEXT = 0                       ; Use basic authentication to bind to directory service objects.
SECURE_AUTHENTICATION = 1            ; Requests secure authentication. When this flag is set, the WinNT provider uses NTLM
                                     ; to authenticate the client. Active Directory will use Kerberos, and possibly NTLM,
                                     ; to authenticate the client. When the user name and password are NULL, the extender
                                     ; binds to the object using the security context of the user account under which
                                     ; WinBatch is running.
USE_ENCRYPTION = 2                   ; Use encryption for data exchange over the network.
USE_SSL = 2                          ; Data will be encrypted using SSL.
READONLY_SERVER = 4                  ; For a WinNT provider, the extender tries to connect to a primary domain
                                     ; controller (PDC) or a backup domain controller (BDC). For Active Directory, this
                                     ; flag indicates that a writeable server is not required for a serverless binding.
PROMPT_CREDENTIALS = 8               ; Not supported.
NO_AUTHENTICATION = 16               ; The providers may attempt to bind the client to an object, as an anonymous user.
                                     ; The WinNT provider does not support this flag.
FAST_BIND = 32                       ; This flag is not supported by the extender.
USE_SIGNING = 64                     ; Verifies data integrity to ensure the data received is the same as the data sent.
                                     ; The SECURE_AUTHENTICATION flag must be set also.
USE_SEALING = 128                    ; Encrypts data using Kerberos. The SECURE_AUTHENTICATION flag must be set also.
USE_DELEGATION = 256                 ; Enables the extender to delegate the user's security context, which is necessary
                                     ; for moving objects across domains.
SERVER_BIND = 512                    ; Windows 2000 SP1 and later: Specify this flag when using the LDAP provider if your
                                     ; ADsPath includes a server name. Do not use this flag for paths that include a domain
                                     ; name or for serverless paths. If you specify a server name without also specifying
                                     ; this flag, unnecessary network traffic is the result.

; The SECURE_AUTHENTICATION flag can be used in combination with other flags such as READONLY_SERVER,
; PROMPT_CREDENTIALS, FAST_BIND, USE_SIGNING, USE_SEALING AND SERVER_BIND.

return
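
Added example, not part of the WinBatch sample or the WinBatch ADSI extender: a small Python audit helper that decodes a userAccountControl value with the UF_* bit values from the :Constants block above (the script writes 512, UF_NORMAL_ACCOUNT, once the password is accepted) and lists the flag combinations a provisioning review would want to catch. The sample values and the RISKY_FLAGS list are the example's own choices, not anything the script sets.

```python
# Added example: decode userAccountControl with the UF_* bits from NEWUSER.WBT's
# :Constants block and report account settings a provisioning review would flag.

# Bit values copied from the :Constants block of the script
UF_FLAGS = {
    "UF_SCRIPT": 1,
    "UF_ACCOUNTDISABLE": 2,
    "UF_HOMEDIR_REQUIRED": 8,
    "UF_LOCKOUT": 16,
    "UF_PASSWD_NOTREQD": 32,
    "UF_PASSWD_CANT_CHANGE": 64,
    "UF_ENCRYPTED_PASSWORD_ALLOWED": 128,
    "UF_TEMP_DUPLICATE_ACCOUNT": 256,
    "UF_NORMAL_ACCOUNT": 512,
    "UF_INTERDOMAIN_TRUST_ACCOUNT": 2048,
    "UF_WORKSTATION_TRUST_ACCOUNT": 4096,
    "UF_SERVER_TRUST_ACCOUNT": 8192,
    "UF_DONT_EXPIRE_PASSWD": 65536,
    "UF_MNS_LOGON_ACCOUNT": 131072,
    "UF_SMARTCARD_REQUIRED": 262144,
    "UF_TRUSTED_FOR_DELEGATION": 524288,
    "UF_NOT_DELEGATED": 1048576,
}

# Flags that weaken a freshly provisioned user account. This list is the example's
# own reviewer choice (an assumption), not something the script or the page defines.
RISKY_FLAGS = {
    "UF_PASSWD_NOTREQD": "account may carry an empty password",
    "UF_DONT_EXPIRE_PASSWD": "password never expires",
    "UF_TRUSTED_FOR_DELEGATION": "account may impersonate callers (Kerberos delegation)",
    "UF_PASSWD_CANT_CHANGE": "user cannot rotate their own password",
}


def decode_uac(value: int) -> list:
    """Return the UF_* names set in value, lowest bit first; unknown bits are reported too."""
    if value < 0:
        raise ValueError("userAccountControl must be non-negative")
    by_bit = sorted(UF_FLAGS.items(), key=lambda kv: kv[1])
    names = [name for name, bit in by_bit if value & bit]
    known = 0
    for bit in UF_FLAGS.values():
        known |= bit
    leftover = value & ~known
    if leftover:
        names.append(f"UNKNOWN_0x{leftover:x}")
    return names


def is_enabled_normal_user(value: int) -> bool:
    """True for a normal user account (512) whose disable bit (2) is clear, i.e. what the script writes."""
    normal = bool(value & UF_FLAGS["UF_NORMAL_ACCOUNT"])
    disabled = bool(value & UF_FLAGS["UF_ACCOUNTDISABLE"])
    return normal and not disabled


def uac_warnings(value: int) -> list:
    """Review findings for every RISKY_FLAGS bit set in value, in RISKY_FLAGS order."""
    return [f"{name}: {reason}" for name, reason in RISKY_FLAGS.items()
            if value & UF_FLAGS[name]]


def review_account(sam_account_name: str, value: int) -> dict:
    """Combine the checks into one record for a provisioning audit report."""
    return {
        "sAMAccountName": sam_account_name,
        "userAccountControl": value,
        "flags": decode_uac(value),
        "enabled_normal_user": is_enabled_normal_user(value),
        "warnings": uac_warnings(value),
    }


if __name__ == "__main__":
    # Constructed sample accounts: the script's 512, a disabled account (512+2),
    # password never expires (512+65536) and no password required on top (512+65536+32).
    samples = {"jsmith": 512, "tjones": 514, "svcbackup": 66048, "tempuser": 66080}
    for sam, uac in samples.items():
        print(review_account(sam, uac))
```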


Article ID:   W16811
File Created: 2007:07:03:14:26:22
Last Updated: 2007:07:03:14:26:22