Keywords: ADSI dsSetSecProp DiscretionaryAcl ntSecurityDescriptor userAccountControl Accessmask AceType AceFlag Create Computer Container Account Discretionary ACL DACL Access Control Entry ACE
;***********************
; Create a win2k computer account.
;**********************
AddExtender("wwads44i.dll")

;**********************
; Set credentials.
;**********************
dsSetCredent("guesswho", "*topsecret*")

;********************************************************************
; Declare constants used in defining the default location for the
; machine account, flags to identify the object as a machine account,
; and security flags. Can be found in constants.wbt
;********************************************************************
UF_WORKSTATION_TRUST_ACCOUNT = 4096 ; This is a computer account that is a member of this domain.
UF_ACCOUNTDISABLE = 2               ; The user's account is disabled.
UF_PASSWD_NOTREQD = 32              ; No password is required.
ACCESS_ALLOWED = 0                  ; The ACE is of the standard ACCESS ALLOWED type, where the ObjectType and
                                    ; InheritedObjectType fields are NULL.
INHERIT_ACE = 2                     ; Child objects will inherit this access-control entry (ACE). The inherited
                                    ; ACE is inheritable unless the NO_PROPAGATE_INHERIT_ACE flag is set.
GENERIC_ALL = 268435456             ; The right to create or delete children, delete a subtree, read and write
                                    ; properties, examine children and the object itself, add and remove the
                                    ; object from the directory, and read or write with an extended right.

;*********************************************************************
;* Set the flags on this object to identify it as a machine account
;* and determine the name. The name is used statically here, but may
;* be determined by a command line parameter or by using an InputBox
;*********************************************************************
lFlag = UF_WORKSTATION_TRUST_ACCOUNT | UF_ACCOUNTDISABLE | UF_PASSWD_NOTREQD
sComputerName = "TestComputer"

;*********************************************************************
;* Establish a path to the container in the Active Directory where
;* the machine account will be created.
;* For simplicity's sake we are hard coding the path. Normally this
;* is not the best way to do it.
;*********************************************************************
sComputerContainer = "LDAP://shamrock/OU=Test OU,DC=jclass,DC=org"

;*********************************************************************
;* Here, the computer account is created. Certain attributes must
;* have a value before committing the object to the Active
;* Directory with dsSetObj
;*********************************************************************
sComputerPath = dsCreateObj(sComputerContainer, "computer", "CN=%sComputerName%")
dsSetProperty(sComputerPath, "samAccountName", "%sComputerName%$")
dsSetProperty(sComputerPath, "userAccountControl", lFlag)
dsSetObj(sComputerPath)

;*********************************************************************
;* Establish a default password for the machine account
;*********************************************************************
sPwd = "%sComputerName%$"
sPwd = StrLower(sPwd)
dsSetPassword(sComputerPath, "", sPwd)

;*********************************************************************
;* Specify which user or group may activate/join this computer to the
;* domain. Note that this is the downlevel naming convention used in
;* this example.
;*********************************************************************
sUserOrGroup = "jclass\hsimpson" ; Our buddy

;*********************************************************************
;* Bind to the Discretionary ACL on the newly created computer account
;* and create an Access Control Entry (ACE) that gives the specified
;* user or group full control on the machine account
;* Note: the second parameter to the dsCreatSecObj function can have the
;* following values:
;* 1 = Security descriptor.
;* 2 = ACL.
;* 3 = ACE.
;*********************************************************************
secDescriptor = dsGetProperty(sComputerPath, "ntSecurityDescriptor")
dACL = dsGetSecProp(secDescriptor, "DiscretionaryAcl")
ACE = dsCreatSecObj(sComputerPath, 3)

;*********************************************************************
;* Grant Full Control
;*********************************************************************
dsSetSecProp(ACE, "AccessMask", GENERIC_ALL)
dsSetSecProp(ACE, "AceType", ACCESS_ALLOWED)
dsSetSecProp(ACE, "AceFlags", INHERIT_ACE)

;*********************************************************************
;* Grant this control to the user or group specified earlier.
;*********************************************************************
dsSetSecProp(ACE, "Trustee", sUserOrGroup)

;*********************************************************************
;* Now, add this ACE to the DACL on the machine account
;*********************************************************************
dsAclAddAce(dACL, ACE, -1)
dsAclOrderAce(dACL)
dsSetSecProp(secDescriptor, "DiscretionaryAcl", dACL)

;*********************************************************************
;* Commit the security changes to the machine account
;*********************************************************************
dsSetProperty(sComputerPath, "ntSecurityDescriptor", secDescriptor)

;*********************************************************************
;* Once all parameters and permissions have been set, enable the
;* account.
;*********************************************************************
lFlag = dsGetProperty(sComputerPath, "userAccountControl")
lFlag = lFlag & (~UF_ACCOUNTDISABLE)
dsSetProperty(sComputerPath, "userAccountControl", lFlag)

;*****************
;* End Script
;*****************
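A read-back check, added here and not part of the WinBatch sample above, that verifies what the script leaves on the computer object: the userAccountControl bits it set (note that UF_PASSWD_NOTREQD is never cleared) and the explicit full-control ACEs on the DACL. It assumes the RSAT ActiveDirectory module, a domain-joined session, and the sample's own names (TestComputer, jclass\hsimpson).

```powershell
# Audit script (added example, not from the original article). Reads the
# account the WinBatch sample creates and reports the settings it touched.
Import-Module ActiveDirectory

# Same userAccountControl bits the sample uses
$UF_ACCOUNTDISABLE            = 2
$UF_PASSWD_NOTREQD            = 32
$UF_WORKSTATION_TRUST_ACCOUNT = 4096

$name            = 'TestComputer'      # sComputerName in the sample
$expectedTrustee = 'jclass\hsimpson'   # sUserOrGroup in the sample

$c = Get-ADComputer -Identity $name -Properties userAccountControl, nTSecurityDescriptor
$uac = [int]$c.userAccountControl

# Decode the flag word: the sample clears ACCOUNTDISABLE at the end but
# leaves PASSWD_NOTREQD set, which is the bit worth flagging in review.
[pscustomobject]@{
    Name                   = $c.Name
    IsWorkstationTrustAcct = [bool]($uac -band $UF_WORKSTATION_TRUST_ACCOUNT)
    Disabled               = [bool]($uac -band $UF_ACCOUNTDISABLE)
    PasswordNotRequired    = [bool]($uac -band $UF_PASSWD_NOTREQD)
} | Format-List

# Explicit (non-inherited) Allow ACEs carrying GenericAll, i.e. the
# full-control entry the sample adds. Any trustee other than the expected
# one or the built-in administrative groups deserves a closer look.
$all = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$c.nTSecurityDescriptor.Access |
    Where-Object {
        -not $_.IsInherited -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band $all) -eq $all)
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType,
        @{ Name = 'Expected'
           Expression = { $_.IdentityReference.Value -eq $expectedTrustee } } |
    Format-Table -AutoSize
```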
Article ID: W17542
Filename: ADSI Extender Security Descriptor Sample.txt
File Created: 2010:01:28:09:47:00
Last Updated: 2010:01:28:09:47:00