

ActiveXperts Network Monitor
Monitor servers, workstations, devices and applications in your network



Active Directory Computer Account Scripts

Copy an Active Directory Computer Account
Create a Computer Account For a Specific User
Delete a Computer Account
Disable a Global Catalog Server
Enable a Global Catalog Server
Join a Computer to a Domain
List All Computer Accounts in Active Directory
List FSMO Role Holders
List Selected Computer Account Attributes
Modify Computer Location Attribute
Move a Computer Account
Move a Computer Account to a New Domain
Rename a Computer Account
Rename a Computer and Computer Account
Reset a Computer Account Password
Search for Specific Computer Accounts
Verify Computer Role
Verify that a Computer is a Global Catalog Server


You can use any of the VBScript programs below in ActiveXperts Network Monitor. Click here for an explanation about how to include scripts in ActiveXperts Network Monitor.



Copy an Active Directory Computer Account


Retrieves the attributes of an existing computer object and copies the attributes to a new computer object created by the script.
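' Creates the computer object SEA-SQL-01 in the Computers container, then
' copies the description and location attributes onto it from the existing
' computer object SEA-PM-01.

' ADSI error raised by Get when the requested attribute has no value.
Const E_ADS_PROPERTY_NOT_FOUND = &h8000500D

Set objCompt = _
    GetObject("LDAP://cn=Computers,dc=NA,dc=fabrikam,dc=com")
Set objComptCopy = objCompt.Create("computer", "cn=SEA-SQL-01")
' Computer accounts carry a trailing "$" in sAMAccountName; this matches the
' "Create a Computer Account For a Specific User" script on this page.
objComptCopy.Put "sAMAccountName", "sea-sql-01$"
' NOTE(review): userAccountControl is not set, so the new account is created
' with whatever flags the directory applies by default -- confirm they are
' what you expect before the account is used.
objComptCopy.SetInfo

Set objComptTemplate = GetObject _
    ("LDAP://cn=SEA-PM-01,cn=Computers,dc=NA,dc=fabrikam,dc=com")
arrAttributes = Array("description", "location")

For Each strAttrib In arrAttributes
    ' Get raises an error when the template has no value for the attribute.
    ' Skip that one case and let every other failure surface.
    On Error Resume Next
    strValue = objComptTemplate.Get(strAttrib)
    lngGetError = Err.Number
    strGetError = Err.Description
    On Error GoTo 0

    If lngGetError = 0 Then
        objComptCopy.Put strAttrib, strValue
    ElseIf lngGetError <> E_ADS_PROPERTY_NOT_FOUND Then
        Err.Raise lngGetError, "CopyComputerAccount", strGetError
    End If
Next

' Commit the copied attributes to the directory.
objComptCopy.SetInfo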

Create a Computer Account For a Specific User


Creates and enables a computer account in Active Directory. A specific, authenticated user can then use this account to add his or her workstation to the domain.
' Pre-stages an enabled computer account and adds ACEs to its DACL so that one
' named user can join a workstation to the domain with it.
'
' NOTE(security): the account is created with ADS_UF_PASSWD_NOTREQD and the
' trustee is granted, among other rights, Change Password and Reset Password
' on it. Pre-stage accounts shortly before they are needed and remove any that
' are never joined.
strComputer = "atl-pro-002"
strComputerUser = "fabrikam\lewjudy"

' userAccountControl flags
Const ADS_UF_PASSWD_NOTREQD = &h0020
Const ADS_UF_WORKSTATION_TRUST_ACCOUNT = &h1000

' ACE types and flags
Const ADS_ACETYPE_ACCESS_ALLOWED = &h0
Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &h5
Const ADS_FLAG_OBJECT_TYPE_PRESENT = &h1

' Access masks
Const ADS_RIGHT_GENERIC_READ = &h80000000
Const ADS_RIGHT_DS_SELF = &h8
Const ADS_RIGHT_DS_WRITE_PROP = &h20
Const ADS_RIGHT_DS_CONTROL_ACCESS = &h100

' GUIDs of the extended rights, property set and validated writes granted below
Const ALLOWED_TO_AUTHENTICATE = _
    "{68B1D179-0D15-4d4f-AB71-46152E79A7BC}"
Const RECEIVE_AS = "{AB721A56-1E2f-11D0-9819-00AA0040529B}"
Const SEND_AS = "{AB721A54-1E2f-11D0-9819-00AA0040529B}"
Const USER_CHANGE_PASSWORD = _
    "{AB721A53-1E2f-11D0-9819-00AA0040529b}"
Const USER_FORCE_CHANGE_PASSWORD = _
    "{00299570-246D-11D0-A768-00AA006E0529}"
Const USER_ACCOUNT_RESTRICTIONS = _
    "{4C164200-20C0-11D0-A768-00AA006E0529}"
Const VALIDATED_DNS_HOST_NAME = _
    "{72E39547-7B18-11D1-ADEF-00C04FD8D5CD}"
Const VALIDATED_SPN = "{F3A64788-5306-11D1-A9C5-0000F80367C1}"

' Builds one access-allowed ACE for strTrustee. Pass Empty as strObjectGuid
' for a plain ACE; otherwise the ACE is scoped to that object-type GUID.
Function BuildAce(strTrustee, lngAccessMask, lngAceType, strObjectGuid)
    Dim objAce
    Set objAce = CreateObject("AccessControlEntry")
    objAce.Trustee    = strTrustee
    objAce.AccessMask = lngAccessMask
    objAce.AceFlags   = 0
    objAce.AceType    = lngAceType
    If Not IsEmpty(strObjectGuid) Then
        objAce.Flags      = ADS_FLAG_OBJECT_TYPE_PRESENT
        objAce.ObjectType = strObjectGuid
    End If
    Set BuildAce = objAce
End Function

' Create the account in the default Computers container of the current domain.
Set objRootDSE = GetObject("LDAP://rootDSE")
strContainerPath = "LDAP://cn=Computers," & _
    objRootDSE.Get("defaultNamingContext")
Set objContainer = GetObject(strContainerPath)

Set objComputer = objContainer.Create("Computer", "cn=" & strComputer)
objComputer.Put "sAMAccountName", strComputer & "$"
objComputer.Put "userAccountControl", _
    ADS_UF_PASSWD_NOTREQD Or ADS_UF_WORKSTATION_TRUST_ACCOUNT
objComputer.SetInfo

Set objSecurityDescriptor = objComputer.Get("ntSecurityDescriptor")
Set objDACL = objSecurityDescriptor.DiscretionaryAcl

' One row per ACE, in the order they are added: access mask, ACE type, GUID.
arrGrants = Array( _
    Array(ADS_RIGHT_GENERIC_READ, ADS_ACETYPE_ACCESS_ALLOWED, Empty), _
    Array(ADS_RIGHT_DS_CONTROL_ACCESS, ADS_ACETYPE_ACCESS_ALLOWED_OBJECT, _
        ALLOWED_TO_AUTHENTICATE), _
    Array(ADS_RIGHT_DS_CONTROL_ACCESS, ADS_ACETYPE_ACCESS_ALLOWED_OBJECT, _
        RECEIVE_AS), _
    Array(ADS_RIGHT_DS_CONTROL_ACCESS, ADS_ACETYPE_ACCESS_ALLOWED_OBJECT, _
        SEND_AS), _
    Array(ADS_RIGHT_DS_CONTROL_ACCESS, ADS_ACETYPE_ACCESS_ALLOWED_OBJECT, _
        USER_CHANGE_PASSWORD), _
    Array(ADS_RIGHT_DS_CONTROL_ACCESS, ADS_ACETYPE_ACCESS_ALLOWED_OBJECT, _
        USER_FORCE_CHANGE_PASSWORD), _
    Array(ADS_RIGHT_DS_WRITE_PROP, ADS_ACETYPE_ACCESS_ALLOWED_OBJECT, _
        USER_ACCOUNT_RESTRICTIONS), _
    Array(ADS_RIGHT_DS_SELF, ADS_ACETYPE_ACCESS_ALLOWED_OBJECT, _
        VALIDATED_DNS_HOST_NAME), _
    Array(ADS_RIGHT_DS_SELF, ADS_ACETYPE_ACCESS_ALLOWED_OBJECT, _
        VALIDATED_SPN))

For Each arrGrant In arrGrants
    objDACL.AddAce BuildAce(strComputerUser, arrGrant(0), arrGrant(1), _
        arrGrant(2))
Next

' Write the modified DACL back to the account.
objSecurityDescriptor.DiscretionaryAcl = objDACL
objComputer.Put "ntSecurityDescriptor", objSecurityDescriptor
objComputer.SetInfo

Delete a Computer Account


Deletes an individual computer account in Active Directory.
' Binds to one computer account in the Computers container and deletes it.
' The computer loses its domain trust once the account is gone, so confirm
' the name before running this.
strComputer = "atl-pro-040"
strAccountPath = "LDAP://CN=" & strComputer & _
    ",CN=Computers,DC=fabrikam,DC=com"

Set objAccount = GetObject(strAccountPath)
' DeleteObject takes a flags argument; 0 is passed here.
objAccount.DeleteObject 0

Disable a Global Catalog Server


Disables the global catalog service on the domain controller atl-dc-01.
' Clears the global catalog bit in the "options" attribute of the object named
' by dsServiceName on the given domain controller, if the bit is currently set.
Const NTDSDSA_OPT_IS_GC = 1

strComputer = "atl-dc-01"
strServerPrefix = "LDAP://" & strComputer & "/"

' rootDSE's dsServiceName gives the DN of the object that holds the options.
Set objRootDSE = GetObject(strServerPrefix & "rootDSE")
Set objDsRoot = GetObject(strServerPrefix & objRootDSE.Get("dsServiceName"))
intCurrentOptions = objDsRoot.Get("options")

' Write only when the bit is set, so the other option bits are left untouched.
If (intCurrentOptions And NTDSDSA_OPT_IS_GC) <> 0 Then
    objDsRoot.Put "options", intCurrentOptions And Not NTDSDSA_OPT_IS_GC
    objDsRoot.SetInfo
End If

Enable a Global Catalog Server


Enables the global catalog service on the domain controller atl-dc-01.
' Sets the global catalog bit in the "options" attribute of the object named
' by dsServiceName on the given domain controller, if the bit is not yet set.
Const NTDSDSA_OPT_IS_GC = 1

strComputer = "atl-dc-01"
strServerPrefix = "LDAP://" & strComputer & "/"

' rootDSE's dsServiceName gives the DN of the object that holds the options.
Set objRootDSE = GetObject(strServerPrefix & "RootDSE")
Set objDsRoot = GetObject(strServerPrefix & objRootDSE.Get("dsServiceName"))
intCurrentOptions = objDsRoot.Get("options")

' Write only when the bit is clear; the other option bits are preserved.
If (intCurrentOptions And NTDSDSA_OPT_IS_GC) = 0 Then
    objDsRoot.Put "options", intCurrentOptions Or NTDSDSA_OPT_IS_GC
    objDsRoot.SetInfo
End If

Join a Computer to a Domain


Joins the local computer to a domain and creates the computer's account in Active Directory.
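' Joins the local computer to a domain through WMI
' (Win32_ComputerSystem.JoinDomainOrWorkGroup), creating the computer account
' in the directory, and reports the method's return value.

' Join option flags; only JOIN_DOMAIN and ACCT_CREATE are used below.
Const JOIN_DOMAIN = 1
Const ACCT_CREATE = 2
Const ACCT_DELETE = 4
Const WIN9X_UPGRADE = 16
Const DOMAIN_JOIN_IF_JOINED = 32
Const JOIN_UNSECURE = 64
Const MACHINE_PASSWORD_PASSED = 128
Const DEFERRED_SPN_SET = 256
Const INSTALL_INVOCATION = 262144

strDomain = "FABRIKAM"
' NOTE(security): the join credentials are stored in clear text in this
' script, so anyone who can read the file can use them. Use an account that
' is delegated only the right to join computers, restrict read access to the
' script, and remove or rotate the password once the join is done.
strPassword = "ls4k5ywA"
strUser = "shenalan"

Set objNetwork = CreateObject("WScript.Network")
strComputer = objNetwork.ComputerName

Set objComputer = GetObject("winmgmts:{impersonationLevel=Impersonate}!\\" & _
    strComputer & "\root\cimv2:Win32_ComputerSystem.Name='" & _
        strComputer & "'")

' Arguments: domain, password, DOMAIN\user, account OU (NULL here), options.
ReturnValue = objComputer.JoinDomainOrWorkGroup(strDomain, _
    strPassword, strDomain & "\" & strUser, NULL, _
        JOIN_DOMAIN + ACCT_CREATE)

' A non-zero return value means the join did not complete; report it instead
' of letting the script end silently.
If ReturnValue = 0 Then
    Wscript.Echo "Joined " & strComputer & " to " & strDomain & _
        ". Restart the computer to complete the join."
Else
    Wscript.Echo "Domain join failed. Return value: " & ReturnValue
End If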

List All Computer Accounts in Active Directory


Returns the name and location for all the computer accounts in Active Directory.
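' Lists the name and location of every computer object under
' DC=fabrikam,DC=com using the ADSI OLE DB provider.
Const ADS_SCOPE_SUBTREE = 2

Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"

Set objCommand.ActiveConnection = objConnection
objCommand.CommandText = _
    "Select Name, Location from 'LDAP://DC=fabrikam,DC=com' " _
        & "Where objectClass='computer'"
' Page the search so large result sets are returned in full.
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
Set objRecordSet = objCommand.Execute

' The recordset is already positioned on the first row. MoveFirst raises an
' error when the search returns no rows, so the loop tests EOF directly.
Do Until objRecordSet.EOF
    Wscript.Echo "Computer Name: " & objRecordSet.Fields("Name").Value
    Wscript.Echo "Location: " & objRecordSet.Fields("Location").Value
    objRecordSet.MoveNext
Loop

' Release the recordset and the directory connection.
objRecordSet.Close
objConnection.Close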

List FSMO Role Holders


Identifies the Active Directory domain controllers providing the five FSMO roles: Schema Master, Domain Naming Master, PDC Emulator, RID Master, and Infrastructure Master.
' Reports which server holds each of the five FSMO roles. Every role is
' recorded in the fSMORoleOwner attribute of a well-known directory object;
' that attribute names an object whose parent is the role holder.

' Returns the Name of the parent of the object named by fSMORoleOwner on the
' object at strRoleObjectPath.
Function RoleHolderName(strRoleObjectPath)
    Dim objRoleObject, objNtds, objComputer
    Set objRoleObject = GetObject(strRoleObjectPath)
    Set objNtds = GetObject("LDAP://" & objRoleObject.Get("fSMORoleOwner"))
    Set objComputer = GetObject(objNtds.Parent)
    RoleHolderName = objComputer.Name
End Function

Set objRootDSE = GetObject("LDAP://rootDSE")
strSchemaNC = objRootDSE.Get("schemaNamingContext")
strConfigNC = objRootDSE.Get("configurationNamingContext")
strDomainNC = objRootDSE.Get("defaultNamingContext")

' Forest-wide roles
WScript.Echo "Forest-wide Schema Master FSMO: " & _
    RoleHolderName("LDAP://" & strSchemaNC)
WScript.Echo "Forest-wide Domain Naming Master FSMO: " & _
    RoleHolderName("LDAP://CN=Partitions," & strConfigNC)

' Domain-wide roles
WScript.Echo "Domain's PDC Emulator FSMO: " & _
    RoleHolderName("LDAP://" & strDomainNC)
WScript.Echo "Domain's RID Master FSMO: " & _
    RoleHolderName("LDAP://CN=RID Manager$,CN=System," & strDomainNC)
WScript.Echo "Domain's Infrastructure Master FSMO: " & _
    RoleHolderName("LDAP://CN=Infrastructure," & strDomainNC)
	

List Selected Computer Account Attributes


Demonstration script that retrieves the location and description attributes for a computer account in Active Directory.
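' Echoes the location and description attributes of one computer account,
' or a message for each attribute that has no value.

' Bind with error trapping so a failed bind is reported rather than ignored.
Set objComputer = Nothing
On Error Resume Next
Set objComputer = GetObject _
    ("LDAP://CN=atl-dc-01,CN=Computers,DC=fabrikam,DC=com")
On Error GoTo 0

If objComputer Is Nothing Then
    Wscript.Echo "Unable to bind to the computer account."
Else
    ' Get raises an error when the attribute has no value, and the assignment
    ' is then skipped. Start from Null so the IsNull test below is reliable
    ' for the first attribute as well as the second.
    objProperty = Null
    On Error Resume Next
    objProperty = objComputer.Get("Location")
    On Error GoTo 0
    If IsNull(objProperty) Then
        Wscript.Echo "The location has not been set."
    Else
        Wscript.Echo "Location: " & objProperty
    End If

    objProperty = Null
    On Error Resume Next
    objProperty = objComputer.Get("Description")
    On Error GoTo 0
    If IsNull(objProperty) Then
        Wscript.Echo "The description has not been set."
    Else
        Wscript.Echo "Description: " & objProperty
    End If
End If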
	

Modify Computer Location Attribute


Demonstration script that changes the location attribute for a computer account in Active Directory.
' Sets the location attribute of one computer account and commits the change.
strAccountPath = "LDAP://CN=atl-dc-01,CN=Computers,DC=fabrikam,DC=com"
strNewLocation = "Building 37, Floor 2, Room 2133"

Set objAccount = GetObject(strAccountPath)
objAccount.Put "Location", strNewLocation
' Put only changes the local property cache; SetInfo writes it to the directory.
objAccount.SetInfo

Move a Computer Account


Moves a computer account from the Computers container in Active Directory to the Finance OU in the same domain.
' Moves the atl-pro-03 computer account from the Computers container into the
' Finance OU, keeping the same relative name.
strTargetOU = "LDAP://OU=Finance,DC=fabrikam,DC=com"
strSourcePath = "LDAP://CN=atl-pro-03,CN=Computers,DC=fabrikam,DC=com"

Set objNewOU = GetObject(strTargetOU)
' MoveHere is called on the destination container: source path, then new RDN.
Set objMoveComputer = objNewOU.MoveHere(strSourcePath, "CN=atl-pro-03")
	

Move a Computer Account to a New Domain


Uses the MoveHere method to move an object to another domain. Note that there are a number of restrictions associated with performing this type of move operation. For details, see the Directory Services Platform SDK.
' Moves the Computer01 object from the fabrikam.com domain into the Computers
' container of the NA child domain.
strTargetContainer = "LDAP://cn=Computers,dc=NA,dc=fabrikam,dc=com"
strSourcePath = "LDAP://cn=Computer01,cn=Users,dc=fabrikam,dc=com"

Set objOU = GetObject(strTargetContainer)
' vbNullString is passed as the new name, so no new relative name is supplied.
objOU.MoveHere strSourcePath, vbNullString
	

Rename a Computer Account


Renames an Active Directory computer account.
' Renames the atl-pro-037 computer account to atl-pro-003. The "move" targets
' the OU the account is already in, so only the relative name changes.
strParentOU = "LDAP://OU=Finance,DC=fabrikam,DC=com"
strCurrentPath = "LDAP://CN=atl-pro-037,OU=Finance,DC=fabrikam,DC=com"
strNewRdn = "CN=atl-pro-003"

Set objNewOU = GetObject(strParentOU)
Set objMoveComputer = objNewOU.MoveHere(strCurrentPath, strNewRdn)
	

Rename a Computer and Computer Account


Renames a computer and its corresponding Active Directory computer account. Requires Windows XP or Windows Server 2003, and must be run on the local computer.
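' Renames the local computer to "WebServer" through WMI
' (Win32_ComputerSystem.Rename) and reports the method's return value.
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")

Set colComputers = objWMIService.ExecQuery _
    ("Select * from Win32_ComputerSystem")

For Each objComputer In colComputers
    ' Keep the result in its own variable. Assigning it to "err" would write
    ' to the built-in Err object, and the outcome would never be reported.
    intResult = objComputer.Rename("WebServer")
    If intResult = 0 Then
        Wscript.Echo "Rename succeeded. Restart the computer for the " & _
            "new name to take effect."
    Else
        Wscript.Echo "Rename failed. Return value: " & intResult
    End If
Next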
	

Reset a Computer Account Password


Resets a computer account password in Active Directory.
' Sets the password of one computer account to a fixed value.
'
' NOTE(security): the value is the account name followed by "$", so it can be
' guessed from the account name. Until the computer sets a fresh secret of its
' own, treat the account as having a known password. Limit who may run this
' script and log each use.
strAccountPath = "LDAP://CN=atl-dc-01,CN=Computers,DC=Reskit,DC=COM"
strResetPassword = "atl-dc-01$"

Set objAccount = GetObject(strAccountPath)
objAccount.SetPassword strResetPassword

Search for Specific Computer Accounts


Returns the name and location for all the computers in the domain that are running Windows Server 2003.
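' Lists the name and location of every computer object under
' DC=fabrikam,DC=com whose operatingSystemVersion matches a fixed value.
Const ADS_SCOPE_SUBTREE = 2

Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"

Set objCommand.ActiveConnection = objConnection
' NOTE(review): the page describes this as a Windows Server 2003 search, but
' released Windows Server 2003 builds are expected to report "5.2 (3790)".
' Confirm the version string against your directory before relying on it.
objCommand.CommandText = _
    "Select Name, Location, operatingSystemVersion from " & _
        "'LDAP://DC=fabrikam,DC=com' where objectClass='computer'" & _
            " and operatingSystemVersion = '5.1 (3600)'"
' Page the search so large result sets are returned in full.
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
Set objRecordSet = objCommand.Execute

' The recordset is already positioned on the first row. MoveFirst raises an
' error when nothing matches the filter, so the loop tests EOF directly.
Do Until objRecordSet.EOF
    Wscript.Echo "Computer Name: " & objRecordSet.Fields("Name").Value
    Wscript.Echo "Location: " & objRecordSet.Fields("Location").Value
    objRecordSet.MoveNext
Loop

' Release the recordset and the directory connection.
objRecordSet.Close
objConnection.Close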
	

Verify Computer Role


Returns the basic role (domain controller, member server, workstation, etc.) for a computer.
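' Echoes the domain role of the local computer, read from the DomainRole
' property of Win32_ComputerSystem.
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")

Set colComputers = objWMIService.ExecQuery _
    ("Select DomainRole from Win32_ComputerSystem")

For Each objComputer In colComputers
    Select Case objComputer.DomainRole
        Case 0
            strComputerRole = "Standalone Workstation"
        Case 1
            strComputerRole = "Member Workstation"
        Case 2
            strComputerRole = "Standalone Server"
        Case 3
            strComputerRole = "Member Server"
        Case 4
            strComputerRole = "Backup Domain Controller"
        Case 5
            strComputerRole = "Primary Domain Controller"
        Case Else
            ' Report an unexpected value instead of echoing an empty or
            ' stale role string.
            strComputerRole = "Unknown role (" & objComputer.DomainRole & ")"
    End Select
    Wscript.Echo strComputerRole
Next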
	

Verify that a Computer is a Global Catalog Server


Indicates whether or not the atl-dc-01 domain controller is a global catalog server.
' Reports whether the global catalog bit is set in the "options" attribute of
' the object named by dsServiceName on the given domain controller. Read-only.
Const NTDSDSA_OPT_IS_GC = 1

strComputer = "atl-dc-01"
strServerPrefix = "LDAP://" & strComputer & "/"

' rootDSE's dsServiceName gives the DN of the object that holds the options.
Set objRootDSE = GetObject(strServerPrefix & "rootDSE")
Set objDsRoot = GetObject(strServerPrefix & objRootDSE.Get("dsServiceName"))
blnIsGlobalCatalog = _
    ((objDsRoot.Get("options") And NTDSDSA_OPT_IS_GC) <> 0)

If blnIsGlobalCatalog Then
    WScript.Echo strComputer & " is a global catalog server."
Else
    Wscript.Echo strComputer & " is not a global catalog server."
End If