You are here:
ActiveXperts.com > ActiveXperts Network Monitor > WindowsManagement > Scripts > Active Directory > OUs
Quicklinks
- Download ActiveXperts Network Monitor 7.2 (11276 KB)
- Download Manual (925 KB)
Active Directory Organizational Unit Scripts
Assign a New Group Policy Link to an OUAssign a New Manager to an OU
Clear COM+ Attributes from a User Account
Clear the COM+ Partition Link Set of an OU
Clear the General Properties of an OU
Clear the Group Policy Links Assigned to an OU
Create an OU
Create an OU in an Existing OU
Delete an OU
List the System Access Control List of an OU
List the Attributes of the organizationalUnit Class
List COM+ Partition Sets
List the General Properties of an OU
List Group Policy Information for an OU
Modify the General Properties of an OU
Remove an OU Manager
You can use any of the VBScript programs below in ActiveXperts Network Monitor. Click here for an explanation about how to include scripts in ActiveXperts Network Monitor.
Assign a New Group Policy Link to an OU
Assigns the Group Policy link Sales Policy to the Sales OU in Active Directory.
On Error Resume Next
Set objContainer = GetObject _
("LDAP://ou=Sales,dc=NA,dc=fabrikam,dc=com")
strExistingGPLink = objContainer.Get("gPLink")
strGPODisplayName = "Sales Policy"
strGPOLinkOptions = 2
strNewGPLink = "[" & GetGPOADsPath & ";" & strGPOLinkOptions & "]"
objContainer.Put "gPLink", strExistingGPLink & strNewGPLink
objContainer.Put "gPOptions", "0"
objContainer.SetInfo
Function GetGPOADsPath
Set objConnection = CreateObject("ADODB.Connection")
objConnection.Open "Provider=ADsDSOObject;"
Set objCommand = CreateObject("ADODB.Command")
objCommand.ActiveConnection = objConnection
objCommand.CommandText = _
";;" & _
"distinguishedName,displayName;onelevel"
Set objRecordSet = objCommand.Execute
Do Until objRecordSet.EOF
If objRecordSet.Fields("displayName") = strGPODisplayName Then
GetGPOADsPath = "LDAP://" & objRecordSet.Fields("distinguishedName")
objConnection.Close
Exit Function
End If
objRecordSet.MoveNext
Loop
objConnection.Close
End Function
Assign a New Manager to an OU
Assigns the user account AkersKim as manager of the Sales OU in Active Directory.
Set objContainer = GetObject _
("LDAP://ou=Sales,dc=NA,dc=fabrikam,dc=com")
objContainer.Put "managedBy", "cn=AkersKim,ou=Sales,dc=NA,dc=fabrikam,dc=com"
objContainer.SetInfo
Clear COM+ Attributes from a User Account
Removes all information from the msCOM-UserPartitionSetLink attribute of the MyerKen user account in Active Directory.
Const ADS_PROPERTY_CLEAR = 1
Set objUser = GetObject _
("LDAP://cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com")
objUser.PutEx ADS_PROPERTY_CLEAR, "msCOM-UserPartitionSetLink", 0
objUser.SetInfo
Clear the COM+ Partition Link Set of an OU
Removes the COM+ partition link set assigned to the Sales OU in Active Directory.
Const ADS_PROPERTY_CLEAR = 1
Set objContainer = GetObject _
("LDAP://ou=Sales,dc=NA,dc=fabrikam,dc=com")
objContainer.PutEx ADS_PROPERTY_CLEAR, "msCOM-UserPartitionSetLink", 0
objContainer.SetInfo
Clear the General Properties of an OU
Modifies the attribute values found on the General Properties page in Active Directory Users and Computers for an OU named Sales.
Const ADS_PROPERTY_CLEAR = 1
Set objContainer = GetObject _
("LDAP://ou=Sales,dc=NA,dc=fabrikam,dc=com")
objContainer.PutEx ADS_PROPERTY_CLEAR, "description", 0
objContainer.PutEx ADS_PROPERTY_CLEAR, "street", 0
objContainer.PutEx ADS_PROPERTY_CLEAR, "l", 0
objContainer.PutEx ADS_PROPERTY_CLEAR, "st", 0
objContainer.PutEx ADS_PROPERTY_CLEAR, "postalCode", 0
objContainer.PutEx ADS_PROPERTY_CLEAR, "c", 0
objContainer.SetInfo
Clear the Group Policy Links Assigned to an OU
Removes all the Group Policy links assigned to the Sales OU in Active Directory.
Const ADS_PROPERTY_CLEAR = 1
Set objContainer = GetObject _
("LDAP://ou=Sales,dc=NA,dc=fabrikam,dc=com")
objContainer.PutEx ADS_PROPERTY_CLEAR, "gPLink", 0
objContainer.PutEx ADS_PROPERTY_CLEAR, "gPOptions", 0
objContainer.SetInfo
Create an OU
Creates a new organizational unit within Active Directory.
Set objDomain = GetObject("LDAP://dc=fabrikam,dc=com")
Set objOU = objDomain.Create("organizationalUnit", "ou=Management")
objOU.SetInfo
Create an OU in an Existing OU
Creates a new organizational unit (OU2) in an existing organizational unit (OU1).
Set objOU1 = GetObject("LDAP://ou=OU1,dc=na,dc=fabrikam,dc=com")
Set objOU2 = objOU1.Create("organizationalUnit", "ou=OU2")
objOU2.SetInfo
Delete an OU
Deletes an organizational unit named HR from the domain fabrikam.com.
Set objDomain = GetObject("LDAP://dc=fabrikam,dc=com")
objDomain.Delete "organizationalUnit", "ou=hr"
List the System Access Control List of an OU
Returns information found on the System Access Control List (SACL) for the Sales OU in Active Directory.
Const SE_SACL_PROTECTED = &H2000
Const ADS_SECURITY_INFO_OWNER = &H1
Const ADS_SECURITY_INFO_GROUP = &H2
Const ADS_OPTION_SECURITY_MASK =&H3
Const ADS_SECURITY_INFO_DACL = &H4
Const ADS_SECURITY_INFO_SACL = &H8
Set objContainer = GetObject _
("LDAP://ou=Sales,dc=NA,dc=fabrikam,dc=com")
objContainer.SetOption ADS_OPTION_SECURITY_MASK, ADS_SECURITY_INFO_OWNER _
Or ADS_SECURITY_INFO_GROUP Or ADS_SECURITY_INFO_DACL _
Or ADS_SECURITY_INFO_SACL
Set objNtSecurityDescriptor = objContainer.Get("ntSecurityDescriptor")
intNtSecurityDescriptorControl = objNtSecurityDescriptor.Control
WScript.Echo "Auditing Tab"
strMessage = "Allow inheritable auditing entries from" & _
"the parent to propogate to this object and all child objects "
If (intNtSecurityDescriptorControl And SE_SACL_PROTECTED) Then
Wscript.Echo strMessage & "is disabled."
Else
WScript.Echo strMessage & "is enabled."
End If
WScript.Echo
Set objSacl = objNtSecurityDescriptor.SystemAcl
DisplayAceInformation objSacl, "SACL"
Sub DisplayAceInformation(SecurityStructure, strType)
Const ADS_ACETYPE_SYSTEM_AUDIT = &H2
Const ADS_ACETYPE_SYSTEM_AUDIT_OBJECT = &H7
intAceCount = 0
For Each objAce In SecurityStructure
strTrustee = Mid(objAce.Trustee,1,12)
If StrComp(strTrustee, "NT AUTHORITY", 1) <> 0 Then
intAceCount = intAceCount + 1
WScript.Echo strType & " permission entry: " & intAceCount
WScript.Echo "Name: " & objAce.Trustee
intAceType = objAce.AceType
WScript.Echo "ACETYPE IS: " & intAceType
If (intAceType = ADS_ACETYPE_SYSTEM_AUDIT or _
intAceType = ADS_ACETYPE_SYSTEM_AUDIT_OBJECT) Then
WScript.StdOut.Write "Type: Success or Failure Audit"
Else
WScript.StdOut.Write "Audit Type Unknown."
End If
ReadBitsInAccessMask(objAce.AccessMask)
WScript.Echo
End If
Next
End Sub
Sub ReadBitsInAccessMask(AccessMask)
Const ADS_RIGHT_DELETE = &H10000
Const ADS_RIGHT_READ_CONTROL = &H20000
Const ADS_RIGHT_WRITE_DAC = &H40000
Const ADS_RIGHT_WRITE_OWNER = &H80000
Const ADS_RIGHT_DS_CREATE_CHILD = &H1
Const ADS_RIGHT_DS_DELETE_CHILD = &H2
Const ADS_RIGHT_ACTRL_DS_LIST = &H4
Const ADS_RIGHT_DS_SELF = &H8
Const ADS_RIGHT_DS_READ_PROP = &H10
Const ADS_RIGHT_DS_WRITE_PROP = &H20
Const ADS_RIGHT_DS_DELETE_TREE = &H40
Const ADS_RIGHT_DS_LIST_OBJECT = &H80
Const ADS_RIGHT_DS_CONTROL_ACCESS = &H100
WScript.Echo VbCrLf & "Standard Access Rights"
If (AccessMask And ADS_RIGHT_DELETE) Then _
WScript.Echo vbTab & "-Delete an object."
If (AccessMask And ADS_RIGHT_READ_CONTROL) Then _
WScript.Echo vbTab & "-Read permissions."
If (AccessMask And ADS_RIGHT_WRITE_DAC) Then _
WScript.Echo vbTab & "-Write permissions."
If (AccessMask And ADS_RIGHT_WRITE_OWNER) Then _
WScript.Echo vbTab & "-Modify owner."
WScript.Echo VbCrLf & "Directory Service Specific Access Rights"
If (AccessMask And ADS_RIGHT_DS_CREATE_CHILD) Then _
WScript.Echo vbTab & "-Create child objects."
If (AccessMask And ADS_RIGHT_DS_DELETE_CHILD) Then _
WScript.Echo vbTab & "-Delete child objects."
If (AccessMask And ADS_RIGHT_ACTRL_DS_LIST) Then _
WScript.Echo vbTab & "-Enumerate an object."
If (AccessMask And ADS_RIGHT_DS_READ_PROP) Then _
WScript.Echo vbTab & "-Read the properties of an object."
If (AccessMask And ADS_RIGHT_DS_WRITE_PROP) Then _
WScript.Echo vbTab & "-Write the properties of an object."
If (AccessMask And ADS_RIGHT_DS_DELETE_TREE) Then _
WScript.Echo vbTab & "-Delete a tree of objects"
If (AccessMask And ADS_RIGHT_DS_LIST_OBJECT) Then _
WScript.Echo vbTab & "-List a tree of objects."
WScript.Echo VbCrLf & "Control Access Rights"
If (AccessMask And ADS_RIGHT_DS_CONTROL_ACCESS) + _
(AccessMask And ADS_RIGHT_DS_SELF) = 0 Then
WScript.Echo "-None"
Else
If (AccessMask And ADS_RIGHT_DS_CONTROL_ACCESS) Then _
WScript.Echo vbTab & "-Extended access rights."
If (AccessMask And ADS_RIGHT_DS_SELF) Then
WScript.Echo vbTab & "-Active Directory must validate a property "
WScript.Echo vbTab & " write operation beyond the schema " & _
"definition "
WScript.Echo vbTab & " for the attribute."
End If
End If
End Sub
List the Attributes of the organizationalUnit Class
Returns both the mandatory and optional attributes for the organizationalUnit class (as found in the Active Directory schema).
Set objOrganizationalUnitClass = _
GetObject("LDAP://schema/organizationalUnit")
Set objSchemaClass = GetObject(objOrganizationalUnitClass.Parent)
i = 0
WScript.Echo "Mandatory attributes:"
For Each strAttribute in objOrganizationalUnitClass.MandatoryProperties
i= i + 1
WScript.Echo i & vbTab & strAttribute
Set objAttribute = objSchemaClass.GetObject("Property", strAttribute)
WScript.Echo " (Syntax: " & objAttribute.Syntax & ")"
If objAttribute.MultiValued Then
WScript.Echo " Multivalued"
Else
WScript.Echo " Single-valued"
End If
Next
WScript.Echo VbCrLf & "Optional attributes:"
For Each strAttribute in objOrganizationalUnitClass.OptionalProperties
i= i + 1
WScript.StdOut.Write i & vbTab & strAttribute
Set objAttribute = objSchemaClass.GetObject("Property", strAttribute)
Wscript.Echo " [Syntax: " & objAttribute.Syntax & "]"
If objAttribute.MultiValued Then
WScript.Echo " Multivalued"
Else
WScript.Echo " Single-valued"
End If
Next
List COM+ Partition Sets
Returns a list of Active Directory COM+ partition sets.
Set objCOMPartitionSets = GetObject _
("LDAP://cn=ComPartitionSets,cn=System,dc=NA,dc=fabrikam,dc=com")
For Each objPartitionSet in objCOMPartitionSets
WScript.Echo "Name: " & objPartitionSet.Name
Next
List the General Properties of an OU
Returns information found on the General Properties page in Active Directory Users and Computers for an OU named Sales.
On Error Resume Next
Set objContainer = GetObject _
("LDAP://ou=Sales,dc=NA,dc=fabrikam,dc=com")
For Each strValue in objContainer.description
WScript.Echo "Description: " & strValue
Next
Wscript.Echo "Street Address: " & strStreetAddress
Wscript.Echo "Locality: " &
Wscript.Echo "State/porvince: " & objContainer.st
Wscript.Echo "Postal Code: " & objContainer.postalCode
Wscript.Echo "Country: " & objContainer.c
List Group Policy Information for an OU
Returns the values found on the Group Policy page in Active Directory Users and Computers for the Sales OU.
On Error Resume Next
Set objContainer = GetObject _
("LDAP://ou=Sales,dc=NA,dc=fabrikam,dc=com")
strGpLink = objContainer.Get("gPLink")
intGpOptions = objContainer.Get("gPOptions")
If strGpLink <> " " Then
arrGpLinkItems = Split(strGpLink,"]")
For i = UBound(arrGPLinkItems) to LBound(arrGpLinkItems) + 1 Step -1
arrGPLink = Split(arrGpLinkItems(i-1),";")
strDNGPLink = Mid(arrGPLink(0),9)
WScript.Echo GetGPOName
Select Case arrGPLink(1)
Case 0
WScript.Echo "No Override is cleared and the GPO is enabled."
Case 1
WScript.Echo "No Override is cleared and the GPO is disabled."
Case 2
WScript.Echo "No Override is checked and the GPO is enabled."
Case 3
WScript.Echo "No Override is checked and the GPO is disabled."
End Select
Next
WScript.Echo VbCrLf
End If
If intGpOptions = 1 Then
WScript.Echo "Block Policy Inheritance is checked."
Else
WScript.Echo "Block Policy Inheritance is not checked."
End If
Function GetGPOName
Set objConnection = CreateObject("ADODB.Connection")
objConnection.Open "Provider=ADsDSOObject;"
Set objCommand = CreateObject("ADODB.Command")
objCommand.ActiveConnection = objConnection
objCommand.CommandText = _
";;" & _
"distinguishedName,displayName;onelevel"
Set objRecordSet = objCommand.Execute
Do Until objRecordSet.EOF
If objRecordSet.Fields("distinguishedName") = strDNGPLink Then
GetGPOName = objRecordSet.Fields("displayName")
objConnection.Close
Exit Function
End If
objRecordSet.MoveNext
Loop
objConnection.Close
End Function
Modify the General Properties of an OU
Modifies the attribute values found on the General Properties page in Active Directory Users and Computers for an OU named Sales.
Const ADS_PROPERTY_UPDATE = 2
Set objContainer = GetObject _
("LDAP://ou=Sales,dc=NA,dc=fabrikam,dc=com")
objContainer.Put "street", "Building 43" & vbCrLf & "One Microsoft Way"
objContainer.Put "l", "Redmond"
objContainer.Put "st", "Washington"
objContainer.Put "postalCode", "98053"
objContainer.Put "c", "US"
objContainer.PutEx ADS_PROPERTY_UPDATE, _
"description", Array("Sales staff")
objContainer.SetInfo
Remove an OU Manager
Removes the manager entry for the Active Directory OU named Sales. When this group is run, the OU will no longer have an assigned manager.
Const ADS_PROPERTY_CLEAR = 1
Set objContainer = GetObject _
("LDAP://ou=Sales,dc=NA,dc=fabrikam,dc=com")
objContainer.PutEx ADS_PROPERTY_CLEAR, "managedBy", 0
objContainer.SetInfo