Active Directory Scripts
Changing Computer Account Attributes
Copying an Active Directory Computer Account
Creating a Computer Account For a User
Deleting a Computer Account
Disabling a Global Catalog Server
Enabling a Global Catalog Server
Enumerating Computer Account Attributes
Enumerating Computer Accounts in Active Directory
Identifying Computer Roles
Identifying Computer Roles Using Services
Identifying a Global Catalog Server
Joining Computer to a Domain
Moving a Computer Account
Renaming a Computer Account
Renaming a Computer and Computer Account
Searching for Computer Accounts
Changing Computer Account Attributes
Demonstration script that changes the location attribute for a computer account in Active Directory.
Set objComputer = GetObject _
    ("LDAP://CN=atl-dc-01,CN=Computers,DC=fabrikam,DC=com")
objComputer.Put "Location", "Building 37, Floor 2, Room 2133"
objComputer.SetInfo
Copying an Active Directory Computer Account
Retrieves the attributes of an existing computer object and copies the attributes to a new computer object that the script creates.
Set objCompt = GetObject("LDAP://cn=Computers,dc=NA,dc=fabrikam,dc=com")
Set objComptCopy = objCompt.Create("computer", "cn=SEA-SQL-01")
' A computer account's sAMAccountName carries a trailing "$"; without it the
' joining machine will not match this account.
objComptCopy.Put "sAMAccountName", "sea-sql-01$"
objComptCopy.SetInfo

' Copy selected attributes from the template account to the new one.
' Get raises an error if an attribute is not set on the template.
Set objComptTemplate = _
    GetObject("LDAP://cn=SEA-PM-01,cn=Computers,dc=NA,dc=fabrikam,dc=com")
arrAttributes = Array("description", "location")
For Each strAttrib in arrAttributes
    strValue = objComptTemplate.Get(strAttrib)
    objComptCopy.Put strAttrib, strValue
Next
objComptCopy.SetInfo
Creating a Computer Account For a User
Creates and enables a computer account in Active Directory, which a specific, authenticated user can use to add his or her workstation to the domain.
Option Explicit

Dim strComputer, strComputerUser
Dim objRootDSE, objContainer, objComputer
Dim objSecurityDescriptor, objDACL
Dim objACE1, objACE2, objACE3, objACE4, objACE5
Dim objACE6, objACE7, objACE8, objACE9

strComputer = "atl-pro-002"
strComputerUser = "fabrikam\lewjudy"

' ADS_USER_FLAG_ENUM
Const ADS_UF_PASSWD_NOTREQD = &h0020
Const ADS_UF_WORKSTATION_TRUST_ACCOUNT = &h1000

' ADS_ACETYPE_ENUM
Const ADS_ACETYPE_ACCESS_ALLOWED = &h0
Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &h5

' ADS_FLAGTYPE_ENUM
Const ADS_FLAG_OBJECT_TYPE_PRESENT = &h1

' ADS_RIGHTS_ENUM
Const ADS_RIGHT_GENERIC_READ = &h80000000
Const ADS_RIGHT_DS_SELF = &h8
Const ADS_RIGHT_DS_WRITE_PROP = &h20
Const ADS_RIGHT_DS_CONTROL_ACCESS = &h100

' controlAccessRight rightsGuid values
Const ALLOWED_TO_AUTHENTICATE = "{68B1D179-0D15-4d4f-AB71-46152E79A7BC}"
Const RECEIVE_AS = "{AB721A56-1E2f-11D0-9819-00AA0040529B}"
Const SEND_AS = "{AB721A54-1E2f-11D0-9819-00AA0040529B}"
Const USER_CHANGE_PASSWORD = "{AB721A53-1E2f-11D0-9819-00AA0040529b}"
Const USER_FORCE_CHANGE_PASSWORD = "{00299570-246D-11D0-A768-00AA006E0529}"
Const USER_ACCOUNT_RESTRICTIONS = "{4C164200-20C0-11D0-A768-00AA006E0529}"
Const VALIDATED_DNS_HOST_NAME = "{72E39547-7B18-11D1-ADEF-00C04FD8D5CD}"
Const VALIDATED_SPN = "{F3A64788-5306-11D1-A9C5-0000F80367C1}"

Set objRootDSE = GetObject("LDAP://rootDSE")
Set objContainer = GetObject("LDAP://cn=Computers," & _
    objRootDSE.Get("defaultNamingContext"))

' Create the account as a workstation trust account with no password yet
' required; the joining machine sets its own password when it joins.
Set objComputer = objContainer.Create("Computer", "cn=" & strComputer)
objComputer.Put "sAMAccountName", strComputer & "$"
objComputer.Put "userAccountControl", _
    ADS_UF_PASSWD_NOTREQD Or ADS_UF_WORKSTATION_TRUST_ACCOUNT
objComputer.SetInfo

' Read the DACL so the rights the designated user needs to join this
' computer can be added to it.
Set objSecurityDescriptor = objComputer.Get("ntSecurityDescriptor")
Set objDACL = objSecurityDescriptor.DiscretionaryAcl

' objACE1: Generic Read on the computer object
Set objACE1 = CreateObject("AccessControlEntry")
objACE1.Trustee = strComputerUser
objACE1.AccessMask = ADS_RIGHT_GENERIC_READ
objACE1.AceFlags = 0
objACE1.AceType = ADS_ACETYPE_ACCESS_ALLOWED

' objACE2 through objACE6: Extended Rights
Set objACE2 = CreateObject("AccessControlEntry")
objACE2.Trustee = strComputerUser
objACE2.AccessMask = ADS_RIGHT_DS_CONTROL_ACCESS
objACE2.AceFlags = 0
objACE2.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
objACE2.Flags = ADS_FLAG_OBJECT_TYPE_PRESENT
objACE2.ObjectType = ALLOWED_TO_AUTHENTICATE

Set objACE3 = CreateObject("AccessControlEntry")
objACE3.Trustee = strComputerUser
objACE3.AccessMask = ADS_RIGHT_DS_CONTROL_ACCESS
objACE3.AceFlags = 0
objACE3.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
objACE3.Flags = ADS_FLAG_OBJECT_TYPE_PRESENT
objACE3.ObjectType = RECEIVE_AS

Set objACE4 = CreateObject("AccessControlEntry")
objACE4.Trustee = strComputerUser
objACE4.AccessMask = ADS_RIGHT_DS_CONTROL_ACCESS
objACE4.AceFlags = 0
objACE4.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
objACE4.Flags = ADS_FLAG_OBJECT_TYPE_PRESENT
objACE4.ObjectType = SEND_AS

Set objACE5 = CreateObject("AccessControlEntry")
objACE5.Trustee = strComputerUser
objACE5.AccessMask = ADS_RIGHT_DS_CONTROL_ACCESS
objACE5.AceFlags = 0
objACE5.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
objACE5.Flags = ADS_FLAG_OBJECT_TYPE_PRESENT
objACE5.ObjectType = USER_CHANGE_PASSWORD

Set objACE6 = CreateObject("AccessControlEntry")
objACE6.Trustee = strComputerUser
objACE6.AccessMask = ADS_RIGHT_DS_CONTROL_ACCESS
objACE6.AceFlags = 0
objACE6.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
objACE6.Flags = ADS_FLAG_OBJECT_TYPE_PRESENT
objACE6.ObjectType = USER_FORCE_CHANGE_PASSWORD

' objACE7: Property Sets
Set objACE7 = CreateObject("AccessControlEntry")
objACE7.Trustee = strComputerUser
objACE7.AccessMask = ADS_RIGHT_DS_WRITE_PROP
objACE7.AceFlags = 0
objACE7.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
objACE7.Flags = ADS_FLAG_OBJECT_TYPE_PRESENT
objACE7.ObjectType = USER_ACCOUNT_RESTRICTIONS

' objACE8 and objACE9: Validated Rights
Set objACE8 = CreateObject("AccessControlEntry")
objACE8.Trustee = strComputerUser
objACE8.AccessMask = ADS_RIGHT_DS_SELF
objACE8.AceFlags = 0
objACE8.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
objACE8.Flags = ADS_FLAG_OBJECT_TYPE_PRESENT
objACE8.ObjectType = VALIDATED_DNS_HOST_NAME

Set objACE9 = CreateObject("AccessControlEntry")
objACE9.Trustee = strComputerUser
objACE9.AccessMask = ADS_RIGHT_DS_SELF
objACE9.AceFlags = 0
objACE9.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
objACE9.Flags = ADS_FLAG_OBJECT_TYPE_PRESENT
objACE9.ObjectType = VALIDATED_SPN

' Add the ACEs to the DACL and write the security descriptor back.
objDACL.AddAce objACE1
objDACL.AddAce objACE2
objDACL.AddAce objACE3
objDACL.AddAce objACE4
objDACL.AddAce objACE5
objDACL.AddAce objACE6
objDACL.AddAce objACE7
objDACL.AddAce objACE8
objDACL.AddAce objACE9

objSecurityDescriptor.DiscretionaryAcl = objDACL
objComputer.Put "ntSecurityDescriptor", objSecurityDescriptor
objComputer.SetInfo
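The script above leaves the new account with ADS_UF_PASSWD_NOTREQD Or ADS_UF_WORKSTATION_TRUST_ACCOUNT (&h1020) in userAccountControl until the machine joins. As an added example that is not part of the original script collection, the following Python decodes that bitmask and audits a constructed export of computer accounts for states worth reviewing: pre-staged accounts that were never joined, PASSWD_NOTREQD left on an account that has already set a password, and a sAMAccountName without the trailing "$". The record layout (sAMAccountName, userAccountControl, pwdLastSet) and the sample rows are assumptions for the example.

```python
# Added example, not part of the original script collection. Flag values are
# the documented ADS_USER_FLAG_ENUM constants; the records are constructed.
ADS_UF_PASSWD_NOTREQD = 0x0020
ADS_UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
ADS_UF_SERVER_TRUST_ACCOUNT = 0x2000
ADS_UF_TRUSTED_FOR_DELEGATION = 0x80000
FLAG_NAMES = {
    ADS_UF_PASSWD_NOTREQD: "PASSWD_NOTREQD",
    ADS_UF_WORKSTATION_TRUST_ACCOUNT: "WORKSTATION_TRUST_ACCOUNT",
    ADS_UF_SERVER_TRUST_ACCOUNT: "SERVER_TRUST_ACCOUNT",
    ADS_UF_TRUSTED_FOR_DELEGATION: "TRUSTED_FOR_DELEGATION",
}
TRUST_ACCOUNT = ADS_UF_WORKSTATION_TRUST_ACCOUNT | ADS_UF_SERVER_TRUST_ACCOUNT

def decode_uac(value):
    """Names of the known flags set in a userAccountControl value, low bit first."""
    return [name for bit, name in sorted(FLAG_NAMES.items()) if value & bit]

def audit_computer(record):
    """Findings for one computer account record.  pwdLastSet == 0 means the
    machine never set its own password: pre-staged but not yet joined."""
    uac = record["userAccountControl"]
    findings = []
    if not record["sAMAccountName"].endswith("$"):
        findings.append("sAMAccountName lacks trailing '$'")
    if not uac & TRUST_ACCOUNT:
        findings.append("not a computer trust account")
    if uac & ADS_UF_PASSWD_NOTREQD:
        # Needed only until the machine joins and sets a password of its own.
        if record["pwdLastSet"] == 0:
            findings.append("pre-staged, never joined")
        else:
            findings.append("PASSWD_NOTREQD still set on a joined account")
    if uac & ADS_UF_TRUSTED_FOR_DELEGATION and not uac & ADS_UF_SERVER_TRUST_ACCOUNT:
        findings.append("unconstrained delegation on a non-DC")  # normal on DCs only
    return findings

def audit_export(records):
    """Map each sAMAccountName in an export to its findings."""
    return {r["sAMAccountName"]: audit_computer(r) for r in records}

# Constructed sample export (not real directory data); pwdLastSet is a FILETIME.
SAMPLE_EXPORT = [
    {"sAMAccountName": "ATL-PRO-002$", "userAccountControl": 0x1020, "pwdLastSet": 0},
    {"sAMAccountName": "ATL-PRO-003$", "userAccountControl": 0x1020, "pwdLastSet": 133000000000000000},
    {"sAMAccountName": "ATL-DC-01$", "userAccountControl": 0x82000, "pwdLastSet": 133000000000000000},
    {"sAMAccountName": "SEA-SQL-01", "userAccountControl": 0x1000, "pwdLastSet": 133000000000000000},
]

if __name__ == "__main__":
    for name, findings in audit_export(SAMPLE_EXPORT).items():
        print(name, findings)
```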
Deleting a Computer Account
Deletes an individual computer account in Active Directory.
strComputer = "atl-pro-040"
Set objComputer = GetObject("LDAP://CN=" & strComputer & _
    ",CN=Computers,DC=fabrikam,DC=com")
objComputer.DeleteObject (0)
Disabling a Global Catalog Server
Disables the global catalog service on a domain controller.
strComputer = "atl-dc-01"
Const NTDSDSA_OPT_IS_GC = 1

Set objRootDSE = GetObject("LDAP://" & strComputer & "/rootDSE")
strDsServiceDN = objRootDSE.Get("dsServiceName")
Set objDsRoot = GetObject("LDAP://" & strComputer & "/" & strDsServiceDN)

intOptions = objDsRoot.Get("options")
If intOptions And NTDSDSA_OPT_IS_GC Then
    objDsRoot.Put "options", intOptions Xor NTDSDSA_OPT_IS_GC
    objDsRoot.SetInfo
End If
Enabling a Global Catalog Server
Enables the global catalog service on a domain controller.
strComputer = "atl-dc-01"
Const NTDSDSA_OPT_IS_GC = 1

Set objRootDSE = GetObject("LDAP://" & strComputer & "/RootDSE")
strDsServiceDN = objRootDSE.Get("dsServiceName")
Set objDsRoot = GetObject("LDAP://" & strComputer & "/" & strDsServiceDN)

' Set the IS_GC bit in the nTDSDSA object's options attribute if it is clear.
intOptions = objDsRoot.Get("options")
If (intOptions And NTDSDSA_OPT_IS_GC) = 0 Then
    objDsRoot.Put "options", intOptions Or NTDSDSA_OPT_IS_GC
    objDsRoot.SetInfo
End If
Enumerating Computer Account Attributes
Demonstration script that retrieves the location and description attributes for a computer account in Active Directory.
On Error Resume Next

Set objComputer = GetObject _
    ("LDAP://CN=atl-dc-01,CN=Computers,DC=fabrikam,DC=com")

' Get raises an error when the attribute is not set, so objProperty is
' reset to Null before each call; a failed Get then leaves it Null.
objProperty = Null
objProperty = objComputer.Get("Location")
If IsNull(objProperty) Then
    Wscript.Echo "The location has not been set for this computer."
Else
    Wscript.Echo "Location: " & objProperty
End If

objProperty = Null
objProperty = objComputer.Get("Description")
If IsNull(objProperty) Then
    Wscript.Echo "The description has not been set for this computer."
Else
    Wscript.Echo "Description: " & objProperty
End If
Enumerating Computer Accounts in Active Directory
Returns the name and location for all the computer accounts in Active Directory.
Const ADS_SCOPE_SUBTREE = 2

Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection

objCommand.CommandText = _
    "Select Name, Location from 'LDAP://DC=fabrikam,DC=com' " _
        & "where objectClass='computer'"
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Timeout") = 30
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
objCommand.Properties("Cache Results") = False

Set objRecordSet = objCommand.Execute
objRecordSet.MoveFirst
Do Until objRecordSet.EOF
    Wscript.Echo "Computer Name: " & objRecordSet.Fields("Name").Value
    Wscript.Echo "Location: " & objRecordSet.Fields("Location").Value
    objRecordSet.MoveNext
Loop
Identifying Computer Roles
Returns the basic role (domain controller, member server, workstation, etc.) for a computer.
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colComputers = objWMIService.ExecQuery _
    ("Select DomainRole from Win32_ComputerSystem")

For Each objComputer in colComputers
    Select Case objComputer.DomainRole
        Case 0
            strComputerRole = "Standalone Workstation"
        Case 1
            strComputerRole = "Member Workstation"
        Case 2
            strComputerRole = "Standalone Server"
        Case 3
            strComputerRole = "Member Server"
        Case 4
            strComputerRole = "Backup Domain Controller"
        Case 5
            strComputerRole = "Primary Domain Controller"
    End Select
    Wscript.Echo strComputerRole
Next
Identifying Computer Roles Using Services
Indicates whether SQL Server is running on a computer.
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colServices = objWMIService.ExecQuery _
    ("Select * from Win32_Service Where Name = 'MSSQLServer'")

If colServices.Count > 0 Then
    For Each objService in colServices
        Wscript.Echo "SQL Server is " & objService.State & "."
    Next
Else
    Wscript.Echo "SQL Server is not installed on this computer."
End If
Identifying a Global Catalog Server
Indicates whether or not a specified domain controller is a global catalog server.
strComputer = "atl-dc-01"
Const NTDSDSA_OPT_IS_GC = 1

Set objRootDSE = GetObject("LDAP://" & strComputer & "/rootDSE")
strDsServiceDN = objRootDSE.Get("dsServiceName")
Set objDsRoot = GetObject("LDAP://" & strComputer & "/" & strDsServiceDN)

intOptions = objDsRoot.Get("options")
If intOptions And NTDSDSA_OPT_IS_GC Then
    WScript.Echo strComputer & " is a global catalog server."
Else
    Wscript.Echo strComputer & " is not a global catalog server."
End If
Joining Computer to a Domain
Joins a computer to a domain and creates the computer's account in Active Directory.
' JoinDomainOrWorkGroup option flags
Const JOIN_DOMAIN = 1
Const ACCT_CREATE = 2
Const ACCT_DELETE = 4
Const WIN9X_UPGRADE = 16
Const DOMAIN_JOIN_IF_JOINED = 32
Const JOIN_UNSECURE = 64
Const MACHINE_PASSWORD_PASSED = 128
Const DEFERRED_SPN_SET = 256
Const INSTALL_INVOCATION = 262144

' Note: this sample stores the join credentials in clear text in the script.
strDomain = "FABRIKAM"
strPassword = "ls4k5ywA"
strUser = "shenalan"

Set objNetwork = CreateObject("WScript.Network")
strComputer = objNetwork.ComputerName

Set objComputer = GetObject("winmgmts:{impersonationLevel=Impersonate}!\\" & _
    strComputer & "\root\cimv2:Win32_ComputerSystem.Name='" & _
    strComputer & "'")

' Arguments: domain, password, user name, account OU (Null = default), options
ReturnValue = objComputer.JoinDomainOrWorkGroup(strDomain, _
    strPassword, _
    strDomain & "\" & strUser, _
    NULL, _
    JOIN_DOMAIN + ACCT_CREATE)
Moving a Computer Account
Moves a computer account from the Computers container in Active Directory to an OU.
Set objNewOU = GetObject("LDAP://OU=Finance,DC=fabrikam,DC=com")
Set objMoveComputer = objNewOU.MoveHere _
    ("LDAP://CN=atl-pro-03,CN=Computers,DC=fabrikam,DC=com", "CN=atl-pro-03")
Renaming a Computer Account
Renames an Active Directory computer account.
' Renaming is a MoveHere into the object's current container with a new
' relative distinguished name.
Set objNewOU = GetObject("LDAP://OU=Finance,DC=fabrikam,DC=com")
Set objMoveComputer = objNewOU.MoveHere _
    ("LDAP://CN=atl-pro-037,OU=Finance,DC=fabrikam,DC=com", _
    "CN=atl-pro-003")
Renaming a Computer and Computer Account
Renames a computer and its corresponding Active Directory computer account. Requires Windows XP or Windows .NET Server, and must be run on the local computer.
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colComputers = objWMIService.ExecQuery _
    ("Select * from Win32_ComputerSystem")

' Rename returns 0 on success; the result is kept in a plain variable rather
' than in Err, which is VBScript's built-in error object.
For Each objComputer in colComputers
    intReturn = objComputer.Rename("WebServer")
    Wscript.Echo intReturn
Next
Searching for Computer Accounts
Returns the name and location for all the computer accounts in Active Directory that are running Windows .NET Server.
Const ADS_SCOPE_SUBTREE = 2

Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection

objCommand.CommandText = _
    "Select Name, Location, operatingSystemVersion from 'LDAP://DC=fabrikam,DC=com'" _
        & " where objectClass='computer' and operatingSystemVersion = '5.1 (3600)'"
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Timeout") = 30
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
objCommand.Properties("Cache Results") = False

Set objRecordSet = objCommand.Execute
objRecordSet.MoveFirst
Do Until objRecordSet.EOF
    Wscript.Echo "Computer Name: " & objRecordSet.Fields("Name").Value
    Wscript.Echo "Location: " & objRecordSet.Fields("Location").Value
    objRecordSet.MoveNext
Loop