Creating new users in ACTIVE DIRECTORY by VBScript
- igore
I can create users, but I have a problem setting their properties.
I want to create a user with these properties:
USER CAN'T CHANGE PASSWORD
PASSWORD NEVER EXPIRES
I use this script. It creates the user, but the USER CAN'T CHANGE PASSWORD attribute does not get set:
' userAccountControl bit flags (the ADSI ADS_USER_FLAG_ENUM values).
' CreateUser below only uses ADS_UF_ACCOUNTDISABLE, ADS_UF_PASSWD_CANT_CHANGE
' and ADS_UF_DONT_EXPIRE_PASSWD; the others are declared for completeness.
Const ADS_UF_SCRIPT = &H1
Const ADS_UF_ACCOUNTDISABLE = &H2
Const ADS_UF_HOMEDIR_REQUIRED = &H8
Const ADS_UF_LOCKOUT = &H10
Const ADS_UF_PASSWD_NOTREQD = &H20
' Readable in userAccountControl, but Active Directory does not accept it
' being set directly; "user cannot change password" is expressed through
' deny ACEs on the user object's Change Password extended right instead.
Const ADS_UF_PASSWD_CANT_CHANGE = &H40
Const ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED = &H80
Const ADS_UF_TEMP_DUPLICATE_ACCOUNT = &H100
Const ADS_UF_NORMAL_ACCOUNT = &H200
Const ADS_UF_INTERDOMAIN_TRUST_ACCOUNT = &H800
Const ADS_UF_WORKSTATION_TRUST_ACCOUNT = &H1000
Const ADS_UF_SERVER_TRUST_ACCOUNT = &H2000
' Exempts the account from the domain's maximum-password-age policy.
Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000
Const ADS_UF_MNS_LOGON_ACCOUNT = &H20000
Const ADS_UF_SMARTCARD_REQUIRED = &H40000
Const ADS_UF_TRUSTED_FOR_DELEGATION = &H80000
Const ADS_UF_NOT_DELEGATED = &H100000
Const ADS_UF_USE_DES_KEY_ONLY = &H200000
Const ADS_UF_DONT_REQUIRE_PREAUTH = &H400000
Const ADS_UF_PASSWORD_EXPIRED = &H800000
Const ADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION = &H1000000
' Script entry point: create one account (CN "name1", logon name "n1") in the
' OU that CreateUser binds to. NOTE(review): the initial password is a literal
' embedded in the script file; read it from input instead of storing it here.
msgbox "calling the sub"
call CreateUser("name1","n1","123456")
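' Create a user account in the "tcb" OU of the current domain, set its initial
' password, enable the account and mark the password as never expiring.
'
'   strName            - CN (relative DN) of the new user object.
'   strSAMAccountName  - pre-Windows 2000 logon name.
'   strInitialPassword - password applied after the object is committed.
'
' Every step is checked with On Error Resume Next; the first failure is
' reported with a msgbox and the Sub exits. Nothing already committed is
' rolled back, so a failure after the first SetInfo leaves the new (still
' disabled) object on the server.
'
' "User cannot change password" is deliberately NOT set here: the
' ADS_UF_PASSWD_CANT_CHANGE bit cannot be written into userAccountControl on
' Active Directory. That setting is expressed as deny ACEs on the user's
' Change Password extended right, which is a separate step after creation.
Public Sub CreateUser(strName, strSAMAccountName, strInitialPassword)
    Dim objRootDSE
    Dim objUsers
    Dim objNewUser
    Dim sOU1
    Dim sRoot
    Dim userActCtrl
    On Error Resume Next
    ' Bind to rootDSE to discover the domain naming context.
    Set objRootDSE = GetObject("LDAP://rootDSE")
    If (Err.Number <> 0) Then
        msgbox "error of Bind to the rootDSE object: "&Err.Number
        Exit Sub
    End If
    sRoot = objRootDSE.Get("defaultNamingContext")
    ' Bind to the target OU in the domain.
    sOU1 = "tcb"
    Set objUsers = GetObject("LDAP://OU=" & sOU1 & "," & sRoot)
    If (Err.Number <> 0) Then
        msgbox "LDAP://OU=" & sOU1 & "," & sRoot
        msgbox "error of Bind to the Users folder in the domain.: "&Err.Number
        Exit Sub
    End If
    ' Create the user object in the local cache; nothing reaches the server
    ' until SetInfo.
    Set objNewUser = objUsers.Create("user", "CN=" & strName)
    If (Err.Number <> 0) Then
        msgbox "error of Create the user object..: "&Err.Number
        Exit Sub
    End If
    ' Set the sAMAccountName property.
    objNewUser.Put "sAMAccountName", strSAMAccountName
    If (Err.Number <> 0) Then
        msgbox "error of Set the sAMAccountName property.: "&Err.Number
        Exit Sub
    End If
    ' Commit the new user.
    objNewUser.SetInfo
    If (Err.Number <> 0) Then
        msgbox "error of Commit the new user: "&Err.Number
        Exit Sub
    End If
    ' Set the initial password. This must be performed after SetInfo is
    ' called because the user object must already exist on the server.
    objNewUser.SetPassword strInitialPassword
    If (Err.Number <> 0) Then
        msgbox "error of Set the initial password: "&Err.Number
        Exit Sub
    End If
    ' Optional: setting pwdLastSet to zero forces the user to change the
    ' password at next log on. Left disabled here.
    'objNewUser.Put "pwdLastSet", 0
    'If (Err.Number <> 0) Then
    '    msgbox "error of Set pwdLastSet: "&Err.Number
    '    Exit Sub
    'End If
    ' Enable the account by clearing ADS_UF_ACCOUNTDISABLE from
    ' userAccountControl, and set ADS_UF_DONT_EXPIRE_PASSWD so the password
    ' is exempt from the domain maximum-password-age policy.
    ' VBScript evaluates Not before And before Or, so the masks are
    ' parenthesised explicitly. The previous expression
    '   x And A Or B Or Not (C)
    ' OR-ed in Not(&H2) = &HFFFFFFFD, i.e. every bit except the disable bit,
    ' which the directory rejects at the final SetInfo; that failure was not
    ' checked, so the script appeared to succeed while the flags never
    ' changed.
    userActCtrl = objNewUser.Get("userAccountControl")
    userActCtrl = (userActCtrl And (Not ADS_UF_ACCOUNTDISABLE)) Or ADS_UF_DONT_EXPIRE_PASSWD
    ' Put only updates the local cache; a value the server refuses surfaces
    ' at SetInfo below, so that call is checked too.
    objNewUser.Put "userAccountControl", userActCtrl
    If (Err.Number <> 0) Then
        msgbox "error of Set userAccountControl: "&Err.Number
        Exit Sub
    End If
    ' Commit the updated properties.
    objNewUser.SetInfo
    If (Err.Number <> 0) Then
        msgbox "error of Commit the updated properties: "&Err.Number
        Exit Sub
    End If
End Sub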
July 5th, 2005, 2:15 am
- grinch2171
I got this from TechNet for setting non-expiring passwords. I'm not much of a scripter, so it is up to you to figure out where to put it.
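Const ADS_UF_DONT_EXPIRE_PASSWD = &h10000

' Sample target from the TechNet article; replace with the DN of the account
' to change, or call the Sub once per account when processing a list.
SetPasswordNeverExpires "LDAP://cn=myerken,ou=management,dc=fabrikam,dc=com"

' Set the "password never expires" flag on one user account.
'   strUserPath - ADsPath (LDAP://<DN>) of the user object.
' Echoes whether the flag was already present or has just been set.
' The flag exempts the account from the domain maximum-password-age policy.
Sub SetPasswordNeverExpires(strUserPath)
    Dim objUser, intUAC
    Set objUser = GetObject(strUserPath)
    intUAC = objUser.Get("userAccountControl")
    If (intUAC And ADS_UF_DONT_EXPIRE_PASSWD) <> 0 Then
        Wscript.Echo "Already enabled"
    Else
        ' Or sets the bit and leaves the rest untouched. The original used
        ' XOR, which only set the bit because this branch is reached when it
        ' is clear; XOR would clear it if the check were ever removed.
        objUser.Put "userAccountControl", intUAC Or ADS_UF_DONT_EXPIRE_PASSWD
        objUser.SetInfo
        WScript.Echo "Password never expires is now enabled"
    End If
End Sub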
And for not changing passwords.
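Const ADS_ACETYPE_ACCESS_DENIED_OBJECT = &H6
Const ADS_ACEFLAG_OBJECT_TYPE_PRESENT = &H1
' rightsGuid of the "User-Change-Password" extended right.
Const CHANGE_PASSWORD_GUID = "{ab721a53-1e2f-11d0-9819-00aa0040529b}"
Const ADS_RIGHT_DS_CONTROL_ACCESS = &H100

Dim objUser, objSD, objDACL, objACE, arrTrustees, strTrustee

' Sample target from the TechNet article; replace with the DN of the account
' to change.
Set objUser = GetObject _
("LDAP://cn=myerken,ou=management,dc=fabrikam,dc=com")
Set objSD = objUser.Get("ntSecurityDescriptor")
Set objDACL = objSD.DiscretionaryAcl

' "User cannot change password" is implemented as object-specific deny ACEs
' on the Change Password extended right for SELF and Everyone; the
' ADS_UF_PASSWD_CANT_CHANGE bit in userAccountControl cannot be set directly.
arrTrustees = array("nt authority\self", "EVERYONE")
For Each strTrustee in arrTrustees
    ' Skip trustees that already carry the deny ACE, so re-running the script
    ' does not append duplicate entries to the DACL.
    If Not HasChangePasswordDeny(objDACL, strTrustee) Then
        Set objACE = CreateObject("AccessControlEntry")
        objACE.Trustee = strTrustee
        objACE.AceFlags = 0
        objACE.AceType = ADS_ACETYPE_ACCESS_DENIED_OBJECT
        objACE.Flags = ADS_ACEFLAG_OBJECT_TYPE_PRESENT
        objACE.ObjectType = CHANGE_PASSWORD_GUID
        objACE.AccessMask = ADS_RIGHT_DS_CONTROL_ACCESS
        ' NOTE(review): AddAce appends to the end of the DACL; confirm the
        ' resulting order is acceptable in this environment (explicit deny
        ' entries are conventionally ordered before allow entries).
        objDACL.AddAce objACE
    End If
Next
objSD.DiscretionaryAcl = objDACL
objUser.Put "nTSecurityDescriptor", objSD
' Written as "objUser. SetInfo" in the original; the stray space is removed.
objUser.SetInfo

' Return True when objDACL already holds an object-specific deny ACE for
' strTrustee on the Change Password right. Comparisons are case-insensitive
' because the trustee and GUID strings read back from the directory may
' differ in case from the literals above.
Function HasChangePasswordDeny(objDACL, strTrustee)
    Dim objExisting
    HasChangePasswordDeny = False
    For Each objExisting In objDACL
        If objExisting.AceType = ADS_ACETYPE_ACCESS_DENIED_OBJECT Then
            If StrComp(objExisting.ObjectType, CHANGE_PASSWORD_GUID, vbTextCompare) = 0 Then
                If StrComp(objExisting.Trustee, strTrustee, vbTextCompare) = 0 Then
                    HasChangePasswordDeny = True
                    Exit Function
                End If
            End If
        End If
    Next
End Function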
"Be polite, be professional, but have a plan to kill everybody you meet." Maj. Gen. James Mattis
- igore
grinch2171 wrote:
I got this from TechNet for setting non-expiring passwords. I'm not much of a scripter, so it is up to you to figure out where to put it.
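Const ADS_UF_DONT_EXPIRE_PASSWD = &h10000

' Sample target from the TechNet article; replace with the DN of the account
' to change, or call the Sub once per account when processing a list.
SetPasswordNeverExpires "LDAP://cn=myerken,ou=management,dc=fabrikam,dc=com"

' Set the "password never expires" flag on one user account.
'   strUserPath - ADsPath (LDAP://<DN>) of the user object.
' Echoes whether the flag was already present or has just been set.
' The flag exempts the account from the domain maximum-password-age policy.
Sub SetPasswordNeverExpires(strUserPath)
    Dim objUser, intUAC
    Set objUser = GetObject(strUserPath)
    intUAC = objUser.Get("userAccountControl")
    If (intUAC And ADS_UF_DONT_EXPIRE_PASSWD) <> 0 Then
        Wscript.Echo "Already enabled"
    Else
        ' Or sets the bit and leaves the rest untouched. The original used
        ' XOR, which only set the bit because this branch is reached when it
        ' is clear; XOR would clear it if the check were ever removed.
        objUser.Put "userAccountControl", intUAC Or ADS_UF_DONT_EXPIRE_PASSWD
        objUser.SetInfo
        WScript.Echo "Password never expires is now enabled"
    End If
End Sub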
And for not changing passwords.
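Const ADS_ACETYPE_ACCESS_DENIED_OBJECT = &H6
Const ADS_ACEFLAG_OBJECT_TYPE_PRESENT = &H1
' rightsGuid of the "User-Change-Password" extended right.
Const CHANGE_PASSWORD_GUID = "{ab721a53-1e2f-11d0-9819-00aa0040529b}"
Const ADS_RIGHT_DS_CONTROL_ACCESS = &H100

Dim objUser, objSD, objDACL, objACE, arrTrustees, strTrustee

' Sample target from the TechNet article; replace with the DN of the account
' to change.
Set objUser = GetObject _
("LDAP://cn=myerken,ou=management,dc=fabrikam,dc=com")
Set objSD = objUser.Get("ntSecurityDescriptor")
Set objDACL = objSD.DiscretionaryAcl

' "User cannot change password" is implemented as object-specific deny ACEs
' on the Change Password extended right for SELF and Everyone; the
' ADS_UF_PASSWD_CANT_CHANGE bit in userAccountControl cannot be set directly.
arrTrustees = array("nt authority\self", "EVERYONE")
For Each strTrustee in arrTrustees
    ' Skip trustees that already carry the deny ACE, so re-running the script
    ' does not append duplicate entries to the DACL.
    If Not HasChangePasswordDeny(objDACL, strTrustee) Then
        Set objACE = CreateObject("AccessControlEntry")
        objACE.Trustee = strTrustee
        objACE.AceFlags = 0
        objACE.AceType = ADS_ACETYPE_ACCESS_DENIED_OBJECT
        objACE.Flags = ADS_ACEFLAG_OBJECT_TYPE_PRESENT
        objACE.ObjectType = CHANGE_PASSWORD_GUID
        objACE.AccessMask = ADS_RIGHT_DS_CONTROL_ACCESS
        ' NOTE(review): AddAce appends to the end of the DACL; confirm the
        ' resulting order is acceptable in this environment (explicit deny
        ' entries are conventionally ordered before allow entries).
        objDACL.AddAce objACE
    End If
Next
objSD.DiscretionaryAcl = objDACL
objUser.Put "nTSecurityDescriptor", objSD
' Written as "objUser. SetInfo" in the original; the stray space is removed.
objUser.SetInfo

' Return True when objDACL already holds an object-specific deny ACE for
' strTrustee on the Change Password right. Comparisons are case-insensitive
' because the trustee and GUID strings read back from the directory may
' differ in case from the literals above.
Function HasChangePasswordDeny(objDACL, strTrustee)
    Dim objExisting
    HasChangePasswordDeny = False
    For Each objExisting In objDACL
        If objExisting.AceType = ADS_ACETYPE_ACCESS_DENIED_OBJECT Then
            If StrComp(objExisting.ObjectType, CHANGE_PASSWORD_GUID, vbTextCompare) = 0 Then
                If StrComp(objExisting.Trustee, strTrustee, vbTextCompare) = 0 Then
                    HasChangePasswordDeny = True
                    Exit Function
                End If
            End If
        End If
    Next
End Function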
Thank you! It really works.
Operating system: Windows 2000 Server.
- pelele
How could we do this same process in batch, importing users from a CSV file?
In other words, take all the users from a CSV file and run this code for each user so that their passwords never expire.
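Const ADS_UF_DONT_EXPIRE_PASSWD = &h10000

' Sample target from the TechNet article; replace with the DN of the account
' to change, or call the Sub once per account when processing a list.
SetPasswordNeverExpires "LDAP://cn=myerken,ou=management,dc=fabrikam,dc=com"

' Set the "password never expires" flag on one user account.
'   strUserPath - ADsPath (LDAP://<DN>) of the user object.
' Echoes whether the flag was already present or has just been set.
' The flag exempts the account from the domain maximum-password-age policy.
Sub SetPasswordNeverExpires(strUserPath)
    Dim objUser, intUAC
    Set objUser = GetObject(strUserPath)
    intUAC = objUser.Get("userAccountControl")
    If (intUAC And ADS_UF_DONT_EXPIRE_PASSWD) <> 0 Then
        Wscript.Echo "Already enabled"
    Else
        ' Or sets the bit and leaves the rest untouched. The original used
        ' XOR, which only set the bit because this branch is reached when it
        ' is clear; XOR would clear it if the check were ever removed.
        objUser.Put "userAccountControl", intUAC Or ADS_UF_DONT_EXPIRE_PASSWD
        objUser.SetInfo
        WScript.Echo "Password never expires is now enabled"
    End If
End Sub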