Creating new users in ACTIVE DIRECTORY by VBScript

  • igore
  • Born
  • Posts: 3

Post 3+ Months Ago

I can create users, but I have a problem setting properties.

I want to create a user with these properties:

USER CAN'T CHANGE PASSWORD
PASSWORD NEVER EXPIRES

I use this script. It creates the user, but the attribute USER CAN'T CHANGE PASSWORD can't be set:

[code]
Const ADS_UF_SCRIPT = &H1
Const ADS_UF_ACCOUNTDISABLE = &H2
Const ADS_UF_HOMEDIR_REQUIRED = &H8
Const ADS_UF_LOCKOUT = &H10
Const ADS_UF_PASSWD_NOTREQD = &H20
Const ADS_UF_PASSWD_CANT_CHANGE = &H40
Const ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED = &H80
Const ADS_UF_TEMP_DUPLICATE_ACCOUNT = &H100
Const ADS_UF_NORMAL_ACCOUNT = &H200
Const ADS_UF_INTERDOMAIN_TRUST_ACCOUNT = &H800
Const ADS_UF_WORKSTATION_TRUST_ACCOUNT = &H1000
Const ADS_UF_SERVER_TRUST_ACCOUNT = &H2000
Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000
Const ADS_UF_MNS_LOGON_ACCOUNT = &H20000
Const ADS_UF_SMARTCARD_REQUIRED = &H40000
Const ADS_UF_TRUSTED_FOR_DELEGATION = &H80000
Const ADS_UF_NOT_DELEGATED = &H100000
Const ADS_UF_USE_DES_KEY_ONLY = &H200000
Const ADS_UF_DONT_REQUIRE_PREAUTH = &H400000
Const ADS_UF_PASSWORD_EXPIRED = &H800000
Const ADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION = &H1000000



msgbox "calling the sub"
call CreateUser("name1","n1","123456")


Public Sub CreateUser(strName, strSAMAccountName, strInitialPassword)
Dim objRootDSE
Dim objUsers
Dim objNewUser
Dim sOU1
Dim sRoot

On Error Resume Next

' Bind to the rootDSE object.
Set objRootDSE = GetObject("LDAP://rootDSE")
If (Err.Number <> 0) Then
msgbox "error of Bind to the rootDSE object: "&Err.Number
Exit Sub
End If


sRoot = objRootDSE.Get("defaultNamingContext")

' Bind to the Users folder in the domain.
'Set objUsers = GetObject("LDAP://CN=tcb," & objRootDSE.Get("defaultNamingContext"))
sOU1 = "tcb"
Set objUsers = GetObject("LDAP://OU=" & sOU1 & "," & sRoot)

If (Err.Number <> 0) Then
msgbox "LDAP://OU=" & sOU1 & "," & sRoot
msgbox "error of Bind to the Users folder in the domain.: "&Err.Number
Exit Sub
End If

' Create the user object.
Set objNewUser = objUsers.Create("user", "CN=" + strName)
If (Err.Number <> 0) Then
msgbox "error of Create the user object..: "&Err.Number
Exit Sub
End If

' Set the sAMAccountName property.
objNewUser.Put "sAMAccountName", strSAMAccountName
If (Err.Number <> 0) Then
msgbox "error of Set the sAMAccountName property.: "&Err.Number
Exit Sub
End If


' Commit the new user.
objNewUser.SetInfo
If (Err.Number <> 0) Then
msgbox "error of Commit the new user: "&Err.Number
Exit Sub
End If

' Set the initial password. This must be performed after
' SetInfo is called because the user object must
' already exist on the server.
objNewUser.SetPassword strInitialPassword
If (Err.Number <> 0) Then
msgbox "error of Set the initial password: "&Err.Number
Exit Sub
End If

' Set the pwdLastSet property to zero, which forces the
' user to change their password at next log on.
'objNewUser.Put "pwdLastSet", 0
'If (Err.Number <> 0) Then
' msgbox "error of Set the initial password: "&Err.Number
' Exit Sub
'End If

' To enable the user account, remove the
' ADS_UF_ACCOUNTDISABLE flag from the userAccountControl
' property. Also, remove the ADS_UF_PASSWD_NOTREQD and
' ADS_UF_DONT_EXPIRE_PASSWD flags from the
' userAccountControl property.
userActCtrl = objNewUser.Get("userAccountControl")
userActCtrl = userActCtrl And ADS_UF_DONT_EXPIRE_PASSWD Or ADS_UF_PASSWD_CANT_CHANGE Or Not (ADS_UF_ACCOUNTDISABLE)
objNewUser.Put "userAccountControl", userActCtrl
If (Err.Number <> 0) Then
Exit Sub
End If

' Commit the updated properties.
objNewUser.SetInfo
End Sub
[/code]
  • grinch2171
  • Moderator
  • Genius
  • Posts: 6810
  • Loc: Martinsburg, WV

Post 3+ Months Ago

I got this from technet for setting non-expiring passwords. I'm not much of a scripter so it is up to you to figure out where to put it.
Code: [ Select ]
Const ADS_UF_DONT_EXPIRE_PASSWD = &h10000

Set objUser = GetObject _
  ("LDAP://cn=myerken,ou=management,dc=fabrikam,dc=com")
intUAC = objUser.Get("userAccountControl")

If ADS_UF_DONT_EXPIRE_PASSWD AND intUAC Then
  Wscript.Echo "Already enabled"
Else
  objUser.Put "userAccountControl", intUAC XOR _
    ADS_UF_DONT_EXPIRE_PASSWD
  objUser.SetInfo
  WScript.Echo "Password never expires is now enabled"
End If

And for not changing passwords.
Code: [ Select ]
Const ADS_ACETYPE_ACCESS_DENIED_OBJECT = &H6
Const ADS_ACEFLAG_OBJECT_TYPE_PRESENT = &H1
Const CHANGE_PASSWORD_GUID = "{ab721a53-1e2f-11d0-9819-00aa0040529b}"
Const ADS_RIGHT_DS_CONTROL_ACCESS = &H100

Set objUser = GetObject _
  ("LDAP://cn=myerken,ou=management,dc=fabrikam,dc=com")
Set objSD = objUser.Get("ntSecurityDescriptor")
Set objDACL = objSD.DiscretionaryAcl
arrTrustees = array("nt authority\self", "EVERYONE")

For Each strTrustee in arrTrustees
  Set objACE = CreateObject("AccessControlEntry")
  objACE.Trustee = strTrustee
  objACE.AceFlags = 0
  objACE.AceType = ADS_ACETYPE_ACCESS_DENIED_OBJECT
  objACE.Flags = ADS_ACEFLAG_OBJECT_TYPE_PRESENT
  objACE.ObjectType = CHANGE_PASSWORD_GUID
  objACE.AccessMask = ADS_RIGHT_DS_CONTROL_ACCESS
  objDACL.AddAce objACE
Next

objSD.DiscretionaryAcl = objDACL
objUser.Put "nTSecurityDescriptor", objSD
objUser.SetInfo
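
Added example, not part of either post above: it works through the `userAccountControl` line from the first post to show what value it produces, next to the usual set/clear pattern. The starting value and the helper names `SetFlags` and `ClearFlags` are assumptions made for illustration; the script does not touch Active Directory.

```vbscript
Option Explicit

Const ADS_UF_ACCOUNTDISABLE     = &H2
Const ADS_UF_PASSWD_NOTREQD     = &H20
Const ADS_UF_PASSWD_CANT_CHANGE = &H40
Const ADS_UF_NORMAL_ACCOUNT     = &H200
Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000

' Constructed sample value (assumption): normal account, disabled,
' password not required, as on a user object that has no password yet.
Dim uacNew
uacNew = ADS_UF_NORMAL_ACCOUNT Or ADS_UF_ACCOUNTDISABLE Or ADS_UF_PASSWD_NOTREQD

' The expression from the first post. VBScript applies Not, then And, then Or,
' so it is read as (uac And &H10000) Or &H40 Or (Not &H2). Not &H2 is -3
' (every bit set except ACCOUNTDISABLE); neither of the other two operands
' carries bit &H2, so the result is always -3, whatever uac was.
Dim uacAsPosted
uacAsPosted = uacNew And ADS_UF_DONT_EXPIRE_PASSWD Or _
              ADS_UF_PASSWD_CANT_CHANGE Or Not (ADS_UF_ACCOUNTDISABLE)

' Set bits with Or; clear bits with And Not.
Function SetFlags(uac, flags)
    SetFlags = uac Or flags
End Function

Function ClearFlags(uac, flags)
    ClearFlags = uac And Not flags
End Function

' ADS_UF_PASSWD_CANT_CHANGE is deliberately not set here: it cannot be assigned
' through userAccountControl, which is why the reply above adds deny ACEs instead.
Dim uacFixed
uacFixed = SetFlags(uacNew, ADS_UF_DONT_EXPIRE_PASSWD)
uacFixed = ClearFlags(uacFixed, ADS_UF_ACCOUNTDISABLE Or ADS_UF_PASSWD_NOTREQD)

WScript.Echo "new object: &H" & Hex(uacNew)
WScript.Echo "as posted : &H" & Hex(uacAsPosted) & " = " & uacAsPosted
WScript.Echo "corrected : &H" & Hex(uacFixed)
```
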
  • bigcheeez
  • Graduate
  • Posts: 243

Post 3+ Months Ago

What server OS are you using?
  • igore
  • Born
  • Posts: 3

Post 3+ Months Ago

grinch2171 wrote:
I got this from technet for setting non-expiring passwords. I'm not much of a scripter so it is up to you to figure out where to put it.
Code: [ Select ]
Const ADS_UF_DONT_EXPIRE_PASSWD = &h10000

Set objUser = GetObject _
  ("LDAP://cn=myerken,ou=management,dc=fabrikam,dc=com")
intUAC = objUser.Get("userAccountControl")

If ADS_UF_DONT_EXPIRE_PASSWD AND intUAC Then
  Wscript.Echo "Already enabled"
Else
  objUser.Put "userAccountControl", intUAC XOR _
    ADS_UF_DONT_EXPIRE_PASSWD
  objUser.SetInfo
  WScript.Echo "Password never expires is now enabled"
End If

And for not changing passwords.
Code: [ Select ]
Const ADS_ACETYPE_ACCESS_DENIED_OBJECT = &H6
Const ADS_ACEFLAG_OBJECT_TYPE_PRESENT = &H1
Const CHANGE_PASSWORD_GUID = "{ab721a53-1e2f-11d0-9819-00aa0040529b}"
Const ADS_RIGHT_DS_CONTROL_ACCESS = &H100

Set objUser = GetObject _
  ("LDAP://cn=myerken,ou=management,dc=fabrikam,dc=com")
Set objSD = objUser.Get("ntSecurityDescriptor")
Set objDACL = objSD.DiscretionaryAcl
arrTrustees = array("nt authority\self", "EVERYONE")

For Each strTrustee in arrTrustees
  Set objACE = CreateObject("AccessControlEntry")
  objACE.Trustee = strTrustee
  objACE.AceFlags = 0
  objACE.AceType = ADS_ACETYPE_ACCESS_DENIED_OBJECT
  objACE.Flags = ADS_ACEFLAG_OBJECT_TYPE_PRESENT
  objACE.ObjectType = CHANGE_PASSWORD_GUID
  objACE.AccessMask = ADS_RIGHT_DS_CONTROL_ACCESS
  objDACL.AddAce objACE
Next

objSD.DiscretionaryAcl = objDACL
objUser.Put "nTSecurityDescriptor", objSD
objUser.SetInfo

Thank you! It really works.
Operating system: Windows 2000 Server
  • grinch2171
  • Moderator
  • Genius
  • Posts: 6810
  • Loc: Martinsburg, WV

Post 3+ Months Ago

Glad it helped you out. :D
  • pelele
  • Born
  • Posts: 1

Post 3+ Months Ago

How could we do this same process in batch, importing users from a CSV file?

In other words, take all the users from a CSV file and run this code for each user so that passwords never expire.

Code: [ Select ]
  Const ADS_UF_DONT_EXPIRE_PASSWD = &h10000
  Set objUser = GetObject _
   ("LDAP://cn=myerken,ou=management,dc=fabrikam,dc=com")
  intUAC = objUser.Get("userAccountControl")
  If ADS_UF_DONT_EXPIRE_PASSWD AND intUAC Then
   Wscript.Echo "Already enabled"
  Else
   objUser.Put "userAccountControl", intUAC XOR _
    ADS_UF_DONT_EXPIRE_PASSWD
   objUser.SetInfo
   WScript.Echo "Password never expires is now enabled"
  End If
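
Added example, not part of the original thread: one way to run the snippet above over a CSV file, reporting a status line per account and defaulting to a dry run. The file name `users.csv`, its one-DN-per-line layout, the `DRY_RUN` switch and the function name `SetNeverExpires` are assumptions.

```vbscript
Option Explicit

Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000
Const ForReading = 1
Const CSV_PATH = "users.csv"   ' hypothetical file name
Const DRY_RUN  = True          ' report only; set to False to write changes

' Assumed CSV layout (constructed sample): a header row, then one quoted
' distinguished name per line, for example:
'   DistinguishedName
'   "cn=myerken,ou=management,dc=fabrikam,dc=com"

Dim fso, csv, dn
Set fso = CreateObject("Scripting.FileSystemObject")
Set csv = fso.OpenTextFile(CSV_PATH, ForReading)
If Not csv.AtEndOfStream Then csv.SkipLine          ' skip the header row
Do Until csv.AtEndOfStream
    dn = Trim(Replace(csv.ReadLine, """", ""))      ' strip the quotes
    If Len(dn) > 0 Then WScript.Echo SetNeverExpires(dn) & vbTab & dn
Loop
csv.Close

' Returns a status string so every account leaves one line in the output.
Function SetNeverExpires(dn)
    Dim objUser, intUAC
    On Error Resume Next
    Set objUser = GetObject("LDAP://" & dn)
    If Err.Number = 0 Then intUAC = objUser.Get("userAccountControl")
    If Err.Number <> 0 Then
        SetNeverExpires = "FAILED &H" & Hex(Err.Number)
        Exit Function
    End If
    If (intUAC And ADS_UF_DONT_EXPIRE_PASSWD) <> 0 Then
        SetNeverExpires = "ALREADY SET"
    ElseIf DRY_RUN Then
        SetNeverExpires = "WOULD SET"
    Else
        ' Or sets the bit and leaves every other flag untouched.
        objUser.Put "userAccountControl", intUAC Or ADS_UF_DONT_EXPIRE_PASSWD
        objUser.SetInfo
        If Err.Number = 0 Then
            SetNeverExpires = "SET"
        Else
            SetNeverExpires = "FAILED &H" & Hex(Err.Number)
        End If
    End If
End Function
```

Run it with `cscript` so the status lines go to the console and can be redirected to a file for the change record.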

Post Information

  • Total Posts in this topic: 6 posts

© 1998-2014. Ozzu® is a registered trademark of Unmelted, LLC.