Learning ADSI - Part I: Adding Users To W2K

答案：Learning ADSI - Part I: Adding Users To W2K
By Remie Bolte 

print this article 

email this article to a colleague 


Introduction

As the desire and need for the Internet grew, Microsoft created new products and modified its old ones. Windows OS required features that gave developers and administrators the option to perform tasks remotely. Microsoft responded in part with Active Directory Services Inte易做图ce (ADSI). ADSI provides a single set of directory inte易做图ces for accessing and managing network resources. So for instance, an administrator could change user permissions or add a user to a network, independent of network environment, using a Web inte易做图ce or a VB program. 

 
Caveat

Please keep in mind that you are going to modify the basics of the Windows NT security model. You should be very alert when dealing with ADSI. Keep in mind that a 易做图 mistype could mean reformatting and reinstalling your system. Don't do it on a operational machine! Please know that I have tried to make the following code as accurate as possible. Yet I can't guarantee their outcome. So please don't just copy and paste. I know it is very attractive, but it could cause you to spend the next couple of hours looking at a very appealing Windows installation screen. 

 
Windows Security Account Manager

The Security Account Manager (SAM) is the portion of Windows which registers and holds all user information and knows all the default configuration settings. Our first meeting with SAM entails the process of creating a user. This applies to Windows 2000 as well as Windows NT 4.0. 

NOTE: In order for the following code to work, administrator rights are required. 

 
Adding A User to The SAM


<%

1. AddUser  "newuser","mydomain"
2. 
3.   Sub AddUser(strUser,strDomain)
4.     Dim Computer
5.     Dim User
6.
7.     Set Computer = Getobject("WinNT://" & strDomain)
8.     Set User = computer.create("User",strUser)
9.     User.setinfo
10. End sub

%>


This code can be activated by calling it anywhere in the ASP page (line 1). Also, make sure to spell winnt like the example given in line 7. ADSI is very case sensitive and will refuse to work if you spell it differently. As you can see there are no attributes given; this user is created without a password. Let's do something about that. 

<%

1. AddUser  "newuser","mydomain","New user","adsi","Our best employee"
2. 
3.   Sub AddUser(strUser,strDomain,strFullname,strPassword,strDesc)
4.     Dim Computer
5.     Dim User
6.
7.     Set Computer = Getobject("WinNT://" & strDomain)
8.     Set User = computer.create("User",strUser)
8.     User.fullname = strFullname
9.     User.Description = strDesc
10.   call User.SetPassword(strPassword)
11.   User.setinfo
12. End sub
%>


As you can see, I added more than just a password. I also added the fullname and the description. These aren't really important if you have a system with 5 users, but large corporations usually have a policy about that. Please be advised that the above code is for adding a new user. I will cover modifying an existing user in a future article. The problem about ADSI is that you can't guess the code. It's not as easy as only punching up user.[attribute_name]. 
Next stop is the userflags. These control options such as "Password Never Expires" and "Account Disabled". 


<%

1.  UserFlags "newuser","mydomain",0,False,True,True,True
2. 
3.   Sub UserFlags(strUser,strDomain,strPas易做图pires,strNochange,strNoexpire, & _        
                               strDisable,strLocked)
4.      Dim User
5.      Dim Flags
6.
7.      Set User = Getobject("WinNT://" & strDomain & "/" & strUser & ",user")
8.      Flags = User.Get("UserFlags")
9.
10.    User.put "PasswordExpired",strPas易做图pires
11.    User.Accountdisabled = strDisable
12.    if strNochange = "true" then 
13.      User.put "UserFlags", Flags OR &H00040
14.    End if
15.    If strNoexpire = "true" then
16.      User.put "Userflags", flags OR &H10000
17.    end if
18.    User.IsAccountLocked = strLocked
19.  End sub

%>


In the example above I gave my new user some restrictions. The outcome of this subroutine is that my new user will have a valid password (password isn't expired because it's set on 0. If you change it to 1, the password isn't valid anymore. If the password is expired, the user will be forced to change it at the next login). He will be unable to change his own password; his password will never expire; and his account is disabled and locked. In order to change, this you should modify the subroutine call. 
So now we have a new user with all the default settings. Maybe this is enough for your home situation, but many companies want to set more boundaries for their users. Also, a lot of companies have the personal settings of their users stored on a separate network drive. ADSI allows you to make sure your new users have the same configuration as every other employee. 


<%

1. userconfig "newuser","mydomain","c:\myprofiles\","myscript.cmd","c:\","z:\", & _
                         #mm/dd/yyyy#,"true"
2.
3.    sub userconfig(strUser,strDomain,strProfile,strScript,strHomedir, & _
                               strHomedirdrive,strAccountexpire,strPassrequired)
4.      Dim User
5.      Dim Flags
6.
7.      Set User = Getobject("WinNT://" & strDomain & "/" & strUser & ",user")
8.      
9.      User.Profile = strProfile
10.    User.LoginScript = strScript
11.    User.Homedirectory = strHomedir
12.    User.Put("HomeDirDrive"),strHomedirdrive
13.    User.AccountExpirationDate = strAccountexpire
14.    User.Passwordrequired = strPassrequired
15.
16.  end sub

%>


Now we have all the information we need to make a new user. I'm not going to explain these options because if you don't know them, you don't need to use them. The three subroutines we created

上一个：asp创建用户、目录和站点(转)
下一个：WSH Script to remove un-needed IIS Script-Mappings using ADSI