Learning ADSI - Part 2: Editing Users and Administering Groups

Original post, 2005-05-23 16:44:00
Introduction

When I started ASP, I tried reading a couple of phone directory-sized $50 books. Each of them was filled with samples that didn't make sense to me. I then found a Web site with simple ASP code samples, which I used to create some ASP pages. Today, when I look back at those pages, I'm truly embarrassed. When I revisit those books, everything finally makes sense. But with ADSI, making sense simply means learning the syntax. How do you know the right syntax? Read this article, which covers how to edit an existing user and administer groups.

Caveat

Please keep in mind that you are going to modify the basics of the Windows NT security model. You should be very alert when dealing with ADSI. Keep in mind that a simple mistype could mean reformatting and reinstalling your system. Don't do it on an operational machine! Please know that I have tried to make the following code as accurate as possible. Yet I can't guarantee its outcome. So please don't just copy and paste. I know it is very attractive, but it could cause you to spend the next couple of hours looking at a very appealing Windows installation screen.

EXTRA NOTE:
For those who read my first article, please heed the following. In that article I forgot one of the most important aspects of programming. The code I provided could cause a memory leak since I forgot to clean up the objects I used. So please add this to the code in order to prevent this (the first article has been updated with this change).



Editing an Existing User

As I explained in my first article, every action performed here goes directly through the Windows SAM. In response to my first article, there were some questions on how to change the logon hours or the terminal server home path. Sorry, but I have to disappoint you. This, as well as some other vital functions, can't be changed by ADSI. Then again, ADSI does do a lot. In the upcoming articles we are going to dive into the IIS metabase. But before we do that, let's start with editing a user.

Renaming Users


There isn't much to explain. The computer just grabs all the information about a user (the user.ADsPath) and projects that to the new user, deleting the old. 

Changing User-Properties


In the above code we changed some basic elements of a user account. It isn't that different from adding a user. The only difference is the way a password is changed. For security reasons you can only change a password by providing the old password. The outcome of this subroutine is very simple. The user "MyUser" now has "MyFullname", "MyDescription", and "MyNewpass" as a full name, description and password. The next part is a bit harder since we are going into hex/decimal codes with the user flags. Again the code looks a lot like the code I used in my first article, but with one difference. Because we are now changing the user settings we use XOR instead of OR when dealing with user flags.
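The difference between OR and XOR on the UserFlags value, as an added example that is not code from the original article: OR always turns a flag on, XOR flips it, so running an XOR-based script twice restores the old state, while AND NOT clears a flag no matter how often it runs. The helper names, the `EnableAccount` routine and the sample value are assumptions made for illustration; the `ADS_UF_*` constants are the documented ADSI user flag values. Run it with cscript.

```vbscript
Option Explicit

' ADS_USER_FLAG_ENUM values used with the WinNT provider's UserFlags property.
Const ADS_UF_ACCOUNTDISABLE     = &H0002
Const ADS_UF_PASSWD_CANT_CHANGE = &H0040
Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000

' Or turns the bit on regardless of its current state.
Function SetFlag(lngFlags, lngBit)
    SetFlag = lngFlags Or lngBit
End Function

' And Not turns the bit off regardless of its current state.
Function ClearFlag(lngFlags, lngBit)
    ClearFlag = lngFlags And Not lngBit
End Function

' Xor flips the bit: on becomes off, off becomes on.
Function ToggleFlag(lngFlags, lngBit)
    ToggleFlag = lngFlags Xor lngBit
End Function

Function HasFlag(lngFlags, lngBit)
    HasFlag = ((lngFlags And lngBit) = lngBit)
End Function

' Hypothetical routine: enable an account only if it is currently disabled,
' so that running the script a second time changes nothing.
Sub EnableAccount(strComputer, strUser)
    Dim objUser, lngFlags
    Set objUser = GetObject("WinNT://" & strComputer & "/" & strUser & ",user")
    lngFlags = objUser.Get("UserFlags")
    If HasFlag(lngFlags, ADS_UF_ACCOUNTDISABLE) Then
        objUser.Put "UserFlags", ClearFlag(lngFlags, ADS_UF_ACCOUNTDISABLE)
        objUser.SetInfo
    End If
    Set objUser = Nothing   ' release the object, as the EXTRA NOTE asks
End Sub

' Print a flag value and the state of the bits this example cares about.
Sub Show(strLabel, lngFlags)
    WScript.Echo strLabel & " flags=&H" & Hex(lngFlags) & _
        " disabled=" & HasFlag(lngFlags, ADS_UF_ACCOUNTDISABLE) & _
        " neverExpires=" & HasFlag(lngFlags, ADS_UF_DONT_EXPIRE_PASSWD)
End Sub

' Offline demonstration on a constructed value; no account is touched.
Dim lngSample
lngSample = &H0201   ' constructed sample: ADS_UF_SCRIPT + ADS_UF_NORMAL_ACCOUNT
Show "start      ", lngSample

' Xor flips the disabled bit each time it is applied.
lngSample = ToggleFlag(lngSample, ADS_UF_ACCOUNTDISABLE)
Show "Xor once   ", lngSample
lngSample = ToggleFlag(lngSample, ADS_UF_ACCOUNTDISABLE)
Show "Xor twice  ", lngSample

' Or and And Not give the same result however many times they run.
lngSample = SetFlag(SetFlag(lngSample, ADS_UF_DONT_EXPIRE_PASSWD), ADS_UF_DONT_EXPIRE_PASSWD)
Show "Or twice   ", lngSample
lngSample = ClearFlag(ClearFlag(lngSample, ADS_UF_DONT_EXPIRE_PASSWD), ADS_UF_DONT_EXPIRE_PASSWD)
Show "Clear twice", lngSample
```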

Changing Specific User Boundaries


I'm not going to explain this code since it is an almost exact copy of the code in the first article. Please make sure that you use XOR to change a user flag and OR to initially set it. The following part is a direct copy since nothing has changed. In order to change the logon script, profile path, etc., we use the same code as we used to initially set it.

Now we have edited the same information that we applied to the computer in the previous article. After doing this we might as well remove the user we created, leaving us with nothing.

Removing Users


In the next article I will provide code on how to query specific user information. For now we are going to order our thousands of users by making groups.

Creating, Editing and Populating Groups

Groups are made to make the life of system administrators a bit easier. By creating groups you don't have to give folder rights to each specific user. You only have to give folder rights to the group. With ADSI and some good old DOS programming we can automate both.

Creating a Group


You may have noticed that in the first code sample the grouptype is 4, and in the second it is 2. The grouptype defines if the group is a local group, or a global group. Local groups are created to make independent groups on a workstation, and global groups are made for the whole domain. By default ADSI creates a Global group, so if you want to make a group without thinking, use the second sample and remove the Group.Put "groupType", 2 part. 

Adding Users to a Group


Removing Users from a Group 

Editing the Group Description Field

Maybe some of you missed my explanation here. But I couldn't think of anything to comment on. The creation of a group doesn't involve difficult pieces of coding. Frankly, the only thing that is different between adding and removing a user in a group is the words "add" and "remove". There is nothing as easy as making new groups; you just have to know the syntax. So that is what I've provided here. Let's clean up our little experiment by removing the group.

Removing a Group


That is all there is to say about groups in ADSI. So now for the special bonus: automatically changing the folder rights. After creating a group, or a user, you can automatically set the folder rights by using old-fashioned DOS methods. Every Windows server has a little program called cacls.exe. This program changes the user rights on folders. You can just run it by using Windows Scripting, but then you will get stuck. Why? Because cacls.exe is waiting for confirmation. To get past this you should pipe a Y to cacls.exe, forcing it to accept the new settings.

The code creates a command line that is executed by the Windows Script Host. In that command line I specify a few different things:

The first thing I do is open a command window and point out that I want to see what's happening. After that I pipe the letter Y to cacls.exe by using the y| symbol. By piping Y, I avoid the "Are you sure" question. Then I give the name of the folder (or file) I want to edit, followed by /E and /C. The /E says that I want to edit the user rights. Without the /E the rights will be overwritten. The /C says that the command should continue even if an error occurs. The last part is where I grant the user strUser (this can also be a group) a specific right. In the example I use C. But there are more rights:

Please note that if you want to change the rights of a user you have to use "/P " & strUser & ":" & strPermission
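One way to build the cacls command line described above without passing unchecked text to cmd.exe, as an added example that is not code from the original article. The function names, the allowed character sets and the sample folder and group are assumptions; the permission letters R, W, C and F are the ones cacls accepts for /G. Because the string is handed to a command interpreter, any shell metacharacter in the folder or account name would otherwise become part of the command. Run it with cscript.

```vbscript
Option Explicit

' Hypothetical helper: returns the command line, or raises an error when an
' input contains anything outside a conservative allow-list.
Function BuildCaclsGrant(strFolder, strUser, strPermission)
    Dim reFolder, reUser, strPerm

    ' Drive letter, backslash, then letters, digits, space, dot, dash,
    ' underscore and backslash only (assumed policy for this example).
    Set reFolder = New RegExp
    reFolder.Pattern = "^[A-Za-z]:\\[A-Za-z0-9_ .\\-]+$"

    ' Account or DOMAIN\account without spaces or shell metacharacters.
    Set reUser = New RegExp
    reUser.Pattern = "^[A-Za-z0-9_.\\-]{1,64}$"

    strPerm = UCase(strPermission)

    If Not reFolder.Test(strFolder) Or InStr(strFolder, "..") > 0 Then
        Err.Raise vbObjectError + 1, "BuildCaclsGrant", "Rejected folder path"
    End If
    ' A trailing backslash would escape the closing quote of the path.
    If Right(strFolder, 1) = "\" Then
        Err.Raise vbObjectError + 2, "BuildCaclsGrant", "Folder must not end with a backslash"
    End If
    If Not reUser.Test(strUser) Then
        Err.Raise vbObjectError + 3, "BuildCaclsGrant", "Rejected user or group name"
    End If
    ' R = Read, W = Write, C = Change, F = Full control
    If Len(strPerm) <> 1 Or InStr("RWCF", strPerm) = 0 Then
        Err.Raise vbObjectError + 4, "BuildCaclsGrant", "Rejected permission"
    End If

    ' echo y| answers the confirmation prompt, /E edits instead of replacing
    ' the ACL, /C continues on errors, /G grants the right.
    BuildCaclsGrant = "cmd /c echo y| cacls """ & strFolder & """ /E /C /G " & _
                      strUser & ":" & strPerm
End Function

' Hypothetical wrapper: runs the validated command and returns the exit code.
Function GrantFolderRight(strFolder, strUser, strPermission)
    Dim objShell
    Set objShell = CreateObject("WScript.Shell")
    ' Window style 1 shows the command window; True waits for it to finish.
    GrantFolderRight = objShell.Run( _
        BuildCaclsGrant(strFolder, strUser, strPermission), 1, True)
    Set objShell = Nothing
End Function

' Demonstration on constructed values; this only builds strings and runs nothing.
WScript.Echo BuildCaclsGrant("C:\Data\Projects", "MyGroup", "c")

On Error Resume Next
BuildCaclsGrant "C:\Data\Projects", "MyGroup & echo injected", "C"
If Err.Number <> 0 Then WScript.Echo "Rejected: " & Err.Description
Err.Clear
BuildCaclsGrant "C:\Data\Projects\", "MyGroup", "C"
If Err.Number <> 0 Then WScript.Echo "Rejected: " & Err.Description
On Error GoTo 0
```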

I'm going to end with some answers to questions I received concerning my previous article. Hope you enjoyed it, and happy programming.

FAQ

Q: I can't set the AccountExpirationDate
A: This could be because the user has the "Password Never Expires" toggled on. If so, the account won't expire, and therefore ADSI isn't able to set it.

Q: I get a "General Access Denied Error" when I apply the code
A: The server will only allow changes to be made to the SAM using an Administrator username and password. So the IUSR_machinename (IIS anonymous account) isn't allowed to execute the code. Make sure that you toggle off anonymous access in IIS, and let people log in using a valid Administrator account.

Q: Can I automatically create an Exchange mail account?
A: Yes you can, but I will handle that later.

Q: Can I set the Terminal Services properties using ADSI?
A: No you can't. ADSI can't set the Terminal Services properties, just as it can't change logon hours.

Besides these questions, there were some questions about LDAP. This article doesn't involve LDAP; it just refers to the ADSI language. If you do have a question about LDAP, you can e-mail me. I'm not really good at it, but I can help to figure out a solution.
