Learning ADSI - Part 2: Editing Users and Administering Groups

Original post, 2005-05-23 16:44:00
Introduction

When I started ASP, I tried reading a couple of phone directory-sized $50 books. Each of them was filled with samples that didn't make sense to me. I then found a Web site with simple ASP code samples, which I used to create some ASP pages. Today, when I look back at those pages, I'm truly embarrassed. When I revisit those books, everything finally makes sense. But with ADSI, making sense simply means learning the syntax. How do you know the right syntax? Read this article, which covers how to edit an existing user and administer groups.

Caveat

Please keep in mind that you are going to modify the basics of the Windows NT security model. You should be very alert when dealing with ADSI. Keep in mind that a simple mistype could mean reformatting and reinstalling your system. Don't do it on an operational machine! Please know that I have tried to make the following code as accurate as possible. Yet I can't guarantee its outcome. So please don't just copy and paste. I know it is very attractive, but it could cause you to spend the next couple of hours looking at a very appealing Windows installation screen.

EXTRA NOTE:
For those who read my first article, please heed the following. In that article I forgot one of the most important aspects of programming. The code I provided could cause a memory leak since I forgot to clean up the objects I used. So please add this to the code in order to prevent this (the first article has been updated with this change).



Editing an Existing User

As I explained in my first article, every action performed here goes directly through the Windows SAM. In response to my first article, there were some questions on how to change the logon hours or the terminal server home path. Sorry, but I have to disappoint you. This, as well as some other vital functions, can't be changed by ADSI. Then again, ADSI does do a lot. In the upcoming articles we are going to dive into the IIS metabase. But before we do that, let's start with editing a user.

Renaming Users


There isn't much to explain. The computer just grabs all the information about a user (the user.ADsPath) and projects that to the new user, deleting the old. 

Changing User-Properties


In the above code we changed some basic elements of a user account. It isn't that different from adding a user. The only difference is the way a password is changed. For security reasons you can only change a password by providing the old password. The outcome of this subroutine is very simple. The user "MyUser" now has "MyFullname", "MyDescription", and "MyNewpass" as full name, description and password. The next part is a bit harder since we are going into hex/decimal codes with the user flags. Again the code looks a lot like the code I used in my first article, but with one difference. Because we are now changing the user settings we use XOR instead of OR when dealing with userflags.

Changing Specific User Boundaries


I'm not going to explain this code since it is an almost exact copy of the code in the first article. Please make sure that you use XOR to change a userflag and OR to initially set it. The following part is a direct copy since nothing has changed. In order to change the logon script, profile path, etc., we use the same code as we used to initially set it.
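The difference between OR and XOR on the user flags matters when a script runs more than once: XOR flips a bit, so a second run undoes the first. The following is an added example, not code from the original article; it runs under cscript.exe on constructed flag values, and the helper names and the sample ADsPath in the comment are assumptions.

```vbscript
Option Explicit

' ADS_USER_FLAG_ENUM values used by the WinNT provider's UserFlags property.
Const ADS_UF_ACCOUNTDISABLE     = &H2
Const ADS_UF_PASSWD_CANT_CHANGE = &H40
Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000

' Or always leaves the bit set, whatever its previous state.
Function SetFlag(lngFlags, lngFlag)
    SetFlag = lngFlags Or lngFlag
End Function

' And Not always leaves the bit cleared, whatever its previous state.
Function ClearFlag(lngFlags, lngFlag)
    ClearFlag = lngFlags And (Not lngFlag)
End Function

' Xor flips the bit: set becomes cleared, cleared becomes set.
Function ToggleFlag(lngFlags, lngFlag)
    ToggleFlag = lngFlags Xor lngFlag
End Function

Function IsSet(lngFlags, lngFlag)
    IsSet = ((lngFlags And lngFlag) = lngFlag)
End Function

' Reads, changes and writes back one flag on a real account. Not called
' below; strAdsPath is a hypothetical path such as
' "WinNT://MyComputer/MyUser,user".
Sub ApplyUserFlag(strAdsPath, lngFlag, blnSet)
    Dim objUser, lngCurrent
    Set objUser = GetObject(strAdsPath)
    lngCurrent = objUser.Get("UserFlags")
    If blnSet Then
        objUser.Put "UserFlags", SetFlag(lngCurrent, lngFlag)
    Else
        objUser.Put "UserFlags", ClearFlag(lngCurrent, lngFlag)
    End If
    objUser.SetInfo
    Set objUser = Nothing
End Sub

' Constructed starting value: an enabled account whose password never expires.
Dim lngFlags
lngFlags = ADS_UF_DONT_EXPIRE_PASSWD
WScript.Echo "Start          : &H" & Hex(lngFlags)

' A "disable the account" script written with Xor, run twice.
lngFlags = ToggleFlag(lngFlags, ADS_UF_ACCOUNTDISABLE)
WScript.Echo "Xor, 1st run   : disabled=" & IsSet(lngFlags, ADS_UF_ACCOUNTDISABLE)
lngFlags = ToggleFlag(lngFlags, ADS_UF_ACCOUNTDISABLE)
WScript.Echo "Xor, 2nd run   : disabled=" & IsSet(lngFlags, ADS_UF_ACCOUNTDISABLE)

' The same script written with Or gives the same result on every run.
lngFlags = SetFlag(lngFlags, ADS_UF_ACCOUNTDISABLE)
lngFlags = SetFlag(lngFlags, ADS_UF_ACCOUNTDISABLE)
WScript.Echo "Or, run twice  : disabled=" & IsSet(lngFlags, ADS_UF_ACCOUNTDISABLE)

' Clearing one flag leaves the others untouched.
lngFlags = ClearFlag(lngFlags, ADS_UF_ACCOUNTDISABLE)
WScript.Echo "After clearing : &H" & Hex(lngFlags)
```

When the goal is a known end state (account disabled, password change blocked), read the current flags first and use the set or clear form; keep XOR for a deliberate toggle.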

Now we have edited the same information that we applied to the computer in the previous article. After doing this we might as well remove the user we created, leaving us with nothing.

Removing Users


In the next article I will provide code on how to query specific user information. For now we are going to organize our thousands of users by making groups.


Creating, Editing and Populating Groups

Groups are made to make the life of system administrators a bit easier. By creating groups you don't have to give folder rights to each specific user. You only have to give folder rights to the group. With ADSI and some good old DOS programming we can automate both.

Creating a Group


You may have noticed that in the first code sample the grouptype is 4, and in the second it is 2. The grouptype defines whether the group is a local group or a global group. Local groups are created to make independent groups on a workstation, and global groups are made for the whole domain. By default ADSI creates a global group, so if you want to make a group without thinking, use the second sample and remove the Group.Put "groupType", 2 part.

Adding Users to a Group


Removing Users from a Group 

Editing the Group Description Field

Maybe some of you missed my explanation here. But I couldn't think of anything to comment on. The creation of a group doesn't involve difficult pieces of coding. Frankly, the only thing that is different between adding and removing a user in a group is the words "add" and "remove". There is nothing as easy as making new groups; you just have to know the syntax. So that is what I've provided here. Let's clean up our little experiment by removing the group.

Removing a Group


That is all there is to say about groups in ADSI. So now for the special bonus: automatically changing the folder rights. After creating a group, or a user, you can automatically set the folder rights by using old-fashioned DOS methods. Every Windows server has a little program called cacls.exe. This program changes the user rights on folders. You can just run it by using Windows Scripting, but then you will get stuck. Why? Because cacls.exe is waiting for confirmation. To get past this you should pipe a Y to cacls.exe, forcing it to accept the new settings.

The code creates a command line that is executed by the Windows Script Host. In that command line I specify a few different things:

The first thing I do is open a command window and point out that I want to see what's happening. After that I pipe the letter Y to CACLS.exe by using the y| symbol. By piping Y, I avoid the "Are you Sure" question. Then I give the name of the folder (or file) I want to edit, followed by /E and /C. The /E says that I want to edit the user rights. Without the /E the rights will be overwritten. The /C says that the command should continue even if an error occurs. The last part is where I grant the user strUser (this can also be a group) a specific right. In the example I use C. But there are more rights:

Please note that if you want to change the rights of a user you have to use "/P " & strUser & ":" & strPermission
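Because the folder, user and permission are concatenated into a string that cmd.exe parses, they should be checked before the command line is built, especially when they arrive from an ASP form. The following is an added example, not code from the original article; it runs under cscript.exe, executes nothing, and the function names, validation patterns and sample values are assumptions.

```vbscript
Option Explicit

' True when strValue matches strPattern (patterns below are anchored with ^ and $).
Function Matches(strValue, strPattern)
    Dim objRe
    Set objRe = New RegExp
    objRe.Pattern = strPattern
    Matches = objRe.Test(strValue)
End Function

Sub Reject(strWhat, strValue)
    Err.Raise vbObjectError + 1, "BuildCaclsCommand", "Invalid " & strWhat & ": " & strValue
End Sub

' Builds the cacls command line, or raises an error when a value could change
' the meaning of the command once cmd.exe parses it.
' blnReplace = False -> /G (grant), True -> /P (replace the user's rights).
Function BuildCaclsCommand(strFolder, strUser, strPermission, blnReplace)
    Dim strSwitch, strAllowed
    ' Drive-letter path without quotes, wildcards or cmd.exe metacharacters.
    If Not Matches(strFolder, "^[A-Za-z]:\\[^""&|<>^%*?\r\n]*$") Then Reject "folder", strFolder
    ' A trailing backslash would sit directly before the closing quote.
    If Right(strFolder, 1) = "\" Then Reject "folder", strFolder
    ' Account or group name, optionally DOMAIN\name; no spaces or metacharacters.
    If Not Matches(strUser, "^[A-Za-z0-9._-]+(\\[A-Za-z0-9._-]+)?$") Then Reject "user", strUser
    If blnReplace Then
        strSwitch = "/P" : strAllowed = "^[NRWCF]$"
    Else
        strSwitch = "/G" : strAllowed = "^[RWCF]$"
    End If
    If Not Matches(UCase(strPermission), strAllowed) Then Reject "permission", strPermission
    BuildCaclsCommand = "cmd /c echo y| cacls """ & strFolder & """ /E /C " & _
        strSwitch & " " & strUser & ":" & UCase(strPermission)
End Function

' Prints the command line for accepted input and the reason for rejected input.
Sub Demo(strFolder, strUser, strPermission)
    Dim strCommand
    On Error Resume Next
    strCommand = BuildCaclsCommand(strFolder, strUser, strPermission, False)
    If Err.Number <> 0 Then
        WScript.Echo "REJECTED  " & Err.Description
    Else
        WScript.Echo "OK        " & strCommand
        ' To apply it: CreateObject("WScript.Shell").Run strCommand, 1, True
    End If
    On Error GoTo 0
End Sub

' Constructed sample inputs; nothing is executed.
Demo "D:\Shares\Sales", "SalesGroup", "C"
Demo "D:\Shares\Sales & echo injected", "SalesGroup", "C"
Demo "D:\Shares\Sales", "SalesGroup", "X"
```

The patterns are deliberately strict: names with spaces and a bare drive root are rejected rather than quoted, so widen them only for values you control.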

I'm going to end with some answers to questions I received concerning my previous article. Hope you enjoyed it, and happy programming.


FAQ

Q: I can't set the AccountExpirationDate
A: This could be because the user has the "Password Never Expires" toggled on. If so, the account won't expire, and therefore ADSI isn't able to set it.

Q: I get a "General Access Denied Error" when I apply the code.
A: The server will only allow changes to be made to the SAM using an Administrator username and password. So the IUSR_machinename (IIS anonymous account) isn't allowed to execute the code. Make sure that you toggle off the anonymous access in IIS, and let people log in using a valid Administrator account.

Q: Can I automatically create an Exchange mail account?
A: Yes you can, but I will handle that later.

Q: Can I set the Terminal Services properties using ADSI?
A: No you can't. ADSI can't set the terminal services properties, just as it can't change logon hours.

Besides these questions, there were some questions about LDAP. This article doesn't involve LDAP; it just refers to the ADSI language. If you do have questions about LDAP, you can e-mail me. I'm not really good at it, but I can help to figure out a solution.
