本文是VBScript系列的第二部分,主要介绍如何利用ADSIEdit.msc工具找到和配置AD中的隐藏属性,如Employee ID字段。警告:在生产环境中操作需谨慎。通过实例展示了如何设置用户IP电话和邮箱限制,以及查看属性语法确定值类型。
vbscript
Welcome back! My apologies for taking so long to write part two of this series; it's been a long time coming! As I promised in Part 1, this article will focus on how to locate those elusive AD properties that you are searching for. Why is this useful? Well, for instance, did you know that each user account in AD has an Employee ID field? Don't go look, you can't find it in the regular Active Directory Users & Computers (hereafter referred to as ADU&C) GUI. But, I'll show you how to find, and configure, this field and many, many more.
欢迎回来! 我很抱歉花了这么长时间写了本系列的第二部分。 好久不见了! 就像我在第1部分中保证的那样,本文将重点介绍如何找到要搜索的那些难以捉摸的AD属性。 为什么这有用? 好吧,例如,您是否知道AD中的每个用户帐户都有一个Employee ID字段? 别看,您无法在常规的Active Directory用户和计算机(以下称为ADU&C)GUI中找到它。 但是,我将向您展示如何查找和配置此字段以及更多其他内容。
First things first. In order to follow along, you're going to need an AD environment you can use as a sandbox. That's right, kids, don't run this stuff on your production network. BAD THINGS can happen! I remember an incident about 10 years ago when I deleted every single user in AD. Luckily, the company hadn't yet switched to AD (it was a clean migration from NT4 to 2000, not an upgrade), so I just re-ran the script to recreate all the users. But had that been production, I'm sure I would have spent some time brushing the dust off my resume!
首先是第一件事。 为了进行后续操作,您将需要一个可用作沙箱的AD环境。 是的,孩子们,不要在您的生产网络上运行这些东西。 可能发生坏事! 我记得大约十年前的一次事件,当时我删除了AD中的每个用户。 幸运的是,该公司尚未切换到AD(这是从NT4到2000的干净迁移,而不是升级),所以我只是重新运行了脚本以重新创建所有用户。 但是,如果那是生产的话,我敢肯定我会花一些时间清理简历上的灰尘!
So, to get started, the main tool we will be using here is ADSIEdit.msc. This is a free tool, and is included with the Windows Support tools. Download the package, install it, and then just click Start -> Run and type "adsiedit.msc" and viola! There it is. WARNING: BE CAREFUL! Anything you modify in here directly changes Active Directory, and can cause corrupted objects, or other undesireable results. Hence my recommendation of a sandbox!! Now, back to your regularly scheduled programming: Expand the Domain container, then expand the domain DN, and then drill into an OU until you find a user account. Right-click the user object and then click properties. There are several checkboxes at the top: "Show mandatory attributes", "Show optional attributes" and "Show only attributes that have values". Let's step back for a moment and show the practical use for this.
因此,首先,我们将在这里使用的主要工具是ADSIEdit.msc。 这是一个免费工具,并且包含在Windows支持工具中。 下载该软件包,安装它,然后单击开始->运行,然后键入“ adsiedit.msc”和中提琴! 在那里。 警告:要小心! 您在此处所做的任何修改都会直接更改Active Directory,并可能导致对象损坏或其他不良后果。 因此,我建议您使用沙箱!! 现在,返回到定期计划的编程:展开“域”容器,然后展开域DN,然后钻取到OU中,直到找到用户帐户为止。 用鼠标右键单击用户对象,然后单击属性。 顶部有几个复选框:“显示必填属性”,“显示可选属性”和“仅显示具有值的属性”。 让我们退后一会儿,并展示其实际用法。
For example, say you're trying to figure out how to access the "IP phone" field from the Telephones tab programmatically, so you can set a user's extension or phone number via a script. Open the user object, and enter an easily identifiable string in there, like 999-999-9999. Now, open ADSIEdit.msc, and browse to the user properties. Then, check the box for "Show only attributes that have values". All the objects that are not set will be hidden, making it easier to find the string you are looking for. As a result, we see that the field name we are looking for is called ipphone. So it would be
例如,假设您试图通过编程方式找出如何从“电话”选项卡访问“ IP电话”字段,以便可以通过脚本设置用户的分机号或电话号码。 打开用户对象,然后在其中输入易于识别的字符串,例如999-999-9999。 现在,打开ADSIEdit.msc,并浏览到用户属性。 然后,选中“仅显示具有值的属性”框。 所有未设置的对象将被隐藏,从而使查找所需字符串变得更加容易。 结果,我们看到我们要查找的字段名称称为ipphone。 原来如此
Set oUser = GetObject("CN=Test User,OU=Employees,DC=mydom
设置oUser = GetObject(“ CN = Test User,OU = Employees,DC = mydom ain,DC = loc al“)
oUser.ipPhone = "999-999-9999"
oUser.ipPhone =“ 999-999-9999”
oUser.SetInfo
oUser.SetInfo
Congratulations, you've just successfully located and configured the IP Phone for this user! So, if you scroll through the properties in ADSIEdit, you can see everything that's available to you. EmployeeID is one field that is available, but doesn't show up in the GUI.
恭喜,您已经成功找到并配置了该用户的IP电话! 因此,如果您滚动浏览ADSIEdit中的属性,则可以看到所有可用的内容。 EmployeeID是一个可用字段,但不会显示在GUI中。
Set oUser = GetObject("CN=Test User,OU=Employees,DC=mydom
设置oUser = GetObject(“ CN = Test User,OU = Employees,DC = mydom ain,DC = loc al“)
oUser.employeeID = "123456"
oUser.employeeID =“ 123456”
oUser.SetInfo
oUser.SetInfo
There are lots of other cases in which you'll want to have this weapon in your scripting arsenal. Consider: In order to create a mailbox for a user, you need to know the full path to the Exchange server. This can be long and ugly, but it can be easily found on a user that is already configured. The attribute is called msExchHomeServerName.
在许多其他情况下,您可能需要在脚本库中使用此武器。 考虑:为了为用户创建邮箱,您需要知道Exchange服务器的完整路径。 这可能很长很丑,但是可以在已经配置的用户上轻松找到。 该属性称为msExchHomeServerName。
Set oUser = GetObject("CN=Test User,OU=Employees,DC=mydom
设置oUser = GetObject(“ CN = Test User,OU = Employees,DC = mydom ain,DC = loc al“)
WScript.Echo oUser.msExchHomeServerName
WScript.Echo oUser.msExchHomeServerName
Output:
输出:
/o=Organization/ou=Exchang
/ o =组织/ ou =交换 管理组(FRDWBOHF34SPDPQ)/ cn = Confi guration / c n =服务器/ cn =邮件 VER
Want to figure out how to set mailbox limits? In ADU&C enter some numbers in the "Issue Warning" box, the "Prohibit Send" box and the "Prohibit Send and Receive" box. Then, open ADSIEdit and go look for them. Here's the code:
是否想找出如何设置邮箱限制? 在ADU&C中,在“问题警告”框中,“禁止发送”框中和“禁止发送和接收”框中输入一些数字。 然后,打开ADSIEdit并查找它们。 这是代码:
Set oUser = GetObject("CN=Test User,OU=Employees,DC=mydom
设置oUser = GetObject(“ CN = Test User,OU = Employees,DC = mydom ain,DC = loc al“)
oUser.mDBStorageQuota = 250000
oUser.mDBStorageQuota = 250000
oUser.mDBOverQuotaLimit = 275000
oUser.mDBOverQuotaLimit = 275000
oUser.mDBOverHardQuotaLimi
oUser.mDBOverHardQuotaLimi t = 300000
oUser.SetInfo
oUser.SetInfo
And there you have it. Test User is now restricted on the amount of information that can be in his mailbox. But now you ask "Why are the values not in quotes? How did you know they were supposed to be integers instead of strings?" Ah HA! Yet another value of ADSIEdit. Not only do you get to see the attribute and the value, you also get to see the syntax, meaning it tells you if it should be an Integer, Boolean, String, etc.
那里有。 现在,“测试用户”受其邮箱中可以包含的信息量限制。 但是现在您问“为什么值不用引号引起来?您怎么知道它们应该是整数而不是字符串?” 啊哈! ADSIEdit的另一个价值。 您不仅可以看到属性和值,还可以看到语法,这意味着它可以告诉您是否应为Integer,Boolean,String等。
The next installment of this series (which will not take another year and a half, I promise), I think will be about file manipulation. Unless anyone has any requests? Feel free to leave them in the comments, and I'll take them under advisement.
我认为本系列的下一部分(我保证不会花一年半的时间)将涉及文件操作。 除非有人有任何要求? 随时将其留在评论中,我将在建议下接受他们。
Until next time...
直到下一次...
-exx1976
-exx1976
vbscript
扫一扫
204
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
