mcse注:其实这是 按照adsi(active directory services interface:活动目录服务接口)写的程序。如果你安装了resource kit,这段代码可以用netcom这条命令进行工作,下面是netcom的一个例子:
netdom /domain:mydomain /user:adminuser /password:apassword member mycomputer /add
***********************
'* start script
'***********************
dim scomputername, suserorgroup, spath, computercontainer, rootdse, lflag
dim secdescriptor, dacl, ace, ocomputer, spwd
'
'* declare constants used in defining the default location for the
'* machine account, flags to identify the object as a machine account,
'* and security flags
'const uf_workstation_trust_account = &h1000
const uf_accountdisable = &h2
const uf_passwd_notreqd = &h20
const ads_guid_computrs_container = "aa312825768811d1aded00c04fd8d5cd"
const ads_acetype_access_allowed = 0
const ads_aceflag_inherit_ace = 2
'
'* set the flags on this object to identify it as a machine account
'* and determine the name. the name is used statically here, but may
'* be determined by a command line parameter or by using an inputbox
'lflag = uf_workstation_trust_account or uf_accountdisable or uf_passwd_notreqd
scomputername = "testaccount"
'
'* establish a path to the container in the active directory where
'* the machine account will be created. in this example, this will
'* automatically locate a domain controller for the domain, read the
'* domain name, and bind to the default "computers" container
'*********************************************************************
set rootdse = getobject("ldap://rootdse")
spath = "ldap:// set computercontainer = getobject(spath)
spath = "ldap://" & computercontainer.get("distinguishedname")
set computercontainer = getobject(spath)
''* here, the computer account is created. certain attributes must
'* have a value before calling .setinfo to commit (write) the object
'* to the active directory
'set ocomputer = computercontainer.create("computer", "cn=" & scomputername)
ocomputer.put "samaccountname", scomputername + "$"
ocomputer.put "useraccountcontrol", lflag
ocomputer.setinfo
'
'* establish a default password for the machine account
'spwd = scomputername & "$"
spwd = lcase(spwd)
ocomputer.setpassword spwd
''* specify which user or group may activate/join this computer to the
'* domain. in this example, "mydomain" is the domain name and
'* "joesmith" is the account being given the permission. note that
'* this is the downlevel naming convention used in this example.
'suserorgroup = "mydomain\joesmith"
''* bind to the discretionary acl on the newly created computer account
'* and create an access control entry (ace) that gives the specified
'* user or group full control on the machine account
'set secdescriptor = ocomputer.get("ntsecuritydescriptor")
set dacl = secdescriptor.discretionaryacl
set ace = createobject("accesscontrolentry")
'
'* an accessmask of "-1" grants full control
'
ace.accessmask = -1
ace.acetype = ads_acetype_access_allowed
ace.aceflags = ads_aceflag_inherit_ace
''* grant this control to the user or group specified earlier.
'ace.trustee = suserorgroup
'
'* now, add this ace to the dacl on the machine account
'dacl.addace ace
secdescriptor.discretionaryacl = dacl
'
'* commit (write) the security changes to the machine account
'ocomputer.put "ntsecuritydescriptor", array(secdescriptor)
ocomputer.setinfo
''* once all parameters and permissions have been set, enable the
'* account.
'
ocomputer.accountdisabled = false
ocomputer.setinfo
''* create an access control entry (ace) that gives the specified user
'* or group full control on the machine account
'wscript.echo "the command completed successfully."
'*****************
'* end script
扫一扫
324
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
