Creating Computer accounts in the AD with VBScript

Guest
Archived from groups: microsoft.public.win2000.active_directory

I am looking for input on how to create multiple computer
accounts in the Active Directory using VBScript. I have been
successful in creating the machine accounts, but I need to be able to
specify a GROUP that may join the machine to the domain other than
the Domain Administrators. Specifically, when the accounts are
created I would like to enable "Everyone" to join the PC to the
domain.
The script below is directly from Microsoft. It seems to show
how to specify a user or group that can join the machine to a domain,
but I am having trouble getting this to work correctly.

'***********************
'* Start Script
'***********************

Dim sComputerName, sUserOrGroup, sPath, computerContainer, rootDSE, lFlag
Dim secDescriptor, dACL, ACE, oComputer, sPwd

'*********************************************************************
'* Declare constants used in defining the default location for the
'* machine account, flags to identify the object as a machine account,
'* and security flags
'*********************************************************************

Const UF_WORKSTATION_TRUST_ACCOUNT = &H1000
Const UF_ACCOUNTDISABLE = &H2
Const UF_PASSWD_NOTREQD = &H20
Const ADS_GUID_COMPUTRS_CONTAINER = "aa312825768811d1aded00c04fd8d5cd"
Const ADS_ACETYPE_ACCESS_ALLOWED = 0
Const ADS_ACEFLAG_INHERIT_ACE = 2

'*********************************************************************
'* Set the flags on this object to identify it as a machine account
'* and determine the name. The name is used statically here, but may
'* be determined by a command line parameter or by using an InputBox
'*********************************************************************

lFlag = UF_WORKSTATION_TRUST_ACCOUNT Or UF_ACCOUNTDISABLE Or UF_PASSWD_NOTREQD
sComputerName = "TestAccount"

'*********************************************************************
'* Establish a path to the container in the Active Directory where
'* the machine account will be created. In this example, this will
'* automatically locate a domain controller for the domain, read the
'* domain name, and bind to the default "Computers" container
'*********************************************************************

Set rootDSE = GetObject("LDAP://RootDSE")
sPath = "LDAP://<WKGUID=" & ADS_GUID_COMPUTRS_CONTAINER
sPath = sPath + ","
sPath = sPath + rootDSE.Get("defaultNamingContext")
sPath = sPath + ">"
Set computerContainer = GetObject(sPath)
sPath = "LDAP://" & computerContainer.Get("distinguishedName")
Set computerContainer = GetObject(sPath)

'*********************************************************************
'* Here, the computer account is created. Certain attributes must
'* have a value before calling .SetInfo to commit (write) the object
'* to the Active Directory
'*********************************************************************

Set oComputer = computerContainer.Create("computer", "CN=" & sComputerName)
oComputer.Put "samAccountName", sComputerName + "$"
oComputer.Put "userAccountControl", lFlag
oComputer.SetInfo

'*********************************************************************
'* Establish a default password for the machine account
'*********************************************************************

sPwd = sComputerName & "$"
sPwd = LCase(sPwd)
oComputer.SetPassword sPwd

'*********************************************************************
'* Specify which user or group may activate/join this computer to the
'* domain. In this example, "MYDOMAIN" is the domain name and
'* "JoeSmith" is the account being given the permission. Note that
'* this is the downlevel naming convention used in this example.
'*********************************************************************

sUserOrGroup = "MYDOMAIN\joesmith"

'*********************************************************************
'* Bind to the Discretionary ACL on the newly created computer account
'* and create an Access Control Entry (ACE) that gives the specified
'* user or group full control on the machine account
'*********************************************************************

Set secDescriptor = oComputer.Get("ntSecurityDescriptor")
Set dACL = secDescriptor.DiscretionaryAcl
Set ACE = CreateObject("AccessControlEntry")

'*********************************************************************
'* An AccessMask of "-1" grants Full Control
'*********************************************************************

ACE.AccessMask = -1
ACE.AceType = ADS_ACETYPE_ACCESS_ALLOWED
ACE.AceFlags = ADS_ACEFLAG_INHERIT_ACE

'*********************************************************************
'* Grant this control to the user or group specified earlier.
'*********************************************************************

ACE.Trustee = sUserOrGroup

'*********************************************************************
'* Now, add this ACE to the DACL on the machine account
'*********************************************************************

dACL.AddAce ACE
secDescriptor.DiscretionaryAcl = dACL

'*********************************************************************
'* Commit (write) the security changes to the machine account
'*********************************************************************

oComputer.Put "ntSecurityDescriptor", Array(secDescriptor)
oComputer.SetInfo

'*********************************************************************
'* Once all parameters and permissions have been set, enable the
'* account.
'*********************************************************************

oComputer.AccountDisabled = False
oComputer.SetInfo

'*********************************************************************
'* Report that the script ran to completion
'*********************************************************************

wscript.echo "The command completed successfully."

'*****************
'* End Script
'*****************

I may be specifying the incorrect "Downlevel Naming Convention" for
"Everyone". I have tried "BUILTIN\Everyone", "Everyone", and
"MYDOMAIN\Everyone", but nothing has worked yet. Anyone have any
ideas?

TYIA
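
An added example, not part of the original post or of Microsoft's script: a Python check a defender could run over exported computer-account data to catch what this script produces when the trustee is a broad group, namely a full-control allow ACE (AccessMask = -1) and a machine account enabled with UF_PASSWD_NOTREQD still set. The record layout, the sample SIDs and names, and the function names are assumptions constructed for illustration.

```python
# userAccountControl bits, as declared in the script above
UF_ACCOUNTDISABLE = 0x2
UF_PASSWD_NOTREQD = 0x20
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000

ACCESS_ALLOWED = 0            # ADS_ACETYPE_ACCESS_ALLOWED
GENERIC_ALL = 0x10000000
DS_FULL_CONTROL = 0x000F01FF  # every standard and directory-object right

# Well-known SIDs that match almost any principal
BROAD_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-7": "Anonymous Logon",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-32-545": "BUILTIN\\Users",
}
BROAD_DOMAIN_RIDS = {"513": "Domain Users", "515": "Domain Computers"}


def broad_trustee(sid):
    """Return a display name if the SID is a broad group, else None."""
    if sid in BROAD_SIDS:
        return BROAD_SIDS[sid]
    parts = sid.split("-")  # domain SIDs: S-1-5-21-a-b-c-RID
    if sid.startswith("S-1-5-21-") and len(parts) == 8:
        return BROAD_DOMAIN_RIDS.get(parts[-1])
    return None


def grants_full_control(mask):
    """True if the access mask carries GENERIC_ALL or all DS rights."""
    mask &= 0xFFFFFFFF  # VBScript's -1 is 0xFFFFFFFF as an unsigned mask
    return bool(mask & GENERIC_ALL) or (mask & DS_FULL_CONTROL) == DS_FULL_CONTROL


def audit(record):
    """Return a list of findings for one exported computer account."""
    findings = []
    uac = record["userAccountControl"]
    if uac & UF_WORKSTATION_TRUST_ACCOUNT:
        enabled = not uac & UF_ACCOUNTDISABLE
        if enabled and uac & UF_PASSWD_NOTREQD:
            findings.append("PASSWD_NOTREQD set on enabled machine account")
    for ace in record["dacl"]:
        who = broad_trustee(ace["sid"])
        if ace["type"] == ACCESS_ALLOWED and who and grants_full_control(ace["mask"]):
            findings.append("full control granted to " + who)
    return findings


# Constructed sample export (hypothetical layout, not real directory data)
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE = [
    {   # the script's flags after enabling, with trustee "Everyone"
        "name": "TESTACCOUNT$",
        "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT | UF_PASSWD_NOTREQD,
        "dacl": [{"sid": "S-1-1-0", "type": ACCESS_ALLOWED, "mask": -1}],
    },
    {   # full control for one named user, a narrow right for Domain Users
        "name": "WKS-042$",
        "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT,
        "dacl": [
            {"sid": DOMAIN + "-1104", "type": ACCESS_ALLOWED, "mask": -1},
            {"sid": DOMAIN + "-513", "type": ACCESS_ALLOWED, "mask": 0x100},
        ],
    },
    {   # still disabled, but Domain Users already hold full control
        "name": "WKS-043$",
        "userAccountControl": 0x1022,
        "dacl": [{"sid": DOMAIN + "-513", "type": ACCESS_ALLOWED, "mask": 0xF01FF}],
    },
]


def audit_all(records):
    return {r["name"]: audit(r) for r in records}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE).items():
        print(name, findings or "ok")
```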
 
Guest

Greg,

You have posted this to many of the newsgroups individually. You should
have sent this one post to several news groups at once. That way if I were
to respond to your post in this specific news group my answer would show up
everywhere. Instead, were I to answer in this specific newsgroup you will
see my answer only in this specific news group. Same as for all of the
people who might respond to your post in the other news groups. Not really
the way to do things......

Cary


"Greg K Wong" <Nunya@biddness.com> wrote in message
news:52mut054kq6c09gp0qfmmsqihk5h68nuve@4ax.com...
> I am looking for input on how to create multiple computer
> accounts in the Active Directory using VBScript. I have been
> successful in creating the machine accounts, but I need to be able to
> specify a GROUP that may join the machine to the domain other than
> the Domain Administrators. Specifically, when the accounts are
> created I would like to enable "Everyone" to join the PC to the
> domain.
> The script below is directly from Microsoft. It seems to show
> how to specify a user or group that can join the machine to a domain,
> but I am having trouble getting this to work correctly.
>
> I may be specifying the incorrect "Downlevel Naming Convention" for
> "Everyone". I have tried "BUILTIN\Everyone", "Everyone", and
> "MYDOMAIN\Everyone", but nothing has worked yet. Anyone have any
> ideas?
>
> TYIA
 
Guest

Hi,
I haven't used your script but I have used this script
http://www.microsoft.com/technet/scriptcenter/scripts/ad/computer/cptrvb02.mspx

Set the strComputerUser to domainname\Domain Users and it will work.


--
Andrei Ungureanu
www.eventid.net
Free Windows event logs reports
http://www.altairtech.ca/evlog/

 
Guest


Hi,

I create 1000 users via VBscript every year. I have all my scripts
posted on my website along with a .doc to modify for different
attributes.
http://www.sd61.bc.ca/windows2000

Cheers,

Lara
