How do you use ADSI to create an NT user and group?

The following ADSI script creates a user account in a domain:

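On Error Resume Next
strUser = "UserID"
Set oDomain = GetObject("WinNT://YourDomain")
Set oUser = oDomain.Create("user", strUser)
oUser.SetInfo ' Commit the new account; this is the call that fails if the name is taken
If (Err.Number = 0) Then ' A non-zero value means this user name already exists
    oUser.SetPassword "mypassword" ' Placeholder password
    oUser.SetInfo
End If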

If you have the Resource Kit installed, this kind of work is done mainly with the netdom command. Here is a netdom example:

NETDOM /Domain:MYDOMAIN /user:adminuser /password:apassword MEMBER MYCOMPUTER /ADD

Here is a script:

'***********************
'* Start Script
'***********************

Dim sComputerName, sUserOrGroup, sPath, computerContainer, rootDSE, lFlag
Dim secDescriptor, dACL, ACE, oComputer, sPwd

'*********************************************************************
'* Declare the machine account; define the machine-account flags and security flags
'*********************************************************************

Const UF_WORKSTATION_TRUST_ACCOUNT = &H1000
Const UF_ACCOUNTDISABLE = &H2
Const UF_PASSWD_NOTREQD = &H20
Const ADS_GUID_COMPUTRS_CONTAINER = "aa312825768811d1aded00c04fd8d5cd"
Const ADS_ACETYPE_ACCESS_ALLOWED = 0
Const ADS_ACEFLAG_INHERIT_ACE = 2

lFlag = UF_WORKSTATION_TRUST_ACCOUNT Or UF_ACCOUNTDISABLE Or UF_PASSWD_NOTREQD
sComputerName = "TestAccount"

'*********************************************************************
'* Bind to the AD container that will hold the account
'*********************************************************************

Set rootDSE = GetObject("LDAP://RootDSE")
sPath = "LDAP://<WKGUID=" & ADS_GUID_COMPUTRS_CONTAINER
sPath = sPath + ","
sPath = sPath + rootDSE.Get("defaultNamingContext")
sPath = sPath + ">"
Set computerContainer = GetObject(sPath)
sPath = "LDAP://" & computerContainer.Get("distinguishedName")
Set computerContainer = GetObject(sPath)

Set oComputer = computerContainer.Create("computer", "CN=" & sComputerName)
oComputer.Put "samAccountName", sComputerName + "$"
oComputer.Put "userAccountControl", lFlag
oComputer.SetInfo

'*********************************************************************
'* Set the password
'*********************************************************************

sPwd = sComputerName & "$"
sPwd = LCase(sPwd)
oComputer.SetPassword sPwd

sUserOrGroup = "MYDOMAIN\joesmith"

Set secDescriptor = oComputer.Get("ntSecurityDescriptor")
Set dACL = secDescriptor.DiscretionaryAcl
Set ACE = CreateObject("AccessControlEntry")

'*********************************************************************
'* -1 means full control
'*********************************************************************

ACE.AccessMask = -1
ACE.AceType = ADS_ACETYPE_ACCESS_ALLOWED
ACE.AceFlags = ADS_ACEFLAG_INHERIT_ACE

ACE.Trustee = sUserOrGroup

dACL.AddAce ACE
secDescriptor.DiscretionaryAcl = dACL

oComputer.Put "ntSecurityDescriptor", Array(secDescriptor)
oComputer.SetInfo

oComputer.AccountDisabled = False
oComputer.SetInfo

wscript.echo "The command completed successfully."

'*****************
'* End Script
'*****************
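
Added example (not part of the original page's code): the script above builds userAccountControl from three flags and later only sets AccountDisabled = False, so the enabled computer account still carries UF_PASSWD_NOTREQD. The Python below audits an exported account list for that state; the function names and sample records are constructed for illustration, and it assumes that enabling the account clears only the UF_ACCOUNTDISABLE bit.

```python
# Added example: flag values are the constants from the script above.
UF_ACCOUNTDISABLE = 0x0002
UF_PASSWD_NOTREQD = 0x0020
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000

FLAG_NAMES = {
    UF_ACCOUNTDISABLE: "UF_ACCOUNTDISABLE",
    UF_PASSWD_NOTREQD: "UF_PASSWD_NOTREQD",
    UF_WORKSTATION_TRUST_ACCOUNT: "UF_WORKSTATION_TRUST_ACCOUNT",
}

# userAccountControl exactly as the script computes lFlag.
SCRIPT_FLAGS = UF_WORKSTATION_TRUST_ACCOUNT | UF_ACCOUNTDISABLE | UF_PASSWD_NOTREQD


def decode_uac(value):
    """Names of the known flags set in a userAccountControl value."""
    return [name for bit, name in FLAG_NAMES.items() if value & bit]


def enable_account(value):
    """Assumed model of 'AccountDisabled = False': clears UF_ACCOUNTDISABLE only."""
    return value & ~UF_ACCOUNTDISABLE


def audit(records):
    """Return enabled machine accounts that still carry UF_PASSWD_NOTREQD."""
    findings = []
    for name, uac in records:
        is_machine = bool(uac & UF_WORKSTATION_TRUST_ACCOUNT)
        enabled = not (uac & UF_ACCOUNTDISABLE)
        if is_machine and enabled and (uac & UF_PASSWD_NOTREQD):
            findings.append((name, hex(uac), decode_uac(uac)))
    return findings


# Constructed sample export: (sAMAccountName, userAccountControl).
SAMPLE = [
    ("TestAccount$", enable_account(SCRIPT_FLAGS)),  # state the script leaves behind
    ("WS-0042$", UF_WORKSTATION_TRUST_ACCOUNT),      # enabled, password required
    ("STAGED-01$", SCRIPT_FLAGS),                    # pre-created but still disabled
    ("joesmith", 0x0200),                            # constructed non-machine account
]

if __name__ == "__main__":
    for name, raw, flags in audit(SAMPLE):
        print(f"{name}: userAccountControl={raw} flags={', '.join(flags)}")
```

Only TestAccount$ is reported, with userAccountControl 0x1020; writing the value back with UF_PASSWD_NOTREQD cleared (0x1000) removes the finding.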

To update the information of an existing user, you can use the following code:

Set User = GetObject("WinNT://domain/user")
User.FullName = FirstNameVar
User.HomeDirectory = UserHome
User.Profile = "\\Server\Share\user"
User.LoginScript = LogonScript
User.Description = "Description"
User.SetInfo

To create a group, the following code is all you need:

strGroup="NewGroupName"
Set oDomain = GetObject("WinNT://YourDomain")
Set oGroup = oDomain.Create ("group", strGroup)
oGroup.SetInfo