191 6.11.3.3 Using VBScript The VBScript solution required quite a bit of code to perform a simple task; printing out the account lockout and password policy settings. First, I created a Dictionary object with each of the six attributes as the keys and the unit's designation for each key (e.g., minutes) as the value. I then iterated over each key, printing it along with the value retrieved from the domain object. Some additional code was necessary to distinguish between the values returned from some of the attributes. In the case of the time-based attributes, such as lockoutDuration, a IADsLargeInteger object was returned from the Get method instead of a pure integer or string value. IADsLargeInteger objects represent 64-bit, also known as Integer8, numbers. 32-bit systems, which make up the majority of systems today, have to break 64-bit numbers into two parts (a high and low part) in order to store them. Unfortunately, VBScript cannot natively handle a 64-bit number and stores it as a double precision. To convert a 64-bit number into something VBScript can handle, we have to first multiply the high part by 4,294,967,296 (2^32) and then add the low part to the result. value = Abs(objLargeInt.HighPart * 2^32 + objLargeInt.LowPart) Then I divided by 10,000,000 or 10^7, which represents the number of 100 nanosecond intervals per second. value = int ( value / 10000000 ) I then used the int function to discard any remainder and finally divided the result by 60 (number of seconds). value = int ( value / 60 ) Note that the result is only an approximation in minutes and can be off by several minutes, hours, or even days depending on the original value. The last part of the code iterates over another Dictionary object that contains constants representing various flags that can be set as part of the pwdProperties attribute. 6.11.4 See Also MS KB 221930 (Domain Security Policy in Windows 2000), MS KB 255550 (Configuring Account Policies in Active Directory), MSDN: IADsLargeInteger, and MSDN: DOMAIN_PASSWORD_INFORMATION Recipe 6.12 Enabling and Disabling a User 6.12.1 Problem You want to enable or disable a user. 192 6.12.2 Solution 6.12.2.1 Using a graphical user interface 1. Open the Active Directory Users and Computers snap-in. 2. In the left pane, right-click on the domain and select Find. 3. Select the appropriate domain beside In. 4. Type the name of the user beside Name and click Find Now. 5. In the Search Results, right-click on the user and select Enable Account to enable or Disable Account to disable. 6. Click OK. 6.12.2.2 Using a command-line interface To enable a user, use the following command: > dsmod user <UserDN> -disabled no To disable a user, use the following command: > dsmod user <UserDN> -disabled yes 6.12.2.3 Using VBScript ' This code will enable or disable a user. ' SCRIPT CONFIGURATION ' Set to FALSE to disable account or TRUE to enable account strDisableAccount = FALSE strUserDN = "<UserDN>" ' e.g. cn=jsmith,cn=Users,dc=rallencorp,dc=com ' END CONFIGURATION set objUser = GetObject("LDAP://" & strUserDN) if objUser.AccountDisabled = TRUE then WScript.Echo "Account for " & objUser.Get("cn") & " currently disabled" if strDisableAccount = FALSE then objUser.AccountDisabled = strDisableAccount objUser.SetInfo WScript.Echo "Account enabled" end if else WScript.Echo "Account currently enabled" if strDisableAccount = TRUE then objUser.AccountDisabled = strDisableAccount objUser.SetInfo WScript.Echo "Account disabled" end if end if 6.12.3 Discussion Account status is used to control if a user is allowed to log on or not. When an account is disabled, the user is not allowed to log on to her workstation with the account or access AD 193 controlled resources. Much like the lockout status, the account status is stored as a flag in the userAccountControl attribute (see Recipe 6.24). There is an IADsUser::AccountDisabled property that allows you to determine and change the status. Set the method FALSE to enable the account or TRUE to disable. 6.12.4 See Also Recipe 6.13 for finding disabled users, and Recipe 6.24 for more on the userAccountControl attribute Recipe 6.13 Finding Disabled Users 6.13.1 Problem You want to find disabled users in a domain. 6.13.2 Solution 6.13.2.1 Using a graphical user interface 1. Open the Active Directory Users and Computers snap-in. 2. In the left pane, connect to the domain you want to query. 3. Right-click on the domain and select Find. 4. Beside Find, select Common Queries. 5. Check the box beside "disabled accounts." 6. Click the Find Now button. 6.13.2.2 Using a command-line interface > dsquery user <DomainDN> -disabled 6.13.2.3 Using VBScript ' This code finds all disabled user accounts in a domain. ' SCRIPT CONFIGURATION strDomainDN = "<DomainDN>" ' e.g. dc=rallencorp,dc=com ' END CONFIGURATION strBase = "<LDAP://" & strDomainDN & ">;" strFilter = "(&(objectclass=user)(objectcategory=person)" & _ "(useraccountcontrol:1.2.840.113556.1.4.803:=2));" strAttrs = "name;" strScope = "subtree" set objConn = CreateObject("ADODB.Connection") objConn.Provider = "ADsDSOObject" objConn.Open "Active Directory Provider" set objRS = objConn.Execute(strBase & strFilter & strAttrs & strScope) objRS.MoveFirst while Not objRS.EOF 194 Wscript.Echo objRS.Fields(0).Value objRS.MoveNext wend 6.13.3 Discussion Users in Active Directory can either be enabled or disabled. A disabled user cannot log in to the domain. Unlike account lockout, which is an automatic process that is based on the number of times a user incorrectly enters a password, an account has to be manually enabled or disabled. All disabled user accounts have the bit that represents 2 (0010) set in their userAccountControl attribute. This doesn't mean that the attribute will be equal to 2, it just means that the bit that equals 2 will be enabled—other bits may also be set. See Recipe 4.9 and Recipe 4.12 for a more detailed explanation of bit flags. 6.13.4 See Also Recipe 6.12 for enabling and disabling users Recipe 6.14 Viewing a User's Group Membership 6.14.1 Problem You want to view the group membership of a user. 6.14.2 Solution 6.14.2.1 Using a graphical user interface 1. Open the Active Directory Users and Computers snap-in. 2. In the left pane, right-click on the domain and select Find. 3. Select the appropriate domain beside In. 4. Type the name of the user beside Name and click Find Now. 5. In the Search Results, double-click on the user. 6. Click the Member Of tab. 7. To view all indirect group membership (from nested groups), you'll need to double-click on each group. 6.14.2.2 Using a command-line interface The following command displays the groups <UserDN> is a member of. Use the -expand switch to list nested group membership as well: > dsget user <UserDN> -memberof [-expand] 6.14.2.3 Using VBScript 195 ' This code displays the group membership of a user. ' It avoids infinite loops due to circular group nesting by ' keeping track of the groups that have already been seen. ' SCRIPT CONFIGURATION strUserDN = "<UserDN>" ' e.g. cn=jsmith,cn=Users,dc=rallencorp,dc=com ' END CONFIGURATION set objUser = GetObject("LDAP://" & strUserDN) Wscript.Echo "Group membership for " & objUser.Get("cn") & ":" strSpaces = "" set dicSeenGroup = CreateObject("Scripting.Dictionary") DisplayGroups "LDAP://" & strUserDN, strSpaces, dicSeenGroup Function DisplayGroups ( strObjectADsPath, strSpaces, dicSeenGroup) set objObject = GetObject(strObjectADsPath) WScript.Echo strSpaces & objObject.Name on error resume next ' Doing this to avoid an error when memberOf is empty if IsArray( objObject.Get("memberOf") ) then colGroups = objObject.Get("memberOf") else colGroups = Array( objObject.Get("memberOf") ) end if for each strGroupDN In colGroups if Not dicSeenGroup.Exists(strGroupDN) then dicSeenGroup.Add strGroupDN, 1 DisplayGroups "LDAP://" & strGroupDN, strSpaces & " ", dicSeenGroup end if next End Function 6.14.3 Discussion The memberOf attribute on user objects is multivalued and contains the list of distinguished names for the groups the user is a member. memberOf is actually linked with the member attribute on group objects, which holds the distinguished names of its members. For this reason, you cannot directly modify the memberOf attribute; you must instead modify the member attribute on the group. The primary group of a user, which the user is technically a member of, will not be shown in either the CLI or VBScript solutions. This is due to the fact that the primary group is not stored in the memberOf attribute like the rest of the groups. See Recipe 6.15 and Recipe 7.8 for more on finding the primary group of a user. 6.14.4 See Also Recipe 7.3 for more on viewing the nested members of a group and Recipe 10.16 for more information on linked attributes 196 Recipe 6.15 Changing a User's Primary Group 6.15.1 Problem You want to change the primary group of a user. 6.15.2 Solution 6.15.2.1 Using a graphical user interface 1. Open the Active Directory Users and Computers snap-in. 2. In the left pane, right-click on the domain and select Find. 3. Select the appropriate domain beside In. 4. Type the name of the user beside Name and click Find Now. 5. In the Search Results, double-click on the user. 6. Click the Member Of tab. 7. Click on the name of the group you want to set as the primary group. 8. Click the Set Primary Group button. 9. Click OK. 6.15.2.2 Using VBScript ' This code first checks to see if the user's primary group is already ' set to the specified group. If not it will a) add the user to the group ' if not already a member and b) set the primary group id to the group. ' SCRIPT CONFIGURATION strUserDN = "<UserDN>" ' e.g. cn=rallen,ou=Sales,dc=rallencorp,dc=com strGroupDN = "<GroupDN>" ' e.g. cn=SalesGroup,ou=Sales,dc=rallencorp,dc=com ' END CONFIGURATION Const ADS_PROPERTY_APPEND = 3 set objUser = GetObject("LDAP://" & strUserDN ) WScript.Echo set objGroup = GetObject("LDAP://" & strGroupDN ) objGroup.GetInfoEx Array("primaryGroupToken"), 0 if objGroup.Get("primaryGroupToken") = objUser.Get("primaryGroupID") then WScript.Echo "Primary group for user already set to " & strGroupDN WScript.Quit end if intAddMember = 1 for each strMemberDN in objUser.GetEx("memberOf") if LCase(strMemberDN) = LCase(strGroupDN) then intAddMember = 0 Exit for end if next if intAddMember > 0 then objGroup.PutEx ADS_PROPERTY_APPEND, "member", Array(strUserDN) 197 objGroup.SetInfo WScript.Echo "Added " & strUserDN & " as member of " & strGroupDN end if objUser.Put "primaryGroupID", objGroup.Get("primaryGroupToken") objUser.SetInfo WScript.Echo "Changed primary group id of " & strUserDN & _ " to " & objGroup.Get("primaryGroupToken") 6.15.3 Discussion The primary group is a holdover from Windows NT that was used to support Macintosh and POSIX clients, but it is not used actively in Active Directory. That said, you might have some legacy applications that depend on the primary group, and therefore, you may have to change some users' primary group. Changing the primary group is not difficult, but it is not straightforward either. The primary group is stored on user objects in the primaryGroupID attribute, which contains the RID of the primary group. You can obtain this value by querying the primaryGroupToken attribute on the target group object. Before you can set the primaryGroupID on the user object, you have to first make sure the user is a member of the group. If you try to set the primaryGroupID for a group in which the user is not a member, you will get an error. The default primaryGroupID is set to 513 (Domain Users) for all users. 6.15.4 See Also Recipe 7.8 for determining the group name given a group ID, MS KB 297951 (HOWTO: Use the PrimaryGroupID Attribute to Find the Primary Group for a User), MS KB 321360 (How to Use Native ADSI Components to Find the Primary Group), and MS KB 243330 (Well Known Security Identifiers in Windows 2000) Recipe 6.16 Transferring a User's Group Membership to Another User 6.16.1 Problem You want to transfer the group membership for one user to another. 6.16.2 Solution 6.16.2.1 Using a graphical user interface 1. Open the Active Directory Users and Computers snap-in. 2. In the left pane, right-click on the domain and select Find. 3. Select the appropriate domain beside In. 198 4. Beside Name, type the name of the user you want to transfer groups from and click Find Now. 5. In the Search Results, double-click on the user. 6. Click the Member Of tab. 7. For each group you want to add another user in, do the following: a. Double-click on the group. b. Click the Members tab. c. Click the Add button. d. Find the user you want to add in the object picker and click OK. e. Click OK. 6.16.2.2 Using a command-line interface The following command line will add <NewUserDN> to all of the groups that <CurrentUserDN> is a member of: > for /F "usebackq delims=""" %i in (`dsget user "<CurrentUserDN>" -memberof`) do[RETURN] dsmod group %i -addmbr "<NewUserDN>" If you want to get fancy and remove <CurrentUserDN> from each of the groups in the same operation, simply add an -rmmbr option on the end: > for /F "usebackq delims=""" %i in (`dsget user "<CurrentUserDN>" -memberof`) do[RETURN] dsmod group %i -addmbr "<NewUserDN>" -rmmbr "<CurrentUserDN>" 6.16.2.3 Using VBScript ' This code adds the "new" user to the groups the "current" ' user is a member of ' SCRIPT CONFIGURATION strCurrentUserDN = "<CurrentUserDN>" ' e.g. cn=jsmith,ou=Sales,dc=rallencorp,dc=com strNewUserDN = "<NewUserDN>" ' e.g. cn=rallen,ou=Sales,dc=rallencorp,dc=com" ' SCRIPT CONFIGURATION Const ADS_PROPERTY_APPEND = 3 set objCurrentUser = GetObject("LDAP://" & strCurrentUserDN ) set objNewUser = GetObject("LDAP://" & strNewUserDN ) on error resume next WScript.Echo "Transfering groups from " & strCurrentUserDN & " to " & strNewUserDN for each strGroupDN in objCurrentUser.GetEx("memberOf") set objGroup = GetObject("LDAP://" & strGroupDN) objGroup.PutEx ADS_PROPERTY_APPEND, "member", Array( strNewUserDN ) objGroup.SetInfo if Err then WScript.Echo "Error adding user to group: " & strGroupDN else 199 WScript.Echo "Added user to group: " & strGroupDN end if next 6.16.3 Discussion Employees come and go; people take on new responsibilities and move on to new jobs. It is common to have movement within an organization. When this happens, typically someone is replacing the person that is moving on. The new person needs to get up to speed as quickly as possible, including getting accounts set up and access to any necessary resources. A big part of this includes getting added to the correct groups. You can help facilitate this by using one of the processes outlined in the Solution section to help the user gain access to the exact same groups that the former employee was a member of. One important issue to point out is that the memberOf attribute, which was used in the Solution section to determine a user's group membership, contains only the groups in the same domain as the user. Any groups the user is a member of outside of the user's domain, will not be transferred. To transfer group membership outside of a domain, you will need to perform a query against the global catalog for all group objects that have a member attribute that contains the DN of the user. 6.16.4 See Also Recipe 7.4 for adding and removing members of a group Recipe 6.17 Setting a User's Password 6.17.1 Problem You want to set the password for a user. 6.17.2 Solution 6.17.2.1 Using a graphical user interface 1. Open the Active Directory Users and Computers snap-in. 2. In the left pane, right-click on the domain and select Find. 3. Select the appropriate domain beside In. 4. Type the name of the user beside Name and click Find Now. 5. In the Search Results, right-click on the user and select Reset Password. 6. Enter and confirm the new password. 7. Click OK. 6.17.2.2 Using a command-line interface This command changes the password for the user specified by <UserDN>. Using * after the -pwd option prompts you for the new password. You can replace * with the password you want to set, 200 but it is not a good security practice since other users that are logged into the machine may be able to see it. > dsmod user <UserDN> -pwd * 6.17.2.3 Using VBScript ' This code sets the password for a user. ' SCRIPT CONFIGURATION strUserDN = "<UserDN>" ' e.g. cn=jsmith,cn=Users,dc=rallencorp,dc=com strNewPasswd = "NewPasword" ' END CONFIGURATION set objUser = GetObject("LDAP://" & strUserDN) objUser.SetPassword(strNewPasswd) Wscript.Echo "Password set for " & objUser.Get("cn") 6.17.3 Discussion The password for a user is stored in the unicodePwd attribute. You cannot directly modify that attribute, but have to use one of the supported APIs. See Recipe 6.18 to see how to set the password using native LDAP and Recipe 6.19 for changing the password via Kerberos. With the VBScript solution, you can use the IADsUser::SetPassword method or IADsUser::ChangePassword. The latter requires the existing password to be known before setting it. This is the method you'd want to use if you've created a web page that accepts the previous password before allowing a user to change it. 6.17.4 See Also Recipe 6.18 for setting the password via LDAP, Recipe 6.19 for setting the password via Kerberos, MS KB 225511 (New Password Change and Conflict Resolution Functionality in Windows), MS KB 264480 (Description of Password-Change Protocols in Windows 2000), MSDN: IADsUser::SetPassword, and MSDN: IADsUser::ChangePassword Recipe 6.18 Setting a User's Password via LDAP 6.18.1 Problem You want to set the password for a user using LDAP. 6.18.2 Solution You have to first enable SSL/TLS support in your Active Directory domain. See Recipe 14.1 for more on this. You can then set the unicodePwd attribute of a user object using LDAP operations over an SSL or TLS connection. . 221930 (Domain Security Policy in Windows 2000), MS KB 255550 (Configuring Account Policies in Active Directory) , MSDN: IADsLargeInteger, and MSDN: DOMAIN_PASSWORD_INFORMATION Recipe 6.12 Enabling. 6.15 and Recipe 7.8 for more on finding the primary group of a user. 6.14.4 See Also Recipe 7.3 for more on viewing the nested members of a group and Recipe 10.16 for more information on linked. Discussion The primary group is a holdover from Windows NT that was used to support Macintosh and POSIX clients, but it is not used actively in Active Directory. That said, you might have some legacy