Active Directory Cookbook for Windows Server 2003 - P22
6.29.2 Solution

6.29.2.1 Using a graphical user interface

1. Open the Active Directory Users and Computers snap-in.
2. In the left pane, right-click on the domain and select Find.
3. Select the appropriate domain beside In.
4. Beside Name, type the name of the user and click Find Now.
5. In the Search Results, double-click on the user.
6. Click the Profile tab.
7. Modify the various profile settings as necessary.
8. Click OK.

6.29.2.2 Using a command-line interface

    > dsmod user "<UserDN>" -loscr <ScriptPath> -profile <ProfilePath> -hmdir <HomeDir> -hmdrv <DriveLetter>

6.29.2.3 Using VBScript

    ' This code sets the various profile-related attributes for a user.
    strUserDN = "<UserDN>" ' e.g. cn=jsmith,cn=Users,dc=rallencorp,dc=com

    set objUser = GetObject("LDAP://" & strUserDN)
    objUser.Put "homeDirectory", "\\fileserver\" & objUser.Get("sAMAccountName")
    objUser.Put "homeDrive", "z:"
    objUser.Put "profilePath", "\\fileserver\" & _
                               objUser.Get("sAMAccountName") & "\profile"
    objUser.Put "scriptPath", "login.vbs"
    objUser.SetInfo
    Wscript.Echo "Profile info for " & objUser.Get("sAMAccountName") & " updated"

6.29.3 Discussion

The four attributes that make up a user's profile settings include the following:

    homeDirectory    UNC path to home directory
    homeDrive        Drive letter (e.g., z:) to map home directory
    profilePath      UNC path to profile directory
    scriptPath       Path to logon script

When you set the homeDirectory attribute, the folder being referenced needs to already exist. For an example on creating shares for users, see MS KB 234746.

6.29.4 See Also

MS KB 234746 (How to Create User Shares for All Users in a Domain with ADSI), MS KB 271657 (Scripted Home Directory Paths Require That Folders Exist), and MS KB 320043 (HOW TO: Assign a Home Directory to a User)

Recipe 6.30 Viewing a User's Managed Objects

6.30.1 Problem

You want to view the objects owned by a user.

6.30.2 Solution

6.30.2.1 Using a graphical user interface

1. Open ADSI Edit.
2.
If an entry for the naming context you want to browse is not already displayed, do the following:
3. Right-click on ADSI Edit in the right pane and click Connect to.
4. Fill in the information for the naming context, container, or OU you want to add an object to. Click on the Advanced button if you need to enter alternate credentials.
5. In the left pane, browse to the naming context, container, or OU that contains the object you want to view. Once you've found the object, right-click on it and select Properties.
6. View the managedObjects attribute.

6.30.2.2 Using a command-line interface

    > enumprop /ATTR:managedObjects "LDAP://<UserDN>"

6.30.2.3 Using VBScript

    ' This code displays the managed objects for a user.
    ' SCRIPT CONFIGURATION
    strUserDN = "<UserDN>" ' e.g. cn=jsmith,cn=Users,dc=rallencorp,dc=com
    ' END CONFIGURATION

    on error resume next
    set objUser = GetObject("LDAP://" & strUserDN)
    Wscript.Echo objUser.Get("cn") & "'s Managed Objects:"
    colObjects = objUser.GetEx("managedObjects")
    ' -2147463155 (0x8000500D) is E_ADS_PROPERTY_NOT_FOUND: the attribute has no values
    if Err.Number = -2147463155 then
       Wscript.Echo "   none"
    else
       for each strObjectDN in colObjects
          Wscript.Echo "   " & strObjectDN
       next
    end if

6.30.3 Discussion

The managedObjects attribute is linked to the managedBy attribute that can be set on certain objects in Active Directory like computers and groups. Setting the managedBy attribute provides a quick and dirty way to define who owns an object. If you do use it, you can use the managedObjects attribute on user objects to get the list of objects the user has been configured in the managedBy attribute for.

Recipe 6.31 Modifying the Default Display Name Used When Creating Users in ADUC

6.31.1 Problem

You want to modify how the default display name gets generated when you create a new user through the Active Directory Users and Computers snap-in.

6.31.2 Solution

6.31.2.1 Using a graphical user interface

1. Open ADSI Edit.
2.
In the Configuration Naming Context, browse to DisplaySpecifiers and then to <Locale>, where <Locale> is the locale for your language (e.g., the US English locale is 409).
3. Double-click on cn=user-Display.
4. Edit the createDialog attribute with the value you want the new default to be (e.g., %<sn>, %<givenName>).
5. Click OK.

6.31.2.2 Using VBScript

    ' This code modifies the default ADUC display name.
    ' SCRIPT CONFIGURATION
    strNewDefault = "%<sn>, %<givenName>"
    strForestName = "<ForestDNSName>" ' e.g. rallencorp.com
    ' END CONFIGURATION

    Set objRootDSE = GetObject("LDAP://" & strForestName & "/RootDSE")
    ' cn=409 is the US English locale; use the locale container for your language
    Set objDispSpec = GetObject("LDAP://cn=User-Display,cn=409," & _
                                "cn=DisplaySpecifiers," & _
                                objRootDSE.Get("ConfigurationNamingContext"))
    objDispSpec.Put "createDialog", strNewDefault
    objDispSpec.SetInfo
    WScript.Echo "New default for user's display name has been set to: " & _
                 strNewDefault

6.31.3 Discussion

When you create a new user object in the Active Directory Users and Computers snap-in, it will automatically fill in the Full Name field as you type in the First Name, Initials, and Last Name fields. As a convenience, you may want to alter that behavior so that it automatically fills in a different value. To do that, you need to modify the User-Display display specifier, which has the following distinguished name:

    cn=user-Display,cn=<Locale>,cn=DisplaySpecifiers,cn=Configuration,<ForestRootDN>

<Locale> should be replaced with your language-specific locale and <ForestRootDN> should contain the distinguished name for your forest root domain. You need to modify the createDialog attribute, which by default has no value. Replacement variables are presented by %<attribute>, where attribute is an attribute name.
For example, if you wanted to make the default be "LastName, FirstName" you would use the following value:

    %<sn>, %<givenName>

6.31.4 See Also

MS KB 250455 (XADM: How to Change Display Names of Active Directory Users)

Recipe 6.32 Creating a UPN Suffix for a Forest

6.32.1 Problem

You want users to have a different User Principal Name (UPN) suffix from the default provided by your forest.

6.32.2 Solution

6.32.2.1 Using a graphical user interface

1. Open the Active Directory Domains and Trusts snap-in.
2. In the left pane, right-click Active Directory Domains and Trusts and select Properties.
3. Under Alternate UPN suffixes, type the name of the suffix you want to add.
4. Click Add and OK.

6.32.2.2 Using VBScript

    ' This code adds a new UPN suffix.
    ' SCRIPT CONFIGURATION
    strNewSuffix = "<NewSuffix>"   ' e.g. othercorp.com
    strDomain = "<DomainDNSName>"  ' e.g. rallencorp.com
    ' END CONFIGURATION

    ' ADS_PROPERTY_OPERATION_ENUM value that makes PutEx append to a multivalued attribute
    Const ADS_PROPERTY_APPEND = 3

    set objRootDSE = GetObject("LDAP://" & strDomain & "/RootDSE")
    set objPartitions = GetObject("LDAP://cn=Partitions," & _
                                  objRootDSE.Get("ConfigurationNamingContext"))
    objPartitions.PutEx ADS_PROPERTY_APPEND, "uPNSuffixes", Array(strNewSuffix)
    objPartitions.SetInfo

6.32.3 Discussion

The UPN allows users to log on with a friendly name that may even correspond to their email address. UPN logons also do not require the domain to be known, so it can be abstracted away from the user. You may need to create an additional UPN suffix (e.g., @rallencorp.com) if you want UPNs to map to email addresses, but your AD forest is rooted at a different domain name (e.g., ad.rallencorp.com) than the domain name used in email addresses (e.g., rallencorp.com).

6.32.3.1 Using VBScript

UPN suffixes are stored in the multivalued uPNSuffixes attribute on the Partitions container in the configuration naming context. The default forest UPN suffix is assumed and not stored in that attribute.
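The two rules just stated (the forest root DNS name is the implicit default suffix and never appears in uPNSuffixes; uPNSuffixes is multivalued and is appended to) are easy to get wrong in scripts that set userPrincipalName directly. The following Python is an added example, not the cookbook's code: it models those rules offline so they can be checked against an LDAP export without touching a domain. The forest name ad.rallencorp.com, the suffix list and the user records are constructed for the example.

```python
"""Forest UPN suffix handling, modelled offline.

Added example (not the cookbook's code). It encodes what the recipe states:
the forest root DNS name is the implicit default suffix and is not stored in
uPNSuffixes, and uPNSuffixes is a multivalued attribute that the VBScript
appends to. The forest name, suffix list and user records are constructed.
"""

FOREST_ROOT_DNS = "ad.rallencorp.com"       # constructed forest root domain
UPN_SUFFIXES = ["rallencorp.com"]           # constructed uPNSuffixes contents

# Constructed (DN, userPrincipalName) pairs, as an LDAP export might list them.
SAMPLE_USERS = [
    ("cn=jsmith,cn=Users,dc=ad,dc=rallencorp,dc=com", "jsmith@rallencorp.com"),
    ("cn=bjones,cn=Users,dc=ad,dc=rallencorp,dc=com", "bjones@AD.rallencorp.com"),
    ("cn=svc-backup,cn=Users,dc=ad,dc=rallencorp,dc=com", "svc-backup@othercorp.com"),
    ("cn=legacy,cn=Users,dc=ad,dc=rallencorp,dc=com", "legacy"),
]


def allowed_upn_suffixes(forest_root_dns, upn_suffixes):
    """All suffixes a UPN in this forest may use, lower-cased because DNS
    names compare case-insensitively. The forest root is always included
    even though it never appears in uPNSuffixes."""
    return {forest_root_dns.lower(), *(s.lower() for s in upn_suffixes)}


def add_upn_suffix(upn_suffixes, new_suffix):
    """Return a new suffix list with new_suffix appended, the way
    PutEx ADS_PROPERTY_APPEND extends the multivalued attribute, but
    skipping blanks, a leading '@' and case-insensitive duplicates.
    The input list is not modified."""
    cleaned = new_suffix.strip().lstrip("@")
    if not cleaned:
        raise ValueError("UPN suffix must not be empty")
    existing = {s.lower() for s in upn_suffixes}
    if cleaned.lower() in existing:
        return list(upn_suffixes)
    return [*upn_suffixes, cleaned]


def audit_upns(users, forest_root_dns, upn_suffixes):
    """Return (DN, problem) for every user whose UPN is malformed or uses a
    suffix the forest does not register. Review these before relying on UPN
    logons or on the UPN matching the email address."""
    allowed = allowed_upn_suffixes(forest_root_dns, upn_suffixes)
    findings = []
    for dn, upn in users:
        if upn.count("@") != 1:
            findings.append((dn, "UPN is not of the form user@suffix"))
            continue
        suffix = upn.rsplit("@", 1)[1].lower()
        if suffix not in allowed:
            findings.append((dn, f"suffix '{suffix}' is not registered for the forest"))
    return findings


if __name__ == "__main__":
    for dn, problem in audit_upns(SAMPLE_USERS, FOREST_ROOT_DNS, UPN_SUFFIXES):
        print(f"{dn}: {problem}")
```

Run stand-alone it reports svc-backup (unregistered suffix) and legacy (no suffix at all); jsmith and bjones pass because rallencorp.com is registered and AD.rallencorp.com is the forest root compared case-insensitively.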
6.32.4 See Also

MS KB 243280 (Users Can Log On Using User Name or User Principal Name), MS KB 243629 (HOW TO: Add UPN Suffixes to a Forest), and MS KB 269441 (HOWTO: Use ADSI to List the UPN Suffixes That Are Defined in Active Directory)

Chapter 7. Groups

Introduction
Recipe 7.1. Creating a Group
Recipe 7.2. Viewing the Direct Members of a Group
Recipe 7.3. Viewing the Nested Members of a Group
Recipe 7.4. Adding and Removing Members of a Group
Recipe 7.5. Moving a Group
Recipe 7.6. Changing the Scope or Type of a Group
Recipe 7.7. Delegating Control for Managing Membership of a Group
Recipe 7.8. Resolving a Primary Group ID
Recipe 7.9. Enabling Universal Group Membership Caching

Introduction

A group is a simple concept that has been used in many different types of systems over the years. In generic terms, a group is just a collection of things. Groups are used most frequently in a security context whereby you set up a group of users and apply certain permissions or rights to that group. Using a group is much easier when applying security than using individual users because you have to apply the security only once instead of once per user.

In Active Directory, groups are flexible objects that can contain virtually any other type of object as a member. Active Directory groups can be used for many different purposes, including controlling access to resources, defining a filter for the application of group policies, and serving as an email distribution list.

The scope and type of a group defines how the group can be used in a forest. The type of a group can be either security or distribution. Security groups can be used to restrict access to resources, whereas distribution groups can be used only as a simple grouping mechanism. Both group types can be used as email lists. The scope of a group determines where members of the group can be located in the forest and where in the forest you can use the group in ACLs.
The supported group scopes include universal, global, and domain local. Universal groups and domain local groups can have members that are part of any domain in the forest. Global groups can only have members that are part of the same domain the group is in.

The Anatomy of a Group

Groups are represented in Active Directory by group objects. Table 7-1 contains a list of some of the noteworthy attributes that are available on group objects.

Table 7-1. Attributes of group objects

    Attribute           Description
    cn                  Relative distinguished name of group objects.
    createTimestamp     Timestamp of when the group was created.
    description         Textual description of the group.
    groupType           Flag containing the group scope and type. See Recipe 7.6 for more information.
    info                Additional notes about a group.
    primaryGroupToken   Local RID for the group. This matches the primaryGroupID attribute that is set on user objects.
    managedBy           DN of a user or group that is the owner of the group.
    managedObjects      List of DNs of objects this group is listed in the managedBy attribute for.
    member              List of DNs of members of the group.
    memberOf            List of DNs of the groups this group is a member of.
    modifyTimestamp     Timestamp of when the group was last modified.
    sAMAccountName      Down-level account name for the group. Typically this is the same as the cn attribute.
    wWWHomePage         URL of the home page for the group.

Recipe 7.1 Creating a Group

7.1.1 Problem

You want to create a group.

7.1.2 Solution

7.1.2.1 Using a graphical user interface

1. Open the Active Directory Users and Computers (ADUC) snap-in.
2. If you need to change domains, right-click on Active Directory Users and Computers in the left pane, select Connect to Domain, enter the domain name, and click OK.
3. In the left pane, browse to the parent container of the new group, right-click on it, and select New Group.
4. Enter the name of the group and select the group scope (global, domain local, or universal) and group type (security or distribution).
5. Click OK.
7.1.2.2 Using a command-line interface

In the following example, <GroupDN> should be replaced with the DN of the group to create, <GroupScope> should be l, g, or u for domain local, global, and universal groups, respectively, and -secgrp should be set to yes if the group is a security group or no otherwise. Another recommended option is to set -desc for specifying a group description.

    > dsadd group "<GroupDN>" -scope <GroupScope> -secgrp yes|no -desc "<GroupDesc>"

7.1.2.3 Using VBScript

    ' The following code creates a global security group.
    ' SCRIPT CONFIGURATION
    strGroupParentDN = "<GroupParentDN>" ' e.g. ou=Groups,dc=rallencorp,dc=com
    strGroupName = "<GroupName>"         ' e.g. ExecAdminsSales
    strGroupDescr = "<GroupDesc>"        ' e.g. Executive Admins for Sales group
    ' END CONFIGURATION

    ' Constants taken from ADS_GROUP_TYPE_ENUM (domain local and local share the value 4)
    Const ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP = 4
    Const ADS_GROUP_TYPE_GLOBAL_GROUP = 2
    Const ADS_GROUP_TYPE_LOCAL_GROUP = 4
    Const ADS_GROUP_TYPE_SECURITY_ENABLED = -2147483648
    Const ADS_GROUP_TYPE_UNIVERSAL_GROUP = 8

    ' Create the group under its parent container, then set scope/type and
    ' description on the new group object before writing it to the directory
    set objOU = GetObject("LDAP://" & strGroupParentDN)
    set objGroup = objOU.Create("group", "cn=" & strGroupName)
    objGroup.Put "groupType", ADS_GROUP_TYPE_GLOBAL_GROUP _
                              Or ADS_GROUP_TYPE_SECURITY_ENABLED
    objGroup.Put "description", strGroupDescr
    objGroup.SetInfo

7.1.3 Discussion

In each solution, a group was created with no members. For more information on how to add and remove members, see Recipe 7.4.

The groupType attribute contains a flag indicating both group scope and type. The available flag values are defined in the ADS_GROUP_TYPE_ENUM enumeration. Recipe 7.6 contains more information on setting the group scopes and types.
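Because groupType packs scope and type into one signed 32-bit flag, a security-enabled group comes back from LDAP as a negative number and is easy to misread in an export. The Python below is an added example, not the cookbook's code: it decodes and encodes the flag using the ADS_GROUP_TYPE_ENUM values listed in the VBScript above, and separates the security-enabled groups (the ones that can carry permissions) from distribution groups. The 0x1 builtin bit and the sample group values are additions constructed for the example.

```python
"""Decode and build Active Directory groupType values.

Added example, not the cookbook's code. The bit values are the
ADS_GROUP_TYPE_ENUM constants the recipe lists (GLOBAL 2, domain local 4,
UNIVERSAL 8, SECURITY_ENABLED 0x80000000); the 0x1 builtin bit and the
sample group data are added here, the latter constructed for the example.
"""

ADS_GROUP_TYPE_GLOBAL_GROUP = 0x00000002
ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP = 0x00000004   # same value as ADS_GROUP_TYPE_LOCAL_GROUP
ADS_GROUP_TYPE_UNIVERSAL_GROUP = 0x00000008
ADS_GROUP_TYPE_SECURITY_ENABLED = 0x80000000
GROUP_TYPE_BUILTIN_LOCAL_GROUP = 0x00000001       # set only on system-created Builtin groups

_SCOPE_NAMES = {
    ADS_GROUP_TYPE_GLOBAL_GROUP: "global",
    ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP: "domain local",
    ADS_GROUP_TYPE_UNIVERSAL_GROUP: "universal",
}
_SCOPE_MASK = sum(_SCOPE_NAMES)   # 0xE: the three scope bits


def decode_group_type(group_type):
    """Split a groupType value into scope, type and builtin flag.

    AD stores groupType as a signed 32-bit integer, so LDAP hands a
    security-enabled group back as a negative number (a global security
    group reads -2147483646); masking to 32 bits accepts either form."""
    flags = group_type & 0xFFFFFFFF
    scope_bits = flags & _SCOPE_MASK
    if scope_bits not in _SCOPE_NAMES:
        raise ValueError(f"groupType {group_type} does not carry exactly one scope bit")
    return {
        "scope": _SCOPE_NAMES[scope_bits],
        "type": "security" if flags & ADS_GROUP_TYPE_SECURITY_ENABLED else "distribution",
        "builtin": bool(flags & GROUP_TYPE_BUILTIN_LOCAL_GROUP),
    }


def encode_group_type(scope, security):
    """Build the value to write into groupType, in the signed form AD expects.
    encode_group_type("global", True) is what the recipe's VBScript expression
    ADS_GROUP_TYPE_GLOBAL_GROUP Or ADS_GROUP_TYPE_SECURITY_ENABLED evaluates to."""
    scope_bit = {name: bit for bit, name in _SCOPE_NAMES.items()}[scope]
    flags = scope_bit | (ADS_GROUP_TYPE_SECURITY_ENABLED if security else 0)
    return flags - 0x100000000 if flags & 0x80000000 else flags


# Constructed sample of groupType values as an LDAP export would show them.
SAMPLE_GROUPS = {
    "cn=ExecAdminsSales,ou=Groups,dc=rallencorp,dc=com": -2147483646,   # global, security
    "cn=AllStaff,ou=Groups,dc=rallencorp,dc=com": 8,                    # universal, distribution
    "cn=FileServerAdmins,ou=Groups,dc=rallencorp,dc=com": -2147483644,  # domain local, security
    "cn=Administrators,cn=Builtin,dc=rallencorp,dc=com": -2147483643,   # builtin domain local, security
}


def security_groups(groups):
    """DNs of the groups that can appear in ACLs, i.e. the security-enabled ones.
    Distribution groups are left out because they carry no permissions."""
    return [dn for dn, value in groups.items() if decode_group_type(value)["type"] == "security"]


if __name__ == "__main__":
    for dn, value in SAMPLE_GROUPS.items():
        print(dn, decode_group_type(value))
    print("security groups:", security_groups(SAMPLE_GROUPS))
```

When reviewing group rights, run the exported groupType values through decode_group_type first: the sign of the raw number is the only visible hint that a group is security-enabled, and a universal security group (-2147483640) looks nothing like a universal distribution group (8) even though they differ by a single bit.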
7.1.4 See Also

Recipe 7.4 for adding and removing group members, Recipe 7.6 for setting group scope and type, MS KB 231273 (Group Type and Scope Usage in Windows), MS KB 232241 (Group Management with ADSI in Windows 2000), MS KB 320054 (HOW TO: Manage Groups in Active Directory in Windows 2000), and MSDN: ADS_GROUP_TYPE_ENUM

Recipe 7.2 Viewing the Direct Members of a Group

7.2.1 Problem

You want to view the direct members of a group.

7.2.2 Solution

7.2.2.1 Using a graphical user interface

1. Open the Active Directory Users and Computers snap-in.
2. If you need to change domains, right-click on Active Directory Users and Computers in the left pane, select Connect to Domain, enter the domain name, and click OK.
3. In the left pane, right-click on the domain and select Find.
4. Enter the name of the group and click Find Now.
5. Double-click on the group in the bottom results pane.
6. Click the Members tab.

7.2.2.2 Using a command-line interface

    > dsget group "<GroupDN>" -members

7.2.2.3 Using VBScript

    ' This code prints the direct members of the specified group.
    ' SCRIPT CONFIGURATION
    strGroupDN = "<GroupDN>" ' e.g. cn=SalesGroup,ou=Groups,dc=rallencorp,dc=com
    ' END CONFIGURATION

    set objGroup = GetObject("LDAP://" & strGroupDN)
    Wscript.Echo "Members of " & objGroup.Name & ":"
    for each objMember in objGroup.Members
       Wscript.Echo objMember.Name
    next

7.2.3 Discussion

The member attribute of a group object contains the distinguished names of the direct members of the group. By direct members, I mean the members that have been directly added to the group. This is in contrast to indirect group members, which are members of the group due to nested group membership. See Recipe 7.3 for how to find the nested membership of a group.

7.2.4 See Also

Recipe 7.3 for viewing nested group membership

Recipe 7.3 Viewing the Nested Members of a Group

7.3.1 Problem

You want to view the nested members of a group.

7.3.2 Solution

7.3.2.1 Using a graphical user interface

1.
Open the Active Directory Users and Computers snap-in.
2. If you need to change domains, right-click on Active Directory Users and Computers in the left pane, select Connect to Domain, enter the domain name, and click OK.
3. In the left pane, right-click on the domain and select Find.
4. Enter the name of the group and click Find Now.
5. Double-click on the group in the bottom results pane.
6. Click the Members tab.
7. You now have to double-click on each group member to view its membership.

7.3.2.2 Using a command-line interface

    > dsget group "<GroupDN>" -members -expand

7.3.2.3 Using VBScript

    ' This code prints the nested membership of a group.
    ' SCRIPT CONFIGURATION
    strGroupDN = "<GroupDN>" ' e.g. cn=SalesGroup,ou=Groups,dc=rallencorp,dc=com
    ' END CONFIGURATION

    strSpaces = "  "
    set dicSeenGroupMember = CreateObject("Scripting.Dictionary")
    Wscript.Echo "Members of " & strGroupDN & ":"
    DisplayMembers "LDAP://" & strGroupDN, strSpaces, dicSeenGroupMember

    ' Recursively prints the members of a group, indenting one level per nesting.
    ' The dictionary records groups already visited so that a group which is
    ' (directly or indirectly) a member of itself does not recurse forever.
    Function DisplayMembers ( strGroupADsPath, strSpaces, dicSeenGroupMember)
       set objGroup = GetObject(strGroupADsPath)
       for each objMember In objGroup.Members
          Wscript.Echo strSpaces & objMember.Name
          if objMember.Class = "group" then
             if dicSeenGroupMember.Exists(objMember.ADsPath) then
                Wscript.Echo strSpaces & "   ^ already seen group member " & _
                             "(stopping to avoid loop)"
             else
                dicSeenGroupMember.Add objMember.ADsPath, 1
                DisplayMembers objMember.ADsPath, strSpaces & "  ", _
                               dicSeenGroupMember
             end if
          end if
       next
    End Function
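The direct-versus-nested distinction from Recipes 7.2 and 7.3, and the loop guard the VBScript above relies on, are shown below in Python as an added example that is not the cookbook's code. It walks the member attribute of a constructed in-memory directory (a dict keyed by DN, standing in for an LDAP export) rather than a live domain, remembers which groups it has already expanded so a membership cycle terminates, and reports the users who end up inheriting whatever the group grants. The group and user DNs are constructed for the example.

```python
"""Direct versus nested group membership, resolved from an offline snapshot.

Added example, not the cookbook's code. It applies the recipe's approach
(recurse through member, remember groups already visited so a membership
loop stops) to a constructed in-memory directory keyed by DN, so it runs
without a domain; the same functions could be fed from an LDAP export.
"""

SALES = "cn=Sales,ou=Groups,dc=rallencorp,dc=com"
SALES_MANAGERS = "cn=SalesManagers,ou=Groups,dc=rallencorp,dc=com"
JSMITH = "cn=jsmith,cn=Users,dc=rallencorp,dc=com"
BJONES = "cn=bjones,cn=Users,dc=rallencorp,dc=com"

# Constructed snapshot: objectClass plus the DNs from each group's member attribute.
# SalesManagers lists Sales as a member, which makes Sales a member of itself.
DIRECTORY = {
    SALES:          {"class": "group", "member": [JSMITH, SALES_MANAGERS]},
    SALES_MANAGERS: {"class": "group", "member": [BJONES, SALES]},
    JSMITH:         {"class": "user",  "member": []},
    BJONES:         {"class": "user",  "member": []},
}


def direct_members(directory, group_dn):
    """Recipe 7.2: exactly the DNs stored in the group's member attribute."""
    return list(directory[group_dn]["member"])


def nested_members(directory, group_dn):
    """Recipe 7.3: every DN reachable through nested groups.

    Returns (found, loops): found maps each member DN to the depth at which
    it was first seen (1 = direct member); loops lists the (parent, child)
    group edges that pointed back at a group already visited. A group is
    expanded at most once, which is what keeps a loop from recursing forever."""
    seen_groups = {group_dn}
    found = {}
    loops = []

    def walk(dn, depth):
        for member_dn in directory[dn]["member"]:
            found.setdefault(member_dn, depth)
            if directory[member_dn]["class"] != "group":
                continue
            if member_dn in seen_groups:
                loops.append((dn, member_dn))
            else:
                seen_groups.add(member_dn)
                walk(member_dn, depth + 1)

    walk(group_dn, 1)
    return found, loops


def effective_users(directory, group_dn):
    """Sorted DNs of the users who inherit whatever the group grants, direct or nested."""
    found, _ = nested_members(directory, group_dn)
    return sorted(dn for dn in found if directory[dn]["class"] == "user")


if __name__ == "__main__":
    found, loops = nested_members(DIRECTORY, SALES)
    print(f"Members of {SALES}:")
    for dn, depth in found.items():
        print("  " * depth + dn)
    for parent, child in loops:
        print(f"loop: {parent} -> {child} (already seen, not expanded again)")
    print("effective users:", effective_users(DIRECTORY, SALES))
```

The VBScript prints the tree and notes the loop as it goes; the Python version keeps the same visited set but returns the results, so effective_users can be compared against an ACL or an expected list. Note that bjones never appears in direct_members(DIRECTORY, SALES) yet is an effective member, which is exactly the gap Recipe 7.3 exists to close.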

Posted: 05/07/2014, 08:20