
Guy's Scripting Ezine 101 - Binding to Active Directory and Creating OUs


This Week's Secret

This is week five of my series of ten newsletters.  Together they combine to give you an 'Introduction to VBScript'.  As I write my ezine, I keep in mind a picture of my readers.  My twist this week is that I believe most people read the ezine for a period of 10 to 20 weeks, by which time they have either mastered VBScript or given up.  So this is one reason why I concentrate on the basics of VBScript.

This Week's Mission

Overall Mission

Our overall mission is to control Active Directory objects such as Users, Computers and OUs (Organizational Units) with VBScript.  This week's skirmish is to understand how VBScript extracts LDAP names from Active Directory, a process known as binding.  It's appropriate that we use the container object OU as the vehicle for this week's script, because the OU can hold future test objects.

My reason for selecting the OU for this week's script is twofold.

1) Use Short Names for OUs
When people name their OUs, they give little thought to scripting.  Consequently they end up with OU names which make life difficult for script writers: either the names are too long, have spaces, or contain non-alphanumeric characters.  Let me be clear, as far as Windows is concerned you can have 255 characters, including all manner of characters and spaces.  It's only Guy the script writer who objects to more than 12 words (no spaces).  My point is that learning scripting syntax is hard enough without introducing errors caused by spelling mistakes in the object's name.

2) Favour Short Trees
I would want a good reason to have more than two levels of OUs.  Aside from introducing spelling errors, deep nesting causes sequencing problems when scripting OUs.  The rule is OU=Child,OU=Parent.  This may sound counter-intuitive, until you remember that the full path to an object would be:

cn=name,OU=Child,OU=Parent,DC=domain,DC=org

Once you realise how LDAP constructs names, then the order for scripting Child / Parent OUs becomes obvious.

So if you ignore my advice and have a three tier structure such as:

Headquarters #1 /Child Section 4 /Grand Child Out.Reach

Then the LDAP name is OU=Headquarters #1,OU=Child Section 4, OU=Grand Child Out Reach.  Whoops, I made a mistake: there is a missing full stop, it should be OU=Headquarters #1,OU=Child Section 4, OU=Grand Child Out.Reach.  Pedantic, yes; pathetic, possibly; difficult to detect the typo - certainly.  My point is: if you are going to script, choose short punchy names with no spaces or punctuation.
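As an added example (Python, not code from the ezine), the functions below build the LDAP name from a top-down OU path, reversing it into the OU=Child,OU=Parent order stated in the rule above and escaping the characters that RFC 4514 requires (commas, a leading #, spaces at either end) so that names like the three-tier example are not typed by hand. The domain dc=cp,dc=mosel is the one used later on this page; is_script_friendly is a hypothetical helper that applies the short-name advice.

```python
# Added example: build a DN from a Parent/Child/GrandChild OU path and
# escape RDN values per RFC 4514 section 2.4 (not part of the ezine).

# Characters that must be backslash-escaped anywhere inside an RDN value.
_SPECIAL = set(',+"\\<>;')


def escape_rdn_value(value: str) -> str:
    """Escape one RDN value (for example an OU name) per RFC 4514."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:          # '#' needs escaping only when leading
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")               # leading or trailing space
        elif ch == "\x00":
            out.append("\\00")              # NUL is written as a hex pair
        else:
            out.append(ch)
    return "".join(out)


def ou_path_to_dn(path: str, domain_dn: str) -> str:
    """Turn 'Parent/Child/GrandChild' into 'OU=GrandChild,OU=Child,OU=Parent,<domain_dn>'.

    The path is written top-down as you see it in Active Directory Users and
    Computers; LDAP wants the most specific OU first, so the order is reversed.
    """
    parts = [p.strip() for p in path.split("/") if p.strip()]
    if not parts:
        raise ValueError("empty OU path")
    rdns = ["OU=" + escape_rdn_value(p) for p in reversed(parts)]
    return ",".join(rdns + [domain_dn])


def is_script_friendly(name: str) -> bool:
    """Hypothetical check for the 'no spaces or punctuation' naming advice."""
    return bool(name) and name.isascii() and name.isalnum()


if __name__ == "__main__":
    # Constructed input: the three-tier structure from the ezine.
    tree = "Headquarters #1/Child Section 4/Grand Child Out.Reach"
    print(ou_path_to_dn(tree, "dc=cp,dc=mosel"))
```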

Admission: I have dealt with both LDAP binding and creating OUs before.  However, newcomers may have missed that ezine, and my old faithful readers may appreciate a refresher before next week, when we deal with user objects.


Binding to Active Directory

It is vital to be able to connect to your domain name.  There are two ways of binding to Active Directory: the smart way and the staid, old-fashioned way.  I love the smart way, because one script works on any domain.  I dislike the old-fashioned way because it means you have to hard-code the domain name in the script; as a result I predict that 7 out of 10 of my readers will ignore the instruction to substitute their own domain for the name that I use in the script.

Guy's Favoured Way to Bind to ANY Active Directory


' Section to bind to ANY Active Directory.
Set objRoot = GetObject("LDAP://rootDSE")
objDomain = objRoot.Get("defaultNamingContext")
Set objDomain = GetObject("LDAP://" & objDomain)

Note 1: Observe how we build the objDomain in stages.  First we GetObject, then we use the .Get method to retrieve the defaultNamingContext.  (Only later will we use the .Create method)

Example Script: To Create a Top Level OU

Instructions for Binding with Active Directory and Creating an OU

This script is designed for Windows Active Directory.  You really need to run this script on a domain controller rather than an XP workstation.

  1. Copy and paste the example script below into notepad or use a VBScript editor.

  2. One advantage of a good script editor such as OnScript is that you can see the line numbers, which helps when you have to troubleshoot error messages.

  3. Save the file with a .vbs extension, for example: TopOU.vbs 

  4. Double click TopOU.vbs, and check Active Directory Users and Computers for your new OU.


' TopOU.vbs
' VBscript to create an OU (Organizational Unit)
' Note two steps to set domain
' Author Guy Thomas http://computerperformance.co.uk/
' Version 1.5 - February 2006
' ----------------------------------------------------------'
Option Explicit
Dim objRoot, objDomain, objOU
Dim strContainer

strContainer ="OU=Accounts"

' Section to bind to ANY Active Directory.
Set objRoot = GetObject("LDAP://rootDSE")
objDomain = objRoot.Get("defaultNamingContext")
Set objDomain = GetObject("LDAP://" & objDomain)

' Section to create the OU defined by strContainer
' Also note the use of: .SetInfo

'On Error Resume next
Set objOU = objDomain.Create("organizationalUnit", strContainer)
objOU.SetInfo

WScript.Echo "New Top Level OU created = " & strContainer
WScript.quit


Learning Points - Alternative Methods to Bind to Active Directory

Binding Variation 1) Maximum Efficiency


Set objRoot = GetObject("LDAP://rootDSE")
Set objDomain = GetObject("LDAP://" & objRoot.Get("defaultNamingContext"))

I call Variation 1 the Maximum Efficiency method because it has only two lines and fewer instructions to achieve the binding.  This method is even better than my method, however I stick with my trusted 3-line method because I find it easier to understand and troubleshoot.  Hidden agenda, there are always at least 3 ways of scripting anything.

Binding Variation 2) Dinosaur Method


Set objDomain = GetObject("LDAP://dc=cp,dc=mosel")

I call Variation 2 the Dinosaur method because it's set in its ways.  You have to hard-code the domain name, in this case dc=cp,dc=mosel.  Incidentally, dc means domain context and not domain controller.  If I use this variation in my example, I have to persuade readers to substitute their own domain for cp.mosel  (I can imagine 50% failing to read the instruction).

To tell the truth, hard-coding is not a big problem in the real world, because once a script works for your domain, it will continue to work without further modification.  Variation 2 does have the advantage of only requiring one line.

Learning Points - Creating the Organizational Unit (OU)

Note 1:  See how the .Create method builds the OU with the name specified by strContainer.
Set objOU = objDomain.Create("organizationalUnit", strContainer)

Note 2:  Understand how the instruction objOU.SetInfo mimics your clicking the OK button.   Hidden agenda: remember how scripting merely reflects the way you click menus and buttons manually.

Challenge

Try and create a child OU.  Make a prediction, should it be:
strContainer ="OU=child,OU=Accounts"  or strContainer ="OU=Accounts,OU=child"

Summary Binding to Active Directory and Creating OUs

Scripting Active Directory objects requires many skills.  This week we have concentrated on two concepts: binding to Active Directory, and understanding the OU parent / child relationship.

Copyright © 1999-2012 Computer Performance LTD.  All rights reserved.