Guy’s Scripting Ezine 101 – Binding to Active Directory and Creating OUs



This Week’s Secret

This is week five of my series of ten newsletters.  Together they combine to give you an ‘Introduction to VBScript’.  As I write my ezine, I keep in mind a picture of my readers.  My twist this week is that I believe most people read the ezine for a period of 10 to 20 weeks, by which time they have either mastered VBScript or given up.  This is one reason why I concentrate on the basics of VBScript.

This Week’s Mission

Overall Mission

Our overall mission is to control Active Directory objects such as Users, Computers and OUs (Organizational Units) with VBScript.  This week’s skirmish is to understand how VBScript obtains LDAP names from Active Directory, a process known as binding.  It’s appropriate that we use the container object, the OU, as the vehicle for this week’s script, because the OU can hold future test objects.

My reason for selecting the OU for this week’s script is twofold.

1) Use Short Names for OUs
When people name their OUs, they give little thought to scripting.  Consequently they end up with OU names which make life difficult for script writers: either the names are too long, have spaces or contain non-alphanumeric characters.  Let me be clear, as far as Windows is concerned you can have 255 characters and all manner of characters and spaces.  It’s only Guy the script writer who objects to more than 12 words (no spaces).  My point is that learning scripting syntax is hard enough without introducing errors caused by spelling mistakes in the object’s name.

2) Favour Short Trees
I would want a good reason to have more than two levels of OUs.  Aside from introducing spelling errors, deep nesting causes sequencing problems when scripting OUs.  The rule is OU=Child,OU=Parent.  This may sound counterintuitive, until you remember that the full path to an object would be:

cn=name, OU=Child, OU=Parent, DC=domain, DC=org.  Once you realise how LDAP constructs names, the order for scripting Child / Parent OUs becomes obvious.

So if you ignore my advice and have a three tier structure such as:

Headquarters #1 /Child Section 4 /Grand Child Out.Reach

Then the LDAP name is OU=Headquarters #1,OU=Child Section 4, OU=Grand Child Out Reach.  Whoops, I made a mistake: there is a missing full stop; it should be OU=Headquarters #1,OU=Child Section 4, OU=Grand Child Out.Reach.  Pedantic, yes; pathetic, possibly; difficult to detect the typo – certainly.  My point: if you are going to script, choose short punchy names with no spaces or punctuation.

Admission: I have dealt with both LDAP binding and creating OUs before; however, newcomers may have missed that ezine, and my old faithful readers may appreciate a refresher before next week, when we deal with user objects.


Binding to Active Directory

It is vital to be able to connect to your domain.  There are two ways of binding to Active Directory: the smart way and the staid, old-fashioned way.  I love the smart way, because one script works on any domain.  I dislike the old-fashioned way because it means you have to hard-code the domain name in the script; as a result I predict that 7 out of 10 of my readers will ignore the instruction to substitute their own domain for the name that I use in the script.

Guy’s Favoured Way to Bind to ANY Active Directory


' Section to bind to ANY Active Directory.
Set objRoot = GetObject("LDAP://rootDSE")
objDomain = objRoot.Get("defaultNamingContext")
Set objDomain = GetObject("LDAP://" & objDomain)

Note 1: Observe how we build objDomain in stages.  First we call GetObject on rootDSE, then we use the .Get method to retrieve the defaultNamingContext, and finally we call GetObject again with that name to bind to the domain.  (Only later will we use the .Create method.)

Example Script: To Create a Top Level OU

Instructions for Binding with Active Directory and Creating an OU

This script is designed for Windows Active Directory.  You really need to run this script on a domain controller rather than an XP workstation.

  1. Copy and paste the example script below into notepad or use a VBScript editor.

  2. One advantage of a good script editor such as OnScript is that you can see the line numbers, which helps when you have to troubleshoot error messages.

  3. Save the file with a .vbs extension, for example: TopOU.vbs 

  4. Double click TopOU.vbs, and check Active Directory Users and Computers for your new OU.


' TopOU.vbs
' VBScript to create an OU (Organizational Unit)
' Note two steps to set domain
' Author Guy Thomas
' Version 1.5 – February 2006
' ----------------------------------------------------------------
Option Explicit
Dim objRoot, objDomain, objOU
Dim strContainer

strContainer = "OU=Accounts"

' Section to bind to ANY Active Directory.
Set objRoot = GetObject("LDAP://rootDSE")
objDomain = objRoot.Get("defaultNamingContext")
Set objDomain = GetObject("LDAP://" & objDomain)

' Section to create the OU defined by strContainer
' Also note the use of: .SetInfo

' On Error Resume Next
Set objOU = objDomain.Create("organizationalUnit", strContainer)
objOU.SetInfo   ' Commit the new OU; nothing is written to Active Directory until SetInfo

WScript.Echo "New Top Level OU created = " & strContainer


Learning Points – Alternative Methods to Bind to Active Directory

Binding Variation 1) Maximum Efficiency


Set objRoot = GetObject("LDAP://rootDSE")
Set objDomain = GetObject("LDAP://" & objRoot.Get("defaultNamingContext"))

I call Variation 1 the Maximum Efficiency method because it has only two lines and fewer instructions to achieve the binding.  This method is even better than mine; however, I stick with my trusted 3-line method because I find it easier to understand and troubleshoot.  Hidden agenda: there are always at least 3 ways of scripting anything.

Binding Variation 2) Dinosaur Method


Set objDomain = GetObject("LDAP://dc=cp,dc=mosel")

I call Variation 2 the Dinosaur method because it’s set in its ways.  You have to hard-code the domain name, in this case dc=cp,dc=mosel.  Incidentally, dc means domain context and not domain controller.  If I used this variation in my example, I would have to persuade readers to substitute their own domain for cp.mosel (I can imagine 50% failing to read the instruction).

To tell the truth, hard-coding is not a big problem in the real world, because once a script works for your domain, it will continue to work without further modification.  Variation 2 does have the advantage of requiring only one line.


Learning Points – Creating the Organizational Unit (OU)

Note 1:  See how the .Create method builds the OU with the name specified by strContainer.
Set objOU = objDomain.Create("organizationalUnit", strContainer)

Note 2:  Understand how the instruction objOU.SetInfo mimics your clicking the OK button; until SetInfo runs, nothing is written to Active Directory.   Hidden agenda: remember how scripting merely reflects the way you click menus and buttons manually.


Try to create a child OU.  Make a prediction: should it be
strContainer ="OU=child,OU=Accounts"  or strContainer ="OU=Accounts,OU=child"
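The script below is an added example, not part of Guy’s ezine, that ties together the naming advice, the rootDSE binding and the child OU exercise.  It assumes the top level OU=Accounts created by TopOU.vbs already exists; the child name "Child Section 4" and the helper names EscapeRdnValue and BuildOuDN are constructed for this example.  It goes slightly beyond the ezine: BuildOuDN accepts a parent-first list of any depth and emits the DN in LDAP order (OU=Child,OU=Parent), and EscapeRdnValue backslash-escapes the characters that RFC 4514 reserves in a distinguished name (comma, plus, double quote, backslash, angle brackets, semicolon, and a leading # or a leading/trailing space), so a name such as Headquarters #1, or one copied from a spreadsheet, cannot silently turn into a different DN.  It also checks Err after each ADSI call rather than letting On Error Resume Next hide a failure.

```vbscript
' ChildOU.vbs  (added example; not from Guy's ezine)
' Binds via rootDSE, builds the child OU's DN in LDAP order
' (child first), escapes reserved characters, creates the OU
' and checks Err after every directory call.
Option Explicit
Dim objRoot, objParent, objOU
Dim strDomainDN, strParentDN, strChildRDN, strChildDN

' Backslash-escape one RDN attribute value (RFC 4514 section 2.4).
Function EscapeRdnValue(strValue)
    Dim i, ch, strOut
    strOut = ""
    For i = 1 To Len(strValue)
        ch = Mid(strValue, i, 1)
        Select Case ch
            Case ",", "+", """", "\", "<", ">", ";"
                strOut = strOut & "\" & ch
            Case Else
                strOut = strOut & ch
        End Select
    Next
    ' A trailing space, then a leading space or '#', must also be escaped.
    If Right(strOut, 1) = " " Then strOut = Left(strOut, Len(strOut) - 1) & "\ "
    If Left(strOut, 1) = " " Or Left(strOut, 1) = "#" Then strOut = "\" & strOut
    EscapeRdnValue = strOut
End Function

' Turn a parent-first list of OU names into "OU=child,...,OU=parent,<domain>".
Function BuildOuDN(arrParentFirst, strBaseDN)
    Dim i, strDN
    strDN = strBaseDN
    For i = 0 To UBound(arrParentFirst)
        strDN = "OU=" & EscapeRdnValue(arrParentFirst(i)) & "," & strDN
    Next
    BuildOuDN = strDN
End Function

' Bind to ANY Active Directory via rootDSE, exactly as in the ezine.
Set objRoot = GetObject("LDAP://rootDSE")
strDomainDN = objRoot.Get("defaultNamingContext")

' The ezine's three-tier example, shown in the order LDAP actually wants.
WScript.Echo "Three-tier DN: " & BuildOuDN( _
    Array("Headquarters #1", "Child Section 4", "Grand Child Out.Reach"), strDomainDN)

' Child OU to create under the top-level OU=Accounts from TopOU.vbs.
strParentDN = BuildOuDN(Array("Accounts"), strDomainDN)
strChildRDN = "OU=" & EscapeRdnValue("Child Section 4")   ' constructed name
strChildDN  = strChildRDN & "," & strParentDN
WScript.Echo "Child OU DN: " & strChildDN

On Error Resume Next
Set objParent = GetObject("LDAP://" & strParentDN)
If Err.Number <> 0 Then
    WScript.Echo "Parent OU not found (0x" & Hex(Err.Number) & "): " & strParentDN
    WScript.Quit 1
End If

' If the child already exists, say so and stop; re-running is then harmless.
Set objOU = GetObject("LDAP://" & strChildDN)
If Err.Number = 0 Then
    WScript.Echo "Already exists: " & strChildDN
    WScript.Quit 0
End If
Err.Clear

' Create takes the RDN relative to the parent container; nothing is written
' to the directory until SetInfo.
Set objOU = objParent.Create("organizationalUnit", strChildRDN)
If Err.Number = 0 Then objOU.SetInfo
If Err.Number <> 0 Then
    WScript.Echo "Create failed (0x" & Hex(Err.Number) & "): " & Err.Description
    WScript.Quit 1
End If
WScript.Echo "Created child OU: " & strChildDN
```

Run it on a domain controller, as the ezine recommends for TopOU.vbs.  The first Echo answers the prediction above: the deepest OU comes first and the domain last.  Because the script reports the parent lookup, the existence check and the create step separately, a failure points at the exact call, which is the troubleshooting information that a bare On Error Resume Next throws away.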

Summary Binding to Active Directory and Creating OUs

Scripting Active Directory objects requires many skills.  This week we have concentrated on two concepts: binding to Active Directory, and understanding the OU parent/child relationship.
