Tutorial for Creating a Group Account with VBScriptControlling which type of group you create is difficult. My advice is start by creating a computer object and then progress to my simple group example. Only attempt this script if you have at least a passing knowledge of VBScript. The heart of the difficult is this, whilst there is only one type of computer or user object, there are 6 types of groups. Furthermore, no other common Active Directory object needs the CONST ADS_GROUP_TYPE statement to control its construction. Topics for Creating a Group Account with a VBScript ♦ Whenever you consider groups, pay close attention to the Group scope and Group types and Scope, for example there are 3 scopes and 2 types of group, which makes a total of 6 different combinations. The default of Global Security is relatively easy to script, but if you wish to create a Universal Distribution groups then you have to master the ADS_GROUP_TYPE constant. No other object requires this CONST statement, which is one reason why creating groups is so tricky. We are not going to get far creating groups without mastering the CONST hexadecimal values that define groups: ADS_GROUP_TYPE_GLOBAL_GROUP = &H2
ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP = &H4
ADS_GROUP_TYPE_LOCAL_GROUP = &H4
ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP = &H4
ADS_GROUP_TYPE_UNIVERSAL_GROUP = &H8
ADS_GROUP_TYPE_SECURITY_ENABLED = &H80000000 Note 1: Do not worry about the apparent inconsistency that Active Directory Users and Computers refers to Global as a Group scope but VBScript refers to it as a ‘TYPE as in; TYPE_GLOBAL_GROUP. Note 2: The H in &H2 tells VBScript that this is a hex number. Just for interest, below are the decimal equivalent values. Admire, but on no account use the decimal numbers, they will not work. My point is that VBScript is fussy about CONST. I mean really fussy, to take another example, spaces are not allowed, either (&H 8) or (& H8) will raise a syntax error. It must be precisely (&H8) with no spaces. ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP = 0x00000004
ADS_GROUP_TYPE_LOCAL_GROUP = 0x00000004
ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP = 0x00000004
ADS_GROUP_TYPE_UNIVERSAL_GROUP = 0x00000008
ADS_GROUP_TYPE_SECURITY_ENABLED = 0x80000000 When we analyzed groups, we discovered that they have two properties, type and scope. This is why creating groups is more difficult than scripting computers or OUs. There is a knack to combining both properties, it is eccentric, but the statement needs the word ‘Or’. Surprisingly nothing else works. Forget ‘and’, say no to ampersand, I repeat, just type, ‘or’ between the two halves. objGroup.Put "groupType", _
ADS_GROUP_TYPE_UNIVERSAL_GROUP Or ADS_GROUP_TYPE_SECURITY_ENABLED As you may know, the first _ (Underscore) tells VBScript to interpret both lines as a single command. The CONST names have zillions of underscores which may be confusing, but that’s just the way VBScript defines them. (Remember I did advise starting with a simple script such as creating a computer) Guy Recommends: SolarWinds’ Free Bulk Import Tool Import users from a spreadsheet. Just provide a list of the users with their fields in the top row, and save as .csv file. Then launch this FREE utility and match your fields with AD’s attributes, click and import the users. Optionally, you can provide the name of the OU where the new accounts will be born. Download your FREE bulk import tool. If you need more comprehensive software, download a free trial of SAM (Server & Application Monitor) While this script creates a Universal Security group, you could amend the CONST ADS statement to create a Security Distribution group. The reason I chose this particular combination of Universal and Security was that I wanted a different group from my simple create group script. This is what we are aiming for, see Newport Bosses in the diagram below:
 PrerequisitesI recommend that you logon at a domain controller. If you are a long way from the server, Remote Desktop would be a suitable alternative. If that is not possible, you could get these scripts to work from an XP machine as a non-administrator. However, why introduce extra complications? Especially at the beginning, you want easy success, with fewest obstacles. Instructions for Creating Group Accounts in Active Directory - You should run this VBScript on a Windows Active Directory domain.
- Copy and paste the example script below into notepad or a VBScript editor.
- Decide whether to change the value for strGroup.
- Save the file with a .vbs extension, for example: Groups .vbs.
- Double click Groups .vbs and check the strOU for your new group.
Sample Script to Create a Universal Security Group ‘ UniversalSecurityGroup.vbs
‘ Sample VBScript to create a Universal Security Group
‘ Author Guy Thomas https://computerperformance.co.uk/
‘ Version 2.2 – May 2010
‘ ———————————————————-‘
Option Explicit
Dim strOU, strNewGroup, strNewGroupLong, strDNSDomain
Dim objOU, objGroup, objRootDSE
Dim strGuyGp, strGPType Const ADS_GROUP_TYPE_UNIVERSAL_GROUP = &h8
Const ADS_GROUP_TYPE_SECURITY_ENABLED = &H80000000
‘ If you want a Universal group, here is the CONST
‘ Const ADS_GROUP_TYPE_GLOBAL_GROUP = &h2 ‘ Make sure the OU referenced by strOU exists
‘ Option change the strNewGroup = "UniNewportManagers"
strOU = "OU=Newport ,"
strNewGroup = "Newport Bosses"
strNewGroupLong = "CN=" & strNewGroup ‘ Bind to Active Directory
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("DefaultNamingContext") ‘ Create new Group
Set objOU = GetObject("LDAP://" & strOU & strDNSDomain )
Set objGroup = objOU.Create("Group",strNewGroupLong)
objGroup.Put "sAMAccountName", strNewGroup ‘ Here is where you set the group Type and Scope
objGroup.Put "groupType", ADS_GROUP_TYPE_UNIVERSAL_GROUP _
or ADS_GROUP_TYPE_SECURITY_ENABLED
objGroup.setInfo Wscript.Echo "Created " & strNewGroup
Wscript.Quit ‘ End of Sample Universal Group VBScript Note 1: I divided the example script into 5 Sections. At the top is the usual header section with extra statements to declare the CONST values. Note 2: As with most of my sample scripts, check that your strOU variable matches the reality of your domain. Decide on the name of your group, mine was ‘Newport Bosses’. Note 3: In the middle is a short section that binds to Active Directory. Note 4: objOU.Create("Group",strNewGroupLong) is where the group is created. Note 5: The key part of the script is objGroup.Put "groupType", here is where we assign the group characteristics, in this case Universal and Security. Note 6: Curiously, there is no specific command to create a Distribution Group, as opposed to a security group. What you must do is rely on the fact that distribution is the default, so if you declare only a scope, then it will automatically create that group as a distribution group. Example of (global) distribution group:
objGroup.Put "groupType", ADS_GROUP_TYPE_GLOBAL_GROUP
objGroup.setInfo. To master creating Active Directory groups, find out all you can about how the CONST ADS defines the 6 possible types of group. My advice is to practice creating a simpler object such as computer or contact, then move on to scripting groups. It is also worth ‘walking through’, how you create a group in Active Directory Users and Computers.
If you like this page then please share it with your friends
See more VBScript examples:• VBScript create users • VBScript create contact • Create contact Exchange • VBS PwdLastSet • VBScript create computer • PowerShell create computer from spreadsheet • Free Import Users Tool • VBScript change password • VBScript to create group • SolarWinds Free WMI Monitor About The Author
ComputerPerfomance.co.uk uses cookies. More info.
| 
