Microsoft KB Archive/313038

= How to create a computer account in a Windows 2000 domain by using ADSI with Visual Basic =

Article ID: 313038

Article Last Modified on 10/17/2007

-

APPLIES TO


 * Microsoft Active Directory Service Interfaces 2.5
 * Microsoft Visual Basic 6.0 Enterprise Edition
 * Microsoft Visual Basic 6.0 Professional Edition

-



This article was previously published under Q313038





INTRODUCTION
This article describes how to create a computer object in a Microsoft Windows 2000 domain by using Active Directory Service Interfaces (ADSI) with Microsoft Visual Basic.

Create the computer object in the Active Directory
To create the computer object, follow these steps:

1. Bind to the container of the parent computer.

   This is the location where all the computer objects for the domain are stored.

2. Create a computer object in this container.

3. Set the samAccountName attribute and the userAccountControl attribute on this computer object.

   The userAccountControl attribute can be set to enable or to disable the following flags:

    * UF_WORKSTATION_TRUST
    * UF_ACCOUNTDISABLE

   The previous flags are defined as constants in the sample code in step 2 of the "Build the sample in Visual Basic" section.

4. Set the initial password for the computer object by using the SetPassword method.

5. Modify the security descriptor for the computer object to add an Access Control Entry (ACE).

   You add the ACE for the user or for the group that you want to have permissions to the computer object.

6. Enable the computer account.

Build the sample in Visual Basic
To build the sample, follow these steps:

1. Start Visual Basic 6.0, and then open a new Standard EXE project.

   Note Make sure that you are logged on to the client as a domain administrator for the targeted domain. You must do this so that you can create computer objects in the Active Directory.

2. Double-click Form View. Add the following code to the Form_Load subroutine.

   Note Make sure that you have made the appropriate modifications to the sections that are indicated in the sample code.

    'Constants
    Const UF_WORKSTATION_TRUST_ACCOUNT = &H1000
    Const UF_ACCOUNTDISABLE = &H2
    Const ADS_GUID_COMPUTRS_CONTAINER = "aa312825768811d1aded00c04fd8d5cd"
    Const ADS_ACETYPE_ACCESS_ALLOWED = 0
    Const ADS_ACEFLAG_INHERIT_ACE = 2

    'Parameters
    lFlag = UF_WORKSTATION_TRUST_ACCOUNT Or UF_ACCOUNTDISABLE
    'Modify the following two variants based on the name of the computer
    'object that you want to create and the name of the group that you want
    'to have permissions to this computer object.
    sComputer = "myMachine"
    sUserOrGroup = "MYDOMAIN\MyGroup" 'Who can join this computer?

    'Build a well-known guid adspath for the computer container.
    Set rootDSE = GetObject("LDAP://RootDSE")
    sPath = "LDAP://<WKGUID=" & ADS_GUID_COMPUTRS_CONTAINER
    sPath = sPath + ","
    sPath = sPath + rootDSE.Get("defaultNamingContext")
    sPath = sPath + ">"

    Set compCont = GetObject(sPath)

    'Bind again to get the correct ADsPath.
    sPath = "LDAP://" & compCont.Get("distinguishedName")
    Set compCont = GetObject(sPath)

    'Create a computer object.
    Set comp = compCont.Create("computer", "CN=" & sComputer)
    comp.Put "samAccountName", sComputer + "$"
    comp.Put "userAccountControl", lFlag
    comp.SetInfo

    'Set an initial password.
    sPwd = sComputer
    sPwd = StrConv(sPwd, vbLowerCase)
    comp.SetPassword sPwd

    'Set security.
    Set sd = comp.Get("ntSecurityDescriptor")
    Set dacl = sd.DiscretionaryAcl

    'Set ACE.
    Set ace = CreateObject("AccessControlEntry")
    ace.AccessMask = -1 'Full Permission (Allowed)
    ace.AceType = ADS_ACETYPE_ACCESS_ALLOWED
    ace.Trustee = sUserOrGroup

    'ACL
    dacl.AddAce ace
    sd.DiscretionaryAcl = dacl

    'SD
    comp.Put "ntSecurityDescriptor", Array(sd)
    comp.SetInfo

    'Enable the account.
    ' A Windows 2000 domain computer account does not have to be enabled.
    comp.AccountDisabled = False
    comp.SetInfo

3. Click Project, click Add Reference, click the COM tab, and then add the references to the Active DS Type Library.

4. Click OK to close the Add Reference dialog box.

5. Click Start, and then click Run.

   After you run the code, the enabled computer account object is created in the Computers container in the Active Directory. The name of the enabled computer account object is the name that you specified in the code.

   You can also run this code from a VBScript file.

6. Verify that the computer account object was created. To do this, follow these steps:

    a. Locate the Administrative Tools application group on a domain controller for this domain.
    b. Click Active Directory Users and Computers.
    c. Click the Computers container.

       The newly created computer account object appears in this container.
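The following VBScript is an added example, not part of the original article. It reads back the object that the sample creates and reports the userAccountControl flags and the allow ACEs held by the trustee, so that you can confirm what was actually granted. It reuses the article's sample values sComputer and sUserOrGroup; DS_FULL_CONTROL (&HF01FF) is a name introduced here for the combined standard and directory-service rights mask.

```vbscript
' Added example (not from the original article): audit the computer object
' created by the sample. sComputer and sUserOrGroup are the article's sample
' values; change them to match your environment.
Option Explicit

Const UF_ACCOUNTDISABLE = &H2
Const UF_WORKSTATION_TRUST_ACCOUNT = &H1000
Const ADS_GUID_COMPUTRS_CONTAINER = "aa312825768811d1aded00c04fd8d5cd"
Const ADS_ACETYPE_ACCESS_ALLOWED = 0
' Name introduced for this example: all standard rights (&HF0000) plus all
' directory-service rights (&H1FF) on an Active Directory object.
Const DS_FULL_CONTROL = &HF01FF

Dim sComputer, sUserOrGroup, rootDSE, compCont, comp
Dim lFlag, sd, ace, nFull

sComputer = "myMachine"
sUserOrGroup = "MYDOMAIN\MyGroup"

' Resolve the Computers container through its well-known GUID, as the article does.
Set rootDSE = GetObject("LDAP://RootDSE")
Set compCont = GetObject("LDAP://<WKGUID=" & ADS_GUID_COMPUTRS_CONTAINER & _
    "," & rootDSE.Get("defaultNamingContext") & ">")
Set comp = GetObject("LDAP://CN=" & sComputer & "," & _
    compCont.Get("distinguishedName"))

' Decode the two userAccountControl flags that the article sets.
lFlag = comp.Get("userAccountControl")
WScript.Echo "userAccountControl = &H" & Hex(lFlag)
WScript.Echo "  workstation trust: " & CBool(lFlag And UF_WORKSTATION_TRUST_ACCOUNT)
WScript.Echo "  disabled:          " & CBool(lFlag And UF_ACCOUNTDISABLE)

' Walk the DACL and list every allow ACE held by the trustee.
Set sd = comp.Get("ntSecurityDescriptor")
nFull = 0
For Each ace In sd.DiscretionaryAcl
    If ace.AceType = ADS_ACETYPE_ACCESS_ALLOWED And _
       StrComp(ace.Trustee, sUserOrGroup, vbTextCompare) = 0 Then
        WScript.Echo "ACE for " & ace.Trustee & ": mask &H" & Hex(ace.AccessMask)
        ' The mask test also matches an unmapped mask of -1 (all bits set).
        If (ace.AccessMask And DS_FULL_CONTROL) = DS_FULL_CONTROL Then nFull = nFull + 1
    End If
Next

If nFull > 0 Then
    WScript.Echo nFull & " full-control ACE(s) found for " & sUserOrGroup & _
        "; review whether this trustee needs that much access."
End If
```

Run the script with cscript.exe under an account that can read the object's security descriptor.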

<div class="references_section">