
= Group Management with ADSI in Windows 2000 =

Article ID: 232241

Article Last Modified on 2/22/2007

-

APPLIES TO


 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Professional Edition
 * Microsoft Windows 2000 Datacenter Server

-



This article was previously published under Q232241



SUMMARY
Active Directory Service Interfaces (ADSI) provides a single, consistent set of interfaces that can be called from scripts run under Microsoft Windows Script Host (WSH) or from other scripting languages (VBScript and JScript are supported natively).

This article demonstrates how an administrator can use ADSI to script the creation, deletion, and management of groups and group membership within Active Directory.



MORE INFORMATION
The following sample scripts are provided for demonstration purposes only.

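NOTE: These scripts require the appropriate security context to operate. They must be run from a session in which the logged-on user has permission to create a group object, delete a group object, and add or remove members from groups. Each script also takes the administrator account name and password as command-line arguments, so run the scripts only from a trusted session and restrict access to the log file they write.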

Creating a Group
' ---------------------------------------------------------------------------
' CREATEGROUP.VBS
'   Creates the specified group in the specified container.
'
'   usage: CreateGroup PROVIDER: CONTAINERSUFFIX GROUPNAME ADMIN PASSWORD LOGFILE
'
'   NOTE(review): ADMIN and PASSWORD are supplied on the command line, where
'   they can be read from the process command line and from shell history.
'   Run this only from a trusted administrative session.
' ---------------------------------------------------------------------------
Option Explicit

' I/O mode values passed to FileSystemObject.OpenTextFile.
Const ForReading = 1
Const ForWriting = 2
Const ForAppending = 8

' ---------------------------------------------------------------------------
' Sub LogMessage
'   Shows Msg through WScript.Echo, then writes it as one line to the text
'   stream fsOut.
' ---------------------------------------------------------------------------
Sub LogMessage(fsOut, Msg)
    Call WScript.Echo(Msg)
    Call fsOut.WriteLine(Msg)
End Sub

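' ---------------------------------------------------------------------------
' main
'   Binds to the container PROVIDER: + "//" + CONTAINERSUFFIX and creates
'   GROUPNAME in it, then commits the new object with SetInfo.
'   Exit code: 0 on success, otherwise the error number of the failed step.
'
'   Changes from the published sample:
'     * the password is never written to the console or the log file;
'     * a failure to open the log file or to bind is reported as such
'       instead of being attributed to Create;
'     * a provider with no creation branch is reported explicitly.
' ---------------------------------------------------------------------------
Dim oArgs
Dim oOpenDsObject
Dim oObject
Dim oGroup
Dim szProvider
Dim szContainer
Dim szGroupName
Dim szAdmin
Dim szPassword
Dim szLogFile
Dim fs
Dim fsOut
Dim lngError

' OpenDSObject flag 1 is ADS_SECURE_AUTHENTICATION: it asks ADSI for a secure
' bind rather than sending the credentials in a simple bind.
Const ADS_SECURE_AUTHENTICATION = 1

' Error number the original script ended with when no group object had been
' created ("Object required", raised by oGroup.SetInfo).
Const ERR_NO_GROUP_OBJECT = 424

On Error Resume Next

Set oArgs = WScript.Arguments
If (oArgs.Count <> 6) Then
    WScript.Echo "usage: CreateGroup <Provider:> <ContainerSuffix> <GroupName> <Admin> <Password> <LogFile>"
    ' For example:
    '   CreateGroup LDAP: O=VBS_Org,DC=NW01T1DOM,DC=NTDEV,DC=MICROSOFT,DC=COM ADSGROUP
    '     CN=Administrator,CN=Users,DC=NW01T1DOM,DC=NTDEV,DC=MICROSOFT,DC=COM "" creatgrp.log
Else
    szProvider = oArgs(0)
    szContainer = oArgs(0) + "//" + oArgs(1)
    szGroupName = oArgs(2)
    szAdmin = oArgs(3)
    szPassword = oArgs(4)
    szLogFile = oArgs(5)

    Set fs = CreateObject("Scripting.FileSystemObject")
    Set fsOut = fs.OpenTextFile(szLogFile, ForAppending, True)

    ' Without a usable log stream every LogMessage call would fail and the
    ' pending error would be blamed on a later step, so stop here.
    If (Err.Number <> 0) Then
        lngError = Err.Number
        WScript.Echo "CreateGroup: FAIL Error 0x" & Hex(lngError) & " opening log file " & szLogFile
        WScript.Quit(lngError)
    End If

    If (szProvider = "WinNT:") Then
        ' The WinNT: path binds with GetObject, i.e. as the logged-on user;
        ' ADMIN and PASSWORD are not used on this branch.
        Set oObject = GetObject(szContainer)
    Else
        Set oOpenDsObject = GetObject(szProvider)
        Set oObject = oOpenDsObject.OpenDSObject(szContainer, szAdmin, szPassword, ADS_SECURE_AUTHENTICATION)
    End If

    lngError = Err.Number
    Err.Clear

    If (lngError <> 0) Then
        LogMessage fsOut, "Error 0x" + CStr(Hex(lngError)) + " occurred binding to container"
    Else
        Select Case (szProvider)
            Case "LDAP:"
                Set oGroup = oObject.Create("group", "CN=" + szGroupName)
                oGroup.sAMAccountName = szGroupName

            Case "NDS:"
                Set oGroup = oObject.Create("group", "CN=" + szGroupName)

            Case "WinNT:"
                Set oGroup = oObject.Create("globalGroup", szGroupName)

            Case Else
                ' "NWCOMPAT:" and any unrecognised provider string: the sample
                ' has no creation code for these, so oGroup stays unset.
        End Select

        lngError = Err.Number
        Err.Clear

        If (lngError <> 0) Then
            LogMessage fsOut, "Error 0x" + CStr(Hex(lngError)) + " occurred invoking Create"
        ElseIf Not IsObject(oGroup) Then
            lngError = ERR_NO_GROUP_OBJECT
            LogMessage fsOut, "Provider " & szProvider & " is not handled by this script; no group was created"
        Else
            oGroup.SetInfo
            lngError = Err.Number
            Err.Clear

            If (lngError <> 0) Then
                LogMessage fsOut, "Error 0x" + CStr(Hex(lngError)) + " occurred invoking SetInfo"
            End If
        End If
    End If

    If (lngError = 0) Then
        LogMessage fsOut, "CreateGroup: PASS"
    Else
        LogMessage fsOut, "CreateGroup: FAIL Error 0x" & Hex(lngError)
        LogMessage fsOut, "  Provider = " & szProvider
        LogMessage fsOut, "  Container = " & szContainer
        LogMessage fsOut, "  GroupName = " & szGroupName
        LogMessage fsOut, "  Admin = " & szAdmin
        ' szPassword is deliberately not logged: the log file and console
        ' output outlive the session and may be readable by other users.
    End If

    fsOut.Close
    WScript.Quit(lngError)
End If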

Deleting a Group
' ---------------------------------------------------------------------------
' DELETEGROUP.VBS
'   Deletes the specified group in the specified container.
'
'   usage: DeleteGroup PROVIDER: CONTAINERSUFFIX GROUPNAME ADMIN PASSWORD LOGFILE
'
'   NOTE(review): ADMIN and PASSWORD are supplied on the command line, where
'   they can be read from the process command line and from shell history.
'   Run this only from a trusted administrative session.
' ---------------------------------------------------------------------------
Option Explicit

' I/O mode values passed to FileSystemObject.OpenTextFile.
Const ForReading = 1
Const ForWriting = 2
Const ForAppending = 8

' ---------------------------------------------------------------------------
' Sub LogMessage
'   Shows Msg through WScript.Echo, then writes it as one line to the text
'   stream fsOut.
' ---------------------------------------------------------------------------
Sub LogMessage(fsOut, Msg)
    Call WScript.Echo(Msg)
    Call fsOut.WriteLine(Msg)
End Sub

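' ---------------------------------------------------------------------------
' main
'   Binds to the container PROVIDER: + "//" + CONTAINERSUFFIX with the given
'   credentials and deletes GROUPNAME from it.
'   Exit code: 0 on success, otherwise a non-zero error number.
'
'   Changes from the published sample:
'     * the password is never written to the console or the log file;
'     * a failure to open the log file is reported instead of being carried
'       into the delete result;
'     * providers with no delete branch ("NWCOMPAT:", "WinNT:", anything
'       unrecognised) now report FAIL; the original logged PASS although
'       nothing had been deleted.
' ---------------------------------------------------------------------------
Dim oArgs
Dim oOpenDsObject
Dim oObject
Dim oGroup
Dim szProvider
Dim szContainer
Dim szGroupName
Dim szAdmin
Dim szPassword
Dim szLogFile
Dim fs
Dim fsOut
Dim lngError

' OpenDSObject flag 1 is ADS_SECURE_AUTHENTICATION: it asks ADSI for a secure
' bind rather than sending the credentials in a simple bind.
Const ADS_SECURE_AUTHENTICATION = 1

' Script-defined exit code for a provider this sample has no delete code for.
Const ERR_PROVIDER_NOT_HANDLED = 1

On Error Resume Next

Set oArgs = WScript.Arguments
If (oArgs.Count <> 6) Then
    WScript.Echo "usage: DeleteGroup <Provider:> <ContainerSuffix> <GroupName> <Admin> <Password> <LogFile>"
    ' For example:
    '   DeleteGroup LDAP: O=VBS_ORG,DC=NW01T1DOM,DC=NTDEV,DC=MICROSOFT,DC=COM ADSGROUP
    '     CN=Administrator,CN=Users,DC=NW01T1DOM,DC=NTDEV,DC=MICROSOFT,DC=COM "" delgroup.log
Else
    szProvider = oArgs(0)
    szContainer = oArgs(0) + "//" + oArgs(1)
    szGroupName = oArgs(2)
    szAdmin = oArgs(3)
    szPassword = oArgs(4)
    szLogFile = oArgs(5)

    Set fs = CreateObject("Scripting.FileSystemObject")
    Set fsOut = fs.OpenTextFile(szLogFile, ForAppending, True)

    ' Without a usable log stream every LogMessage call would fail and the
    ' pending error would be reported as a delete failure, so stop here.
    If (Err.Number <> 0) Then
        lngError = Err.Number
        WScript.Echo "DeleteGroup: FAIL Error 0x" & Hex(lngError) & " opening log file " & szLogFile
        WScript.Quit(lngError)
    End If

    Set oOpenDsObject = GetObject(szProvider)
    Set oObject = oOpenDsObject.OpenDSObject(szContainer, szAdmin, szPassword, ADS_SECURE_AUTHENTICATION)

    lngError = Err.Number
    Err.Clear

    If (lngError <> 0) Then
        LogMessage fsOut, "Error 0x" + CStr(Hex(lngError)) + " occurred binding to container"
    Else
        Select Case (szProvider)
            Case "LDAP:", "NDS:"
                oObject.Delete "group", "CN=" + szGroupName
                lngError = Err.Number
                Err.Clear

            Case Else
                ' No delete code exists for this provider; reporting PASS
                ' here would tell the operator a group is gone when it is not.
                lngError = ERR_PROVIDER_NOT_HANDLED
                LogMessage fsOut, "Provider " & szProvider & " is not handled by this script; nothing was deleted"
        End Select
    End If

    If (lngError = 0) Then
        LogMessage fsOut, "DeleteGroup: PASS"
    Else
        LogMessage fsOut, "DeleteGroup: FAIL Error 0x" & Hex(lngError)
        LogMessage fsOut, "  Provider = " & szProvider
        LogMessage fsOut, "  Container = " & szContainer
        LogMessage fsOut, "  GroupName = " & szGroupName
        LogMessage fsOut, "  Admin = " & szAdmin
        ' szPassword is deliberately not logged: the log file and console
        ' output outlive the session and may be readable by other users.
    End If

    fsOut.Close
    WScript.Quit(lngError)
End If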

Adding a User to a Group
' ---------------------------------------------------------------------------
' GROUPUSERADD.VBS
'   Adds the specified user to the specified group.
'
'   usage: GroupUserAdd PROVIDER: GROUPSUFFIX USERSUFFIX ADMIN PASSWORD LOGFILE
'
'   NOTE(review): ADMIN and PASSWORD are supplied on the command line, where
'   they can be read from the process command line and from shell history.
'   Run this only from a trusted administrative session.
' ---------------------------------------------------------------------------
Option Explicit

' I/O mode values passed to FileSystemObject.OpenTextFile.
Const ForReading = 1
Const ForWriting = 2
Const ForAppending = 8

' ---------------------------------------------------------------------------
' Sub LogMessage
'   Shows Msg through WScript.Echo, then writes it as one line to the text
'   stream fsOut.
' ---------------------------------------------------------------------------
Sub LogMessage(fsOut, Msg)
    Call WScript.Echo(Msg)
    Call fsOut.WriteLine(Msg)
End Sub

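' ---------------------------------------------------------------------------
' Sub BailOnFailure
'   Reports a failed step to the screen and the log file, closes the log and
'   ends the script.
'
'   fsOut   - log text stream
'   ErrNum  - error number of the failed step; also used as the exit code
'   ErrText - short description of the step that failed
'
'   Reads the script-level variables szProvider, szGroupPath, szUserPath and
'   szAdmin. The password is deliberately not reported.
' ---------------------------------------------------------------------------
Sub BailOnFailure(fsOut, ErrNum, ErrText)

    ' Keep going if a log write fails. Without a handler in this Sub, such an
    ' error would unwind to the caller's On Error Resume Next, skip the Quit
    ' below, and let the script continue past the failure it was reporting.
    On Error Resume Next

    LogMessage fsOut, "GroupUserAdd: FAIL Error 0x" & Hex(ErrNum) & " " & ErrText
    LogMessage fsOut, "  Provider = " & szProvider
    LogMessage fsOut, "  Group    = " & szGroupPath
    LogMessage fsOut, "  User     = " & szUserPath
    LogMessage fsOut, "  Admin    = " & szAdmin
    ' szPassword is not logged: the log file and console output outlive the
    ' session and may be readable by other users.

    fsOut.Close

    ' Exit with the failing error number so callers and schedulers see a
    ' non-zero exit code; a bare WScript.Quit would exit with 0.
    WScript.Quit(ErrNum)

End Sub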

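' ---------------------------------------------------------------------------
' main
'   Binds to the group PROVIDER: + "//" + GROUPSUFFIX with the given
'   credentials and adds the user PROVIDER: + "//" + USERSUFFIX to it.
'   Failures of the bind or of Add are handed to BailOnFailure.
'
'   Changes from the published sample: the usage text lists all six
'   arguments, and a failure to open the log file is reported on its own
'   instead of surfacing later as a bind failure.
' ---------------------------------------------------------------------------
Dim oArgs
Dim oOpenDsObject
Dim oObject
Dim oGroup
Dim szProvider
Dim szGroupPath
Dim szUserPath
Dim szAdmin
Dim szPassword
Dim szLogFile
Dim fs
Dim fsOut

' OpenDSObject flag 1 is ADS_SECURE_AUTHENTICATION: it asks ADSI for a secure
' bind rather than sending the credentials in a simple bind.
Const ADS_SECURE_AUTHENTICATION = 1

On Error Resume Next

Set oArgs = WScript.Arguments
If (oArgs.Count <> 6) Then
    WScript.Echo "usage: GroupUserAdd <Provider:> <GroupSuffix> <UserSuffix> <Admin> <Password> <LogFile>"
    ' For example:
    '   GroupUserAdd LDAP: CN=VBS_GROUP,OU=VBS_ORGUNIT,O=VBS_ORG,DC=NW01T1DOM,DC=NTDEV,DC=MICROSOFT,DC=COM
    '     CN=Administrator,CN=Users,DC=NW01T1DOM,DC=NTDEV,DC=MICROSOFT,DC=COM
    '     <Admin> "" grpusrad.log
Else
    szProvider = oArgs(0)
    szGroupPath = oArgs(0) + "//" + oArgs(1)
    szUserPath = oArgs(0) + "//" + oArgs(2)
    szAdmin = oArgs(3)
    szPassword = oArgs(4)
    szLogFile = oArgs(5)

    Set fs = CreateObject("Scripting.FileSystemObject")
    Set fsOut = fs.OpenTextFile(szLogFile, ForAppending, True)

    ' Err is not reset by later successful statements, so a failed open would
    ' otherwise be reported below as "binding to group object".
    If (Err.Number <> 0) Then
        WScript.Echo "GroupUserAdd: FAIL Error 0x" & Hex(Err.Number) & " opening log file " & szLogFile
        WScript.Quit(Err.Number)
    End If

    Set oOpenDsObject = GetObject(szProvider)
    Set oGroup = oOpenDsObject.OpenDSObject(szGroupPath, szAdmin, szPassword, ADS_SECURE_AUTHENTICATION)

    If (Err.Number <> 0) Then
        BailOnFailure fsOut, Err.Number, "binding to group object"
    End If

    oGroup.Add szUserPath

    If (Err.Number <> 0) Then
        BailOnFailure fsOut, Err.Number, "invoking Add method"
    End If

    LogMessage fsOut, "GroupUserAdd: PASS"
    fsOut.Close
    WScript.Quit(Err.Number)
End If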

Deleting a User from a Group
' ---------------------------------------------------------------------------
' GROUPUSERREMOVE.VBS
'   Removes the specified user from the specified group.
'
'   usage: GroupUserRemove PROVIDER: GROUPSUFFIX USERSUFFIX ADMIN PASSWORD LOGFILE
'
'   NOTE(review): ADMIN and PASSWORD are supplied on the command line, where
'   they can be read from the process command line and from shell history.
'   Run this only from a trusted administrative session.
' ---------------------------------------------------------------------------
Option Explicit

' I/O mode values passed to FileSystemObject.OpenTextFile.
Const ForReading = 1
Const ForWriting = 2
Const ForAppending = 8

' ---------------------------------------------------------------------------
' Sub LogMessage
'   Shows Msg through WScript.Echo, then writes it as one line to the text
'   stream fsOut.
' ---------------------------------------------------------------------------
Sub LogMessage(fsOut, Msg)
    Call WScript.Echo(Msg)
    Call fsOut.WriteLine(Msg)
End Sub

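' ---------------------------------------------------------------------------
' Sub BailOnFailure
'   Reports a failed step to the screen and the log file, closes the log and
'   ends the script.
'
'   fsOut   - log text stream
'   ErrNum  - error number of the failed step; also used as the exit code
'   ErrText - short description of the step that failed
'
'   Reads the script-level variables szProvider, szGroupPath, szUserPath and
'   szAdmin. The password is deliberately not reported.
' ---------------------------------------------------------------------------
Sub BailOnFailure(fsOut, ErrNum, ErrText)

    ' Keep going if a log write fails. Without a handler in this Sub, such an
    ' error would unwind to the caller's On Error Resume Next, skip the Quit
    ' below, and let the script continue past the failure it was reporting.
    On Error Resume Next

    LogMessage fsOut, "GroupUserRemove: FAIL Error 0x" & Hex(ErrNum) & " " & ErrText
    LogMessage fsOut, "  Provider = " & szProvider
    LogMessage fsOut, "  Group    = " & szGroupPath
    LogMessage fsOut, "  User     = " & szUserPath
    LogMessage fsOut, "  Admin = " & szAdmin
    ' szPassword is not logged: the log file and console output outlive the
    ' session and may be readable by other users.

    fsOut.Close

    ' Exit with the failing error number so callers and schedulers see a
    ' non-zero exit code; a bare WScript.Quit would exit with 0.
    WScript.Quit(ErrNum)

End Sub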

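' ---------------------------------------------------------------------------
' main
'   Binds to the group PROVIDER: + "//" + GROUPSUFFIX with the given
'   credentials and removes the user PROVIDER: + "//" + USERSUFFIX from it.
'   Failures of the bind or of Remove are handed to BailOnFailure.
'
'   Changes from the published sample: the usage text names this script
'   (it said GroupUserAdd) and lists all six arguments, and a failure to
'   open the log file is reported on its own instead of surfacing later as a
'   bind failure.
' ---------------------------------------------------------------------------
Dim oArgs
Dim oOpenDsObject
Dim oObject
Dim oGroup
Dim szProvider
Dim szGroupPath
Dim szUserPath
Dim szAdmin
Dim szPassword
Dim szLogFile
Dim fs
Dim fsOut

' OpenDSObject flag 1 is ADS_SECURE_AUTHENTICATION: it asks ADSI for a secure
' bind rather than sending the credentials in a simple bind.
Const ADS_SECURE_AUTHENTICATION = 1

On Error Resume Next

Set oArgs = WScript.Arguments
If (oArgs.Count <> 6) Then
    WScript.Echo "usage: GroupUserRemove <Provider:> <GroupSuffix> <UserSuffix> <Admin> <Password> <LogFile>"
    ' For example:
    '   GroupUserRemove LDAP: CN=VBS_GROUP,OU=VBS_ORGUNIT,O=VBS_ORG,DC=NW01T1DOM,DC=NTDEV,DC=MICROSOFT,DC=COM
    '     CN=Administrator,CN=Users,DC=NW01T1DOM,DC=NTDEV,DC=MICROSOFT,DC=COM
    '     <Admin> "" grpusrad.log
Else
    szProvider = oArgs(0)
    szGroupPath = oArgs(0) + "//" + oArgs(1)
    szUserPath = oArgs(0) + "//" + oArgs(2)
    szAdmin = oArgs(3)
    szPassword = oArgs(4)
    szLogFile = oArgs(5)

    Set fs = CreateObject("Scripting.FileSystemObject")
    Set fsOut = fs.OpenTextFile(szLogFile, ForAppending, True)

    ' Err is not reset by later successful statements, so a failed open would
    ' otherwise be reported below as "binding to group object".
    If (Err.Number <> 0) Then
        WScript.Echo "GroupUserRemove: FAIL Error 0x" & Hex(Err.Number) & " opening log file " & szLogFile
        WScript.Quit(Err.Number)
    End If

    Set oOpenDsObject = GetObject(szProvider)
    Set oGroup = oOpenDsObject.OpenDSObject(szGroupPath, szAdmin, szPassword, ADS_SECURE_AUTHENTICATION)

    If (Err.Number <> 0) Then
        BailOnFailure fsOut, Err.Number, "binding to group object"
    End If

    oGroup.Remove szUserPath

    If (Err.Number <> 0) Then
        BailOnFailure fsOut, Err.Number, "invoking Remove method"
    End If

    LogMessage fsOut, "GroupUserRemove: PASS"
    fsOut.Close
    WScript.Quit(Err.Number)
End If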

Keywords: kbinfo KB232241

-


© Microsoft Corporation. All rights reserved.