Microsoft KB Archive/222525

= Automating the Creation of Computer Accounts =

PSS ID Number: 222525

Article Last Modified on 11/21/2003

-

The information in this article applies to:


 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Professional
 * Microsoft Windows 2000 Datacenter Server

-



This article was previously published under Q222525





SUMMARY
This article describes how to automate the creation of computer accounts. Two methods are described:
 * NETDOM (a Windows 2000 Resource Kit tool that is also available in X86\Support\Tools\Support.cab on the operating system CD-ROM).
 * Scripting the computer account using ADSI and Windows Script Host.



Creating Computer Accounts Using NETDOM
NOTE: Only the Windows 2000 version of NETDOM, included with the Windows Resource Kit, should be used. Previous versions do not work correctly for all features in Windows 2000.

You can run NETDOM from the command line (or from a batch file) to script computer account creation using the syntax listed below. This sample creates only the computer account and shows how to specify the credentials of a user who has permission to create computer accounts in the domain.

NETDOM /Domain:MYDOMAIN /user:adminuser /password:apassword MEMBER MYCOMPUTER /ADD

For additional information about using NETDOM, click the article number below to view the article in the Microsoft Knowledge Base:

150493 How To Join a Domain From the Command Line

Scripting the Computer Account Using ADSI and Windows Script Host
Using Active Directory Service Interfaces (ADSI) and Windows Script Host (WSH), an administrator can write a Visual Basic Script (VBScript) that automates the creation of computer accounts.

For more information about Visual Basic Scripting, visit the following Microsoft Web site:

http://msdn.microsoft.com/scripting

To use this method, create a script as outlined in the sample script listed below and then save the file with a .vbs extension. To run the file, double-click it or type cscript myscript.vbs at a command prompt.

Sample Script
'***********************
'* Start Script
'***********************

Dim sComputerName, sUserOrGroup, sPath, computerContainer, rootDSE, lFlag
Dim secDescriptor, dACL, ACE, oComputer, sPwd

'*********************************************************************
'* Declare constants used in defining the default location for the
'* machine account, flags to identify the object as a machine account,
'* and security flags
'*********************************************************************

Const UF_WORKSTATION_TRUST_ACCOUNT = &H1000
Const UF_ACCOUNTDISABLE = &H2
Const UF_PASSWD_NOTREQD = &H20
Const ADS_GUID_COMPUTRS_CONTAINER = "aa312825768811d1aded00c04fd8d5cd"
Const ADS_ACETYPE_ACCESS_ALLOWED = 0
Const ADS_ACEFLAG_INHERIT_ACE = 2

'*********************************************************************
'* Set the flags on this object to identify it as a machine account
'* and determine the name. The name is used statically here, but may
'* be determined by a command line parameter or by using an InputBox
'*********************************************************************

lFlag = UF_WORKSTATION_TRUST_ACCOUNT Or UF_ACCOUNTDISABLE Or UF_PASSWD_NOTREQD
sComputerName = "TestAccount"

'*********************************************************************
'* Establish a path to the container in the Active Directory where
'* the machine account will be created. In this example, this will
'* automatically locate a domain controller for the domain, read the
'* domain name, and bind to the default "Computers" container. The
'* well-known GUID declared above is used in a WKGUID binding string,
'* and the container is then re-bound by its distinguished name.
'*********************************************************************

Set rootDSE = GetObject("LDAP://RootDSE")
sPath = "LDAP://<WKGUID=" & ADS_GUID_COMPUTRS_CONTAINER & "," & _
        rootDSE.Get("defaultNamingContext") & ">"
Set computerContainer = GetObject(sPath)
sPath = "LDAP://" & computerContainer.Get("distinguishedName")
Set computerContainer = GetObject(sPath)

'*********************************************************************
'* Here, the computer account is created. Certain attributes must
'* have a value before calling .SetInfo to commit (write) the object
'* to the Active Directory
'*********************************************************************

Set oComputer = computerContainer.Create("computer", "CN=" & sComputerName)
oComputer.Put "samAccountName", sComputerName & "$"
oComputer.Put "userAccountControl", lFlag
oComputer.SetInfo

'*********************************************************************
'* Establish a default password for the machine account
'*********************************************************************

sPwd = sComputerName & "$"
sPwd = LCase(sPwd)
oComputer.SetPassword sPwd

'*********************************************************************
'* Specify which user or group may activate/join this computer to the
'* domain. In this example, "MYDOMAIN" is the domain name and
'* "JoeSmith" is the account being given the permission. Note that
'* this is the downlevel naming convention used in this example.
'*********************************************************************

sUserOrGroup = "MYDOMAIN\joesmith"

'*********************************************************************
'* Bind to the Discretionary ACL on the newly created computer account
'* and create an Access Control Entry (ACE) that gives the specified
'* user or group full control on the machine account
'*********************************************************************

Set secDescriptor = oComputer.Get("ntSecurityDescriptor")
Set dACL = secDescriptor.DiscretionaryAcl
Set ACE = CreateObject("AccessControlEntry")

'*********************************************************************
'* An AccessMask of "-1" grants Full Control
'*********************************************************************

ACE.AccessMask = -1
ACE.AceType = ADS_ACETYPE_ACCESS_ALLOWED
ACE.AceFlags = ADS_ACEFLAG_INHERIT_ACE

'*********************************************************************
'* Grant this control to the user or group specified earlier.
'*********************************************************************

ACE.Trustee = sUserOrGroup

'*********************************************************************
'* Now, add this ACE to the DACL on the machine account
'*********************************************************************

dACL.AddAce ACE
secDescriptor.DiscretionaryAcl = dACL

'*********************************************************************
'* Commit (write) the security changes to the machine account
'*********************************************************************

oComputer.Put "ntSecurityDescriptor", Array(secDescriptor)
oComputer.SetInfo

'*********************************************************************
'* Once all parameters and permissions have been set, enable the
'* account.
'*********************************************************************

oComputer.AccountDisabled = False
oComputer.SetInfo

'*********************************************************************
'* Report that the account has been created, secured, and enabled.
'*********************************************************************

WScript.Echo "The command completed successfully."

'*****************
'* End Script
'*****************
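The sample above leaves UF_PASSWD_NOTREQD set and clears UF_ACCOUNTDISABLE only at its final step, so an interrupted run leaves a pre-staged account behind with those flags. The following audit script is an added example (not part of this article) that binds to the same default Computers container, using the article's constants and WKGUID binding, and reports every computer account still carrying either flag; run it with cscript.

```vbscript
Option Explicit

' Flag values and Computers container GUID as declared in the article
Const UF_ACCOUNTDISABLE = &H2
Const UF_PASSWD_NOTREQD = &H20
Const ADS_GUID_COMPUTRS_CONTAINER = "aa312825768811d1aded00c04fd8d5cd"

Dim rootDSE, sPath, container, obj, uac, sName, sState, nFlagged

' Bind to the default Computers container the same way the sample does:
' WKGUID binding first, then re-bind by distinguished name
Set rootDSE = GetObject("LDAP://RootDSE")
sPath = "LDAP://<WKGUID=" & ADS_GUID_COMPUTRS_CONTAINER & "," & _
        rootDSE.Get("defaultNamingContext") & ">"
Set container = GetObject(sPath)
Set container = GetObject("LDAP://" & container.Get("distinguishedName"))

' Enumerate only computer objects in the container
container.Filter = Array("computer")
nFlagged = 0

For Each obj In container
    uac = obj.Get("userAccountControl")
    sName = obj.Get("sAMAccountName")
    sState = ""

    ' Still disabled: the creation script never reached its final
    ' SetInfo, or the account was pre-staged and never joined
    If (uac And UF_ACCOUNTDISABLE) <> 0 Then
        sState = sState & " DISABLED"
    End If

    ' Password-not-required was set at creation and is never cleared by
    ' the sample; it exempts the account from password requirements
    If (uac And UF_PASSWD_NOTREQD) <> 0 Then
        sState = sState & " PASSWD_NOTREQD"
    End If

    If sState <> "" Then
        nFlagged = nFlagged + 1
        WScript.Echo sName & ":" & sState
    End If
Next

WScript.Echo nFlagged & " computer account(s) in the Computers container need review."
```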

Additional query words: kbadsi

Keywords: kbhowto KB222525

Technology: kbwin2000AdvServ kbwin2000AdvServSearch kbwin2000DataServ kbwin2000DataServSearch kbwin2000Pro kbwin2000ProSearch kbwin2000Search kbwin2000Serv kbwin2000ServSearch kbWinAdvServSearch kbWinDataServSearch

-


© 2004 Microsoft Corporation. All rights reserved.