Microsoft KB Archive/313038

Article ID: 313038

Article Last Modified on 10/17/2007



APPLIES TO

  • Microsoft Active Directory Service Interfaces 2.5
  • Microsoft Visual Basic 6.0 Enterprise Edition
  • Microsoft Visual Basic 6.0 Professional Edition



This article was previously published under Q313038


INTRODUCTION

This article describes how to create a computer object in a Microsoft Windows 2000 domain by using Active Directory Service Interfaces (ADSI) with Microsoft Visual Basic.

Create the computer object in the Active Directory

To create the computer object, follow these steps:

  1. Bind to the parent container for the computer object.

    This is the location where all the computer objects for the domain are stored.
  2. Create a computer object in this container.
  3. Set the samAccountName attribute and the userAccountControl attribute on this computer object.

    The userAccountControl attribute can be set to enable or to disable the following flags:
    • UF_WORKSTATION_TRUST_ACCOUNT
    • UF_ACCOUNTDISABLE
    These flags are defined as constants in the sample code in step 2 of the "Build the sample in Visual Basic" section.
  4. Set the initial password for the computer object by using the SetPassword method.
  5. Modify the security descriptor for the computer object to add an Access Control Entry (ACE).

    You add the ACE for the user or for the group that you want to have permissions to the computer object.
  6. Enable the computer account.

Build the sample in Visual Basic

To build the sample, follow these steps:

  1. Start Visual Basic 6.0, and then open a new Standard EXE project.

    Note: Make sure that you are logged on to the client as a domain administrator for the targeted domain. You must do this so that you can create computer objects in the Active Directory.
  2. Double-click Form View. Add the following code to the Form_Load() subroutine.

    Note: Make sure that you have made the appropriate modifications to the sections that are indicated in the sample code.

    '----Constants----
    
    Const UF_WORKSTATION_TRUST_ACCOUNT = &H1000
    Const UF_ACCOUNTDISABLE = &H2
    Const ADS_GUID_COMPUTRS_CONTAINER = "aa312825768811d1aded00c04fd8d5cd"
    Const ADS_ACETYPE_ACCESS_ALLOWED = 0
    Const ADS_ACEFLAG_INHERIT_ACE = 2 
    
    '----Parameters ----
    
    lFlag = UF_WORKSTATION_TRUST_ACCOUNT Or UF_ACCOUNTDISABLE
    'Modify the following two variants based on the name of the computer
    'object that you want to create and the name of the group that you want 
    'to have permissions to this computer object.
    sComputer = "myMachine"
    sUserOrGroup = "MYDOMAIN\MyGroup" 'Who can join this computer?
    
    '----Build a well-known guid adspath for the computer container.----
    
    Set rootDSE = GetObject("LDAP://RootDSE")
    sPath = "LDAP://<WKGUID=" & ADS_GUID_COMPUTRS_CONTAINER
    sPath = sPath + ","
    sPath = sPath + rootDSE.Get("defaultNamingContext")
    sPath = sPath + ">"
    
    Set compCont = GetObject(sPath)
    
    'Bind again to get the correct ADsPath.
    sPath = "LDAP://" & compCont.Get("distinguishedName")
    Set compCont = GetObject(sPath)
    
    '----Create a computer object.----
    
    Set comp = compCont.Create("computer", "CN=" & sComputer)
    comp.Put "samAccountName", sComputer + "$"
    comp.Put "userAccountControl", lFlag
    comp.SetInfo
    
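    '----Set an initial password.----
    'The initial password is the computer name in lowercase, so it can be
    'derived from the account name until the computer joins the domain and
    'changes it. LCase works in both Visual Basic and VBScript.
    
    sPwd = LCase(sComputer)
    comp.SetPassword sPwd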
    
    '----Set security.----
    
    Set sd = comp.Get("ntSecurityDescriptor")
    Set dacl = sd.DiscretionaryAcl
    
    '----Set ACE.----
    
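    'An access mask of -1 sets every access right, so the trustee in
    'sUserOrGroup receives full control of this computer object.
    Set ace = CreateObject("AccessControlEntry")
    ace.AccessMask = -1 'Full Permission (Allowed)
    ace.AceType = ADS_ACETYPE_ACCESS_ALLOWED
    ace.Trustee = sUserOrGroup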
    
    '----ACL----
    
    dacl.AddAce ace
    sd.DiscretionaryAcl = dacl
    
    '----SD----
    
    comp.Put "ntSecurityDescriptor", Array(sd)
    
    comp.SetInfo
    
    '----Enable the account.----
    ' A Windows 2000 domain computer account does not have to be enabled.
    comp.AccountDisabled = False
    comp.SetInfo
  3. Click Project, click Add Reference, click the COM tab, and then add the references to the Active DS Type Library.
  4. Click OK to close the Add Reference dialog box.
  5. Click Start, and then click Run.

    After you run the code, the enabled computer account object is created in the Computers container in the Active Directory. The name of the enabled computer account object is the name that you specified in the code.

    You can also run this code from a VBScript file.
  6. Verify that the computer account object was created. To do this, follow these steps:
    1. Locate the Administrative Tools application group on a domain controller for this domain.
    2. Click Active Directory Users and Computers.
    3. Click the Computers container.

      The newly created computer account object appears in this container.
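
A follow-up check for accounts created this way, as an added example that is not part of the original article: the sample enables the account while its password is still the lowercase computer name, so the Python sketch below audits exported computer objects for enabled workstation trust accounts whose password has not changed since creation. The record layout, the sample values, the five-minute slack, and the heuristic itself (a joined computer has changed its password) are assumptions made for this illustration.

```python
from datetime import datetime, timedelta, timezone

# userAccountControl bits used by the sample on this page.
UF_ACCOUNTDISABLE = 0x0002
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def to_filetime(dt):
    """datetime -> 100 ns ticks since 1601-01-01 UTC (the pwdLastSet encoding)."""
    return int((dt - EPOCH_1601).total_seconds()) * 10_000_000

def from_filetime(ticks):
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)

def parse_when_created(value):
    """Parse an LDAP generalized time such as '20240102030405.0Z'."""
    return datetime.strptime(value, "%Y%m%d%H%M%S.0Z").replace(tzinfo=timezone.utc)

def audit(rec, slack=timedelta(minutes=5)):
    """Return findings for one exported computer object (dict of attributes)."""
    uac = int(rec["userAccountControl"])
    if not uac & UF_WORKSTATION_TRUST_ACCOUNT:
        return []  # not a workstation trust account
    findings = []
    if not rec["sAMAccountName"].endswith("$"):
        findings.append("sAMAccountName lacks trailing $")
    created = parse_when_created(rec["whenCreated"])
    pwd_set = from_filetime(int(rec["pwdLastSet"]))
    # Assumed heuristic: a computer that joined has changed its password, so a
    # pwdLastSet at (or before) creation time means the provisioning password
    # is still the live credential.
    if not uac & UF_ACCOUNTDISABLE and pwd_set - created <= slack:
        findings.append("enabled, provisioning password never changed")
    return findings

# Constructed sample records (not real directory data).
T0 = parse_when_created("20240102030405.0Z")
SAMPLES = [
    {"sAMAccountName": "MYMACHINE$", "userAccountControl": "4096",
     "whenCreated": "20240102030405.0Z", "pwdLastSet": str(to_filetime(T0 + timedelta(seconds=2)))},
    {"sAMAccountName": "JOINED01$", "userAccountControl": "4096",
     "whenCreated": "20240102030405.0Z", "pwdLastSet": str(to_filetime(T0 + timedelta(days=30)))},
    {"sAMAccountName": "STAGED02$", "userAccountControl": "4098",
     "whenCreated": "20240102030405.0Z", "pwdLastSet": str(to_filetime(T0 + timedelta(seconds=2)))},
]

def audit_samples():
    return {r["sAMAccountName"]: audit(r) for r in SAMPLES}

if __name__ == "__main__":
    for name, found in audit_samples().items():
        print(name, found or "ok")
```

Leaving the account disabled (UF_ACCOUNTDISABLE set) until the computer is ready to join keeps a pre-created object such as STAGED02$ out of the findings.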


REFERENCES

For more information about the flags for the UserAccountControl attribute, click the following article number to view the article in the Microsoft Knowledge Base:

305144 How to use the UserAccountControl flags to manipulate user account properties


For more information about how to programmatically make accounts, click the following article number to view the article in the Microsoft Knowledge Base:

255042 How to make machine accounts programmatically by using ADSI with Visual C++


For more information about automating computer account creation in Windows XP, click the following article number to view the article in the Microsoft Knowledge Base:

315273 Automating the creation of computer accounts


