ADSI Scripting, Part 2
In the sixth installment of our seven-part series on scripting in Windows 2000 Active Directory, we will add users to groups using ADSI.
ADSI Scripting, Part 2
by Jim Hudson
This article is derived from Special Edition Using Active Directory, by Jim Hudson and Sean Fullerton (Que Publishing, November 2000).
Manipulating Groups with ADSI
In the last installment, we looked at WSH and using ADSI to create a user. Another common administrative task is adding users to groups. Although there is a perfectly good GUI interface for this in Active Directory Users and Computers, we can also do this from ADSI.
In this example, we will also take a slightly different slant on binding to Active Directory. Our example takes three or more command-line parameters. The first is the organizational unit, the second is the group name, and the third through nth parameters are existing users to add to the group. For example the command in Listing 1 will add the users kiley, abby, logan, landon, and allysa to the group consultants in the Sales OU of the current domain.
Listing 1
C:\>add2group3 sales consultants kiley abby logan landon allysa
The code for the utility is found in Listing 2. As before, we are going to look at the code one section at a time to understand how the utility works.
Listing 2
'set up error handling on error resume next 'set command line arguments set objargs=wscript.arguments 'serverless bind to root DSA Specific Entry set root=getobject("LDAP://rootDSE") 'get default naming context domainpath=root.get("DefaultNamingContext") 'get context for operation set ou=getobject("LDAP://ou=" & objargs(0) & "," & domainpath) 'get group to add to set grp=ou.getobject("group", "cn=" & objargs(1)) 'iterate through list of users and add to group for ctr=2 to (objargs.count-1) set usr=ou.getobject("user", "cn=" & objargs(ctr)) grp.add usr.adspath next
'set up error handling
As before, this simply allows us to recover from errors. In this utility, this is particularly useful because we can misspell a user's name or list a user that is already a member of the group, and the other users will still be successfully added. Note that there is no other error handling in this code, so if you want feedback on success or failure, you will need to add the appropriate code.
'set command line arguments
As before, this allows us to specify the users at the command line.
'serverless bind to root DSA Specific Entry (DSE)
Proper binding to AD is probably the critical component of ADSI binding. If you don't bind or bind to the wrong context, the code will not run. Binding to AD is conceptually the same as opening a connection to a SQL database. When I connect to a SQLServer, I connect to the target server and database before I start selecting or modifying data. The AD database is no different. Here, however, we avoid connecting to a specific server. It is the function of the SRV records in the DNS infrastructure to return an LDAP server "near" me to bind to and execute the LDAP commands.
Here we are binding to the rootDSE. The rootDSE holds information about the LDAP server that we need to continue our operation.
NOTE
Although we see no evidence of security in these examples, you will need to be logged on with credentials sufficient to perform these operations.
'get default naming context
This gets the default naming context. This is one reason why there is more binding code in this example than the previous one, but the command-line parameters are simpler. The defaultnamingcontext is the LDAP distinguished name of the domain this server is a member of.
'get context for operation
This sets the organizational unit that the group and users are members of.
'get group to add to
This sets the group that we are going to add users to. Notice that the call to getobject is different here than it was in the getobject call to rootDSE. If we call getobject without specifying the schema class name (in this instance, group) getobject returns the first object in the container with that name.
'iterate through list of users and add to group
Because we have written the utility to accept one or more users to add to the group, we do not know in advance how many users are on the command line. We can use the count property of the arguments collection to find that, however. The reason we are using count-1 is that the arguments collection is zero-basedthat is, the first argument is 0, the second argument is 1, and so on.
Because we have done all the work of binding to the AD upfront and have created our objects, all we have to do is iterate through the list of users and pass the adspath property of the user object to the add method of the group object.