
Using ADSI Objects

ADSI, the Active Directory Services Interface, is an object library very similar in nature to the FileSystemObject and WScript objects I covered in Chapters 11 and 12. ADSI is a bit more complicated than the objects you've worked with so far, mainly because the information ADSI deals with is inherently more complicated.

With the FileSystemObject, you learned to use CreateObject to have VBScript load the object's DLL into memory and provide a reference to your script. For example:


Dim oFSO
Set oFSO = CreateObject("Scripting.FileSystemObject")

That's not quite how you'll use ADSI, though. For example, to have ADSI change password policy in a domain named BRAINCORE, you'd use the following code.


' Bind to the existing domain through the WinNT provider
Set objDomain = GetObject("WinNT://BRAINCORE")

' Put changes each attribute only in the local copy held by the object
objDomain.Put "MinPasswordLength", 8
objDomain.Put "MinPasswordAge", 10
objDomain.Put "MaxPasswordAge", 45
objDomain.Put "MaxBadPasswordsAllowed", 3
objDomain.Put "PasswordHistoryLength", 8
objDomain.Put "AutoUnlockInterval", 30000
objDomain.Put "LockoutObservationInterval", 30000

' SetInfo saves the changes made by Put
objDomain.SetInfo

Notice that the GetObject statement is used, rather than CreateObject. I like to remember the difference by telling myself that I'm not trying to create a domain, just get to an existing one. Another important part of that statement is WinNT://, which tells ADSI which provider to use. The two main providers you'll work with are WinNT: and LDAP.

NOTE

ADSI provider names are case-sensitive, so be sure you're using WinNT and not winnt or some other derivation.


The WinNT provider can connect to any NT-compatible domain, including AD. Obviously, the provider cannot work with advanced AD functionality like organizational units (OUs), which don't exist in NT domains. The WinNT provider can also connect to the local SAM and other services on member and standalone computers. The LDAP provider can connect to any LDAP-compatible directory, such as the Exchange 5.5 directory or Active Directory. Both providers can be used to obtain a reference to an entire domain, an OU (in AD), users, groups, and much, much more. You'll even find areas of functionality that overlap with Windows Management Instrumentation (WMI); that's because ADSI is a bit older, and when WMI came on the scene, it started taking over. In fact, it's possible that someday ADSI will fade away entirely and that WMI will become the single means of accessing management information. For now, though, there's plenty that ADSI can do that WMI cannot.

Another important part of the GetObject statement is the ADsPath, which tells the provider what to connect to. In this example, the path was a simple domain name; it could also be a path like "//BRAINCORE/DonJ,user", which would connect to a user object named DonJ in the domain named BRAINCORE.

The object reference created by GetObject (in this case, the variable objDomain) has several basic methods:

  • Create. Creates a new object, provided the reference object is a container of some kind, like a domain or OU.

  • Get. Retrieves a specified attribute.

  • Put. Writes a specified attribute.

  • SetInfo. Saves changes made by Put.

  • Delete. Deletes an object, provided the reference object is a container of some kind.

These methods usually accept one or more parameters. In the example, the Put method requires the name of an attribute to change, along with a new value for the attribute. Obviously, the available attribute names depend on what type of directory you're working with; ADSI itself doesn't care, because it's designed to access any directory service. In the remainder of this chapter, I'll introduce you to what each of the two main providers can help you accomplish.
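A read-only companion to the password policy script above, as an added example that is not from the book: it binds to the same domain, reads each attribute back with Get, and reports any value that differs from what the chapter's script writes. It assumes it is run with cscript from a machine that can reach the BRAINCORE domain; the variable names and exit codes are illustrative choices.

```vbscript
Option Explicit

Const DOMAIN_PATH = "WinNT://BRAINCORE"   ' domain name from the text above

Dim dictExpected, objDomain, strAttr, varActual, lngErr, intProblems

' Expected values copied from the chapter's script; replace with your own baseline
Set dictExpected = CreateObject("Scripting.Dictionary")
dictExpected.Add "MinPasswordLength", 8
dictExpected.Add "MinPasswordAge", 10
dictExpected.Add "MaxPasswordAge", 45
dictExpected.Add "MaxBadPasswordsAllowed", 3
dictExpected.Add "PasswordHistoryLength", 8
dictExpected.Add "AutoUnlockInterval", 30000
dictExpected.Add "LockoutObservationInterval", 30000

' Bind to the existing domain and refresh the object's local copy of its attributes
On Error Resume Next
Set objDomain = GetObject(DOMAIN_PATH)
If Err.Number = 0 Then objDomain.GetInfo
lngErr = Err.Number
On Error GoTo 0
If lngErr <> 0 Then
    WScript.Echo "Cannot read " & DOMAIN_PATH & " (error 0x" & Hex(lngErr) & ")"
    WScript.Quit 2
End If

intProblems = 0
For Each strAttr In dictExpected.Keys
    ' Trap errors only around the read, so other mistakes still stop the script
    On Error Resume Next
    varActual = objDomain.Get(strAttr)
    lngErr = Err.Number
    On Error GoTo 0
    If lngErr <> 0 Then
        WScript.Echo "UNREADABLE " & strAttr & " (error 0x" & Hex(lngErr) & ")"
        intProblems = intProblems + 1
    ElseIf varActual <> dictExpected(strAttr) Then
        WScript.Echo "DRIFT " & strAttr & ": found " & varActual & ", expected " & dictExpected(strAttr)
        intProblems = intProblems + 1
    Else
        WScript.Echo "OK " & strAttr & " = " & varActual
    End If
Next

' A non-zero exit code lets a scheduled task or wrapper script flag the drift
If intProblems > 0 Then WScript.Quit 1
```

Because the script never calls Put or SetInfo, it changes nothing in the domain and can run under an account that has only read access.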
