Working with OUs

You'll likely do four basic things with an OU. By the way, some of these operations also apply to the built-in, OU-like containers: Users, Computers, and Built-In. Keep in mind that these are not proper OUs and cannot be accessed in quite the same way as I described in the previous chapter. In the next four sections, I'll demonstrate how to use ADSI to create, modify, query, and delete an OU.

Creating an OU

Creating an OU is simple enough. First, you need to obtain a reference to the parent of the new OU, and then use that object's Create method to create a new OU. To create a new top-level OU named Sales:

Dim objDomain, objNewOU

Set objDomain = GetObject("LDAP://dc=domain,dc=com")

Set objNewOU = objDomain.Create("organizationalUnit", "ou=Sales")

objNewOU.SetInfo

Classes and Attributes As you're working with AD, it's important to understand the system of classes and attributes that the AD schema uses for its organization. An attribute is some discrete piece of information, such as a name or description. A class is simply a collection of attributes that describes some real-world object. For example, a user is a class that includes attributes such as name, description, address, and so forth. A group is another class, which includes such attributes as name, description, and members. AD does not allow multiple attributes to use the same name. So, when you see two classes with the same attributes (such as description), both classes are actually using the same attribute definition from the AD schema. This sort of re-use makes AD very efficient. An instance is a copy of a class with its attributes' values filled in. For example, DonJ might be the name of a particular user. The user object you see in the AD GUI is an instance of the user class.

Notice that the Create method returns a reference to the newly created object, and I still have to call that object's SetInfo method to save the changes into the directory. I could also modify properties of the new OU prior to calling SetInfo. Let me extend this example and create both a top-level Sales OU and a child OU named West under that.

Dim objDomain, objNewOU

Set objDomain = GetObject("LDAP://dc=domain,dc=com")

Set objNewOU = objDomain.Create("organizationalUnit", _

 "ou=Sales")

objNewOU.SetInfo



Dim objChildOU

Set objChildOU = objNewOU.Create("organizationalUnit, "ou=West")

objChildOU.SetInfo

The child OU is created by using the Create method of its parent. If you want to create a child OU under an existing OU, you must obtain a reference to that existing OU first, not the domain.

Dim objParent, objNewOU

Set objParent = GetObject("LDAP://ou=Sales,dc=domain,dc=com")

Set objNewOU = objParent.Create("organizationalUnit", "ou=East")

objNewOU.SetInfo

Notice that the GetObject call is now focusing on a specific OU, meaning the new OU will be created under that specific OU.

Modifying an OU

Need to modify the attributes of an OU? No problem. Simply obtain a reference to it, use its Put method to change one or more attributes, and use SetInfo to save your changes.

Dim objOU

Set objOU = GetObject("LDAP://ou=Sales,dc=domain,dc=com")

objOU.Put "description", "Sales"

objOU.SetInfo

The trick to working with the Put method is that you have to know the name of the attributes that are available to you. One way to see them all is to look right in AD's schema. To do so:

Many of the optional attributes-the ones shown in the console with Optional as their type-may not make sense. For example, why would an OU need an associated PO box? Some of these attributes aren't even shown in the AD tools' user interface. Others, however, such as description, are definitely useful.

Using Put requires you to know the correct attribute name, including the correct capitalization, and the value that you want to put into that attribute.

Querying an OU

If you just want to read the attributes of an OU, you can use the Get method. Just get a reference to the OU, and then use Get to retrieve the attributes you're interested in.

Dim objOU

Set objOU = GetObject("LDAP://ou=Sales,dc=domain,dc=com")

WScript.Echo objOU.Get("description")

As with Put, you need to know the name of the attribute you're after. You should also understand about how ADSI works under the hood. When you call either Get or GetEx, both methods actually call a behind-the-scenes method called GetInfo. This method's job is to go out to AD and physically load the attributes and their values into a cache on the client. You can also call GetInfo directly, forcing ADSI to load attributes and their values from AD into your client's local attribute cache. Your scripts actually work with this cache. For example, if you suspect that someone else will be modifying AD info while your script is running, GetInfo will help ensure that your script's local cache has the latest AD data. Here's how.

Dim objOU

Set objOU = GetObject("LDAP://ou=Sales,dc=domain,dc=com")

objOU.GetInfo

Note that the Put method also works with the local cache; SetInfo writes the local cache back to AD. If you use Put to change an attribute, and then call GetInfo, your changes will be lost when the cache is refreshed. Always make sure you call SetInfo first to save the cache back to AD.

Deleting an OU

Deleting an object is perhaps the easiest operation: Connect to the object's parent and call its Delete method. Note that there's no "Are you sure?" confirmation, no possibility of undoing the deletion, and unless you have a backup, no way to reverse the operation. Here's how to do it.

Dim objOU

Set objOU = GetObject("LDAP:// dc=domain,dc=com")

objOU.Delete "organizationalUnit", "ou=HR"

In the case of an OU, every object in the OU will also be deleted, including users, groups, and child OUs. So, use this capability with extreme caution! Note that you do have to connect to the object's parent, just as if you were creating a new object; you cannot connect to the object itself and call Delete with no parameters.