
Chapter 16. Manipulating Users and Groups

With domains and OUs under your belt, you're ready to start writing scripts that manipulate and query the users and groups in your domains. I'll focus on using the LDAP provider for domain operations, and the WinNT provider for working with computers' local SAMs.

User and group maintenance is probably one of the top administrative tasks that you wanted to automate when you picked up this book. You may be interested primarily in domain user and group management, or local computer user and group management, or possibly both. Remember that the WinNT ADSI provider can be used both in NT domains and, for limited operations, in Active Directory (AD) domains. The WinNT provider also gives you access to the SAM on standalone and member servers and NT-based client computers, such as Windows XP machines. The LDAP provider is AD's native provider, and gives you the best access to AD's capabilities, including the ability to work with OUs.

In an AD domain, the WinNT provider gives you a flat view of the domain: All users are in a single space, not separated into containers and OUs. With the LDAP provider, however, you need to remain aware of your domain's OU structure, and you need to become accustomed to fully qualified domain names (FQDNs) that describe users and groups not only by their name, but also by their position within the domain's OU hierarchy.
