Creating Users and Groups
Creating users and groups is probably one of the most frequently automated tasks for administrators, or at least the task they'd most like to automate. Scripting makes it easy, whether you're using the WinNT provider or the LDAP provider.
The WinNT Way
With the WinNT provider, you start by obtaining a connection to the domain itself. Because all users and groups exist at the top level of the domain, you don't need to connect to a specific OU. Note that you can also use this technique to create local user and group accounts, by simply connecting directly to a non-domain controller instead of connecting to a domain.
TIP
If you want to create a user or group on a specific domain controller, thus making it available immediately on that domain controller without waiting for replication to occur, connect to the domain controller by name rather than connecting to the domain. Domain controllers don't technically have local accounts, so when you attempt to create new local accounts on a domain controller, you're really creating domain accounts.
After you are connected, simply use the Create method (much as I did with OUs in the previous chapter) to create the user account. Here's an example.
Dim oDomain, oUser
Set oDomain = GetObject("WinNT://DOMAIN")
Set oUser = oDomain.Create("user","DonJ")
Not much to it. You need to call SetInfo to save the new user, but first you probably want to set some of the user's attributes. Here's an extended example.
Dim oDomain, oUser
Set oDomain = GetObject("WinNT://DOMAIN")
Set oUser = oDomain.Create("user","DonJ")
'The WinNT provider caches the password and applies it when SetInfo runs
oUser.SetPassword "pa55w0rd!"
oUser.FullName = "Don Jones"
oUser.Description = "Author"
oUser.HomeDirectory = "\\server1\donj"
'9 = RASPRIV_DialinPrivilege (8) + RASPRIV_NoCallback (1): dial-in allowed, no callback
oUser.RasPermissions = 9
'Nothing is written to the domain until SetInfo is called
oUser.SetInfo
The WinNT provider helpfully exposes these attributes as properties of the user object, meaning you don't have to use raw attribute names like you do with the LDAP provider (which I'll cover next).
Creating a group requires a similar process.
Dim oDomain, oGroup
Set oDomain = GetObject("WinNT://DOMAIN")
Set oGroup = oDomain.Create("group","HelpDesk")
oGroup.SetInfo
Again, not much to it. Later in this chapter, I'll show you how to manipulate the group's membership list.
The LDAP Way
Creating groups and users with the LDAP provider is very similar, although because the LDAP provider is more generic than the WinNT provider, you have to provide a bit more detail in the way of attribute names. Also, because LDAP recognizes AD OUs, you need to connect to the parent object (either an OU or a container) that you want the new user or group to live in. If you just connect to the domain, the new object will be created in the domain's default container, which is generally the Users container. Here's an example.
Dim oUser, oGroup, oDomain
'Connect to the MIS OU
Set oDomain = GetObject("LDAP://ou=MIS,dc=domain,dc=com")
'Create a user
Set oUser = oDomain.Create("user", "cn=DonJ")
oUser.Put "sAMAccountName", "donj"
oUser.SetInfo
'create a group
Set oGroup = oDomain.Create("group", "cn=HelpDesk")
oGroup.Put "sAMAccountName", "HelpDesk"
oGroup.SetInfo
The overall layout is very similar to the WinNT way of doing things. However, when you create a new object, you must specify its common name (CN), such as cn=DonJ. You must also provide a value for one of the user class's mandatory attributes, sAMAccountName. Generally, that should be the same as the CN, without the cn= part. Finally, you call SetInfo to save everything.
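Here is an added example (my own script, not one from the chapter) that carries the LDAP approach through to a usable account: it checks that the CN is free, creates the user, and only then sets the password and enables the account, since the LDAP provider requires the object to exist before SetPassword can be called. The ou=MIS,dc=domain,dc=com path and the script name are placeholders; the password is read from standard input rather than hard-coded in the script.

```vbscript
' Added example: create and enable a domain user with the LDAP provider.
' Assumes an OU at ou=MIS,dc=domain,dc=com (placeholder path).
Option Explicit
Dim oOU, oUser, sAccount, sPassword, sOUPath

sOUPath = "ou=MIS,dc=domain,dc=com"

If WScript.Arguments.Count < 1 Then
    WScript.Echo "Usage: cscript newuser.vbs <sAMAccountName>"
    WScript.Quit 1
End If
sAccount = WScript.Arguments(0)

' Read the initial password from stdin so it never sits in the script file
WScript.StdOut.Write "Initial password: "
sPassword = WScript.StdIn.ReadLine

' Connect to the parent container; the new object is created beneath it
Set oOU = GetObject("LDAP://" & sOUPath)

' Refuse to continue if an object with this CN already exists
On Error Resume Next
Set oUser = GetObject("LDAP://cn=" & sAccount & "," & sOUPath)
If Err.Number = 0 Then
    WScript.Echo "Account already exists: " & oUser.ADsPath
    WScript.Quit 2
End If
Err.Clear
On Error GoTo 0

' Create the object; sAMAccountName is mandatory, so it must be set
' before the first SetInfo or the write will fail
Set oUser = oOU.Create("user", "cn=" & sAccount)
oUser.Put "sAMAccountName", sAccount
oUser.SetInfo

' With the LDAP provider the account must already exist before
' SetPassword is called, so these steps come after the first SetInfo.
' A new account is disabled by default; enable it only once a password
' is in place, and force the user to change it at first logon.
oUser.SetPassword sPassword
oUser.AccountDisabled = False
oUser.Put "pwdLastSet", 0
oUser.SetInfo

WScript.Echo "Created " & oUser.ADsPath
```

Run it with cscript so the password prompt and messages go to the console rather than to message boxes.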