
ADSI Scripting: TFM™

Cade Fassett

SAPIEN Press
Napa,California
ADSI Scripting: TFM™

Introduction to ADSI .................................................................... 1


What Is ADSI? ....................................................................................... 2
How Does ADSI Work? ......................................................................... 2
A Word About ADSI and Firewalls ................................................................................ 4

What Benefits Does ADSI Provide? ...................................................... 4


Multiple Language Support ........................................................................................... 4
Automation-Friendly...................................................................................................... 6
Simplicity....................................................................................................................... 6

What Can I Do With ADSI? ................................................................... 6


ADSI and WMI ....................................................................................... 7
ADSI Best Practices .............................................................................. 9
No Hard-Coded Passwords .......................................................................................... 9
Use Source Control ...................................................................................................... 9
Document Your Code ................................................................................................. 10
Test Your Scripts ........................................................................................................ 11

Learning ADSI ............................................................................ 13


The WinNT Provider ............................................................................ 14
When to Use WinNT ................................................................................................... 14
Connecting to the WinNT Provider ............................................................................. 15

The LDAP Provider.............................................................................. 17


When to Use LDAP..................................................................................................... 18
Connecting to the LDAP Provider ............................................................................... 18

Searching Active Directory with ADO .................................................. 20


Connecting to Active Directory with Alternate Credentials .................. 23
Error Handling ..................................................................................... 24
ADSI Errors................................................................................................................. 24
COM Errors................................................................................................................. 25
LDAP Errors................................................................................................................ 26

Now Put It to Use!................................................................................ 28


Further Reading................................................................................... 28
Books .......................................................................................................................... 28
Web Sites ................................................................................................................... 29


Using ADSI for System Administration.................................... 31


Managing Users .................................................................................. 32
Create a Domain User ................................................................................................ 32
Create a Local User .................................................................................................... 34
Delete a Domain User ................................................................................................ 34
Delete a Local User .................................................................................................... 35
Move a User to a Different OU ................................................................................... 35
Rename a User........................................................................................................... 36
Listing User Properties ............................................................................................... 36
Change User Properties ............................................................................................. 38
Copy Property from One Account to Another ............................................................. 39
List Group Membership .............................................................................................. 40
Test Group Membership ............................................................................................. 42
Adding User to Group ................................................................................................. 43
Removing User from Group ........................................................................................ 43
Change the User's Password ..................................................................................... 44
Get Date of Last Password Change ........................................................................... 45
Require User to Change Password ............................................................................ 46
Disable User Account ................................................................................................. 46
Enable User Account .................................................................................................. 47
Get Account Expiration Date ...................................................................................... 47
Unlock User Account .................................................................................................. 48
Work with Bitmasks (UserFlags and UserAccountControl) ........................................ 49
Create Users from Excel Spreadsheets ..................................................................... 51
Modify Users from Excel Spreadsheets ..................................................................... 53

Managing Groups ................................................................................ 54


Create a Domain Group.............................................................................................. 54
Create a Local Group ................................................................................................. 56
Delete a Domain Group .............................................................................................. 56
Delete a Local Group .................................................................................................. 57
List Group Members ................................................................................................... 57
Add Group Members .................................................................................................. 60
Remove Group Members ........................................................................................... 61

Managing Computers .......................................................................... 62


List All Computer Accounts in the Domain ................................................................. 62

Find Computer Accounts by Attribute ......................................................................... 64

Organizational Units (OUs).................................................................. 65


Create an Organizational Unit .................................................................................... 65
Create a Sub-OU ........................................................................................................ 66
Delete an Organizational Unit ..................................................................................... 67

Services ............................................................................................... 68
Get Service Status ...................................................................................................... 68
Start a Service ............................................................................................................ 69
Stop a Service ............................................................................................................ 69
Restart a Service ........................................................................................................ 70

File Shares .......................................................................................... 70


Create a File Share..................................................................................................... 70
Delete a File Share ..................................................................................................... 71
Configure a File Share ................................................................................................ 71

Printers ................................................................................................ 72
Pausing and Resuming a Print Queue ....................................................................... 72
Purging a Print Queue ................................................................................................ 73
Manage Individual Print Jobs...................................................................................... 73

Domains .............................................................................................. 74
Get Domain Password Policy ..................................................................................... 74

Active Directory GUI Mappings ................................................ 79


User Object .......................................................................................... 82
General Tab ................................................................................................................ 82
Address Tab ............................................................................................................... 84
Account Tab................................................................................................................ 86
Profile Tab .................................................................................................................. 88
Telephones Tab .......................................................................................................... 90
Organization Tab ........................................................................................................ 92
Member Of Tab........................................................................................................... 94
Object Tab .................................................................................................................. 96

Computer Object ................................................................................. 98


General Tab ................................................................................................................ 98
Operating System Tab .............................................................................................. 100
Member Of Tab......................................................................................................... 102

Location Tab ............................................................................................................. 104
Managed By Tab ...................................................................................................... 106
Object Tab ................................................................................................................ 108

Group Object ..................................................................................... 110


General Tab .............................................................................................................. 110
Members Tab............................................................................................................ 112
Member Of Tab......................................................................................................... 114
Managed By Tab ...................................................................................................... 116
Object Tab ................................................................................................................ 118

Organizational Unit (OU) Object ........................................................ 120


General Tab .............................................................................................................. 120
OU:Managed By Tab ................................................................................................ 122
Object Tab ................................................................................................................ 124

Shared Folder (Share) Object ........................................................... 126


General Tab .............................................................................................................. 126
Managed By Tab ...................................................................................................... 128
Object Tab ................................................................................................................ 130

Printer Object..................................................................................... 132


General Tab .............................................................................................................. 132

Managed By Tab ............................................................................... 134


Object Tab ................................................................................................................ 136

Domain Object ................................................................................... 138


General Tab .............................................................................................................. 138

Managed By Tab ............................................................................... 140


Object Tab ................................................................................................................ 142

Contact Object ................................................................................... 144


General Tab .............................................................................................................. 144
Address Tab ............................................................................................................. 146
Telephones Tab ........................................................................................................ 148
Organization Tab ...................................................................................................... 150
Member Of Tab......................................................................................................... 152
Object Tab ................................................................................................................ 154

WinNT Object Reference ......................................................... 157


Common Properties and Methods..................................................... 158
Properties ................................................................................................................. 158
Methods .................................................................................................................... 158
Standard Methods .................................................................................................... 159

(Class Object) .................................................................................... 161


Computer Object ............................................................................... 161
Properties ................................................................................................................. 162
Methods .................................................................................................................... 162

Domain Object ................................................................................... 163


Properties ................................................................................................................. 163
Methods .................................................................................................................... 164

FileService Object ............................................................................. 165


Properties ................................................................................................................. 165
Methods .................................................................................................................... 169

FileShare Object ................................................................................ 170


Properties ................................................................................................................. 170
Methods .................................................................................................................... 171

(FPNWFileService) ............................................................................ 171


(FPNWFileShare) .............................................................................. 171
(FPNWResource) .............................................................................. 172
(FPNWResourcesCollection) ............................................................ 172
(FPNWSession) ................................................................................. 172
(FPNWSessionsCollection) ............................................................... 172
Group Object ..................................................................................... 173
Properties ................................................................................................................. 173
Methods .................................................................................................................... 174

(GroupCollection Object) ................................................................... 175


LocalGroup Object............................................................................. 175
Properties ................................................................................................................. 175
Methods .................................................................................................................... 176

(LocalgroupCollection Object) ........................................................... 177


(Namespace) ..................................................................................... 177
PrintJob Object .................................................................................. 178
Properties ................................................................................................................. 178

Methods .................................................................................................................... 181

(PrintJobsCollection Object) .............................................................. 181


PrintQueue Object ............................................................................. 181
Properties ................................................................................................................. 182
Methods .................................................................................................................... 185

(Property Object) ............................................................................... 186


Resource Object ................................................................................ 186
Properties ................................................................................................................. 186
Methods .................................................................................................................... 187

(ResourcesCollection Object) ............................................................ 187


(Schema Object)................................................................................ 188
Service Object ................................................................................... 189
Properties ................................................................................................................. 189
Methods .................................................................................................................... 193

Session Object .................................................................................. 194


Properties ................................................................................................................. 195
Methods .................................................................................................................... 195

(SessionsCollection Object) .............................................................. 196


(Syntax Object) .................................................................................. 196
User Object ........................................................................................ 197
Properties ................................................................................................................. 197
Methods .................................................................................................................... 200

UserGroupCollection Object .............................................................. 200


Properties ................................................................................................................. 201
Methods .................................................................................................................... 202

LDAP Object Reference ........................................................... 203


Common Properties and Methods..................................................... 204
Properties ................................................................................................................. 204
Methods .................................................................................................................... 205
Standard Methods .................................................................................................... 206

(Class Object) .................................................................................... 206


Computer Object ............................................................................... 207
Properties ................................................................................................................. 207

Methods .................................................................................................................... 209

Contact Object ................................................................................... 209


Properties ................................................................................................................. 210
Methods .................................................................................................................... 212

Group Object ..................................................................................... 213


Properties ................................................................................................................. 213
Methods .................................................................................................................... 215

GroupCollection Object ..................................................................... 216


Properties ................................................................................................................. 217
Methods .................................................................................................................... 217

(Namespace) ..................................................................................... 218


OrganizationalUnit Object.................................................................. 219
Properties ................................................................................................................. 219
Methods .................................................................................................................... 220

PrintQueue Object ............................................................................. 221


Properties ................................................................................................................. 221
Methods .................................................................................................................... 223

(Property Object) ............................................................................... 224


(Schema Object)................................................................................ 225
(Syntax Object) .................................................................................. 226
User Object ........................................................................................ 227
Properties ................................................................................................................. 227
Methods .................................................................................................................... 232

UserGroupCollection Object .............................................................. 233


Properties ................................................................................................................. 233
Methods .................................................................................................................... 234

ADSI Error Codes ..................................................................... 235


Generic ADSI Error Codes ................................................................ 235
Generic COM Error Codes ................................................................ 237
LDAP Error Codes ............................................................................. 238
Index .......................................................................................... 243


Chapter 1

Introduction to ADSI
Welcome to the wonderful world of Active Directory Service
Interfaces, or ADSI. ADSI is a powerful tool provided by Microsoft
that enables you to manage directory services such as Active
Directory programmatically from your scripts and applications.
Unfortunately, documentation on ADSI has either been difficult to
find, or when you could find it, it turned out to be incredibly dense
and technical.
This book aims to change all of that by providing comprehensive
coverage of virtually everything ADSI has to offer. What’s more, I
hope to accomplish this without boring you to tears, which might be
what you’d experience if you tried to learn all of this from
Microsoft’s official ADSI documentation.
So sit back, relax, and enjoy the ride.


What Is ADSI?
Before I can really get down to teaching you much about how
ADSI works, you need to understand exactly what ADSI is, as well as
how it works and why you should even care. So that’s what the rest of
this chapter is about. Even if you think you already know this stuff,
please bear with me. There are a lot of misconceptions about the
details of ADSI, and I hope to clear a lot of those up in this chapter.
At its most basic, ADSI is simply a way of accessing information
from a directory service using a scripting language such as VBScript
or a full-blown programming language like C#. Using ADSI, you can
do things like creating and deleting user accounts, changing
passwords, and managing group memberships.
One other thing worth mentioning is that the name “Active
Directory Service Interfaces” can be a bit misleading. Most people
group the words in their minds as “(Active Directory) Service
Interfaces.” This implies that ADSI works only with Active
Directory, which is definitely not the case. ADSI works with a wide
variety of directory services including Windows NT and Novell
NetWare.

How Does ADSI Work?


ADSI is what’s known as an abstraction layer, which means ADSI
allows you to manage information within a directory without having
to know much about the inner workings of the underlying directory.
You can think of ADSI as a translator between the language of the
program or script and the language of the underlying directory. Much
like a translator of spoken languages, ADSI allows you to “speak” to
the directory without having to know its language.
ADSI performs this magic through Microsoft’s technology known
as the Component Object Model, or COM. The ADSI COM objects are
implemented in DLLs that reside on your system, and your code
instantiates them like any other COM object. The methods these objects
expose work just like functions in the code you write: they enable
you to perform all sorts of wizardry without having to know much
about the native interface of your chosen directory service.


Figure 1-1: ADSI Structure

As you can see in Figure 1-1, ADSI abstracts away the details of
the underlying directory structure. You never need to know exactly
what is going on under the hood of the directory. Instead, all you need
to know is how to access some fairly standardized COM objects from
within your program. ADSI then takes your requests as passed to the
COM objects, parses them into proper commands for the directory,
and sends them along. It does the same process in reverse to translate
any output from the directory back to your program.


A Word About ADSI and Firewalls


If there is a firewall between the computer on which you are
running your scripts and the directory server they are targeting, it is
important to make sure your firewall is properly configured,
otherwise your scripts will undoubtedly fail. Luckily, this
configuration is pretty simple.
Because the ADSI client COM objects reside on your local
computer, they are always accessible (provided everything is working
properly with COM on your local machine). Since these COM objects
just access the native interface of the directory service, they operate
over the standard ports of that directory. For example, access to
Microsoft’s Active Directory makes use of the Lightweight Directory
Access Protocol (LDAP), which is provided over TCP port 389. ADSI also
relies on whatever ports the directory’s supporting services use, such
as authentication and name resolution (for example, DNS), when it
connects. Thus, if you are behind a firewall, you need to make sure
these ports are accessible or your connection will fail. Of course, if
you are able to successfully connect through the firewall using that
protocol in a non-ADSI context, you are probably safe. Even so, it
certainly bears mentioning.
For other vendors, directory services, and non-standard
configurations, you need to consult your vendor’s documentation or
the responsible party in your organization.
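The firewall advice above is easiest to act on with a quick reachability check before an ADSI script runs, so a blocked port produces a clear message instead of a generic COM error. The following is an added example and not code from the book: it probes the ports an ADSI client typically needs on a domain controller. LDAP/389 is the port the chapter names; Kerberos/88 and DNS/53 are the standard ports for the authentication and name-resolution services it alludes to, and including them is an assumption about a default Active Directory setup. The probes are TCP only, and demo_on_localhost() lets the code run offline by standing up a local listener.

```python
import socket

# Added example (not from the book). Ports an ADSI client typically needs to
# reach on an Active Directory domain controller. LDAP/389 is the port the
# chapter names; Kerberos/88 and DNS/53 are the standard ports for the
# "authentication and network infrastructure" services it alludes to and are
# assumptions about a default setup. Adjust for LDAPS (636) or the global
# catalog if your scripts use them. Probes are TCP only.
DEFAULT_PORTS = {
    "ldap": 389,
    "kerberos": 88,
    "dns": 53,
}


def port_open(host, port, timeout=2.0):
    """True if a TCP connection to host:port completes within timeout seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:            # refused, filtered (timeout), unreachable, ...
        return False


def preflight(host, ports=None, timeout=2.0):
    """Probe each named port on host; returns {name: reachable}."""
    ports = DEFAULT_PORTS if ports is None else ports
    return {name: port_open(host, port, timeout) for name, port in ports.items()}


def blocked(results):
    """Names of the services that did not answer, sorted, for a clear error message."""
    return sorted(name for name, ok in results.items() if not ok)


def demo_on_localhost():
    """Offline demonstration: one listening socket stands in for a reachable
    LDAP port, and a socket that is bound but never listen()ed stands in for a
    port that a firewall or a stopped service refuses."""
    reachable = socket.socket()
    reachable.bind(("127.0.0.1", 0))
    reachable.listen(1)
    refused = socket.socket()
    refused.bind(("127.0.0.1", 0))       # bound, not listening: connect is refused
    try:
        ports = {"ldap": reachable.getsockname()[1],
                 "kerberos": refused.getsockname()[1]}
        return preflight("127.0.0.1", ports, timeout=1.0)
    finally:
        reachable.close()
        refused.close()


if __name__ == "__main__":
    import sys
    dc = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    results = preflight(dc)
    missing = blocked(results)
    print("unreachable on %s: %s" % (dc, ", ".join(missing) if missing else "none"))
```

Run it with the name of your domain controller as the first argument; a script can call preflight() at startup and stop with the list returned by blocked() before it ever binds to the directory.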

What Benefits Does ADSI Provide?


ADSI is an interesting tool in that at first glance it doesn’t seem to
do very much. If all ADSI does is translate your requests into the
language of the directory, then why do you need it? However, a more
detailed examination of the situation will make you very glad you
have ADSI in your toolkit.

Multiple Language Support


Many vendor-created programming interfaces support only one
language, or at best, a handful of languages. However, because ADSI
provides an abstraction layer to the directory that allows access
through any COM-aware language, it is possible to write applications
to access a particular directory service from a wide variety of
languages.
It’s okay if you don't understand what is going on in the code
samples in this chapter since the next few chapters include detailed
discussions of all the features of scripting with ADSI. So, for the time
being, take my word for it that these scripts actually do what they say
they do. After reading Chapters 2 and 3, feel free to come back to this
chapter when you have a better understanding of the workings of an
ADSI script.

Code 1-1: GetPasswordExpiration.vbs

On Error Resume Next

Set objComputer = GetObject("WinNT://.")

objComputer.Filter = Array("User")

For Each objUser In objComputer
    WScript.Echo objUser.Name & vbTab & objUser.Description
    WScript.Echo "Password expires: " & objUser.PasswordExpirationDate
    WScript.Echo ""
Next

Code 1-2: GetPasswordExpiration.pl

use strict;
use Win32::OLE;
use Win32::OLE::Enum;
use Win32::OLE::Variant;

my $objComputer = Win32::OLE->GetObject("WinNT://.,computer");

my $obj = Win32::OLE::Enum->new($objComputer);

foreach ($obj->All) {
    if (lc($_->{'Class'}) eq "user") {
        print "$_->{'Name'}\t$_->{'Description'}\n";
        print "\tPassword expires: $_->{'PasswordExpirationDate'}\n";
    }
}

The Perl code is a bit longer than the VBScript code because you
have to explicitly add references to Perl scripts to enable support for
COM objects. That’s what you see in the three “use Win32” lines at
the beginning of Code 1-2. However, once you have enabled this
feature in Perl, the syntax for accessing ADSI is remarkably similar,
allowing for the often drastic differences in syntax between VBScript
and Perl.
Ultimately, both of these scripts do almost exactly the same thing.
They read in the directory object for the local computer (that’s the
“GetObject” line in both scripts), then filter the listings in the
directory to include only user objects (the “objComputer.Filter” line
in VBScript, and the “if” line in Perl). Once that is done, they both
print out the user’s name, description, and the date when that user's
password is set to expire.

Automation-Friendly
Related to multiple language support is the idea of being
automation-friendly. Virtually all scripting and automation languages
that run on Windows support COM, including VBScript, Perl, and
Python. Since ADSI is also based on COM, you are not required to
learn a new programming language to develop scripts for automating
administrative tasks. As long as you can get to COM objects from a
language you know, you can continue to use that language for ADSI
scripting. This enables you to capitalize on the time you have already
spent learning that particular language instead of having to take the
time to learn a new language to automate directory service operations.

Simplicity
To put it mildly, compared to a lot of the directory-specific
protocols, ADSI is incredibly simple. Often the architecture of the
directory service is rather complex, as is the vendor-provided way of
accessing the service directly. However, by pulling this functionality
out into ADSI, you can use the ADSI programming model, which is
generally easier to learn.

What Can I Do With ADSI?


The rest of this book will answer this question. ADSI is an
incredibly powerful, feature-rich tool that enables you to do all kinds
of impressive things such as:
• Create an arbitrary number of test user accounts, give them
passwords, assign them to security groups, and then delete them
when you are finished testing.
• Get a list of all the accounts in your domain that have passwords
that expire within a certain number of days.
• Assign users to groups based on information from a file or
available in the directory.
• Create a command-line utility that allows you to instantly reset a
user’s password, assign a temporary random password, and set
the flag that requires users to change their password the next time
they log on.
• Get a list of open files on a fileserver, along with the user that has
a certain file open.
• Change the password for a local user account (e.g. Administrator)
on a list of computers over the network.
• Query the directory for a list of computers in an organizational
unit (OU), and then perform management operations on the
computers returned by the query using another management
technology such as WMI.
There are many other cool things you can do with ADSI, many of
which I will cover in this book. Most of the examples above can be
found in Chapter 3. You can also find a lot of useful ADSI scripts on
various Web sites. One of the best is Microsoft’s TechNet Script
Repository, which is available at
http://www.microsoft.com/technet/scriptcenter/scripts/.

ADSI and WMI


At this point, you may be wondering how ADSI relates to other
Microsoft administration and scripting technologies such as Windows
Management Instrumentation (WMI). ADSI is quite distinct from
WMI in terms of the functionality provided. However, there is a very
small amount of overlap in areas such as managing services.
ADSI is primarily concerned with managing users, groups,
computers, and other objects in a directory such as Microsoft’s Active
Directory. In contrast, WMI is mainly used for managing the
configuration of individual computer systems. Thus, while the aim of
each technology is different, they can easily be used in concert to
great effect.

Code 1-3: GetDomainIPs.vbs

strDomain = InputBox("Enter your domain name:")
strWorkstation = "."

Set objDomain = GetObject("WinNT://" & strDomain)
objDomain.Filter = Array("Computer")

On Error Resume Next

For Each objComputer In objDomain
    strComputer = objComputer.Name
    WScript.Echo vbCrLf & "Computer: " & strComputer

    Set objLocalWMI = GetObject("winmgmts:" _
        & "{impersonationLevel=impersonate}!\\" _
        & strWorkstation & "\root\cimv2")
    Set colPings = objLocalWMI.ExecQuery _
        ("SELECT * FROM Win32_PingStatus WHERE Address = '" _
        & strComputer & "'")
    strPingStatus = -1
    For Each objPing In colPings
        strPingStatus = objPing.StatusCode
    Next

    If strPingStatus = 0 Then
        Set objWMI = GetObject("winmgmts:" _
            & "{impersonationLevel=impersonate}!\\" _
            & strComputer & "\root\cimv2")
        Set colNICs = objWMI.ExecQuery _
            ("SELECT * FROM Win32_NetworkAdapterConfiguration " _
            & "WHERE IPEnabled=TRUE")
        For Each objIPConfig In colNICs
            If Not IsNull(objIPConfig.IPAddress) Then
                For i = 0 To UBound(objIPConfig.IPAddress)
                    WScript.Echo objIPConfig.IPAddress(i)
                Next
            End If
        Next
    Else
        WScript.Echo "Failure pinging " & strComputer
    End If
Next

Consider the VBScript code in Code 1-3. This code first uses an
InputBox to prompt the user for a domain name. Once it has the
domain name, it uses ADSI’s WinNT provider to connect to the domain
and retrieve a list of all computers in the directory. Then, for every
computer it finds, it first uses WMI to ping the machine and ensure that
it is alive, and then uses WMI again to retrieve every IP address
associated with every NIC on that computer. Finally, it echoes
(displays) these IP addresses back to the user.

As you can see, this is a handy tool to have because other network
tools such as IP scanners can only display IP addresses on the same
subnet as the scanning machine. With this script you can display
every IP address for every accessible machine even if the machine
has multiple NIC cards on multiple LAN segments.

ADSI Best Practices


If you’re thinking that the last thing this world needs is another
person spouting a collection of “best practices” that seem completely
arbitrary and totally useless – you’d be right. That’s why when I talk
about best practices, I try to be sure my concepts are concise, useful,
and reasonable. Of course you are free to disagree, but I hope you
will be able to glean some important information from this section.

No Hard-Coded Passwords
This is one of the most important practices that those of us in the
scripting community try to get people to employ. There is a good
reason for this - if your credentials are hard-coded into your script,
then anyone who has read access to that script file can gain access to
the account using those credentials. It also makes maintenance more
difficult since every time the password changes, the script fails to
function unless you remember to edit the password in the file. The
best solution is to prompt for a password when the script runs.
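The run-time prompt recommended above, as an added example in PowerShell (not code from the book): the credentials come from Get-Credential, the password reaches the directory only as an argument to the bind call, and the bind is forced immediately so a wrong password fails loudly rather than later in the script. The LDAP path is a placeholder; AuthenticationTypes.Secure is the .NET name for the ADS_SECURE_AUTHENTICATION flag that ADSI's OpenDSObject takes.

```powershell
# Added example (not from the book): bind with credentials collected when
# the script runs, never with a password written into the script file.
Add-Type -AssemblyName System.DirectoryServices

$Path = 'LDAP://dc1.example.local/DC=example,DC=local'   # placeholder path
$cred = Get-Credential -Message 'Account to use for the directory bind'

# Secure = Kerberos/NTLM authentication (ADS_SECURE_AUTHENTICATION);
# Sealing encrypts the session so attribute data does not cross the wire in the clear.
$authType = [System.DirectoryServices.AuthenticationTypes]::Secure -bor
            [System.DirectoryServices.AuthenticationTypes]::Sealing

# The clear-text password is read from the credential object only here, as a
# constructor argument; it is not kept in a variable or written anywhere.
$entry = New-Object -TypeName System.DirectoryServices.DirectoryEntry -ArgumentList @(
    $Path,
    $cred.UserName,
    $cred.GetNetworkCredential().Password,
    $authType
)

try {
    # Force the bind now so an authentication failure surfaces immediately
    # instead of somewhere later inside an On Error Resume Next block.
    $entry.RefreshCache()
    "Bound to {0} as {1}" -f $entry.Properties['distinguishedName'].Value, $cred.UserName
} catch {
    throw "Bind to $Path failed: $($_.Exception.Message)"
}
```

When a script has to run unattended and cannot prompt, the same constructor can be fed from a credential store the account running the job can read; the point of this section is only that the password never lives in the script file itself.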

Use Source Control


Source code control systems are a must if you are doing any serious
administrative scripting. Basically, a source code control (SCC)
system allows you to track revisions to your script files over time.
SCC even allows you to see the differences between any two versions
of your script, and roll back to previous versions if necessary.
The SCC product you are probably most familiar with is Microsoft’s
Visual SourceSafe, which is included with some versions of
Microsoft’s Visual Studio development package. However, I
personally don’t recommend SourceSafe, even if you have a license
and are a regular Visual Studio developer.
Instead, the product I recommend is Subversion, also known as
SVN, which is available from http://subversion.tigris.org. This
product is completely open-source and available free of charge for
unlimited use. While Subversion is used primarily by Linux users, the
software also runs on Windows. There is a Windows client program
called TortoiseSVN available from http://tortoisesvn.tigris.org that
integrates with Windows Explorer and makes using SVN a snap.

Document Your Code


This is one practice people often forget. When you’re in a hurry
writing code, you think you’ll remember what the code does the next
time you need to look at it, so you decide to leave the comments out.
This attitude is just plain wrong for several reasons.
If you have to make modifications to a script you wrote three
months ago, odds are you will not remember exactly what the critical
parts of the script are and what they do. This means you will waste
time examining the code to figure out what’s going on. You will go
through this with every script each time you need to modify it after
not working with the code for an extended period of time.
For this reason, not documenting your scripts is really a false
economy when it comes to saving time. Omitting comments saves a
miniscule amount of time when you first write the script, at the
expense of spending a significant amount of time down the road when
it comes time to make changes to your code. You don’t need to go
overboard and have more comments than you have lines of code.
However, if you take time to document every function and
subroutine, as well as a line or two explaining major blocks of your
code, it will help you down the road.
It is important to note that none of the code samples in this book
contain comments. However, this is not a “Do as I say, not as I do”
situation. I leave the comments out not only to save space in the
book, but also because the code is explained in the text itself.
Also, keep in mind that the code samples in this book are for
educational purposes, and are not necessarily production-ready. Any
script you write to use in a production environment should include
proper comments and documentation.

Test Your Scripts


For all but the simplest scripts, I highly recommend that you run
your scripts in a test environment before allowing them to run against
production machines. If you do not have a dedicated test lab and
cannot afford the hardware outlay to set one up, I suggest that you get
a copy of the free VMware Server software (from
http://www.vmware.com), and set up a small test environment that
closely mirrors the settings of your actual network/domain. In
addition to testing scripts, a test environment can be used for all kinds
of things such as testing patch rollouts and server configuration
changes. For this reason, it’s a good practice to have a test
environment set up whether you use it for scripting or not.

Chapter 4

Active Directory GUI Mappings


This chapter is the beginning of the reference portion of this book,
which means the rest of this book will be short on descriptive text.
For the most part, there will be a brief introduction to each chapter,
followed by a lot of screenshots, tables, and reference entries, with
very little narrative text.
Thus, if you are reading through this book for the first time, I
recommend that you read only the introductory sections of each
chapter, and then skim the reference material to get an idea of the
general content included in the chapter. This approach will give you a
better idea of where to find information when you start coding in the
“real world” and need to refer back to these chapters.
While I have already mentioned that ADSI can be used with a wide
variety of directory services, the vast majority of users will use ADSI
with Active Directory (AD) domains. For most AD administrators, a
lot of their time is spent with the Active Directory Users and
Computers (ADUC) GUI, which allows them to manage not only
users and computers, but also other AD objects such as organizational
units, security/distribution groups, and printers.
To make life easier for you as an administrator, the ADUC GUI
provides “friendly” labels for all of its fields such as “First Name,”
“User Logon Name,” and “Logon Script.” However, these labels
mask the confusing names given to the actual properties stored in the
directory. For the three examples mentioned above, these friendly
names correspond to the AD properties “givenName,”
“userPrincipalName,” and “scriptPath,” respectively.

Note: Case Sensitivity


Unlike the provider names (WinNT and LDAP), the property
names listed in this chapter are not case sensitive. Thus, for
"givenName," you can use "givenname," "GivenName," or
even "GIVENNAME" if you so prefer.

With scores of properties available within AD, it is easy to see how
things can get confusing. The purpose of this chapter is to reduce the
confusion by providing a screenshot of every page in the ADUC GUI
that has corresponding properties stored within AD. Accompanying
each screenshot is a table listing the ADUC label, the name of the
underlying property in AD, and a reference to that property’s
reference entry later in the book. This reference entry is where you
will find more detailed information on what the property is, what
information it provides, and how it can be used in your scripts and
applications.
Without further ado, let’s get to the meat of this chapter. I will start
with the dialog box pages for a user object since that is probably the
most commonly used dialog in the ADUC GUI, and thus likely to be
the most familiar to you. From there, I will move to other objects
such as groups, OUs, and printers.
All of the dialog boxes in this chapter are accessed from the
Properties dialog box of the associated object. In an effort to avoid
using convoluted language, I will introduce a simple syntax for this
chapter. For example, instead of referring to “the Account tab of the
Properties dialog for the User object,” I will refer to these using the
format Object:Tab.
This means the preceding example becomes User:Account.
Therefore, when you see the User:Account reference, you know the
GUI dialog can be found by accessing the properties of a User object
in AD, and then navigating to the Account tab. Using this format
should make things less painful for both of us.

User Object
For more information on the User object, see the following pages:
• WinNT Provider: Chapter 5, “User Object”
• LDAP Provider: Chapter 6, “User Object”

General Tab

Figure 4-1: User:General dialog

Table 4-1: GUI mappings for User:General

GUI Label                  Active Directory Property
First name                 givenName
Last name                  sn
Initials                   initials
Display name               displayName
Description                description
Office                     physicalDeliveryOfficeName
Telephone number           telephoneNumber
Telephone number, Other    otherTelephone
E-mail                     mail
Web page                   wwwHomePage
Web page, Other            url

Address Tab

Figure 4-2: User:Address dialog

Table 4-2: GUI mappings for User:Address

GUI Label          Active Directory Property
Street             streetAddress
P.O. Box           postOfficeBox
City               l (lowercase L, for locale)
State/province     st
Zip/Postal Code    postalCode
Country/region     co

Account Tab

Figure 4-3: User:Account dialog

Table 4-3: GUI mappings for User:Account

GUI Label                                Active Directory Property
User logon name                          userPrincipalName
User logon name (pre-Windows 2000)       sAMAccountName
Logon Hours                              logonHours
Log On To                                logonWorkstation
Account is locked out                    lockoutTime, lockoutDuration
User must change password at next logon  pwdLastSet
User cannot change password              N/A (stored in the ACL)
Other account options                    userAccountControl (bitmask)
Account expires                          accountExpires
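Several rows of this table are not readable as stored: userAccountControl is a bitmask, and pwdLastSet, lockoutTime and accountExpires are 64-bit FILETIME values that the LDAP provider hands back as IADsLargeInteger objects. The following is an added example in PowerShell (not code from the book) that reads those properties from a user and decodes them the way the Account tab does. The user path is a placeholder; the flag names and values are the documented ADS_UF_* constants, and the sentinel handling (0 and Int64.MaxValue meaning "not set" or "never") is AD's documented convention.

```powershell
# Added example (not from the book): decode the raw User:Account properties.
# $UserPath is a placeholder. Flag values are the documented ADS_UF_* constants.
$UserPath = 'LDAP://CN=Jane Doe,OU=Staff,DC=example,DC=local'   # placeholder

$UacFlags = [ordered]@{
    ACCOUNTDISABLE         = 0x000002
    LOCKOUT                = 0x000010   # not maintained by AD; lockoutTime is authoritative
    PASSWD_NOTREQD         = 0x000020   # review: account may have a blank password
    PASSWD_CANT_CHANGE     = 0x000040   # informational only; the GUI setting lives in the ACL
    NORMAL_ACCOUNT         = 0x000200
    DONT_EXPIRE_PASSWORD   = 0x010000   # review: password never expires
    SMARTCARD_REQUIRED     = 0x040000
    TRUSTED_FOR_DELEGATION = 0x080000   # review: unconstrained delegation
    NOT_DELEGATED          = 0x100000
    DONT_REQ_PREAUTH       = 0x400000   # review: Kerberos pre-authentication disabled
}

function ConvertFrom-AdsLargeInteger {
    # IADsLargeInteger (HighPart/LowPart) as returned by the LDAP provider -> Int64.
    # LowPart is a signed Int32, so it must be masked before being recombined.
    param($LargeInteger)
    ([int64]$LargeInteger.HighPart -shl 32) -bor ([int64]$LargeInteger.LowPart -band 0xFFFFFFFF)
}

function ConvertFrom-AdFileTime {
    # Int64 FILETIME -> local DateTime, or $null for the "not set"/"never" sentinels
    param([int64]$Value)
    if ($Value -le 0 -or $Value -eq [int64]::MaxValue) { return $null }
    [DateTime]::FromFileTimeUtc($Value).ToLocalTime()
}

$user = [ADSI]$UserPath
$uac  = [int]$user.userAccountControl.Value
$set  = @(foreach ($name in $UacFlags.Keys) { if ($uac -band $UacFlags[$name]) { $name } })
"userAccountControl = 0x{0:X}  [{1}]" -f $uac, ($set -join ', ')

# pwdLastSet = 0 is exactly what "User must change password at next logon" sets
$pwdLastSet = ConvertFrom-AdFileTime (ConvertFrom-AdsLargeInteger $user.pwdLastSet.Value)
if ($null -eq $pwdLastSet) { "User must change password at next logon" }
else                       { "Password last set: $pwdLastSet" }

# accountExpires = 0 or Int64.MaxValue both mean "never"
$expires = ConvertFrom-AdFileTime (ConvertFrom-AdsLargeInteger $user.accountExpires.Value)
if ($null -eq $expires) { "Account expires: never" } else { "Account expires: $expires" }

# lockoutTime = 0 means not locked; a non-zero value is the time the lockout
# began, and the GUI clears the box once the domain's lockoutDuration has elapsed
$lockedAt = ConvertFrom-AdFileTime (ConvertFrom-AdsLargeInteger $user.lockoutTime.Value)
if ($null -eq $lockedAt) { "Account is locked out: no" }
else                     { "Account is locked out: lockout recorded at $lockedAt" }
```

Run across an OU rather than a single user, the flag list is a quick way to find the accounts an auditor asks about first: those with PASSWD_NOTREQD, DONT_EXPIRE_PASSWORD or DONT_REQ_PREAUTH set.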

Profile Tab

Figure 4-4: User:Profile dialog

Table 4-4: GUI mappings for User:Profile

GUI Label                      Active Directory Property
User profile: Profile path     profilePath
User profile: Logon script     scriptPath
Home folder: Local path        homeDirectory
Home folder: Connect (drive)   homeDrive
Home folder: To (path)         homeDirectory

Telephones Tab

Figure 4-5: User:Telephones dialog

Table 4-5: GUI mappings for User:Telephones

GUI Label          Active Directory Property
Home               homePhone
Home, Other        otherHomePhone
Pager              pager
Pager, Other       otherPager
Mobile             mobile
Mobile, Other      otherMobile
Fax                facsimileTelephoneNumber
Fax, Other         otherFacsimileTelephoneNumber
IP phone           ipPhone
IP phone, Other    otherIpPhone
Notes              info

Organization Tab

Figure 4-6: User:Organization dialog

Table 4-6: GUI mappings for User:Organization

GUI Label         Active Directory Property
Title             title
Department        department
Company           company
Manager: Name     manager
Direct reports    directReports

Member Of Tab

Figure 4-7: User:Member Of dialog

Table 4-7: GUI mappings for User:Member Of

GUI Label       Active Directory Property
Member of       memberOf
Primary group   primaryGroupID

Object Tab

Figure 4-8: User:Object dialog

Table 4-8: GUI mappings for User:Object

GUI Label                  Active Directory Property
Canonical name of object   N/A
Object class               objectClass
Created                    whenCreated
Modified                   whenChanged
USNs: Current              uSNChanged
USNs: Original             uSNCreated

Computer Object
For more information on the Computer object, see the following
pages:
• WinNT Provider: Chapter 5, “Computer Object”
• LDAP Provider: Chapter 6, “Computer Object”

General Tab

Figure 4-9: Computer:General dialog

Table 4-9: GUI mappings for Computer:General

GUI Label                            Active Directory Property
Computer name (pre-Windows 2000)     sAMAccountName
DNS name                             dNSHostName
Role                                 userAccountControl (bitmask)
Description                          description

Operating System Tab

Figure 4-10: Computer:Operating System dialog

Table 4-10: GUI mappings for Computer:Operating System

GUI Label       Active Directory Property
Name            operatingSystem
Version         operatingSystemVersion
Service pack    operatingSystemServicePack

Member Of Tab

Figure 4-11: Computer:Member Of dialog

Table 4-11: GUI mappings for Computer:Member Of

GUI Label       Active Directory Property
Member of       memberOf
Primary group   primaryGroupID

Location Tab

Figure 4-12: Computer:Location dialog

Table 4-12: GUI mappings for Computer:Location

GUI Label   Active Directory Property
Location    location
