How to create a computer account in a Windows 2000 domain by using ADSI with Visual Basic (313038)



The information in this article applies to:

  • Microsoft Active Directory Services Interface, Microsoft Active Directory Client
  • Microsoft Active Directory Services Interface, System Component
  • Microsoft Visual Basic Enterprise Edition for Windows 6.0
  • Microsoft Visual Basic Professional Edition for Windows 6.0

This article was previously published under Q313038

INTRODUCTION

This article describes how to create a computer object in a Microsoft Windows 2000 domain by using Active Directory Services Interface (ADSI) with Microsoft Visual Basic.


Create the computer object in the Active Directory

To create the computer object, follow these steps:
  1. Bind to the parent container for computer objects.

    This is the location where all the computer objects for the domain are stored.
  2. Create a computer object in this container.
  3. Set the samAccountName attribute and the userAccountControl attribute on this computer object.

    The userAccountControl attribute can be set to enable or to disable the following flags:
    • UF_WORKSTATION_TRUST_ACCOUNT
    • UF_ACCOUNTDISABLE
    • UF_PASSWD_NOTREQD
    These flags are defined as constants in the sample code in step 2 of the "Build the sample in Visual Basic" section.
  4. Set the initial password for the computer object by using the SetPassword method.
  5. Modify the security descriptor for the computer object to add an Access Control Entry (ACE).

    You add the ACE for the user or for the group that you want to have permissions to the computer object.
  6. Enable the computer account.

Build the sample in Visual Basic

To build the sample, follow these steps:
  1. Start Visual Basic 6.0, and then open a new Standard EXE project.

    Note: Make sure that you are logged on to the client as a domain administrator for the targeted domain. You must do this so that you can create computer objects in the Active Directory.
  2. Double-click Form View. Add the following code to the Form_Load() subroutine.

    Note: Make sure that you have made the appropriate modifications to the sections that are indicated in the sample code.
    '----Constants----
    
    Const UF_WORKSTATION_TRUST_ACCOUNT = &H1000
    Const UF_ACCOUNTDISABLE = &H2
    Const UF_PASSWD_NOTREQD = &H20
    Const ADS_GUID_COMPUTRS_CONTAINER = "aa312825768811d1aded00c04fd8d5cd"
    Const ADS_ACETYPE_ACCESS_ALLOWED = 0
    Const ADS_ACEFLAG_INHERIT_ACE = 2 
    
    '----Parameters ----
    
    lFlag = UF_WORKSTATION_TRUST_ACCOUNT Or UF_ACCOUNTDISABLE Or UF_PASSWD_NOTREQD
    'Modify the following two variants based on the name of the computer
    'object that you want to create and the name of the group that you want 
    'to have permissions to this computer object.
    sComputer = "myMachine"
    sUserOrGroup = "MYDOMAIN\MyGroup" 'Who can join this computer?
    
    '----Build a well-known guid adspath for the computer container.----
    
    Set rootDSE = GetObject("LDAP://RootDSE")
    sPath = "LDAP://<WKGUID=" & ADS_GUID_COMPUTRS_CONTAINER
    sPath = sPath + ","
    sPath = sPath + rootDSE.Get("defaultNamingContext")
    sPath = sPath + ">"
    
    Set compCont = GetObject(sPath)
    
    'Bind again to get the correct ADsPath.
    sPath = "LDAP://" & compCont.Get("distinguishedName")
    Set compCont = GetObject(sPath)
    
    '----Create a computer object.----
    
    Set comp = compCont.Create("computer", "CN=" & sComputer)
    comp.Put "samAccountName", sComputer + "$"
    comp.Put "userAccountControl", lFlag
    comp.SetInfo
    
    '----Set an initial password.----
    
    sPwd = sComputer 
    sPwd = StrConv(sPwd, vbLowerCase)
    comp.SetPassword sPwd
    
    '----Set security.----
    
    Set sd = comp.Get("ntSecurityDescriptor")
    Set dacl = sd.DiscretionaryAcl
    
    '----Set ACE.----
    
    Set ace = CreateObject("AccessControlEntry")
    ace.AccessMask = -1 'Full Permission (Allowed)
    ace.AceType = ADS_ACETYPE_ACCESS_ALLOWED
    ace.Trustee = sUserOrGroup
    
    '----ACL----
    
    dacl.AddAce ace
    sd.DiscretionaryAcl = dacl
    
    '----SD----
    
    comp.Put "ntSecurityDescriptor", Array(sd)
    
    comp.SetInfo
    
    '----Enable the account.----
    ' A Windows 2000 domain computer account does not have to be enabled.
    comp.AccountDisabled = False
    comp.SetInfo
    						
  3. Click Project, click Add Reference, click the COM tab, and then add the references to the Active DS Type Library.
  4. Click OK to close the Add Reference dialog box.
  5. Click Start, and then click Run.

    After you run the code, the enabled computer account object is created in the Computers container in the Active Directory. The name of the enabled computer account object is the name that you specified in the code.

    You can also run this code from a VBScript file.
  6. Verify that the computer account object was created. To do this, follow these steps:
    1. Locate the Administrative Tools application group on a domain controller for this domain.
    2. Click Active Directory Users and Computers.
    3. Click the Computers container.

      The newly created computer account object appears in this container.
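
The following VBScript is an added example, not part of the original article's sample: it reviews the two things the sample leaves on the finished account, the userAccountControl flags and the ACE added with AccessMask = -1. The function names (DecodeUac, GrantsControl, AuditComputer) are hypothetical, the ADS_RIGHT_* values come from ADSI's ADS_RIGHTS_ENUM rather than from the article, and the input values are constructed to mirror the sample so that the script runs without a domain.

```vbscript
Option Explicit

' Flag values as defined in the article's sample.
Const UF_ACCOUNTDISABLE = &H2
Const UF_PASSWD_NOTREQD = &H20
Const UF_WORKSTATION_TRUST_ACCOUNT = &H1000
' Access-mask bits from ADSI's ADS_RIGHTS_ENUM (not defined in the article).
Const ADS_RIGHT_WRITE_DAC = &H40000
Const ADS_RIGHT_WRITE_OWNER = &H80000
Const ADS_RIGHT_GENERIC_ALL = &H10000000

' Names of the article's three flags that are set in lUac.
Function DecodeUac(lUac)
    Dim s
    s = ""
    If (lUac And UF_WORKSTATION_TRUST_ACCOUNT) <> 0 Then s = s & " WORKSTATION_TRUST_ACCOUNT"
    If (lUac And UF_ACCOUNTDISABLE) <> 0 Then s = s & " ACCOUNTDISABLE"
    If (lUac And UF_PASSWD_NOTREQD) <> 0 Then s = s & " PASSWD_NOTREQD"
    DecodeUac = Trim(s)
End Function

' True when an allow ACE's mask lets the trustee take control of the object.
Function GrantsControl(lMask)
    Dim lControl
    lControl = ADS_RIGHT_GENERIC_ALL Or ADS_RIGHT_WRITE_DAC Or ADS_RIGHT_WRITE_OWNER
    GrantsControl = (lMask And lControl) <> 0
End Function

' Review one account; aTrustees and aMasks are parallel arrays of allow ACEs.
Function AuditComputer(sName, lUac, aTrustees, aMasks)
    Dim i, sOut
    sOut = sName & ": userAccountControl=&H" & Hex(lUac) & " (" & DecodeUac(lUac) & ")" & vbCrLf
    If (lUac And UF_ACCOUNTDISABLE) = 0 And (lUac And UF_PASSWD_NOTREQD) <> 0 Then
        sOut = sOut & "  FINDING: enabled with PASSWD_NOTREQD still set" & vbCrLf
    End If
    For i = 0 To UBound(aTrustees)
        If GrantsControl(aMasks(i)) Then
            sOut = sOut & "  FINDING: " & aTrustees(i) & " holds control rights (mask &H" & Hex(aMasks(i)) & ")" & vbCrLf
        End If
    Next
    AuditComputer = sOut
End Function

' Constructed values mirroring the sample: the flags written at creation, the
' flags after AccountDisabled = False, and the ACE the sample adds (mask -1).
Dim lCreated, lEnabled
lCreated = UF_WORKSTATION_TRUST_ACCOUNT Or UF_ACCOUNTDISABLE Or UF_PASSWD_NOTREQD
lEnabled = lCreated And Not UF_ACCOUNTDISABLE
WScript.Echo AuditComputer("myMachine$ (created)", lCreated, Array(), Array())
WScript.Echo AuditComputer("myMachine$ (enabled)", lEnabled, Array("MYDOMAIN\MyGroup"), Array(-1))
```

Against a live domain, pass comp.Get("userAccountControl") and the Trustee and AccessMask of each ACE in sd.DiscretionaryAcl in place of the constructed values.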

REFERENCES

For additional information about how to programmatically make accounts, see the following article in the Microsoft Knowledge Base:

255042 How to make machine accounts programmatically by using ADSI with Visual C++

For additional information about automating computer account creation in Windows XP, see the following article in the Microsoft Knowledge Base:

315273 Automating the creation of computer accounts

For additional information about automating computer account creation in Windows 2000, see the following article in the Microsoft Knowledge Base:

222525 Automating the creation of computer accounts



Modification Type: Major
Last Reviewed: 5/6/2004
Keywords: kbcode kbHOWTOmaster KB313038 kbAudDeveloper