How to create a computer account in a Windows 2000 domain by using ADSI with Visual Basic (313038)
The information in this article applies to:
- Microsoft Active Directory Services Interface, Microsoft Active Directory Client
- Microsoft Active Directory Services Interface, System Component
- Microsoft Visual Basic Enterprise Edition for Windows 6.0
- Microsoft Visual Basic Professional Edition for Windows 6.0
This article was previously published under Q313038

INTRODUCTION

This article describes how to create a computer object in a Microsoft Windows 2000 domain by using Active Directory Services Interface (ADSI) with Microsoft Visual Basic.

Create the computer object in the Active Directory

To create the computer object, follow these steps:
- Bind to the parent container for computer objects. This is the location where all the computer objects for the domain are stored.
- Create a computer object in this container.
- Set the samAccountName attribute and the userAccountControl attribute on this computer object. The userAccountControl attribute can be set to enable or to disable the following flags:
  - UF_WORKSTATION_TRUST_ACCOUNT
  - UF_ACCOUNTDISABLE
  - UF_PASSWD_NOTREQD
  These flags are defined as constants in the sample code in step 2 of the "Build the sample in Visual Basic" section.
- Set the initial password for the computer object by using the SetPassword method.
- Modify the security descriptor for the computer object to add an Access Control Entry (ACE). You add the ACE for the user or for the group that you want to have permissions to the computer object.
- Enable the computer account.

Build the sample in Visual Basic

To build the sample, follow these steps:
- Start Visual Basic 6.0, and then open a new Standard EXE project.
  Note: Make sure that you are logged on to the client as a domain administrator for the targeted domain. You must do this so that you can create computer objects in the Active Directory.
- Double-click Form View. Add the following code to the Form_Load() subroutine.
  Note: Make sure that you have made the appropriate modifications to the sections that are indicated in the sample code.

'----Constants----
Const UF_WORKSTATION_TRUST_ACCOUNT = &H1000
Const UF_ACCOUNTDISABLE = &H2
Const UF_PASSWD_NOTREQD = &H20
Const ADS_GUID_COMPUTRS_CONTAINER = "aa312825768811d1aded00c04fd8d5cd"
Const ADS_ACETYPE_ACCESS_ALLOWED = 0
Const ADS_ACEFLAG_INHERIT_ACE = 2
'----Parameters ----
lFlag = UF_WORKSTATION_TRUST_ACCOUNT Or UF_ACCOUNTDISABLE Or UF_PASSWD_NOTREQD
'Modify the following two variants based on the name of the computer
'object that you want to create and the name of the group that you want
'to have permissions to this computer object.
sComputer = "myMachine"
sUserOrGroup = "MYDOMAIN\MyGroup" 'Who can join this computer?
'----Build a well-known guid adspath for the computer container.----
Set rootDSE = GetObject("LDAP://RootDSE")
sPath = "LDAP://<WKGUID=" & ADS_GUID_COMPUTRS_CONTAINER
sPath = sPath + ","
sPath = sPath + rootDSE.Get("defaultNamingContext")
sPath = sPath + ">"
Set compCont = GetObject(sPath)
'Bind again to get the correct ADsPath.
sPath = "LDAP://" & compCont.Get("distinguishedName")
Set compCont = GetObject(sPath)
'----Create a computer object.----
Set comp = compCont.Create("computer", "CN=" & sComputer)
comp.Put "samAccountName", sComputer + "$"
comp.Put "userAccountControl", lFlag
comp.SetInfo
'----Set an initial password.----
sPwd = sComputer
sPwd = StrConv(sPwd, vbLowerCase)
comp.SetPassword sPwd
'----Set security.----
Set sd = comp.Get("ntSecurityDescriptor")
Set dacl = sd.DiscretionaryAcl
'----Set ACE.----
Set ace = CreateObject("AccessControlEntry")
ace.AccessMask = -1 'Full Permission (Allowed)
ace.AceType = ADS_ACETYPE_ACCESS_ALLOWED
ace.Trustee = sUserOrGroup
'----ACL----
dacl.AddAce ace
sd.DiscretionaryAcl = dacl
'----SD----
comp.Put "ntSecurityDescriptor", Array(sd)
comp.SetInfo
'----Enable the account.----
' A Windows 2000 domain computer account does not have to be enabled.
comp.AccountDisabled = False
comp.SetInfo

- Click Project, click Add Reference, click the COM tab, and then add the references to the Active DS Type Library.
- Click OK to close the Add Reference dialog box.
- Click Start, and then click Run.
  After you run the code, the enabled computer account object is created in the Computers container in the Active Directory. The name of the enabled computer account object is the name that you specified in the code.
  You can also run this code from a VBScript file.
- Verify that the computer account object was created. To do this, follow these steps:
  - Locate the Administrative Tools application group on a domain controller for this domain.
  - Click Active Directory Users and Computers.
  - Click the Computers container.
  The newly created computer account object appears in this container.
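
The sample clears only UF_ACCOUNTDISABLE when it enables the account, so the object is left with userAccountControl 4128 (&H1020): an enabled workstation trust account with UF_PASSWD_NOTREQD still set. The following Python code is an added example, not part of the original article; it audits an LDIF-style export for computer accounts in that state. The sample entries, the domain name, and the simplified LDIF parsing (no base64 values or folded lines) are assumptions.

```python
# userAccountControl bits, same values as the constants in the article's sample.
FLAGS = {
    "UF_ACCOUNTDISABLE": 0x0002,
    "UF_PASSWD_NOTREQD": 0x0020,
    "UF_WORKSTATION_TRUST_ACCOUNT": 0x1000,
}

# Constructed LDIF-style export; names and values are illustrative only.
SAMPLE_LDIF = """\
dn: CN=myMachine,CN=Computers,DC=mydomain,DC=example
sAMAccountName: myMachine$
userAccountControl: 4128

dn: CN=staged01,CN=Computers,DC=mydomain,DC=example
sAMAccountName: staged01$
userAccountControl: 4130

dn: CN=joined01,CN=Computers,DC=mydomain,DC=example
sAMAccountName: joined01$
userAccountControl: 4096
"""

def decode_uac(value):
    """Return the names of the known flags set in a userAccountControl value."""
    return {name for name, bit in FLAGS.items() if value & bit}

def parse_ldif(text):
    """Split a simple LDIF-style export into one attribute dict per entry."""
    entries = []
    for block in text.strip().split("\n\n"):
        pairs = (line.split(": ", 1) for line in block.splitlines() if ": " in line)
        entries.append(dict(pairs))
    return entries

def audit(text):
    """List enabled computer accounts that still carry UF_PASSWD_NOTREQD."""
    findings = []
    for entry in parse_ldif(text):
        flags = decode_uac(int(entry.get("userAccountControl", "0")))
        if ("UF_WORKSTATION_TRUST_ACCOUNT" in flags
                and "UF_PASSWD_NOTREQD" in flags
                and "UF_ACCOUNTDISABLE" not in flags):
            findings.append(entry["sAMAccountName"])
    return findings

if __name__ == "__main__":
    for name in audit(SAMPLE_LDIF):
        print(name, "is enabled and has UF_PASSWD_NOTREQD set")
```

In the constructed data, 4130 is the value the sample writes before the account is enabled, and 4096 is a workstation trust account with neither of the other two flags set.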

REFERENCES

For additional information about how to programmatically make accounts, click the following article number to view the article in the Microsoft Knowledge Base:
255042
How to make machine accounts programmatically by using ADSI with Visual C++
For additional information about automating computer account creation in Windows XP, click the following article number to view the article in the Microsoft Knowledge Base:
315273
Automating the creation of computer accounts
For additional information about automating computer account creation in Windows 2000, click the following article number to view the article in the Microsoft Knowledge Base:
222525
Automating the creation of computer accounts

Modification Type: Major
Last Reviewed: 5/6/2004
Keywords: kbcode kbHOWTOmaster KB313038 kbAudDeveloper