Automating the creation of computer accounts (315273)



The information in this article applies to:

  • Microsoft Windows XP Home Edition
  • Microsoft Windows XP Professional
  • Microsoft Windows XP 64-Bit Edition
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional
  • Microsoft Windows 2000 Server
  • Microsoft Windows Server 2003, Enterprise Edition
  • Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
  • Microsoft Windows Server 2003, Enterprise x64 Edition
  • Microsoft Windows Server 2003, Standard Edition
  • Microsoft Windows Server 2003, Web Edition

This article was previously published under Q315273

SUMMARY

This article describes how to automate the creation of computer accounts. Two methods are described:
  • netdom
  • Scripting the computer account using Active Directory Service Interface (ADSI) and Windows Script Host

MORE INFORMATION

Creating Computer Accounts Using "NETDOM"

Note that you should use only the Windows XP version of netdom, which is included with the Windows XP CD in the Support\Tools\Support.cab file. Previous versions do not work correctly for all features in Windows XP.

You can use netdom from the command line (or call it optionally from a batch file) to script computer account creation. This sample creates only the computer account and displays how you can specify credentials of an authorized user who has permissions to create computer accounts in the domain. Follow this example of the syntax for the netdom command

netdom join ComputerName /domain:DomainName /userd:User /passwordd:UserPassword

where User is a user with permission to join the domain.

For more information about using NETDOM, click the following article number to view the article in the Microsoft Knowledge Base:

150493 How to join a domain from the command line

Scripting the Computer Account Using ADSI and Windows Script Host

Using Active Directory Services Interface (ADSI) and Windows Script Host (WSH), an administrator can create a Visual Basic Script (VBScript) to automate the creation of computer accounts.

For more information about Visual Basic Scripting, visit the following Microsoft Web site:
To use this method, create a script as outlined in the following sample script, and then save the file with a .vbs extension. To run the file, double-click the file or type cscript myscript.vbs at a command prompt.

Sample Script

'***********************
'* Start Script
'***********************

Dim sComputerName, sUserOrGroup, sPath, computerContainer, rootDSE, lFlag
Dim secDescriptor, dACL, ACE, oComputer, sPwd

'*********************************************************************
'* Declare constants used in defining the default location for the 
'* machine account, flags to identify the object as a machine account,
'* and security flags
'*********************************************************************

Const UF_WORKSTATION_TRUST_ACCOUNT = &H1000
Const UF_ACCOUNTDISABLE = &H2
Const ADS_GUID_COMPUTRS_CONTAINER = "aa312825768811d1aded00c04fd8d5cd"
Const ADS_ACETYPE_ACCESS_ALLOWED = 0
Const ADS_ACEFLAG_INHERIT_ACE = 2

'*********************************************************************
'* Set the flags on this object to identify it as a machine account
'* and determine the name.  The name is used statically here, but may 
'* be determined by a command line parameter or by using an InputBox
'*********************************************************************

lFlag = UF_WORKSTATION_TRUST_ACCOUNT Or UF_ACCOUNTDISABLE
sComputerName = "TestAccount"

'*********************************************************************
'* Establish a path to the container in the Active Directory where
'* the machine account will be created.  In this example, this will
'* automatically locate a domain controller for the domain, read the 
'* domain name, and bind to the default "Computers" container
'*********************************************************************

Set rootDSE = GetObject("LDAP://RootDSE")
sPath = "LDAP://<WKGUID=" & ADS_GUID_COMPUTRS_CONTAINER
sPath = sPath + ","
sPath = sPath + rootDSE.Get("defaultNamingContext")
sPath = sPath + ">"
Set computerContainer = GetObject(sPath)
sPath = "LDAP://" & computerContainer.Get("distinguishedName")
Set computerContainer = GetObject(sPath)

'*********************************************************************
'* Here, the computer account is created.  Certain attributes must
'* have a value before calling .SetInfo to commit (write) the object
'* to the Active Directory
'*********************************************************************

Set oComputer = computerContainer.Create("computer", "CN=" & sComputerName)
oComputer.Put "samAccountName", sComputerName + "$"
oComputer.Put "userAccountControl", lFlag
oComputer.SetInfo

'*********************************************************************
'* Establish a default password for the machine account
'*********************************************************************

sPwd = sComputerName & "$"
sPwd = LCase(sPwd)
oComputer.SetPassword sPwd

'*********************************************************************
'* Specify which user or group may activate/join this computer to the 
'* domain.  In this example, "MYDOMAIN" is the domain name and
'* "JoeSmith" is the account being given the permission.  Note that 
'* this is the downlevel naming convention used in this example.
'*********************************************************************

sUserOrGroup = "MYDOMAIN\joesmith"

'*********************************************************************
'* Bind to the Discretionary ACL on the newly created computer account
'* and create an Access Control Entry (ACE) that gives the specified
'* user or group full control on the machine account
'*********************************************************************

Set secDescriptor = oComputer.Get("ntSecurityDescriptor")
Set dACL = secDescriptor.DiscretionaryAcl
Set ACE = CreateObject("AccessControlEntry")

'*********************************************************************
'* An AccessMask of "-1" grants Full Control
'*********************************************************************

ACE.AccessMask = -1
ACE.AceType = ADS_ACETYPE_ACCESS_ALLOWED
ACE.AceFlags = ADS_ACEFLAG_INHERIT_ACE

'*********************************************************************
'* Grant this control to the user or group specified earlier.
'*********************************************************************

ACE.Trustee = sUserOrGroup

'*********************************************************************
'* Now, add this ACE to the DACL on the machine account
'*********************************************************************

dACL.AddAce ACE
secDescriptor.DiscretionaryAcl = dACL

'*********************************************************************
'* Commit (write) the security changes to the machine account
'*********************************************************************

oComputer.Put "ntSecurityDescriptor", Array(secDescriptor)
oComputer.SetInfo

'*********************************************************************
'* Once all parameters and permissions have been set, enable the 
'* account.
'*********************************************************************

oComputer.AccountDisabled = False
oComputer.SetInfo

'*********************************************************************
'* Create an Access Control Entry (ACE) that gives the specified user 
'* or group full control on the machine account
'*********************************************************************

wscript.echo "The command completed successfully."

'*****************
'* End Script
'*****************
Microsoft provides programming examples for illustration only, without warranty either expressed or implied. This includes, but is not limited to, the implied warranties of merchantability or fitness for a particular purpose. This article assumes that you are familiar with the programming language that is being demonstrated and with the tools that are used to create and to debug procedures. Microsoft support engineers can help explain the functionality of a particular procedure, but they will not modify these examples to provide added functionality or construct procedures to meet your specific requirements.

For more information about UserAccountControl flags , click the following article number to view the article in the Microsoft Knowledge Base:

305144 How to use the UserAccountControl flags to manipulate user account properties


Modification Type:MajorLast Reviewed:5/4/2006
Keywords:kbinfo KB315273