QC20N
asked on
How do I disable a computer by using ADSI?
I need to find a solution to disable a computer by using ADSI.
I know how to disable a user, as you can see in the code, but I don't know how to do it on a computer.
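procedure DisabledUser;
var
  User: IADsUser;
begin
  CoInitializeEx(nil, COINIT_MULTITHREADED);
  // 'LDAP path' is the poster's placeholder for the rest of the distinguished name
  if SUCCEEDED(ADsGetObject('LDAP://cn=' + Query1.FieldByName('Employee').AsString + ',LDAP path', IADsUser, User)) then
  begin
    if not User.AccountDisabled then
    begin
      User.AccountDisabled := True;
    end;
    User.SetInfo;  // commit the property cache to the directory
    // Clear the reference before CoUninitialize; Delphi releases interfaces
    // itself, so a manual _Release would release the object twice
    User := nil;
  end;
  CoUninitialize;
end;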
ASKER
Yes, I know the link, and it is true that it does not appear that there is a way to disable a computer using IADS. What I expect to achieve by disabling a computer is the same as when a user is disabled. It should not be allowed to access our Active Directory environment.
The setup of our environment is that when a user retires from our company, both the user and the computer are disabled. Today we do it by using "Active Directory Users and Computers".
ASKER
Anyone that could help me?
I think if I were asking this question I would find out how to do it through Active Directory first. Then try to use Delphi to accomplish the same thing. To that end I would ask the question in a Windows forum first. I am no Active Directory expert.
Another thing you might try is using the active directory APIs to enumerate objects. If you can find out how the computer enumeration looks then the same call you are using may be able to retrieve the active directory computer. Then you could see if there is a disable capability in that interface.
ASKER
I have tried to find info about this, but haven't been able to do that. And I have no idea how to approach this. I don't know how to enumerate objects. I was hoping that someone here could help me.
I must apologize about my slow responses. The Code Rage developer conference is going on all this week so I will not have a lot of time to look into it. Looks like next Monday I would be able to try to look into a solution, but I do not have access to an Active Directory to test with. If you can wait until then I should be able to do the research that will get you started.
ASKER
Sure, any help is good.
I did find this code for using LDAP in Delphi.
http://cc.embarcadero.com/Item/16879
I also found out that you will need to 1) get the computer object 2) set the AccountDisabled = True and 3) call SetInfo. Here is the link to the VB scripting sample of doing what you are trying to do.
http://gallery.technet.microsoft.com/ScriptCenter/en-us/ac6c44dd-db2f-487a-a51f-3ecb69b9386c
If you still need more, let me know. As I mentioned before, I do not currently have access to an LDAP directory to test against, so you will need to try and let me know how it goes.
ASKER
I have looked at these links, but I can't understand how to use it.
I'm not interested in creating an account to download stuff.
You really should create the free account. This will get you the ability to download the LDAP routines from the people who make Delphi. If you are not willing to create an account to download the content, I am legally not able to circumvent their web site and get it for you. I found it for you, but I cannot download it for you. You are the only one who can do that.
ASKER
But I already use a unit ActiveDs_TLB and unit adshlp. Should they not be good enough?
ASKER
Ok. Created the free account and downloaded the LDAP files. But how do I use them?
The function CHECK shows an example of how the classes were intended to be used. Look it over. Copy what they have done and modify it to what you need. Let me know if you have more questions.
ASKER
Is this the one:
function Check(const Server:string;const PortNumber:integer; const Uid,Password,BaseDN:string ):boolean;
If so, I don't see this as an example. :)
cause I can't find the example you are talking about.
The source code of that function is at the bottom of the source. It shows the objects to create and an example of how to use them. Once the initial objects are created in source code, Delphi will show you all of the methods you can call on them. This will let you experiment and change the source to do what you want. If you cannot find the code behind the function I do not think it would be bad to post just that code. Let me know if you are unable to find it.
ASKER
Is this the one?
If not, then I can't find it.
function Check(const Server:string;const PortNumber:integer; const Uid,Password,BaseDN:string):boolean;
var
  dn:string;
  conn:ldapConnection;
  el1:ldapEntryList;
begin
  result:=true;
  try
    try
      // Open the connection with empty bind credentials
      Conn:=ldapConnection.Create;
      Conn.Open(Server,'','',PortNumber);
      el1:=ldapEntryList.create;
      // Look up the entry by uid; uid is concatenated into the filter as-is
      Conn.Search(el1,baseDN,'(uid='+uid+')');
      if (el1.Count=1) then dn:=el1.dn[0] else dn:='';
      // Exactly one match: re-bind as that DN to check the password
      if dn='' then Result:=false else Conn.ReBind(dn,Password);
    finally
      el1.Free;
      conn.Close;
      conn.free;
    end;
  except
    Result:=false;
  end;
end;
That is the one. You notice that they start by creating a connection. Then they create an ldapEntryList (to be used as a parameter to the search). Next they run the search. The list of results is in the entry list. You should be able to use this to search for the computer. Once you have that you should be able to use methods of the resulting object to disable the object.
Let me know how it goes.
ASKER
I'm sorry to say, but I really don't think this is the right way to approach this. I already use ADSI to "talk" to Active Directory. I have been using this link
http://www.agnisoft.com/white_papers/active_directory.asp
ASKER
Geert_Gruwez have you any ideas?
ASKER
I'm about to close this question. How should I close this question?
ASKER
Anyone who can help?
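var
  User: IADsUser;
  Computer: IADsComputer;
begin
  CoInitializeEx(nil, COINIT_MULTITHREADED);
  // Bind to the computer object, then ask the same object for IADsUser
  if SUCCEEDED(ADsGetObject('LDAP://cn=' + Query1.FieldByName('Computername').AsString + ',LDAP path', IADsComputer, Computer)) and
     SUCCEEDED(Computer.QueryInterface(IADsUser, User)) then
  begin
    User.AccountDisabled := True;  // disable the computer account
    User.SetInfo;                  // commit the change to the directory
    Computer.SetInfo;
    // Clear the references instead of calling _Release; Delphi releases them itself
    User := nil;
    Computer := nil;
  end;
  ...
end;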
Obtain an IADsUser interface for the new computer object by using the IDispatch::QueryInterface.
You have to get the IADsUser interface to the computer object, which sounds completely wrong, but as described by the following KB, you can then use the AccountDisabled property to enable/disable the computer account.
http://support.microsoft.com/kb/255042
Obtain an IADsUser interface for the new computer object by using the IDispatch::QueryInterface method returned by the IADsContainer::Create call. The IADsUser interface allows easy access to specific properties of the new computer account such as samAccountName, AccountDisabled, and the IADsSecurityDescriptor interface.
Set samAccountName to the computer name with a "$" appended to the end.
Set the initial password for the new computer account using the IADsUser::SetPassword method. The initial password for the machine account must be set to the name of the computer in lower case.
Add Access Control Entry for the user or group that has permissions to add the machine to the domain. The access control entry rights added by the sample code grants full permissions to the trustee. When the ADSI Users and Computers snap-in is used to add a computer account, specific access control entry is added to the ACL that grant the minimum rights necessary to join the computer to the domain. Note that determining the minimum access right (Access Control Entry) is left as an exercise for the reader. Reference the ADSI User and Computers snap-in documentation for details on how to view the extended rights for the machine account.
Enable the computer account by setting the IADsUser::AccountDisabled property to zero.
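Added example, not part of the original thread or the KB article: the answer above toggles IADsUser::AccountDisabled; on the LDAP provider that property corresponds to the ADS_UF_ACCOUNTDISABLE bit (0x2) of userAccountControl, so one routine can disable either a user or a computer object and read the flag back to confirm it. It assumes the ActiveDs_TLB and adshlp units mentioned in the thread, with ADsGetObject declared as the thread's code calls it; DisableAccount, OffboardEmployee and the distinguished names are hypothetical.

```delphi
uses
  SysUtils, ActiveX, ComObj, ActiveDs_TLB, adshlp;

const
  ADS_UF_ACCOUNTDISABLE = $0002; // userAccountControl bit: account is disabled

// Hypothetical helper: disables the user or computer object at ADsPath and
// re-reads the attribute from the directory to confirm the change.
function DisableAccount(const ADsPath: string): Boolean;
var
  Obj: IADs;
  Flags: Integer;
begin
  Result := False;
  // Same call form as in the thread; the adshlp declaration is assumed.
  if not Succeeded(ADsGetObject(ADsPath, IADs, Obj)) then
    Exit;
  try
    Flags := Obj.Get('userAccountControl');
    if (Flags and ADS_UF_ACCOUNTDISABLE) = 0 then
    begin
      Obj.Put('userAccountControl', Flags or ADS_UF_ACCOUNTDISABLE);
      Obj.SetInfo; // write the property cache to the directory
    end;
    Obj.GetInfo;   // reload the cache so the check reflects the directory
    Flags := Obj.Get('userAccountControl');
    Result := (Flags and ADS_UF_ACCOUNTDISABLE) <> 0;
  except
    on EOleSysError do
      Result := False; // e.g. insufficient rights or attribute not readable
  end;
end;

// Hypothetical offboarding step: disable the user and the computer together.
// Both distinguished names below are constructed placeholders.
procedure OffboardEmployee;
begin
  CoInitializeEx(nil, COINIT_MULTITHREADED);
  try
    if not DisableAccount('LDAP://CN=Jane Doe,OU=Staff,DC=example,DC=com') then
      raise Exception.Create('User account was not disabled');
    if not DisableAccount('LDAP://CN=PC-0042,OU=Workstations,DC=example,DC=com') then
      raise Exception.Create('Computer account was not disabled');
  finally
    CoUninitialize;
  end;
end;
```

The read-back after GetInfo gives the offboarding job a result it can log per account, so a failed write for lack of rights on the computer object does not pass silently.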
Did that work??
ASKER
Sorry for the late reply, I will follow up on this.
Although the question has been answered (33636096) when reviewing I see it has been an open question for more than a year.
ASKER
Don't delete. It is working.
>>Don't delete. It is working.
And as such, is a reference for others.
@QC20N,
Please award points and keep this from being deleted.
Sorry got ahead of myself.
ASKER
Should I do anything now?
I think that finishes it, looks good.
Thanks for the response.
http://msdn.microsoft.com/en-us/library/aa705980(VS.85).aspx
It does not appear that there is a way to disable a computer using IADS. It would help to know what you expect to achieve by disabling a computer. There are interfaces that would allow you to turn the computer off. There are interfaces that would allow you to disable the network connection. If you could be more specific about what you want to accomplish perhaps another way can be found.