Welcome to part one of a multi-part tutorial series, VBScript for Windows System Administrators. The goal of this series is to teach non-programmers how to write useful VBS code to automate their environment and perform tasks faster and in a more consistent fashion. I am not a professional programmer, and I am not a professional author. I'm just an admin who has found that VBS has made my life much, much easier, and I'd like to share that with you. I hope you enjoy reading this series as much as I've enjoyed writing it.
As Admins, a lot of our job revolves around managing users, user settings, and everything else in Active Directory. The majority of this series will focus on that. I will also be going into reading/writing text files, and working with Excel automation. For the sake of staying on topic, I'm going to make a few assumptions: You know your way around AD pretty well, and understand basic concepts such as Organizational Units, Containers, Users, Groups, Contacts, etc. If you need any help understanding those topics, please take a moment to browse this site before continuing:
http://technet.microsoft.com/en-us/library/cc780336.aspx
Ok. For the duration of this series, we will be working with a simple forest/domain AD. One forest, one domain. The FQDN of the domain is mydomain.local, and the AD structure looks like this:
mydomain.local
    Builtin
    Computers
    Disabled
    DLs
    Domain Controllers
    Employees
    ForeignSecurityPrincipals
    LostAndFound
    Microsoft Exchange System Objects
    NTDS Quotas
    Program Data
    Security Groups
    Servers
    Service Accounts
    System
    Users
    Workstations
In the above directory structure, the end-user accounts are all in the Employees OU, PCs are all in the Workstations OU, and servers are all in the Servers OU. The Disabled OU is where accounts are moved to when they are disabled, and the Service Accounts OU contains various service accounts for the domain (cluster administrator account, custom application service accounts, SQL service accounts, etc).
Ok. With that out of the way, on to the basics of VBS. Although Notepad will work for writing scripts, I HIGHLY recommend writing your code in an IDE (integrated development environment). The benefits of this are many, but some of my favorites are the built-in debugging, highlighting of reserved words, and auto-completion. My personal favorite is PrimalScript, by Sapien (www.sapien.com), but there are lots of them. For the duration of this series, I will assume you are using PrimalScript (there's a 30-day free trial, so play along). Now that we have our development environment, let's do something. Open a new, blank VBScript, and type the following code.
wscript.echo("Hello World!")
Press F7 to run the script. The output window will display the text Hello World! Congratulations, you just wrote your first script! I know it doesn't look like much, but that one method (wscript.echo) will help you immensely in debugging scripts. You can insert it nearly anywhere in a script to output the value of a variable to check that the script is actually doing what you want it to do.
Now that you've successfully written your first script, let's cover some basics of logic. The two logic blocks you'll likely use most are If...Then...Else and For...Next.
If...Then Example:
i = 2
If i > 0 Then
    Wscript.echo("i is a positive number")
ElseIf i < 0 Then
    Wscript.echo("i is a negative number")
End If
The output of the code above would be: i is a positive number
For...Next Example:
For i = 0 to 10
    Wscript.echo(i)
Next
The output of the code above would be 0 1 2 3 4 5 6 7 8 9 10, with each number being displayed on its own line. Another example of a For...Next loop is the For Each form:
For each object in objects
    wscript.echo(object)
Next
In the code above, objects represents a group of items, and object is actually a variable name. The code below would do the exact same thing:
For each item in objects
    wscript.echo(item)
Next
This code is most frequently used when iterating objects in Active Directory. But before we get to that code, we need to learn how to attach to AD objects. To do so, we want to use the ADSPath of the object, which is the DN of the object preceded by LDAP://. Using our example directory structure above, if we had a user named John Doe in the Employees OU, the ADSPath for the user would be LDAP://CN=John Doe,OU=Employees,DC=mydomain,DC=local. To get a handle to that user, we would use the following code.
Set oUser = GetObject("LDAP://CN=John Doe,OU=Employees,DC=mydomain,DC=local")
oUser is a variable name, and can be anything you want it to be. Some people like to use objUser to signify a user object; I prefer the shorter oUser. You could just as easily use cat or house or baseball and get the same result.
Set baseball = GetObject("LDAP://CN=John Doe,OU=Employees,DC=mydomain,DC=local")
We will use the oUser version for the remainder of this article (it helps to use descriptive variable names, the script will be easier to understand that way). Now that we have a handle to the user object in AD, what do we want to do with it? How about change the user's description?
Set oUser = GetObject("LDAP://CN=John Doe,OU=Employees,DC=mydomain,DC=local")
oUser.Description = "My User"
Now we have changed the user's description. However, this was only changed in the cache. To actually commit the change to Active Directory, we need to use the SetInfo() method.
Set oUser = GetObject("LDAP://CN=John Doe,OU=Employees,DC=mydomain,DC=local")
oUser.Description = "My User"
oUser.SetInfo()
Voilà! You have just programmatically changed the description of a user. Now, if we expand on that and use our For...Next loop, we would want to get a handle to the OU:
Set oOU = GetObject("LDAP://OU=Employees,DC=mydomain,DC=local")
For each oUser in oOU
    oUser.Description = "My User"
    oUser.SetInfo()
Next
Again, in the above code, oUser is simply a variable name. I chose to use oUser again because it is a good descriptor for the object type I'm working with, but I could have just as easily said:
For each baseball in oOU
But it just doesn't read as well. So, what does the above code do? It goes through each object in the Employees OU and sets the description to My User. This is one of the reasons that good AD organization is key: we don't like it when OUs contain multiple types of objects (users mixed with computers mixed with groups). It makes coding more difficult. It can still be done, but now you have to evaluate the type of each object you're working with. For instance, let's assume there is a fictional OU named Objects that contains a mix of objects. Our goal is to set the description of all the user objects to My User but not modify any of the other objects. This could be accomplished by doing the following:
Set oOU = GetObject("LDAP://OU=Objects,DC=mydomain,DC=local")
For each oUser in oOU
    ' ADSI reports the class in lower case ("user") and VBScript string
    ' comparison is case-sensitive, so normalize with LCase before comparing
    If LCase(oUser.Class) = "user" Then
        oUser.Description = "My User"
        oUser.SetInfo()
    End If
Next
We combined If...Then and For...Next in order to accomplish our goal.
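A more defensive version of the loop above, as an added example that is not part of the original article: it previews each change, records the old description before overwriting it, and reports per-object failures instead of stopping the run. The constants OU_PATH, NEW_DESC and COMMIT and the helper functions ReadDescription and WriteDescription are names made up for this example.

```vbscript
Option Explicit
' Assumed example values (not from the original article); adjust to your directory.
Const OU_PATH  = "LDAP://OU=Objects,DC=mydomain,DC=local"
Const NEW_DESC = "My User"
Const COMMIT   = False   ' False = preview only; True = write to AD

Dim oOU, oObj, sOld, nChanged, nSkipped, nFailed
nChanged = 0 : nSkipped = 0 : nFailed = 0
Set oOU = GetObject(OU_PATH)

For Each oObj In oOU
    ' Class comes back in lower case ("user") and "=" on strings is
    ' case-sensitive in VBScript, so normalize before comparing.
    If LCase(oObj.Class) <> "user" Then
        nSkipped = nSkipped + 1
    Else
        sOld = ReadDescription(oObj)
        ' Log the old value first so the change can be reviewed or undone.
        WScript.Echo oObj.ADsPath & vbTab & "old=[" & sOld & "]" & _
                     vbTab & "new=[" & NEW_DESC & "]"
        If COMMIT And sOld <> NEW_DESC Then
            If WriteDescription(oObj, NEW_DESC) Then
                nChanged = nChanged + 1
            Else
                nFailed = nFailed + 1
            End If
        End If
    End If
Next
WScript.Echo "changed=" & nChanged & " skipped=" & nSkipped & " failed=" & nFailed

' Returns the current description, or "" if it cannot be read as a string.
Function ReadDescription(oUser)
    On Error Resume Next
    ReadDescription = ""
    ReadDescription = "" & oUser.Description
    On Error GoTo 0
End Function

' Writes and commits one object; reports an error instead of aborting the run.
Function WriteDescription(oUser, sNew)
    Dim nErr, sErr
    On Error Resume Next
    oUser.Description = sNew
    oUser.SetInfo
    nErr = Err.Number : sErr = Err.Description
    On Error GoTo 0
    WriteDescription = (nErr = 0)
    If nErr <> 0 Then WScript.Echo "FAILED " & oUser.ADsPath & " 0x" & Hex(nErr) & " " & sErr
End Function
```

Run it with cscript.exe so the output goes to the console and can be redirected to a file, and switch COMMIT to True only after reviewing the preview.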
Want to modify other attributes of a user? No problem. The next installment of VBScripting for Windows System Administrators will focus on how to locate that evasive AD field you want to modify.
Until then, spend your time wisely organizing your AD to make it conducive to scripting. :-)
-exx1976
Comments (2)
Commented:
http://www.microsoft.com/downloads/details.aspx?FamilyID=2cc30a64-ea15-4661-8da4-55bbc145c30e&displaylang=en
Commented:
http://www.microsoft.com/downloadS/details.aspx?familyid=D187C9D7-FFA8-49CD-BB33-363DB8FA481E&displaylang=en