VBScript for Windows System Administrators - Part 1

Welcome to part one of a multi-part tutorial series, VBScript for Windows System Administrators.  The goal of this series is to teach non-programmers how to write useful VBS code to automate their environment and perform tasks faster and more consistently.  I am not a professional programmer, and I am not a professional author.  I'm just an admin who has found that VBS has made my life much, much easier, and I'd like to share that with you.  I hope you enjoy reading this series as much as I've enjoyed writing it.

As Admins, a lot of our job revolves around managing users, user settings, and everything else in Active Directory.  The majority of this series will focus on that.  I will also be going into reading/writing text files, and working with Excel automation.  For the sake of staying on topic, I'm going to make a few assumptions:  You know your way around AD pretty well, and understand basic concepts such as Organizational Units, Containers, Users, Groups, Contacts, etc.  If you need any help understanding those topics, please take a moment to browse this site before continuing:  http://technet.microsoft.com/en-us/library/cc780336.aspx

Ok.  For the duration of this series, we will be working with a simple forest/domain AD.  One forest, one domain.  The FQDN of the domain is mydomain.local, and the AD structure looks like this:

   Domain Controllers
   Microsoft Exchange System Objects
   NTDS Quotas
   Program Data
   Security Groups
   Service Accounts

In the above directory structure, the end-user accounts are all in the Employees OU, PCs are all in the Workstations OU, and servers are all in the Servers OU.  The Disabled OU is where accounts are moved to when they are disabled, and the Service Accounts OU contains various service accounts for the domain (cluster administrator account, custom application service accounts, SQL service accounts, etc).

Ok.  With that out of the way, on to the basics of VBS.  Although Notepad will work for writing scripts, I HIGHLY recommend writing your code in an IDE (integrated development environment).  The benefits of this are many, but some of my favorites are the built-in debugging, highlighting of reserved words, and auto-completion.  My personal favorite is PrimalScript, by Sapien (www.sapien.com), but there are lots of them.  For the duration of this series, I will assume you are using PrimalScript (there's a 30-day free trial, so play along).  Now that we have our development environment, let's do something.  Open a new, blank VBScript, and type the following code.

wscript.echo("Hello World!")

Press F7 to run the script.  The output window will display the text "Hello World!"  Congratulations, you just wrote your first script!  I know it doesn't look like much, but that one method (wscript.echo) will help you immensely in debugging scripts.  You can insert it nearly anywhere in a script to output the value of a variable to check that the script is actually doing what you want it to do.

Now that you've successfully written your first script, let's cover some basics of logic.  The two logic blocks you'll likely use most are If...Then...Else and For...Next.

If...Then Example:

i = 2
If i > 0 Then
    Wscript.echo("i is a positive number")
ElseIf i < 0 Then
    Wscript.echo("i is a negative number")
End If

The output of the code above would be "i is a positive number"

For...Next Example:

For i = 0 to 10
    Wscript.echo(i)
Next

The output of the code above would be 0 1 2 3 4 5 6 7 8 9 10, with each number displayed on its own line.  Another example of a For...Next loop is

For each object in objects
    ' work with object here
Next

In the code above, objects represents a group of items, and "object" is actually a variable name.  The code below would do the exact same thing

For each item in objects
    ' work with item here
Next

This code is most frequently used when iterating objects in Active Directory.  But before we get to that code, we need to learn how to attach to AD objects.  To do so, we want to use the ADSPath of the object, which is the DN of the object preceded by LDAP://.  Using our example directory structure above, if we had a user named John Doe in the Employees OU, the ADSPath for the user would be LDAP://CN=John Doe,OU=Employees,DC=mydomain,DC=local.  To get a handle to that user, we would use the following code.

Set oUser = GetObject("LDAP://CN=John Doe,OU=Employees,DC=mydomain,DC=local")

oUser is a variable, and can be anything you want it to be.  Some people like to use objUser to signify a user object; I prefer the shorter method of simply oUser.  You could just as easily use "cat" or "house" or "baseball" and get the same result.

Set baseball = GetObject("LDAP://CN=John Doe,OU=Employees,DC=mydomain,DC=local")

We will use the oUser version for the remainder of this article (it helps to use descriptive variable names, the script will be easier to understand that way).  Now that we have a handle to the user object in AD, what do we want to do with it?  How about change the user's description?

Set oUser = GetObject("LDAP://CN=John Doe,OU=Employees,DC=mydomain,DC=local")
oUser.Description = "My User"

Now we have changed the user's description.  However, this was only changed in the local property cache.  To actually commit the change to Active Directory, we need to use the SetInfo() method.

Set oUser = GetObject("LDAP://CN=John Doe,OU=Employees,DC=mydomain,DC=local")
oUser.Description = "My User"
oUser.SetInfo

Voilà!  You have just programmatically changed the description of a user.  Now, if we expand on that, and use our For...Next loop, we would want to get a handle to the OU:

Set oOU = GetObject("LDAP://OU=Employees,DC=mydomain,DC=local")
For each oUser in oOU
    oUser.Description = "My User"
    oUser.SetInfo
Next

Again, in the above code, oUser is simply a variable name.  I chose to use oUser again because it is a good descriptor for the object type I'm working with, but I could have just as easily said

For each baseball in oOU

But it just doesn't read as well.  So, what does the above code do?  It goes through each object in the Employees OU and sets the description to "My User".  This is one of the reasons that good AD organization is key:  We don't like it when there are OUs that have multiple types of objects in them (users mixed with computers mixed with groups).  It makes coding more difficult.  It can still be done, but now you have to evaluate the type of each object you're working with.  For instance, let's assume there is a fictional OU named "Objects" and it contains a mix of objects.  Our goal is to set the description of all the user objects to "My User" but not modify any of the other objects.  This could be accomplished by doing the following:

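Set oOU = GetObject("LDAP://OU=Objects,DC=mydomain,DC=local")
For each oUser in oOU
    ' Class returns the schema class name ("user"); VBScript's = is case-sensitive for strings
    If LCase(oUser.Class) = "user" Then
        oUser.Description = "My User"
        oUser.SetInfo
    End If
Next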

We combined If...Then and For...Next in order to accomplish our goal.
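A bulk write like the one above is easier to trust when it can be previewed and leaves a record of what it replaced. The following is an added example, not code from the original article: it walks the same fictional Objects OU, logs each user's old description, and only commits when DRY_RUN is set to False. The DRY_RUN constant and the helper names ReadDescription and CommitDescription are assumptions made for this sketch.

```vbscript
Option Explicit

' Assumed settings for this sketch (not from the article)
Const DRY_RUN = True              ' True = report only, False = commit with SetInfo
Const NEW_DESCRIPTION = "My User"
Const OU_PATH = "LDAP://OU=Objects,DC=mydomain,DC=local"

Dim oOU, oObj, sOld, nChanged, nFailed
nChanged = 0 : nFailed = 0

Set oOU = GetObject(OU_PATH)
For Each oObj In oOU
    ' Class holds the schema class name ("user"); LCase guards the case-sensitive compare
    If LCase(oObj.Class) = "user" Then
        sOld = ReadDescription(oObj)
        If sOld <> NEW_DESCRIPTION Then
            ' Log the old value before touching it so the change can be reviewed or reverted
            WScript.Echo oObj.ADsPath & vbTab & "old=[" & sOld & "]" & vbTab & "new=[" & NEW_DESCRIPTION & "]"
            If DRY_RUN Then
                nChanged = nChanged + 1
            ElseIf CommitDescription(oObj, NEW_DESCRIPTION) Then
                nChanged = nChanged + 1
            Else
                nFailed = nFailed + 1
            End If
        End If
    End If
Next
WScript.Echo "Dry run: " & DRY_RUN & "  changed: " & nChanged & "  failed: " & nFailed

' Hypothetical helper: returns "" when the description is unset or unreadable
Function ReadDescription(oObj)
    On Error Resume Next
    ReadDescription = oObj.Description & ""
    If Err.Number <> 0 Then ReadDescription = ""
    On Error GoTo 0
End Function

' Hypothetical helper: writes the value and commits it; returns False if the write fails
Function CommitDescription(oObj, sNew)
    On Error Resume Next
    oObj.Description = sNew
    oObj.SetInfo
    CommitDescription = (Err.Number = 0)
    If Err.Number <> 0 Then WScript.Echo "FAILED " & oObj.ADsPath & ": " & Err.Description
    On Error GoTo 0
End Function
```

Run it with cscript.exe so the report goes to the console (and can be redirected to a file) instead of appearing as one message box per object.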

Want to modify other attributes of a user?  No problem.  The next installment of VBScripting for Windows System Administrators will focus on how to locate that evasive AD field you want to modify.

Until then, spend your time wisely organizing your AD to make it conducive to scripting.  :-)


Comments (2)

Ron Malmstead, Sr. Developer

May I suggest WMI Code creator for anyone who is learning how to write administrative scripts.

I HIGHLY recommend WMI Code creator as well as The Do It Yourself kit, which has scripting tools written in vbscript, KIXtart, REXX and other languages.
