VBScript for Windows System Administrators - Part 2

Welcome back!  My apologies for taking so long to write part two of this series; it's been a long time coming!  As I promised in Part 1, this article will focus on how to locate those elusive AD properties that you are searching for.  Why is this useful?  Well, for instance, did you know that each user account in AD has an Employee ID field?  Don't go look, you can't find it in the regular Active Directory Users & Computers (hereafter referred to as ADU&C) GUI.  But, I'll show you how to find, and configure, this field and many, many more.

First things first.  In order to follow along, you're going to need an AD environment you can use as a sandbox.  That's right, kids, don't run this stuff on your production network.  BAD THINGS can happen!  I remember an incident about 10 years ago when I deleted every single user in AD.  Luckily, the company hadn't yet switched to AD (it was a clean migration from NT4 to 2000, not an upgrade), so I just re-ran the script to recreate all the users.  But had that been production, I'm sure I would have spent some time brushing the dust off my resume!

So, to get started, the main tool we will be using here is ADSIEdit.msc.  This is a free tool, and is included with the Windows Support tools.  Download the package, install it, and then just click Start -> Run and type "adsiedit.msc" and voilà!  There it is.  WARNING:  BE CAREFUL!  Anything you modify in here directly changes Active Directory, and can cause corrupted objects, or other undesirable results.  Hence my recommendation of a sandbox!!  Now, back to your regularly scheduled programming:  Expand the Domain container, then expand the domain DN, and then drill into an OU until you find a user account.  Right-click the user object and then click Properties.  There are several checkboxes at the top:  "Show mandatory attributes", "Show optional attributes" and "Show only attributes that have values".  Let's step back for a moment and show the practical use for this.

For example, say you're trying to figure out how to access the "IP phone" field from the Telephones tab programmatically, so you can set a user's extension or phone number via a script.  Open the user object in ADU&C, and enter an easily identifiable string in that field, like 999-999-9999.  Now, open ADSIEdit.msc, and browse to the user properties.  Then, check the box for "Show only attributes that have values".  All the attributes that are not set will be hidden, making it easier to find the string you are looking for.  As a result, we see that the attribute name we are looking for is called ipPhone.  So the code would be:

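' Bind to the user object; ADSI needs the LDAP:// provider prefix in front of the DN
Set oUser = GetObject("LDAP://CN=Test User,OU=Employees,DC=mydomain,DC=local")
oUser.ipPhone = "999-999-9999"
' Nothing is written to AD until SetInfo commits the local property cache
oUser.SetInfo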

Congratulations, you've just successfully located and configured the IP Phone for this user!  So, if you scroll through the properties in ADSIEdit, you can see everything that's available to you.  EmployeeID is one field that is available, but doesn't show up in the GUI.

Set oUser = GetObject("LDAP://CN=Test User,OU=Employees,DC=mydomain,DC=local")
' employeeID is not shown in ADU&C, but it is set like any other attribute
oUser.employeeID = "123456"
oUser.SetInfo

There are lots of other cases in which you'll want to have this weapon in your scripting arsenal.  Consider:  In order to create a mailbox for a user, you need to know the full path to the Exchange server.  This can be long and ugly, but it can be easily found on a user that is already configured.  The attribute is called msExchHomeServerName.

' Read-only: bind to a user that already has a mailbox and print the server path
Set oUser = GetObject("LDAP://CN=Test User,OU=Employees,DC=mydomain,DC=local")
WScript.Echo oUser.msExchHomeServerName

Output:
/o=Organization/ou=Exchange Administrative Group (FRDWBOHF34SPDPQ)/cn=Configuration/cn=Servers/cn=MAILSERVER

Want to figure out how to set mailbox limits?  In ADU&C enter some numbers in the "Issue Warning" box, the "Prohibit Send" box and the "Prohibit Send and Receive" box.  Then, open ADSIEdit and go look for them.  Here's the code:

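Set oUser = GetObject("LDAP://CN=Test User,OU=Employees,DC=mydomain,DC=local")
' All three limits are integers, in KB
oUser.mDBStorageQuota = 250000        ' "Issue Warning"
oUser.mDBOverQuotaLimit = 275000      ' "Prohibit Send"
oUser.mDBOverHardQuotaLimit = 300000  ' "Prohibit Send and Receive"
oUser.SetInfo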

And there you have it.  Test User is now restricted on the amount of information that can be in his mailbox.  But now you ask "Why are the values not in quotes?  How did you know they were supposed to be integers instead of strings?"  Ah HA!  Yet another value of ADSIEdit.  Not only do you get to see the attribute and the value, you also get to see the syntax, meaning it tells you if it should be an Integer, Boolean, String, etc.
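The same view that the "Show only attributes that have values" checkbox gives you, syntax column included, can be produced by a read-only script.  This is an added example, not code from the original article; it assumes the Test User DN used above in a sandbox domain, and ShowIfSet is a helper name made up for the example.

```vbscript
Option Explicit

Dim oUser, oClass, sProp

' Assumed sandbox DN, same as the article's examples. This script only reads.
Set oUser = GetObject("LDAP://CN=Test User,OU=Employees,DC=mydomain,DC=local")

' oUser.Schema returns the ADsPath of the class definition (e.g. LDAP://schema/user)
Set oClass = GetObject(oUser.Schema)

For Each sProp In oClass.MandatoryProperties
    ShowIfSet oUser, sProp
Next
For Each sProp In oClass.OptionalProperties
    ShowIfSet oUser, sProp
Next

' Hypothetical helper: echo one attribute, its syntax and its values,
' skipping attributes that have no value on this object.
Sub ShowIfSet(oObj, sName)
    Dim vValues, v, oProp, sSyntax, sText
    On Error Resume Next

    vValues = oObj.GetEx(sName)          ' raises an error when the attribute is not set
    If Err.Number <> 0 Then
        Err.Clear
        Exit Sub
    End If

    ' The attribute's schema object tells us the expected type (Integer, Boolean, ...)
    sSyntax = "unknown"
    Set oProp = GetObject("LDAP://schema/" & sName)
    If Err.Number = 0 Then sSyntax = oProp.Syntax
    Err.Clear

    For Each v In vValues
        sText = "<unprintable>"
        If IsObject(v) Or IsArray(v) Then
            sText = "<" & TypeName(v) & ">"   ' large integers, octet strings, etc.
        Else
            sText = CStr(v)
        End If
        WScript.Echo sName & " [" & sSyntax & "] = " & sText
    Next
End Sub
```

Run it with cscript.exe rather than wscript.exe so the output goes to the console instead of one message box per attribute.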


The next installment of this series (which will not take another year and a half, I promise), I think will be about file manipulation.  Unless anyone has any requests?  Feel free to leave them in the comments, and I'll take them under advisement.

Until next time...

-exx1976