Solved

Add programmatically a user to a group in an NT domain

Posted on 2009-05-16
Last Modified: 2013-12-04
Very easy to do using the "User Manager", but how to do it in code?
I am writing a utility for administrators.  I need a function that will get:
User name
User password (probably not even necessary)
Domain

Now I would like to move them into and out of existing groups.
Any code? examples?
thanks
Question by:yossikally

Expert Comment

by:Chris Dent
ID: 24405388

You might need to find a copy of ADSI 2.5 depending on the platform executing the script. Try it though, I was far too near the beginning of my career to do scripting when I played with Windows NT :)

All examples below are in VbScript. Let me know if you want something else (can do VB .NET, C# .NET, PowerShell and Perl as well).

Chris
' Connecting to a Domain
Set objDomain = GetObject("WinNT://DomainName")

' Looping through objects in the Domain
objDomain.Filter = Array("user")
For Each objUser In objDomain
  WScript.Echo objUser.FullName
Next

' Connecting to a specific user
Set objUser = GetObject("WinNT://DomainName/Username")
WScript.Echo objUser.FullName

' Connecting to a specific group
Set objGroup = GetObject("WinNT://DomainName/GroupName")

' Adding a member to a group
objGroup.Add "WinNT://DomainName/UserName"
' Or
objGroup.Add objUser.ADSPath

' Removing a member from a group
objGroup.Remove "WinNT://DomainName/UserName"
' Or
objGroup.Remove objUser.ADSPath

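The same WinNT-provider add and remove calls, wrapped for an administrator utility. This is an added example in PowerShell (3.0 or later), not code from the original answer: it checks membership first so the change is idempotent, binds with class hints, and returns an audit record. The function name and the sample names are hypothetical.

```powershell
# Added example. Domain, group and user values are supplied by the caller.
function Set-NTGroupMembership {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] [string] $Domain,
        [Parameter(Mandatory = $true)] [string] $Group,
        [Parameter(Mandatory = $true)] [string] $User,
        [Parameter(Mandatory = $true)] [ValidateSet('Add', 'Remove')] [string] $Action
    )

    # Reject characters that would change the shape of the ADsPath.
    foreach ($name in @($Domain, $Group, $User)) {
        if ($name -match '[/\\,]') { throw "Invalid character in name '$name'" }
    }

    # The ",group" and ",user" class hints keep a same-named object of
    # another class from being bound in the flat WinNT namespace.
    $groupObj = [ADSI]"WinNT://$Domain/$Group,group"
    $userObj  = [ADSI]"WinNT://$Domain/$User,user"
    $groupObj.psbase.RefreshCache()   # forces the bind; throws if missing
    $userObj.psbase.RefreshCache()

    # IADsGroup IsMember, Add and Remove take the member's ADsPath.
    $userPath = "WinNT://$Domain/$User"
    $isMember = [bool]$groupObj.psbase.Invoke('IsMember', $userPath)
    $changed  = $false

    # Only touch the group when its state differs from the requested one.
    if ((($Action -eq 'Add') -ne $isMember) -and
        $PSCmdlet.ShouldProcess("$Domain\$Group", "$Action $User")) {
        [void]$groupObj.psbase.Invoke($Action, $userPath)
        $changed = $true
    }

    # Audit record: who changed which group, and whether anything changed.
    [pscustomobject]@{
        Time      = (Get-Date).ToString('o')
        Operator  = "$env:USERDOMAIN\$env:USERNAME"
        Group     = "$Domain\$Group"
        Member    = "$Domain\$User"
        Action    = $Action
        WasMember = $isMember
        Changed   = $changed
    }
}

# Constructed names; -WhatIf reports the change without making it.
Set-NTGroupMembership -Domain 'DomainName' -Group 'GroupName' -User 'UserName' -Action Add -WhatIf
```

Piping the returned object to `Export-Csv -Append` gives the utility a running log of membership changes.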
 

Author Comment

by:yossikally
ID: 24405397
Thanks. I would rather have it in C++, but this will do.
I notice you use "WinNT://...", while other examples I saw use "LDAP...". What's the difference?
I need it to run on XP workstation. Some examples I saw will only run on Windows Server. Does your code run on XP?

Expert Comment

by:Chris Dent
ID: 24405414

The LDAP provider is only useful if you're connecting to an LDAP compliant directory like Active Directory. That's no help for Windows NT because it doesn't use LDAP. For a Windows NT domain you have no choice but to use the WinNT provider.

The code will run on Windows XP, you won't need to add anything to use it, ADSI is present by default from Windows 2000 and up. It can attach to a Windows NT domain from there.

If you're wanting C++ I suspect the following might help (I assume it's C++, it's not labelled):

http://msdn.microsoft.com/en-us/library/aa772211(VS.85).aspx

You should find references for the Add Method under IADsGroup and so on.

Chris
 

Author Comment

by:yossikally
ID: 24405478
I still don't quite understand the difference between using LDAP and WinNT. I understand they are semantics used to differentiate between 2 sets of use cases. I realize this is not a part of the question, but can you direct me to a source of more information (I guess an ADSI for beginners reference)?

Accepted Solution

by:
Chris Dent earned 500 total points
ID: 24405539

There's the ADSI Scripting Primer here which might help?

http://www.microsoft.com/technet/scriptcenter/guide/sas_ads_overview.mspx?mfr=true

ADSI Architecture tends to cover most of the real differences.

In short I would say:

WinNT Provider
 - Can connect to Windows NT directories and Active Directory directories (although doesn't differentiate between the two)
 - Accesses a full set of properties for a Windows NT domain, and a subset of properties for an Active Directory domain
 - Can only access user, group, computer and domain objects in Active Directory (other object classes are not exposed in the WinNT provider)
 - Treats every directory as a flat namespace (all objects are referenced on the same level). As seen in User Manager / Server Manager
 - Cannot deal with nested groups (Windows NT didn't allow that)

LDAP Provider
 - Can only connect to Active Directory domains / forests
 - Can access all properties
 - Can access all object classes
 - Will access the directory as a hierarchical namespace. As seen in AD Users and Computers
 - Can access and enumerate nested group structures

The LDAP Provider is certainly the way to go if you're dealing with an AD Domain or Forest. It's far more powerful, which tends to make it much more suitable.

Chris
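The nested-group point above matters when reviewing who effectively holds a privilege: a membership check through the WinNT provider sees only direct members. The following added example (not part of the original answer) uses the LDAP provider and Active Directory's LDAP_MATCHING_RULE_IN_CHAIN matching rule to list users who are members only through nesting. The function names and the group DN are hypothetical.

```powershell
# Added example. Runs on a domain-joined machine against the current domain.
function Get-GroupMemberName {
    param(
        [Parameter(Mandatory = $true)] [string] $GroupDN,
        [switch] $Transitive
    )

    # Escape LDAP filter metacharacters in the DN (backslash first).
    $dn = $GroupDN.Replace('\', '\5c').Replace('*', '\2a').
                   Replace('(', '\28').Replace(')', '\29')

    # 1.2.840.113556.1.4.1941 makes the directory walk the nesting chain.
    $rule = if ($Transitive) { ':1.2.840.113556.1.4.1941:' } else { '' }

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter   = "(&(objectCategory=person)(objectClass=user)(memberOf$rule=$dn))"
    $searcher.PageSize = 1000          # page results so large groups are complete
    [void]$searcher.PropertiesToLoad.Add('sAMAccountName')

    $results = $searcher.FindAll()
    try {
        foreach ($r in $results) { [string]$r.Properties['samaccountname'][0] }
    }
    finally {
        $results.Dispose()
        $searcher.Dispose()
    }
}

function Get-NestedOnlyMember {
    param([Parameter(Mandatory = $true)] [string] $GroupDN)

    # Users reachable through nesting but absent from the direct member list.
    $direct = @(Get-GroupMemberName -GroupDN $GroupDN)
    Get-GroupMemberName -GroupDN $GroupDN -Transitive |
        Where-Object { $direct -notcontains $_ }
}

# Constructed DN; replace with the group under review.
Get-NestedOnlyMember -GroupDN 'CN=GroupName,CN=Users,DC=example,DC=com'
```

Membership held through a user's primary group is not stored in `memberOf`, so it does not appear in either list.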
