Add programmatically a user to a group in an NT domain

Posted on 2009-05-16
Last Modified: 2013-12-04
Very easy to do using the "User Manager", but how to do it in code?
I am writing a utility for administrators.  I need a function that will get:
User name
User password (probably not even necessary)
Domain

Now I would like to move them into and out of existing groups.
Any code? examples?
thanks
Question by:yossikally

Expert Comment

by:Chris Dent
ID: 24405388

You might need to find a copy of ADSI 2.5 depending on the platform executing the script. Try it though, I was far too near the beginning of my career to do scripting when I played with Windows NT :)

All examples below are in VBScript. Let me know if you want something else (can do VB .NET, C# .NET, PowerShell and Perl as well).

Chris
' Connecting to a Domain
 
Set objDomain = GetObject("WinNT://DomainName")
 
' Looping through objects in the Domain
 
objDomain.Filter = Array("user")
For Each objUser in objDomain
  WScript.Echo objUser.FullName
Next
 
' Connecting to a specific user
 
Set objUser = GetObject("WinNT://DomainName/Username")
WScript.Echo objUser.FullName
 
' Connecting to a specific group
 
Set objGroup = GetObject("WinNT://DomainName/GroupName")
 
' Adding a member to a group
 
objGroup.Add "WinNT://DomainName/UserName"
' Or
objGroup.Add objUser.ADSPath
 
' Removing a member from a group
 
objGroup.Remove "WinNT://DomainName/UserName"
' Or
objGroup.Remove objUser.ADSPath


Author Comment

by:yossikally
ID: 24405397
Thanks. I would rather have it in C++, but this will do.
I notice you use "WinNT://...", while other examples I saw use "LDAP...". What's the difference?
I need it to run on XP workstation. Some examples I saw will only run on Windows Server.  Does your code run on XP?

Expert Comment

by:Chris Dent
ID: 24405414

The LDAP provider is only useful if you're connecting to an LDAP compliant directory like Active Directory. That's no help for Windows NT because it doesn't use LDAP. For a Windows NT domain you have no choice but to use the WinNT provider.

The code will run on Windows XP, you won't need to add anything to use it, ADSI is present by default from Windows 2000 and up. It can attach to a Windows NT domain from there.

If you're wanting C++ I suspect the following might help (I assume it's C++, it's not labelled):

http://msdn.microsoft.com/en-us/library/aa772211(VS.85).aspx

You should find references for the Add Method under IADsGroup and so on.

Chris

Author Comment

by:yossikally
ID: 24405478
I still don't quite understand the difference between using LDAP and WinNT, I understand they are semantics used to differentiate between 2 sets of use cases.  I realize this is not a part of the question but can you direct me to source of more information (I guess ADSI for beginners reference).

Accepted Solution

by:
Chris Dent earned 1500 total points
ID: 24405539

There's the ADSI Scripting Primer here which might help?

http://www.microsoft.com/technet/scriptcenter/guide/sas_ads_overview.mspx?mfr=true

ADSI Architecture tends to cover most of the real differences.

In short I would say:

WinNT Provider
 - Can connect to Windows NT directories and Active Directory directories (although doesn't differentiate between the two)
 - Accesses a full set of properties for a Windows NT domain, and a subset of properties for an Active Directory domain
 - Can only access user, group, computer and domain objects in Active Directory (other object classes are not exposed in the WinNT provider)
 - Treats every directory as a flat namespace (all objects are referenced on the same level). As seen in User Manager / Server Manager
 - Cannot deal with nested groups (Windows NT didn't allow that)

LDAP Provider
 - Can only connect to Active Directory domains / forests
 - Can access all properties
 - Can access all object classes
 - Will access the directory as a hierarchical namespace. As seen in AD Users and Computers
 - Can access and enumerate nested group structures

The LDAP Provider is certainly the way to go if you're dealing with an AD Domain or Forest. It's far more powerful which tends to make it much more suitable.

Chris
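
The provider comparison above, shown as an added example that is not code from any of the answers: one membership routine called once with flat WinNT paths and once with hierarchical LDAP distinguished names. `SetMembership` is a hypothetical helper, and the domain, group, user and OU names are constructed placeholders; it checks `IsMember` first so repeated runs make no change, and returns a line an administrator's utility can write to its change log.

```vbscript
Option Explicit

' Constructed placeholder names (assumptions): replace before running.
Const DOMAIN_NAME = "EXAMPLEDOM"
Const GROUP_NAME  = "HelpDesk"
Const USER_NAME   = "jdoe"

' Add (bAdd = True) or remove (bAdd = False) a member, but only when the
' membership actually has to change. Returns one line for a change log.
Function SetMembership(strGroupPath, strMemberPath, bAdd)
    Dim objGroup, bIsMember, strAction
    On Error Resume Next

    Set objGroup = GetObject(strGroupPath)
    If Err.Number = 0 Then bIsMember = objGroup.IsMember(strMemberPath)

    If Err.Number <> 0 Then
        ' Bind or lookup failed: report it and leave the group untouched.
        strAction = "ERROR 0x" & Hex(Err.Number)
    ElseIf bIsMember = bAdd Then
        strAction = "UNCHANGED"
    ElseIf bAdd Then
        objGroup.Add strMemberPath
        strAction = "ADDED"
    Else
        objGroup.Remove strMemberPath
        strAction = "REMOVED"
    End If

    ' Catch a failure of Add/Remove itself (for example, access denied).
    If Err.Number <> 0 Then strAction = "ERROR 0x" & Hex(Err.Number)
    On Error GoTo 0

    SetMembership = Now & " " & strAction & " " & strMemberPath & _
                    " -> " & strGroupPath
End Function

' WinNT provider: flat namespace, objects addressed as Domain/Name.
WScript.Echo SetMembership("WinNT://" & DOMAIN_NAME & "/" & GROUP_NAME, _
                           "WinNT://" & DOMAIN_NAME & "/" & USER_NAME, True)

' LDAP provider: hierarchical namespace, objects addressed by full DN
' (constructed DNs; only valid against an Active Directory domain).
WScript.Echo SetMembership("LDAP://CN=HelpDesk,OU=Groups,DC=example,DC=com", _
                           "LDAP://CN=John Doe,OU=Staff,DC=example,DC=com", True)
```

Both calls go through the same `IADsGroup` methods (`IsMember`, `Add`, `Remove`); only the ADsPath format differs between the providers. Run it with `cscript` under an account that is allowed to modify the group.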