Sams Teach Yourself Windows Script Host in 21 Days, part 9 (ppt)


DOCUMENT INFORMATION

Pages: 51
Size: 2.13 MB


Contents


 "user " & sUserName 


The script checks the parameters that were specified on the command line. There must be at least one parameter, and the parameter must be in the form specified in the ShowUsage() function.

3. The script dynamically generates a SQL statement that will be used to retrieve the user login details. If you examine the code, you'll notice that the WHERE clause is modified dynamically depending on the command-line parameters used to execute the script. Be aware that concatenating command-line values straight into the WHERE clause is a SQL injection risk: the ADO Command object lets you pass them as bound parameters instead, so that a value such as x' OR 1=1-- stays a literal string rather than becoming part of the query.

The script sets connection parameters, creates a connection string, and attempts to connect to the database that contains the user login details. The database query is then performed: first create a Recordset object, and then call the Open() method using the SQL statement that was dynamically generated in step 3.

Like the addlog.vbs script, this script builds on the steps discussed earlier in this chapter. You can easily modify it to incorporate your own database connection parameters, and you can change it to incorporate whatever SQL statement you need to use.

You can use the code from the examples as a building block for your own code that leverages ADO objects. The objects are easy to use, and you'll find that they integrate naturally with the scripts that you create.
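The parameterized form of the login lookup described above, as an added example that is not code from the book: it takes the same optional command-line filters and still builds the WHERE clause dynamically, but binds the values through an ADODB.Command so they never become SQL text. The table name logins and its columns, the argument names /u: and /c:, and the connection string are assumptions.

```vbscript
' Added example (not from the book): look up user login records with a
' parameterized ADO query instead of concatenating command-line input into
' the WHERE clause. Assumed schema: table logins(username, computer, logintime).
Option Explicit

Const adCmdText    = 1
Const adVarChar    = 200
Const adParamInput = 1

' Assumed connection string; replace with your own DSN or provider string.
Const CONN_STRING = "Provider=SQLOLEDB;Data Source=DBSERVER;Initial Catalog=Audit;Integrated Security=SSPI;"

' Returns a Recordset of logins filtered by username and/or computer.
' An empty string means "no filter" for that column.
Function QueryLogins(sUserName, sComputer)
    Dim oConn, oCmd, sSql
    Set oConn = CreateObject("ADODB.Connection")
    oConn.Open CONN_STRING

    Set oCmd = CreateObject("ADODB.Command")
    Set oCmd.ActiveConnection = oConn
    oCmd.CommandType = adCmdText

    ' The WHERE clause still varies with the parameters supplied, but the
    ' values travel as bound parameters, never as part of the SQL string.
    sSql = "SELECT username, computer, logintime FROM logins WHERE 1=1"
    If sUserName <> "" Then
        sSql = sSql & " AND username = ?"
        oCmd.Parameters.Append oCmd.CreateParameter("username", adVarChar, adParamInput, 64, sUserName)
    End If
    If sComputer <> "" Then
        sSql = sSql & " AND computer = ?"
        oCmd.Parameters.Append oCmd.CreateParameter("computer", adVarChar, adParamInput, 64, sComputer)
    End If
    sSql = sSql & " ORDER BY logintime DESC"
    oCmd.CommandText = sSql

    Set QueryLogins = oCmd.Execute
End Function

Sub ShowUsage()
    WScript.Echo "Usage: getlogin.vbs [/u:username] [/c:computer]"
    WScript.Quit 1
End Sub

' Parse the /u: and /c: named arguments; anything else is a usage error.
Dim oArgs, sUser, sComp, rs
If WScript.Arguments.Count = 0 Then ShowUsage
Set oArgs = WScript.Arguments.Named
If oArgs.Exists("u") Then sUser = oArgs("u") Else sUser = ""
If oArgs.Exists("c") Then sComp = oArgs("c") Else sComp = ""
If sUser = "" And sComp = "" Then ShowUsage

Set rs = QueryLogins(sUser, sComp)
Do Until rs.EOF
    WScript.Echo rs("username") & vbTab & rs("computer") & vbTab & rs("logintime")
    rs.MoveNext
Loop
rs.Close
```

Run it as cscript getlogin.vbs /u:TedSmith. Because the values are bound, a username argument of x' OR 1=1-- is compared literally against the username column and simply matches nothing.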

A  You can get the current username and computer using the WshNetwork object, which provides the UserName and ComputerName properties.




Day 18: Using WSH to Manipulate the Microsoft Active Directory

Today, you will use Windows Scripting Host and the Microsoft Active Directory to manage users and computers in a Windows NT domain. But the Active Directory enables you to do much more. It provides a standard set of tools to access any directory object, whether it is part of a Windows NT or Windows 2000 domain, a Novell NetWare user list, or any other directory that supports the Lightweight Directory Access Protocol (LDAP).

Before you can run the Windows NT 4 examples in this chapter, you need to install ADSI version 2.0 or higher, the Active Directory components, onto your Windows NT 4 or Windows 95 system. This is available for no charge from the Microsoft Web site at

The full Active Directory is the central component of Windows 2000 Server, formerly called Windows NT 5 Server. The examples at the end of this chapter require Windows NT 5 Beta 2, Windows 2000 Server Beta 3, or later. (As an aside, Windows NT 5 Workstation has been renamed to Windows 2000 Professional.)

What is a directory? In an abstract sense, it is a list of objects, such as people, companies, computers, or buildings, with some information about those objects, such as street address, phone number, SSN, name, or digital signature certificate.


database, and your email address book.







Directories look a lot like databases, and in many cases they are implemented using database technology. Some of the important things that make directories unique are the following:

The information is retrieved much more often than it is updated. It must support browsing (give me a list of people in Topeka born in January 1995) and searching (what's the phone number of Janice Doe on Broad Street in Austin?).

Each item of information describing an object in a directory is called an attribute or property. For instance, the telephone number and name are attributes of the person object. The list of attributes available for a particular object, with their characteristics, is called a schema. In the past, each organization has developed schemas to meet its own needs, even though they might describe the same thing, such as the employee of a company. Efforts to standardize key schemas such as an "organizational person" have achieved some success.









In the past, automated directories were implemented using proprietary software and technologies. This made development cumbersome because each directory had its own programs. Integration of multiple directories was nearly impossible, and you had to use those proprietary programs to access any information in the directory. Examples of proprietary directories include the Windows NT 4 domain accounts database and Microsoft Mail's Global Address List.

developed in the early 1990s. The LDAP protocol has now become the de facto standard for accessing and updating directory information.









Microsoft also realized that proprietary access methods were not cost-effective, but took a slightly different approach, using new technologies to manage their proprietary directories. The Active Directory is a Windows 2000 concept that incorporates an accessible directory that includes users, groups, computers, share names, and all other aspects of the current Windows NT domain. It also includes the Active Directory Service Interfaces (ADSI), which are available now.









ADSI provides a consistent method to access any directory regardless of its underlying technology. Microsoft and other vendors supply Service Provider Interfaces (SPIs), which translate standard ADSI requests from an application into the format required by the target directory. The standard ADSI package comes with SPIs for Windows NT 4, Novell NetWare (both Bindery and NDS directories), and LDAP. Microsoft also has an SPI for managing the configuration of Internet Information Server 4. Providers support namespaces, which are the top-level items of the directory. LDAP and WinNT are examples of namespaces.




Every Windows NT 4 workstation or server has an accounts database, or SAM. A Windows NT 4 domain is simply a group of computers with a common accounts database. Users are kept in the domain SAM. Global groups, which can contain users in that domain, are also kept in the domain accounts database. Changes to the accounts database are always done via the Primary Domain Controller, or PDC. There can be many Backup Domain Controllers (BDCs), and they receive updates to the SAM from their PDC. When you log in to the network, your computer finds a domain controller for the domain you are logging in to and validates you. Another type of server is called a member server. Each server has a local accounts database where you can create accounts and groups on this one computer. Member servers can belong to a domain and enable users and groups in that domain to access resources on the server. NT Workstation works in the same way as member servers.









In NT 4, domains can trust each other. If domain ATLANTA trusts domain ACME, an administrator on ATLANTA can give a user or group in domain ACME access to a local printer or share name. This saves a lot of work because users no longer have to have an account in domain ATLANTA to access resources there. Trusts are defined in one direction: you have to establish separate trusts from domain ACME to ATLANTA and from ATLANTA to ACME. Also, trusts are not transitive: if ATLANTA trusts ACME and ACME trusts UNIVERSAL, ATLANTA does not implicitly trust UNIVERSAL. This provides additional security but also imposes additional work in complex organizations. Trusts lead to four basic enterprise permissions models:

Network. All domains in the company trust all other domains in the company. This is simplest in small organizations or where administration is completely decentralized. It becomes increasingly difficult to manage as the number of domains grows.

Single master. All users and global groups are created in a master domain. Resource domains contain all the users' sharenames and printers, and each trusts the master domain. This is preferred at most medium-sized organizations. Permissions on the resource domains can be delegated, but administrative access to the master domain is usually strictly controlled.

Multiple master. In very large organizations or where account management is delegated, you establish a small number of master domains that hold users and groups for their scope of operations, such as a continent or subsidiary. These master domains trust all other master domains, and each resource domain trusts all the master domains. This enables an administrator in any domain to give permissions to a user or group from any of the master domains. A variation of this model has a third "security" domain that is trusted by all the other domains. The small number of "super administrators" in this domain can see the entire enterprise while protecting themselves from access.

Individual computers have local groups. You usually assign permissions on resources (printers, share names, and so on) to local groups. Local groups then contain users and global groups from the local domain or from trusted domains. There are a number of preconfigured local groups on each server and Windows NT workstation: Administrators, Server Operators or Power Users, Account Operators, Backup Operators, and Users. You can add your own. You should note that all domain controllers in a domain share the same local groups. For example, adding a user to the local Administrators group on one domain controller grants them administrative rights to all the domain controllers there. This can be a blessing (no separate permissions needed) and a curse ("I didn't know they could do that there!").


There are several other directories in the Windows NT 4 environment:

There are a number of limitations to the Windows NT 4 directory. There are many proprietary directories meeting specialized needs. As enterprises become more complex, Windows NT 4 becomes more difficult to administer.

The Active Directory is organized as a forest of trees. Each tree is a set of Windows 2000 domains sharing a contiguous DNS namespace (a single domain in the simplest case), and the collection of all domains in an enterprise is a forest. Users can search the entire forest. Permissions between trees can be assigned.

A domain is no longer a flat structure. It can include a hierarchy of Organizational Units, as shown in Figure 18.1, taken from a Windows 2000 directory management


computers in the Atlanta Organizational Unit. By default, having permissions at one level of the hierarchy gives permissions at all lower levels.

The schema is much bigger too. There are about 200 objects, called classes in Windows 2000, and about 1500 attributes. Figures 18.2 and 18.3 show some of the information that can be filled in for users. You can see all the Windows NT 4 fields are still there, but there are many more.


First, you retrieve an object using GetObject(), passing in the ADsPath of the directory object you want or the name of the directory service provider. This establishes a session to your object with your current login credentials. Note that the provider name is case sensitive, whereas attributes and methods are not. For example:

In the rare case where you need to access the object using other credentials, use the OpenDSObject() method (from the IADsOpenDSObject interface) on any existing directory object, or on the provider itself, as

The <ADSPath> is the directory object you want to open; the <userid> and <password> are straightforward. The flags depend on which directory provider you are using and can usually be set to 0, but note that for the LDAP provider a flag of 0 means a simple bind that sends the password in clear text; pass ADS_SECURE_AUTHENTICATION (1) to use the Windows authentication protocols instead.
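Both bindings described above, as an added example that is not the book's code. The domain name and service account are assumptions; the WinNT namespace object is used as the object that exposes OpenDSObject, and the password is asked for at run time so that it is never stored in the script file.

```vbscript
' Added example (not from the book): bind to a WinNT object with the caller's
' own credentials, then rebind with explicit credentials via OpenDSObject.
Option Explicit

' IADsOpenDSObject flag value (ADS_AUTHENTICATION_ENUM): use Windows
' authentication rather than a clear-text simple bind.
Const ADS_SECURE_AUTHENTICATION = &H1

' Assumed names; replace with your own domain and account.
Const DOMAIN_NAME   = "ATLANTA"
Const ADMIN_ACCOUNT = "ATLANTA\svc-provision"

' Default binding: uses the security context of whoever runs the script.
Function BindAsCaller(sAdsPath)
    Set BindAsCaller = GetObject(sAdsPath)
End Function

' Explicit binding: the namespace object exposes OpenDSObject. Note that the
' provider name "WinNT:" is case sensitive.
Function BindWithCredentials(sAdsPath, sUser, sPassword)
    Dim oProvider
    Set oProvider = GetObject("WinNT:")
    Set BindWithCredentials = oProvider.OpenDSObject(sAdsPath, sUser, sPassword, ADS_SECURE_AUTHENTICATION)
End Function

Dim oDomain, sPwd
Set oDomain = BindAsCaller("WinNT://" & DOMAIN_NAME)
WScript.Echo "Bound as caller to " & oDomain.ADsPath

' Prompt instead of hard-coding: a password literal in a .vbs file is
' readable by anyone who can read the script.
sPwd = InputBox("Password for " & ADMIN_ACCOUNT)
If sPwd = "" Then WScript.Quit 1
Set oDomain = BindWithCredentials("WinNT://" & DOMAIN_NAME, ADMIN_ACCOUNT, sPwd)
WScript.Echo "Bound with explicit credentials to " & oDomain.ADsPath
```

InputBox echoes what is typed, so this is acceptable for an interactive administrator session but not for an unattended job; for those, run the script under the intended account (scheduled task credentials) and use the plain GetObject binding.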

ADSI is a good way to automate many administration tasks for Exchange 5.5 mailboxes and distribution lists. There are a couple of excellent articles on this topic in Microsoft TechNet. Search for the keywords exchange and adsi.







If you want to go beyond those articles, you can find the LDAP name of any attribute or class. Use admin in raw mode (admin -r), and look at its definition in the schema. The description field of the attribute contains the LDAP name. If you are not sure what class a particular object has, open the raw properties of that object and search for the attribute Object-Class. Choose the first incomprehensible number, click Viewer, and then choose Properties.

You can explicitly load all the properties for the object into local memory using GetInfo. GetInfo is called "under the covers" the first time you access a property while the cache is empty. Be careful with an explicit GetInfo, though: it reloads the cache from the directory and discards any changes you have made but not yet committed with SetInfo. Note that there are some properties that can be accessed only by using Get.

Finally, you update the directory by calling SetInfo. Changes are not reflected in the




Two kinds of directory objects can hold other objects. Containers are part of the formal directory tree and hold objects of different types. You create objects in a container using the Create method and delete them using the Delete method. The objects are created and destroyed using these methods:

Think of the members of a Collection object as a property of that object. The objects that are added to collections already exist. Users are members of the group collection. The PrintJobs object holds a collection of PrintJob objects. Again, you add members to a collection using the Add method and remove them using the Remove


command and the class of the object you are retrieving. You don't have to enter the class of the object, but if you leave it out, you might not get what you expect. For example, the first line in the following example returns the computer account for the server as a user object, whereas the second line returns the computer object:

Create the userid, associate his home directory with the userid, and add him to NT groups to give him access to shared resources. This manipulates the Domain, Group, and User objects.






WScript.echo " Last Login=" +


This connects you to the WinNT directory object. Note that you haven't specified a domain. The WinNT object is a container object that holds each domain it can find using the NT or Windows 95/98 browser service.

You use a Select Case statement with oDomainItem.Class to determine how you should interpret the object. If it is a user, you display selected information about the userid. Computers contain further objects, so if the class is a computer, you display each object associated with that computer. This will include users and groups (local users and groups this time), print queues, services, and so on.
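An added example (not from the book) that turns the enumeration just described into a security audit: instead of a Select Case over every object, it sets the container's Filter to user objects only and reports the account settings an attacker looks for first. The domain name and the 90-day threshold are assumptions; the bit values are the documented ADS_USER_FLAG_ENUM constants stored in the WinNT UserFlags property.

```vbscript
' Added example (not from the book): walk a WinNT domain and report accounts
' whose settings weaken security. Run as a domain user with read access to the SAM.
Option Explicit

' ADS_USER_FLAG_ENUM bits carried in the UserFlags property.
Const ADS_UF_ACCOUNTDISABLE     = &H2
Const ADS_UF_LOCKOUT            = &H10
Const ADS_UF_PASSWD_NOTREQD     = &H20
Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000

Const DOMAIN_NAME = "ATLANTA"       ' assumed
Const MAX_PASSWORD_AGE_DAYS = 90    ' assumed policy

' Returns a space-separated list of findings for one user object, or "" if clean.
Function AuditUser(oUser)
    Dim lFlags, sFindings, nAgeDays, dLast
    sFindings = ""
    lFlags = oUser.Get("UserFlags")

    If (lFlags And ADS_UF_PASSWD_NOTREQD) <> 0 Then sFindings = sFindings & " no-password-required"
    If (lFlags And ADS_UF_DONT_EXPIRE_PASSWD) <> 0 Then sFindings = sFindings & " password-never-expires"
    If (lFlags And ADS_UF_LOCKOUT) <> 0 Then sFindings = sFindings & " locked-out"
    If (lFlags And ADS_UF_ACCOUNTDISABLE) <> 0 Then sFindings = sFindings & " disabled"

    ' PasswordAge is reported in seconds since the last change.
    nAgeDays = Int(oUser.Get("PasswordAge") / 86400)
    If nAgeDays > MAX_PASSWORD_AGE_DAYS Then sFindings = sFindings & " password-age=" & nAgeDays & "d"

    ' LastLogin raises an error for accounts that have never logged in;
    ' report that as a finding instead of letting it abort the run.
    On Error Resume Next
    dLast = oUser.Get("LastLogin")
    If Err.Number <> 0 Then
        Err.Clear
        sFindings = sFindings & " never-logged-in"
    End If
    On Error GoTo 0

    AuditUser = Trim(sFindings)
End Function

Dim oDomain, oItem, sReport
Set oDomain = GetObject("WinNT://" & DOMAIN_NAME)
oDomain.Filter = Array("user")      ' only user objects, not groups or computers

For Each oItem In oDomain
    sReport = AuditUser(oItem)
    If sReport <> "" Then WScript.Echo oItem.Name & vbTab & sReport
Next
```

Run it with cscript so the output goes to the console and can be redirected to a file. Accounts flagged password-never-expires together with a large password age, or no-password-required on anything other than a deliberately created guest, are the ones to follow up.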









This can be easily extended to other reports using the information from Figure 18.4, as in this example, which displays information about the jobs in a print queue:







' ShowPrintQueueInfo_NT4.vbs - Display information about all Print

At most organizations, each user has a home directory where she can keep her own settings and personal files. In this section, you'll create a directory on a file/print server, and then you'll share that directory with the user's sharename. The sharename will be the same as the userid, although this is not necessary. Also, the sharename will end with a $ so that it is hidden from the sharename browse list. This makes it much easier to find the sharenames people use every day. Keep in mind that the $ only hides the share from browsing; it is not an access control, so the share and NTFS permissions still have to be set.


 oShare.Path = "D:\Users\" + sUserid 

 Normally, you would accept the input using the inputbox function or from







You use the techniques described in Chapter 3, "The Scripting Object Model," and Chapter 9, "Handling WSH Script Arguments and Reading/Writing Files," to create the user's home directory:

Sharenames are objects contained in a file system container object. For Windows NT environments, this object is retrieved using the following:

Note that the filesystem container also contains objects for active user sessions and Windows NT services, such as the scheduler. When retrieving the objects in lanmanserver, don't assume they all refer to sharenames.









To add an object to a container, you use the Create method on the container object and provide the object class and name. Here you are creating a fileshare object with the name TedSmith$.
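The directory and share creation described in the last few paragraphs, as an added example that is not the book's code. It filters lanmanserver to fileshare objects before checking for a name clash (the container also holds sessions and services), and it refuses userids containing path characters because the userid becomes both a share name and a folder name. The server name, the home root as seen from the server, and the administrative-share path used to create the folder remotely are assumptions.

```vbscript
' Added example (not from the book): create a user's home directory on a
' file server and publish it as a hidden share through the WinNT provider.
Option Explicit

Const FILE_SERVER = "FS1"                  ' assumed file/print server
Const HOME_ROOT   = "D:\Users\"            ' assumed, path as seen on the server
Const HOME_UNC    = "\\FS1\D$\Users\"      ' assumed, same folder over the admin share

' Only fileshare objects are shares; lanmanserver also lists sessions and resources.
Function ShareExists(oLanman, sShareName)
    Dim oItem
    ShareExists = False
    oLanman.Filter = Array("fileshare")
    For Each oItem In oLanman
        If LCase(oItem.Name) = LCase(sShareName) Then ShareExists = True
    Next
End Function

' Creates <userid>$ pointing at <HOME_ROOT><userid> and returns the share's ADsPath.
Function CreateHomeShare(sUserId)
    Dim oFso, oLanman, oShare, sShareName

    ' A userid such as ..\..\Windows would otherwise escape the home root.
    If InStr(sUserId, "\") > 0 Or InStr(sUserId, "/") > 0 Or InStr(sUserId, "..") > 0 Then
        Err.Raise 5, , "userid must not contain path characters: " & sUserId
    End If
    sShareName = sUserId & "$"

    ' FSO runs on the machine executing the script, so reach the server via UNC.
    Set oFso = CreateObject("Scripting.FileSystemObject")
    If Not oFso.FolderExists(HOME_UNC & sUserId) Then oFso.CreateFolder HOME_UNC & sUserId

    Set oLanman = GetObject("WinNT://" & FILE_SERVER & "/lanmanserver")
    If ShareExists(oLanman, sShareName) Then Err.Raise 5, , "share already exists: " & sShareName

    ' Share properties live in the cache until SetInfo commits them.
    Set oShare = oLanman.Create("fileshare", sShareName)
    oShare.Path = HOME_ROOT & sUserId
    oShare.Description = "Home directory for " & sUserId
    oShare.SetInfo
    CreateHomeShare = oShare.ADsPath
End Function

WScript.Echo CreateHomeShare("TedSmith")
```

The share's Path is a local path on FS1, which is why it is kept separate from the UNC path the script itself uses to create the folder. Share creation needs administrative rights on the server; the NTFS permissions on the new folder are still the inherited ones at this point.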

Windows NT 4 contains global and local groups. Global groups contain only userids in the same domain as the global group, and they usually define people by the organization of the company (Atlanta division), by the projects they are working on (Ultimate/2000 development team), or the kinds of jobs they do (Engineers).







Local groups are usually used to assign permissions to resources, such as people who can use the Atlanta printers or sharenames. Local groups contain global groups or userids from their own or any trusted domain.

What good are groups if you can't add things to them? A group is a collection (not a container), so you add items to the collection using the Add method and remove them using the Remove method. You use the ADsPath to add and delete users and other groups:

Figure 18.8 shows the output from User Manager for Domains after running this sample script, which creates a local group and adds the global group (the Dim statements have been removed):


aMembers = Array("AtlantaUsers", "FredGreen")   ' Groups this group should contain

Local groups can also be created and managed on NT Workstations by referring to the workstation object WinNT://domain/workstation. They can include local userids and domain userids or groups.

Here is the full script, which you will take apart (again, the Dim statements have been removed in the interest of space):


Often, you need to create userids with initial passwords that can't be easily guessed or known, but which are easy for the user to remember. The function makePassword makes a password of the form word+number+word. The words are short and chosen randomly, and the number is chosen randomly between 2 and 9 to avoid confusion with the letters "O" and "l". With this simple list of 20 words there are only 20 x 8 x 20 = 3200 possible passwords, so an attacker who has the word list succeeds with probability 1 in 3200 per guess and can try the whole space in seconds against a captured hash or a service that does not lock accounts out. Treat such a password strictly as a one-time bootstrap value: force a change at first logon (setting the WinNT provider's PasswordExpired property to 1 does this), and remember that VBScript's Rnd is not a cryptographically secure generator. You use the function Split to make an array from a string, just to make it easier to type in the word list. Randomize generates a random starting number, and Rnd returns real numbers chosen at random between 0 and 1, but always excluding 1 itself, as follows:


Now, you set all its properties. The FullName and Description help to identify the user. You set the home directory drive letter and sharename using the remaining parameters. Note that HomeDirDrive was only added in ADSI 2.5, and using the alternative method to set the value does not work.

SetPassword doesn't work until after SetInfo is run, because until then the object exists only in the local property cache and not yet in the domain, so you use the following:

SetPassword also doesn't work unless the account running the script is a member of the Account Operators, Administrators, or Domain Admins group.
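An added example (not the book's code) that puts the ordering rules from this section into one script: Create, Put the properties, SetInfo, then SetPassword, then force a change at first logon, and finally the group Add by ADsPath from the earlier group section. The domain, file server, group name and the placeholder initial password are assumptions; in practice the password comes from a generator such as the makePassword function above.

```vbscript
' Added example (not from the book): create a domain account in the order the
' WinNT provider requires, give it a one-time initial password, and add it to
' a global group.
Option Explicit

Const DOMAIN_NAME = "ATLANTA"       ' assumed
Const FILE_SERVER = "FS1"           ' assumed
Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000

' Creates the user and returns the committed user object.
Function CreateDomainUser(sUserId, sFullName, sDescription, sInitialPassword, sGroup)
    Dim oDomain, oUser, oGroup, lFlags

    Set oDomain = GetObject("WinNT://" & DOMAIN_NAME)
    Set oUser = oDomain.Create("user", sUserId)

    ' Put only fills the local cache; nothing reaches the PDC until SetInfo.
    oUser.Put "FullName", sFullName
    oUser.Put "Description", sDescription
    oUser.Put "HomeDirectory", "\\" & FILE_SERVER & "\" & sUserId & "$"
    oUser.Put "HomeDirDrive", "H:"        ' requires ADSI 2.5 or later
    oUser.SetInfo                         ' the account now exists in the domain

    ' SetPassword acts on the live account, so it only works after SetInfo and
    ' only when the caller is an Account Operator or Administrator.
    oUser.SetPassword sInitialPassword

    ' The initial password is a bootstrap value: force a change at first logon
    ' and make sure "password never expires" is not set.
    oUser.GetInfo                         ' refresh the cache before reading flags
    lFlags = oUser.Get("UserFlags")
    oUser.Put "UserFlags", lFlags And (Not ADS_UF_DONT_EXPIRE_PASSWD)
    oUser.Put "PasswordExpired", 1
    oUser.SetInfo

    ' Group membership is a collection: Add by ADsPath, no SetInfo needed.
    Set oGroup = GetObject("WinNT://" & DOMAIN_NAME & "/" & sGroup & ",group")
    oGroup.Add oUser.ADsPath

    Set CreateDomainUser = oUser
End Function

Dim oNew
Set oNew = CreateDomainUser("TedSmith", "Ted Smith", "Engineer, Atlanta division", _
                            "Initial-Pass-2024!", "AtlantaUsers")
WScript.Echo "Created " & oNew.ADsPath
```

If SetPassword fails with an access-denied error, the script's own account lacks the group membership noted above; if it fails because the object does not exist, a SetInfo was skipped before it. The ",group" suffix on the group's ADsPath avoids picking up a user or computer that happens to share the name.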

If Ted is a member of local or global groups in other workstations or domains, the groups' GetObject method should identify the entire, correct

Now, you have created Ted and set up his home directory, but you haven't given Ted permissions to use it yet. ADSI is only just emerging with methods to change security. The following example works with ADSI 2.0 and uses the free tool, xcacls, from the NT Resource Kit to make the change. Note that you are leaving the permissions on the sharename unchanged, but you are changing the underlying NTFS directory permissions. This is usually a better way to control security because it also protects the information from someone accessing the directory from another sharename, such as \\Server\Users, or from the server console. This uses the techniques described in Chapter 4, "The WSH Object Model," to run a program using the Run method of the WScript.Shell object:
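The same step as an added example (not the book's code) using icacls, the tool built into Windows Vista / Server 2008 and later that replaced xcacls; the switches differ but the approach of running an external ACL tool through WScript.Shell is identical. The domain and the home-directory root are assumptions. Because the userid is interpolated into a command line, the example validates it first: a userid containing a quote character could otherwise close the path argument and append its own command.

```vbscript
' Added example (not from the book): set NTFS permissions on a home directory
' by running icacls through WScript.Shell, with the userid validated first so
' that it cannot inject extra command-line text.
Option Explicit

Const DOMAIN_NAME = "ATLANTA"         ' assumed
Const HOME_ROOT   = "D:\Users\"       ' assumed, local to the file server
Const WINDOW_HIDDEN = 0
Const WAIT_FOR_EXIT = True

' Account names allowed into the command line: letters, digits, - _ and .
Function IsSafeAccountName(s)
    Dim i, c
    IsSafeAccountName = (Len(s) > 0 And Len(s) <= 20)
    For i = 1 To Len(s)
        c = Mid(s, i, 1)
        If InStr("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.", c) = 0 Then
            IsSafeAccountName = False
        End If
    Next
End Function

' Returns the icacls exit code (0 on success).
Function SetHomeDirAcl(sUserId)
    Dim oShell, sPath, sCmd
    If Not IsSafeAccountName(sUserId) Then Err.Raise 5, , "unsafe userid: " & sUserId
    sPath = HOME_ROOT & sUserId

    ' /inheritance:r drops the permissive ACEs inherited from D:\Users so other
    ' users cannot read the folder; (OI)(CI) makes each grant inherit downwards.
    sCmd = "icacls.exe """ & sPath & """ /inheritance:r" & _
           " /grant:r """ & DOMAIN_NAME & "\" & sUserId & ":(OI)(CI)M""" & _
           " /grant:r ""BUILTIN\Administrators:(OI)(CI)F""" & _
           " /grant:r ""NT AUTHORITY\SYSTEM:(OI)(CI)F"""

    Set oShell = CreateObject("WScript.Shell")
    SetHomeDirAcl = oShell.Run(sCmd, WINDOW_HIDDEN, WAIT_FOR_EXIT)
End Function

Dim rc
rc = SetHomeDirAcl("TedSmith")
If rc <> 0 Then
    WScript.Echo "icacls failed with exit code " & rc
    WScript.Quit rc
End If
WScript.Echo "Permissions set on " & HOME_ROOT & "TedSmith"
```

Run this on the file server itself, since the path is local to it. Always check the exit code that Run returns when asked to wait; a silent non-zero result here would leave the home directory readable by every user of \\Server\Users.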


When Ted leaves, you want to delete his userid but perhaps save his personal files to determine whether anything should be archived.

Note that you use the Delete method, which destroys the object and removes it from the domain container object. You specify the object class (user) to delete the correct object. As mentioned earlier, you can have two objects with the same name, such as the computer and the computer account, which is a user object. Deleting a user also destroys its SID, so every ACL entry that referred to it becomes an orphaned SID; disabling the account first and deleting it later is the more recoverable order.
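The offboarding sequence as an added example that is not the book's code: disable the account, move the home directory aside for review, remove the share, and only then delete the user with its class specified. The domain, server and archive paths are assumptions.

```vbscript
' Added example (not from the book): offboard an account in a recoverable order.
' Disable first (reversible), archive the files, drop the share, then delete
' the user object, which destroys its SID for good.
Option Explicit

Const DOMAIN_NAME  = "ATLANTA"              ' assumed
Const FILE_SERVER  = "FS1"                  ' assumed
Const HOME_UNC     = "\\FS1\D$\Users"       ' assumed admin-share path
Const ARCHIVE_UNC  = "\\FS1\D$\Archive"     ' assumed

Sub DisableUser(sUserId)
    Dim oUser
    Set oUser = GetObject("WinNT://" & DOMAIN_NAME & "/" & sUserId & ",user")
    oUser.AccountDisabled = True
    oUser.SetInfo
End Sub

' Moves the home directory under the archive root; nothing is deleted.
Sub ArchiveHome(sUserId)
    Dim oFso
    Set oFso = CreateObject("Scripting.FileSystemObject")
    If oFso.FolderExists(HOME_UNC & "\" & sUserId) Then
        If Not oFso.FolderExists(ARCHIVE_UNC) Then oFso.CreateFolder ARCHIVE_UNC
        oFso.MoveFolder HOME_UNC & "\" & sUserId, ARCHIVE_UNC & "\" & sUserId
    End If
End Sub

' The share is an object in the lanmanserver container, deleted by class and name.
Sub RemoveShare(sUserId)
    Dim oLanman
    Set oLanman = GetObject("WinNT://" & FILE_SERVER & "/lanmanserver")
    oLanman.Delete "fileshare", sUserId & "$"
End Sub

' Delete by class so a computer object of the same name is never touched.
Sub DeleteUser(sUserId)
    Dim oDomain
    Set oDomain = GetObject("WinNT://" & DOMAIN_NAME)
    oDomain.Delete "user", sUserId
End Sub

Dim sId
sId = "TedSmith"
DisableUser sId
ArchiveHome sId
RemoveShare sId
' Deletion is usually deferred until the archive has been reviewed; it is
' included here so the whole sequence is visible.
DeleteUser sId
WScript.Echo "Offboarded " & sId
```

Disabling first means a mistaken offboarding can be undone by clearing AccountDisabled; once Delete has run, recreating an account with the same name yields a new SID, and the old permissions do not come back.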

Posted: 13/08/2014, 08:21
