Scripting Tips & Tricks

WSH and ADSI automate AD account creation

Bob Wells

December 15, 2002

5 Min Read
ITPro Today logo in a gray background | ITPro Today


I'd like to use Windows Script Host (WSH) and Active Directory Service Interfaces (ADSI) to automate student-account creation. I have a text file that includes account information (e.g., name, password). I understand WSH, but I'm not familiar with ADSI. Can you offer any guidance?

First, I should point out that Windows 2000 Server includes two tools designed to perform the task you describe: the comma-separated value (CSV) Directory Exchange tool (csvde.exe) and the LDAP Data Interchange Format (LDIF) Directory Exchange tool (ldifde.exe). Both tools, which you can find in the %systemroot%system32 directory, import data to and export it from Active Directory (AD) by using text-based input files. To learn more, see the "Importing and exporting directory information" Win2K Server Help topic.

Before creating your script, you should decide on the format of the input file because that format will affect how your script works. For example, if some input attributes contain commas, using a .csv file won't easily work. Other input-file considerations include the order of the data and whether every attribute contains a value. I'll assume that your data doesn't contain commas and is in a .csv file. Figure 1 shows the format and contents of a sample file, students.csv.

Listing 1 shows CreateStudents.vbs, which creates student user accounts based on the contents of the students.csv file. The script first enables Option Explicit and declares the script's variables. The ForReading constant works with the FileSystemObject object's OpenTextFile method to open students.csv as read-only, as the code at callout B in Listing 1 shows.

The OpenTextFile method opens students.csv and returns a reference to a TextStream object, which you can use to read the file's contents. I use the TextStream object's ReadAll method to put the entire file into one string variable, strCsvFileContents. Thus, strCsv FileContents contains the entire input file—including the carriage returns and line feeds—as one long string. The script then closes the file handle that the TextStream object references.

Next, the script uses VBScript's Split function to split the string into individual records. The Split function accepts one mandatory argument—the name of the string to split. CreateStudents.vbs also uses the function's optional second argument, which defines the delimiter that identifies the boundaries at which to split the target string. The Split function returns an array, each element of which contains a substring of the original string. The code at callout C passes to Split the strCsvFileContents string and VBScript's carriage return­line feed constant, vbCrLf. The Split function returns an array and assigns it to the arrRecords array variable.

The script encounters ADSI in the next line, which connects (i.e., binds) to the target container in which I create the new user accounts. To bind to an AD object, you use VBScript's GetObject function combined with a special string called an ADsPath—a provider-specific string that identifies an ADSI object in a directory service. The ADsPath that CreateStudents.vbs passes to the GetObject function identifies the provider to use to talk with AD (i.e., LDAP:) and the target object's distinguished name (DN), which comes from the strContainer string variable and is defined in the code at callout A. The GetObject function returns a reference to the target container, which the script then uses to initialize the objContainer variable.

CreateStudents.vbs cranks out student accounts in the body of a For Each...Next statement. During each loop iteration, the script retrieves a student record from the arrRecords array and assigns the record to the strRecord string variable. The loop then uses the Split function to split the record into fields, as the code at callout D shows. Within the loop, the script passes the Split function a single record and, as the delimiter, a comma. The script puts the results into an array named arrFields—Table 1 shows the first occurrence of this array for the sample input file—then, to make the code more readable, assigns each array element to a variable.

The code at callout E creates the AD user account for the current student record. To create objects in AD, you use the Create method in ADSI. The Create method takes two parameters: the class name for the type of object you're creating and the object's relative DN (RDN). Although you use the objContainer reference that the script obtained earlier to call the Create method, the new user object exists only in local memory. Before committing the new object to the target container in AD, you must set any mandatory attributes that the system doesn't set. Other than the new user's RDN, which the script uses the Create method to set, sAMAccountName is the only mandatory attribute you must explicitly set when you create new AD user accounts.

To set attributes on the new user object, you use the objStudent object reference that the Create method returns, coupled with the Put method. The Put method takes two parameters: the lDAPDisplayName of the attribute to set and the attribute's value. If you examine the attribute names that the script passes to Put at callout E (e.g., givenName, sn, l), you might wonder how you figure out the lDAPDisplayName for an AD attribute. Fortunately, the Directory Services software development kit (SDK) includes tables that map the UI labels to AD attribute names. To access the information online, see the MSDN Library Mappings for the Active Directory User and Computers Snap-in page (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netdir/ad/mappings_for_the_active_directory_users_and_computers_snap-in.asp). After the attributes are set, the script calls the SetInfo method to commit the new user object to the directory.

The final steps within the For Each loop are setting the new user's password and enabling the new user account. The new user object must exist in AD before the call to SetPassword, which is why the script commits the user object first. The SetPassword method sets the user's password immediately; a call to SetInfo isn't necessary. The script then sets the IADsUser interface's AccountDisabled property to False to enable the account. The script again calls SetInfo to commit the AccountDisabled change to the user object in the directory. Finally, the For Each loop sets the user object reference, objStudent, to Nothing in preparation for the next loop iteration.

To run this script in your AD forest, you need to change the values at callout A. Replace the value assigned to the strCsvFile variable with the fully qualified path and filename for your input file, and substitute your target container's DN for the DN assigned to the strContainer variable.

Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.

You May Also Like