

Table of Contents

Active Directory Scripting ..... 3
Exercise 1 Viewing existing accounts ..... 6
Exercise 2 Retrieving information from an individual user account ..... 9
Exercise 3 Enabling an individual user account ..... 11
Exercise 4 Deleting an individual user account ..... 12
Exercise 5 Creating a New OU ..... 13
Exercise 6 Moving a user account to a different OU ..... 14
Exercise 7 Creating a new user account ..... 16
Exercise 8 Creating multiple user accounts using a text file ..... 18
Exercise 9 Creating new security groups ..... 20
Exercise 10 Adding an individual user to a security group ..... 22
Exercise 11 Adding multiple users to a security group ..... 23
Exercise 12 Removing a user from a security group ..... 24
Exercise 13 Modifying an individual user account ..... 25
Exercise 14 Modifying a multi-valued attribute ..... 26
Exercise 15 Reading the userAccountControl Attribute ..... 28
Exercise 16 Modifying the userAccountControl Attribute ..... 30
Exercise 17 Modifying multiple user accounts ..... 31
Exercise 18 Changing a user’s password ..... 33
For More Information ..... 34
Appendix 1: userAccountControl Attributes and Values ..... 34

Active Directory Scripting

Objectives
After completing this lab, you will be able to:
• Use scripts to carry out fundamental Active Directory management tasks such as creating, modifying, and deleting user accounts.
• Write scripts that carry out those same fundamental Active Directory management tasks.

Prerequisites
Before working on this lab, you must have:
• Nothing; no prerequisites are required, although a knowledge of basic scripting fundamentals and of Active Directory are both useful. It is also recommended that you watch the Scripting Guys’ Webcast Users and Groups and OUs: Oh, My! before doing the lab.

For more information
Email scripter@microsoft.com.

Scenario
It’s your first day on the job as IT Manager for Fabrikam, Inc., and you’ve just discovered that your predecessor’s final project – to convert your organization’s directory service to Active Directory – was never completed. She managed to get Active Directory up and running, and even created a handful of user accounts. However, she did not get all the required accounts created, nor did she complete the rest of the Active Directory infrastructure: your domain currently has no organizational units (OUs) and no security groups other than the ones automatically created when you install Active Directory. Consequently, you are faced with three major tasks:
• Determining the current state of your Active Directory. For example, you need to figure out which user accounts have been created and which ones have not.
• Setting up the rest of the Active Directory infrastructure. This includes such things as creating additional user accounts; creating OUs and sub-OUs; moving existing user accounts to the appropriate OUs; and creating and populating security groups.
• Making additional modifications as needed. As part of your day-to-day management of Active Directory, you need to do such things as audit existing user accounts to ensure that they are in compliance with Fabrikam policies, as well as make changes to accounts to match changes in the workplace. (For example, if a user acquires a second telephone number, that number should be recorded in Active Directory.)

Fortunately, you can use ADSI scripts to help you with these tasks. Note that in the exercises in this lab an argument can be made that a script is possibly less efficient than simply carrying out a task using Active Directory Users and Computers. For the most part, this is an artifact of the lab environment: in order to keep the lab manageable, and in order to ensure that all the tasks can be completed in a reasonable amount of time, you will often be asked to do something to just one user account. When working with a single user account, you might very well find it faster and easier to use Active Directory Users and Computers. Scripting becomes a more useful alternative in situations such as this:
• You need to make a change to many user accounts at once. This lab offers a few simple examples of working with multiple accounts at the same time; for example, in one exercise you will use a script to move all the users in a department to a specified OU, regardless of the current Active Directory location of those user accounts. In the lab this involves moving a handful of accounts; in real life this might involve moving thousands of user accounts. If you are working with thousands of user accounts at the same time, a script might save you several days’ worth of effort.
• You want to enforce standards. For example, you might want all your user accounts to have a CN in the format First Name Last Name (e.g., Ken Myer) and a logon name in the format First Initial Last Name (e.g., kmyer). Scripts can help enforce these standards by carrying out these tasks for you; in one of the labs, you will write a script that reads user information (in this case, first name and last name) from a text file and then creates multiple user accounts, using your organization standards to automatically create such things as the CN (common name) and the SAM Account (logon) name.

Using the Script Templates


To help reduce the need to completely type in each script, script templates are
provided in the C:\Scripts folder. These templates include boilerplate code that
limits the amount of typing required to create a script. (This also helps to
emphasize the fact that many scripts follow predictable patterns; after you learn
how to write one ADSI script, you will discover that you now know how to
write scores of ADSI scripts.)
For example, suppose an exercise calls for you to write the following script:
Set colItems = GetObject _
    ("LDAP://CN=Users, DC=fabrikam, DC=com")
For Each objItem in colItems
    Wscript.Echo objItem.Name & ", " & objItem.Class
Next

The template for this script might look similar to this:
Set colItems = GetObject _
    ("LDAP://XX=XXXXXXXXXX, DC=fabrikam, DC=com")
For Each objItem in colItems
    Wscript.Echo objItem.XXXXXXXXXX & ", " & objItem.XXXXXXXXXX
Next

You can either type in the full script, or you can open the template and replace the X's with the required information; you would then only have to type the items that take the place of the X's (in this example CN=Users, Name, and Class):
Set colItems = GetObject _
    ("LDAP://CN=Users, DC=fabrikam, DC=com")
For Each objItem in colItems
    Wscript.Echo objItem.Name & ", " & objItem.Class
Next

If you cannot get a script to work no matter what you try, you can find complete
copies of all the scripts used in this lab in the C:\Solutions folder.

Using the Bonus Scripts


A number of “bonus” scripts are included in this lab. These scripts, which illustrate additional or alternative tasks for managing Active Directory, are included primarily for your reference; however, complete versions of all the bonus scripts are available in the folder C:\Solutions. Although technically not part of the lab, you can run these scripts if you’d like to see what they do.

Estimated time to complete this lab: 60 minutes

Exercise 1
Viewing existing accounts
Before you can finish setting up the new Active Directory, you need to determine how much your
predecessor managed to get done herself. In this exercise, you will use a simple ADSI script to view
the accounts currently in Active Directory. Because you have already been told that all the accounts
are in the Users container, the script binds to that container and enumerates only the items found
there. The resulting output will show the CN (common name) for each account, as well as the
account type. For example:
Administrator, user
Cert Publishers, group
DHCP Administrators, group
DHCP Users, group

Task 1. View existing accounts
Detailed steps:
a. Click in the virtual machine window.
b. Press Right-ALT + DEL.
c. Log on to the domain as Administrator, with a password of password.
d. Double-click the Notepad shortcut on the desktop and type the following (to reduce the amount of typing required, you can use the template C:\Scripts\Container_View.txt):
    Set colItems = GetObject _
        ("LDAP://CN=Users, DC=fabrikam, DC=com")
    For Each objItem in colItems
        Wscript.Echo objItem.CN & ", " & objItem.Class
    Next
e. Click File | Save As.
f. Save the script as view_accounts.vbs in the folder C:\Scripts. To ensure that the .vbs file extension is used, enclose the file name in quotation marks before clicking Save:
    "view_accounts.vbs"
g. Close Notepad.
h. Double-click the Command Prompt (Scripts Folder) shortcut on the desktop.
i. Type the following and press ENTER:
    cscript view_accounts.vbs
j. To verify that the script is returning accurate information, click Start | Programs | Administrative Tools | Active Directory Users and Computers.
k. In Active Directory Users and Computers, expand fabrikam.com and then click Users.
l. For convenience, leave both the Command Prompt and Active Directory Users and Computers open for the remainder of this lab.

Why CScript?
When you run a script in this lab, the instructions for starting that script will always be prefaced by
the word “cscript”:
cscript view_accounts.vbs
This ensures that the script runs under the CScript script host; in turn, that ensures that the output
will appear in the command window rather than in a seemingly-endless series of message boxes (as
would be the case using WScript, the default script host). If you do not want to type in the word
cscript each and every time, you can change the default script host to CScript by typing the
following at the command prompt, and then pressing ENTER:
cscript //H:cscript
If you want to change the default host back to WScript, then type this at the command prompt and
press ENTER:
cscript //H:wscript

Bonus Script: Filtering user and computer accounts


The script used in Exercise 1 returns a collection of all the objects found in the Users container.
However, there might be times when you want to work with only a selected portion of the objects in
a container, such as just the user accounts or just the security groups. With ADSI you can limit the
object types returned in a collection by applying a filter. For example, this script (filter_accounts)
returns only the user accounts found in the Users container:
Set colItems = GetObject("LDAP://CN=Users, DC=fabrikam, DC=com")
colItems.Filter = Array("User")
For Each objItem in colItems
Wscript.Echo objItem.CN & ", " & objItem.Class
Next
As you can see, the parameter passed to the Filter must be passed as an array; that means you can
filter for more than one type of object. For example, this filter returns both user and computer
accounts, but nothing else:
colItems.Filter = Array("User", "Computer")

Bonus Script: Searching for user accounts


The scripts shown thus far return a collection of all the users in a specified Active Directory
container. However, what if you want to return a list of all the user accounts, regardless of the
location of that account within Active Directory? The quickest and easiest way to do that is to
search Active Directory, looking for everything with an objectCategory equal to User. This sample
script (search_for_accounts.vbs) returns the name of all the user accounts in the fabrikam.com
domain, regardless of the account’s location within Active Directory:
On Error Resume Next
Const ADS_SCOPE_SUBTREE = 2
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
objCommand.CommandText = _
    "SELECT Name FROM 'LDAP://DC=fabrikam,DC=com' WHERE " _
    & "objectCategory='user'"
Set objRecordSet = objCommand.Execute
objRecordSet.MoveFirst
Do Until objRecordSet.EOF
    Wscript.Echo objRecordSet.Fields("Name").Value
    objRecordSet.MoveNext
Loop
If you run this script, you might notice a stray user account (David Hamilton) that did not appear
when you looked at the list of user accounts found in the Users container. That’s because this
account was mistakenly created in the Computers container rather than the Users container.

Exercise 2
Retrieving information from an individual user account
You were initially alerted to the fact that there was a problem when one of your users – Ken Myer – called to say that he was unable to log on to the domain. In the previous exercise you noticed that an account exists for Ken Myer; now all you need to do is figure out why he is unable to log on. In this exercise, you will use an ADSI script to bind to the Ken Myer user account (found in the Users container) and retrieve some basic account information, including the user’s first name, last name, and middle initial, as well as the current account status (whether the account is enabled or disabled).

Task 1. Retrieve information from an individual user account.
Detailed steps:
a. Double-click the Notepad shortcut on the desktop and type the following (to reduce the amount of typing required, you can use the template C:\Scripts\Account_View.txt):
    Set objUser = GetObject _
        ("LDAP://CN=Ken Myer, CN=Users, DC=fabrikam, DC=com")
    Wscript.Echo "First name: " & objUser.GivenName
    Wscript.Echo "Middle initial: " & objUser.Initials
    Wscript.Echo "Last name: " & objUser.SN
    Wscript.Echo "Account disabled: " & _
        objUser.AccountDisabled
b. Click File | Save As.
c. Save the script as bind_user.vbs, in the folder C:\Scripts. To ensure that the .vbs file extension is used, enclose the file name in quotation marks before clicking Save:
    "bind_user.vbs"
d. Close Notepad.
e. In Command Prompt (Scripts Folder) type the following and press ENTER:
    cscript bind_user.vbs
f. Check the output to see the requested information for the Ken Myer user account. Be sure to verify that this user account is disabled.

Bonus Script: Binding to CNs That Include Commas


The script shown in Exercise 2 binds to an account with the CN of Ken Myer; with only the
slightest modification, it can just as easily bind to an account with the CN of Tamara Johnston or
Scott Rockfeld. However, the script will fail if it tries to bind to an account with the CN of Penor,
Lori. Why? The culprit turns out to be the comma embedded in the CN. ADSI expects the comma
to be used to separate the individual parts of a user’s distinguished name; because of that, the script
thinks the ADsPath to this user account is this:
CN=Penor
Lori
CN=Users
DC=fabrikam
DC=com
That’s not a valid Active Directory path, so an error occurs.
If you have CNs that include commas, you need to “escape” the comma by placing a \ before it, as shown in this sample script (comma_in_cn.vbs):
Set objUser = GetObject("LDAP://CN=Penor\, Lori, CN=Users, DC=fabrikam, DC=com")
Wscript.Echo objUser.CN
For more information on binding to user accounts when the account CN includes a comma, see this
edition of the Hey, Scripting Guy! column on TechNet.
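The bonus script above fixes one comma by hand. The following Python program is an added illustration, not part of the lab and not the Scripting Guys’ code: it applies the same escaping rule programmatically (covering the other RFC 4514 special characters as well, and the forward slash, which the ADSI LDAP provider treats as a path separator) and then splits a distinguished name on unescaped commas only, so you can see why ADSI reads the unescaped CN=Penor, Lori as five components. The helper names (escape_rdn_value, build_adspath, split_dn) and the sample CNs are assumptions made for the example; nothing here binds to Active Directory.

```python
# Added example (not part of the lab): escaping special characters in a CN
# before building an LDAP ADsPath, and splitting a distinguished name on
# unescaped commas only. Mirrors the rule the lab states for "Penor, Lori".

# Characters RFC 4514 requires to be escaped inside an RDN value. The forward
# slash is not in RFC 4514, but the ADSI LDAP provider treats an unescaped '/'
# in an ADsPath as a path separator, so it is escaped here as well.
SPECIAL = set(',+"\\<>;/')


def escape_rdn_value(value):
    """Escape one attribute value (for example the CN) for use inside an RDN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:                    # a leading '#' would be read as hex form
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):     # leading/trailing blanks are significant
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def build_dn(cn, *parents):
    """Build 'CN=<escaped cn>,<parent RDNs>' in the order the lab uses."""
    return "CN=" + escape_rdn_value(cn) + "".join("," + p for p in parents)


def build_adspath(cn, *parents):
    """The ADsPath as passed to GetObject: the LDAP:// prefix plus the DN."""
    return "LDAP://" + build_dn(cn, *parents)


def split_dn(dn):
    """Split a DN into RDNs on unescaped commas, skipping the blank the lab
    puts after each comma. Splitting on every comma is what ADSI effectively
    does when a comma inside a value is not escaped."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:                     # character following a backslash: keep it
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(cur))
            cur = []
        elif ch == " " and not cur:     # padding after a separator comma
            continue
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return parts


# Constructed: the container path the lab's scripts bind beneath.
PARENTS = ("CN=Users", "DC=fabrikam", "DC=com")

if __name__ == "__main__":
    for cn in ("Ken Myer", "Penor, Lori"):
        print(build_adspath(cn, *PARENTS))
    # Unescaped comma: five components, which is why the bind fails.
    print(split_dn("CN=Penor, Lori, CN=Users, DC=fabrikam, DC=com"))
    # Escaped comma: four components, as intended.
    print(split_dn(build_dn("Penor, Lori", *PARENTS)))
```

Use escape_rdn_value on any CN that comes from outside the script (a text file, a form, a ticket) before concatenating it into an ADsPath; that is the same discipline as escaping data before it reaches a query, and it also keeps a CN containing a backslash or '+' from binding to the wrong object or failing unexpectedly.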

Exercise 3
Enabling an individual user account
As it turns out, Ken Myer is unable to log on because his account is disabled. In this exercise, you
will use an ADSI script to enable the Ken Myer user account. Enabling an account is an important
task for script writers; by default, any account you create using a script is disabled, at least until you
explicitly enable it. Note the use of the SetInfo method in the last line of the script. SetInfo is
roughly equivalent to the Save command in an application; you can make any changes you want to
a user account, but those changes are not actually written to Active Directory until you call SetInfo.

Task 1. Enable an individual user account.
Detailed steps:
a. Double-click the Notepad shortcut on the desktop and type the following (to reduce the amount of typing required, you can use the template C:\Scripts\Account_Change.txt):
    Set objUser = GetObject _
        ("LDAP://CN=Ken Myer, CN=Users, DC=fabrikam, DC=com")
    objUser.AccountDisabled = FALSE
    objUser.SetInfo
b. Click File | Save As.
c. Save the script as enable_user.vbs in the folder C:\Scripts. To ensure that the .vbs file extension is used, enclose the file name in quotation marks before clicking Save:
    "enable_user.vbs"
d. Close Notepad.
e. In Command Prompt (Scripts Folder) type the following and press ENTER:
    cscript enable_user.vbs
f. To verify that the account has been enabled, type the following and press ENTER:
    cscript bind_user.vbs

Exercise 4
Deleting an individual user account
When you looked over the user accounts back in Exercise 1, you noticed that an account for Pilar Ackerman still existed. Pilar was your predecessor; it’s obviously a gaping security hole for her to still have a valid domain administrator account. In this exercise, you will delete the user account for Pilar Ackerman. Bear in mind that, when you call the Delete method, the account will immediately be deleted from Active Directory; you will not be given a prompt along the lines of “Are you sure you want to delete this user account?” However, you could include such a prompt as part of your script code; you would simply need to make sure that the prompt occurred before you actually called the Delete method.

Task 1. Delete an individual user account.
Detailed steps:
a. In Command Prompt (Scripts Folder) type the following and press ENTER:
    cscript view_accounts.vbs
b. Verify that the Pilar Ackerman user account exists in Active Directory.
c. Double-click the Notepad shortcut on the desktop and type the following (to reduce the amount of typing required, you can use the template C:\Scripts\Container_Change.txt):
    Set objOU = GetObject _
        ("LDAP://CN=Users, DC=fabrikam, DC=com")
    objOU.Delete "user", "CN=Pilar Ackerman"
d. Click File | Save As.
e. Save the script as delete_user.vbs in the folder C:\Scripts. To ensure that the .vbs file extension is used, enclose the file name in quotation marks before clicking Save:
    "delete_user.vbs"
f. Close Notepad.
g. In Command Prompt (Scripts Folder) type the following and press ENTER:
    cscript delete_user.vbs
h. To verify that the Pilar Ackerman user account has been deleted, type the following and press ENTER:
    cscript view_accounts.vbs

Exercise 5
Creating a New OU
It’s now time to begin setting up the Active Directory infrastructure, and to start creating all the
outstanding user accounts. In this exercise, you will create a new organizational unit (OU) named
Finance. A “top-level” OU such as Finance is created by binding to the domain root, and then
calling the Create method.

Task 1. Create a new organizational unit.
Detailed steps:
a. Switch to Active Directory Users and Computers and expand fabrikam.com. You should NOT see an OU named Finance.
b. Minimize Active Directory Users and Computers.
c. Double-click the Notepad shortcut on the desktop and type the following (to reduce the amount of typing required, you can use the template C:\Scripts\Container_Change.txt):
    Set objDomain = GetObject("LDAP://DC=fabrikam, DC=com")
    Set objOU = objDomain.Create("organizationalUnit", "OU=Finance")
    objOU.SetInfo
d. Click File | Save As.
e. Save the script as create_ou.vbs in the folder C:\Scripts. To ensure that the .vbs file extension is used, enclose the file name in quotation marks before clicking Save:
    "create_ou.vbs"
f. Close Notepad.
g. In Command Prompt (Scripts Folder) type the following and press ENTER:
    cscript create_ou.vbs
h. To verify that the new OU has been created, switch to Active Directory Users and Computers.
i. Right-click fabrikam.com and click Refresh.

Bonus Script: Creating an OU inside another OU


One scripting question that seems to get asked frequently is this: How do I create an OU inside
another OU? Surprisingly enough, there’s nothing particularly difficult about that; you simply bind
to the parent OU rather than the domain root. For example, in this sample script (nested_ou.vbs),
the script binds to the Finance OU and then creates a nested OU named International:
Set objDomain = GetObject("LDAP://OU=Finance, DC=fabrikam, DC=com")
Set objOU = objDomain.Create("organizationalUnit", "OU=International")
objOU.SetInfo
After running this script the Finance OU will contain a sub-OU named International
(OU=International, OU=Finance, DC=fabrikam, DC=com).

Exercise 6
Moving a user account to a different OU
Ken Myer is a member of the Finance department; as such, it makes sense that his user account be
stored in the Finance OU rather than the Users container. In this exercise, you will move the Ken
Myer user account from the Users container to the Finance OU. This script requires just two lines
of code. In line 1, you bind to the OU where you want the account to be moved (in this example,
the Finance OU). In line 2, you call the MoveHere method, specifying the current ADsPath
(LDAP://CN=Ken Myer,CN=Users,DC=fabrikam,DC=com ) of the account being moved.

Task 1. Move a user account to a different OU.
Detailed steps:
a. Double-click the Notepad shortcut on the desktop and type the following (to reduce the amount of typing required, you can use the template C:\Scripts\Container_Change.txt):
    Set objOU = GetObject("LDAP://OU=Finance,DC=fabrikam,DC=com")
    objOU.MoveHere _
        "LDAP://CN=Ken Myer,CN=Users,DC=fabrikam,DC=com", vbNullString
b. Click File | Save As.
c. Save the script as move_user.vbs in the folder C:\Scripts. To ensure that the .vbs file extension is used, enclose the file name in quotation marks before clicking Save:
    "move_user.vbs"
d. Close Notepad.
e. In Command Prompt (Scripts Folder) type the following and press ENTER:
    cscript move_user.vbs
f. To verify that the user account has been moved, switch to Active Directory Users and Computers.
g. Right-click fabrikam.com and then click Refresh.
h. Click the Finance OU. You should see that the Ken Myer account is now in the Finance OU.

Bonus Exercise: Moving multiple user accounts based on department name

The preceding script does a perfectly good job of moving a single user account from one Active
Directory container to another. However, it does raise an understandable question: if all you are
doing is moving one user account, wouldn’t it be faster and easier to use Active Directory Users
and Computers as opposed to writing a script?
Yes, it probably would. However, suppose you wanted to move all the users in the Finance department to the Finance OU, and suppose: a) you don’t know off the top of your head which users are actually in the Finance department; and, b) those user accounts could be located anywhere within Active Directory. In a case such as that, using a script to automatically find and move each of those accounts is far faster, far easier, and far more reliable than trying to perform the same task by hand.
The sample script shown below (move_multiple_users.vbs) searches Active Directory for all users
in the Finance department (department=’Finance’), and then moves each account to the Finance
OU:
On Error Resume Next
Const ADS_SCOPE_SUBTREE = 2
Set objOU = GetObject("LDAP://OU=Finance,DC=fabrikam,DC=com")
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
objCommand.CommandText = _
    "SELECT ADsPath FROM 'LDAP://DC=fabrikam,DC=com' WHERE objectCategory='user' " & _
    "AND Department='Finance'"
Set objRecordSet = objCommand.Execute
objRecordSet.MoveFirst
Do Until objRecordSet.EOF
    objOU.MoveHere objRecordSet.Fields("ADsPath").Value, vbNullString
    objRecordSet.MoveNext
Loop

Exercise 7
Creating a new user account
You’ve also received a call this morning from Eszter Hidasi, who can’t log on to the domain either.
In this case, however, it’s not because the account is disabled, but because the account does not
exist. In this exercise, you will create a new user account with two mandatory properties: a CN of
Eszter Hidasi and a SAM Account Name of ehidasi. Note that these two property values must be
specified when creating a user account; hence the term mandatory attributes. The other attributes
specified in the script, including GivenName (first name), Initials, and SN (surname, or last name)
are optional; you can create a user account without specifying these values.
Note as well that you must call the SetInfo method to create the account before you can enable that
account; you will then need to call SetInfo a second time to enable the account. That’s because the
account must exist before it can be enabled. Likewise, the account must exist before you can assign
the user a password (a task covered in Exercise 18).

Task 1. Create a new user account.
Detailed steps:
a. Double-click the Notepad shortcut on the desktop and type the following (to reduce the amount of typing required, you can use the template C:\Scripts\Container_Change.txt):
    Set objOU = GetObject("LDAP://OU=Finance, DC=fabrikam, DC=com")
    Set objUser = objOU.Create("User", "CN=Eszter Hidasi")
    objUser.sAMAccountName = "ehidasi"
    objUser.GivenName = "Eszter"
    objUser.Initials = "A"
    objUser.SN = "Hidasi"
    objUser.SetInfo
    objUser.AccountDisabled = FALSE
    objUser.SetInfo
b. Click File | Save As.
c. Save the script as create_user.vbs in the folder C:\Scripts. To ensure that the .vbs file extension is used, enclose the file name in quotation marks before clicking Save:
    "create_user.vbs"
d. Close Notepad.
e. In Command Prompt (Scripts Folder) type the following and press ENTER:
    cscript create_user.vbs
f. To verify that the user account has been created, switch to Active Directory Users and Computers.
g. Right-click the Finance OU and then click Refresh. You should now see a new user account for Eszter Hidasi.

Bonus Script: Creating a new contact


One of the nice things about ADSI is that ADSI scripts tend to follow certain patterns. For example,
the process for creating an OU is very similar to the process for creating a user account which is
very similar to the process for creating a contact. To illustrate this, the following script
(create_contact.vbs) creates a contact named Simon Pearson; notice that the script follows the
basic pattern of binding to the OU, calling the Create method, and then calling SetInfo to write the
new account to Active Directory:
Set objOU = GetObject("LDAP://OU=Finance, DC=fabrikam, DC=com")
Set objUser = objOU.Create("contact", "CN=Simon Pearson")
objUser.SetInfo
Note that with a contact you only have to specify a CN; you do not have to specify a logon name,
because contacts – which are not security principals – cannot log on to the domain anyway.

Exercise 8
Creating multiple user accounts using a text file
After creating an account for Eszter Hidasi, you discovered that the Finance department has prepared a text file that has the information needed to create the other user accounts for this department. In this exercise, you will create multiple user accounts by reading information from a text file (C:\Scripts\New_Users.txt). The text file is a simple comma-delimited file that looks like this (first name, middle initial, last name, job title):
Amy,A,Recker,Administrator
Jamie,F,Reding,Accountant
Miles,M,Reid,Accountant
The script works by reading in the first line of the file and then using the VBScript Split function to
create an array consisting of the individual fields within the record:
Amy
A
Recker
Administrator
The script uses that array to set the appropriate property values; for example, the user’s GivenName
(first name) is assigned the value of item 0 in the array (the first item in an array is given the index
number 0, the second value is given the index number 1, and so on). In addition, the script
automatically generates a CN and a SAM Account Name for each user.
In a real-world situation you might find it easier to store information in Microsoft Excel rather than
in a text file. For information on creating user accounts based on information found in an Excel
spreadsheet, see this edition of the Scripting Clinic column on MSDN.

Task 1. Create user accounts using a text file.
Detailed steps:
a. Double-click the Notepad shortcut on the desktop and type the following (to reduce the amount of typing required, you can use the template C:\Scripts\Text_File.txt):
    Const ForReading = 1
    Set objOU = GetObject("LDAP://OU=Finance,dc=fabrikam,dc=com")
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    Set objTextFile = objFSO.OpenTextFile _
        ("new_users.txt", ForReading)
    Do Until objTextFile.AtEndOfStream
        strText = objTextFile.ReadLine
        arrAttributes = Split(strText, ",")
        strCN = arrAttributes(0) & " " & arrAttributes(2)
        Set objUser = objOU.Create("User", "cn=" & strCN)
        strsAMAccountName = Left(arrAttributes(0),1) & arrAttributes(2)
        objUser.sAMAccountName = strsAMAccountName
        objUser.GivenName = arrAttributes(0)
        objUser.Initials = arrAttributes(1)
        objUser.SN = arrAttributes(2)
        objUser.Department = "Finance"
        objUser.Title = arrAttributes(3)
        objUser.SetInfo
        objUser.AccountDisabled = FALSE
        objUser.SetInfo
    Loop
    objTextFile.Close
b. Click File | Save As.
c. Save the script as create_multiple_users.vbs in the folder C:\Scripts.
To ensure that the .vbs file extension is used, enclose the file name in
quotation marks before clicking Save:
"create_multiple_users.vbs"
d. Close Notepad.
e. In Command Prompt (Scripts Folder) type the following and press
ENTER:
cscript create_multiple_users.vbs
f. To verify that the new accounts have been created, switch to Active
Directory Users and Computers.
g. Right-click the Finance OU and then click Refresh.
You should now see the new user accounts.
Note. It should be pointed out that, outside of the lab environment, this
script might occasionally fail to create a user account. That's because CNs
must be unique within a container, and SAM Account Names must be unique
within the domain. As currently designed, the script would assign a user
named Barry Johnson a SAM Account Name of bjohnson; however, it would also
try to assign that same SAM Account Name to Brandon Johnson. In a real
production script, you could do a search to determine whether a SAM Account
Name is already in use; if it is, you could then tack the number 1 on the end
(e.g., bjohnson1) and check to see if that name is in use. If it is, you could
continue to increment the value until you finally find a unique name. Two
further checks are worth building in: a user's SAM Account Name is limited to
20 characters, and it cannot contain characters such as " / \ [ ] : ; | = , +
* ? < > or @, so a long or unusual surname must be truncated or cleaned before
the account is created.
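The search-and-increment approach from the note, worked through as an added example that is not one of the lab's scripts. It is written in Python rather than VBScript so it runs without a domain: the input lines are constructed in the lab's four-field format (first name, initial, last name, title), and a set of names already in use stands in for the directory search a production script would perform before each Create call. It also applies the 20-character limit and the forbidden-character rule, skips blank lines (which would break the Split call in the script above), and rejects duplicate CNs within one batch.

```python
"""Build CN and unique sAMAccountName values from a comma-separated user list.

Added example, not one of the lab's scripts. The sample lines are constructed
in the lab's format (first name, initial, last name, title), and the set of
names already in use stands in for the directory search a real script would
perform before each Create call.
"""
import csv
import io
import re

# A user sAMAccountName is limited to 20 characters and cannot contain these characters
SAM_MAX_LEN = 20
SAM_FORBIDDEN = re.compile(r'["/\\\[\]:;|=,+*?<>@ ]')


def sam_base(first, last):
    """First initial plus last name (Barry Johnson -> bjohnson), cleaned and truncated."""
    base = SAM_FORBIDDEN.sub("", (first[:1] + last).lower())
    return base[:SAM_MAX_LEN]


def unique_sam(first, last, in_use):
    """Return the first free name in the series bjohnson, bjohnson1, bjohnson2, ...

    SAM names are case-insensitive, so in_use holds lower-case names. The chosen
    name is added to in_use so later rows in the same batch cannot reuse it.
    """
    base = sam_base(first, last)
    candidate = base
    n = 0
    while candidate in in_use:
        n += 1
        suffix = str(n)
        # Keep the total length within the limit when a suffix is appended
        candidate = base[:SAM_MAX_LEN - len(suffix)] + suffix
    in_use.add(candidate)
    return candidate


def parse_users(text, in_use):
    """Turn the text-file contents into the attribute values the lab script writes."""
    users = []
    seen_cn = set()
    for row in csv.reader(io.StringIO(text)):
        if not any(field.strip() for field in row):
            continue  # blank line: Split in the VBScript would yield too few fields
        if len(row) != 4:
            raise ValueError(f"expected 4 fields, got {len(row)}: {row!r}")
        first, initial, last, title = (field.strip() for field in row)
        cn = f"{first} {last}"
        if cn.lower() in seen_cn:
            raise ValueError(f"duplicate CN in batch: {cn}")  # CNs must be unique in the OU
        seen_cn.add(cn.lower())
        users.append({
            "cn": cn,
            "sAMAccountName": unique_sam(first, last, in_use),
            "givenName": first,
            "initials": initial,
            "sn": last,
            "title": title,
        })
    return users


# Constructed input in the lab's new_users.txt format, including a blank line
SAMPLE_TEXT = """Barry,J,Johnson,Accountant
Brandon,T,Johnson,Analyst

Ken,E,Myer,Manager
"""
# Constructed stand-in for names the directory already contains
EXISTING_NAMES = {"kmyer"}

if __name__ == "__main__":
    for user in parse_users(SAMPLE_TEXT, set(EXISTING_NAMES)):
        print(user["cn"], "->", user["sAMAccountName"])
```

In a real script the in_use set would be replaced by an LDAP search for (sAMAccountName=candidate) against the domain, and the returned dictionaries would be written with Put and SetInfo exactly as the VBScript above does.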
Exercise 9
Creating new security groups
Creating accounts gives users the ability to log on to the domain. However, this does not give
them access to resources. Resource access is typically controlled through security groups;
granting a single group access is easier than granting each of the group's members access to
that same resource. (On top of that, any new users added to the group automatically gain access
to the resource, without requiring any work on your part.) In this exercise, you will create a
global security group named Finance Users.
Notice that two constants (ADS_GROUP_TYPE_GLOBAL_GROUP and
ADS_GROUP_TYPE_SECURITY_ENABLED) are combined when specifying the group type. (Don't be
misled by the OR operator; it is the bitwise OR, which sets both flags, so it can be read as if it
were the word "and".) The constant ADS_GROUP_TYPE_GLOBAL_GROUP makes the group a global
group, while the ADS_GROUP_TYPE_SECURITY_ENABLED constant makes it a security group. Without
this latter constant, you would create a distribution group instead. Because groupType is stored
as a signed 32-bit integer and &H80000000 is its sign bit, a global security group reads back
from the directory with a groupType of -2147483646; that is the expected value, not an error.

Tasks Detailed steps

1. Create a new security group.
a. Double-click the Notepad shortcut on the desktop and type the following (To reduce the amount of typing required, you can use the template C:\Scripts\Container_Change.txt):
Const ADS_GROUP_TYPE_GLOBAL_GROUP = &H2
Const ADS_GROUP_TYPE_SECURITY_ENABLED = &H80000000
Set objOU = GetObject("LDAP://OU=Finance,DC=fabrikam,DC=com")
Set objGroup = objOU.Create("Group", "CN=Finance Users")
objGroup.Put "samAccountName", "FinanceUsers"
objGroup.Put "groupType", ADS_GROUP_TYPE_GLOBAL_GROUP OR ADS_GROUP_TYPE_SECURITY_ENABLED
objGroup.SetInfo
b. Click File | Save As.
c. Save the script as create_group.vbs in the folder C:\Scripts. To
ensure that the .vbs file extension is used, enclose the file name in
quotation marks before clicking Save:
"create_group.vbs"
d. In Command Prompt (Scripts Folder) type the following and press
ENTER:
cscript create_group.vbs
e. To verify that the group has been created, switch to Active Directory
Users and Computers.
f. Right-click the Finance OU and then click Refresh.
You should now see the new Finance Users group (its pre-Windows 2000 name is FinanceUsers).
Bonus Script: Creating other types of groups


There are a total of six group types that can be created in Active Directory: you can create global,
domain local, and universal security groups, and you can create global, domain local, and universal
distribution groups. Constant values used in creating Active Directory groups are shown in the
following table:

Group Type Constant Value Description
Global group &H2 Members must all come from the same domain. The group can be granted permissions in any domain in the forest.
Domain local group &H4 Members can come from any domain in the forest, but permissions apply only to the local domain.
Universal group &H8 Members can come from any domain in the forest, and the group can be granted permissions in any domain in the forest.
Security group &H80000000 Security groups can be granted or denied access to resources. Distribution groups cannot.

The following script (create_distribution_group.vbs) creates a domain local distribution group.
Note that because this is not a security group, the constant value for creating a security group
(&H80000000) is not used.
Const ADS_GROUP_TYPE_LOCAL_GROUP = &H4
Set objOU = GetObject("LDAP://OU=Finance,DC=fabrikam,DC=com")
Set objGroup = objOU.Create("Group", "CN=Vendors")
objGroup.Put "samAccountName", "vendors"
objGroup.Put "groupType", ADS_GROUP_TYPE_LOCAL_GROUP
objGroup.SetInfo
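The flag arithmetic behind the table above and the two group-creation scripts, as an added example that is not part of the lab. It is Python rather than VBScript so it runs offline; it uses only the constant values from the table. Beyond what the scripts show, it handles the signed 32-bit form in which the directory actually stores groupType (the security bit &H80000000 makes the stored value negative), and it decodes a value read back from a group into its scope and kind. The groupType values decoded at the bottom are constructed.

```python
"""Compose and decode Active Directory groupType values.

Added example, not one of the lab's scripts. It uses the flag values from the
table above; the groupType values it decodes are constructed to look like what
the directory returns.
"""
GLOBAL_GROUP = 0x2
DOMAIN_LOCAL_GROUP = 0x4
UNIVERSAL_GROUP = 0x8
SECURITY_ENABLED = 0x80000000

SCOPES = {
    "global": GLOBAL_GROUP,
    "domain local": DOMAIN_LOCAL_GROUP,
    "universal": UNIVERSAL_GROUP,
}


def to_signed32(value):
    """groupType is a signed 32-bit integer in the directory, so a value with
    0x80000000 set reads back as a negative number (-2147483646 for a global
    security group). Return the value as the directory stores it."""
    value &= 0xFFFFFFFF
    return value - 0x100000000 if value & 0x80000000 else value


def group_type(scope, security=True):
    """The value to Put into groupType for a group of the given scope and kind."""
    flags = SCOPES[scope]
    if security:
        flags |= SECURITY_ENABLED  # bitwise OR combines the two flags, as in the VBScript
    return to_signed32(flags)


def decode_group_type(value):
    """Turn a groupType read from the directory into (scope, 'security' | 'distribution')."""
    unsigned = value & 0xFFFFFFFF  # accepts both the signed and the unsigned form
    scopes = [name for name, bit in SCOPES.items() if unsigned & bit]
    if len(scopes) != 1:
        raise ValueError(f"groupType {value} does not have exactly one scope bit set")
    kind = "security" if unsigned & SECURITY_ENABLED else "distribution"
    return scopes[0], kind


if __name__ == "__main__":
    for scope in SCOPES:
        for security in (True, False):
            value = group_type(scope, security)
            kind = "security" if security else "distribution"
            print(f"{scope:13}{kind:13}{value:>12}  {decode_group_type(value)}")
```

When auditing groups, decode the stored value rather than comparing it to a constant: a check such as "groupType equals &H80000002" fails because the directory returns -2147483646 for that group.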
Exercise 10
Adding an individual user to a security group
Now that the Finance Users group exists you can begin adding members to it. In this exercise, you
will add Ken Myer to the Finance Users security group. This is done by binding to the group,
binding to the user account, and then calling the Add method to add the user to the group.

Tasks Detailed steps

1. Add an individual user to a security group.
a. Double-click the Notepad shortcut on the desktop and type the following (To reduce the amount of typing required, you can use the template C:\Scripts\Account_Change.txt):
Set objGroup = GetObject("LDAP://CN=Finance Users,OU=Finance,DC=fabrikam,DC=com")
Set objUser = GetObject("LDAP://CN=Ken Myer,OU=Finance,DC=fabrikam,DC=com")
objGroup.Add(objUser.ADsPath)
b. Click File | Save As.
c. Save the script as add_user.vbs in the folder C:\Scripts. To ensure
that the .vbs file extension is used, enclose the file name in quotation
marks before clicking Save:
"add_user.vbs"
d. Close Notepad.
e. In Command Prompt (Scripts Folder) type the following and press
ENTER:
cscript add_user.vbs
f. To verify that the user has been added to the group, switch to Active
Directory Users and Computers.
g. In the Finance OU, right-click Finance Users and click Properties.
h. In the Finance Users Properties dialog box, click the Members tab.
You should now see Ken Myer as a member of Finance Users.
i. Close the Finance Users Properties dialog box.

Bonus Script: Viewing Group Membership


To find out which users are members of a group, all you have to do is bind to the group and then
report back the values contained in the Members property (Members is an example of a multi-
valued attribute, an attribute type you will deal with in Exercise 14). This sample script
(view_group_membership.vbs) lists the CN for all the members of the Finance Users group:
Set objGroup = GetObject("LDAP://CN=Finance Users,OU=Finance,DC=fabrikam,DC=com")
For Each objMember in objGroup.Members
    WScript.Echo objMember.CN
Next

Exercise 11
Adding multiple users to a security group
A common requirement in many organizations is for all users in an OU to also be members of a
specified group. (This is often done because an OU is not a security principal and so cannot be
granted permissions.) Active Directory has no mechanism for automatically placing all the users in
an OU in a corresponding security group; however, you can write a script that retrieves the list of
users found in an OU and then places each of those users in a security group. In this exercise, you
will use a script to add all the users in the Finance OU to the Finance Users group. This is done by
returning a collection of all the users in the OU (notice the filter applied to the returned
collection), and then adding the users to the group, one by one. Two caveats apply outside the lab:
the "User" filter also returns computer objects, because the computer class is derived from the
user class, so check each object's Class property before adding it; and On Error Resume Next
silences every error, including a failed Add, so a production script should test Err.Number after
each call and log the failures.

Tasks Detailed steps

1. Add multiple users to a security group.
a. Double-click the Notepad shortcut on the desktop and type the following (To reduce the amount of typing required, you can use the template C:\Scripts\Account_Change.txt):
On Error Resume Next
Set objGroup = GetObject("LDAP://CN=Finance Users,OU=Finance,DC=fabrikam,DC=com")
Set objOU = GetObject("LDAP://OU=Finance,DC=fabrikam,DC=com")
objOU.Filter = Array("User")
For Each objUser in objOU
    ' The "User" filter also returns computer objects; add only genuine user accounts
    If LCase(objUser.Class) = "user" Then
        objGroup.Add(objUser.ADsPath)
    End If
Next
b. Click File | Save As.
c. Save the script as add_multiple_users.vbs in the folder C:\Scripts. To
ensure that the .vbs file extension is used, enclose the file name in
quotation marks before clicking Save:
"add_multiple_users.vbs"
d. Close Notepad.
e. In Command Prompt (Scripts Folder) type the following and press
ENTER:
cscript add_multiple_users.vbs
f. To verify that the users have been added to the group, switch to Active
Directory Users and Computers.
g. In the Finance OU, right-click Finance Users and then click
Properties.
h. In the Finance Users Properties dialog box, click the Members tab.
You should now see various users as members of Finance Users.
i. Close the Finance Users Properties dialog box.
Exercise 12
Removing a user from a security group
Having added Ken Myer to the Finance Users group, you now discover that, as a manager, he
should not be a member of this group. In this exercise, you will remove Ken Myer from the Finance
Users group. Note the similarities between the script that removes a user from a group and the
script that originally added the user to the group.

Tasks Detailed steps

1. Remove a user from a security group.
a. Double-click the Notepad shortcut on the desktop and type the following (To reduce the amount of typing required, you can use the template C:\Scripts\Account_Change.txt):
Set objGroup = GetObject("LDAP://CN=Finance Users,OU=Finance,DC=fabrikam,DC=com")
Set objUser = GetObject("LDAP://CN=Ken Myer,OU=Finance,DC=fabrikam,DC=com")
objGroup.Remove(objUser.ADsPath)
b. Click File | Save As.
c. Save the script as remove_user.vbs in the folder C:\Scripts. To ensure
that the .vbs file extension is used, enclose the file name in quotation
marks before clicking Save:
"remove_user.vbs"
d. Close Notepad.
e. In Command Prompt (Scripts Folder) type the following and press
ENTER:
cscript remove_user.vbs
f. To verify that the user has been removed from the group, switch to
Active Directory Users and Computers.
g. In the Finance OU, right-click Finance Users and then click
Properties.
h. In the Finance Users Properties dialog box, click the Members tab.
You should no longer see Ken Myer listed as a member of Finance Users.
i. Close the Finance Users Properties dialog box.
Exercise 13
Modifying an individual user account
One reason you mistakenly placed Ken Myer in the Finance Users group is because you did not
realize Ken was a manager. To help avoid similar mistakes in the future, you decided to add Ken’s
department, job title, and company to his Active Directory user account. (This is an easy task,
because these attributes are available for use with any Active Directory user account.) In this
exercise, you will modify organization property values for the Ken Myer user account. This process
involves binding to the account, assigning the new property values, and then calling the SetInfo
method to write the changes to Active Directory.

Tasks Detailed steps

1. Modify an individual user account.
a. Double-click the Notepad shortcut on the desktop and type the following (To reduce the amount of typing required, you can use the template C:\Scripts\Account_Change.txt):
Set objUser = GetObject("LDAP://CN=Ken Myer,OU=Finance,DC=fabrikam,DC=com")
objUser.Title = "Manager"
objUser.Department = "Finance Department Management Team"
objUser.Company = "Fabrikam"
objUser.SetInfo
b. Click File | Save As.
c. Save the script as modify_user.vbs in the folder C:\Scripts. To ensure
that the .vbs file extension is used, enclose the file name in quotation
marks before clicking Save:
"modify_user.vbs"
d. Close Notepad.
e. In Command Prompt (Scripts Folder) type the following and press
ENTER:
cscript modify_user.vbs
f. To verify that the account values have been changed, switch to Active
Directory Users and Computers.
g. In the Finance OU, right-click Ken Myer and click Refresh.
h. Right-click Ken Myer a second time and then click Properties.
i. In the Ken Myer Properties dialog box, click the Organization tab
and verify the values.
j. Close the Ken Myer Properties dialog box.
Exercise 14
Modifying a multi-valued attribute
When you talked to Ken Myer this morning, he also told you that he had just acquired a second
work phone, and he wanted to be sure that this second number was available in the directory
service. In this exercise, you will modify the otherTelephone attribute for the Ken Myer user
account. The otherTelephone attribute is an example of a “multi-valued” attribute, an attribute that
can contain more than one value.
Working with multi-valued attributes is different from working with single-valued attributes. With
a single-valued attribute, you typically assign a property value simply by, well, assigning a property
value:
objUser.SN = "Myer"

When working with a multi-valued attribute you use a defined constant to indicate the type of
operation you are performing. These constants and the operations they perform are listed in the
following table:

Constant Value Description
ADS_PROPERTY_CLEAR 1 Clears all the values from the specified attribute.
ADS_PROPERTY_UPDATE 2 Replaces the values in the specified attribute with new values.
ADS_PROPERTY_APPEND 3 Appends a new value (or values) to the specified attribute.
ADS_PROPERTY_DELETE 4 Deletes the value (or values) from the specified attribute.

A complete explanation of working with multi-valued attributes lies beyond the scope of this lab;
this sample task is presented simply because you will often find yourself working with multi-valued
attributes. For more information, see the chapter Active Directory Users in the Microsoft
Windows 2000 Scripting Guide, or the Scripting Guys’ Webcast Users and Groups and OUs: Oh,
My!.

Tasks Detailed steps

1. Modify a multi-valued attribute.
a. Double-click the Notepad shortcut on the desktop and type the following (To reduce the amount of typing required, you can use the template C:\Scripts\Account_Change.txt):
Const ADS_PROPERTY_APPEND = 3
Set objUser = GetObject("LDAP://CN=Ken Myer,OU=Finance,DC=fabrikam,DC=com")
objUser.PutEx ADS_PROPERTY_APPEND, "otherTelephone", Array("(425)-555-4444")
objUser.SetInfo
b. Click File | Save As.
c. Save the script as modify_multi-value.vbs in the folder C:\Scripts. To ensure that the .vbs file extension is used, enclose the file name in quotation marks before clicking Save:
"modify_multi-value.vbs"
d. Close Notepad.
e. In Command Prompt (Scripts Folder) type the following and press
ENTER:
cscript modify_multi-value.vbs
f. To verify that the new phone number has been added, switch to Active
Directory Users and Computers.
g. In the Finance OU, right-click Ken Myer and click Refresh.
h. Right-click Ken Myer a second time and click Properties.
i. In the Ken Myer Properties dialog box, on the General tab, click the
Other … button located next to Telephone Number.
j. Verify that the new phone number appears in the Phone Number
(Others) dialog box.
k. Close the Ken Myer Properties dialogue box.

Bonus Script: Displaying a Multi-Valued Attribute


Multi-valued attributes are stored as an array; because of that, you will generate a Type Mismatch
error if you try to directly echo a multi-valued attribute (for example, using code similar to
Wscript.Echo objUser.otherTelephone). Instead, you must deal with a multi-valued attribute the
same way that you deal with any array: by creating a For-Each loop and then enumerating each
item in the array (each value in the multi-valued attribute).
In addition, you should use the GetEx method to explicitly grab the multi-valued attribute; using
GetEx ensures that the value is returned as an array and that your For-Each loop will then function
correctly.
For example, this script (display_multi-value.vbs) echoes all the values in the multi-valued
attribute otherTelephone:
Set objUser = GetObject("LDAP://cn=Ken Myer,ou=Finance,dc=fabrikam,dc=com")
Wscript.Echo "First name: " & objUser.GivenName
Wscript.Echo "Middle initial: " & objUser.Initials
Wscript.Echo "Last name: " & objUser.SN
' GetEx always returns an array, even when the attribute holds a single value
arrOtherPhones = objUser.GetEx("otherTelephone")
For Each strPhoneNumber in arrOtherPhones
    WScript.Echo "Other work phone number: " & strPhoneNumber
Next

Exercise 15
Reading the userAccountControl Attribute
You did not create Ken Myer's user account, nor did your predecessor use a standard script when
creating accounts. Consequently, you do not know for sure how the account has been configured.
That's important, because certain properties of a user account, such as configuring an account so
that a password is not required or so that the password never expires, can represent security risks.
In this exercise, you will use the userAccountControl attribute to determine whether or not Ken
Myer's user account password expires. (As a security precaution, it is highly recommended that you
do not give users passwords that never expire.)
The userAccountControl attribute is an example of a bitmask attribute, an attribute that, in effect,
contains multiple attributes and their values. Among other things, the userAccountControl attribute
contains information about whether a user:
• Can change his or her password.
• Has a password that never expires.
• Has a password stored using reversible encryption.
• Must log on using a smartcard.
For a list of attributes and their corresponding hexadecimal values see Appendix 1:
userAccountControl Attributes and Values.
In this sample exercise, you will use bitwise logic to determine whether the Password never
expires attribute has been enabled for Ken Myer. That test is performed using this line of code:
If objUser.UserAccountControl AND ADS_UF_DONT_EXPIRE_PASSWD Then
If TRUE, that means the Password never expires attribute has been enabled; if FALSE, then the
password does expire, because the attribute has not been enabled. You can test for other values in
the userAccountControl attribute by substituting the appropriate constant and its hexadecimal value.
A complete explanation of working with the userAccountControl lies beyond the scope of this lab;
this sample task is presented simply because you will often find yourself working with this
attribute. For more information, see the chapter ADSI Scripting Primer in the Microsoft Windows
2000 Scripting Guide.

Tasks Detailed steps

1. Read the userAccountControl attribute.
a. Double-click the Notepad shortcut on the desktop and type the following (To reduce the amount of typing required, you can use the template C:\Scripts\Account_View.txt):
Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000
Set objUser = GetObject("LDAP://CN=Ken Myer,OU=Finance,DC=fabrikam,DC=com")
If objUser.UserAccountControl AND ADS_UF_DONT_EXPIRE_PASSWD Then
    Wscript.Echo "This password never expires."
Else
    Wscript.Echo "This password expires."
End If
b. Click File | Save As.
c. Save the script as read_uac.vbs in the folder C:\Scripts. To ensure that the .vbs file extension is used, enclose the file name in quotation marks before clicking Save:
"read_uac.vbs"
d. Close Notepad.
e. In Command Prompt (Scripts Folder) type the following and press
ENTER:
cscript read_uac.vbs
f. To verify that the password for the Ken Myer user account never
expires, switch to Active Directory Users and Computers.
g. In the Finance OU, right click Ken Myer and click Properties.
h. On the Account tab, verify that the checkbox labeled Password never
expires is selected.
i. Close the Ken Myer Properties dialogue box.
Exercise 16
Modifying the userAccountControl Attribute
The fact that Ken Myer's password does not expire is a potential security risk; because of that, you
decide to reconfigure his account so that the password will expire, and thus have to be changed
periodically. In this exercise, you will use the userAccountControl attribute to ensure that Ken
Myer's password will expire. To do that, you first use this line of code to determine whether or not
the password is currently set to never expire:
If objUser.userAccountControl AND ADS_UF_DONT_EXPIRE_PASSWD Then
If TRUE, the password does not expire. To change this to an expiring password, use the bitwise XOR
operator. XOR toggles the flag: if the flag is set, XOR clears it; if the flag is clear, XOR sets it.
That is why the XOR runs only inside the If block; applied unconditionally to an account whose
password already expires, it would set the flag and make that password permanent. For an operation
that is safe to repeat, clear the flag with AND NOT instead (bitwise AND with the complement of the
constant), which leaves an already-clear flag unchanged.

Tasks Detailed steps

1. Modify the userAccountControl attribute.
a. Double-click the Notepad shortcut on the desktop and type the following (To reduce the amount of typing required, you can use the template C:\Scripts\Account_Change.txt):
Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000
Set objUser = GetObject("LDAP://CN=Ken Myer,OU=Finance,DC=fabrikam,DC=com")
If objUser.userAccountControl AND ADS_UF_DONT_EXPIRE_PASSWD Then
    ' XOR clears the flag only because the If test has confirmed it is set
    intPasswordExpires = objUser.userAccountControl XOR ADS_UF_DONT_EXPIRE_PASSWD
    objUser.Put "userAccountControl", intPasswordExpires
    objUser.SetInfo
End If
b. Click File | Save As.
c. Save the script as modify_uac.vbs in the folder C:\Scripts. To ensure
that the .vbs file extension is used, enclose the file name in quotation
marks before clicking Save:
"modify_uac.vbs"
d. Close Notepad.
e. In Command Prompt (Scripts Folder) type the following and press
ENTER:
cscript modify_uac.vbs
f. To verify that the attribute value has been changed, re-run the script read_uac.vbs that you created in Exercise 15; it should now report that the password expires.
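The bit tests from Exercise 15 and the flag change from Exercise 16, as an added example that is not one of the lab's scripts. It is Python rather than VBScript so it runs offline; the flag values are those in Appendix 1, and the account records are constructed. It goes a little beyond the two exercises: it audits a list of accounts for several of the risky flags (no password required, non-expiring password, delegation, no Kerberos preauthentication) rather than one account for one flag, and it clears a flag with AND NOT, which is safe to run repeatedly, instead of the XOR toggle.

```python
"""Audit userAccountControl values and clear risky flags safely.

Added example, not one of the lab's scripts. The flag values are the ones in
Appendix 1. The account records are constructed; a real script would read
userAccountControl from each account and write the new value back with
Put and SetInfo, as the VBScript above does.
"""
UF_ACCOUNTDISABLE = 0x00000002
UF_PASSWD_NOTREQD = 0x00000020
UF_NORMAL_ACCOUNT = 0x00000200
UF_DONT_EXPIRE_PASSWD = 0x00010000
UF_SMARTCARD_REQUIRED = 0x00040000
UF_TRUSTED_FOR_DELEGATION = 0x00080000
UF_DONT_REQUIRE_PREAUTH = 0x00400000
UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION = 0x01000000

# Flags that weaken an account's authentication or widen what it can do
RISKY_FLAGS = {
    UF_PASSWD_NOTREQD: "PASSWD_NOTREQD",
    UF_DONT_EXPIRE_PASSWD: "DONT_EXPIRE_PASSWD",
    UF_TRUSTED_FOR_DELEGATION: "TRUSTED_FOR_DELEGATION",
    UF_DONT_REQUIRE_PREAUTH: "DONT_REQUIRE_PREAUTH",
    UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION: "TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION",
}


def has_flag(uac, flag):
    """The test from Exercise 15: bitwise AND is non-zero when the flag is set."""
    return bool(uac & flag)


def set_flag(uac, flag):
    """Set a flag; OR leaves the other bits untouched."""
    return uac | flag


def clear_flag(uac, flag):
    """Clear a flag with AND NOT. Unlike the XOR in Exercise 16 this is idempotent:
    clearing a flag that is already clear leaves the value alone instead of setting it."""
    return uac & ~flag


def risky_flags(uac):
    """Names of the risky flags set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(RISKY_FLAGS.items()) if uac & bit]


def audit(accounts, include_disabled=False):
    """Map each account name to its risky flags; disabled accounts are skipped by default."""
    findings = {}
    for name, uac in accounts:
        if not include_disabled and has_flag(uac, UF_ACCOUNTDISABLE):
            continue
        flags = risky_flags(uac)
        if flags:
            findings[name] = flags
    return findings


def make_password_expire(uac):
    """Exercise 16 done with AND NOT, so it can run on every account without a prior If test."""
    return clear_flag(uac, UF_DONT_EXPIRE_PASSWD)


# Constructed sample: (sAMAccountName, userAccountControl as it would be read from AD)
SAMPLE_ACCOUNTS = [
    ("kmyer", UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD),
    ("svc_backup", UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD | UF_TRUSTED_FOR_DELEGATION),
    ("jdoe", UF_NORMAL_ACCOUNT),
    ("old_app", UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE | UF_DONT_REQUIRE_PREAUTH),
]

if __name__ == "__main__":
    for name, flags in audit(SAMPLE_ACCOUNTS).items():
        print(f"{name}: {', '.join(flags)}")
```

Disabled accounts are skipped by default because their flags cannot be used for a logon, but they are worth a second pass with include_disabled=True before anyone re-enables them.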
Exercise 17
Modifying multiple user accounts
Fabrikam has several subsidiary companies, and it's useful to keep track of which users work for
which company. Because all the users currently in your Active Directory work for the parent company,
you decide to assign the value Fabrikam to the Company attribute for each of these users. In this
exercise, you will set the Company property for all the users in your domain to Fabrikam. As you
might expect, you use an Active Directory search as the framework for a script that changes a
property value for all the users in a domain. There is one catch, however: Active Directory searches
are read-only; for those of you familiar with SQL, there are no UPDATE queries when working
with Active Directory. Instead, you conduct a search, returning a collection of ADsPaths for all the
users in the domain. With those ADsPaths in hand, you then individually bind to each user account
in the collection and change the property value. Note that the script starts with On Error Resume
Next, so an account that cannot be updated (for example, one you lack write permission on) is
skipped silently; outside the lab, test Err.Number after each SetInfo and record the failures.

Tasks Detailed steps

1. Modify multiple user accounts.
a. Double-click the Notepad shortcut on the desktop and type the following (To reduce the amount of typing required, you can use the template C:\Scripts\Search.txt):
On Error Resume Next
Const ADS_SCOPE_SUBTREE = 2
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
objCommand.CommandText = _
    "SELECT ADsPath FROM 'LDAP://DC=fabrikam,DC=com' WHERE objectCategory='user'"
Set objRecordSet = objCommand.Execute
objRecordSet.MoveFirst
Do Until objRecordSet.EOF
    strPath = objRecordSet.Fields("ADsPath").Value
    Set objUser = GetObject(strPath)
    objUser.Company = "Fabrikam"
    objUser.SetInfo
    objRecordSet.MoveNext
Loop
b. Click File | Save As.
c. Save the script as modify_many.vbs in the folder C:\Scripts. To
ensure that the .vbs file extension is used, enclose the file name in
quotation marks before clicking Save:
"modify_many.vbs"
d. Close Notepad.
e. In Command Prompt (Scripts Folder) type the following and press
ENTER:
cscript modify_many.vbs
f. To verify that the Company name has changed, switch to Active Directory Users and Computers.
g. In the Finance OU, right-click any user account and click Refresh.
h. Right-click the user account a second time and then click Properties.
i. In the Properties dialog box for the user account, on the Organization tab, verify the Company name.
j. Close the user Properties dialog box.
Exercise 18
Changing a user’s password
Upon notifying Ken Myer that his account has been enabled, you discover that he does not know
his password; the password he used in the company's Windows NT 4.0 domain is apparently not
the same password your predecessor assigned to his Active Directory account. In this exercise, you
will change the password for the Ken Myer user account. Note that the SetPassword method does
not require you to know the user's current password; it does require that your account has
permission to reset passwords on the target account. Because the script contains the new password
in cleartext, delete it (or at least restrict access to it) once it has run, and in practice require the
user to change the password at next logon so the value in the script does not remain in use.

Tasks Detailed steps

1. Change a user's password.
a. Double-click the Notepad shortcut on the desktop and type the following (To reduce the amount of typing required, you can use the template C:\Scripts\Account_Change.txt):
Set objUser = GetObject("LDAP://CN=Ken Myer,OU=Finance,DC=fabrikam,DC=com")
objUser.SetPassword("i5A2sj*!")
b. Click File | Save As.
c. Save the script as change_password.vbs in the folder C:\Scripts. To
ensure that the .vbs file extension is used, enclose the file name in
quotation marks before clicking Save:
"change_password.vbs"
d. Close Notepad.
e. In Command Prompt (Scripts Folder) type the following and press
ENTER:
cscript change_password.vbs
Note that there is no way to determine the password that has been assigned
to a user account; this information is not accessible even to enterprise
administrators. The only way to verify a password is to try to log on to the
domain using that password.
f. Close all open windows.
For More Information


Active Directory is a large and complex piece of technology; because of that, this lab covers only a
handful of the many management tasks that can be carried out using ADSI scripts. For more
information on using scripts to manage Active Directory, please refer to the following resources:
• The ADSI Scripting Primer chapter in the Microsoft Windows 2000 Scripting Guide
• The Active Directory Users chapter in the Microsoft Windows 2000 Scripting Guide
• The Scripting Guys' Webcast Users and Groups and OUs: Oh, My!
• The Scripting Guys' Webcast Pokin' Your Nose Into Active Directory
• The Scripting Guys' Webcast Inactive Directory? Not When You Use Scripts to Help Manage AD
• The Scripting Clinic column Creating User Accounts from Information in an Excel Spreadsheet
• The Scripting Clinic column Scripting Excel: The Saga Continues

Appendix 1: userAccountControl Attributes and Values

Individual attributes, their corresponding constants, and their hexadecimal values found in
userAccountControl are shown in the following table:

Constant Value Attribute Description
ADS_UF_SCRIPT 0x00000001 The logon script is executed.
ADS_UF_ACCOUNTDISABLE 0x00000002 The user account is disabled.
ADS_UF_HOMEDIR_REQUIRED 0x00000008 The home directory is required.
ADS_UF_LOCKOUT 0x00000010 The account is currently locked out.
ADS_UF_PASSWD_NOTREQD 0x00000020 No password is required.
ADS_UF_PASSWD_CANT_CHANGE 0x00000040 The user cannot change the password.
ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED 0x00000080 The user can send an encrypted password (the password is stored using reversible encryption).
ADS_UF_TEMP_DUPLICATE_ACCOUNT 0x00000100 This is an account for users whose primary account is in another domain. This account provides user access to this domain, but not to any domain that trusts this domain. Also known as a local user account.
ADS_UF_NORMAL_ACCOUNT 0x00000200 This is a default account type that represents a typical user.
ADS_UF_INTERDOMAIN_TRUST_ACCOUNT 0x00000800 This is a permit to trust account for a system domain that trusts other domains.
ADS_UF_WORKSTATION_TRUST_ACCOUNT 0x00001000 This is a computer account for a computer that is a member of this domain.
ADS_UF_SERVER_TRUST_ACCOUNT 0x00002000 This is a computer account for a system backup domain controller that is a member of this domain.
ADS_UF_DONT_EXPIRE_PASSWD 0x00010000 The password for this account will never expire.
ADS_UF_MNS_LOGON_ACCOUNT 0x00020000 This is an MNS logon account.
ADS_UF_SMARTCARD_REQUIRED 0x00040000 The user must log on using a smart card.
ADS_UF_TRUSTED_FOR_DELEGATION 0x00080000 The service account (user or computer account), under which a service runs, is trusted for Kerberos delegation. Any such service can impersonate a client requesting the service.
ADS_UF_NOT_DELEGATED 0x00100000 The security context of the user will not be delegated to a service even if the service account is set as trusted for Kerberos delegation.
ADS_UF_USE_DES_KEY_ONLY 0x00200000 Restrict this principal to use only Data Encryption Standard (DES) encryption types for keys.
ADS_UF_DONT_REQUIRE_PREAUTH 0x00400000 This account does not require Kerberos preauthentication for logon.
ADS_UF_PASSWORD_EXPIRED 0x00800000 The user password has expired. This flag is created by the system using data from the Pwd-Last-Set attribute and the domain policy.
ADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION 0x01000000 The account is enabled for delegation. This is a security-sensitive setting; accounts with this option enabled should be strictly controlled. This setting enables a service running under the account to assume a client identity and authenticate as that user to other remote servers on the network.