' '* Declare constants used in defining the default location for the '* machine account, flags to identify the object as a machine account, '* and security flags 'Const UF_WORKSTATION_TRUST_ACCOUNT = &H1000 Const UF_ACCOUNTDISABLE = &H2 Const UF_PASSWD_NOTREQD = &H20 Const ADS_GUID_COMPUTRS_CONTAINER = "aa312825768811d1aded00c04fd8d5cd" Const ADS_ACETYPE_ACCESS_ALLOWED = 0 Const ADS_ACEFLAG_INHERIT_ACE = 2
' '* Set the flags on this object to identify it as a machine account '* and determine the name. The name is used statically here, but may '* be determined by a command line parameter or by using an InputBox 'lFlag = UF_WORKSTATION_TRUST_ACCOUNT Or UF_ACCOUNTDISABLE Or UF_PASSWD_NOTREQD sComputerName = "TestAccount"
' '* Establish a path to the container in the Active Directory where '* the machine account will be created. In this example, this will '* automatically locate a domain controller for the domain, read the '* domain name, and bind to the default "Computers" container '*********************************************************************
''* Here, the computer account is created. Certain attributes must '* have a value before calling .SetInfo to commit (write) the object '* to the Active Directory 'Set oComputer = computerContainer.Create("computer", "CN=" & sComputerName) oComputer.Put "samAccountName", sComputerName + "$" oComputer.Put "userAccountControl", lFlag oComputer.SetInfo
' '* Establish a default password for the machine account 'sPwd = sComputerName & "$" sPwd = LCase(sPwd) oComputer.SetPassword sPwd
''* Specify which user or group may activate/join this computer to the '* domain. In this example, "MYDOMAIN" is the domain name and '* "JoeSmith" is the account being given the permission. Note that '* this is the downlevel naming convention used in this example. 'sUserOrGroup = "MYDOMAINjoesmith"
''* Bind to the Discretionary ACL on the newly created computer account '* and create an Access Control Entry (ACE) that gives the specified '* user or group full control on the machine account 'Set secDescriptor = oComputer.Get("ntSecurityDescriptor") Set dACL = secDescriptor.DiscretionaryAcl Set ACE = CreateObject("AccessControlEntry")
' '* An AccessMask of "-1" grants Full Control ' ACE.AccessMask = -1 ACE.AceType = ADS_ACETYPE_ACCESS_ALLOWED ACE.AceFlags = ADS_ACEFLAG_INHERIT_ACE
''* Grant this control to the user or group specified earlier. 'ACE.Trustee = sUserOrGroup
' '* Now, add this ACE to the DACL on the machine account 'dACL.AddAce ACE secDescriptor.DiscretionaryAcl = dACL
' '* Commit (write) the security changes to the machine account 'oComputer.Put "ntSecurityDescriptor", Array(secDescriptor) oComputer.SetInfo
''* Once all parameters and permissions have been set, enable the '* account. ' oComputer.AccountDisabled = False oComputer.SetInfo
''* Create an Access Control Entry (ACE) that gives the specified user '* or group full control on the machine account 'wscript.echo "The command completed successfully."
'***************** '* End Script '*****************
设为主页
收藏本站
相关文章: