Lightweight Directory Access Protocol (LDAP): Interfacing Microsoft's Active Directory over LDAP
Topic Summary

Mr. Matt

Posted 24 March 2008 - 10:14 PM

This was a script I wrote for automating the creation of over 1000 accounts within Active Directory over the summer before the new fiscal year in 2007. It is not intended for direct use. Please make the changes necessary to reflect your user management or production environment.

#!/usr/bin/perl
use strict;
use warnings;
# use Tk;
# use Tk::DialogBox;
# use Tk::Carp qw/cluck warningsToDialog fatalsToDialog/;
use Win32::FileSecurity qw(MakeMask Get Set);
use Win32::OLE;

use constant ADP_DOMAIN => 'DOMAIN';
use constant ADP_PARENT_OU => 'ou=Sub Organizational Unit, ou=Organizational Unit, dc=' . ADP_DOMAIN;
use constant ADP_GROUP_OU => 'cn=Group Name, dc=DOMAIN';
use constant CHANGE_PASSWORD_GUID => '{ab721a53-1e2f-11d0-9819-00aa0040529b}'; # "User cannot change password" control access right
use constant ADS_UF_DONT_EXPIRE_PASSWD => 0x10000; # Password does not expire
use constant ADS_CUSTOM_ACCOUNT_ENABLED => 0x200; # ADS_UF_NORMAL_ACCOUNT, 512 decimal (the original 0x512 is 1298)
use constant ADS_RIGHT_DS_CONTROL_ACCESS => 0x100;
use constant ADS_ACETYPE_ACCESS_DENIED => 0x1;
use constant ADS_ACETYPE_ACCESS_ALLOWED_OBJECT => 0x5;
use constant ADS_ACETYPE_ACCESS_DENIED_OBJECT => 0x6;
use constant ADS_ACEFLAG_OBJECT_TYPE_PRESENT => 0x1;

# Placeholders: replace with the account name and home-directory root of your environment.
my $adp_acct = 'USERNAME';
my $adp_homedirectory = 'HOMEDIR_ROOT\\' . $adp_acct;
my $ADP_USER_OU = "ou=Container, " . ADP_PARENT_OU;

# The log file name is a placeholder; the original printed to a LOG handle that was never opened.
open(my $log, '>>', 'adp_accounts.log') or die "Cannot open log: $!";
print $log "Adding $adp_acct...\n";

# Create the user object in the target OU.
my $objDomain = Win32::OLE->GetObject("LDAP://$ADP_USER_OU")
    or die "GetObject failed: " . Win32::OLE->LastError();
my $objUser = $objDomain->Create('user', 'cn=' . $adp_acct);

$objUser->Put('sAMAccountName', $adp_acct);
$objUser->Put('userPrincipalName', "$adp_acct\@" . ADP_DOMAIN);
# ADS_UF_NORMAL_ACCOUNT must be part of the value written. No password is set here, so a domain
# password policy can reject enabling a passwordless account; call SetPassword first in production.
$objUser->Put('userAccountControl', ADS_CUSTOM_ACCOUNT_ENABLED | ADS_UF_DONT_EXPIRE_PASSWD);
$objUser->SetInfo;

# Home directory: read the existing ACL, grant the user and Administrator, drop Everyone.
mkdir $adp_homedirectory or die "Cannot create $adp_homedirectory: $!";
my %current_acl;
Get($adp_homedirectory, \%current_acl);
my $acl_admin = MakeMask(qw(GENERIC_ALL FULL));
my $acl_user = MakeMask(qw(CHANGE GENERIC_WRITE GENERIC_READ GENERIC_EXECUTE));

$current_acl{Administrator} = $acl_admin;
$current_acl{$adp_acct} = $acl_user;
delete $current_acl{Everyone};

Set($adp_homedirectory, \%current_acl);

# Group membership.
my $objGroup = Win32::OLE->GetObject('LDAP://' . ADP_GROUP_OU)
    or die "GetObject failed: " . Win32::OLE->LastError();
$objGroup->Add("LDAP://cn=$adp_acct, " . $ADP_USER_OU);

# "User cannot change password": deny the Change Password control access right to SELF and Everyone.
my $objACESelf = Win32::OLE->new('AccessControlEntry');
my $objACEEveryone = Win32::OLE->new('AccessControlEntry');
$objACESelf->{Trustee} = 'NT AUTHORITY\SELF';
$objACEEveryone->{Trustee} = 'EVERYONE';
$objACESelf->{AceFlags} = 0;
$objACESelf->{AceType} = ADS_ACETYPE_ACCESS_DENIED_OBJECT;
$objACESelf->{Flags} = ADS_ACEFLAG_OBJECT_TYPE_PRESENT;
$objACESelf->{ObjectType} = CHANGE_PASSWORD_GUID;
$objACESelf->{AccessMask} = ADS_RIGHT_DS_CONTROL_ACCESS;
$objACEEveryone->{AceFlags} = 0;
$objACEEveryone->{AceType} = ADS_ACETYPE_ACCESS_DENIED_OBJECT;
$objACEEveryone->{Flags} = ADS_ACEFLAG_OBJECT_TYPE_PRESENT;
$objACEEveryone->{ObjectType} = CHANGE_PASSWORD_GUID;
$objACEEveryone->{AccessMask} = ADS_RIGHT_DS_CONTROL_ACCESS;

# Re-read the object, append the two deny ACEs to its DACL and write the descriptor back.
# AddAce appends at the end of the DACL, so the deny ACEs may land after existing allow ACEs;
# verify the resulting DACL is in canonical order (explicit deny before explicit allow).
my $objACEUser = Win32::OLE->GetObject("LDAP://cn=$adp_acct, $ADP_USER_OU")
    or die "GetObject failed: " . Win32::OLE->LastError();
my $objSecDescriptor = $objACEUser->Get('ntSecurityDescriptor');
my $objDACL = $objSecDescriptor->DiscretionaryAcl;
$objDACL->AddAce($objACESelf);
$objDACL->AddAce($objACEEveryone);
$objUser->Put('ntSecurityDescriptor', [$objSecDescriptor]);
$objUser->SetInfo;
close $log;
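As an added example, not part of Mr. Matt's post: a Python model of the checks a defender would run on an account the script has just created. The ADSI AddAce call appends the two deny ACEs after whatever allow ACEs the DACL already holds, which breaks canonical DACL order, so the audit flags that and the missing NORMAL_ACCOUNT bit, and canonicalize() shows the repair. The ACE dictionaries, the ace() helper and the sample DACL are constructed for illustration and are not ADSI objects.

```python
ADS_UF_NORMAL_ACCOUNT = 0x0200
ADS_UF_DONT_EXPIRE_PASSWD = 0x10000
ADS_RIGHT_DS_CONTROL_ACCESS = 0x100
ADS_ACETYPE_ACCESS_ALLOWED = 0x0
ADS_ACETYPE_ACCESS_DENIED = 0x1
ADS_ACETYPE_ACCESS_DENIED_OBJECT = 0x6
INHERITED_ACE = 0x10  # AceFlags bit set on ACEs inherited from the parent container
CHANGE_PASSWORD_GUID = "{ab721a53-1e2f-11d0-9819-00aa0040529b}"
DENY_TYPES = {ADS_ACETYPE_ACCESS_DENIED, ADS_ACETYPE_ACCESS_DENIED_OBJECT}

def ace(trustee, ace_type, mask, object_type="", flags=0):
    """Constructed dict mirroring the AccessControlEntry properties the script sets."""
    return {"Trustee": trustee, "AceType": ace_type, "AccessMask": mask,
            "ObjectType": object_type, "AceFlags": flags}

def canonicalize(dacl):
    """Canonical DACL order: explicit deny, explicit allow, then inherited ACEs (order kept)."""
    def rank(a):
        if a["AceFlags"] & INHERITED_ACE:
            return 2
        return 0 if a["AceType"] in DENY_TYPES else 1
    return sorted(dacl, key=rank)  # sorted() is stable: relative order within a rank is kept

def audit_user(uac, dacl):
    """Return findings where the account differs from what the script intends (empty = OK)."""
    findings = []
    if not uac & ADS_UF_NORMAL_ACCOUNT:
        findings.append("userAccountControl lacks ADS_UF_NORMAL_ACCOUNT (0x200)")
    if not uac & ADS_UF_DONT_EXPIRE_PASSWD:
        findings.append("password is set to expire")
    # Ordering check covers explicit ACEs only; inherited ones are ordered by the parent.
    explicit = [a for a in dacl if not a["AceFlags"] & INHERITED_ACE]
    first_allow = next((i for i, a in enumerate(explicit) if a["AceType"] not in DENY_TYPES), len(explicit))
    for i, a in enumerate(explicit[first_allow:], first_allow):
        if a["AceType"] in DENY_TYPES:
            findings.append(f"deny ACE at position {i} follows an allow ACE (non-canonical DACL)")
            break
    # "User cannot change password" needs a deny on the Change Password right for SELF and Everyone.
    blocked = {a["Trustee"].upper() for a in dacl if a["AceType"] == ADS_ACETYPE_ACCESS_DENIED_OBJECT
               and a["ObjectType"].lower() == CHANGE_PASSWORD_GUID
               and a["AccessMask"] & ADS_RIGHT_DS_CONTROL_ACCESS}
    for trustee in sorted({"NT AUTHORITY\\SELF", "EVERYONE"} - blocked):
        findings.append(f"no change-password deny ACE for {trustee}")
    return findings

# Constructed sample: one pre-existing allow ACE, then the two deny ACEs as AddAce appends them.
SAMPLE_DACL = [
    ace("DOMAIN\\Domain Admins", ADS_ACETYPE_ACCESS_ALLOWED, 0xF01FF),
    ace("NT AUTHORITY\\SELF", ADS_ACETYPE_ACCESS_DENIED_OBJECT, ADS_RIGHT_DS_CONTROL_ACCESS, CHANGE_PASSWORD_GUID),
    ace("EVERYONE", ADS_ACETYPE_ACCESS_DENIED_OBJECT, ADS_RIGHT_DS_CONTROL_ACCESS, CHANGE_PASSWORD_GUID),
]
```

Running audit_user() on SAMPLE_DACL reports the ordering problem; running it on canonicalize(SAMPLE_DACL) reports nothing.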
