Using Windows Scripting Host (WScript) and ADSI objects you can set up ADAM from a script. This is really useful when deploying to different environments. I will give a quick walkthrough of some of the features in this script. The scripts are written in an idempotent way, so you can run them repeatedly and implement changes incrementally.

Prerequisites
When running this script you must be logged in as a user with the Administrator role of the ADAM instance.

Connecting to ADAM
To connect, simply use the server name and port and invoke the GetObject method. The constants and the newLine variable declared here are used by all the functions further down:
Const SERVER = "localhost:50000"
Const OU = "CN=TestApp,O=Test"
Const DN = "distinguishedName"    ' attribute name passed to Get(DN) below
Const ADS_PROPERTY_APPEND = 3     ' ADS_PROPERTY_OPERATION_ENUM value used by PutEx
newLine = vbCrLf
LDAPPATH = "LDAP://" & SERVER
WScript.Echo "Connecting to ADAM instance..."
set oTopContainer = GetObject(LDAPPATH & "/" & OU)
WScript.Echo " - Success" & newLine

Getting a container or user object
By accessing the top container, we can access the different containers and objects in our ADAM instance. Consider an ADAM instance where we have created a container for service users (users that allow our ASP.NET web app to connect, administrators etc.): CN=ServiceUsers,CN=TestApp,O=Test. We can get hold of this container using the following function, which returns Nothing when the child does not exist:
function GetChild(parent, childName, objectClass)
    ' GetObject raises an error if the child is missing, so trap it and return Nothing
    on error resume next
    set GetChild = parent.GetObject(objectClass, "CN=" & childName)
    if (Err.Number <> 0) then
        set GetChild = Nothing
    end if
    on error goto 0
end function
set oServiceUsers = GetChild(oTopContainer, "ServiceUsers", "container")

Creating a child container
But what if our ServiceUsers container in the example above does not exist? We'll create it using the following method:
function CreateChildContainer(parent, childName)
    WScript.Echo "Creating container " & childName & " under " & parent.Get(DN) & "..."
    set cont = GetChild(parent, childName, "container")
    if (cont is nothing) then
        ' Create the object in the property cache and commit it with SetInfo
        set cont = parent.Create("container", "CN=" & childName)
        cont.Put "displayName", childName
        cont.SetInfo
        WScript.Echo " - " & cont.Get(DN) & " successfully created" & newLine
    else
        WScript.Echo " - " & cont.Get(DN) & " already exists" & newLine
    end if
    set CreateChildContainer = cont
end function
set oServiceUsers = CreateChildContainer(oTopContainer, "ServiceUsers")

Creating a new user
Users are created in almost the same way as containers.
function CreateUser(container, username)
    WScript.Echo "Creating user " & username & " in " & container.Get(DN)
    set user = GetChild(container, username, "user")
    if (user is nothing) then
        set user = container.Create("user", "CN=" & username)
        user.Put "displayName", username
        user.Put "userPrincipalName", username
        user.SetInfo
        WScript.Echo " - " & user.Get(DN) & " successfully created." & newLine
    else
        WScript.Echo " - " & user.Get(DN) & " already exists" & newLine
    end if
    set CreateUser = user
end function
set adminUser = CreateUser(oServiceUsers, "Admin User")

Adding the user to a role
Next we may want to add the user to the Administrators role.
function AddUserToRole(user, roleName)
    AddToRole user.Get(DN), user.CN, roleName
end function

' dn is either a distinguished name or an LDAP path (used for SID-based foreign principals);
' cn is the value compared against the CN of each existing member.
function AddToRole(dn, cn, roleName)
    WScript.Echo "Adding " & dn & " to role " & roleName & "..."
    rdn = roleName & ",CN=Roles," & OU
    set role = GetObject(LDAPPATH & "/" & rdn)
    dim found
    found = false
    for each member in role.Members
        if (member.CN = cn) then
            found = true
            exit for
        end if
    next
    if (found = false) then
        if (left(dn, 5) = "LDAP:") then
            ' IADsGroup.Add takes an ADsPath and commits the change immediately
            role.Add dn
        else
            ' Append the DN to the member attribute and commit with SetInfo
            role.PutEx ADS_PROPERTY_APPEND, "member", Array(dn)
            role.SetInfo
        end if
        WScript.Echo " - Added to role" & newLine
    else
        WScript.Echo " - Was already a member of role" & newLine
    end if
end function

AddUserToRole adminUser, "CN=Administrators"

Adding a built-in group to ADAM
Sometimes we may want to add a local built-in group to a role in ADAM. Adding the built-in "Authenticated Users" group to the Readers role will allow users to change their own password. By adding it manually through ADAM ADSI Edit, we can find the SID (Security Identifier) in both string and hex form. We'll use both as input to our AddToRole function: the hex form in the LDAP path, and the string form as the CN to check for existing membership.
AddToRole "LDAP://<SID=01010000000000050B000000>", "S-1-5-11", "CN=Readers"
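Instead of reading the hex SID off ADSI Edit, it can be derived from the string form. The following Python helper is an added example, not code from the original post; it encodes any string SID into the hex form used inside the <SID=...> LDAP path (revision, sub-authority count, 48-bit big-endian authority, then 32-bit little-endian sub-authorities) and decodes it back. The S-1-5-32-544 value used for cross-checking is a well-known SID not taken from the post.

```python
import re
import struct

# Constructed reference pair taken from the post: Authenticated Users.
KNOWN_HEX_FORM = {"S-1-5-11": "01010000000000050B000000"}

_SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")


def sid_to_hex(sid: str) -> str:
    """Encode a string SID such as S-1-5-11 as the upper-case hex shown by ADSI Edit."""
    m = _SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a valid string SID: {sid!r}")
    authority = int(m.group(1))
    subs = [int(x) for x in m.group(2).split("-")[1:]]
    if authority >= 1 << 48 or not 1 <= len(subs) <= 15 or any(s >= 1 << 32 for s in subs):
        raise ValueError(f"SID field out of range: {sid!r}")
    # Layout: revision (1 byte) | sub-authority count (1 byte) |
    #         identifier authority (6 bytes, big-endian) | sub-authorities (4 bytes each, little-endian)
    raw = bytes([1, len(subs)]) + authority.to_bytes(6, "big")
    raw += b"".join(struct.pack("<I", s) for s in subs)
    return raw.hex().upper()


def hex_to_sid(hexsid: str) -> str:
    """Decode the hex form back to a string SID, validating length and revision."""
    raw = bytes.fromhex(hexsid)
    if len(raw) < 8 or raw[0] != 1:
        raise ValueError("not a revision-1 binary SID")
    count = raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match the data length")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "S-1-%d%s" % (authority, "".join("-%d" % s for s in subs))


def sid_ldap_path(sid: str) -> str:
    """Build the LDAP path form that the post's AddToRole expects for a foreign principal."""
    return "LDAP://<SID=%s>" % sid_to_hex(sid)


if __name__ == "__main__":
    for s in ("S-1-5-11", "S-1-5-32-544"):
        print(s, "->", sid_ldap_path(s), "->", hex_to_sid(sid_to_hex(s)))
```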
More advanced features
By invoking other applications from your script, you can import LDIF files and set ACLs on the containers. Maybe I'll write a post on that later.
