Managing Active Directory with ADSI scripts (part 1)
Scripts originally developed by Dr. Holger Schwichtenberg
Agenda
- ADSI basics: introduction to the ADSI architecture; ADSI tools
- Typical operations with ADSI scripts: commented examples of ADSI use
  - Creating users, groups and organizational units
  - Changing user settings
  - Adding a user to a group
- ADSI queries
ADSI basics

What is ADSI?
- A COM component for accessing several directory services: LDAP, WinNT, NDS
- Usable from scripts and programs (COM and .NET)
- Current version: 2.5
- Included in all current versions of Windows; an add-on for Windows NT 4 and Win9x
- The ADSI SDK provides samples and documentation
Where is ADSI used?
- With Windows Script Host (WSH)
- With VBA (Word, Excel, PowerPoint, ...)
- VB 6
- Any language that can use COM (C++, C)
- Any .NET language
ADSI architecture

[Diagram: clients (COM scripts, and .NET code through System.DirectoryServices) call the Active Directory Service Interface, which dispatches each path to a provider by namespace (LDAP://, WinNT://, others); the providers talk over the network to the directories: Active Directory, Exchange, NT4 domains, NT5.x (Windows 2000/2003) local accounts, and others.]
ADSI providers
- WinNT (NT LAN Manager): Windows NT 4.0 local/domain, Windows 2000 local, Windows XP local, Windows Server 2003 local (Active Directory 2000/2003 is reachable through it only as a flat, down-level view)
- NDS: Novell NetWare/Directory Services
- IIS: Internet Information Server metabase
- LDAP: Active Directory, ADAM, Microsoft Exchange, Lotus Notes, etc.
Typical operations with ADSI scripts

Basic ADSI operations
- Accessing AD containers and objects
- Reading data
- Modifying data
- Enumerating objects
- Moving objects
- Creating and deleting objects
Accessing and reading object attributes

Determine the LDAP path:
LDAP://server01/CN=giorgio malusardi,OU=it,DC=firbolg,DC=com

Acquire the object in the script:
Set obj = GetObject("LDAP://server01/CN=Giorgio Malusardi,OU=it,DC=firbolg,DC=com")

The object has:
- Attributes (properties): data that can be read and written (e.g. DisplayName, TelephoneNumber)
- Methods: operations that can be performed (e.g. deleting the object)

Note: the provider name in the path is case sensitive ("LDAP://" must be upper case; "WinNT://" must be written exactly like that). The distinguished-name components after it are not case sensitive.
Demo: ADSI Edit
Accessing and reading object attributes (User)

Const PATH = "LDAP://server01/CN=giorgio malusardi,OU=it,DC=firbolg,DC=com"
Set u = GetObject(PATH)
' --- ADSI metadata
WScript.Echo "Name: " & u.Name
WScript.Echo "Class: " & u.Class
' --- General property page
WScript.Echo "DisplayName: " & u.FullName          ' IADsUser.FullName maps to the displayName attribute
WScript.Echo "Description: " & u.Description
WScript.Echo "TelephoneNumber: " & u.TelephoneNumber
' --- Account property page
WScript.Echo "NT4 account name: " & u.sAMAccountName
ADSI objects vs. ADS objects

[Diagram: on one side, the Active Directory resources: an organizationalUnit "it" with the schema attributes ou, displayName, managedBy, and a user "xxxx" with cn, displayName, sAMAccountName. On the other side, the ADSI representation obtained by binding to the LDAP path: the OU is exposed through IADs/IADsContainer (Name, Class, Filter, Count, LocalityName, Create(), Delete()), the user through IADs/IADsUser (Name, Class, FullName, FirstName, SetPassword()). ADSI property names and schema attribute names are not the same.]
How to find the correct property names
- Mapping between the User object and the user interface: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/user_object_user_interface_mapping.asp
- Enter a value in the field in the MMC console, then find the attribute that changed in ADSI Edit
- Examples: the "City" field is stored in the attribute l; the "Office" field in physicalDeliveryOfficeName
Data type problems

INTEGER8 (64-bit integer): number of 100-nanosecond intervals since 1 January 1601 (UTC). Used by accountExpires, lastLogon, lastLogoff, badPasswordTime and pwdLastSet. ADSI returns it as an IADsLargeInteger COM object (HighPart/LowPart), not as a VBScript number, so it has to be converted before it can be displayed or compared:

Int8ToDate(u.Get("accountExpires"))
Int8ToDate(u.Get("lastLogon"))
Int8ToDate(u.Get("lastLogoff"))
Int8ToDate(u.Get("badPasswordTime"))
Int8ToDate(u.Get("pwdLastSet"))

(Int8ToDate is a helper of the demo scripts, not an ADSI method.) Special values: 0 means "never" (never logged on; password must be changed at next logon); for accountExpires, both 0 and 9223372036854775807 (0x7FFFFFFFFFFFFFFF) mean "never expires".

Multi-valued properties: Get returns a VBScript array when the attribute holds more than one value and a scalar when it holds exactly one, and raises an error when the attribute is not set, so a small wrapper is needed:

Function ADSIGet(obj, attribut)
    ADSIGet = ""
    On Error Resume Next        ' Get raises an error if the attribute is not set
    ADSIGet = obj.Get(attribut)
    On Error GoTo 0
    ' Get returns an array for multi-valued attributes: flatten it
    If IsArray(ADSIGet) Then ADSIGet = Join(ADSIGet, ";")
End Function

WScript.Echo ADSIGet(u, "otherTelephone")
WScript.Echo ADSIGet(u, "url")
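The INTEGER8 handling described above, as an added example that is not part of the original deck: the conversions the deck's Int8ToDate and DateToInt8 helpers perform, written in Python so they can be checked offline. Function names and the sample values are the author's (the HighPart/LowPart pair used below is the Unix epoch, 0x019DB1DED53E8000).

```python
"""INTEGER8 / IADsLargeInteger conversions (added example, not from the deck)."""
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000                 # one tick = 100 ns
ACCOUNT_NEVER_EXPIRES = 0x7FFFFFFFFFFFFFFF    # accountExpires sentinel


def large_integer_to_int(high_part: int, low_part: int) -> int:
    """Reassemble IADsLargeInteger.HighPart/LowPart (what u.Get("lastLogon") hands
    to VBScript) into one 64-bit integer. COM exposes LowPart as a signed 32-bit
    value, so a negative LowPart must be wrapped back before combining."""
    if low_part < 0:
        low_part += 1 << 32
    return (high_part << 32) + low_part


def int8_to_iso(value: int):
    """INTEGER8 -> ISO 8601 UTC string; None for the 'never' sentinels
    (0 = never logged on / must change password; 0x7FFF... = never expires)."""
    if value == 0 or value == ACCOUNT_NEVER_EXPIRES:
        return None
    seconds, ticks = divmod(value, TICKS_PER_SECOND)
    dt = EPOCH_1601 + timedelta(seconds=seconds, microseconds=ticks // 10)
    return dt.isoformat()


def _parse_utc(text: str) -> datetime:
    dt = datetime.fromisoformat(text)
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)   # naive = UTC


def iso_to_int8(text: str) -> int:
    """ISO 8601 -> INTEGER8 (sub-microsecond precision is not representable here)."""
    delta = _parse_utc(text) - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def stale_threshold(now_iso: str, days: int) -> int:
    """INTEGER8 threshold for 'older than `days` days' queries such as
    (pwdLastSet<=<threshold>): compute it in the script, then splice it into the filter."""
    return iso_to_int8((_parse_utc(now_iso) - timedelta(days=days)).isoformat())


if __name__ == "__main__":
    # Constructed sample: HighPart/LowPart of the Unix epoch as COM would return them.
    unix_epoch = large_integer_to_int(0x019DB1DE, 0xD53E8000 - (1 << 32))
    print(unix_epoch, int8_to_iso(unix_epoch))
    print(int8_to_iso(0), int8_to_iso(ACCOUNT_NEVER_EXPIRES))
    print(stale_threshold("2004-11-10T00:00:00+00:00", 90))
```

The same wrap-around of a negative LowPart is what a VBScript Int8ToDate must do (HighPart * 2^32 + LowPart, adding 2^32 when LowPart is negative); the two sentinels are the reason a naive conversion shows accounts "expiring in the year 30828".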
A typical error

Creating an object with a wrong RDN. The second argument of Create is the complete relative distinguished name (attribute type plus value), not just the name:
Wrong:   objCON.Create("organizationalunit", "DEV")
Correct: objCON.Create("organizationalunit", "ou=DEV")
Demo: reading the data of user xxx
Modifying properties (User)

u.DisplayName = "giorgio malusardi"
u.Put "Description", "Evangelist"
u.TelephoneNumber = "++39 2 70392020"
u.EmailAddress = "[email protected]"
Dim tel(1)
tel(0) = "++39 2 70392020"
tel(1) = "++39 2 70397000"
u.PutEx 2, "otherTelephone", tel     ' 2 = ADS_PROPERTY_UPDATE: replace all values of the multi-valued attribute
u.SetInfo                            ' nothing reaches the directory until SetInfo is called

PutEx control codes: 1 = ADS_PROPERTY_CLEAR (remove all values), 2 = ADS_PROPERTY_UPDATE (replace the values), 3 = ADS_PROPERTY_APPEND (add the given values), 4 = ADS_PROPERTY_DELETE (delete the given values).
Enumerating objects (Users)

All users in a container:

Const PATH = "LDAP://server01/OU=it,DC=firbolg,DC=com"
Set c = GetObject(PATH)
' Restrict the enumeration to the wanted classes; the Filter must be set before the loop starts
c.Filter = Array("User", "Group")
For Each u In c
    WScript.Echo u.ADsPath & " : " & u.Get("sAMAccountName")
Next

Without a Filter the container returns every child object (computers, contacts, child OUs, ...). The Count property shown on the slide (WScript.Echo "# of Objects: " & c.Count) is not supported by the LDAP provider; count the objects inside the loop instead.
Creating an object (OU)

Const CONTAINER = "LDAP://server01/DC=firbolg,DC=com"
Const MANAGER = "CN=giorgio malusardi,OU=it,DC=firbolg,DC=com"
Const DESC = "Firbolg - IT Managers"
Const LOCALITY = "Milano"
Const OU = "Managers"
' --- Get container
Set objCON = GetObject(CONTAINER)
' --- Create new OU: the RDN must be complete ("ou=Managers"), not just the name
Set objOU = objCON.Create("organizationalunit", "ou=" & OU)
' --- Set properties (the object exists in the directory only after SetInfo)
objOU.LocalityName = LOCALITY
objOU.Description = DESC
objOU.Put "ManagedBy", MANAGER       ' managedBy holds a distinguished name
objOU.SetInfo
Creating an object (User)

Function ADSIADS_CreateUser(CONTAINER, USER, PASSWORD)
    Dim c, u
    ' --- Bind to container
    Set c = GetObject(CONTAINER)
    ' --- Create user (complete RDN, see the typical error above)
    Set u = c.Create("user", "cn=" & USER)
    ' --- Set required properties; the object must be written before a password can be set
    u.Put "sAMAccountName", CStr(USER)
    u.SetInfo
    WScript.Echo "User has been created: " & u.ADsPath
    ' --- Set password
    u.SetPassword PASSWORD
    WScript.Echo "Password has been set!"
    ' --- Enable account (new accounts are created disabled)
    u.AccountDisabled = False
    u.SetInfo
    ' --- Return new user object
    Set ADSIADS_CreateUser = u
End Function

Notes: sAMAccountName must be unique in the domain and, for a user, at most 20 characters long. The order matters: enabling the account before a password is set fails when the domain policy does not allow blank passwords. With the LDAP provider, SetPassword first tries LDAP over SSL, then the Kerberos set-password protocol, then the NetUserSetInfo RPC; the password still travels through the script as clear text, so do not hard-code it or pass it on a command line that ends up in logs.
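The "cn=" & USER concatenation above and the RDN error on the earlier slide, as an added example that is not part of the original deck: building the RDN passed to Create() with RFC 4514 escaping, so that a name containing a comma, plus sign, quote, backslash, angle bracket or semicolon, a leading '#', or a leading/trailing space cannot malform the distinguished name. Function names are the author's; the sample name is constructed.

```python
"""RDN construction with RFC 4514 escaping (added example, not from the deck)."""
import re

RDN_SPECIALS = set(',+"\\<>;')
RDN_PATTERN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=.+$")   # <type>=<value>


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value for use inside an RDN."""
    if not value:
        raise ValueError("RDN value must not be empty")
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in RDN_SPECIALS:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif ch == "#" and i == 0:             # a leading '#' would start a hex-encoded value
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def rdn(attr_type: str, value: str) -> str:
    """Always build the RDN from its type and its escaped value
    ("ou=DEV", never a bare "DEV")."""
    return "%s=%s" % (attr_type, escape_rdn_value(value))


def is_complete_rdn(text: str) -> bool:
    """True for "ou=DEV" or "cn=giorgio malusardi", False for a bare "DEV"."""
    return bool(RDN_PATTERN.match(text))


def child_dn(container_dn: str, attr_type: str, value: str) -> str:
    """Distinguished name that Create() will give the new object under container_dn."""
    return "%s,%s" % (rdn(attr_type, value), container_dn)


if __name__ == "__main__":
    # Constructed input: a name containing a comma. Unescaped, the comma would end
    # the RDN and point the rest of the string at a different (likely non-existent) parent.
    print(child_dn("OU=it,DC=firbolg,DC=com", "cn", "Malusardi, Giorgio"))
    print(is_complete_rdn("DEV"), is_complete_rdn("ou=DEV"))
```

When USER comes from a database or a web form (as in the "create users from a database" demo), run it through escape_rdn_value before concatenating; the same value must not be reused unescaped in an LDAP search filter, which has a different escaping rule.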
User attributes

' --- Account property page
' UPN: must have the form user@suffix (the suffix defaults to the domain's DNS name);
' a bare display name such as "giorgio malusardi" is not a valid UPN
u.userPrincipalName = u.sAMAccountName & "@firbolg.com"
' User must change password at next logon
u.pwdLastSet = 0
' Smart card required: set the bit in userAccountControl
Const ADS_UF_SMARTCARD_REQUIRED = 262144   ' 0x40000
u.userAccountControl = u.userAccountControl Or ADS_UF_SMARTCARD_REQUIRED
' Account expires (1 January 2005; use a Date value rather than a locale-dependent string)
u.AccountExpirationDate = #1/1/2005#
' User cannot change password: not a userAccountControl flag (ADS_UF_PASSWD_CANT_CHANGE cannot
' be set through the attribute); it is implemented as deny ACEs for the "Change Password"
' right on the user object - difficult!!! see demo
' --- Organization property page
' Manager: AD attribute "manager", type DN
u.manager = "cn=paolo rossi,OU=it,dc=firbolg,dc=com"
u.SetInfo
Moving objects

Moving an object to a different OU:

Const TARGETCONTAINER = "LDAP://server01/ou=Managers,DC=firbolg,DC=com"
Const SOURCEOBJECT = "LDAP://server01/cn=giorgio malusardi,OU=it,DC=firbolg,DC=com"
Const TARGETRDN = "cn=giorgio malusardi"
Dim objContainer ' As IADsContainer
Set objContainer = GetObject(TARGETCONTAINER)
objContainer.MoveHere SOURCEOBJECT, TARGETRDN
WScript.Echo "User moved"

MoveHere can also be used to RENAME objects: bind to the object's current parent as the target container and pass a different RDN.
Demo: creating users from a database
ADSI architecture with ADO

[Diagram: the same ADSI layer as before (COM script -> Active Directory Service Interface -> LDAP://, WinNT://, NDS:// providers -> AD, Exchange, NT4, NT5.x, others), which is read/write. In addition, ActiveX Data Objects (ADO) sit on OLE DB, which has providers for SQL Server, for other databases and one for ADSI; the path through ADO to the directory is read-only.]
ADSI query syntax
- ADO on top of ADSI uses an OLE DB provider (ADsDSOObject)
- LDAP provider only
- Read-only
- LDAP syntax (LDAP search filter, RFC 2254): search base, filter, attribute list and scope (base, onelevel or subtree; subtree is the default) separated by semicolons:
  "<LDAP://server01/dc=firbolg,dc=com>;(&(objectCategory=person)(objectClass=user)(name=f*));name,adspath;subtree"
- SQL syntax:
  "Select adspath,SamAccountname from 'LDAP://server01/dc=firbolg,dc=com' where objectclass='user' and objectCategory='person' and name = 'f*'"
LDAP query syntax
- Operators: AND: ampersand (&); OR: vertical bar (|); NOT: exclamation mark (!)
- Presence test ("the attribute has a value"): (MyCorpSpecial=*); its negation: (!(MyCorpSpecial=*))
- Comparison: =, <=, >=. Strict > and < are not allowed; "greater than" is written as "greater or equal and not equal":
  (&(Attribute>=Value)(!(Attribute=Value)))
- Queries can be generated with "Saved Queries" in the Windows Server 2003 "Active Directory Users and Computers" console and the resulting filter string copied into the script
Some LDAP query examples

All computer objects without a description:
(&(objectCategory=computer)(!(description=*)))

All disabled users (the slide labels this query "locked out", but bit 2 of userAccountControl is ADS_UF_ACCOUNTDISABLE):
(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))

Locked-out users cannot be found this way: the lockout bit (16) is computed by the domain controller and is not stored in userAccountControl. Query lockoutTime instead, e.g. (&(objectCategory=person)(objectClass=user)(lockoutTime>=1)), and compare the value with the domain lockout duration, because lockoutTime is only reset at the next successful logon.

All users with "Password never expires" set (bit 65536 = ADS_UF_DONT_EXPIRE_PASSWD):
(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))

1.2.840.113556.1.4.803 is the LDAP_MATCHING_RULE_BIT_AND rule: the attribute matches when all bits of the given value are set; 1.2.840.113556.1.4.804 (BIT_OR) matches when any of them is set.
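The userAccountControl handling on the "User attributes" slide and the bitwise queries above, as an added example that is not part of the original deck: decoding the attribute and evaluating the BIT_AND / BIT_OR matching rules offline over a few constructed accounts, to show which rows the filters actually select (and that the "locked out" filter selects none). The ADS_UF_* constants are the documented values; the accounts in SAMPLE_ACCOUNTS and their names are constructed for this example.

```python
"""userAccountControl decoding and bitwise matching rules (added example, not from the deck)."""

ADS_UF_ACCOUNTDISABLE = 0x0002
ADS_UF_LOCKOUT = 0x0010               # computed by the DC, never stored in the attribute
ADS_UF_PASSWD_NOTREQD = 0x0020
ADS_UF_NORMAL_ACCOUNT = 0x0200
ADS_UF_DONT_EXPIRE_PASSWD = 0x10000
ADS_UF_SMARTCARD_REQUIRED = 0x40000
ADS_UF_DONT_REQ_PREAUTH = 0x400000

FLAG_NAMES = {
    ADS_UF_ACCOUNTDISABLE: "ACCOUNTDISABLE",
    ADS_UF_LOCKOUT: "LOCKOUT",
    ADS_UF_PASSWD_NOTREQD: "PASSWD_NOTREQD",
    ADS_UF_NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    ADS_UF_DONT_EXPIRE_PASSWD: "DONT_EXPIRE_PASSWD",
    ADS_UF_SMARTCARD_REQUIRED: "SMARTCARD_REQUIRED",
    ADS_UF_DONT_REQ_PREAUTH: "DONT_REQ_PREAUTH",
}

# Constructed sample directory: one row per user object.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "gmalusardi", "userAccountControl": 0x200, "lockoutTime": 0},
    {"sAMAccountName": "prossi", "userAccountControl": 0x202, "lockoutTime": 0},        # disabled
    {"sAMAccountName": "svc-backup", "userAccountControl": 0x10220, "lockoutTime": 0},  # pwd never expires, pwd not required
    {"sAMAccountName": "mbianchi", "userAccountControl": 0x200, "lockoutTime": 127447015200000000},  # locked out
]


def bit_and(attr_value: int, mask: int) -> bool:
    """(userAccountControl:1.2.840.113556.1.4.803:=mask): all bits of mask are set."""
    return attr_value & mask == mask


def bit_or(attr_value: int, mask: int) -> bool:
    """(userAccountControl:1.2.840.113556.1.4.804:=mask): any bit of mask is set."""
    return attr_value & mask != 0


def decode_uac(value: int) -> list:
    """Names of the known flags set in value, lowest bit first."""
    return [name for bit, name in sorted(FLAG_NAMES.items()) if value & bit]


def set_flag(value: int, flag: int) -> int:
    """What  u.userAccountControl = u.userAccountControl Or ADS_UF_...  computes."""
    return value | flag


def select_bit_and(accounts, mask: int) -> list:
    """Accounts the BIT_AND filter with this mask would return."""
    return [a["sAMAccountName"] for a in accounts if bit_and(a["userAccountControl"], mask)]


def select_locked_out(accounts) -> list:
    """lockoutTime >= 1 is the stored evidence of a lockout; it is only reset at the next
    successful logon, so a real report also compares it with the lockout duration."""
    return [a["sAMAccountName"] for a in accounts if a["lockoutTime"] >= 1]


if __name__ == "__main__":
    print("disabled:", select_bit_and(SAMPLE_ACCOUNTS, ADS_UF_ACCOUNTDISABLE))
    print("'locked out' via bit 16:", select_bit_and(SAMPLE_ACCOUNTS, ADS_UF_LOCKOUT))   # nobody
    print("locked out via lockoutTime:", select_locked_out(SAMPLE_ACCOUNTS))
    print("password never expires:", select_bit_and(SAMPLE_ACCOUNTS, ADS_UF_DONT_EXPIRE_PASSWD))
    print(decode_uac(set_flag(0x202, ADS_UF_SMARTCARD_REQUIRED)))
```

The same decode is worth running over every account before a review: PASSWD_NOTREQD, DONT_EXPIRE_PASSWD and DONT_REQ_PREAUTH on ordinary users are the flags an attacker looks for first.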
More LDAP query examples

Users who have not logged on in the last x days (the threshold is computed in the script and spliced into the filter as an INTEGER8 value):
d = DateAdd("d", -days, Now())      ' "d" = days; the slide's "h" would subtract hours
i = DateToInt8(d)
"(&(objectCategory=person)(objectClass=user)(lastLogon<=" & i & "))"

Caveat: lastLogon is not replicated; each domain controller holds its own value, so the query must be run against every DC (or, at Windows Server 2003 domain functional level, use the replicated lastLogonTimestamp, which is only accurate to within about 14 days). A value of 0 ("never logged on") also matches.

Users who have not changed their password in the last x days:
"(&(objectCategory=person)(objectClass=user)(pwdLastSet<=" & i & "))"
pwdLastSet = 0 means "must change password at next logon" and matches this filter too; add (!(pwdLastSet=0)) to exclude those accounts.

Users created after a given date (e.g. 10 November 2004; generalized time, UTC):
"(&(objectCategory=person)(objectClass=user)(whenCreated>=20041110000000.0Z))"
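The three date-based filters above and the (name=f*) query from the syntax slide, as an added example that is not part of the original deck: building them with RFC 4515 escaping for any value that comes from outside the script, plus the INTEGER8 threshold that the deck's DateToInt8 produces. The deck's scripts concatenate raw strings into the filter ("(name=" & x & ")"); a value such as f*)(objectClass=* would then rewrite the query. Function names are the author's; all timestamps are treated as UTC.

```python
"""LDAP filter construction with escaping (added example, not from the deck)."""
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
USER_TERMS = "(objectCategory=person)(objectClass=user)"


def escape_filter_value(value: str) -> str:
    """RFC 4515: backslash, parentheses, asterisk and NUL become \\XX hex escapes."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def _parse_utc(text: str) -> datetime:
    dt = datetime.fromisoformat(text)
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def to_int8(dt: datetime) -> int:
    """Same conversion as DateToInt8: 100 ns ticks since 1601-01-01 UTC."""
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def user_filter(*terms: str) -> str:
    """AND the person/user terms with any extra terms."""
    return "(&" + USER_TERMS + "".join(terms) + ")"


def name_prefix_filter(prefix: str) -> str:
    """Users whose name starts with prefix; escaping keeps a user-supplied prefix
    from injecting extra terms."""
    return user_filter("(name=%s*)" % escape_filter_value(prefix))


def stale_logon_filter(now_iso: str, days: int) -> str:
    """Users with no logon for `days` days on the queried DC (lastLogon is not replicated)."""
    threshold = to_int8(_parse_utc(now_iso) - timedelta(days=days))
    return user_filter("(lastLogon<=%d)" % threshold)


def stale_password_filter(now_iso: str, days: int) -> str:
    """Users whose password is older than `days` days, excluding pwdLastSet=0
    ("must change password at next logon"), which would otherwise match."""
    threshold = to_int8(_parse_utc(now_iso) - timedelta(days=days))
    return user_filter("(pwdLastSet<=%d)" % threshold, "(!(pwdLastSet=0))")


def created_after_filter(date_iso: str) -> str:
    """Users created at or after the date, in generalized time (YYYYMMDDhhmmss.0Z)."""
    return user_filter("(whenCreated>=%s.0Z)" % _parse_utc(date_iso).strftime("%Y%m%d%H%M%S"))


def ado_command(base: str, ldap_filter: str, attrs, scope: str = "subtree") -> str:
    """Command text for the ADO LDAP dialect: <base>;filter;attributes;scope."""
    return "<%s>;%s;%s;%s" % (base, ldap_filter, ",".join(attrs), scope)


if __name__ == "__main__":
    print(ado_command("LDAP://server01/dc=firbolg,dc=com", name_prefix_filter("f"), ["name", "adspath"]))
    print(name_prefix_filter("f*)(objectClass=*"))      # constructed injection attempt, neutralised
    print(stale_password_filter("2004-11-10T00:00:00", 90))
    print(created_after_filter("2004-11-10"))
```

The trailing "*" of the prefix query is added by the code, not by the caller, which is the whole point: the caller's input can only ever become a literal value.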
Community resources
- Community resources: http://www.microsoft.com/communities/default.mspx
- Most Valuable Professional (MVP): http://www.microsoft.com/communities/mvp
- Newsgroups: http://communities2.microsoft.com/communities/newsgroups/en-us/default.aspx
- User groups: http://www.microsoft.com/communities/usergroupsdefault.mspx
© 2003-2004 Microsoft Corporation. All rights reserved.This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.