Tuesday, January 13, 2009

Automated Active Directory Distribution List Creation

One of the skills that I've found to be most helpful in my day-to-day as a Windows admin is knowing how to script well.  One of the running gags from most Unix guys is that Windows is completely unscriptable.  They forget, of course, that any scripting language that runs on their OS of choice most likely works on mine.  That being the case, I generally stick to one of the VB variants when doing what I need to do.  I stick to them for a couple of reasons, most particularly that they're very easy to use and learn.  I've also found that most situations I might encounter have been overcome by someone else, and I can count on one hand the number of times I've encountered a solution that wasn't written in VB or VBScript (most often it's C# or PowerShell).

The latest little project to cross my desk was a need to create almost four dozen distribution lists in AD.  I could've done them all by hand, but usually it's easier to write a script.  To that end here's my solution, with a bit of info on how it works. 

' Setup some variables for use later on.  The group-name suffix comes from the
' first command-line argument, so bail out with a usage message if it's missing.
If Wscript.Arguments.Count < 1 Then
    Wscript.Echo "Usage: cscript " & Wscript.ScriptName & " <NAME>"
    Wscript.Quit 1
End If
strParentDN  = "ou=DistributionGroups,ou=Exchange,dc=domain,dc=com"
strGroupName = "THE_" & Wscript.Arguments.Item(0) & "_DAEL"
strSMTP = strGroupName & "@domain.com"
Const ADS_GROUP_TYPE_UNIVERSAL_GROUP = &h8

set objOU = GetObject("LDAP://" & strParentDN)
set objGroup = objOU.Create("group","cn=" & strGroupName)
objGroup.Put "groupType", ADS_GROUP_TYPE_UNIVERSAL_GROUP
objGroup.Put "sAMAccountName", strGroupName
objGroup.MailEnable

' Here I'm going to "finalize" some of the settings for the DL.  The reason for this
' is I've found that until a group is created and mail enabled, you can't set an
' SMTP address for it.  Guess it makes sense...
objGroup.SetInfo

' But, since the group's already opened as an object, I can simply continue
' to add attributes to it.
strDN = "cn=DL Management,ou=Groups,dc=domain,dc=com"
objGroup.Put "mail", strSMTP
objGroup.Put "targetAddress", strSMTP

' This says who can add/remove members from the group.  But, read on...
objGroup.Put "managedBy", strDN
objGroup.SetInfo

Set objShell = CreateObject("Wscript.Shell")

' If you look on the Managed By tab on the DL's Properties sheet, you'll see a checkbox
' "Manager can update membership list".  Just because you've given a user (or in this case a group)
' management of that list doesn't mean they can manage the membership.  Now, we could do this
' the right and approved way, which involves setting up DACLs and ACLs for the object
' and all kinds of other voodoo.  I find it's easier to just use some of the tools provided by MS.

' Quote the DN (the group name may contain spaces) and wait for dsacls to finish so we can check its exit code.
strCMD = "dsacls """ & "cn=" & strGroupName & "," & strParentDN & """ /G domain\dlmanage:WP;member"
intRC = objShell.Run(strCMD, 0, True)

' Let the user know it worked!
If intRC = 0 Then
    Wscript.Echo "Successfully created mail-enabled DL."
Else
    Wscript.Echo "Group created, but dsacls failed with exit code " & intRC
End If

Not much to it, but someone might find it useful.  And, it certainly demonstrates how easy it really is to script AD.   19 lines of actual code to create 47 distribution lists.  I guess that's a fair trade!
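For comparison, here is the same workflow in PowerShell with an explicit check on the resulting ACL. This is an added example, not the post's code; it assumes the RSAT ActiveDirectory module, an Exchange Management Shell session for Enable-DistributionGroup, and the same placeholder domain, OUs and manager group as the post. The verification step at the end is the part worth keeping: it confirms that the only right handed to the manager group is WriteProperty on the member attribute.

```powershell
param([Parameter(Mandatory = $true)][string]$Suffix)
Import-Module ActiveDirectory

# The post passes the first command-line argument straight into a DN and a dsacls
# command line.  Restricting it to a safe character set keeps DN metacharacters
# (",", "=", "+", "\") out of the RDN.  The 20-character limit is an assumed policy.
if ($Suffix -notmatch '^[A-Za-z0-9_-]{1,20}$') {
    throw "Unsafe group-name suffix: $Suffix"
}

$groupName   = "THE_${Suffix}_DAEL"
$parentDN    = 'OU=DistributionGroups,OU=Exchange,DC=domain,DC=com'
$managerDN   = 'CN=DL Management,OU=Groups,DC=domain,DC=com'
$managerAcct = 'domain\dlmanage'                                # may edit membership
$memberGuid  = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'    # schemaIDGUID of "member"
$groupDN     = "CN=$groupName,$parentDN"

# Create the universal distribution group, mail-enable it and set Managed By.
New-ADGroup -Name $groupName -SamAccountName $groupName -GroupScope Universal `
    -GroupCategory Distribution -Path $parentDN -ManagedBy $managerDN
Enable-DistributionGroup -Identity $groupName -PrimarySmtpAddress "${groupName}@domain.com"

# Equivalent of "dsacls <dn> /G domain\dlmanage:WP;member": a single ACE granting
# WriteProperty, scoped by object type to the member attribute only.
$identity = New-Object System.Security.Principal.NTAccount($managerAcct)
$rights   = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$allow    = [System.Security.AccessControl.AccessControlType]::Allow
$rule     = New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
    -ArgumentList $identity, $rights, $allow, $memberGuid
$acl = Get-Acl -Path "AD:\$groupDN"
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$groupDN" -AclObject $acl

# Verification: re-read the ACL and list what the manager account actually holds.
# Anything beyond WriteProperty on member (GenericAll, WriteDacl, WriteOwner) means
# the delegation is wider than intended.
$managerAces = (Get-Acl -Path "AD:\$groupDN").Access |
    Where-Object { $_.IdentityReference.Value -eq $managerAcct }
$managerAces | Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, AccessControlType
$tooBroad = $managerAces | Where-Object {
    $_.ActiveDirectoryRights -match 'GenericAll|WriteDacl|WriteOwner' }
if ($tooBroad) {
    Write-Warning "$managerAcct holds more than member-write on $groupName; review the DACL."
}
```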
