Printout Header
RSS Feed

Creating LDAP Directory Objects


In order to create different objects you may just connect to the directory container in which the new objects shall be. There, you use the container operation create(). You have to pass the object class for the new object and its relative distinguished name (RDN). In addition, depending on the specific object class, mandatory attributes have to be set, otherwise the object can not be created appropriately or even cannot be created at all.


Examples for Active Directory and Exchange (for Exchange 2000 or later):


Creating Organizational Units
 
 
Creating Users
Creating Mail Users
Creating Contacts
Creating Local Groups
Creating Global Groups
Creating Universal Groups

Examples for Novell eDirectory (NDS):


Creating Organizational Units
Creating ZEN Application Objects
Creating Users
Creating Groups



Creating Organizational Units


In order to create an Active Directory Organizational Unit, you have to connect to the directory container in which it shall be created. This can be either a domain object or another OU.

Set parent = GetObject("LDAP://ou=Accounts,dc=cerrotorre,dc=de") Set ou = parent.Create("organizationalUnit", "ou=Department1") ou.SetInfo

Creating Users


In order to create an Active Directory user, you have to utilize the object class 'user' and after that you have to set at least the attribute 'sAMAccountName' (Windows NT logon name):

Set ou = GetObject("LDAP://ou=Accounts,dc=cerrotorre,dc=de") Set user = ou.Create("user", "cn=Philipp") user.sAMAccountName = "philipp" user.SetInfo

By the way, the user is created as a deactivated user without password. Possible existing password standards (minimum password length or complexity requirements) are not considered. To activate the account at the same time, we have to set a flag in the attribute userAccountControl:

Set ou = GetObject("LDAP://ou=Accounts,dc=cerrotorre,dc=de") Set user = ou.Create("user", "cn=Philipp") user.sAMAccountName = "philipp" user.userAccountControl = 512 '512 = mormal account user.SetInfo

This will fail in many cases, because as before the account will be created with an empty password this way - and this should be illegal in most domains with appropriate password policies. However, it is difficult to assign a password when the account is not created yet. So we create him with a userAccountControl flag that allows a blank password for this user. This flag is removed again after setting a password:

Set ou = GetObject("LDAP://ou=Accounts,dc=cerrotorre,dc=de") Set user = ou.Create("user", "cn=Philipp") user.sAMAccountName = "philipp" user.userAccountControl = 544 '512 + 32 = normal account / password not required user.SetInfo 'user is created with empty password despite the password policy user.SetPassword "Pa$$w0rd" 'a default password is set user.userAccountControl = 512 'flag for allowing an ampty password is removed user.pwdLastSet = 0 'password has to be changed on next logon user.SetInfo

More information about the relevant LDAP attributes or about the configuration of additional object properties can be found in 'Attributes for Active Directory User' here in the SelfADSI Tutorial.


Creating Mail Users


In order to create a mail-enabled user within an Exchange organization (Exchange 2000 upwards) the object class 'user' has to be used and then at least the attributes 'sAMAccountName' (Windows NT logon name), 'mailNickName' (Exchange alias), 'displayName' and 'homeMDB' (information store of the mailbox) have to be set.

 

The exact distinguished name of the information store has to be used which consists of the organization's name of the Exchange server, the name of the storage group and the database.

Set ou = GetObject("LDAP://ou=Accounts,dc=cerrotorre,dc=de") Set mailuser = ou.Create("user", "cn=Philipp") mailuser.sAMAccountName = "philipp" mailuser.homeMDB = "CN=Name of the Priv Database," & "CN=Name of the StorageGroup,CN=InformationStore,CN=Name of the Exchange server,"& _ "CN=Servers,CN=Name of the administrative group," & _ "CN=Administrative Groups,CN=Name of the Exchange organisation,CN=Microsoft Exchange," & _ "CN=Services,CN=Configuration,DC=cerrotorre,DC=de" mailuser.mailNickName = "philipp" mailuser.displayName = "Foeckeler, Philipp" mailuser.SetInfo

The mailbox of this user will not be displayed in the Exchange System Manager (ESM) as long as the first mail is delivered. By the way, the user is created as deactivated user without password. Possible existing password standards (minimum password length or complexity requirements) are not considered. To activate the account at the same time, we have to set a flag in the attribute userAccountControl:

Set ou = GetObject("LDAP://ou=Accounts,dc=cerrotorre,dc=de") Set mailuser = ou.Create("user", "cn=Philipp") mailuser.sAMAccountName = "philipp" mailuser.homeMDB = "CN=Name of the Priv Database," & "CN=Name of the StorageGroup,CN=InformationStore,CN=Name of the Exchange server,"& _ "CN=Servers,CN=Name of the administrative group," & _ "CN=Administrative Groups,CN=Name of the Exchange organisation,CN=Microsoft Exchange," & _ "CN=Services,CN=Configuration,DC=cerrotorre,DC=de" mailuser.mailNickName = "philipp" mailuser.displayName = "Foeckeler, Philipp" user.userAccountControl = 512 '512 = mormal account mailuser.SetInfo

This will fail in many cases, because as before the account will be created with an empty password this way - and this should be illegal in most domains with appropriate password policies. However, it is difficult to assign a password when the account is not created yet. So we create him with a userAccountControl flag that allows a blank password for this user. This flag is removed again after setting a password:

Set ou = GetObject("LDAP://ou=Accounts,dc=cerrotorre,dc=de") Set mailuser = ou.Create("user", "cn=Philipp") mailuser.sAMAccountName = "philipp" mailuser.homeMDB = "CN=Name of the Priv Database," & "CN=Name of the StorageGroup,CN=InformationStore,CN=Name of the Exchange server,"& _ "CN=Servers,CN=Name of the administrative group," & _ "CN=Administrative Groups,CN=Name of the Exchange organisation,CN=Microsoft Exchange," & _ "CN=Services,CN=Configuration,DC=cerrotorre,DC=de" mailuser.mailNickName = "philipp" mailuser.displayName = "Foeckeler, Philipp" user.userAccountControl = 544 '512 + 32 = normal account / password not required user.SetInfo 'user is created with empty password despite the password policy user.SetPassword "Pa$$w0rd" 'a default password is set user.userAccountControl = 512 'flag for allowing an ampty password is removed user.pwdLastSet = 0 'password has to be changed on next logon user.SetInfo

More information about the relevant LDAP attributes or about the configuration of additional object properties can be found in 'Attributes for Active Directory User' here in the SelfADSI Tutorial.


Creating Contacts


If you want to create a mail-enabled contact within an Exchange Organization (Exchange 2000 upward), the object class 'contact' will have to to be used and then at least the attributes 'mailNickName' (Exchange alias), ' displayName' and 'targetAddress' (external mail address) have to be set (this is the Windows NT logon name):

Set ou = GetObject("LDAP://ou=Accounts,dc=cerrotorre,dc=de") Set mailcontact = ou.Create("contact", "cn=Mail-Contact") mailContact.mailNickName = "pfoeckeler-extern" mailContact.displayName = "Föckeler, Philipp (Extern)" mailContact.targetAddress = "philipp.foeckeler@cerrotorre.de" mailcontact.SetInfo

More information about the relevant LDAP attributes or the configuration of additional object properties can be found in the topic 'Attributes for Active Directory Contact' here in the SelfADSI Tutorial.


Creating Local Groups


If you want to create a local Active Directory group, the object class 'group' needs to be used and then at least the attributes 'sAMAccountName' (this is the downwards compatible Windows NT name) and 'groupType' (group area) have to be set:

ADS_GROUP_TYPE_LOCAL_GROUP = &H00000004 ADS_GROUP_TYPE_SECURITY_ENABLED = &H80000000 Set ou = GetObject("LDAP://ou=Accounts,dc=cerrotorre,dc=de") Set localgroup = ou.Create("group", "cn=SAPUsers") localgroup.sAMAccountName = "SAPUsers" localgroup.groupType = ADS_GROUP_TYPE_LOCAL_GROUP Or ADS_GROUP_TYPE_SECURITY_ENABLED localgroup.SetInfo

In order to create a local distribution group within an Exchange organization (Exchange 2000 upwards), the object class 'group' has to be used and then at least the attributes 'sAMAccountName' (Windows NT logon name), 'mailNickName' (Exchange alias), 'displayName' and 'groupType' have to be set:

ADS_GROUP_TYPE_LOCAL_GROUP = &H00000004 ADS_GROUP_TYPE_SECURITY_ENABLED = &H80000000 Set ou = GetObject("LDAP://ou=Accounts,dc=cerrotorre,dc=de") Set local-dl = ou.Create("group", "cn=All-SAP-Users") local-dl.sAMAccountName = "All-SAP-Users" local-dl.mailNickName = "All-SAP-Users" local-dl.displayName = "All SAP Users" local-dl.groupType = ADS_GROUP_TYPE_LOCAL_GROUP local-dl.SetInfo

If you want the group becoming a security group that is able to get permissions as well as to receive mail, then the group type has to be set like this:

... local-dl.groupType = ADS_GROUP_TYPE_LOCAL_GROUP Or ADS_GROUP_TYPE_SECURITY_ENABLED ...


If you need further information concerning the relevant LDAP attributes or the configuration of additional object properties can be found in the topic 'Attributes for Active Directory Group' here in the SelfADSI Tutorial.



Creating Global Groups


If wanting to create a local Active Directory group, the object class 'group' needs to be used and then at least the attributes 'sAMAccountName' (this is the downwards compatible Windows NT name) and 'groupType' (group area) have to be set:

ADS_GROUP_TYPE_GLOBAL_GROUP = &H00000002 ADS_GROUP_TYPE_SECURITY_ENABLED = &H80000000 Set ou = GetObject("LDAP://ou=Accounts,dc=cerrotorre,dc=de") Set globalgroup = ou.Create("group", "cn=Development") globalgroup.sAMAccountName = "Entwicklung" globalgroup.groupType = ADS_GROUP_TYPE_GLOBAL_GROUP Or ADS_GROUP_TYPE_SECURITY_ENABLED globalgroup.SetInfo

In order to create a global distribution group within an Exchange Organization (Exchange 2000 upwards) ,the object class 'group' has to be used and then at least the attributes 'sAMAccountName' (this is the downwards compatible Windows NT name), 'mailNickName' (Exchange alias), 'displayName' and 'groupType' have to be set:

ADS_GROUP_TYPE_GLOBAL_GROUP = &H00000002 ADS_GROUP_TYPE_SECURITY_ENABLED = &H80000000 Set ou = GetObject("LDAP://ou=Accounts,dc=cerrotorre,dc=de") Set global-dl = ou.Create("group", "cn=All-Department-Managers") global-dl.sAMAccountName = "All-Department-Managers" global-dl.mailNickName = "All-Department-Managers" global-dl.displayName = "All Department Managers" global-dl.groupType = ADS_GROUP_TYPE_GLOBAL_GROUP global-dl.SetInfo

If you want the group becoming a security group that is able to get permissions as well as to receive mail, then the group type has to be set like this:


... local-dl.groupType = ADS_GROUP_TYPE_GLOBAL_GROUP Or ADS_GROUP_TYPE_SECURITY_ENABLED ...


More information about the relevant LDAP attributes or the configuration of additional object properties can be found in the topic 'Attributes for Active Directory Group' here in the SelfADSI Tutorial.


Creating Universal Groups


If you want to create a universal Active Directory group, the object class 'group' has to be used and then at least the attributes 'sAMAccountName' (this is the downwards compatible Windows NT name) and 'groupType' (group area) have to be set:

ADS_GROUP_TYPE_UNIVERSAL_GROUP = &H00000008 ADS_GROUP_TYPE_SECURITY_ENABLED = &H80000000 Set ou = GetObject("LDAP://ou=Accounts,dc=cerrotorre,dc=de") Set globalgroup = ou.Create("group", "cn=Support") globalgroup.sAMAccountName = "Support" globalgroup.groupType = ADS_GROUP_TYPE_UNIVERSAL_GROUP Or ADS_GROUP_TYPE_SECURITY_ENABLED globalgroup.SetInfo

In order to create a universal distribution group within an Exchange Organization (Exchange 2000 upwards), the object class 'group' has to be used and then at least the attributes 'sAMAccountName' (this is the downwards compatible Windows NT name), 'mailNickName' (Exchange alias), 'displayName' and 'groupType' have to be set:

ADS_GROUP_TYPE_UNIVERSAL_GROUP = &H00000002 ADS_GROUP_TYPE_SECURITY_ENABLED = &H80000000 Set ou = GetObject("LDAP://ou=Accounts,dc=cerrotorre,dc=de") Set global-dl = ou.Create("group", "cn=All-Support-Engineers") global-dl.sAMAccountName = "All-Support-Engineers" global-dl.mailNickName = "All-Support-Engineers" global-dl.displayName = "All Support Engineers" global-dl.groupType = ADS_GROUP_TYPE_UNIVERSAL_GROUP global-dl.SetInfo

If you want the group to become a security group that is able to get permissions as well as to receive mail, then the group type has to be set like this:

... local-dl.groupType = ADS_GROUP_TYPE_UNIVERSAL_GROUP Or ADS_GROUP_TYPE_SECURITY_ENABLED ...


More information about the relevant LDAP attributes or the configuration of additional object properties can be found in the topic 'Attributes for Active Directory Group' here in the SelfADSI Tutorial.


Creating Organizational Units in the eDirectory


If you need to create an Organizational Unit within the eDirectory, you connect to the directory container in which the new objects shall be created in at first. This can be either an object of an organization, another OU, a locality object or a domain. No mandatory attributes need to be set.

Set parent = GetObject("LDAP://ou=DE,o=CERROTORRE") Set ou = parent.Create("organizationalUnit", "cn=Karlsruhe") ou.objectClass = "organizationalUnit" ou.SetInfo

Please note the difference between this case and the creation of objects in Active Directory environments: The attribute "objectClass" is set explicitly. This is not necessary in every eDirectory version, but to avoid errors, you should definitely set the objectclass of eDirectory objects in this way.


Creating User in the eDirectory


In order to create an eDirectory user, you have to use the object class 'inetOrgPerson' and then you have to set at least the attribute 'sn' (surname):

Set ou = GetObject("LDAP://ou=Accounts,ou=DE,o=CERROTORRE") Set user = ou.Create("inetOrgPerson", "cn=Philipp") user.sn = "Foeckeler" user.objectClass = "inetOrgPerson" user.SetInfo

Please note the difference between this case and the creation of objects in Active Directory environments: The attribute "objectClass" is set explicitly. This is not necessary in every eDirectory version, but to avoid errors, you should definitely set the objectclass of eDirectory objects in this way.


Creating Groups in the eDirectory


For creating an eDirectory group, the object class 'group', 'groupOfNames' or as well 'groupOfUniqueNames' may be used. These are equal synonyms of the same object class. No mandatory attributes need to be set.

Set ou = GetObject("LDAP://ou=Groups,ou=DE,o=CERROTORRE") Set group = ou.Create("groupOfNames", "cn=CerroAdmins") group.objectClass = "groupOfNames" group.SetInfo

Please note the difference between this case and the creation of objects in Active Directory environments: The attribute "objectClass" is set explicitly. This is not necessary in every eDirectory version, but to avoid errors, you should definitely set the objectclass of eDirectory objects in this way.


Creating ZEN Application Objects in the eDirectory


For creating a ZEN Application Object the object class 'appApplication' has to be used and at least the attributes 'appCaption' and 'appPath' have to be set. This is the description of the applications and the call path of the respective program:

Set ou = GetObject("LDAP://ou=Apps,ou=DE,o=CERROTORRE") Set app = ou.Create("appApplication", "cn=AppControl") app.Put "appCaption", "AppControl 1.0" app.Put "appPath", "47 NULL" app.Put "objectClass", "appApplication" app.SetInfo

Please note that we have to use the entirely official put method here and can not simply set the attributes as object properties. Thus, the call app.appCaption = 'AppControl 1.0' would have caused a runtime error. The reason for this is that the attributes appCaption and appPath feature a type that is specific to providers and are no standard strings.


In our example I have set the path to the executable data file empty - for that purpose the string '47 NULL' has to be set as value.


Tweet