By The Scripting Guys
At Long Last: Write
ADSI Scripts Like the Pros!
Download the ADSI Scriptomatic
Perhaps the most rewarding thing about being the Scripting Guys
is the opportunity we get to read emails sent to us by our readers. For
example, after we released the original Scriptomatic, the incredible little
utility that writes WMI scripts for you, we got hundreds of messages similar to
these:
Dear Scripting Guys: The Scriptomatic rocks!!! Too bad it
doesn't write ADSI scripts for you.
Dear Scripting Guys: I thought I was going to die laughing
when I read the Readme file that accompanied the Scriptomatic. It was so funny,
it almost made up for the fact that the Scriptomatic doesn't write ADSI scripts
for you.
Dear Scripting Guys: Last month I made $25,000 working just
a few hours a week out of the comfort of my own home. And now Im willing to
show you how you can do the same. P.S. Are you guys aware that your
Scriptomatic doesn't write ADSI scripts for you?
Now, upon reading these emails our first reaction was, You
lousy, ungrateful little -- we give you something for free, and you have
the nerve to ask for more? Why we oughta . But after we cooled off a
bit, and after we dried our tears, we realized we should have expected a
reaction like this. After all, why was the Scriptomatic so well received in the
first place? Well, WMI is perceived as being a difficult technology, a
technology more appropriate for people with computer science degrees than for
people new to scripting. The Scriptomatic was a success not only because it
wrote WMI scripts for you, but also because it showed you that WMI scripts
werent all that hard to write; after all, most of them follow a very consistent
pattern. The Scriptomatic was a sneaky way to get over your inhibitions, and
get you started with WMI.
And what about ADSI (Active Directory Service Interfaces),
the scripting technology used to manage Active Directory? Well, again, the perception
is that ADSI is hard, too hard for system administrators or for someone new to
scripting. You’d have to be a genius (hey, like the Scripting Guys!) to write
ADSI scripts. Sure, many people thought, I know that ADSI would let me do a lot
of cool things. But how could someone like me ever get started with
ADSI? Its no wonder people were hoping for an ADSI Scriptomatic, and a little
disappointed when they didn’t get one.
Of course, the truth is that ADSI isn’t all that hard, and
the Scripting Guys aren’t all that smart (if we were, wed be getting paid for
doing this stuff). Like WMI, though, people think ADSI is too hard for
them, and they never even give it a try. Like WMI, people need something to
help them get over that initial barrier, something to help them get started.
Like WMI, people need a Scriptomatic.
Well, its safe to say that you spoke, and the Scripting Guys
listened. Consequently, we set aside all our other projects and duties, and
worked day and night over the past 6 months to produce well, OK, we didn’t
produce an ADSI Scriptomatic. But a few days ago we remembered, Oh, yeah, that
ADSI thing, and we immediately hammered something together for you. And so with
no further adieu, here it is, the oft-requested, long-awaited ADSI
Scriptomatic, the amazing new utility that will actually write ADSI scripts for
you! (And if anyone emails us to complain that it doesn't write WMI
scripts for you .)
So What is the ADSI Scriptomatic?
Uh, havent you been paying attention? The ADSI Scriptomatic
-- as we keep trying to tell you -- is designed to help you write ADSI scripts;
that is, scripts that can be used to manage Active Directory. As if that isn’t
enough (and we learned the hard way that things are never enough), the
ADSI Scriptomatic also teaches you an important point about ADSI scripting:
like WMI, there are consistent patterns to ADSI scripts. For example, the ADSI
Scriptomatic will help you write a script to delete a user account. It will
also help you write scripts for deleting groups and organizational units. And
if you take a close look at the scripts for deleting different objects, you’ll
see something very interesting: theyre practical identical! What is this, some
kind of a rip-off?
Well, it might be. But the reason the scripts look so
similar is because ADSI uses a consistent approach for deleting objects,
regardless of the type of object being deleted. What does that mean? Well, if
you take the time to study the scripts created by the ADSI Scriptomatic (and if
you read the ADSI chapter from the Windows 2000 Scripting Guide), you’ll understand how you
can delete pretty much anything from Active Directory. For example, we
wanted to keep the ADSI Scriptomatic relatively simple; as a result, weve
limited the objects you can work with. The ADSI Scriptomatic will write a
script that deletes a user account, but it won’t write a script that deletes a
published printer. But, hey, so what? After you understand the pattern, you can
write your own script for deleting published printers. (OK, OK, well consider
creating the DeletePublishedPrintersOmatic. But don’t hold your breath.)
But don’t just take our word for it: see for yourself. Heres
a script -- as generated by the ADSI Scriptomatic -- that deletes a user
account:
strContainer = ""
strName = "EzAdUser"
'***********************************************
'* Connect to a container *
'***********************************************
Set objRootDSE = GetObject("LDAP://rootDSE")
If strContainer = "" Then
Set objContainer = GetObject("LDAP://" & _
objRootDSE.Get("defaultNamingContext"))
Else
Set objContainer = GetObject("LDAP://" & strContainer & "," & _
objRootDSE.Get("defaultNamingContext"))
End If
'***********************************************
'* End connect to a container *
'***********************************************
objContainer.Delete "user", "cn=" & strName
And heres a script that deletes a group:
strContainer = ""
strName = "EzAdGroup"
'***********************************************
'* Connect to a container *
'***********************************************
Set objRootDSE = GetObject("LDAP://rootDSE")
If strContainer = "" Then
Set objContainer = GetObject("LDAP://" & _
objRootDSE.Get("defaultNamingContext"))
Else
Set objContainer = GetObject("LDAP://" & strContainer & "," & _
objRootDSE.Get("defaultNamingContext"))
End If
'***********************************************
'* End connect to a container *
'***********************************************
objContainer.Delete "group", "cn=" & strName
Whats the difference between the two scripts? Only the two
items listed in boldface:
- The name of the group (EzAdGroup), as opposed to
the name of the user (EzAdUser)
- The type of object being deleted (group vs.
user).
Thats all there is to it.
But hold on there, Scripting Guys, you’re thinking. You said
wed be able to look at these two scripts, and then write our own script to
delete a published printer. So how do we do that? Look, sit down, take a deep
breath, and don’t panic. Lets say you have a printer name EzAdPrinter and the
type of object being deleted is a printQueue object. Take the next five minutes
or so, and see if you can write a script to delete the EzAdPrinter. Don’t
worry; well wait for you.
Ok, times up. Does your script look like this:
strContainer = ""
strName = "EzAdPrinter"
'***********************************************
'* Connect to a container *
'***********************************************
Set objRootDSE = GetObject("LDAP://rootDSE")
If strContainer = "" Then
Set objContainer = GetObject("LDAP://" & _
objRootDSE.Get("defaultNamingContext"))
Else
Set objContainer = GetObject("LDAP://" & strContainer & "," & _
objRootDSE.Get("defaultNamingContext"))
End If
'***********************************************
'* End connect to a container *
'***********************************************
objContainer.Delete "printQueue", "cn=" & strName
If it does, you’ve either already caught on to the basic
pattern behind ADSI, or you cheated and looked at the answer. But thats OK;
after all, what is the Scriptomatic if not one big cheating device? The bottom
line is, you want just want a script the deletes published printers. It doesn't
really matter who (or what) wrote the thing, does it? Use the Scriptomatic to
help get you started, and then free to embellish the basic script any way you
wish.
Still not convinced that the ADSI Scriptomatic is the
greatest technological innovation in human history? Listen, don’t take our word
for; see for yourself. For example, lets compare the ADSI Scriptomatic with the
Xbox video game console:
* When we say Yes here we actually mean No.
The results speak for themselves: the ADSI Scriptomatic is a
clear winner. Download the ADSI Scriptomatic, and throw away your Xboxes for
good!
Important clarification The Scripting Guys have just
been reminded .. that Microsoft, the same company which signs our paychecks,
also produces the Xbox. Please do not throw your Xboxes away; the Xbox
is the best video game player in the universe. In fact, now that you won’t have
to shell out money to hire an ADSI script writer but can write the scripts
yourself, you might take that money and buy 2 or 3 Xboxes.
Of course, if you have a Gamecube or a PlayStation .
How do I use the ADSI Scriptomatic?
Like its cousin, the original Scriptomatic, the ADSI
Scriptomatic is an HTA, a hypertext application. This means that the ADSI
Scriptomatic is just a Web page (take a look at the code; its all VBScript and
HTML and other stuff you might use to create a Web page) that can run as a
standalone application. To start the ADSI Scriptomatic, just double-click
EzAdScriptomatic.hta. When you do that, something very similar to this will appear
on screen:
.gif)
Now, the fact that something actually appears on screen
already puts the ADSI Scriptomatic ahead of a lot of the software sold these
days. But the ADSI Scriptomatic does more than just take up space on your
monitor. Click the Select a task dropdown list, and the ADSI Scriptomatic will
display the four primary tasks you can accomplish using ADSI:
- Create an object
- Write to an object
- Read an objects properties
- Delete an object
After selecting a task, select one of the following from the
Select a class dropdown:
- User
- Computer
- Contact
- Group
- Organizational unit
As soon as you make your selection, the ADSI Scriptomatic
will write a script for you. For example, if you select Create an Object and
Computer, your screen will look like this:
.gif)
Just like that, you’ve got a script that can be used to
create a computer account. (Now, if we could just modify this to create bank
accounts, wed be on to something.) You can run the script (just click the Run
button), save the script for future use (just click the Save button), or
modify it to your hearts content (you can edit the script just as though you’d
typed it all in yourself). Lets see the Xbox do that!
Important clarification As we were just reminded the
Xbox could save scripts for future use if customer demand warranted it.
However
Theres always a however when it comes to computer stuff,
isn’t there? But don’t worry; this however isn’t too terribly bad. (Not like
the typical software disclaimer, which reads, However, if you actually attempt
to use this software, it will not only fail to work, but you will also be in
violation of the licensing agreement.) You just need to understand that there
is at least one difference between the original, WMI Scriptomatic, and the
all-new, all-cool ADSI Scriptomatic.
The original Scriptomatic was designed to be an educational
tool: we wanted to demonstrate the pattern used in almost any WMI script that
retrieves information about something (be it a printer, an event log, a
service, or whatever). After we had created the Scriptomatic, however, we
realized that we had accidentally created a useful system administration tool
(we also realized we had accidentally created two human clones, but our
attorneys have advised us to keep quiet about that). The scripts you create
with the Scriptomatic can be used exactly as-is to retrieve information about
the local computer. Why? Well, as our two clones pointed out, if you set the
name of a computer to a dot (.) WMI retrieves information from the local
machine. Thus we didn’t have to worry about hard-coding in computer names; we
simply configured the Scriptomatic to use dot as the default computer name.
That meant that every script created by the Scriptomatic is ready to run; as
you might have guessed, thats why we added a Run button.
The ADSI Scriptomatic also has a Run button. However,
there are no obvious default names we could use for ADSI (that is, nothing like
a computer name of dot). Why not? Well, consider the script that creates a new
user account. Yes, we can hard-code a default user name (and we do: EzAdUser),
but that doesn't necessarily mean the script is ready-to-run. Yes, you can run
the script once, and a new user account named EzAdUser will be created in your
domain. But what if you tried to run the script a second time? If you do, the
script will fail, not because you broke ADSI or the Scriptomatic, but simply
because a user named EzAdUser already exists, and Active Directory won’t allow
duplicate user accounts in a domain.
So does that mean if you use the ADSI Scriptomatic one time
and create a user account named EzAdUser, you then have to throw the
Scriptomatic away? Admittedly, that would be an interesting new approach to
software: Use it once, and then throw it away and buy another copy. But you
don’t have to do that. Instead, you just have to edit the script before you run
it. When creating a user account, you simply need to change the account name
and, unless you want user accounts stored in the domain root, change the Active
Directory container where the account will be created.
What do you mean thats too hard? You can't remember two
little things like that? Well, we knew you’d say that, so we added a nifty
little feature to the ADSI Scriptomatic: online help. If you look closely at
the screen that appears when you create a user account, you should see a little
hyperlink that says Read this before running the create an object – user
script.
.gif)
What happens if you click that hyperlink? Up pops a little
reminder that tells you exactly what you need to do to turn the Scriptomatic
script into a working script thats ready to run:
.gif)
See that wasnt so bad, was it? And you won’t get online help
about creating user accounts from well, from other things like, say, video game
consoles .
Thats cool, but couldnt you just include some sort of Active Directory
browser in the Scriptomatic?
Yes, we could, and in its first incarnation we did: when you
started the Scriptomatic, it went out and retrieved the directory information
it needed. However, that created two problems. First, in a large network (such
as Microsofts), it took a couple minutes before the Scriptomatic was ready to
use. We didn’t like that; after all, one of the advantages of the original
Scriptomatic was the fact that it was pretty fast (and, by the way,
Scriptomatic 2.0, which will be out soon, is even faster).
Second, that version of the Scriptomatic required you to be
connected to the network, and to be logged on with an Active Directory
administrator account. That was fine if you wanted to fool around with the
Scriptomatic at work, but what if you wanted to check out the Scriptomatic from
home or while riding on the bus? What if your home was a bus? Needless
to say, things didn’t work quite so well in those situations. Therefore, we
decided to remove the Active Directory dependencies, and make the ADSI
Scriptomatic a utility that could pretty much run anytime anywhere. (And, we
might point out, you don’t need to connect it to your TV, like you have to do
with video game consoles .)
Note: What do we mean when we say anytime anywhere?
Well, if you have Internet Explorer 5.0 or better on your computer, the
Scriptomatic should work or at least you’ll be able to fire it up and create
scripts. To actually run the scripts, you need to have ADSI installed on
your computer. If you are running Windows 2000 or above, you’ve got ADSI
on your computer. If you’re running Windows 98 or Windows NT 4.0, you might
need to download the Directory Service Client Extensions. For more information,
check the Script Center FAQ.
Hey, this browser sounds cool; can I get a copy?
Well, it never occurred to us that somebody might want the
Active Directory browser. It is kind of a handy little tool, and its very
educational; after all, it shows you how to access everything in Active Directory
using VBScript and ADSI (plus it shows you how to display that information in
an HTA). Tell you what, if you’d be interested in getting a copy of the Active
Directory browser (and it would probably just be a browser; we wouldnt add
script-writing capabilities to it), send an email to scripter@microsoft.com (in English, if
possible). If enough people are interested, well see what we can do about
cleaning up the code, commenting it, and making it available to the world.
Wouldnt it have been better to combine the ADSI Scriptomatic with the WMI
Scriptomatic?
Actually, we gave that some serious thought, but finally
decided to keep the ADSI Scriptomatic separate from the WMI Scriptomatic. One
of the nice things about the Scriptomatics is the fact that they are both
simple in concept (they only do one thing) and simple to use. As HTAs, theyre
also educational: you can open the Scriptomatics using Notepad, and examine --
and even modify -- the code. If we combined the two Scriptomatics into a single
utility, wed have a tool that was not as straightforward to use, and might have
pushed the boundaries of the HTA as far as we could push them. Big and
complicated didn’t seem to be in the spirit of the Scriptomatics.
In addition, we are also working on several other utilities
that aren’t quite ready yet. Rather than wait for these to be finished, and
then try to combine them with the ADSI Scriptomatic, we decided to release the
ADSI Scriptomatic right away. Now, when we finish all these other utilities, is
it possible that we might create some all-encompassing script-writing utility?
Maybe; its under consideration. But well make sure that any future tools we
come up with will always be available as simple standalone utilities as well as
being plugged into this all-encompassing script-writing utility.
What are these other utilities? Well, they include the
following:
- Scriptomatic 2.0, which will allow you to save
your script output as a text file or an Excel spreadsheet; which will allow you
to display output in a Web page; which will even allow you to write scripts in
Jscript, Perl, or Python.
- Comparomatic, a nifty little WMI utility designed
for people who manage computers running different versions of Windows (Windows
98, Windows 2000, Windows XP, etc.).
- Logonomatic, a handy-dandy tool for writing
logon scripts.
- Eventomatic, helps you write scripts for
monitoring WMI events on a computer.
And, no, we don’t know yet when these will be done. But look
for Scriptomatic 2.0 and Comparomatic in the very near future.
Would you guys say that the Xbox is the best video game console ever
developed, and that no home should be without one?
Yes. Definitely.
What if I have questions about the ADSI Scriptomatic? Who should I contact?
Officially, we provide no support for the ADSI Scriptomatic;
use it at your own risk. Unofficially, however, we try to help people as much
as possible. If you have a question or comment about the ADSI Scriptomatic,
just drop us a line at scripter@microsoft.com
(in English, if possible).