Reading and Writing User Account Attributes
Microsoft® Windows® 2000 Scripting Guide
The two primary interfaces for managing Active Directory user accounts are IADs and IADsUser. IADs is a core interface and can be used to manage many types of objects in Active Directory, not just user accounts. In contrast, IADsUser is a persistent interface that is specifically limited to managing user account objects. The attributes of a user account object available from IADsUser are represented as properties of the interface. For example, the pwdLastSet attribute of a user account is represented by the PasswordLastChanged property of IADsUser. IADs has a small set of methods that use the lDAPDisplayNames of attributes to manage user accounts and other types of object in Active Directory. Therefore, to retrieve the first name of a user account, IADs reads the lDAPDisplayName, givenName.
It might seem sensible to use IADsUser for all of your user account management tasks, because the property names are intuitive and easier to remember than the lDAPDisplayNames of the attributes. However, the IADsUser interface does not provide access to most of the attributes of a user account and is limited to managing user account objects. IADs, on the other hand, can read all attributes of all Active Directory object. Thus, your comfort with managing user account attributes from the IADs core interface will make it easier to understand how to manage many other types of Active Directory objects.
Managing the attributes of a user account object involves reading and writing to those attributes. The key to using the IADs core interface to manage attributes of user account objects is knowing how to find the following characteristics of each attribute:
lDAPDisplayName of an attribute. Use the Active Directory Schema snap-in to determine the lDAPDisplayNames of attributes to determine the names of the attributes associated with the User class. For information about installing the Active Directory Schema snap-in, see "ADSI Scripting Primer" in this book.
Data type of the attribute. Some data types are simple to read, such as attributes stored as strings. Other attributes might require some manipulation in VBScript in order to read them, such as octet string and large integer data types.
If an attribute cannot be easily displayed by using the LDAP provider and VBScript, determine whether you can read the attribute with a persistent interface such as IADsUser or by using the WinNT provider.
Number of entries an attribute can hold. Attributes are either single-valued, containing a single entry; or multivalued, containing one or more entries. Use the Get and Put methods of IADs to manage single-valued attributes and use the GetEx and PutEx methods of IADs to manage multivalued attributes. To clear entries from both single-valued and multivalued attributes, use the PutEx method.
Note
- In rare instances, an attribute might be defined as multivalued but only be capable of holding a single value. In this case, you can use the Get and Put methods of IADs to manage them. In the remainder of this section, any multivalued attribute that holds a maximum of one entry is noted.
When modifying values using either Put or PutEx, you will need to specify the type of operation being performed (clear, update, append, or delete). These operations are listed in Table 7.7.
Table 7.7 Put and PutEx Operations
Constant |
Value |
Description |
|---|---|---|
ADS_PROPERTY_CLEAR |
1 |
Clears the value (or values) from the specified attribute. |
ADS_PROPERTY_UPDATE |
2 |
Replaces the value in the specified attribute with new values. |
ADS_PROPERTY_APPEND |
3 |
Appends a new value to the value (or values) in the specified attribute. |
ADS_PROPERTY_DELETE |
4 |
Deletes the value (or values) from the specified attribute. |
Administering the General Properties Page
The General tab appears first by default when you view the Properties dialog box of a user account object. This tab contains attributes that are commonly used to identify particular users in the directory. The information on this page is available to all Active Directory users when they access the properties of a user account by browsing the directory from Windows Explorer.
The General properties page is shown in this chapter to demonstrate methods for reading and writing user account attributes. These same methods can be used for reading and writing the user account attributes found on the other properties pages.
The lDAPDisplayName of each attribute is commonly used to read and write entries to the General properties page. Therefore, it is important for you to be able to identify these attributes by name. The labels appearing on the property pages are often different from the lDAPDisplayNames of their corresponding attributes. On the General properties page, only two labels are the same as their lDAPDisplayNames: the Description label (with the lDAPDisplayName description) and the Initials label (with the lDAPDisplayName initials). Figure 7.1 shows the General properties page of the MyerKen user account and the lDAPDisplayNames as they appear in the Active Directory schema for each user interface label on this page.
Figure 7.1 User Account Attributes on the General Properties Page
.gif "sas_usr_003c")
Table 7.8 lists selected properties of the attributes appearing on the General properties page of a user account object.
Table 7.8 User Account Attributes on the General Properties Page and Selected Attribute Definitions
lDAPDisplayName |
Single-valued or Multivalued |
Indexed |
Data Type |
In Global Catalog |
|---|---|---|---|---|
givenName |
Single-valued |
Yes |
String |
Yes |
initials |
Single-valued |
No |
String |
No |
sn |
Single-valued |
Yes |
String |
Yes |
displayName |
Single-valued |
Yes |
String |
Yes |
description |
Multivalued |
No |
String |
Yes |
physicalDeliveryOfficeName |
Single-valued |
Yes |
String |
No |
telephoneNumber |
Single-valued |
No |
String |
Yes |
otherTelephone |
Multivalued |
No |
String |
No |
Single-valued |
Yes |
String |
Yes |
|
wWWHomePage |
Single-valued |
No |
String |
No |
url |
Multivalued |
No |
String |
No |
The cn/name attribute, MyerKen, that appears near the top of Figure 7.1 does not appear in Table 7.8 because this attribute is automatically created when the user account object is created, and it cannot be changed by simply modifying the cn/name attribute. Modifying this attribute is equivalent to renaming the user account object. For information about renaming a user account, see "Moving and Renaming User Accounts" later in this chapter.