Windows脚本编程核心技术精解Chapter24.pdf

Chapter 24Managing Windows NT/2000 ServerIn This Chapter?Manage Windows NT through the APIadd/delete users,changepermissions,and change group membership?Find out about ADSI and how you get it?Discover the ADSI object model,and change user account properties?Manage services:start,stop,and pause them,even on remote systems?Shut down your local machine or any remote computer?Add secret Registry keys to automatically log onto Windows NTScripts are perfect for administering Windows NT/2000.Through API callsand the new ADSI(Active Directory Service Interface),your scripts canmanage user accounts,file shares,printers,and services.In conjunction withthe file system methods,you can easily transfer hundreds of user profiles ina matter of minutes.In this chapter,you learn how to use both the API andADSI to manage all kinds of server-related tasks.Managing Windows NT/2000 SecurityManaging Windows NT/2000 can be annoying at timesits just too muchwork to administer hundreds of user accounts manually.Isnt there somemacro language that can automatically take care of routine work?There is.VBScript and the Windows Scripting Host can help you administerWindows NT/2000,and Microsoft has made VBScript the official newautomation language of Windows 2000.This shows you the new emphasisMicrosoft puts on VBScript.4684-8 ch24.f.qc 3/3/00 9:45 AM Page 669However,VBScript itself is only the framework.It doesnt provide anymethods to access user accounts and change security settings.There aretwo ways to add these capabilities:IWrite your own COM objects.Youve seen many COM objects throughoutthis book serve as scripting extensions,and Windows NT managementfunctions provided by the API can easily“wrap”inside COM objects.IAdd ADSI to your system.ADSI is the new management standardintroduced with Windows 2000.Its a general interface to standardizehow scripts talk to different namespaces.You dont need Windows 2000to take advantage of ADSI,though.ADSI is available separately,and itsfree.All you need is to download the ADSI update.The big ADSI advantage is its availability:You can find it on any Windows2000 machine,and you can add it to other Windows versions.Also,ADSI is ageneral interface,and you can access Exchange mail accounts or the ActiveDirectory.However,its drawback is speed:ADSI is much slower than directAPI calls.Especially if you plan to batch-update large numbers of accounts,you should use the API approach.Creating scripting extensions to manageuser accountsTable 24-1 lists some scripting extensions Ive created to help you manageWindows NT/2000.However,these extensions are provided as sample only.Ina professional production environment,review the source code to make sureit works as intended.Be extremely cautious if you decide to experiment withthese extensions.Ive provided full source code so you can understand and expand the COMobjects as you like.Make sure you have installed the COM objects listsetin Table 24-1.They are needed for the API-based scripts.Table 24-1COM Objects Provided With This BookCOM ObjectDescriptioninstallntusersetup.exeManage user accountsinstallntservicesetup.exeManage system servicesinstallntshutdownsetup.exeShutdown a system locally or remotelyGetting ready for ADSIADSI is exciting and much more suitable for scripting.It will be the newstandard once Windows 2000 takes over,so its a good idea to get670Part V:Accessing Hidden ComponentsII4684-8 ch24.f.qc 3/3/00 9:45 AM Page 670accustomed with it.ADSI is free,and you can upgrade Windows NT 4 bygoing to for the suitable update for your system and download the package.Itscomparably lightweight.Once you have updated your system to ADSI,youcan immediately take advantage of all the ADSI sample scripts.Managing User Accounts(the API Way)Fiddling around manually with user accounts is very time-consuming anderror-prone,at least in larger companies.Dont do it.You can forget mostof the dialog boxes with your new scripting extensions and manage useraccounts solely by script once you have installed the COM script extensionas outlined previously.Enumerating usersTo find out which users are defined on a specific computer,use EnumUsers:24-1.VBSset tool=CreateObject(“nt.user”)MsgBox tool.EnumUsersMsgBox tool.EnumUsers(“scenic”)You can query local users as well as user accounts on remote machines aslong as you have the necessary permissions.EnumUsersreturns the information as name,comment,usercomment,andfull name.Use Splitto get to the individual information:24-2.VBSset tool=CreateObject(“nt.user”)users=Split(tool.EnumUsers,vbCr)for x=0 to UBound(users)-1infos=Split(users(x),vbTab)list=list&“Username:“&infos(0)&vbCrlist=list&“Comment:“&infos(1)&vbCr&vbCrnextMsgBox list,vbInformationChapter 24:Managing Windows NT/2000 Server671II4684-8 ch24.f.qc 3/3/00 9:45 AM Page 671EnumUserssupports a second parameter that works as a filter:Table 24-2Filter Codes for Enumerating User AccountsFilterDescription1Local user account data on a domain controller2Global user account data on a computer4Combination of all8Domain trust account data on a domain controller16Workstation or member server account data on a domain controller32Domain controller account data on a domain controllerThe next script shows the differences.You can combine filter flags to includemore than one group:24-3.VBSset tool=CreateObject(“nt.user”)for i=0 to 5users=Split(tool.EnumUsers(,2i),vbCrLf)list=“Enumerating using filter“&2i&vbCrfor x=0 to UBound(users)-1infos=Split(users(x),vbTab)list=list&“Username:“&infos(0)&vbCrnextMsgBox list,vbInformationnextAdding usersYour scripts can add users,too.Use AddUser:24-4.VBSset tool=CreateObject(“nt.user”)if tool.AddUser(“”,“testaccount”,“secret”,_5,“c:userstest”,“this is a test account”)thenMsgBox“User account added!”elseMsgBox“Couldnt add user account:“&tool.GetLastErrorend ifThis is the complete syntax:AddUser server,user,pwd,expires,homedir,comment,scriptdir672Part V:Accessing Hidden ComponentsII4684-8 ch24.f.qc 3/3/00 9:45 AM Page 672Table 24-3AddUser ParametersArgumentDescriptionserverName of server or“”for local serveruserName of user accountpwdPasswordexpiresDays the password is validhomedirHome directorycommentComment describing the account purposescriptdirScript directoryDeleting user accountsDelUserdeletes a user account.Note that deleting a user account cant beundone.Even if you re-create the account later,the new account gets newSecurity IDs and acts as a different account.24-5.VBSset tool=CreateObject(“nt.user”)if tool.DelUser(“”,“testaccount”)thenMsgBox“User account deleted!”elseMsgBox“Couldnt delete user account:“&tool.GetLastErrorend ifChanging passwordsYour script can change user passwords,too.You have two options,one beingto provide the old password as authentication.Or,if you are an administra-tor,you can use administrative override and skip the old password.This isespecially useful if someone has forgotten his or her password or has left thecompany.Execute script 24-4.VBSfirst to add a test user account,and then change thepassword:24-6.VBSset tool=CreateObject(“nt.user”)if tool.ChangePassword(“”,“testaccount”,_“newpassword”,“secret”)thenMsgBox“Password has changed!”elseChapter 24:Managing Windows NT/2000 Server673II4684-8 ch24.f.qc 3/3/00 9:45 AM Page 673MsgBox“Couldnt change password:“&tool.GetLastErrorend ifTo use administrative override,you need administrator privilege.Skip the oldpassword:24-7.VBSset tool=CreateObject(“nt.user”)if tool.ChangePassword(“”,“testaccount”,_“newpassword”)thenMsgBox“Password has changed!”elseMsgBox“Couldnt change password:“&tool.GetLastErrorend ifListing global groupsYour COM object can manage global groups,too.Local groups cannot bemanaged.Global groups are a feature of domains.On your local computer,you may nothave access to global groups.Take a look at your global groups:24-8.VBSset tool=CreateObject(“nt.user”)MsgBox tool.EnumerateGroupsYou can list the groups of individual servers,too:24-9.VBSset tool=CreateObject(“nt.user”)MsgBox tool.EnumerateGroups(“SCENIC”)You can even find out the groups a specific user belongs to:24-10.VBSset tool=CreateObject(“nt.user”)MsgBox tool.EnumerateGroups(“”,“testaccount”)Maybe you want to list the users in a specific group.Heres how:24-11.VBSset tool=CreateObject(“nt.user”)MsgBox tool.EnumGroupUsers(“”,“Power User”)674Part V:Accessing Hidden ComponentsII4684-8 ch24.f.qc 3/3/00 9:45 AM Page 674Managing group membershipYour script can add users to groups and remove them from groups,too.Thisis how you make your test account a member of the domain administrators:24-12.VBSset tool=CreateObject(“nt.user”)if tool.AddUserToGroup(“”,“Power User”,“testaccount”)thenMsgBox“User added to group!”elseMsgBox“Couldnt add user to group:“&tool.GetLastErrorend ifTo remove the account from the group,use this approach:24-13.VBSset tool=CreateObject(“nt.user”)if tool.DelUserFromGroup(“”,“Power User”,“testaccount”)thenMsgBox“User removed from group!”elseMsgBox“Couldnt remove user from group:“&tool.GetLastErrorend ifFinding the primary domain controllerInternally,the COM object uses a helper function to find the primary domaincontroller if you specify a domain name instead of a server name.You canuse this method separately,too.Just replace the domain name in the samplescript with a valid domain name:24-14.VBSset tool=CreateObject(“nt.user”)MsgBox tool.GetPrimaryDCName(“ASP”)Exploring the ADSI WorldADSI can access all kinds of namespaces.Namespacesrefer to the way anapplication or service organizes its data.To access Windows NT security,ADSI uses the identifier WinNT:.Lets check out what this namespacehas to offer:24-15.VBS get access to namespaceset namespace=GetObject(“WinNT:”)Chapter 24:Managing Windows NT/2000 Server675II4684-8 ch24.f.qc 3/3/00 9:45 AM Page 675 see what we getfor each object in namespacelist=list&object.name&vbCrnextMsgBox listThe namespacecontains the names of all domains and workgroups currentlyonline.You can dive into the hierarchy.For example,pick a listed domain andenumerate its content.Exchange the domain name in this example with avalid domain name.You can also use a computer name.24-16.VBS get access to namespaceset namespace=GetObject(“WinNT:/ASP”)see what we getfor each object in namespacelist=list&object.name&vbCrnextMsgBox listWhoa:This time the script spits out all the user accounts and groups.If you are interested in your local computer only,you can further enhanceyour scripts and have them use your computer name by default.Just use theComputerNamemethod provided by WScript.Network:Set objNet=WScript.CreateObject(“WScript.Network”)MsgBox objNet.ComputerName Lets check out who is a member in a specific group:24-17.VBSSet net=WScript.CreateObject(“WScript.Network”)local=net.ComputerName get access to namespaceset namespace=GetObject(“WinNT:/”&local&“/Power Users”)see what we getfor each object in namespacelist=list&object.name&vbCrnextMsgBox listThis time,you get an error.You cant ask for user names this way.Getting“real”error messagesWhenever ADSI raises an error,you wont get a clue what is going on.Thisis because ADSI raises OLE errors and doesnt support the VBScript-style676Part V:Accessing Hidden ComponentsII4684-8 ch24.f.qc 3/3/00 9:45 AM Page 676err.descriptionproperty.So,the first task is to find out why ADSI raisesan error.Fortunately,you dont need to invest much time:Youve done it already.Remember?In Chapter 4,you developed a COM object that transforms OLEerror numbers into clear text error messages.Just make sure you haveinstalled the COM object:installoleerrsetup.exe.Now,you can findout the reason why ADSI complains:24-18.VBSSet net=WScript.CreateObject(“WScript.Network”)local=net.ComputerName get access to namespaceset namespace=GetObject(“WinNT:/”&local&“/Power Users”)see what we geton error resume nextfor each object in namespacelist=list&object.name&vbCrnextCheckErrorMsgBox listsub CheckErrorif not err.number=0 then an error occuredset ole=CreateObject(“ole.err”)MsgBox ole.oleError(err.Number),vbCriticalerr.clearend ifend subYou get an“Error not found”error:ADSI was unable to find what yourequested.While WinNT:and domains are containers,groups are not.Youcant enumerate their content and get away with it.Groups are single objects.Is it a container?The next script provides a method to check whether an object is a containeror not:24-19.VBSSet net=WScript.CreateObject(“WScript.Network”)local=net.ComputerNamelist=WhatIsIt(“WinNT:/”&local)list=list&WhatIsIt(“WinNT:/”&local&“/Power Users”)Chapter 24:Managing Windows NT/2000 Server677II4684-8 ch24.f.qc 3/3/00 9:45 AM Page 677MsgBox list,vbInformationfunction WhatIsIt(objname)set obj=GetObject(objname)if isContainer(obj)thenWhatIsIt=objname&“is a container and of class“_&obj.class&vbCrelseWhatIsIt=objname&“is NO container and of class“_&obj.class&vbCrend ifend functionfunction isContainer(obj)set classobj=GetObject(obj.Schema)isContainer=classobj.Containerend functionEnumerating group membershipsGroups are objects with their own properties and methods.Here are themethods:Table 24-4ADSI Group MethodsMethodDescriptionDescriptionDescription of groupMembersCollection of membersIsMemberTests whether a user is a member of this groupAddAdds object to groupRemoveRemoves object from groupSo,this is how you enumerate the members of a group:24-20.VBSSet net=WScript.CreateObject(“WScript.Network”)local=net.ComputerNameset group=GetObject(“WinNT:/”&local&“/Power Users”)see what we getfor each member in group.Memberslist=list&member.name&vbCrnextMsgBox list678Part V:Accessing Hidden ComponentsII4684-8 ch24.f.qc 3/3/00 9:45 AM Page 678Testing whether a user belongs to the groupUsing IsMember,you can now ask the group whether a user is a member:24-21.VBSSet net=WScript.CreateObject(“WScript.Network”)local=net.ComputerName get access to groupset group=GetObject(“WinNT:/”&local&“/Power Users”)ask if user is memberif group.isMember(“WinNT:/”&local&“/Administrator”)thenMsgBox“User is group member!”elseMsgBox“User is no group member!”end ifCreating a new user accountIf you want to create new things,you need to hook yourself up to the parentcontainer.For example,if you want to create a new user account in a domain,connect to the domain.Then,call the Createmethod and specify the classof object you want to create.Likewise,you can connect to a computer andcreate local accounts.The following script adds a new account called testaccountso you can playaround with group memberships and user rights:24-22.VBSSet net=WScript.CreateObject(“WScript.Network”)local=net.ComputerNameset server=GetObject(“WinNT:/”&local)set user=server.Create(“User”,“testaccount”)on error resume nextuser.SetInfoif err.number=0 thenMsgBox“Account added.”elseCheckErrorend ifsub CheckErrorif not err.number=0 then an error occuredset ole=CreateObject(“ole.err”)MsgBox ole.oleError(err.Number),vbCriticalerr.clearend ifend subChapter 24:Managing Windows NT/2000 Server679II4684-8 ch24.f.qc 3/3/00 9:45 AM Page 679You must call SetInfoto write your new object into the parent container.Without SetInfo,y