mcse注:其实这是按照ADSI(ActiveDirectoryServicesInterface:活动目录服务接口)写的程序。如果你安装了resourcekit,这段代码可以用netcom这条命令进行工作,下面是netcom的一个例子:
NETDOM/Domain:MYDOMAIN/user:adminuser/password:apasswordMEMBERMYCOMPUTER/ADD
复制代码 代码如下:
***********************
'*StartScript
'***********************
DimsComputerName,sUserOrGroup,sPath,computerContainer,rootDSE,lFlag
DimsecDescriptor,dACL,ACE,oComputer,sPwd
'
'*Declareconstantsusedindefiningthedefaultlocationforthe
'*machineaccount,flagstoidentifytheobjectasamachineaccount,
'*andsecurityflags
'ConstUF_WORKSTATION_TRUST_ACCOUNT=&H1000
ConstUF_ACCOUNTDISABLE=&H2
ConstUF_PASSWD_NOTREQD=&H20
ConstADS_GUID_COMPUTRS_CONTAINER="aa312825768811d1aded00c04fd8d5cd"
ConstADS_ACETYPE_ACCESS_ALLOWED=0
ConstADS_ACEFLAG_INHERIT_ACE=2
'
'*Settheflagsonthisobjecttoidentifyitasamachineaccount
'*anddeterminethename.Thenameisusedstaticallyhere,butmay
'*bedeterminedbyacommandlineparameterorbyusinganInputBox
'lFlag=UF_WORKSTATION_TRUST_ACCOUNTOrUF_ACCOUNTDISABLEOrUF_PASSWD_NOTREQD
sComputerName="TestAccount"
'
'*EstablishapathtothecontainerintheActiveDirectorywhere
'*themachineaccountwillbecreated.Inthisexample,thiswill
'*automaticallylocateadomaincontrollerforthedomain,readthe
'*domainname,andbindtothedefault"Computers"container
'*********************************************************************
SetrootDSE=GetObject("LDAP://RootDSE")
sPath="LDAP://SetcomputerContainer=GetObject(sPath)
sPath="LDAP://"&computerContainer.Get("distinguishedName")
SetcomputerContainer=GetObject(sPath)
''*Here,thecomputeraccountiscreated.Certainattributesmust
'*haveavaluebeforecalling.SetInfotocommit(write)theobject
'*totheActiveDirectory
'SetoComputer=computerContainer.Create("computer","CN="&sComputerName)
oComputer.Put"samAccountName",sComputerName+"$"
oComputer.Put"userAccountControl",lFlag
oComputer.SetInfo
'
'*Establishadefaultpasswordforthemachineaccount
'sPwd=sComputerName&"$"
sPwd=LCase(sPwd)
oComputer.SetPasswordsPwd
''*Specifywhichuserorgroupmayactivate/jointhiscomputertothe
'*domain.Inthisexample,"MYDOMAIN"isthedomainnameand
'*"JoeSmith"istheaccountbeinggiventhepermission.Notethat
'*thisisthedownlevelnamingconventionusedinthisexample.
'sUserOrGroup="MYDOMAINjoesmith"
''*BindtotheDiscretionaryACLonthenewlycreatedcomputeraccount
'*andcreateanAccessControlEntry(ACE)thatgivesthespecified
'*userorgroupfullcontrolonthemachineaccount
'SetsecDescriptor=oComputer.Get("ntSecurityDescriptor")
SetdACL=secDescriptor.DiscretionaryAcl
SetACE=CreateObject("AccessControlEntry")
'
'*AnAccessMaskof"-1"grantsFullControl
'
ACE.AccessMask=-1
ACE.AceType=ADS_ACETYPE_ACCESS_ALLOWED
ACE.AceFlags=ADS_ACEFLAG_INHERIT_ACE
''*Grantthiscontroltotheuserorgroupspecifiedearlier.
'ACE.Trustee=sUserOrGroup
'
'*Now,addthisACEtotheDACLonthemachineaccount
'dACL.AddAceACE
secDescriptor.DiscretionaryAcl=dACL
'
'*Commit(write)thesecuritychangestothemachineaccount
'oComputer.Put"ntSecurityDescriptor",Array(secDescriptor)
oComputer.SetInfo
''*Onceallparametersandpermissionshavebeenset,enablethe
'*account.
'
oComputer.AccountDisabled=False
oComputer.SetInfo
''*CreateanAccessControlEntry(ACE)thatgivesthespecifieduser
'*orgroupfullcontrolonthemachineaccount
'wscript.echo"Thecommandcompletedsuccessfully."
'*****************
'*EndScript