mcse注:其实这是按照ADSI(ActiveDirectoryServicesInterface:活动目录服务接口)写的程序。如果你安装了resourcekit，这段代码可以用netcom这条命令进行工作，下面是netcom的一个例子:

NETDOM/Domain:MYDOMAIN/user:adminuser/password:apasswordMEMBERMYCOMPUTER/ADD

复制代码 代码如下:

***********************

'*StartScript

'***********************

DimsComputerName,sUserOrGroup,sPath,computerContainer,rootDSE,lFlag

DimsecDescriptor,dACL,ACE,oComputer,sPwd

'

'*Declareconstantsusedindefiningthedefaultlocationforthe

'*machineaccount,flagstoidentifytheobjectasamachineaccount,

'*andsecurityflags

'ConstUF_WORKSTATION_TRUST_ACCOUNT=&H1000

ConstUF_ACCOUNTDISABLE=&H2

ConstUF_PASSWD_NOTREQD=&H20

ConstADS_GUID_COMPUTRS_CONTAINER="aa312825768811d1aded00c04fd8d5cd"

ConstADS_ACETYPE_ACCESS_ALLOWED=0

ConstADS_ACEFLAG_INHERIT_ACE=2

'

'*Settheflagsonthisobjecttoidentifyitasamachineaccount

'*anddeterminethename.Thenameisusedstaticallyhere,butmay

'*bedeterminedbyacommandlineparameterorbyusinganInputBox

'lFlag=UF_WORKSTATION_TRUST_ACCOUNTOrUF_ACCOUNTDISABLEOrUF_PASSWD_NOTREQD

sComputerName="TestAccount"

'

'*EstablishapathtothecontainerintheActiveDirectorywhere

'*themachineaccountwillbecreated.Inthisexample,thiswill

'*automaticallylocateadomaincontrollerforthedomain,readthe

'*domainname,andbindtothedefault"Computers"container

'*********************************************************************

SetrootDSE=GetObject("LDAP://RootDSE")

sPath="LDAP://SetcomputerContainer=GetObject(sPath)

sPath="LDAP://"&computerContainer.Get("distinguishedName")

SetcomputerContainer=GetObject(sPath)

''*Here,thecomputeraccountiscreated.Certainattributesmust

'*haveavaluebeforecalling.SetInfotocommit(write)theobject

'*totheActiveDirectory

'SetoComputer=computerContainer.Create("computer","CN="&sComputerName)

oComputer.Put"samAccountName",sComputerName+"$"

oComputer.Put"userAccountControl",lFlag

oComputer.SetInfo

'

'*Establishadefaultpasswordforthemachineaccount

'sPwd=sComputerName&"$"

sPwd=LCase(sPwd)

oComputer.SetPasswordsPwd

''*Specifywhichuserorgroupmayactivate/jointhiscomputertothe

'*domain.Inthisexample,"MYDOMAIN"isthedomainnameand

'*"JoeSmith"istheaccountbeinggiventhepermission.Notethat

'*thisisthedownlevelnamingconventionusedinthisexample.

'sUserOrGroup="MYDOMAINjoesmith"

''*BindtotheDiscretionaryACLonthenewlycreatedcomputeraccount

'*andcreateanAccessControlEntry(ACE)thatgivesthespecified

'*userorgroupfullcontrolonthemachineaccount

'SetsecDescriptor=oComputer.Get("ntSecurityDescriptor")

SetdACL=secDescriptor.DiscretionaryAcl

SetACE=CreateObject("AccessControlEntry")

'

'*AnAccessMaskof"-1"grantsFullControl

'

ACE.AccessMask=-1

ACE.AceType=ADS_ACETYPE_ACCESS_ALLOWED

ACE.AceFlags=ADS_ACEFLAG_INHERIT_ACE

''*Grantthiscontroltotheuserorgroupspecifiedearlier.

'ACE.Trustee=sUserOrGroup

'

'*Now,addthisACEtotheDACLonthemachineaccount

'dACL.AddAceACE

secDescriptor.DiscretionaryAcl=dACL

'

'*Commit(write)thesecuritychangestothemachineaccount

'oComputer.Put"ntSecurityDescriptor",Array(secDescriptor)

oComputer.SetInfo

''*Onceallparametersandpermissionshavebeenset,enablethe

'*account.

'

oComputer.AccountDisabled=False

oComputer.SetInfo

''*CreateanAccessControlEntry(ACE)thatgivesthespecifieduser

'*orgroupfullcontrolonthemachineaccount

'wscript.echo"Thecommandcompletedsuccessfully."

'*****************

'*EndScript