NT 4.0 has some shortcomings with regard to user properties. It does not
report three properties (PasswordExpirationDate, AccountDisabled, and
IsAccountLocked) in OptionalProperties, so you cannot use them with Get and Put.
Conversely, two properties (PasswordExpired and BadLoginCount) work only with
Get and Put and not the previous procedure. Thus, you might have to use both
approaches.
Another shortcoming is that you can access UserCannotChangePassword,
PasswordNeverExpires, and the Global/Local account type only through the
UserFlags bit field property. So you have to find the right bits and do some
calculations. Finally, you cannot access the dial-in settings and the
properties LogonHours, HomeDirDriveLetter, PasswordLastChanged, and
LastFailedLogin.
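The bit arithmetic this paragraph refers to, as an added example that is not part of the original article: it decodes a UserFlags value with the UF_* constants from lmaccess.h and changes one bit without disturbing the others. The helper names and the sample flag values are constructed for illustration.

```vbscript
Option Explicit

' UF_* bit values from lmaccess.h (ADSI exposes the same values as ADS_USER_FLAG_ENUM).
Const UF_PASSWD_CANT_CHANGE     = &H40
Const UF_TEMP_DUPLICATE_ACCOUNT = &H100     ' local account
Const UF_NORMAL_ACCOUNT         = &H200     ' global account
Const UF_DONT_EXPIRE_PASSWD     = &H10000

' True when the given bit is set in Flags.
Function IsSet(Flags, Bit)
    IsSet = ((Flags And Bit) <> 0)
End Function

' Turns a UserFlags value into the three settings that have no property of their own.
Function DescribeUserFlags(Flags)
    Dim Kind
    If IsSet(Flags, UF_NORMAL_ACCOUNT) Then
        Kind = "Global"
    ElseIf IsSet(Flags, UF_TEMP_DUPLICATE_ACCOUNT) Then
        Kind = "Local"
    Else
        Kind = "Other"                      ' trust or machine account bits
    End If
    DescribeUserFlags = "AccountType=" & Kind & _
        "; UserCannotChangePassword=" & IsSet(Flags, UF_PASSWD_CANT_CHANGE) & _
        "; PasswordNeverExpires=" & IsSet(Flags, UF_DONT_EXPIRE_PASSWD)
End Function

' Returns Flags with one bit turned on or off and every other bit left intact.
Function WithFlag(Flags, Bit, TurnOn)
    If TurnOn Then
        WithFlag = Flags Or Bit
    Else
        WithFlag = Flags And Not Bit
    End If
End Function

' Constructed sample values. Against a real account, read the value with
' User.Get("UserFlags"), then write a changed value back with
' User.Put "UserFlags", NewFlags followed by User.SetInfo.
Dim Sample
For Each Sample In Array(&H201, &H10241, &H100)
    WScript.Echo "0x" & Hex(Sample) & " -> " & DescribeUserFlags(Sample)
Next
WScript.Echo "Cleared: 0x" & Hex(WithFlag(&H10241, UF_DONT_EXPIRE_PASSWD, False))
```

Run it with cscript. Accounts that report PasswordNeverExpires=True are the ones to review first in a password-policy audit.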
Manipulating Objects
When you have done enough browsing and reporting, you will likely be eager
to make some changes. When manipulating objects, you need to identify both the
objects and their paths. To identify the object from its path, you can use the
GetObject function as in the code examples here. To identify the path to an
object, you can use the ADsPath property by typing:
PathToSomeObj = SomeObj.ADsPath.
You can manipulate objects in many ways using Create, Delete, Move, and
Copy. Here's an example of how to use Create to add a new user and its
properties to a container in NT 4.0:
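Dim Container As IADsContainer
Dim NewUser As IADsUser
Set Container = GetObject("WinNT://SomeDomain")    ' bind to the domain container
Set NewUser = Container.Create("user", "Maggie")   ' object exists only in the local cache so far
NewUser.FullName = "Henderson Maggie"
NewUser.HomeDirectory = "\\Server2\Maggie"
NewUser.SetInfo                                    ' write the cached object and properties to the user database
NewUser.SetPassword ("secret")                     ' method call, takes effect without SetInfo
Set NewUser = Nothing                              ' release the COM object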
An important element in this code is SetInfo. After you specify the object
you are creating, its name, and its properties (lines 3 through 6 in the code),
the client computer caches this information. The computer creates the object and
adds the property values to the user database only when you use SetInfo (line
7). You do not have to use SetInfo, however, when creating a password because
SetPassword (line 8) is a method and not a property.
Another important element is the Set NewUser = Nothing statement (line 9).
Use this statement when you finish working with a COM object. Otherwise,
depending on the scope of the object variable, you might not release all the
memory back to the operating system.
NT 5.0 beta includes a VBScript example program, which adds and deletes
users using a Microsoft Excel worksheet. The program uses ADSI and is 170 lines
long, half of which are comment lines.
Deleting, moving, and copying objects in ADSI is as simple as creating
them. The ADSI specification can show you how to perform these and other
procedures. If you have questions, Microsoft has an ADSI news group at
msnews.microsoft.com/microsoft.public.active.directory.interfaces. In
addition, Microsoft's Knowledge Base will likely contain program examples and
other information. You just need to go to http://www.microsoft.com/kb and
search on ADSI. The Microsoft Developer Network (MSDN) is another resource to
tap into.
The Best Is Yet to Come
Although the ADSI specification is version 1.0, it performs more like a beta
version. Using ADSI with NT 4.0 or NetWare is more limiting, although easier,
than using the corresponding native APIs.
This situation, however, will change next year for two reasons. First,
Novell will release an ADSI provider for NDS that will likely support the
NetWare environment better than Microsoft's ADSI provider. Novell's ADSI
provider will give NetWare users a way to access NDS via COM programming. This
access will be beneficial because the clients will already be using 32-bit
Windows.
Second, Microsoft will release NT 5.0 next year. ADSI is the chosen
interface for NT 5.0's AD, so ADSI will perform at full capacity. In addition,
although Microsoft designed ADSI and AD at the same time, it released ADSI
earlier. The earlier release will give ADSI time to mature. By the time
Microsoft releases NT 5.0, ADSI's bugs will likely be worked out.
Microsoft has committed to using LDAP 3 in NT 5.0 if the IETF finalizes
this revised protocol in time. The LDAP 3 draft specification calls for an
improved referral process, better support for user authentication,
extensibility, and other improvements. (For more information about LDAP 3 and
how various vendors plan to use it, see Craig Zacker, "LDAP and the Future
of Directory Services, Part 2," page 191.) The use of LDAP 3 in NT 5.0
would likely bring about two changes: ADSI would get an LDAP 3 provider and LDAP
3 would update ADSI.
If AD dominates the industry, ADSI will be beside it. But if a new
programming technique replaces object-oriented COM, ADSI will vanish. However,
ADSI probably won't disappear in this millennium, so you need to take a closer
look at it. ADSI is an object that represents the future.