Welcome to the ScriptVault, where ScriptingAnswers.com users share their administrative scripts.

Have you written a script that accomplishes some administrative task? Please share it! Just navigate to the appropriate category and click the "Contribute to this category" link!


Scripts

A customized Software Installation Console Contributed by Tunji M Taiwo
Designed for customizing the installation of MSI, Setup, Inno and other software programs.
Active Directory HTA for Users to edit personal information Address, Phone Number, Cell Phone etc. Contributed by Aaron Castillo
I was presented with the need for my users to be able to keep their contact information current without delegating the task to an irresponsible employee who would not be able to keep up with it, so I created this HTA, which allows users to view/edit their own information in Active Directory without having any more privileges than a user. It also creates an access.log file so you can see how many times your HTA was opened, by whom and from where (just a small bonus). The Domain Controller name is hardcoded in the script: once you have copied the text to your .HTA, just find and replace MyDC with the name of your Domain Controller. MyDC appears only twice in this HTA. Enjoy! Email me your comments and suggestions at aarongcastillo@hotmailDOTcom. Thanks, Aaron Castillo
Active Directory User Account Audit with Last Password Reset Contributed by David Shower
Purpose: to create a CSV listing of all users in Active Directory, showing whether each account is disabled or enabled, providing both first and last name for sorting, and listing the last time the account's password was reset, allowing accounts that need to be investigated and/or disabled to be flagged.
Active Directory User Information Display Contributed by Ralph E Montgomery
ADUser.vbs takes input through a dialog box and displays a user's Active Directory account information either in an IE-type window (or a dialog box, currently commented out). Under WinXP/2003 it displays information about Terminal Services. Uses SMS to pull the last logged-in workstation if SMS is installed. No admin customization needs to be done (except for the SMS information, which can be commented out); runs anywhere, out of the box. Enjoy!
AD Asset information Contributed by Jerry Krasnesky
This script parses a text file of machine names and connects to each system via a remote WMI routine to collect system information, installed software and service details.
AD user lookup and password reset Contributed by David Larsen
This HTA allows a helpdesk to search Active Directory by user ID or last name. When searching by user ID it returns basic user info including account status (locked, disabled, when the password expires). Once a user ID is found you can unlock a locked account and reset the password. A last-name search returns all matching user IDs and full names, with an option to look up that user's status. You will need to modify line 87 of the .hta for your domain's NetBIOS name.
Add domain groups to local ADMINISTRATORS groups on workstations only Contributed by Adam Freden
This script is designed to be used as a logon script (to always verify and add the defined domain groups to the local ADMINISTRATORS group of workstation-class machines). It is easily modifiable, as it is FULLY DOCUMENTED! It checks that the computer runs a workstation OS (as you typically don't want internal help-desk users to be server administrators), and will not modify group membership on server-OS computers. Since this script is fully documented, it is easy to modify it into a stand-alone script (using a multiple-computer wrapper template script available from SCRIPTINGANSWERS.COM).
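The same workstation-only check as an added PowerShell example; this is not the contributed script. It reads Win32_OperatingSystem.ProductType and leaves the local Administrators group alone on anything that is not a workstation. One caveat a practitioner should know: a per-user logon script runs with the logged-on user's token, so it can only change local group membership when that user is already an administrator. This version is therefore written to run as a computer startup script (which runs as SYSTEM) or from an elevated shell. The group names are placeholders.

```powershell
# Added example (not the contributed script). Run as a computer startup script
# or elevated: changing local group membership needs administrative rights.
$DomainGroups = @('CONTOSO\Helpdesk', 'CONTOSO\Desktop Admins')   # assumed names

function Test-IsWorkstation {
    # Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    return ($os.ProductType -eq 1)
}

function Get-MissingAdministrators {
    param([string[]]$Wanted)
    # Get-LocalGroupMember reports domain members as DOMAIN\name; compare case-insensitively.
    $current = @(Get-LocalGroupMember -Group 'Administrators' |
                 ForEach-Object { $_.Name.ToLowerInvariant() })
    return @($Wanted | Where-Object { $current -notcontains $_.ToLowerInvariant() })
}

if (-not (Test-IsWorkstation)) {
    Write-Output "Server-class OS on $env:COMPUTERNAME; leaving Administrators untouched."
    return
}

foreach ($group in Get-MissingAdministrators -Wanted $DomainGroups) {
    try {
        Add-LocalGroupMember -Group 'Administrators' -Member $group -ErrorAction Stop
        Write-Output "Added $group to Administrators on $env:COMPUTERNAME"
    } catch {
        Write-Warning "Could not add ${group}: $($_.Exception.Message)"
    }
}
```

Get-LocalGroupMember can fail with a "principal could not be found" error when the group holds SIDs that no longer resolve (the orphaned-SID situation another entry on this page deals with), so clean those up first. If no script logic is needed beyond "these groups are always local admins on workstations", Group Policy's Restricted Groups or the Local Users and Groups preference does the same thing declaratively, without a script that every machine has to run.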
Add stamp or anything else to any extensionAttribute from 1 to 15 for any users in AD Contributed by Christian Sawyer
If no text file is given, it will retrieve all users from AD using another sub. All users of any type will be processed. You can change the value of the stamp and the extensionAttribute number as you wish. The Sub SetExtAttributeInAD used here is reusable in any other script that needs to change an extensionAttribute for a user account.
Add Users from a CSV File Contributed by Don Jones
Set up a CSV file to list the user ID, full name, description, and home directory, all separated by commas. Then simply run this script. It'll make up passwords and output them to a file for your reference. The script uses the WinNT provider (be sure to change the script to provide the name of your PDC or, in an AD environment, your domain), so users are created in the default Users container rather than a specific OU. You can tweak the script to use the LDAP ADSI provider instead, which would allow you to connect to an OU and then use its Create() method to create the users in that OU.
ADSI Authentication Template Contributed by Alan
I've noticed many questions pop up in the forums regarding binding to AD and passing credentials via scripting. The following demonstrates the basics for authenticating against AD using VBScript.
Automatically change local admin passwords on workstations in an AD-based domain Contributed by Venkita Sundaresa
Keeping track of the local administrator password and changing the local admin password of all workstations on a periodic basis is always a big challenge for the IT industry. This has been a major recommendation from the KPMG auditors who did the audit for BS7799 & ISO27001. The industry practice is to have one common password for Administrator (or whatever other name it has) and keep the same one on all computers; that is the normal industry practice that is usually seen. To overcome this big task, I have developed my own efficient mechanism for changing the local administrator password on all workstations. This is achieved by running the change-password script via Group Policy, which does the trick. Scripts run via Group Policy run under the “SYSTEM” account, so the question of any additional rights does not arise. Venkita.Sundaresan@ustri.com
Batch Create Sub-OU's Contributed by Tskyers
I've been doing a lot of work in Active Directory lately. I have a need to add the same sub-OU structure to an existing structure starting at an arbitrary point. I'm pretty lazy when it comes to repetitive tasks like that, so I thought I'd script it. My scripting skills leave a lot to be desired, and most times I use brute force to get things done; if you have suggestions or ways to make this script better please feel free to post :). I could always use the help! Snip the script below and save it as a .vbs. It works in either cscript or wscript. Also, the plain text zapped my tab structure, so you may want to re-tab the code for easier reading.
Batch-Create Computer Accounts Contributed by Don Jones
This script will create computer accounts listed in a text file. You can modify the script to set the destination OU for the new accounts. This is a good example of how computer accounts get created and what properties must be set for them in AD.
Change AD pwd and set 'change pwd at next logon' Contributed by JR Williams
First, thank you to JHick, ChrisSaw, Ken Bray and Jvierra; without all of your help I would still be working on this. This script was designed for our Helpdesk. The script will prompt for the user's "DN" name, set a default password and set "change password at next logon".
Change Password Contributed by Don Jones
This is built as a help desk tool, although obviously whoever runs it needs appropriate permissions. It asks for the user's domain and name, and a new password.
Change the location attribute for a computer account Contributed by bhushi72
Demonstration script that changes the location attribute for a computer account in Active Directory.
Changes Local Machine Description To Logged-On User's Name! Contributed by Steven Causey
Changes the computer description to the currently logged-on domain user variable. Actually works, unlike some out there; we use it to identify primary users per workstation, etc. If you use DAMEWARE NT UTILITIES, it's a godsend. Modified by Drew Douglas & Steven Causey from a non-working script we found elsewhere. Use as a startup script in A.D., per user.
Check FSMO availability with PowerShell Contributed by Scott Engle
This PowerShell script checks all FSMO roles within a Forest and if their DNS alias is pingable. All you need to do is pass the script the name of the root domain.
Check SP level on all AD computers Contributed by Don Jones
Displays the OS build number and service pack version for each computer in your AD domain.
Copy Global and Local Groups Contributed by droopy
This script will allow you to copy any global or domain local group in Active Directory. Let me know if you run into any problems or have any ideas.
Create AD User Contributed by Greg Onstot
In my company we had issues with admins continuing to use old scripts for user creation, even after new ones had been emailed out. We also had problems with them not formatting the input text file correctly. Finally, instead of maintaining 2 scripts, one for contractors and one for employees, this script creates both based on the input received.
Highlights:
1. Checks the script distribution share to make sure it's the latest version; if not, tells the user where to upgrade from, then exits.
2. Pop-up verifying how the script sees the input file.
3. If a date is entered in the input file, the script makes that person a contractor with that expiration date, and modifies group membership.
4. Account creation logged to a text file.
5. Assigns group membership and home folder server based on location.
6. Sets home folder NTFS permissions.
Modifications needed: to work with your AD you'll need to modify a number of settings. I added a 'MOD comment to the end of each of these lines.
Input file (c:\scripts\users-to-create.txt) format:
Employees - UserName,FirstName,LastName,Office, (note the trailing comma)
Contractors - UserName,FirstName,LastName,Managers Name,AccountExpirationDate (MM/DD/YYYY, as in 01/30/2006)
Creating a Computer Account For a User Contributed by bhushi72
Creates and enables a computer account in Active Directory, which a specific, authenticated user can use to add his or her workstation to the domain.
Creating OUs from a directory structure Contributed by Riccardo Moretti
This script reads a directory structure on a HDD and creates an OU structure within Active Directory based on that directory structure. There is also the inverse, CreateDirFromOU.vbs. Both scripts allow a user to export OUs to a directory structure, then copy the directory tree to a memory stick and re-create the OU structure in a lab. Note there are 2 scripts here!!! They need some basic clean-up...
DC_Info Contributed by Alan
I thought I would go ahead and throw out another script I wrote for maintaining basic data pertaining to Domain Controllers. In a nutshell it will dynamically query the DCs in the forest and enumerate information including names, IPs, sites, GC enabled, etc. The information is again formatted in Excel similar to the Exchange HTA (posted earlier in the HTA forum) in that each domain in the forest is listed as a separate worksheet in the workbook. I find this to be easier than manually updating informational spreadsheets whenever IP subnets are changed or DCs retired. Just run the script and have a current, dynamically populated spreadsheet. This code also makes use of regular expressions to format the RDN of the server from the Distinguished Name attribute as well as to format the octets of the IP address. The script can be easily modified to include additional attributes of domain controllers if someone wants more information returned.
Deletes an individual computer account in Active Directory Contributed by bhushi72
Deletes an individual computer account in Active Directory
Disabling a Global Catalog Server Contributed by bhushi72
Disables the global catalog service on a domain controller.
Enabling a Global Catalog Server Contributed by bhushi72
Enables the global catalog service on a domain controller.
Enumerating Computer Account Attributes Contributed by bhushi72
Demonstration script that retrieves the location and description attributes for a computer account in Active Directory.
Enumerating Computer Accounts in Active Directory Contributed by bhushi72
Returns the name and location for all the computer accounts in Active Directory.
Find and Delete Computer Account in Active Directory Contributed by Louis Gaulin
This is a little script that will locate and delete a computer account in Active Directory, based on a substring that you enter. You can enter only part of the computer account name, or the entire computer account name. Presently, the search is case sensitive, but the script can easily be modified to be case insensitive. The script first prompts the user for the string to search. It then locates all computer accounts in Active Directory. Then it iterates through the records found until it locates the substring within the computer account name. When a match is found, it displays it to the user. If the user chooses to delete the account, the script will prompt the user "Are you sure?". There is still room for improvement on this script, but as it is, it gets the job done. ;-) wynken
Find and Disable Inactive Accounts Contributed by Don Jones
Set the LogOnly constant = True to prevent the script from making any actual changes; it'll just list the accounts that it WOULD disable. Set the constant = False to have the inactive accounts disabled.
Find CD-Roms in computer Contributed by A. Cadstillo
This script was designed for an Active Directory environment. As the description suggests, it will search all computers in Active Directory and prompt as it finds each CD in all of the computers on your network, until you find the CD you are looking for.
Download CDR.zip, extract cdr.txt and rename it to cdr.vbs. Enjoy!
Find orphaned SIDs on all local machines in domain Contributed by Michael Troy McKee
This script will check AD for a list of machines, and then verify they are up. Then it will check all user groups on each machine and report any with orphaned SIDs (domain SIDs which cannot be associated with a username).
Find User Object using PowerShell Contributed by Jeffery Hicks
Demonstration script on using the DirectorySearcher object to find a user account in Active Directory.
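An added example, not the contributed code, covering this entry and the ADSI Authentication Template above: it binds with explicit credentials through the same System.DirectoryServices classes and then looks a user up with a DirectorySearcher. The server, naming context and account names are placeholders. The part worth copying is the escaping of the user-supplied value: a search tool that pastes raw input straight into the filter lets whoever types the user ID rewrite the query.

```powershell
# Added example (not the contributed scripts): bind with explicit credentials and
# search for a user. Server, naming context and account names are placeholders.
Add-Type -AssemblyName System.DirectoryServices

function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping for a value placed inside an LDAP filter. Without it, input
    # such as  *)(objectClass=*  rewrites the filter instead of being matched literally.
    param([Parameter(Mandatory)][string]$Value)
    $escaped = $Value -replace '\\', '\5c'     # backslash first, so the escapes added below stay intact
    $escaped = $escaped -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
    return ($escaped -replace "`0", '\00')
}

function Connect-Directory {
    param(
        [Parameter(Mandatory)][string]$LdapPath,          # e.g. LDAP://dc01.contoso.com/DC=contoso,DC=com
        [Parameter(Mandatory)][pscredential]$Credential
    )
    # Secure = SSPI (Kerberos/NTLM) authentication, Sealing = encrypted session.
    # A Simple bind would send the password in clear text unless the path is LDAPS.
    $types = [System.DirectoryServices.AuthenticationTypes]
    $auth  = $types::Secure -bor $types::Sealing
    $entry = New-Object -TypeName System.DirectoryServices.DirectoryEntry -ArgumentList @(
        $LdapPath, $Credential.UserName, $Credential.GetNetworkCredential().Password, $auth)
    # DirectoryEntry binds lazily; reading NativeObject forces the bind so that bad
    # credentials fail here rather than at the first search.
    $null = $entry.NativeObject
    return $entry
}

function Find-DirectoryUser {
    param(
        [Parameter(Mandatory)][System.DirectoryServices.DirectoryEntry]$Root,
        [Parameter(Mandatory)][string]$SamAccountName      # raw input, possibly hostile
    )
    $searcher = New-Object -TypeName System.DirectoryServices.DirectorySearcher -ArgumentList $Root
    $value = ConvertTo-LdapFilterValue -Value $SamAccountName
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$value))"
    $searcher.SearchScope = 'Subtree'
    $searcher.PageSize = 1000
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'userAccountControl', 'pwdLastSet'))
    # FindAll rather than FindOne: with an unescaped filter a second, unexpected hit would stay invisible.
    return $searcher.FindAll()
}

$cred = Get-Credential -UserName 'CONTOSO\svc-helpdesk' -Message 'Account used to bind'
$root = Connect-Directory -LdapPath 'LDAP://dc01.contoso.com/DC=contoso,DC=com' -Credential $cred
foreach ($hit in Find-DirectoryUser -Root $root -SamAccountName (Read-Host -Prompt 'User ID')) {
    $hit.Properties['distinguishedname'][0]               # SearchResult property names are lower-case
}
# ConvertTo-LdapFilterValue 'a*)(cn=*'  returns  a\2a\29\28cn=\2a
```

The helper also matters for the search tools further down this page: any script that builds `(cn=*` + input + `*)` from a prompt or a text file has the same problem. Use Secure binding with the credential object rather than embedding a password in the script, and keep the account used for binding to read-only rights unless the tool has to change something.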
Function to set dialin attributes in AD Contributed by Jim Vierra
Function to set dialin attributes on an AD user object. Only enabling dialin is functional. Other attributes are commented out but provide info needed to extend function to modify these values. Function takes a user object as an argument. EnableDialin ,
Generic search tool for Active Directory Contributed by Ira Davis
Simple class that encapsulates Active Directory and offers some simple search functions. Easily converted to a script component, you can then embed AD search capability in other scripts.
Get obsolete computer accounts Contributed by jhicks91
This script will work in either an NT or AD environment. It checks the password age of your computer accounts. Generally, anything older than 45 days is suspect and could be an obsolete account. The script doesn't actually delete anything, it just reports what you could. To save the output to a text file, use standard console redirection (after verifying the script works for you): cscript obsolete_computer_accounts.vbs >output.txt
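The same check as an added PowerShell example, not the contributed script; it also covers the user account audit and the inactive-accounts entries above. It reports user or computer accounts whose password is older than a threshold and, like the LogOnly constant in the inactive-accounts script, disables nothing unless explicitly told to. It assumes the ActiveDirectory module from RSAT; thresholds and paths are placeholders.

```powershell
# Added example (not the contributed scripts). Requires the ActiveDirectory module
# (RSAT); OU path and thresholds are placeholders.
Import-Module ActiveDirectory

function Get-StaleAccount {
    param(
        [ValidateSet('user', 'computer')][string]$Class = 'user',
        [int]$Days = 45,
        [string]$SearchBase                     # omit for the whole domain
    )
    # pwdLastSet is a FILETIME (100 ns ticks since 1601-01-01 UTC); putting the
    # threshold into the filter makes the DC do the work. 0 means "must change at
    # next logon" and says nothing about age, so it is excluded.
    $cutoff = (Get-Date).ToUniversalTime().AddDays(-$Days).ToFileTimeUtc()
    $category = if ($Class -eq 'user') { '(objectCategory=person)(objectClass=user)' } else { '(objectCategory=computer)' }
    $query = @{
        LDAPFilter = "(&$category(pwdLastSet<=$cutoff)(!(pwdLastSet=0)))"
        Properties = 'pwdLastSet', 'whenCreated'
    }
    if ($SearchBase) { $query['SearchBase'] = $SearchBase }
    $objects = if ($Class -eq 'user') { Get-ADUser @query } else { Get-ADComputer @query }
    $now = (Get-Date).ToUniversalTime()
    foreach ($o in $objects) {
        $set = [datetime]::FromFileTimeUtc($o.pwdLastSet)
        [pscustomobject]@{
            Name              = $o.SamAccountName
            Enabled           = $o.Enabled
            PasswordLastSet   = $set
            AgeDays           = [int]($now - $set).TotalDays
            Created           = $o.whenCreated
            DistinguishedName = $o.DistinguishedName
        }
    }
}

function Disable-StaleAccount {
    # Report only unless -Commit is given, like the LogOnly constant in the contributed script.
    param(
        [Parameter(ValueFromPipeline)]$Account,
        [switch]$Commit
    )
    process {
        if (-not $Account.Enabled) { return }
        if ($Commit) {
            Disable-ADAccount -Identity $Account.DistinguishedName
            Write-Output "Disabled $($Account.DistinguishedName)"
        } else {
            Write-Output "WOULD disable $($Account.DistinguishedName) (password age $($Account.AgeDays) days)"
        }
    }
}

Get-StaleAccount -Class user -Days 90 | Export-Csv -Path .\stale-users.csv -NoTypeInformation
Get-StaleAccount -Class computer -Days 45 | Disable-StaleAccount          # report only; add -Commit to act
```

Password age is a good staleness signal for computer accounts because a domain member rotates its machine password on its own (every 30 days by default), so 45 days without a change means the machine has not talked to the domain. For user accounts the same number only reflects password policy, so set the cutoff above the maximum password age and combine it with the last-logon data described further down this page before disabling anything.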
Get OU From UserID Contributed by James Vierra
Function returns OU path that the user account is stored in.
Grant Dial-In Access Contributed by Marcus L. Farmer
Run the script and enter the name of the user you wish to grant dial-in access. The script will then enable the attribute. As a template, this script could be used as the basis for almost any type of single-valued attribute change based on a specified sAMAccountName. Code is not optimized.
Identifying a Global Catalog Server Contributed by bhushi72
Indicates whether or not a specified domain controller is a global catalog server.
LDIFDE HTA Contributed by Alan Finn
A graphical interface to manage the ldifde utility. Supports all switches for the Windows 2003 Server version. LDIFDE.exe must be in %PATH%. Features:
1. Ability to generate syntax via the GUI interface and copy it to the clipboard for use in scheduled tasks and scripts.
2. Ability to launch the command-line utility with the switches and options directly from the HTA GUI interface.
3. Automatically enumerates schema classes and categories and populates the HTA dropdowns with those relevant to the forest the utility is run within. Also dynamically generates the list of attributes related to the currently selected schema class filter.
List Domain, computer and IP of all computers in AD Contributed by James Pedersen
This script will output a list of all computers in the domain with their IP addresses to the screen and a file. It requires a Win2k3 DNS server to point to. The format of the output is: Domain ComputerName 000.000.000.000
Load a spreadsheet with users from Active Directory Contributed by Jim Vierra
When this spreadsheet opens, it loads itself from YOUR Active Directory. This is a useful demonstration of how to run VBScript inside an Office document. The VBScript can be copied out of the spreadsheet. With a few small changes it will run from the command line and create the spreadsheet.
Modify Users Terminal Server Properties Contributed by citrixtools
Please Note that this script will only work in a Windows 2003 Active Directory environment, Microsoft did not put the functionality in Windows 2000.
Moves Users to OU via Text File Contributed by Mark M. Stout
The script moves users listed in a text file of SAM account names to a specified OU. It will prompt you for the file name and the OU to move the users to.
Moving Computers from a list into an OU Contributed by mbrierley
I had a need to get some older computers moved into an OU, to be disabled and then deleted if no one screamed :) I had a list of computers that I came up with using oldcomp.exe (Google is your friend). Here are my results.
New Objects for Today Contributed by Jerry Carlisle
The script will enumerate Active Directory and report on all new objects created in the past day, except for the dns-node object. The report is formatted in HTML and can be emailed to an admin for review. I use this report to keep track of new objects and to ensure that they conform to current naming standards and object placement within Active Directory. Except for the constants at the beginning of the script, this should work in all environments.
Query user nested OU membership Contributed by dkounas
We were having an issue between Oracle & AD with single sign-on and needed to query where each user resided. This script will query AD and return each user's full DN in a .csv file. Many thanks to Don for all your help!! Dave
Quest NDS Migrator User Mapping File Creator Contributed by Dan Cunningham
When migrating from a Novell to an AD environment with NDS Migrator, a mapping file is needed per workstation to be migrated. If you're using the clunky interface to migrate your workstations, it looks after this for you (although it means nothing is automated for your end user). If you plan to script the workstation migration, you'll need to manually create the mapping files, OR use this! :) This script will build the MAP.USR file required by WUPD (a component of NDS Migrator that migrates local profiles to domain profiles and does lots of other stuff). Each line resembles something like this:
\\mycomputer\cunnindn(**)mydomain\dcunningha001(**)S-1-5-21-3414255193-4289457333-2901172377-1009(**)
\\mycomputer\testuser(**)mydomain\testuser001(**)S-1-5-21-3414255193-4289457333-2901172377-500(**)
The way it works is:
1. Gets the SIDs of all local accounts through WMI.
2. Connects to AD through LDAP (this is necessary because at the time of your migration, you won't already be joined or authenticated to the domain).
3. Finds the AD equivalent users and gets their SIDs.
4. Builds the MAP.USR file accordingly.
Command-line options are: /L:, /A:, /U:, /P:. Both /L and /A allow multiple users so you can migrate multiple profiles per machine. You will also need to modify the following variables: sDomain (specify your domain), sServer (specify your LDAP server), sUserPath (the root path to where your users are stored). Let's hope this script is useful to someone else, because it took me quite a while to write!! Dan
Random Password Generator with complexity controls for the truly ugly passwords Contributed by Mark F. Mahoney
This script generates complex passwords with controlled content requirements of a minimum of 2 upper case letters, 2 lower case letters, 2 numbers and 2 special characters or any combination as you see fit. It uses ASCII conversions because there is no need to build an array of all the characters; they already exist in the ASCII Table.
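An added PowerShell example, not the contributed code, that serves this entry together with the "Add Users from a CSV File", "Change AD pwd and set 'change pwd at next logon'" and "Change Password" entries above: a generator that guarantees a minimum count from each character class, drawn from the operating system's cryptographic random number generator with rejection sampling so no value is favoured, then used to create users from a CSV in a chosen OU and for a help-desk reset. The CSV columns, OU, UPN suffix and the special-character set are assumptions; the ActiveDirectory module from RSAT is required.

```powershell
# Added example (not the contributed scripts). Requires the ActiveDirectory module.
# CSV columns, OU, UPN suffix and the special-character set are assumptions.
Import-Module ActiveDirectory
$Rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()

function Get-RandomIndex {
    # Uniform index in [0, Max) from the CSPRNG. Get-Random is not documented as
    # cryptographically secure, and a plain modulo of a 32-bit value biases low indexes.
    param([Parameter(Mandatory)][int]$Max)
    $buf   = New-Object byte[] 4
    $range = [uint64]4294967296
    $limit = $range - ($range % [uint64]$Max)
    do {
        $Rng.GetBytes($buf)
        $n = [uint64][BitConverter]::ToUInt32($buf, 0)
    } while ($n -ge $limit)
    return [int]($n % [uint64]$Max)
}

function New-ComplexPassword {
    param([int]$Length = 14, [int]$MinUpper = 2, [int]$MinLower = 2, [int]$MinDigit = 2, [int]$MinSpecial = 2)
    $upper   = [char[]](65..90)          # A-Z, by ASCII code as in the contributed script
    $lower   = [char[]](97..122)         # a-z
    $digit   = [char[]](48..57)          # 0-9
    $special = [char[]]'!#$%&*+-=?@^_~'  # assumed set; trim it to what your systems accept
    $all     = $upper + $lower + $digit + $special
    $needed  = $MinUpper + $MinLower + $MinDigit + $MinSpecial
    if ($Length -lt $needed) { throw "Length $Length cannot hold $needed required characters" }

    $chars = New-Object System.Collections.Generic.List[char]
    foreach ($rule in @(@($upper, $MinUpper), @($lower, $MinLower), @($digit, $MinDigit), @($special, $MinSpecial))) {
        $set = $rule[0]; $count = $rule[1]
        for ($i = 0; $i -lt $count; $i++) { $chars.Add($set[(Get-RandomIndex -Max $set.Length)]) }
    }
    while ($chars.Count -lt $Length) { $chars.Add($all[(Get-RandomIndex -Max $all.Length)]) }
    # Fisher-Yates shuffle, otherwise the required classes always sit at the front.
    for ($i = $chars.Count - 1; $i -gt 0; $i--) {
        $j = Get-RandomIndex -Max ($i + 1)
        $tmp = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $tmp
    }
    return (-join $chars)
}

function New-UsersFromCsv {
    # Expected columns: SamAccountName,GivenName,Surname,Description,HomeDirectory
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$OU, [string]$UpnSuffix = 'contoso.com')
    foreach ($row in Import-Csv -Path $Path) {
        $initial = New-ComplexPassword
        New-ADUser -SamAccountName $row.SamAccountName -Name "$($row.GivenName) $($row.Surname)" `
            -GivenName $row.GivenName -Surname $row.Surname -Description $row.Description `
            -UserPrincipalName "$($row.SamAccountName)@$UpnSuffix" -Path $OU `
            -HomeDirectory $row.HomeDirectory -HomeDrive 'H:' `
            -AccountPassword (ConvertTo-SecureString -String $initial -AsPlainText -Force) `
            -Enabled $true -ChangePasswordAtLogon $true
        # Shown once for hand-over; ChangePasswordAtLogon makes it a one-time secret.
        [pscustomobject]@{ User = $row.SamAccountName; InitialPassword = $initial }
    }
}

function Reset-UserPassword {
    # Help-desk reset: new random password, user must change it at next logon, lockout cleared.
    param([Parameter(Mandatory)][string]$Identity)
    $initial = New-ComplexPassword
    Set-ADAccountPassword -Identity $Identity -Reset -NewPassword (ConvertTo-SecureString -String $initial -AsPlainText -Force)
    Set-ADUser -Identity $Identity -ChangePasswordAtLogon $true
    Unlock-ADAccount -Identity $Identity
    return $initial
}

New-UsersFromCsv -Path .\users.csv -OU 'OU=Staff,DC=contoso,DC=com'
```

The initial passwords are emitted to the console for hand-over rather than written to a file that would outlive them, and every account is flagged to change its password at first logon, so the generated value stops being valid as soon as it has been used once. Setting `-Path` on New-ADUser is the equivalent of binding to an OU with the LDAP provider and calling Create(), which the "Add Users from a CSV File" entry describes as the alternative to the WinNT provider.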
Reset Local Administrator Account based upon SID Contributed by Marshall
One of my colleagues sent me the original source of this code (by Marcin Policht) and we have since edited and used it for our purposes within our environment. In a Windows 2000 AD environment we can use a GPO to accomplish such a task, but under NT4 it's quite a bit more manual. This script will allow you to easily change the username and password of the local (built-in) administrator, which it identifies based upon its SID. Note: the script is dependent upon ADsSecurity.DLL, which is part of the ADSI 2.5 SDK and can be registered using regsvr32.exe by running the following from the Command Prompt: regsvr32 ADsSecurity.dll
USAGE:
1) Create a file called SERVERS.INI. This will be a list of hostnames that you wish the script to run against.
2) Edit the script values strNewAdminName = and strPassword = to equal the new administrator name and password you want.
IT IS NEVER a good idea to store passwords in plain text, so do as I say and not as I do and don't... :O) Seriously, a much better way to do this would be to gather the username/password at execution through a command-line argument or an input box.
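An added PowerShell example, not the contributed script, for this entry and for the Group Policy approach in the "Automatically change local admin passwords" entry above. It finds the built-in administrator by its well-known RID (the account SID ends in -500 whatever the account is called), renames it and sets a new password on every host in a list, with the password typed at run time as the contributor suggests rather than stored in the script. Two caveats belong here: a script deployed through Group Policy lives in SYSVOL, which every authenticated user can read, so a password written into it is not a secret; and one password shared by every machine turns the compromise of one host into access to all of them. Microsoft's LAPS exists for exactly this case and gives each machine its own random local administrator password stored in AD behind an ACL. The host list path and the new account name are placeholders.

```powershell
# Added example (not the contributed script). The host list file and the new
# account name are placeholders; the password is typed at run time.
function Set-BuiltinAdministrator {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [Parameter(Mandatory)][string]$NewName,
        [Parameter(Mandatory)][securestring]$Password
    )
    # PowerShell remoting encrypts SecureString arguments with the session key,
    # so the password does not cross the wire or land on disk in clear text.
    Invoke-Command -ComputerName $ComputerName -ArgumentList $NewName, $Password -ScriptBlock {
        param([string]$NewName, [securestring]$Password)
        # Match on the well-known RID 500, not on the name: the account may already be renamed.
        $admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
        if (-not $admin) { throw "No RID-500 account found on $env:COMPUTERNAME" }
        $oldName = $admin.Name
        if ($oldName -ne $NewName) { Rename-LocalUser -Name $oldName -NewName $NewName }
        Set-LocalUser -Name $NewName -Password $Password
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            OldName  = $oldName
            NewName  = $NewName
            SID      = $admin.SID.Value
        }
    }
}

# Host list as in the contributed script's SERVERS.INI: one hostname per line, '#' lines are comments.
$hosts = Get-Content -Path .\servers.ini | Where-Object { $_.Trim() -and -not $_.Trim().StartsWith('#') }
$pw    = Read-Host -Prompt 'New local administrator password' -AsSecureString
Set-BuiltinAdministrator -ComputerName $hosts -NewName 'lcladm' -Password $pw | Format-Table -AutoSize
```

Renaming the account buys little on its own, since the RID-500 match used here is exactly how an attacker finds it too; the value is in the password being unique per machine, rotated, and never present in a script or a GPO.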
Retrieve users in Global Security Groups Contributed by kradneb
Main script is FindSecurityGroupInAd.vbs. Procedures and functions in it:
Called from Main: Sub BuildSpreadSheet
Called from Main: Sub CreateGroupList (calls CreateTempFile)
Called from Main: Sub FindUsersInGroup (calls GetGroupOnly, CreateTempFile, AddGroupToSpreadSheet)
Called from Main: Sub SaveSpreadSheet (calls GetDomain)
RetrieveModify Department Information for all AD Users Contributed by Andrew Bermender
The RetrieveDeptADUsers script is a modified version of the RetrieveADUsers script from this site. The ModifyDeptADUsers script was designed to take a modified output file of the first script and use it to replace ("modify") department information for users. Simply run the scripts from a command prompt, using the syntax:
cscript RetrieveDeptADUsers.vbs
cscript ModifyDeptADUsers.vbs
The script outputs a .csv file, whose path is specified by the constant TF_PATH (default c:\ADDept\users.csv for both scripts), with the following line format:
UserDN(contains several commas here),UserSurName,UserGivenName,UserDepartment
ModifyDeptADUser.vbs also contains a constant named DC_ROOT, which denotes what the user's domain name root ends in (e.g. com, net, local, etc.) and is given in the format "DC=com" (default).
ScriptingAnswers.com Essentials Contributed by Don Jones
There's some stuff that comes up so often that it's become easier to make it all available in this one spot. Here you'll find some of the template scripts, security information, and other details that come up literally all the time in our Forums. Since this information is asked for so often, it may be of some use to you as well! You'll find everything in one convenient ZIP file that you can download and keep handy. What's here?
Enumeration: shows how to enumerate, recursively, through object collections and hierarchies. The example uses the FileSystemObject to delete a folder's contents, including all files and subfolders.
Targeting AD objects: shows how to query an AD domain and retrieve all user, computer, container, or OU objects, and then do something with them. It's a great template to which you can add your own code.
Targeting Lists: shows how to read in a text file containing names (the example uses computer names) and then do something to each of them. Both "targeting" examples, by the way, include detailed error trapping so that the scripts continue working even if one targeted object isn't reachable on the network at the time.
Alternate Security: two examples demonstrating how to create both WMI and ADSI connections using alternate credentials.
Run command-line tools from within a script: shows how to execute a command-line tool from within a script, and how to capture its command-line output into a string variable for further processing.
Automate IE: shows how to make IE go to a specific Web page, and then save the page's content into a local text file.
Automate via GUI: sometimes you just can't get a script to do what you want, but it's so easy to configure whatever it is using the Windows GUI! Well, VBScript can be a GUI jockey too, as you'll see in this example.
Service Modification Contributed by Carlton E. Lewis
The LDAP location can be rewritten to include the path to the respective OUs in your organization. No error handling has been included, but for testing purposes you may want to comment out "on error resume next" and build error handling into the script for troubleshooting. Lines 9-16 can be commented out, with the exception of line 12, to test against your local machine.
Set Domain Properties Contributed by Don Jones
Works in NT or AD domains, and quickly sets the main account policies. A great script to run before the security auditors show up!
W2K_User_Info.vbs Contributed by Sean McNeill
This script will create a tab-delimited text file containing all the user accounts in a domain. The output file contains Account Status, User Name, Display Name, DN, Last Logon, Create Date and Modify Date. The script queries for all DCs in the domain (ensuring that they are all located in the Domain Controllers OU), then gets the last logon field from each DC for each account and sorts the array to list the most recent logon for the user account. This is very beneficial to help determine stale accounts in the domain.
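The per-DC aggregation this entry describes, as an added PowerShell example that is not the contributed script. lastLogon is not replicated, so each DC holds only the logons it authenticated itself; the only way to get a true value is to ask every DC and keep the newest. lastLogonTimestamp does replicate, but it is only refreshed when the stored value is more than 9 to 14 days old, so it is good enough for "untouched in 90 days" and useless for "who logged on this week". It assumes the ActiveDirectory module; the output path is a placeholder.

```powershell
# Added example (not the contributed script). Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-TrueLastLogon {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)
    $domain = Get-ADDomain
    $dcs    = @($domain.ReplicaDirectoryServers) + @($domain.ReadOnlyReplicaDirectoryServers)
    $latest = @{}    # SamAccountName -> newest lastLogon seen on any DC ($null = never)
    $users  = @{}    # SamAccountName -> the ADUser object, for the other columns
    foreach ($dc in $dcs) {
        try {
            $found = Get-ADUser -Server $dc -Filter * -SearchBase $SearchBase `
                                -Properties lastLogon,whenCreated,whenChanged -ErrorAction Stop
        } catch {
            # A DC that cannot be reached must not make its users look stale: warn, and
            # do not act on this run's output until every DC has answered.
            Write-Warning "Skipped ${dc}: $($_.Exception.Message)"
            continue
        }
        foreach ($u in $found) {
            $seen = if ($u.lastLogon) { [datetime]::FromFileTimeUtc($u.lastLogon) } else { $null }
            if (-not $latest.ContainsKey($u.SamAccountName)) { $latest[$u.SamAccountName] = $null }
            if ($seen -and ($null -eq $latest[$u.SamAccountName] -or $seen -gt $latest[$u.SamAccountName])) {
                $latest[$u.SamAccountName] = $seen
            }
            $users[$u.SamAccountName] = $u
        }
    }
    foreach ($name in $latest.Keys) {
        $u = $users[$name]
        $status = if ($u.Enabled) { 'Enabled' } else { 'Disabled' }
        [pscustomobject]@{
            Status      = $status
            UserName    = $name
            DisplayName = $u.Name
            DN          = $u.DistinguishedName
            LastLogon   = $latest[$name]
            Created     = $u.whenCreated
            Modified    = $u.whenChanged
        }
    }
}

# Same columns and tab-delimited layout as the contributed script's output file.
Get-TrueLastLogon | Sort-Object LastLogon | Export-Csv -Path .\user-info.tsv -Delimiter "`t" -NoTypeInformation
```

An empty LastLogon means no DC that answered has ever authenticated the account interactively or over the network; accounts created recently will show that too, so read it next to the Created column before treating it as stale.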
Who's Logged On Contributed by Kevin Shannon
This batch .cmd script will do a net view to enumerate all workstations in the domain and it will list the current time and the user currently logged on. This script requires the freeware 'PSLoggedOn' utility from SysInternals to be installed somewhere in the path of the workstation where you are running the script from. (http://www.sysinternals.com/Utilities/PsLoggedOn.html) If you are not logged on to the domain, then it will only return the logon information for the local workstation.