asp tutorials, asp.net tutorials, sample code, and Microsoft news from 15Seconds
ADSI Part II: Configuring NTLM with ADSI
By Wayne Berry
    Introduction

    ADSI is a COM interface that lets you programmatically configure IIS, the Windows NT security account database (this article calls it "NTLM"; the ADSI provider that accesses it is the WinNT provider, whose paths begin with WinNT://), and Exchange Server. A previous 15 Seconds article, "Understanding ADSI", described how ADSI works and gave some examples for configuring IIS. This article shows how to configure Windows NT accounts using ADSI, including the manipulation of domains, groups, and users.

    Each ADSI provider accesses a different directory. The IIS provider accesses the IIS 4.0 configuration and is installed with the Windows NT 4.0 Option Pack. The WinNT provider used by the examples in this article must be downloaded from Microsoft separately. To download and install it, go to this location: ADSI Download.

    The WinNT provider exposes several objects: Domain, Group, and User. The Domain object represents a domain or the local account database of a stand-alone machine; through it you add groups and users. The Group object represents a group within that domain; for example, Administrators is a typical local group. The User object represents a user account on the domain or on the local machine.

    Warning

    The following examples modify the Windows NT account database: they add users and set those users' passwords. Until you understand how the code works, run it only on a test machine or in a domain where you do not jeopardize security.

    Only accounts with Administrator or Account Operator privilege on the machine whose database is being modified (for a local database, the server where IIS is running) can change the Windows NT user database, and an ASP page executes under the security context of the authenticated web user. Anonymous requests therefore always fail, because they run as the low-privileged IIS anonymous account. Use Windows NT Challenge/Response authentication for access on the local intranet, or Basic authentication over an SSL channel for the Internet; Basic authentication without SSL sends the administrator's password across the network unprotected, which is exactly the credential an attacker wants. Out-of-process applications also fail, because they run under a separate low-privileged identity rather than the caller's, so the web application must be set to run in process. Finally, such a page is itself an administrative tool: restrict it with NTFS permissions to the administrators who are meant to use it.

    Creating a User

    The first task in working with Windows NT authentication is the creation of a user on a domain. The domain can be either a stand-alone machine or a primary domain controller. Creating the user on a stand-alone machine creates a local account that can log on to that machine only; creating it on the domain controller creates a domain account that can log on to the network. Example 1 shows how to create a user on a domain:

    Example 1: Creating a User

    
    
    ' The machine (or domain) whose account database is modified, and the
    ' name of the account to create. Both values are placeholders.
    strDomain="MACHINENAME"
    strUser="jdoe"
    
    ' Bind to the domain through the WinNT provider and request a new object
    ' of class "user". Nothing is written until SetInfo is called.
    Set oDomain = GetObject("WinNT://" & strDomain)
    Set oUser = oDomain.Create ("user", strUser)
    oUser.SetInfo
    
    Set oDomain=Nothing
    Set oUser=Nothing
    
    
    
    Notice that we use two strings that need to be configured: one represents the user and the other the domain. Also notice that we call the SetInfo method on the user object that the domain returned. Until you call SetInfo, the information is not written to the account database.

    The problem with Example 1 is that we created a user who cannot log on to the computer, because the account has no password. Example 2 shows how to create a user and set a password:

    Example 2: Creating a User with a Password
    
    
    
    strDomain="MACHINENAME"
    strUser="jdoe"
    
    Set oDomain = GetObject("WinNT://" & strDomain)
    Set oUser = oDomain.Create ("user", strUser)
    oUser.SetInfo
    
    ' SetPassword works only on an account that already exists, hence the
    ' SetInfo above. The literal password is for illustration only: in a real
    ' page, read it from a protected source and never write it to a log.
    oUser.SetPassword "mypassword"
    oUser.SetInfo
    
    Set oDomain=Nothing
    Set oUser=Nothing
    
    
    
    Notice that we call SetInfo twice, once to create the user on the Domain and once to set the password.

    If you run Example 1 and then run Example 2, you will notice that you get an error running Example 2. The reason is the user already exists in the database. To avoid this problem, we have the code in Example 3:

    Example 3: Checking the Domain for a User

    
    
    On Error Resume Next
    
    strDomain="MACHINENAME"
    strUser="jdoe"
    
    Set oDomain = GetObject("WinNT://" & strDomain)
    
    ' Request the new user. If the account already exists, the provider
    ' reports the error either here or on the first SetInfo, so check after both.
    Set oUser = oDomain.Create ("user", strUser)
    If (Err.Number = 0) Then oUser.SetInfo
    
    If (Err.Number = 0) Then
        oUser.SetPassword "mypassword"
        oUser.SetInfo
        Set oUser=Nothing
    Else
        ' Err.Description explains why the account could not be created
    End If
    
    Set oDomain=Nothing
    
    
    
    If the user already exists in the domain, creating it fails. We detect this by examining the Number property of the built-in Err object; with the WinNT provider the error may surface at Create or not until the first SetInfo, so the code checks after both calls. Only if both succeed do we set the password and commit it. Note that On Error Resume Next silences every error in the script, so check Err.Number after each ADSI call you care about, and clear it with Err.Clear before reusing it.

    Creating a Group

    Creating a group is much like creating a user. Example 4 shows how it is done:

    Example 4: Creating a Group

    
    
    strDomain="MACHINENAME"
    strGroup="Unidentified"
    
    Set oDomain = GetObject("WinNT://" & strDomain)
    
    ' Same call as for a user; only the class name changes.
    Set oGroup = oDomain.Create ("group", strGroup)
    
    oGroup.SetInfo
    
    Set oDomain=Nothing
    Set oGroup=Nothing
    
    
    
    Notice that we are calling the Create method when creating both a user and a group. The only difference is that the first parameter has changed. This parameter is the class of the object that we are creating.

    Putting a User into a Group

    In example 5 we add the user, “jdoe”, to the group, “Unidentified”, that we created in the earlier example.

    Example 5: Adding a User to a Group

    
    
    strDomain="MACHINENAME"
    strUser="jdoe"
    strGroup="Unidentified"
    
    ' Bind to the existing group rather than creating it.
    Set oDomain = GetObject("WinNT://" & strDomain)
    Set oGroup = oDomain.GetObject("Group", strGroup)
    
    ' Members are identified by their full ADsPath.
    oGroup.Add ("WinNT://" & strDomain & "/" & strUser)
    
    Set oDomain=Nothing
    Set oGroup=Nothing
    
    
    
    Notice that we get the group object from the domain, instead of creating that group like in earlier examples. Also notice that we refer to the user with the full ADSI path name of the user.
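
    The following script is an added example, not code from the original article. It combines Examples 3, 4 and 5 into one idempotent provisioning step: it binds to the group and the user if they already exist and creates them only if they are missing, sets the password, and adds the user to the group only if it is not already a member. It is written as a stand-alone .vbs file run under cscript on the test machine the warning above asks for; in an ASP page replace WScript.Echo with Response.Write and WScript.Quit with Response.End. The domain, user, group and password values are assumed placeholders.

    ```vbscript
    ' Added example: idempotent create-user, create-group, add-to-group.
    ' Placeholder values; read the password from a protected source in practice.
    Option Explicit
    On Error Resume Next

    Const strDomain   = "MACHINENAME"
    Const strUser     = "jdoe"
    Const strGroup    = "Unidentified"
    Const strPassword = "Change-Me-At-First-Logon-1"   ' assumed; never hard-code real secrets

    Dim oDomain, oUser, oGroup, strUserPath, bIsMember

    ' Stop on the first ADSI error instead of silently continuing.
    Sub CheckErr(strStep)
        If Err.Number <> 0 Then
            WScript.Echo strStep & " failed: 0x" & Hex(Err.Number) & " " & Err.Description
            WScript.Quit 1
        End If
    End Sub

    Set oDomain = GetObject("WinNT://" & strDomain)
    CheckErr "Binding to " & strDomain

    ' Group: bind if it exists, otherwise create it. A failed GetObject sets Err.
    Set oGroup = GetObject("WinNT://" & strDomain & "/" & strGroup & ",group")
    If Err.Number <> 0 Then
        Err.Clear
        Set oGroup = oDomain.Create("group", strGroup)
        oGroup.SetInfo
        CheckErr "Creating group " & strGroup
        oGroup.Description = "Created by ADSI provisioning script"
        oGroup.SetInfo
        CheckErr "Describing group " & strGroup
    End If

    ' User: same pattern. Testing for existence first avoids the
    ' "account already exists" error that Example 3 has to trap.
    strUserPath = "WinNT://" & strDomain & "/" & strUser
    Set oUser = GetObject(strUserPath & ",user")
    If Err.Number <> 0 Then
        Err.Clear
        Set oUser = oDomain.Create("user", strUser)
        oUser.SetInfo                  ' first SetInfo commits the new account
        CheckErr "Creating user " & strUser
        oUser.SetPassword strPassword  ' SetPassword needs a committed account
        oUser.SetInfo
        CheckErr "Setting password for " & strUser
    End If

    ' Membership: Add fails if the user is already a member, so test first.
    bIsMember = oGroup.IsMember(strUserPath)
    CheckErr "Checking membership of " & strGroup
    If Not bIsMember Then
        oGroup.Add strUserPath
        CheckErr "Adding " & strUser & " to " & strGroup
    End If

    WScript.Echo strUser & " is a member of " & strGroup & ": " & oGroup.IsMember(strUserPath)

    Set oUser = Nothing
    Set oGroup = Nothing
    Set oDomain = Nothing
    ```

    The membership test is assigned to a variable before the If because, under On Error Resume Next, an error raised inside an If condition is easy to miss; checking Err.Number after the assignment makes a failed IsMember visible instead of silently skipping the Add.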

    Configuring the User

    Once we have the user object we can set the parameters that are associated with that user. For example, the user's expiration date and full name. Example 6 shows how to do this:

    Example 6: Configuring the User

    
    
    strDomain="MACHINENAME"
    strUser="jdoe"
    
    ' Bind directly to the user by its full ADsPath.
    Set oUser = GetObject("WinNT://" & strDomain & "/" & strUser)
    
    ' Setting the Account Expiration to 30 days from today
    
    dtExpirationDate=Now()
    dtExpirationDate=DateAdd("d",30,dtExpirationDate)
    
    oUser.AccountExpirationDate = dtExpirationDate
    
    ' Setting the Full Name of the User
    oUser.FullName="Joe Doe"
    
    ' Both changes are held in the property cache until SetInfo writes them.
    oUser.SetInfo()
    
    Set oUser=Nothing
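
    The next script is an added example, not code from the original article. It goes beyond Example 6 to the properties that matter for security: it forces the user to replace the provisioning password at first logon, clears the "password never expires" and "user cannot change password" bits of the WinNT provider's UserFlags attribute, and reads the values back from the database to confirm what was written. The flag constants are the ADS_USER_FLAG_ENUM values from the ADSI headers; the domain and user names are assumed placeholders, and the script is written for cscript.

    ```vbscript
    ' Added example: setting security-relevant account properties via IADsUser
    ' and the UserFlags attribute. Placeholder domain and user names.
    Option Explicit
    On Error Resume Next

    ' UserFlags bits (ADS_USER_FLAG_ENUM).
    Const ADS_UF_ACCOUNTDISABLE     = &H2
    Const ADS_UF_PASSWD_CANT_CHANGE = &H40
    Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000

    Const strDomain = "MACHINENAME"
    Const strUser   = "jdoe"

    Dim oUser, lngFlags

    Set oUser = GetObject("WinNT://" & strDomain & "/" & strUser & ",user")
    If Err.Number <> 0 Then
        WScript.Echo "Cannot bind to user: " & Err.Description
        WScript.Quit 1
    End If

    ' Properties exposed directly by IADsUser.
    oUser.FullName = "Joe Doe"
    oUser.Description = "Provisioned via ADSI; expires 30 days after creation"
    oUser.AccountExpirationDate = DateAdd("d", 30, Now())

    ' Clear the bits that weaken the account. "Password never expires" would
    ' also defeat the PasswordExpired setting below, and the disable bit is
    ' cleared so the account is usable once SetInfo commits.
    lngFlags = oUser.Get("UserFlags")
    lngFlags = lngFlags And Not (ADS_UF_DONT_EXPIRE_PASSWD Or ADS_UF_PASSWD_CANT_CHANGE Or ADS_UF_ACCOUNTDISABLE)
    oUser.Put "UserFlags", lngFlags

    ' Mark the current (provisioning) password as expired so the user must
    ' choose a new one at first logon.
    oUser.Put "PasswordExpired", CLng(1)

    oUser.SetInfo
    If Err.Number <> 0 Then
        WScript.Echo "SetInfo failed: 0x" & Hex(Err.Number) & " " & Err.Description
        WScript.Quit 1
    End If

    ' Reload the property cache from the database and show what was stored.
    oUser.GetInfo
    WScript.Echo "Full name:        " & oUser.FullName
    WScript.Echo "Account expires:  " & oUser.AccountExpirationDate
    WScript.Echo "UserFlags:        0x" & Hex(oUser.Get("UserFlags"))
    WScript.Echo "Must change pwd:  " & (oUser.Get("PasswordExpired") = 1)

    Set oUser = Nothing
    ```

    Reading UserFlags back after GetInfo is the check worth keeping in any provisioning script: a SetInfo that reports success but leaves the "never expires" bit set usually means another property write in the same batch overwrote the cached flags.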
    
    

    Iterating through the Users

    In some cases you do not want to deal with a single user, but wish to iterate through all the users in a group. Example 7 shows how to iterate through the members of the group created earlier.

    Example 7: Iterating through Users

    
    
    strDomain="MACHINENAME"
    strGroup="Unidentified"
    
    Set Group = GetObject("WinNT://" & strDomain & "/" & strGroup)
    
    ' Members returns a collection of the group's member objects.
    For Each Member in Group.Members
    
        ' A group can contain other groups, so check the class first.
        If (Member.Class="User") Then
    
            ' Here is where you would do
            ' something with the user
    
        End If
    Next
    
    
    Notice that we call the Members method of the Group object and get back a collection that we can iterate with For Each. Because a group can also contain other groups, we check that the member's Class is "User" before treating the object as a user.
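
    The following audit script is an added example, not code from the original article. Where Example 7 walks one group's members, this enumerates every user in the account database by setting the container's Filter property to the "user" class, then reports, for each account, whether it is disabled, whether its password never expires or is not required at all, and whether it belongs to the Administrators group. The flag constants are ADS_USER_FLAG_ENUM values; the domain name is an assumed placeholder and the script is written for cscript.

    ```vbscript
    ' Added example: enumerate all users with Filter and audit their settings.
    ' Placeholder domain name.
    Option Explicit
    On Error Resume Next

    Const ADS_UF_ACCOUNTDISABLE     = &H2
    Const ADS_UF_PASSWD_NOTREQD     = &H20
    Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000

    Const strDomain = "MACHINENAME"

    Dim oDomain, oAdmins, oUser, lngFlags, strPath, strStatus

    Set oDomain = GetObject("WinNT://" & strDomain)
    Set oAdmins = GetObject("WinNT://" & strDomain & "/Administrators,group")
    If Err.Number <> 0 Then
        WScript.Echo "Bind failed: " & Err.Description
        WScript.Quit 1
    End If

    ' Filter restricts the container enumeration to objects of class "user",
    ' so the Class check from Example 7 is not needed here.
    oDomain.Filter = Array("user")

    For Each oUser In oDomain
        strPath   = oUser.ADsPath
        lngFlags  = oUser.Get("UserFlags")
        strStatus = ""
        If (lngFlags And ADS_UF_ACCOUNTDISABLE) <> 0 Then strStatus = strStatus & " disabled"
        If (lngFlags And ADS_UF_DONT_EXPIRE_PASSWD) <> 0 Then strStatus = strStatus & " pwd-never-expires"
        If (lngFlags And ADS_UF_PASSWD_NOTREQD) <> 0 Then strStatus = strStatus & " pwd-not-required"
        If oAdmins.IsMember(strPath) Then strStatus = strStatus & " ADMINISTRATOR"
        If strStatus = "" Then strStatus = " ok"
        WScript.Echo oUser.Name & ":" & strStatus
    Next

    Set oAdmins = Nothing
    Set oDomain = Nothing
    ```

    Run from an administrative prompt with cscript, this gives a one-line-per-account view that is quick to diff against a previous run; an account that newly shows ADMINISTRATOR or pwd-not-required is the kind of change worth investigating.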

    Summary

    Using the ADSI COM interface you can modify the Windows NT account database. The possibilities are wide: an Internet service provider could build web pages that configure new accounts instantly, and an administrator could write a script that configures a local machine. Windows NT 5.0 (released as Windows 2000) ships with ADSI installed, so the technology can be used without a separate download.

    Chat with the Author

    Did you read the article and still have questions? Chat with the author, Wayne Berry, on Thursday March 19th 1998 at 5:00 PST (-8:00). Depending on the IRC client you have, we should be able to swap source code files across the chat server.

    In order to join the conversation, you will need an IRC client, which you can download for free at http://www.microsoft.com/ie/download/. Make sure to download the client early, since the download and installation might take a few minutes.

    Once you have an IRC client installed you can click on this link and you will be connected to the chat room. If the link doesn't work, here is the server location and room name:

    Server: comicsrv.microsoft.com
    Room: #15Seconds
