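' ===================================================================================================
'
' Name: createUser.vbs
' Description: VBScript interactive script that prompts for the user to enter in user specific info
'              in order to create a user in AD SSO
' Written By: Aslam Latheef
' Date: 8/18/2010
'
' Script Usage: cscript //nologo createUser.vbs
' Result Code: N/A
' Example: D:\Windows\Scripts\cscript //nologo createUser.vbs
'
' *** Notes ***
'
' 1) The createUser.vbs script will only work if you have an organization that is currently present
'    in the AD SSO structure
' 2) Run the createCompany.vbs script if the company is not present first
' 3) UID information is automatically generated for you with this script
' 4) Currently runs on Windows 2003 or earlier; Will not work unless ADO is enabled on Windows 2008
' 5) For more information or help, please email corp-tech@opsource.net
'
' ===================================================================================================
' ===================================================================================================
'
' Revision History:
'
' 1.00 - Initial Release of script on 8/18/2010
' 1.01 - Added service account field to script on 9/1/2010
' 1.02 - Modified password change script to prompt for password entry on 9/14/2010
' 1.03 - Changed the semantics on the user creation part to handle non-standard UNIX group configs
'        on 10/4/2010
' 1.04 - Changed code again to better handle UNIX attributes as it was hosing the UID generation
'        on 10/5/2010
' 1.05 - Changed code to handle new R2 schema updates on 4/13/2011
'
' ===================================================================================================
' ===================================================================================================
'
' Reference Documentation at the following links:
'
' http://msdn.microsoft.com/en-us/library/aa746471%28VS.85%29.aspx
' http://www.1keydata.com/sql/sql-commands.html
' http://docs.sun.com/source/817-2514-10/Ch11_ADO.html
'
' ===================================================================================================

Option Explicit

Const adStateOpen = 1
Const provider = "Active Directory Provider"   ' If blank use ""

' Credentials used for every ADO/ADSI bind in this script.
' NOTE(review): a service-account password stored in clear text in the script is exposed to everyone
' who can read the file and to every copy, backup and repository that holds it. It should be removed
' from the source (for example prompted for at run time, as setPasswd() already does for the new
' user's password, or by running the script under an account that can bind with its own credentials)
' and the password rotated once it is gone. It is left in place here only so the script keeps working.
Const uname = "CN=adsso_svc,OU=Service Accounts,OU=OpSource,DC=cust,DC=corp,DC=opsource,DC=net"
Const passwd = "sm2D*_W$kGUH"

Const ADS_PROPERTY_CLEAR = 1
Const ADS_PROPERTY_UPDATE = 2
Const ADS_PROPERTY_APPEND = 3
Const ADS_PROPERTY_DELETE = 4
Const ADS_GROUP_TYPE_GLOBAL_GROUP = &h2
Const ADS_GROUP_TYPE_UNIVERSAL_GROUP = &h8
Const ADS_GROUP_TYPE_SECURITY_ENABLED = &H80000000
Const ADS_ACETYPE_ACCESS_ALLOWED = 0
Const ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT = 2
Const READ_ONLY = &H80000000

Const DomainDN = "DC=cust,DC=corp,DC=opsource,DC=net"
Const oProvider = "LDAP://"
Const oDomain = "cust"
Const oLoginShell = "/bin/bash"
' Written verbatim into msSFU30Password for every UNIX-enabled account.
' NOTE(review): confirm what this attribute is expected to hold on this schema (a crypt hash versus a
' clear value) and whether every account sharing the same value is intended.
Const oUnixPasswd = "ABCD!efgh12345$67890"
Const oWinPasswd = "pass123[]"
Const oSecGroup = "OU=Security Groups,OU="
Const oAdmins = "OU=Admins,OU="
Const oUsers = "OU=Users,OU="
Const oSvcAccts = "OU=Service Accounts,OU="
Const oWindows = "OU=Windows,OU=Security Groups,OU="
Const oUNIX = "OU=UNIX_LINUX,OU=Security Groups,OU="
Const oUPN = "@cust.corp.opsource.net"

Dim objConn   ' ADO Connection object
Dim objComm   ' ADO Command object
Dim objRS     ' ADO Recordset object
Dim objUser, objOU, objShell, WshShell
Dim objAdminWin, objUserWin, objAdminUNIX, objUserUNIX   ' Default security groups for customer
Dim objWindows, objUNIX                                  ' OU's in AD
Dim objAdminGPO, objRestrictedGPO, objLDAPGroup
Dim custAdminGPO, custRestrictedGPO, custLDAPGroup, custAdminGPOLong, custRestrictedGPOLong, custLDAPGroupLong
Dim oUsername, oFirstName, oLastName, oCompany, oDecision, oAccessLevel
Dim result, oConfirm, oChgPasswd(1), oPasswdLength
Dim permittedChars, passwordLength, pwd, i
Dim oClass, oCategory, oFieldName, searchResultMessage
Dim adminWinGroup, userWinGroup, adminWinGroupLong, userWinGroupLong
Dim adminUNIXGroup, userUNIXGroup, adminUNIXGroupLong, userUNIXGroupLong
Dim userDN, oExist

' ===================================================================================================
'
' *** WARNING - DO NOT MODIFY!!! ****
'
' Please do not modify the code below this section as that can cause the script to fail or perform
' in an unintended manner. If you decide to anyways, do at your own risk.
'
' ===================================================================================================

' oExist is set to "Y" by validate() when the company's UNIX group is found; start from a known value.
oExist = "N"
result = ""

' Print Version release information
Call versionInfo()

' Script portion that solicits data from the end user
Wscript.StdOut.Write "Please enter in the Company: "
oCompany = Wscript.StdIn.ReadLine
oCompany = Lcase(replace(oCompany, " ", ""))
Wscript.Echo " "

' The company name is spliced into several distinguished names below; refuse characters that would
' break or redirect those paths before any directory lookup is made.
Call requireValidName(oCompany, "Company", 64)

' Validate that the company OU exists; the script exits if it does not
oClass = "*"
oCategory = "OrganizationalUnit"
oFieldName = "name,ou"
Call validate(oCompany, oClass, oCategory, oFieldName)

Wscript.StdOut.Write "Please enter in the Username: "
oUsername = Wscript.StdIn.ReadLine
oUsername = Lcase(replace(oUsername, " ", ""))
Wscript.Echo " "

' The username becomes the sAMAccountName and the CN of the new object (20 character limit).
Call requireValidName(oUsername, "Username", 20)

' Validate if user already exists and if so the script exits out
oClass = "user"
oCategory = "person"
oFieldName = "samAccountName"
Call validate(oUsername, oClass, oCategory, oFieldName)

Wscript.StdOut.Write "Please enter in the First Name: "
oFirstName = Wscript.StdIn.ReadLine
oFirstName = replace(oFirstName, " ", "")
Wscript.Echo " "

Wscript.StdOut.Write "Please enter in the Last Name: "
oLastName = Wscript.StdIn.ReadLine
oLastName = replace(oLastName, " ", "")
Wscript.Echo " "

Do
    Wscript.StdOut.Write "Is this a service account (Y)es or (N)o: "
    oDecision = Wscript.StdIn.ReadLine
    oDecision = Ucase(oDecision)
    Wscript.Echo " "
Loop Until oDecision = "Y" Or oDecision = "N"

Do
    Wscript.StdOut.Write "Please enter in the User Access Level (A)dmin or (R)estricted: "
    oAccessLevel = Wscript.StdIn.ReadLine
    oAccessLevel = Ucase(oAccessLevel)
    Wscript.Echo " "
Loop Until oAccessLevel = "A" Or oAccessLevel = "R"

' Validate if UNIX group already exists and if not the script doesn't set UNIX attributes
oClass = "group"
oCategory = "group"
oFieldName = "samAccountName,member"
Call validate(oCompany, oClass, oCategory, oFieldName)

' Gets the default groups for the company assuming it exists
Call getGroups(oCompany)

' Calls review screen before implementing changes
Call reviewOptions()

' Calls createUser() subroutine to create the actual user account
Call createUser(oCompany, oUsername, oFirstName, oLastName, oAccessLevel, oDecision)
Call addToGroup(oAccessLevel)

' Exits the program
Call exitProgram()

' ========================================================
'
' Script section for subroutines and functions
'
' ========================================================

' Opens the ADO connection (objConn) and command (objComm) used by the directory searches, binding
' with the uname/passwd constants. Exits the script when the connection does not reach the open state.
Sub openAdoConnection()
    Set objConn = CreateObject("ADODB.Connection")
    Set objComm = CreateObject("ADODB.Command")
    objConn.Provider = "ADSDSOObject"
    objConn.Open provider, uname, passwd
    If objConn.State <> adStateOpen Then
        WScript.Echo "Authentication Failed."
        WScript.Sleep(2000)
        WScript.Quit(1)
    End If
    Set objComm.ActiveConnection = objConn
End Sub

' Releases the ADO objects opened by openAdoConnection().
Sub closeAdoConnection()
    Set objRS = Nothing
    Set objConn = Nothing
    Set objComm = Nothing
End Sub

' Rejects an empty value, a value longer than subMaxLen characters, or a value containing a character
' that Active Directory does not accept in sAMAccountName / RDN values ( " / \ [ ] : ; | = , + * ? < > ).
' Both the username and the company name are concatenated into LDAP paths by this script, so an
' unchecked value would either fail the bind or resolve to an unintended container. Exits on failure.
Sub requireValidName(subValue, subLabel, subMaxLen)
    Dim badChars, idx, problem
    badChars = """/\[]:;|=,+*?<>"
    problem = ""
    If Len(subValue) = 0 Then
        problem = "must not be empty"
    ElseIf Len(subValue) > subMaxLen Then
        problem = "must be " & subMaxLen & " characters or fewer"
    Else
        For idx = 1 To Len(badChars)
            If InStr(subValue, Mid(badChars, idx, 1)) > 0 Then
                problem = "must not contain the character " & Mid(badChars, idx, 1)
                Exit For
            End If
        Next
    End If
    If problem <> "" Then
        Wscript.Echo " "
        Wscript.Echo subLabel & " " & problem & " - exiting..."
        Wscript.Echo " "
        WScript.Sleep(2000)
        WScript.Quit(1)
    End If
End Sub

' Searches the whole domain for objects of subClass/subCategory and compares subObjectName against
' the returned names client-side. The branch taken depends on subFind:
'   "name,ou"              - company OU must exist, otherwise the script exits
'   "samAccountName"       - the username must NOT exist, otherwise the script exits
'   "samAccountName,member"- the company UNIX group; sets oExist = "Y" when found, warns otherwise
' subObjectName is never placed in the query text, so user input does not reach the LDAP filter.
' A failed search is fatal: the original code let it fall through, which for the username check
' reported the name as available.
Sub validate(subObjectName, subClass, subCategory, subFind)
    Dim fieldName

    Call openAdoConnection()

    objComm.CommandText = "SELECT " & subFind & " FROM '" & oProvider & DomainDN & "' WHERE objectClass='" & subClass & "' AND objectCategory='" & subCategory & "'"
    objComm.Properties("Page Size") = 100000
    objComm.Properties("Timeout") = 60
    objComm.Properties("searchscope") = 2
    objComm.Properties("Cache Results") = False

    On Error Resume Next
    Set objRS = objComm.Execute
    If Err.Number <> 0 Then
        Call errorCheck()
        Wscript.Echo "Directory search failed - cannot validate " & subFind & ". Exiting..."
        WScript.Sleep(2000)
        WScript.Quit(1)
    End If
    On Error Goto 0

    ' The OU search returns its name in "name"; the other two searches compare samAccountName.
    If subFind = "name,ou" Then
        fieldName = "name"
    Else
        fieldName = "samAccountName"
    End If

    result = ""
    Do While Not objRS.EOF
        result = Lcase(objRS.Fields.Item(fieldName).Value)
        If result = subObjectName Then Exit Do   ' Match found - result now equals subObjectName
        objRS.MoveNext
    Loop

    Select Case subFind
        Case "name,ou"
            If result <> subObjectName Then
                Wscript.Echo "Company does not exist in Active Directory. Please create the OU before continuing...."
                WScript.Sleep(2000)
                WScript.Quit(1)
            End If
            Wscript.Echo " "
            Wscript.Echo "Company exists in Active Directory..."
            Wscript.Echo " "

        Case "samAccountName"
            If result = subObjectName Then
                Wscript.Echo " "
                Wscript.Echo "Object already exists - Please try a different username..."
                Wscript.Echo " "
                WScript.Sleep(2000)
                WScript.Quit(1)
            End If
            Wscript.Echo " "
            Wscript.Echo "User account is currently available for assignment..."
            Wscript.Echo " "

        Case "samAccountName,member"
            If result = subObjectName Then
                oExist = "Y"
            Else
                Wscript.Echo " "
                Wscript.Echo "Object does not exist - Skipping UNIX attribute assignments..."
                Wscript.Echo " "
            End If
    End Select

    Call closeAdoConnection()
End Sub

' Finds the highest msSFU30UidNumber currently assigned to any user and stores that value plus one
' in the module-level variable result, which createUser() then writes to the new account.
' The first account ever created receives 10000. There is no reservation or locking, so two operators
' running the script at the same time can be handed the same UID - verify in ADUC as exitProgram() says.
Sub getUid()
    Dim uidValue, highestUid

    Call openAdoConnection()

    objComm.CommandText = "SELECT msSFU30UidNumber FROM '" & oProvider & DomainDN & "' WHERE objectClass='user' AND objectCategory='person' ORDER BY msSFU30UidNumber ASC"
    objComm.Properties("Page Size") = 10000
    objComm.Properties("Timeout") = 60
    objComm.Properties("searchscope") = 2
    objComm.Properties("Cache Results") = False
    objComm.Properties("Sort On") = "msSFU30UidNumber"
    Set objRS = objComm.Execute

    ' Track the maximum explicitly rather than relying on the server-side sort, and start just below
    ' the 10000 floor so result never inherits a stale (string) value from an earlier validate() call.
    highestUid = 9999
    While Not objRS.EOF
        uidValue = objRS.Fields.Item("msSFU30UidNumber").Value
        If Not IsNull(uidValue) Then
            If uidValue > highestUid Then highestUid = uidValue
        End If
        objRS.MoveNext
    Wend

    result = highestUid + 1
    Wscript.Echo "Assigning new user the following UID: " & result
    Wscript.Echo " "

    Call closeAdoConnection()
End Sub

' Binds to an LDAP path. Returns Nothing (after printing the error) when the object cannot be bound,
' so callers can test "Is Nothing" instead of failing silently later on.
Function bindObject(subPath)
    On Error Resume Next
    Set bindObject = GetObject(subPath)
    If Err.Number <> 0 Then
        Wscript.Echo "Warning: could not bind to " & subPath
        Call errorCheck()
        Set bindObject = Nothing
    End If
    On Error Goto 0
End Function

' Resolves the customer's default Windows and UNIX groups, the two GPO groups and the LDAP access
' group for company subObject into the module-level obj* variables. A group that cannot be bound is
' reported and left as Nothing; addToGroup() reports again when it tries to use it.
Sub getGroups(subObject)
    Dim customerBase
    customerBase = subObject & ",OU=Customers," & DomainDN

    ' Set Windows default group objects
    adminWinGroup = "CN=" & subObject & " Admins"
    adminWinGroupLong = oProvider & adminWinGroup & "," & oWindows & customerBase
    userWinGroup = "CN=" & subObject & " Users"
    userWinGroupLong = oProvider & userWinGroup & "," & oWindows & customerBase
    Set objAdminWin = bindObject(adminWinGroupLong)
    Set objUserWin = bindObject(userWinGroupLong)

    custAdminGPO = "CN=Customer Admins GPO,OU=Customers," & DomainDN
    custAdminGPOLong = oProvider & custAdminGPO
    custRestrictedGPO = "CN=Customer Restricted GPO,OU=Customers," & DomainDN
    custRestrictedGPOLong = oProvider & custRestrictedGPO
    custLDAPGroup = "CN=" & subObject & "_LDAP_Access," & oSecGroup & customerBase
    custLDAPGroupLong = oProvider & custLDAPGroup
    Set objAdminGPO = bindObject(custAdminGPOLong)
    Set objRestrictedGPO = bindObject(custRestrictedGPOLong)
    Set objLDAPGroup = bindObject(custLDAPGroupLong)

    ' Set UNIX default group objects
    adminUNIXGroup = "CN=" & subObject & "_sudo"
    adminUNIXGroupLong = oProvider & adminUNIXGroup & "," & oUNIX & customerBase
    userUNIXGroup = "CN=" & subObject
    userUNIXGroupLong = oProvider & userUNIXGroup & "," & oUNIX & customerBase
    Set objAdminUNIX = bindObject(adminUNIXGroupLong)
    Set objUserUNIX = bindObject(userUNIXGroupLong)
End Sub

' Creates the user object in the Admins or Users OU of subCompany (by subAccessLevel), sets its
' password via setPasswd(), assigns UNIX attributes when the company UNIX group exists (oExist = "Y")
' and the account is not a service account, and finally moves service accounts (subAction = "Y")
' into the company's Service Accounts OU. Binding errors here are not swallowed: a missing OU aborts
' the script before anything is written.
Sub createUser(subCompany, subUser, subGivenName, subSn, subAccessLevel, subAction)
    Dim targetOU
    targetOU = ""

    Wscript.Echo " "
    Wscript.Echo "Creating user account with prescribed values..."
    Wscript.Echo " "

    Select Case subAccessLevel
        Case "A": targetOU = oAdmins
        Case "R": targetOU = oUsers
        Case "S": targetOU = oSvcAccts   ' Not reachable from the prompt, kept for callers passing "S"
    End Select
    If targetOU = "" Then
        Wscript.Echo "Unknown access level '" & subAccessLevel & "' - exiting..."
        WScript.Quit(1)
    End If
    Set objOU = GetObject(oProvider & targetOU & subCompany & ",OU=Customers," & DomainDN)

    Set objUser = objOU.Create("User", "CN=" & subUser)
    objUser.Put "sAMAccountName", subUser
    objUser.Put "userPrincipalName", subUser & oUPN
    objUser.Put "DisplayName", subGivenName & " " & subSn
    objUser.Put "givenName", subGivenName
    objUser.Put "sn", subSn
    objUser.Put "company", subCompany
    objUser.SetInfo

    Call setPasswd(objUser)

    If subAction = "N" And oExist = "Y" Then
        WScript.Echo ""
        WScript.Echo "Assigning UNIX attributes..."
        WScript.Echo ""
        ' Picks the next UID above the highest one currently in use (stored in result)
        Call getUid()
        objUser.Put "msSFU30NisDomain", oDomain
        objUser.Put "msSFU30Name", subUser
        objUser.Put "uidNumber", result
        objUser.Put "msSFU30UidNumber", result
        objUser.Put "gidNumber", objUserUNIX.msSFU30GidNumber         ' Default is 20001
        objUser.Put "msSFU30GidNumber", objUserUNIX.msSFU30GidNumber  ' Default is 20001
        objUser.Put "msSFU30LoginShell", oLoginShell
        objUser.Put "msSFU30HomeDirectory", "/home/" & subUser
        objUser.Put "msSFU30Password", oUnixPasswd
        objUser.SetInfo
    End If

    If subAction = "Y" Then
        Set objOU = GetObject(oProvider & oSvcAccts & subCompany & ",OU=Customers," & DomainDN)
        objOU.MoveHere objUser.ADsPath, vbNullString
    End If
End Sub

' Adds the new user (objUser) to the customer groups resolved by getGroups() according to subObject
' ("A" admin, "R" restricted) and sets the primary GID on the user object. Errors are tolerated so
' that one missing group does not stop the remaining memberships, but each failure is printed:
' silently skipping a membership would leave the account outside the restricted GPO / LDAP access
' groups with no indication to the operator.
Sub AddToGroup(subObject)
    WScript.Echo ""
    WScript.Echo "Adding User to specified groups..."
    WScript.Echo ""
    WScript.Sleep(1000)

    On Error Resume Next

    If subObject = "A" Then
        ' Adding to Admin Security groups
        objAdminWin.Add(objUser.ADsPath)
        Call errorCheck()
        objAdminUNIX.Add(objUser.ADsPath)
        objAdminUNIX.PutEx ADS_PROPERTY_APPEND, "MemberUID", Array(objUser.samAccountName)
        objAdminUNIX.PutEx ADS_PROPERTY_APPEND, "msSFU30PosixMember", Array(objUser.distinguishedName)
        objAdminUNIX.SetInfo
        Call errorCheck()
        objAdminGPO.Add(objUser.ADsPath)
        objAdminGPO.SetInfo
        Call errorCheck()
    End If

    If subObject = "R" Then
        ' Adding to Restricted Security groups
        objUserWin.Add(objUser.ADsPath)
        Call errorCheck()
        objRestrictedGPO.Add(objUser.ADsPath)
        objRestrictedGPO.SetInfo
        Call errorCheck()
    End If

    ' Both access levels join the customer UNIX group. The original test "subObject = "A" Or "R""
    ' compared the string "R" as a boolean instead of against subObject.
    If subObject = "A" Or subObject = "R" Then
        objUserUNIX.Add(objUser.ADsPath)
        objUserUNIX.PutEx ADS_PROPERTY_APPEND, "MemberUID", Array(objUser.samAccountName)
        objUserUNIX.PutEx ADS_PROPERTY_APPEND, "msSFU30PosixMember", Array(objUser.distinguishedName)
        objUserUNIX.SetInfo
        Call errorCheck()
    End If

    ' Set LDAP Group membership to read company objects
    objLDAPGroup.Add(objUser.ADsPath)
    objLDAPGroup.SetInfo
    Call errorCheck()

    ' Set Primary GID on User Object (only when the company UNIX group was bound)
    If Not objUserUNIX Is Nothing Then
        objUser.Put "gidNumber", objUserUNIX.msSFU30GidNumber
        objUser.Put "msSFU30GidNumber", objUserUNIX.msSFU30GidNumber
        objUser.SetInfo
        Call errorCheck()
    End If

    On Error Goto 0
End Sub

' Prints the closing reminder and ends the script.
Sub exitProgram()
    Wscript.Echo ""
    Wscript.Echo "Thanks for using this program. Please be sure to check the object in the"
    Wscript.Echo "Active Directory Users and Computers MMC to verify everything is OK. Please"
    Wscript.Echo "note that the UID and GID information for this user has been updated for you"
    Wscript.Echo "and should be confirmed before turning this over to the end user. Failure"
    WScript.Echo "to do so may cause errors on the backend."
    Wscript.Echo ""
    Wscript.Echo "Thank you!"
    Wscript.Echo ""
    Wscript.Echo "- The Operations Engineering Team -"
    Wscript.Sleep(3000)
    Wscript.Quit
End Sub

' Shows the collected values and waits for CONFIRM (continue) or EXIT (quit without changes).
' The service-account flag is shown because it changes which OU the account ends up in.
Sub reviewOptions()
    WScript.Echo "Please review the settings you want to implement before proceeding:"
    WScript.Echo " "
    WScript.Echo " Username:        " & oUsername
    WScript.Echo " First Name:      " & oFirstName
    WScript.Echo " Last Name:       " & oLastName
    WScript.Echo " Company:         " & oCompany
    WScript.Echo " Service Account: " & oDecision
    WScript.Echo " Access Level:    " & oAccessLevel
    WScript.Echo " "

    Do
        Wscript.StdOut.Write "To Confirm your choice type CONFIRM or EXIT: "
        oConfirm = Ucase(Wscript.StdIn.ReadLine)
    Loop Until oConfirm = "CONFIRM" Or oConfirm = "EXIT"

    ' The caller creates the user once this returns; EXIT leaves without touching the directory.
    If oConfirm <> "CONFIRM" Then WScript.Quit()
End Sub

' Clears the console by sending keystrokes (not used by the main flow).
Sub clearScreen()
    Set objShell = CreateObject("WScript.Shell")
    objShell.SendKeys "cls + {ENTER}"
    Set objShell = Nothing   ' Original assigned without Set, which errors under Option Explicit
End Sub

' Prints the script version banner.
Sub versionInfo()
    Wscript.Echo ""
    WScript.Echo "Current Version 1.05 - Release Date 4/13/2011"
    WScript.Echo "Report errors via ticket in RNT and assign to wninobla@opsource.net"
    Wscript.Echo ""
End Sub

' Returns a 12 character string drawn from permittedChars using VBScript's Rnd (not used by the
' main flow). Rnd is not a cryptographic generator, so treat the output as a placeholder value only.
' Randomize is seeded once, outside the loop: reseeding from the timer on every iteration could
' return the same character repeatedly within one timer tick.
' Reference script taken from the following site:
' http://blogs.msdn.com/b/gstemp/archive/2004/02/23/78434.aspx
Function randomPassword()
    permittedChars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()_+~`-=[]{}\|;:',.<>/?"
    passwordLength = 12
    pwd = ""
    Randomize
    For i = 1 To passwordLength
        pwd = pwd & Mid(permittedChars, Int(Rnd * Len(permittedChars) + 1), 1)
    Next
    randomPassword = pwd
End Function

' Prompts (twice) for the new user's password, requires at least 8 characters and a matching
' re-entry, then sets it on subObject, enables the account and forces a change at next logon.
' The prompt loops again when the directory rejects the password (domain policy), instead of
' aborting the script after the account has already been created.
' Input is read with StdIn.ReadLine, so the password is echoed on screen as it is typed.
' NOTE(review): PwdLastSet = 0 forces a password change at first logon for service accounts too
' (subAction "Y" in createUser) - confirm that is intended for them.
Sub setPasswd(subObject)
    Dim passwordAccepted
    passwordAccepted = False

    Do
        Wscript.Echo ""
        Wscript.Echo "Password Change - " & subObject.sAMAccountName
        Wscript.Echo ""
        Wscript.StdOut.Write "Please enter in the new Password: "
        oChgPasswd(0) = Wscript.StdIn.ReadLine
        Wscript.StdOut.Write "Please re-enter in the new Password: "
        oChgPasswd(1) = Wscript.StdIn.ReadLine
        oPasswdLength = Len(oChgPasswd(0))

        If oChgPasswd(0) <> oChgPasswd(1) Then
            Wscript.Echo ""
            Wscript.Echo "Passwords do not match - please enter them again..."
            Wscript.Echo ""
        ElseIf oPasswdLength < 8 Then
            Wscript.Echo ""
            Wscript.Echo "Password is too short - Please try again..."
            Wscript.Echo ""
        Else
            On Error Resume Next
            subObject.SetPassword oChgPasswd(0)
            If Err.Number <> 0 Then
                Call errorCheck()
                Wscript.Echo ""
                Wscript.Echo "Password was rejected by the directory (check the domain password policy) - please try again..."
                Wscript.Echo ""
            Else
                passwordAccepted = True
            End If
            On Error Goto 0
        End If
    Loop Until passwordAccepted

    subObject.AccountDisabled = False
    subObject.Put "PwdLastSet", "0"
    subObject.SetInfo
End Sub

' Prints the pending Err (number, hex, source, description) and clears it; does nothing when no
' error is pending. Intended for use after statements run under On Error Resume Next.
Sub errorCheck()
    If Err.Number <> 0 Then
        WScript.Echo "Error: " & Err.Number
        WScript.Echo "Error (Hex): " & Hex(Err.Number)
        WScript.Echo "Source: " & Err.Source
        WScript.Echo "Description: " & Err.Description
        Err.Clear
    End If
End Sub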