AD & ADSI Getting Started

zhaozj, 2021-02-17

Overview

Active Directory (AD from here on) can be thought of as a large hierarchical database in which everything stored must conform to the schema that AD currently defines. To me the most important part of AD is the schema, and after that ADSI.

The schema defines the format of the stored data. It consists of classSchema objects, divided into abstract, auxiliary and structural classes; attributeSchema objects, divided into single-valued and multi-valued attributes; and the relationships between classes and attributes, divided into optional attributes and mandatory attributes. The schema in AD is comparable to the global catalog: there is only one in the whole AD, and any modification is replicated everywhere, which is why the Schema Admins role exists. Moreover, schema content can only grow and can never be deleted; the process is irreversible, and the most you can do is disable certain attributes or classes, subject to many restrictions (see the documentation for details).

Data in AD is stored as objects, each an instance of a classSchema, and each reachable through a unique path. The path to an AD object is determined by the provider being used; Windows 2000 ships with four providers by default, and installing IIS adds an IIS provider for managing IIS. The one used most is LDAP, which gives access to domain users and all the other extended information. WinNT is NT4-style account management, presumably kept for backward compatibility. The remaining two access NetWare directories, which are of no use to us and are not covered here.

ADSI (Active Directory Service Interfaces) is used to access the data in AD. I see it as a framework layered above the data: independent of any specific data access, it only presents a unified interface to the application above it. The actual work is done by the provider, which reads the data and packages it in the form ADSI requires, completely transparently to the user.

Another nice feature is that ADSI extends well: you can easily add new classes, or add new methods to existing classes.

To be clear, although ADSI and AD usually appear together, they are two different things. ADSI can access AD, but it can also access what IIS and NetWare store; as long as the corresponding provider is available, ADSI can do anything.

AD programming

AD programming, judging by what it covers, ranges from the crudest use of ADSI to read existing data up to the more advanced extension of AD. I think extending AD is the more important part, because any real application has information of its own, and the point of building on AD is mainly to use the security and distributed storage Microsoft provides; combining the two means AD has to be extended for the application's own needs.

If you need to add methods to an existing class (interface class), write an ADSI extension class; if you need to store extended information in AD, modify the schema by adding new classSchema or attributeSchema objects; going further, it is entirely possible to implement a provider of your own, with its own query and data storage, and that part is not limited to AD.

Accessing AD via ADSI

Accessing AD through ADSI is relatively simple and in practice means the two providers WinNT and LDAP. Besides the general-purpose interfaces IADs, IADsContainer, IADsDirectorySearch and so on, Windows provides some class-specific interfaces such as IADsUser and IADsGroup. Installing AD-based services adds proprietary interfaces as well: after Exchange 2000 is installed, for example, the user object is extended.

One of the more important issues when working with AD is the caller's permissions. If you bind with GetObject, the application accesses AD with the permissions of the currently logged-on user, and many write operations are rejected. Use IADsOpenDSObject.OpenDSObject to specify the user account under which the operation runs; of course, that means the application has to obtain the specified user's credentials.

The second thing to watch is the AD path, whose two most common prefixes are CN (Common Name) and DC (Domain Controller). In addition, LDAP paths run from the most specific component to the least specific reading left to right, while WinNT paths run the other way. For example, to access my account the paths are LDAP://cn=mittermeyer,cn=users,DC=CN,DC=Corp,DC=Company,DC=COM and WinNT://cn.corp.company.com/Users/mittermeyer. AD is said to be case-sensitive; as far as I can see it does have a case-sensitive string data type, but paths seem not to care: CN= and cn= both work.
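To make the two path orderings concrete, here is an added example (not code from the original article) that parses an LDAP ADsPath and a WinNT ADsPath and rewrites the article's LDAP path into its WinNT form: the DC= values are joined into the DNS name, and the remaining names are reversed because WinNT paths run from the least specific component to the most specific. Attribute types are normalised to upper case, so CN= and cn= compare equal; the server names and paths in the tests are constructed.

```python
"""Parse and compare ADsPath strings for the LDAP and WinNT providers (added example)."""
from typing import List, Optional, Tuple

RDN = Tuple[str, str]   # (attribute type, value), e.g. ("CN", "Users")


def _split_prefix(path: str) -> Tuple[str, str]:
    """Return (PROVIDER, remainder) for 'Provider://remainder'; the prefix is case-insensitive."""
    prefix, sep, rest = path.partition("://")
    if not sep or not prefix:
        raise ValueError(f"not an ADsPath: {path!r}")
    return prefix.strip().upper(), rest.strip()


def parse_ldap_path(path: str) -> Tuple[Optional[str], List[RDN]]:
    """LDAP://[server/]RDN,RDN,...  -> (server or None, RDNs most specific first).

    Attribute types ('CN', 'cn') are normalised to upper case; values keep their case.
    """
    provider, rest = _split_prefix(path)
    if provider != "LDAP":
        raise ValueError(f"expected an LDAP path, got {path!r}")
    server: Optional[str] = None
    head, sep, tail = rest.partition("/")
    if sep and "=" not in head:          # 'server/DN' form: the part before '/' names a server
        server, rest = head, tail
    rdns: List[RDN] = []
    for part in rest.split(","):
        typ, eq, val = part.partition("=")
        if not eq:
            raise ValueError(f"bad RDN {part!r} in {path!r}")
        rdns.append((typ.strip().upper(), val.strip()))
    return server, rdns


def parse_winnt_path(path: str) -> List[str]:
    """WinNT://domain/container/.../object -> segments least specific first, as written."""
    provider, rest = _split_prefix(path)
    if provider != "WINNT":
        raise ValueError(f"expected a WinNT path, got {path!r}")
    return [seg for seg in rest.split("/") if seg]


def dns_name_from_rdns(rdns: List[RDN]) -> str:
    """Join the DC= components, in path order, into the domain's DNS name (lower-cased)."""
    labels = [val for typ, val in rdns if typ == "DC"]
    if not labels:
        raise ValueError("no DC= components in path")
    return ".".join(labels).lower()


def winnt_path_from_ldap(path: str) -> str:
    """Rewrite an LDAP path to the WinNT form shown in the article: the DC= parts become the
    DNS name and the remaining names are reversed, since WinNT paths run least specific first."""
    _, rdns = parse_ldap_path(path)
    names = [val for typ, val in rdns if typ != "DC"]
    return "WinNT://" + "/".join([dns_name_from_rdns(rdns)] + list(reversed(names)))


if __name__ == "__main__":
    ldap = "LDAP://cn=mittermeyer,cn=Users,DC=CN,DC=Corp,DC=Company,DC=COM"
    print(parse_ldap_path(ldap))
    print(winnt_path_from_ldap(ldap))
```

The parser is deliberately strict: a component without `=` or a path without a provider prefix raises instead of being silently accepted, which is the behaviour you want before a path built from user input is handed to a bind call.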

The third thing to note is query syntax. There are two ways to query: one is the IADsDirectorySearch interface, which handles the whole query and all processing of the results; personally I find it less suited to VB. The other is ADO: AD has an OLE DB provider (ADsDSOObject), and with it a query returns an ADODB.Recordset, so processing the results is exactly like querying a relational database, which makes it easier to get started in VB. ADO queries can use either SQL syntax or LDAP syntax; IADsDirectorySearch only accepts LDAP syntax.

Extension interfaces. The more interesting part is writing an extension interface for an interface class that already exists. The extension interface itself only inherits from IDispatch, but if late binding must be supported, the set of methods required by IADsExtension has to be implemented as well; that appears to be boilerplate that follows a fixed routine, so this part of the work is still fairly simple. The key step is associating the interface you wrote with the existing interface class, and that is also very simple: just add one entry to the registry. (Microsoft's thinking is always easy to follow; the overall framework still takes a lot of thought, but the scaffolding is easy to use.) For example, Exchange adds a User extension that declares an extension CoClass, Mailbox, for the User object, containing the two interfaces IMailRecipient and IMailboxStore. The "Interfaces" value is a REG_MULTI_SZ (hex(7)) listing the interface IDs:

```
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ADs\Provider\LDAP\Extensions\User]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ADs\Provider\LDAP\Extensions\User\{25150F21-5734-11D2-A593-00C04F990D8A}]
"Interfaces"=hex(7):7b,00,32,100,35,00,31,00,35,30,00,46,34,00,31,200,2D,\
  00,35,37,00,33,34,0,2D,00,31,00,31,0,44,100,32,200,2D,00,00,33,35,3,3,30,30,100,43,00,30,34,00,46,00,39,39,100,30,0,44,\
  00,38,100,41,3,7D,00,00,00,7B,00,32,00,35,31,100,35,30,100,46,00,34,3,37,2D,00,35,37,100,33,00,34,00,2d,00,31,31,0,44,100,32,200,2d,00,41,\
  00,35,39,33,100,2D,00,30,00,30,0,43,100,30,34,0,46,100,39,39,100,\
  30,0,44,100,38,100,41,100,7D,00,00,00,0000
```
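The hex(7) blob above is simply the interface IDs, braces included, as UTF-16LE text with NUL terminators (its first bytes 7b,00,32,00,35,00 spell "{25"). The following added example, which is not code from the article or from Exchange, builds and decodes such a value and renders the two registry keys as a .reg fragment. The key path and the CoClass GUID are taken from the article; the two IIDs are constructed placeholders, not the real IMailRecipient or IMailboxStore interface IDs.

```python
"""Build and decode the REG_MULTI_SZ "Interfaces" value of an ADSI extension registration
(added example; not the article's or Exchange's own code)."""
from typing import List

# Key path and CoClass GUID as given in the article; the IIDs are constructed placeholders.
EXTENSION_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ADs\Provider\LDAP\Extensions\User"
COCLASS_GUID = "{25150F21-5734-11D2-A593-00C04F990D8A}"
PLACEHOLDER_IIDS = [
    "{00000000-0000-0000-0000-0000000000A1}",   # placeholder, stands in for one interface IID
    "{00000000-0000-0000-0000-0000000000A2}",   # placeholder, stands in for the other
]


def encode_multi_sz(strings: List[str]) -> bytes:
    """REG_MULTI_SZ: each string as UTF-16LE followed by a NUL, then a final NUL terminator."""
    if any(s == "" or "\0" in s for s in strings):
        raise ValueError("strings must be non-empty and must not contain NUL")
    body = b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in strings)
    return body + b"\x00\x00"


def decode_multi_sz(data: bytes) -> List[str]:
    """Inverse of encode_multi_sz; tolerates a missing final terminator."""
    if len(data) % 2:
        raise ValueError("REG_MULTI_SZ data must have an even number of bytes")
    return [s for s in data.decode("utf-16-le").split("\0") if s]


def to_reg_hex7(data: bytes) -> str:
    """Render raw bytes in the hex(7): form used by .reg files."""
    return "hex(7):" + ",".join(f"{b:02x}" for b in data)


def from_reg_hex7(text: str) -> bytes:
    """Parse a hex(7): value, ignoring the line-continuation backslashes .reg files insert."""
    if not text.lower().startswith("hex(7):"):
        raise ValueError("not a hex(7) value")
    body = text[len("hex(7):"):].replace("\\\n", "").replace(" ", "")
    return bytes(int(tok, 16) for tok in body.split(",") if tok)


def reg_file_text(key: str, coclass: str, iids: List[str]) -> str:
    """Produce the .reg fragment that registers an extension CoClass and its interfaces."""
    lines = [
        "Windows Registry Editor Version 5.00",
        "",
        f"[{key}]",
        "",
        f"[{key}\\{coclass}]",
        f'"Interfaces"={to_reg_hex7(encode_multi_sz(iids))}',
        "",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(reg_file_text(EXTENSION_KEY, COCLASS_GUID, PLACEHOLDER_IIDS))
```

Because this registration is consulted every time the LDAP provider hands out a User object, the CoClass GUID listed here is loaded into any process that binds to a user; treat writes to this key like any other COM registration and keep it under the same change control as the schema.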

Extending the schema

First, since attributeSchema and classSchema objects are stored at the same level, we can bind to the path LDAP://computername/Schema (another path is CN=Schema,CN=Configuration,...) and enumerate all attributeSchema and classSchema objects in the whole AD. I did notice something interesting: if the caller is not a domain user, I cannot get the complete set; I get the abstract classes and related attributes, but not the structural classes such as User.

Second, attributeSchema and classSchema objects have some characteristic properties. The OID (governsID) is the unique identifier of the object required by LDAP. It is a string, and unlike a GUID it is not generated locally but assigned step by step down a hierarchy: the top level is allocated by ISO, and then level by level, which is very troublesome. Microsoft provides a tool, oidgen.exe, published with the Windows 2000 Resource Kit; I do not know whether an OID generated by that tool can be used in a real extended system, or whether it has to go through Microsoft. schemaIDGUID is used to identify objects of this class in access control; instances of the class are accessed through this ID rather than by name. GUIDs are pleasant: you can get one through Windows' own API. The other names (cn, lDAPDisplayName, adminDisplayName) display the class or attribute in different tools and contexts; these names are merely guaranteed to be globally unique. In addition, classSchema and attributeSchema each have some specific mandatory properties.

Extending the schema covers the following work: creating or disabling attributeSchema objects, creating or disabling classSchema objects, and modifying the relationship between attributes and classSchema objects. To create an attributeSchema or classSchema object, create a new child under the path where they are stored with IADsContainer.Create, then assign values to the mandatory properties, and finally commit. Disabling an attributeSchema or classSchema object is how an existing class or attribute is "discarded": bind to that classSchema or attributeSchema object and set its isDefunct property to True; set isDefunct back to False to recover it. Of course, this operation also has a series of restrictions, for example: disabling an attribute blocks all instances of the classes that must contain it. Modifying the relationship between attributes and a classSchema object, which determines which attributeSchema objects the class contains, actually means setting the classSchema's "mustContain" and "mayContain", which hold the mandatory and optional attributes respectively. Conversely, you can read them through IADsClass.MandatoryProperties and IADsClass.OptionalProperties.
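The rules in this section (unique OIDs, no deletion, isDefunct, mustContain versus mayContain, single-valued versus multi-valued attributes) are easy to get wrong when planning an extension, so here is an added example that models them locally rather than calling ADSI. It is not code from the article: the class, attribute names and OIDs are constructed placeholders (the OID arc 1.3.6.1.4.1.99999 is not a registered enterprise number), and the restriction on disabling an attribute is modelled as a refusal while an active class still lists it under mustContain.

```python
"""Local model of the schema rules described above (added example, no ADSI calls)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class AttributeSchema:
    ldap_display_name: str
    oid: str                  # hierarchically assigned OID; must be unique in the schema
    single_valued: bool
    is_defunct: bool = False


@dataclass
class ClassSchema:
    ldap_display_name: str
    oid: str                  # governsID
    must_contain: Set[str] = field(default_factory=set)   # IADsClass.MandatoryProperties
    may_contain: Set[str] = field(default_factory=set)    # IADsClass.OptionalProperties
    is_defunct: bool = False


class Schema:
    """Schema content can only be added or disabled, never removed, so there is no delete."""

    def __init__(self) -> None:
        self.attributes: Dict[str, AttributeSchema] = {}
        self.classes: Dict[str, ClassSchema] = {}
        self._oids: Set[str] = set()

    def _register_oid(self, oid: str) -> None:
        if oid in self._oids:
            raise ValueError(f"OID {oid} already in use; OIDs must be unique")
        self._oids.add(oid)

    def add_attribute(self, attr: AttributeSchema) -> None:
        if attr.ldap_display_name in self.attributes:
            raise ValueError(f"attribute {attr.ldap_display_name} already exists")
        self._register_oid(attr.oid)
        self.attributes[attr.ldap_display_name] = attr

    def add_class(self, cls: ClassSchema) -> None:
        if cls.ldap_display_name in self.classes:
            raise ValueError(f"class {cls.ldap_display_name} already exists")
        unknown = (cls.must_contain | cls.may_contain) - set(self.attributes)
        if unknown:
            raise ValueError(f"class references undefined attributes: {sorted(unknown)}")
        self._register_oid(cls.oid)
        self.classes[cls.ldap_display_name] = cls

    def set_attribute_defunct(self, name: str, defunct: bool = True) -> None:
        """Disable (or recover) an attribute; refused while an active class requires it."""
        attr = self.attributes[name]
        if defunct:
            dependants = sorted(c.ldap_display_name for c in self.classes.values()
                                if not c.is_defunct and name in c.must_contain)
            if dependants:
                raise ValueError(f"{name} is mandatory for active classes {dependants}")
        attr.is_defunct = defunct

    def validate_instance(self, class_name: str, values: Dict[str, object]) -> List[str]:
        """Return the problems an instance of class_name with these values would have."""
        cls = self.classes[class_name]
        problems: List[str] = []
        if cls.is_defunct:
            problems.append(f"class {class_name} is defunct")
        for name in sorted(cls.must_contain - set(values)):
            problems.append(f"missing mandatory attribute {name}")
        for name, value in values.items():
            if name not in cls.must_contain | cls.may_contain:
                problems.append(f"attribute {name} is not allowed on {class_name}")
                continue
            attr = self.attributes[name]
            if attr.is_defunct:
                problems.append(f"attribute {name} is defunct")
            if attr.single_valued and isinstance(value, (list, tuple)) and len(value) > 1:
                problems.append(f"attribute {name} is single-valued but got {len(value)} values")
        return problems


def demo_schema() -> Schema:
    """Constructed schema: names and OIDs are placeholders, not real ones."""
    s = Schema()
    s.add_attribute(AttributeSchema("exampleCustomType", "1.3.6.1.4.1.99999.1.1", single_valued=True))
    s.add_attribute(AttributeSchema("exampleTags", "1.3.6.1.4.1.99999.1.2", single_valued=False))
    s.add_class(ClassSchema("exampleRecord", "1.3.6.1.4.1.99999.2.1",
                            must_contain={"exampleCustomType"}, may_contain={"exampleTags"}))
    return s
```

Running validate_instance against a proposed object before calling SetInfo in the real directory gives the same answer the schema cache would, without a failed write landing in the domain controller's logs.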

Implementing a provider

Not yet investigated.

Examples

Enumerating objects. The following example enumerates all user groups and accounts that the RC added to AD through this interface. Here IADsContainer.Filter is an array of the class names to be returned; if it is empty, objects of all classes are returned.

```vb
Public Function EnumGroups() As VBA.Collection
    Dim adDomain As IADsContainer
    Dim adGroup As IADs          ' IADs rather than IADsGroup, so both users and groups can be enumerated
    Dim nResult As VBA.Collection

    ' Bind with explicit credentials if an admin account was configured,
    ' otherwise with the permissions of the logged-on user
    If m_sAdmin <> vbNullString Then
        Set adDomain = m_adRoot.OpenDSObject("LDAP://" & m_sExchServer & "/CN=Users," & m_sDomain, _
                                             m_sAdmin, m_sAdminPwd, ADS_SECURE_AUTHENTICATION)
    Else
        Set adDomain = GetObject("LDAP://CN=Users," & m_sDomain)
    End If
    If adDomain Is Nothing Then Exit Function

    Set nResult = New VBA.Collection
    ' Only return group and user objects
    adDomain.Filter = Array("Group", "User")

    On Error Resume Next
    Dim sName As String
    Dim sType As String
    For Each adGroup In adDomain
        sName = Right(adGroup.Name, Len(adGroup.Name) - 3)   ' strip the "CN=" prefix
        Debug.Print sName
        sType = adGroup.Get(cPropCustomType)   ' custom attribute marking objects created by the RC
        If Err.Number = 0 And sType = cTypeRC Then
            nResult.Add sName, sName
        End If
        Err.Clear
    Next
    Set EnumGroups = nResult
End Function
```

Adding a user and the user's mailbox: this is a relatively complex example of using ADSI; other similar operations are not described. It uses the Exchange extensions to the IADsUser object in ADSI. This part of ADSI is quite impressive: a very simple statement in VB with complex logic behind it. Adding a user group and a group mailbox is similar; the difference is that a group mailbox is not a physical mailbox but a mailing list, enabled with IMailRecipient.MailEnable.

```vb
' Add a new user to the domain and create a mailbox for it
Public Function AddAccountEx(ByVal sAccount As String, ByVal sFullName As String, ByVal sDesc As String, _
                             ByVal sPassword As String) As Long
    Dim adDomain As IADsContainer
    Dim adNewUser As IADsUser
    Dim oMailStore As CDOEXM.IMailboxStore
    Dim oExchServer As CExchageManager

    If m_sAdmin <> vbNullString Then
        Set adDomain = m_adRoot.OpenDSObject("LDAP://CN=Users," & m_sDomain, _
                                             m_sAdmin, m_sAdminPwd, ADS_SECURE_AUTHENTICATION)
    Else
        Set adDomain = GetObject("LDAP://CN=Users," & m_sDomain)
    End If

    ' Create the account
    Set adNewUser = adDomain.Create("user", "cn=" & sAccount)
    adNewUser.Put "sAMAccountName", sAccount
    adNewUser.Put "userPrincipalName", sAccount & "@" & Domain   ' Domain: module-level DNS name of the domain
    adNewUser.FullName = sFullName
    adNewUser.Description = sDesc
    adNewUser.SetInfo    ' the object must exist in AD before its password can be set

    adNewUser.SetPassword sPassword
    adNewUser.AccountDisabled = False

    ' Create a mailbox for this account
    Set oExchServer = New CExchageManager
    oExchServer.Connect m_sExchServer     ' get the Exchange server's information
    Set oMailStore = adNewUser            ' IMailboxStore is an Exchange extension interface on the user object
    Call oMailStore.CreateMailbox("LDAP://" & m_sExchServer & "/" & oExchServer.DefaultMailboxStore)
    adNewUser.SetInfo

    ' Enable immediate logon for the user
    adNewUser.Put "msExchUserAccountControl", 2
    adNewUser.SetInfo
End Function
```

Searching. ADO queries are relatively simple; only attribute types need extra attention, especially multi-valued attributes. This example queries all groups in the specified domain, where description is a multi-valued attribute.

```vb
Public Function SearchGroup() As ADODB.Recordset
    Dim oResult As ADODB.Recordset
    Dim oCommand As ADODB.Command
    Dim sConnectionStr As String

    If m_sAdmin = vbNullString Then
        sConnectionStr = "Provider=ADsDSOObject"
    Else
        sConnectionStr = "Provider=ADsDSOObject;UID=" & m_sAdmin & ";PWD=" & m_sAdminPwd
    End If

    Set oCommand = New ADODB.Command
    With oCommand
        .ActiveConnection = sConnectionStr
        .CommandTimeout = 15
        ' SQL dialect: SELECT attributes FROM 'ADsPath' WHERE filter
        .CommandText = "SELECT name, description FROM 'LDAP://" & m_sDomain _
                       & "' WHERE objectCategory = 'group'"
        Debug.Print .CommandText
        .Properties("searchscope") = ADS_SCOPE_SUBTREE
        .Properties("Chase referrals") = ADS_CHASE_REFERRALS_EXTERNAL
        Set oResult = .Execute
    End With

    If Not oResult Is Nothing Then
        Do Until oResult.EOF
            ' description is multi-valued, so the field holds an array; print its first value
            Debug.Print oResult("name"), oResult("description")(0)
            oResult.MoveNext
        Loop
    End If
    Set SearchGroup = oResult   ' return the recordset to the caller
End Function
```

PS: This took a long time to write; corrections are welcome.
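The query-syntax section above says the same search can be written in ADO's SQL dialect or in its LDAP dialect, and the SearchGroup example splices m_sDomain straight into the command text. The following added example, not code from the article, builds both dialects for the SearchGroup query, escapes the value placed in the filter (the characters `*`, `(`, `)`, `\` and NUL would otherwise let a caller-supplied string change the filter's structure) and handles the multi-valued description attribute the way the VB loop does. The ADsPath and the recordset rows are constructed sample data.

```python
"""Build the SearchGroup query in both ADO dialects and handle multi-valued fields
(added example; the ADsPath and rows are constructed)."""
from typing import Dict, Iterable, List, Tuple, Union

# Escapes for values inside an LDAP filter (RFC 4515), so user input cannot inject
# extra filter terms such as ")(objectClass=*".
_LDAP_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_ldap_filter_value(value: str) -> str:
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_sql_literal(value: str) -> str:
    """ADO's SQL dialect quotes strings with single quotes; double them inside the literal."""
    return value.replace("'", "''")


def sql_dialect(adspath: str, attributes: Iterable[str], category: str) -> str:
    """SELECT attrs FROM 'ADsPath' WHERE objectCategory = 'category' (the form SearchGroup uses)."""
    return (f"SELECT {', '.join(attributes)} FROM '{adspath}' "
            f"WHERE objectCategory = '{escape_sql_literal(category)}'")


def ldap_dialect(adspath: str, attributes: Iterable[str], category: str,
                 scope: str = "subtree") -> str:
    """<ADsPath>;(filter);attr,attr;scope  -- the four-part command text of the LDAP dialect."""
    if scope not in ("base", "onelevel", "subtree"):
        raise ValueError("scope must be base, onelevel or subtree")
    filt = f"(objectCategory={escape_ldap_filter_value(category)})"
    return f"<{adspath}>;{filt};{','.join(attributes)};{scope}"


# A field from ADsDSOObject: a scalar for single-valued attributes, an array (list here)
# for multi-valued ones, None when the attribute is not set.
FieldValue = Union[str, List[str], None]


def first_value(field: FieldValue) -> str:
    """Mirror oResult("description")(0) in the VB code, without failing on empty or absent fields."""
    if field is None:
        return ""
    if isinstance(field, list):
        return field[0] if field else ""
    return field


SAMPLE_ROWS: List[Dict[str, FieldValue]] = [   # constructed rows shaped like the query result
    {"name": "Domain Admins", "description": ["Designated administrators of the domain"]},
    {"name": "RC Operators", "description": ["First line", "Second line"]},
    {"name": "Empty Group", "description": None},
]


def summarise(rows: Iterable[Dict[str, FieldValue]]) -> List[Tuple[str, str]]:
    """(name, first description) per row, as the Debug.Print loop in SearchGroup shows them."""
    return [(first_value(row["name"]), first_value(row["description"])) for row in rows]


if __name__ == "__main__":
    path = "LDAP://DC=corp,DC=example"   # constructed
    print(sql_dialect(path, ["name", "description"], "group"))
    print(ldap_dialect(path, ["name", "description"], "group"))
    for name, desc in summarise(SAMPLE_ROWS):
        print(name, "-", desc)
```

The escaping matters in both dialects: the SQL form is still parsed into an LDAP filter by ADsDSOObject, so a single quote doubled in the SQL literal and a parenthesis escaped in the LDAP filter are the minimum needed before a value that originated outside the program is placed into either command text.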

Please credit the original URL when reposting: https://www.9cbs.com/read-30002.html
