Extending Active Directory Functionality
{ Posted on Wednesday, January 13, 2010 at 6:12 pm by John }
Have you ever wished that you could change the functionality within the Active Directory Users and Computers (ADUC) snap in?
The following post will demonstrate how to extend the ADUC capabilities with VBScript and ADSIEdit.
The purpose of this post is to show how to build the groundwork and implement custom VBScripts into the context menu of ADUC (see thumbnail below).
PREREQUISITES
Before you can begin, there are two prerequisites needed to extend the context menus.
- ADSIEdit.MSC :: (This can be installed from the Windows 2000/2003 Support Tools)
- An Active Directory account with “Enterprise Admins” permissions assigned to it.
VBScript
For this post, we will assume you have created a VBScript named “Display_User.vbs” and have already moved/copied this script to the NETLOGON share of one of your domain controllers (DC).
' ADUC passes the ADsPath of the selected object as the first argument.
On Error Resume Next
Set wshArguments = WScript.Arguments
Set objUser = GetObject(wshArguments(0))

' Build one line of output per attribute.
str1 = "Last Login: " & objUser.LastLogin
str2 = "Last Logoff: " & objUser.LastLogoff
str3 = "Last Failed Login: " & objUser.LastFailedLogin
str4 = "Logon Count: " & objUser.logonCount
str5 = "Bad Login Count: " & objUser.BadLoginCount
str6 = "Password Last Changed: " & objUser.PasswordLastChanged
str7 = "User Account Control: " & objUser.userAccountControl
str8 = "Login Script: " & objUser.scriptPath
str9 = "Account Created: " & objUser.whenCreated
str10 = "Account Last Modified: " & objUser.whenChanged

' Show everything in a single message box titled with the object's name.
MsgBox str1 & vbCrLf & str2 & vbCrLf & str3 _
    & vbCrLf & str4 & vbCrLf & str5 & vbCrLf & str6 _
    & vbCrLf & str7 & vbCrLf & str8 & vbCrLf & str9 _
    & vbCrLf & str10,,objUser.Name
Side Note: Because you placed the script in the NETLOGON share, the script will be replicated to all of your domain controllers should you have more than one.
Modify the ADUC Context Menu:
1. Open the ADSIEdit.MSC snap in (assuming you have already installed this) with the Active Directory credentials that have the necessary level of permissions and navigate to the path below.
CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=stevofc,DC=com
Side Note: Replace the domain components (DC=stevofc,DC=com) with those of your own domain.
2. Right-click the context object you would like to modify, and choose “Properties”. For this post we will use the object “CN=user-Display”.
3. Double click on the first attribute, “adminContextMenu“, once you have the properties menu loaded.
4. From the multi valued String Editor, enter the below string.
“3, &Display User Information,\\stevofc.com\netlogon\Display_User.vbs”
Remember to change the NETLOGON path to your own domain.
5. Once complete, click “Add“, then click “OK“. You are now done using the ADSIEdit.MSC tool.
6. Now open your ADUC console (dsa.msc), and if you right-click a user object you will now have the added field inside the context menu (see screenshots below).
By using the above method, you can add any custom VBScript to your domain to automate both simple and complex tasks, which makes administration easier.
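The value entered in step 4 has the form order, menu text, command, and whatever it points at runs in the security context of the administrator who clicks the menu item. As an added example (not code from the original post), this PowerShell script parses such values and can list every adminContextMenu entry in the forest for review; the function names and the all-zero CLSID sample are assumptions made for illustration.

```powershell
# Added example, not from the original post.
# Documented value forms: "<order>,<menu text>,<command>" or "<order>,{<extension CLSID>}".
function ConvertFrom-AdminContextMenu {
    param([Parameter(Mandatory)][string]$Value, [string]$DisplaySpecifier = '')
    # Limit the split to 3 parts so commas inside the command are preserved.
    $parts = @($Value -split ',', 3 | ForEach-Object { $_.Trim() })
    $kind = if ($parts.Count -eq 3) { 'Command' } elseif (
        $parts.Count -eq 2 -and $parts[1] -match '^\{[0-9A-Fa-f-]{36}\}$') { 'COM extension' } else { 'Unrecognized' }
    [pscustomobject]@{
        DisplaySpecifier = $DisplaySpecifier
        Order            = $parts[0]
        Kind             = $kind
        Label            = if ($kind -eq 'Command') { $parts[1] } else { $null }
        Target           = if ($kind -eq 'Command') { $parts[2] } else { $parts[1] }
    }
}

function Get-AdminContextMenuEntry {
    # Reads CN=DisplaySpecifiers in the configuration partition; read access is enough.
    $configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=DisplaySpecifiers,$configNC"
    $searcher.Filter = '(adminContextMenu=*)'
    $searcher.PageSize = 500
    [void]$searcher.PropertiesToLoad.AddRange(@('distinguishedName', 'adminContextMenu'))
    foreach ($result in $searcher.FindAll()) {
        $dn = [string]$result.Properties['distinguishedname'][0]
        foreach ($value in $result.Properties['admincontextmenu']) {
            ConvertFrom-AdminContextMenu -Value $value -DisplaySpecifier $dn
        }
    }
}

# Offline demonstration: the value from the post plus a constructed CLSID entry.
'3, &Display User Information,\\stevofc.com\netlogon\Display_User.vbs',
'1,{00000000-0000-0000-0000-000000000000}' |
    ForEach-Object { ConvertFrom-AdminContextMenu -Value $_ } |
    Format-Table Order, Kind, Label, Target -AutoSize

# On a domain-joined host: list each command target and who is allowed to modify it.
# Get-AdminContextMenuEntry | Where-Object Kind -eq 'Command' |
#     ForEach-Object { Get-Acl -LiteralPath $_.Target | Format-List Path, Owner, AccessToString }
```

Any entry whose target is writable by accounts other than the intended administrators deserves a closer look, since the script behind it is executed by privileged users.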
4 Responses to “Extending Active Directory Functionality”
John works in the public IT sector focusing on network security and system admin/monitoring.
Wow, nice post.
It’s handy, my context menu at work on the production domain is huge. I’ve got scripts to change user’s addresses on the fly, copy group memberships to clipboard, grant specific user groups RDP access to servers, etc.
I should post what I have soon.
Great information, John. Thanks for sharing!