Introduction to ADSI
ADSI, the Active Directory Services Interface, allows a programmer to create applications or scripts that ease the management of a Windows domain. Although ADSI is not natively supported in NT version 4, it is built into the operating system in Windows 2000.
ADSI is a set of COM interfaces that expose properties and methods through which a developer can access directory services from various network providers. The provider could be Novell Directory Services, an Exchange Information Store, an Internet Information Server's properties, the Lightweight Directory Access Protocol (LDAP) used in Windows 2000, or an NT 4 domain -- basically any network service information that is exposed to the operating system. ADSI lets developers and administrators write scripts or applications that manage these different network services with one common set of commands. This simplifies the development of higher-end applications and, in turn, greatly reduces the amount of hands-on administration that a Windows domain currently requires.
Using ADSI, a developer or administrator can automate tasks that would normally be performed by hand with an application such as User Manager for Domains. User Manager for Domains allows a domain administrator of a Windows network to assign permissions to users that are members of the primary domain. An administrator can create accounts that have access to domain resources, change passwords, disable accounts, and add users to the various groups that carry different levels of permissions on a domain. With ADSI a developer can write scripts or applications that automate these same tasks, or that work in conjunction with other applications such as Web applications.
ADSI can be used to access almost any resource available on a Windows domain. A developer can use ADSI to create virtual directories on a Web server. This could be useful for an Internet Service Provider who wishes to automate tasks such as setting up a user account, providing the user with a virtual directory to host their Website, and then applying the appropriate security permissions to the directories. Using ADSI they could create an application that performs all of these tasks in a few simple steps.
Binding to an Active Directory service is done by calling the GetObject function, in Visual Basic or in an Active Server Page (ASP), to create a connection to the directory service. For instance, to obtain a list of all the domains available on a network from a Web page using ASP, you would do the following:
Dim adsNS
Dim adsDomain
' Bind to the WinNT provider namespace. No server or domain is named, so the
' namespace object enumerates everything visible to this machine.
Set adsNS = GetObject("WinNT:")
' Restrict the enumeration to objects of class "domain".
adsNS.Filter = Array("domain")
For Each adsDomain In adsNS
    ' Output the ADsPath of each domain to the browser, one per line.
    Response.Write(adsDomain.ADsPath & "<br>")
Next
Set adsNS = Nothing
The preceding ASP code outputs every Windows domain visible to the machine: the local machine's own domain (as in the case of a member server), the primary domain, and any domains with which the primary domain has a trust relationship.
A developer can do more than just read the properties of the available domains. It is also possible to manipulate properties of individual accounts, groups, or any other property of a network resource. In the next example we disable a user account using ASP code that can be run from any Web browser.
Dim oUser
' Bind directly to the user object. machinename and username are placeholders
' for the computer or domain and the account to be changed.
Set oUser = GetObject("WinNT://machinename/username")
' AccountDisabled only changes the local property cache; SetInfo writes it
' back to the directory.
oUser.AccountDisabled = True
oUser.SetInfo
Set oUser = Nothing
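The same two operations as the ASP samples above (enumerate through the WinNT provider, then disable an account with SetInfo), written as an added PowerShell example rather than code from the article. It uses PowerShell's [ADSI] accelerator, which wraps the same ADSI COM objects; it assumes the caller is an administrator of $Target, and $Target and the log path are placeholders.

```powershell
# Added example, not code from the article: audit accounts through the ADSI
# WinNT provider from PowerShell, then disable one with confirmation and a log.
# Assumptions: the caller is an administrator of $Target; $Target and the
# log path are placeholders.

function Get-AdsiUserStatus {
    param([string]$Target = $env:COMPUTERNAME)
    # [ADSI] is PowerShell's counterpart to GetObject("WinNT://...") in ASP.
    $container = [ADSI]"WinNT://$Target"
    $children  = $container.psbase.Children
    # SchemaFilter does what adsNS.Filter = Array("domain") did above, for users.
    $children.SchemaFilter.Add("user")

    foreach ($u in $children) {
        [PSCustomObject]@{
            Name     = $u.psbase.Name
            ADsPath  = $u.psbase.Path
            # Same IADsUser property the ASP snippet writes; InvokeGet reads the
            # COM property directly instead of the property cache.
            Disabled = [bool]$u.psbase.InvokeGet("AccountDisabled")
        }
    }
}

function Disable-AdsiUser {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Target,
        [Parameter(Mandatory = $true)][string]$UserName,
        [string]$LogPath = "$env:TEMP\adsi-audit.log"   # placeholder location
    )
    # ",user" tells the WinNT provider which class to bind, so a group or
    # computer with the same name cannot be picked up by mistake.
    $user = [ADSI]"WinNT://$Target/$UserName,user"
    if (-not $PSCmdlet.ShouldProcess("$Target\$UserName", "Disable account")) { return }
    $user.psbase.InvokeSet("AccountDisabled", $true)
    $user.psbase.CommitChanges()     # equivalent of oUser.SetInfo
    $user.psbase.RefreshCache()      # re-read so the result is verified, not assumed
    $verified = [bool]$user.psbase.InvokeGet("AccountDisabled")

    # Record who made the change and whether it took effect.
    $who = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    "{0:u} {1} disabled {2}\{3} verified={4}" -f (Get-Date), $who, $Target, $UserName, $verified |
        Add-Content -Path $LogPath
    return $verified
}

# Usage: Get-AdsiUserStatus | Format-Table
#        Disable-AdsiUser -Target $env:COMPUTERNAME -UserName 'someuser' -WhatIf
```

Run Disable-AdsiUser with -WhatIf first to see the target it resolved before anything is written to the directory.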
Security is a concern when developing applications that are so closely tied to administration tasks, as in the case of browser applications that use ASP to manipulate user accounts. Whoever runs the browser application must be authenticated by the network and hold the appropriate permissions to perform a task such as disabling an account. Microsoft Internet Explorer supports the domain's Challenge and Response (CR) method of authenticating users; with CR, the user account and password are encrypted as they cross the network. Because the Web application only outputs basic HTML, the browser could also be Netscape Navigator, but Navigator supports only basic clear-text authentication, which sends the user account and password as plain text over the network connection and does not provide adequate security for an application such as the one in the previous example.
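One way to enforce the point above on the server side, using the ADSI IIS provider that the article mentions. This is an added example, not code from the article: it sets the virtual directory hosting the account-management pages to accept only Windows challenge/response (NTLM) and to refuse anonymous and basic (clear-text) authentication. It assumes the classic IIS metabase (IIS 5/6); the server name, site id 1 and the directory name "admin" are placeholders, and the AuthFlags bit values (1 anonymous, 2 basic, 4 NTLM) are those of the IIS metabase.

```powershell
# Added example, not from the article: require NTLM on the admin virtual
# directory via the ADSI IIS provider. Placeholders: $Server, $SiteId, $VDir.
function Set-AdminVdirAuth {
    param(
        [string]$Server = "localhost",
        [int]$SiteId = 1,
        [string]$VDir = "admin"
    )
    # IIS metabase AuthFlags bits.
    $AuthAnonymous = 1; $AuthBasic = 2; $AuthNTLM = 4

    $vdir = [ADSI]"IIS://$Server/W3SVC/$SiteId/Root/$VDir"
    $current = [int]$vdir.psbase.Properties["AuthFlags"].Value

    # Report the weak settings that are about to be removed.
    $weak = @()
    if ($current -band $AuthAnonymous) { $weak += "anonymous" }
    if ($current -band $AuthBasic)     { $weak += "basic (clear text)" }
    if ($weak.Count -gt 0) {
        Write-Warning ("{0} currently allows: {1}" -f $vdir.psbase.Path, ($weak -join ", "))
    }

    # Allow only challenge/response, then commit (the ADSI SetInfo) and re-read.
    $vdir.psbase.Properties["AuthFlags"].Value = $AuthNTLM
    $vdir.psbase.CommitChanges()
    $vdir.psbase.RefreshCache()
    return ([int]$vdir.psbase.Properties["AuthFlags"].Value -eq $AuthNTLM)
}
```

With anonymous access removed, every request to the directory carries a Windows identity, which is what the account-management page relies on to decide whether the caller may disable an account.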
This technology opens up a whole realm of possible applications. By building on the ADSI object model, a developer can greatly reduce the effort that goes into managing a large enterprise domain.
In part two of this series we will build a self-service account unlock application that lets your users go to an intranet Website and unlock their own account using a challenge question and answer they configure.
By: Patrick Santry, Microsoft MVP (ASP/ASP.NET), developer of this site, author of books on Web technologies, and member of the DotNetNuke core development team. If you're interested in the services provided by Patrick, visit his company Website at Santry.com.