Hey, Scripting Guy! Question

Hey, Scripting Guy! We use a script to create user accounts. How can I modify this script so that it will place the new user in the same OU as the person running the script?

-- CB

Hey, Scripting Guy! Answer

Hey, CB. Interesting question. We’re assuming that you’ve delegated control of Active Directory. User A, for example, has the right to create users in the Finance OU, but only the Finance OU. User B, meanwhile, can also create user accounts, but only in the Headquarters OU. If you’re like other people we know in this situation, you’ve done one of two things: either you’ve created a generic script that prompts the user to enter the OU each time they create a user account, or you’ve created separate scripts for each user who has been authorized to create accounts.

Unfortunately, neither of these approaches is optimal. The first one requires the user to type the Active Directory path each and every time they create a user account; the second one requires you to maintain, distribute, update, and otherwise take care of multiple scripts, all of which ultimately carry out the same exact task (they create user accounts). You’re looking for a single script that can say, “Oh, you’re User A, huh? Well, I know that you’re in Finance OU, so I’ll automatically create this new user account in that same OU.”

And good news: we just happened to have a script that will do this very thing. In fact, here it is:

On Error Resume Next

' ADSystemInfo exposes the logged-on user's distinguished name
Set objSysInfo = CreateObject("ADSystemInfo")

' Break the DN into its comma-separated components
arrDirectoryLocation = Split(objSysInfo.UserName, ",")

' Skip element 0 (the CN) and glue the rest back together to get the OU's DN
For i = 1 to Ubound(arrDirectoryLocation)
    If i = 1 Then
        strLocation = arrDirectoryLocation(i)
    Else
        strLocation = strLocation & "," & arrDirectoryLocation(i)
    End If
Next

' Prefix the LDAP provider to form the ADsPath, then bind and create the account
strOU = "LDAP://" & strLocation

Set objOU = GetObject(strOU)
Set objUser = objOU.Create("User", "cn=Myer Ken")
objUser.sAMAccountName = "myerken"
objUser.GivenName = "Ken"
objUser.SN = "Myer"
objUser.AccountDisabled = FALSE
objUser.SetInfo

Admittedly, it might not be immediately obvious what’s going on here. So let’s take a minute or two to walk you through the process.

The script starts by creating an instance of the ADSystemInfo object; this object can return basic Active Directory information for the logged-on user and his or her computer, including the user’s Distinguished Name (the UserName property). In other words, we can get back something that looks like this:

CN="Jonathan Haas", OU="Finance",DC="fabrikam",DC="com"

As you can see, this is close to the information we need; if we can get rid of the CN="Jonathan Haas" we’ll have a path to the desired OU. And before you ask, no, we can’t just ask for the value of the user’s OU; for some reason, Active Directory doesn’t store that information directly. Because of that, we’ll have to figure out the OU path on our own. But trust us, that’s easy.

We begin the process with this line of code:

arrDirectoryLocation =  Split(objSysInfo.UserName, ",")

This code takes the user’s Distinguished Name and - thanks to the magic of the Split function - creates an array out of that name. Our new array (which divvies up the items using the comma as a delimiter) looks like this:

CN="Jonathan Haas"
OU="Finance"
DC="fabrikam"
DC="com"

What did that gain us? Well, now we have an array with four elements. If we get rid of the first element (Jonathan Haas, item 0) we can then construct the OU path using the remaining elements. To do that, we’re simply going to loop through the array beginning with the second element (also known as item 1; remember, the first element in an array is item 0, making the second element item 1). That’s what this code does: it bypasses the first element (CN="Jonathan Haas") and then grabs each of the remaining elements until there’s nothing left to grab (Ubound returns the index of the last item in an array):

For i = 1 to Ubound(arrDirectoryLocation)

Inside the loop we reconstruct the OU path, jamming all the names back together and separating them with commas. You might notice that, when dealing with item 1, we don’t add a comma before tacking on the element value. If we did, we’d end up with a string that looked like this:

, OU="Finance",DC="fabrikam",DC="com"

Not what we want. By omitting the comma for the first item, we end up with this path:

OU="Finance",DC="fabrikam",DC="com"

Believe it or not, we’re home free now. To construct the ADsPath to the OU, we just need to tack on the provider name. By adding LDAP:// to the beginning of our string, we end up with a path that looks just like this:

LDAP://OU="Finance",DC="fabrikam",DC="com"

And guess what? By remarkable coincidence, this is exactly the information we need to bind to the OU and create the new user account. In other words:

Set objOU = GetObject(strOU)

The rest of the script simply creates the new user account, sets a few property values, and then uses SetInfo to save the new account to Active Directory. We had to go through a few gyrations to get there, but you now have a generic script that will create new user accounts in the same OU as the user running the script.
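Two things bite this approach in practice: splitting on every comma mangles a DN whose CN contains an escaped comma (for example CN=Haas\, Jonathan), and the blanket On Error Resume Next means a bind or create that fails, typically because the caller was never delegated rights in that OU, goes unnoticed. The following variant is an added example, not the column’s own script: ParentDN is a hypothetical helper name, it assumes the script runs under Windows Script Host (WScript), and the user values are the same placeholders as above.

```vbscript
Option Explicit   ' added example, not the original column's code

' Return the part of a DN after the first comma that is not escaped with a
' backslash (RFC 4514), so a name like CN=Haas\, Jonathan stays intact.
Function ParentDN(strDN)
    Dim i, ch
    ParentDN = ""
    i = 1
    Do While i <= Len(strDN)
        ch = Mid(strDN, i, 1)
        If ch = "\" Then
            i = i + 2               ' skip the escaped character too
        ElseIf ch = "," Then
            ParentDN = Mid(strDN, i + 1)
            Exit Do
        Else
            i = i + 1
        End If
    Loop
End Function

Dim objSysInfo, strOU, objOU, objUser
Set objSysInfo = CreateObject("ADSystemInfo")
strOU = ParentDN(objSysInfo.UserName)
If strOU = "" Then WScript.Quit 1       ' DN has no container part; nothing to bind to
strOU = "LDAP://" & strOU
' No-parsing alternative: bind to the user object and let ADSI report its
' container's ADsPath via the IADs Parent property.
' strOU = GetObject("LDAP://" & objSysInfo.UserName).Parent

On Error Resume Next
Set objOU = GetObject(strOU)
If Err.Number <> 0 Then
    WScript.Echo "Cannot bind to " & strOU & ": 0x" & Hex(Err.Number) & " " & Err.Description
    WScript.Quit 1
End If
Set objUser = objOU.Create("User", "cn=Myer Ken")
objUser.sAMAccountName = "myerken"
objUser.GivenName = "Ken"
objUser.SN = "Myer"
objUser.SetInfo
If Err.Number <> 0 Then
    ' Most often: the caller has not been delegated the right to create users here
    WScript.Echo "Create failed in " & strOU & ": 0x" & Hex(Err.Number) & " " & Err.Description
    WScript.Quit 1
End If
On Error GoTo 0
' New user objects start out disabled; enable only after a password has been set.
WScript.Echo "Created " & objUser.ADsPath
```

Because the failure is reported rather than swallowed, a run by someone outside their delegated OU ends with a non-zero exit code and an error that can be logged, instead of silently creating nothing.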