Extending the Active Directory schema with ldifde
ldifde can be used to extend the Windows Active Directory schema. Normally we add the Active Directory Schema snap-in to an MMC console and create the new attributes by hand; the schema information can also be imported from an LDF file.
Script one:
On Error Resume Next

''''''''''''''''''''''''''''''''''''''
' Bind to the rootDSE
''''''''''''''''''''''''''''''''''''''
sPrefix = "LDAP://"
Set root = GetObject(sPrefix & "rootDSE")
If (Err.Number <> 0) Then
    BailOnFailure Err.Number, "on GetObject method"
End If

''''''''''''''''''''''''''''''''''''''
' Get the DN for the Schema
''''''''''''''''''''''''''''''''''''''
sSchema = root.Get("schemaNamingContext")
If (Err.Number <> 0) Then
    BailOnFailure Err.Number, "on Get method"
End If

''''''''''''''''''''''''''''''''''''''
' Bind to the Schema container
''''''''''''''''''''''''''''''''''''''
Set Schema = GetObject(sPrefix & sSchema)
If (Err.Number <> 0) Then
    BailOnFailure Err.Number, "on GetObject method to bind to Schema"
End If

'''''''''''''''''''''''''''''''''''''''
' Read the fsmoRoleOwner attribute to see which server is the schema master.
'''''''''''''''''''''''''''''''''''''''
sMaster = Schema.Get("fsmoRoleOwner")
If (Err.Number <> 0) Then
    BailOnFailure Err.Number, "on IADs::Get method for fsmoRoleOwner"
End If

'''''''''''''''''''''''''''''''''''''''
' fsmoRoleOwner attribute returns the nTDSDSA object.
' The parent is the server object.
' Bind to NTDSDSA object and get parent
'''''''''''''''''''''''''''''''''''''''
Set NTDS = GetObject(sPrefix & sMaster)
If (Err.Number <> 0) Then
    BailOnFailure Err.Number, "on GetObject method for NTDS"
End If
sServer = NTDS.Parent
If (Err.Number <> 0) Then
    BailOnFailure Err.Number, "on IADs::get_Parent method"
End If

'''''''''''''''''''''''''''''''''''''''
' Bind to server object and get the
' reference to the computer object.
'''''''''''''''''''''''''''''''''''''''
Set Server = GetObject(sServer)
If (Err.Number <> 0) Then
    BailOnFailure Err.Number, "on GetObject method for " & sServer
End If

''''''''''''''''''''''''''''''''''''''''''
' Display the DNS name of the schema master.
''''''''''''''''''''''''''''''''''''''''''
sComputerDNSName = Server.Get("DNSHostName")
strText = "Schema Master has the following DNS Name: " & sComputerDNSName
WScript.Echo strText

sFile = "myschemaext2.ldf"
sFromDN = sSchema
sToDN = "CN=Schema,CN=Configuration,DC=test,DC=xx"
sAttrPrefix = "yF"   ' search prefix
' Select only our own schema objects: classes and attributes whose cn starts with the prefix.
sFilter = "(&(cn=" & sAttrPrefix & "*)(|(objectCategory=classSchema)(objectCategory=attributeSchema)))"
sRetAttr = "dn,adminDescription,adminDisplayName,governsID,cn,mayContain," & _
    "mustContain,systemMayContain,systemMustContain,lDAPDisplayName," & _
    "objectClassCategory,distinguishedName,objectCategory,objectClass," & _
    "possSuperiors,systemPossSuperiors,subClassOf,defaultObjectCategory," & _
    "name,schemaIDGUID,auxiliaryClass,systemAuxiliaryClass," & _
    "description,defaultHidingValue,rDNAttId,defaultSecurityDescriptor," & _
    "attributeID,attributeSecurityGUID,attributeSyntax," & _
    "isMemberOfPartialAttributeSet,isSingleValued,mAPIID,oMSyntax,rangeLower," & _
    "rangeUpper,searchFlags,oMObjectClass,linkID"
' -d: root DN of the export.
sCommand = "ldifde -d " & sSchema
' -c: rewrite the live schema DN to a placeholder so the file can be imported elsewhere.
sCommand = sCommand & " -c """ & sFromDN & """ """ & sToDN & """"
' -s: run against the schema master.
sCommand = sCommand & " -s " & sComputerDNSName
' -f: output file name.
sCommand = sCommand & " -f " & sFile
' -r: LDAP filter selecting the attributes to export (quoted, it contains parentheses).
sCommand = sCommand & " -r """ & sFilter & """"
' -l: attribute names to retrieve (left commented out: export every attribute).
'sCommand = sCommand & " -l " & sRetAttr
WScript.Echo sCommand
Set WshShell = WScript.CreateObject("WScript.Shell")
WshShell.Run sCommand

'''''''''''''''''''''''''''''''''''''''
' Display subroutines
'''''''''''''''''''''''''''''''''''''''
Sub BailOnFailure(ErrNum, ErrText)
    strText = "Error 0x" & Hex(ErrNum) & " " & ErrText
    MsgBox strText, vbInformation, "ADSI Error"
    WScript.Quit
End Sub
This VBScript exports the custom AD schema extensions to an LDF file.
Script two:
On Error Resume Next

''''''''''''''''''''''''''''''''''''''
' Bind to the rootDSE
''''''''''''''''''''''''''''''''''''''
sPrefix = "LDAP://"
Set root = GetObject(sPrefix & "rootDSE")
If (Err.Number <> 0) Then
    BailOnFailure Err.Number, "on GetObject method"
End If

''''''''''''''''''''''''''''''''''''''
' Get the DN for the Schema
''''''''''''''''''''''''''''''''''''''
sSchema = root.Get("schemaNamingContext")
If (Err.Number <> 0) Then
    BailOnFailure Err.Number, "on Get method"
End If

''''''''''''''''''''''''''''''''''''''
' Bind to the Schema container
''''''''''''''''''''''''''''''''''''''
Set Schema = GetObject(sPrefix & sSchema)
If (Err.Number <> 0) Then
    BailOnFailure Err.Number, "on GetObject method to bind to Schema"
End If

''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
' Read the fsmoRoleOwner attribute to see which server is the schema master.
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
sMaster = Schema.Get("fsmoRoleOwner")
If (Err.Number <> 0) Then
    BailOnFailure Err.Number, "on IADs::Get method for fsmoRoleOwner"
End If

'''''''''''''''''''''''''''''''''''''''''''''''''''''
' fsmoRoleOwner attribute returns the nTDSDSA object.
' The parent is the server object.
' Bind to NTDSDSA object and get parent
'''''''''''''''''''''''''''''''''''''''''''''''''''''
Set NTDS = GetObject(sPrefix & sMaster)
If (Err.Number <> 0) Then
    BailOnFailure Err.Number, "on GetObject method for NTDS"
End If
sServer = NTDS.Parent
If (Err.Number <> 0) Then
    BailOnFailure Err.Number, "on IADs::get_Parent method"
End If

'''''''''''''''''''''''''''''''''''''''''''''''
' Bind to server object
' and get the reference to the computer object.
'''''''''''''''''''''''''''''''''''''''''''''''
Set Server = GetObject(sServer)
If (Err.Number <> 0) Then
    BailOnFailure Err.Number, "on GetObject method for " & sServer
End If
sComputer = Server.Get("serverReference")

'''''''''''''''''''''''''''''''''''''''''
' Display the DNS name of the schema master.
'''''''''''''''''''''''''''''''''''''''''
sComputerDNSName = Server.Get("DNSHostName")
' strText = "Schema Master has the following DN: " & sComputer
strText = "Schema Master has the following DNS Name: " & sComputerDNSName
WScript.Echo strText

sFile = "myschemaext1.ldf"
sFromDN = "CN=Schema,CN=Configuration,DC=test,DC=yifeng,DC=sap"
sToDN = sSchema
' -i: import, -k: ignore "constraint violation" and "object already exists" errors
' so a re-run does not abort, -c: replace the placeholder FromDN with the live schema DN.
sCommand = "ldifde -i -k -c """ & sFromDN & """ """ & sToDN & """"
' -s: run against the schema master.
sCommand = sCommand & " -s " & sComputerDNSName
' -f: input file name.
sCommand = sCommand & " -f " & sFile
WScript.Echo sCommand
' Show the command for review; the (possibly edited) text is what gets run,
' and Cancel aborts the import instead of running it anyway.
cc = InputBox("Review the import command (Cancel aborts):", "ldifde import", sCommand)
If cc = "" Then WScript.Quit
Set WshShell = WScript.CreateObject("WScript.Shell")
WshShell.Run cc

'''''''''''''''''''''''''''''''''''''''
' Display subroutines
'''''''''''''''''''''''''''''''''''''''
Sub BailOnFailure(ErrNum, ErrText)
    strText = "Error 0x" & Hex(ErrNum) & " " & ErrText
    MsgBox strText, vbInformation, "ADSI Error"
    WScript.Quit
End Sub
This script calls ldifde to read the LDF file and apply the schema extension.
Below is a sample of my LDF files:
# NB: replace the DC= part of the DNs with the schema DN of your own forest
dn: CN=yfDeptExt02,CN=Schema,CN=Configuration,DC=test,DC=xx
changetype: add
objectClass: top
objectClass: attributeSchema
cn: yfDeptExt02
distinguishedName:
 CN=yfDeptExt02,CN=Schema,CN=Configuration,DC=test,DC=xx
attributeID:
 1.2.840.113556.1.8000.2554.58215.11474.15632.18093.38597.10491665.1488508.2.28
attributeSyntax: 2.5.5.12
isSingleValued: TRUE
adminDisplayName: yfDeptExt02
oMSyntax: 64
lDAPDisplayName: yfDeptExt02
name: yfDeptExt02
objectCategory:
 CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=test,DC=yifeng,DC=sap
# the description is stored base64-encoded (the "::" separator)
adminDescription:: 55uK5Liw6YOo6Zeo6aKE55WZ5a2X5q61MDI=
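The two scripts rely on the same trick: export with `-c` rewriting the live schema DN to a placeholder, import with `-c` rewriting the placeholder back, and the LDF in between carries folded lines (a leading space continues the previous line) and base64 values (the `::` separator on adminDescription). Schema additions cannot be removed again, only made defunct, so it pays to check a file offline before script two runs it. The following Python is an added example, not code from the original post: it parses such a record, applies the DN substitution as `ldifde -c` would (this example matches the DN case-insensitively, an assumption), decodes the base64 description and reports records whose attributeID lies outside the organisation's OID arc or whose oMSyntax does not belong to the attributeSyntax. The DNs, OID arc and sample record are constructed; the syntax table is a small subset of the AD one.

```python
"""Offline checks for an ldifde schema-extension (.ldf) file. Added example, not
code from the original post: it parses a record like the one above, applies the
DN substitution that `ldifde -c FromDN ToDN` performs in both scripts, decodes
the base64 (`::`) adminDescription and checks the record before it reaches the
schema master. The DNs, OID arc and sample record below are constructed."""
import base64
import re

# attributeSyntax -> permitted oMSyntax values (subset of the AD syntax table).
SYNTAX_PAIRS = {
    "2.5.5.1": {127},     # Object(DS-DN)
    "2.5.5.8": {1},       # Boolean
    "2.5.5.9": {2, 10},   # Integer / Enumeration
    "2.5.5.12": {64},     # String(Unicode): the pair used in the post
}
REQUIRED = ("cn", "lDAPDisplayName", "attributeID", "attributeSyntax", "oMSyntax")
LINE_RE = re.compile(r"^([A-Za-z][A-Za-z0-9;.-]*)(::?)\s*(.*)$")

def parse_ldif(text):
    """Records as lists of (attribute, value); handles '#' comments, folded
    lines (leading space, RFC 2849) and '::' base64 values."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]            # continuation of previous line
        else:
            unfolded.append(raw)
    records, current = [], []
    for line in unfolded + [""]:               # trailing "" flushes the last record
        if not line.strip():                   # blank line ends a record
            if current:
                records.append(current)
                current = []
            continue
        if line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("malformed LDIF line: %r" % line)
        attr, sep, value = m.groups()
        current.append((attr, base64.b64decode(value).decode("utf-8") if sep == "::" else value))
    return records

def rewrite_dn(records, from_dn, to_dn):
    """Mimic `ldifde -c FromDN ToDN`: substitute FromDN inside every value
    (case-insensitively here, an assumption, since DNs compare that way)."""
    pat = re.compile(re.escape(from_dn), re.IGNORECASE)
    return [[(a, pat.sub(to_dn, v)) for a, v in rec] for rec in records]

def check_attribute_schema(record, oid_arc, schema_dn):
    """Problems found in one attributeSchema record (empty list = looks ok)."""
    attrs = {}
    for a, v in record:
        attrs.setdefault(a.lower(), []).append(v)
    first = lambda name: attrs.get(name.lower(), [None])[0]
    if "attributeschema" not in [v.lower() for v in attrs.get("objectclass", [])]:
        return ["record is not an attributeSchema object"]
    problems = ["missing " + n for n in REQUIRED if first(n) is None]
    dn = first("dn") or ""
    if not dn.lower().endswith("," + schema_dn.lower()):
        problems.append("dn is not under the schema container: " + dn)
    if first("distinguishedName") and first("distinguishedName").lower() != dn.lower():
        problems.append("distinguishedName does not match dn")
    oid = first("attributeID") or ""
    if not oid.startswith(oid_arc + "."):
        problems.append("attributeID is outside our OID arc: " + oid)
    syntax, om = first("attributeSyntax"), first("oMSyntax")
    if syntax in SYNTAX_PAIRS and om is not None and int(om) not in SYNTAX_PAIRS[syntax]:
        problems.append("oMSyntax %s does not belong to attributeSyntax %s" % (om, syntax))
    return problems

def schema_update_now():
    """LDIF record appended to an import so the DC reloads its schema cache."""
    return "dn:\nchangetype: modify\nadd: schemaUpdateNow\nschemaUpdateNow: 1\n-\n"

def audit(ldf_text, from_dn, to_dn, oid_arc):
    """Parse, rewrite DNs as ldifde -c would, check each record -> {dn: problems}."""
    records = rewrite_dn(parse_ldif(ldf_text), from_dn, to_dn)
    return {dict(rec)["dn"]: check_attribute_schema(rec, oid_arc, to_dn) for rec in records}

# Constructed sample: the post's record with its placeholder DN and a made-up OID arc.
PLACEHOLDER_DN = "CN=Schema,CN=Configuration,DC=test,DC=xx"
LIVE_DN = "CN=Schema,CN=Configuration,DC=corp,DC=example"
OID_ARC = "1.2.840.113556.1.8000.2554.12345.6789"
SAMPLE_LDF = """\
dn: CN=yfDeptExt02,CN=Schema,CN=Configuration,DC=test,DC=xx
changetype: add
objectClass: top
objectClass: attributeSchema
cn: yfDeptExt02
distinguishedName:
 CN=yfDeptExt02,CN=Schema,CN=Configuration,DC=test,DC=xx
attributeID: 1.2.840.113556.1.8000.2554.12345.6789.1.1
attributeSyntax: 2.5.5.12
oMSyntax: 64
lDAPDisplayName: yfDeptExt02
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=test,DC=xx
adminDescription:: 55uK5Liw6YOo6Zeo6aKE55WZ5a2X5q61MDI=
"""
```

`audit(SAMPLE_LDF, PLACEHOLDER_DN, LIVE_DN, OID_ARC)` returns a dictionary keyed by the rewritten dn, with an empty list for a record that passes; a wrong oMSyntax or an attributeID outside the arc shows up as a message under that dn. `schema_update_now()` gives the record that is usually appended to the LDF so the domain controller reloads its schema cache right after script two's import.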
Reference: http://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx