Administering ADAM Programmatically

Applies To: Windows Server 2003 R2

You can accomplish programmatically many of the tasks that you can complete manually using the ADAM administration tools. The ADAM download includes several sample scripts and some sample code to help get you started.

Administering ADAM Programmatically Through Visual Basic Scripts

The \LABS_DEMO\LABS\VBScript directory in the ADAM download includes sample scripts, written in Microsoft® Visual Basic®, Scripting Edition (VBScript), for the following common operations:

  • Extend schema to include the contact class. (Adamcontact.vbs)

  • Import two contacts. (AdamContactImport.vbs)

The following scripts assume that Adamuser.ldf was imported in a previous exercise:

  • Add OU

  • Add user

  • Add group

  • Add user to group

  • Delete user

  • Get a list of specific objects in a path (Filter_adam.vbs)

  • Enumerate users and groups

  • Set password

For example, the script for enumerating users and groups contains the following code:

'**************************************************
'
' This script enumerates the groups, and the members of each group, in the passed-in OU.
' To run: cscript member_adam.vbs [OU]
' The OU is passed as a full ADSI path. If the application OU DN is "ou=adamou,c=us",
' the server is "adamhost" and the port is 389, pass it as follows:
'   "LDAP://adamhost:389/ou=adamou,c=us"
'
'**************************************************
Set Args = WScript.Arguments
' Args(0) is read without a count check, so running the script with no
' parameters fails with "Subscript out of range".
ouName = Args(0)

Set ou = GetObject(ouName)
WScript.Echo "Displaying Groups and Group membership..." & vbCrLf

' Restrict enumeration of the container to objects of class "group".
ou.Filter = Array("group")
For Each obj In ou
  WScript.Echo "Group : " & obj.Name
  ' Members returns the member objects of the group (users, groups, proxies).
  For Each member In obj.Members
    WScript.Echo "         |"
    WScript.Echo "          -- " & member.Name
  Next
  WScript.Echo vbCrLf
Next

You can run any of these scripts from a command prompt by using the cscript command. (For help with cscript, at a command prompt, type cscript /?.) Each script requires an ADSI path to be passed that includes the provider (LDAP://), the host name, the LDAP port, and the distinguished name of the target object.

Note

The Adamcontact.vbs script requires only servername:portnumber to be passed, because it extends the schema. You can open the file in Notepad to see the specific syntax. (If you run a script without parameters, the following error message is returned: “Subscript out of range.”)

For example, to run the Member_adam.vbs script to enumerate users and groups of an object with a distinguished name of O=Microsoft,C=US, type:

cscript member_adam.vbs "LDAP://servername:portnumber/o=Microsoft,c=us"

where servername:portnumber represents the computer name and LDAP communications port of your ADAM instance.

Administering ADAM Programmatically Through the System.DirectoryServices API

The following exercise requires that you have Microsoft® Visual Studio® .NET installed.

To access ADAM through the System.DirectoryServices Application Programming Interface (API)

  1. Start Visual Studio .NET.

  2. On the File menu, click New, and then click Project.

  3. In Project Types, click a project type (C#, VB.NET, and so on).

  4. In Templates, click a project template (Console, Windows, and so on).

  5. In Name, type a name for your project.

  6. After the project is created, click Add Reference on the Project menu.

  7. In the Component Name column, click System.DirectoryServices.dll, as shown in the following.

    [Figure: Visual Studio .NET Add Reference dialog, showing System.DirectoryServices.dll]

  8. Add the following line at the top of your code:

    C#:
    using System.DirectoryServices;
    VB.NET:
    Imports System.DirectoryServices
    

    Note

    Importing the namespace is not mandatory, but it saves typing the fully qualified name. For example, instead of System.DirectoryServices.DirectoryEntry, you can write DirectoryEntry.

  9. To read an ADAM object, add the following code:

    int portNumber = 1025;              // put the correct port number here.
    string serverName = "adam01";       // put the correct server name here.
    string partitionDir = "O=Fabrikam"; // put the correct partition distinguished name here.
    // Bind to the partition head object as the logged-on Windows user and read it;
    // the using block releases the underlying ADSI object when you are done.
    using (DirectoryEntry ent = new DirectoryEntry("LDAP://" + serverName + ":" + portNumber + "/" + partitionDir))
    {
        Console.WriteLine("Hello World, {0}, with Guid {1}", ent.Name, ent.Guid);
    }
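The following C# console program is an added example; it is not code from the ADAM download or from the procedure above. It carries step 9 further and also mirrors what member_adam.vbs does in the VBScript section: it takes the server, port and partition distinguished name as command-line arguments and validates them (the VBScript samples read Args(0) unconditionally, which is why they fail with “Subscript out of range”), binds with Negotiate plus LDAP signing and sealing as the logged-on Windows user, and then lists every group in the partition with its members. The class name EnumerateAdamGroups and the values adam01, 389 and O=Fabrikam are placeholders, not names from the page.

```csharp
// Added example, not code from the ADAM download. Server, port and partition
// DN are placeholders supplied on the command line.
using System;
using System.DirectoryServices;

class EnumerateAdamGroups
{
    static int Main(string[] args)
    {
        // member_adam.vbs reads Args(0) unconditionally and fails with
        // "Subscript out of range" when nothing is passed; validate first.
        int portNumber;
        if (args.Length != 3 || !int.TryParse(args[1], out portNumber)
            || portNumber < 1 || portNumber > 65535)
        {
            Console.Error.WriteLine("Usage: EnumerateAdamGroups <server> <port> <partitionDN>");
            Console.Error.WriteLine("Example: EnumerateAdamGroups adam01 389 O=Fabrikam");
            return 1;
        }
        string serverName = args[0];
        string partitionDn = args[2];

        // The same ADSI path shape the VBScript samples expect: LDAP://host:port/DN
        string path = "LDAP://" + serverName + ":" + portNumber + "/" + partitionDn;

        // Secure = Negotiate (Kerberos or NTLM) as the logged-on Windows user;
        // Signing and Sealing protect the LDAP session without requiring SSL.
        AuthenticationTypes auth = AuthenticationTypes.Secure
            | AuthenticationTypes.Signing | AuthenticationTypes.Sealing;

        using (DirectoryEntry root = new DirectoryEntry(path, null, null, auth))
        {
            // Force the bind now so a wrong host, port or DN fails here, not later.
            root.RefreshCache(new string[] { "distinguishedName" });
            Console.WriteLine("Bound to {0} (GUID {1})",
                root.Properties["distinguishedName"].Value, root.Guid);
            Console.WriteLine("Displaying Groups and Group membership...");
            Console.WriteLine();

            using (DirectorySearcher searcher = new DirectorySearcher(root,
                "(objectClass=group)", new string[] { "name", "member" }, SearchScope.Subtree))
            {
                searcher.PageSize = 500;  // paged results for partitions with many groups
                using (SearchResultCollection groups = searcher.FindAll())
                {
                    foreach (SearchResult group in groups)
                    {
                        Console.WriteLine("Group : {0}", group.Properties["name"][0]);
                        // "member" holds the members' DNs; it is absent when the group is empty.
                        foreach (object memberDn in group.Properties["member"])
                        {
                            Console.WriteLine("          -- {0}", memberDn);
                        }
                        Console.WriteLine();
                    }
                }
            }
        }
        return 0;
    }
}
```

Because the searcher asks only for the name and member attributes and reads the member DNs from the search result, it makes one paged query per partition instead of binding to every group and every member object, which is what the Members call in the VBScript sample does.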
    

Administering ADAM Proxy Objects Programmatically

The \LABS_DEMO\LABS\bindredirect directory in the ADAM download includes sample code for creating, populating, and testing ADAM proxy objects. In addition, the directory includes a compiled, ready-to-run version of this sample code. This sample code illustrates how you can automate the creation of proxy objects, and it completes the steps in the “To bind to ADAM through an ADAM proxy object” procedure in Using the ADAM Administration Tools.

Note

For more information about ADAM bind redirection, see the Active Directory Application Mode Administrator’s Guide. To view the Active Directory Application Mode Administrator’s Guide, click Start, point to All Programs, point to ADAM, and then click ADAM Help.

The code in sampleBindRedirect.c completes all of the following operations programmatically:

  • Binds to an ADAM instance using a Windows user account that you provide.

  • Reads the tokenGroups attribute for the Windows user to retrieve the user's SID.

  • Binds to an ADAM instance using the ADAM Administrator’s account that you provide.

  • With the ADAM administrator account, creates a userProxy object for the Windows user.

  • Adds the Users group from any given application directory partition to the Readers group of the same partition.

  • Binds to an ADAM instance as the Windows user, to demonstrate that the Windows user cannot read the application directory partition.

  • Binds to an ADAM instance through the proxy object, to demonstrate that the application directory partition can be read.

  • Deletes the userProxy object.

You can run the compiled version of this sample code, BindRedirect.exe, to observe how the sample code works. For help running the BindRedirect.exe sample program, at a command prompt, type bindredirect /?.

Note

This sample code has the following requirements:

  • SSL connections to ADAM must be available (which requires installing certificates), or the RequireSecureProxyBind setting in the msDS-Other-Settings attribute of the nTDSService object must be set to 0. For more information, see “Binding Security and ADAM Proxy Objects” in Managing Authentication in ADAM.

  • No foreign security principal object should exist in ADAM for the Windows user that you specify.

  • When you use an SSL connection to bind, you must provide the full DNS name of the computer running ADAM.
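The following C# program is an added example, not the ADAM download's sampleBindRedirect.c. It walks through the same sequence with System.DirectoryServices: create a userProxy object for a Windows account, give the partition's Users role read access through the Readers role, show that a direct bind as the Windows user cannot read the partition while a simple bind through the proxy over SSL can, and finally delete the proxy. It assumes .NET Framework 2.0 or later (for SecurityIdentifier), an ADAM instance listening for SSL on port 636 and addressed by its full DNS name, that the program runs as a Windows account that is a member of the ADAM Administrators role, and the default ADAM role layout (CN=Users and CN=Readers under CN=Roles in the partition). The host name, partition, container, account name and class name are placeholders.

```csharp
// Added example, not the ADAM download's sampleBindRedirect.c. Assumes .NET
// Framework 2.0 or later (SecurityIdentifier), LDAPS on port 636, and that
// the program runs as a Windows account in the ADAM Administrators role.
// Every name below is a placeholder.
using System;
using System.DirectoryServices;
using System.Runtime.InteropServices;
using System.Security.Principal;

class ProxyBindDemo
{
    const string Host = "adamhost.fabrikam.example";   // full DNS name, required for SSL
    const int SslPort = 636;
    const string PartitionDn = "O=Fabrikam";
    const string ProxyContainerDn = "OU=Proxies,O=Fabrikam";
    const string WindowsUser = "FABRIKAM\\alice";       // account to be proxied

    static string Path(string dn)
    {
        return "LDAP://" + Host + ":" + SslPort + "/" + dn;
    }

    // Resolve the Windows account to its binary SID locally. The ADAM sample reads
    // tokenGroups from the directory instead; the value stored in objectSid is the same.
    static byte[] GetSidBytes(string account)
    {
        SecurityIdentifier sid =
            (SecurityIdentifier)new NTAccount(account).Translate(typeof(SecurityIdentifier));
        byte[] raw = new byte[sid.BinaryLength];
        sid.GetBinaryForm(raw, 0);
        return raw;
    }

    // True if a bind with this credential can read the partition head object.
    static bool CanRead(string user, string password, AuthenticationTypes auth)
    {
        try
        {
            using (DirectoryEntry e = new DirectoryEntry(Path(PartitionDn), user, password, auth))
            {
                e.RefreshCache(new string[] { "distinguishedName" });
                return e.Properties["distinguishedName"].Value != null;
            }
        }
        catch (COMException)
        {
            return false;   // bind rejected, or the object is not visible to this principal
        }
    }

    static void Main()
    {
        string windowsPassword = "<windows password>";   // placeholder; prompt for it in practice
        AuthenticationTypes negotiateSsl =
            AuthenticationTypes.Secure | AuthenticationTypes.SecureSocketsLayer;
        string proxyDn = "CN=alice-proxy," + ProxyContainerDn;
        string usersDn = "CN=Users,CN=Roles," + PartitionDn;

        // 1. Bind as the ADAM administrator: Negotiate as the current Windows user, over SSL.
        using (DirectoryEntry container = new DirectoryEntry(Path(ProxyContainerDn), null, null, negotiateSsl))
        using (DirectoryEntry readers = new DirectoryEntry(Path("CN=Readers,CN=Roles," + PartitionDn), null, null, negotiateSsl))
        {
            // 2. Create the userProxy; objectSid is what ties it to the Windows account.
            DirectoryEntry proxy = container.Children.Add("CN=alice-proxy", "userProxy");
            proxy.Properties["objectSid"].Value = GetSidBytes(WindowsUser);
            proxy.CommitChanges();

            // 3. Give the partition's Users role (every ADAM principal in it, the proxy included) read access.
            if (!readers.Properties["member"].Contains(usersDn))
            {
                readers.Properties["member"].Add(usersDn);
                readers.CommitChanges();
            }

            try
            {
                // 4. Direct bind as the Windows user: not an ADAM principal of this partition, so no read.
                Console.WriteLine("Windows user can read partition: {0}",
                    CanRead(WindowsUser, windowsPassword, negotiateSsl));

                // 5. Simple bind over SSL with the proxy DN and the Windows password: ADAM
                //    redirects the password check to Windows and applies the proxy's rights.
                Console.WriteLine("Proxy bind can read partition:   {0}",
                    CanRead(proxyDn, windowsPassword, AuthenticationTypes.SecureSocketsLayer));
            }
            finally
            {
                // 6. Remove the proxy again, as the sample does.
                container.Children.Remove(proxy);
                proxy.Dispose();
            }
        }
    }
}
```

Step 5 is the one the requirements in the note govern: a simple bind sends the Windows password to ADAM, so the proxy bind must travel over SSL unless RequireSecureProxyBind has been set to 0, and the SSL handshake only succeeds when the path uses the full DNS name that the server certificate carries.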