***********************
'* Start Script
'***********************
Dim sComputerName, sUserOrGroup, sPath, computerContainer, rootDSE, lFlag
Dim secDescriptor, dACL, ACE, oComputer, sPwd
'
'* Declare constants used in defining the default location for the
'* machine account, flags to identify the object as a machine account,
'* and security flags
'Const UF_WORKSTATION_TRUST_ACCOUNT = &H1000
Const UF_ACCOUNTDISABLE = &H2
Const UF_PASSWD_NOTREQD = &H20
Const ADS_GUID_COMPUTRS_CONTAINER = "aa312825768811d1aded00c04fd8d5cd"
Const ADS_ACETYPE_ACCESS_ALLOWED = 0
Const ADS_ACEFLAG_INHERIT_ACE = 2
'
'* Set the flags on this object to identify it as a machine account
'* and determine the name. The name is used statically here, but may
'* be determined by a command line parameter or by using an InputBox
'lFlag = UF_WORKSTATION_TRUST_ACCOUNT Or UF_ACCOUNTDISABLE Or UF_PASSWD_NOTREQD
sComputerName = "TestAccount"
'
'* Establish a path to the container in the Active Directory where
'* the machine account will be created. In this example, this will
'* automatically locate a domain controller for the domain, read the
'* domain name, and bind to the default "Computers" container
'*********************************************************************
Set rootDSE = GetObject("LDAP://RootDSE")
sPath = "LDAP://Set computerContainer = GetObject(sPath)
sPath = "LDAP://" & ("distinguishedName")
Set computerContainer = GetObject(sPath)
''* Here, the computer account is created. Certain attributes must
'* have a value before calling .SetInfo to commit (write) the object
'* to the Active Directory
'Set oComputer = ("computer", "CN=" & sComputerName)
"samAccountName", sComputerName + "$"
"userAccountControl", lFlag
'
'* Establish a default password for the machine account
'sPwd = sComputerName & "$"
sPwd = LCase(sPwd)
sPwd
''* Specify which user or group may activate/join this computer to the
'* domain. In this example, "MYDOMAIN" is the domain name and
'* "JoeSmith" is the account being given the permission. Note that
'* this is the downlevel naming convention used in this example.
'sUserOrGroup = "MYDOMAIN\joesmith"
''* Bind to the Discretionary ACL on the newly created computer account
'* and create an Access Control Entry (ACE) that gives the specified
'* user or group full control on the machine account
'Set secDescriptor = ("ntSecurityDescriptor")
Set dACL =
Set ACE = CreateObject("AccessControlEntry")
'
'* An AccessMask of "-1" grants Full Control
'
= -1
= ADS_ACETYPE_ACCESS_ALLOWED
= ADS_ACEFLAG_INHERIT_ACE
''* Grant this control to the user or group specified earlier.
' = sUserOrGroup
'
'* Now, add this ACE to the DACL on the machine account
' ACE
= dACL
'
'* Commit (write) the security changes to the machine account
' "ntSecurityDescriptor", Array(secDescriptor)
''* Once all parameters and permissions have been set, enable the
'* account.
'
= False
''* Create an Access Control Entry (ACE) that gives the specified user
'* or group full control on the machine account
' "The command completed successfully."
'*****************
'* End Script