LDAP
The Lightweight Directory Access Protocol

Creating a New Group

Joe needs to create a new group. He would like to secure some resources (files, Active Directory objects, or other objects) based on the membership of this group.

    ' Group type flags from the ADSI ADS_GROUP_TYPE_ENUM enumeration
    Const ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP = &H4
    Const ADS_GROUP_TYPE_SECURITY_ENABLED = &H80000000

    ' Bind to the Sales organizational unit and create the group in it
    Set ou = GetObject("LDAP://OU=Sales,DC=Fabrikam,DC=COM")
    Set grp = ou.Create("group", "CN=Management")
    grp.Put "samAccountName", "mgmt"
    grp.Put "groupType", ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP Or ADS_GROUP_TYPE_SECURITY_ENABLED
    grp.SetInfo   ' commit the new group to the directory

This group, Management, will be created in the Sales organizational unit. The first thing Joe needs to do is create an ADSI object for the Sales organizational unit. He then needs to set the samAccountName attribute on the new group object, since it is a mandatory attribute for backward compatibility. For this example, when samAccountName is set, Windows NT 4.0 tools such as User Manager see the group as mgmt instead of Management.

Finally, Joe needs to specify the type of group. In a Windows 2000 domain, there are three types of groups: Global, Domain Local, and Universal. In addition, the group type carries the group's security characteristic: a group can be either security-enabled or non-secured. Essentially, security-enabled groups are those that can be granted or denied access rights to resources, just like a user. Granting a group access to a file share, for example, implies that all members of the group can access the file share. Distribution lists cannot be used in a similar manner; you cannot, for example, grant a distribution list the right to access a file share.

During the upgrade, Windows NT 4.0 groups are migrated as security-enabled groups. Non-secured groups in Active Directory are similar to distribution lists in Exchange. Hence, creating a group and creating a distribution list are very similar operations in Windows 2000. In Windows 2000 native mode (native mode means that all domain controllers in a domain are Windows 2000 servers), groups can be nested to any level.
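
When reviewing which groups can appear in access control lists, the stored groupType value has to be decoded back into its scope and its security-enabled bit; the directory holds it as a signed 32-bit integer, so security-enabled groups show up as negative numbers. The following Python sketch is an added example, not part of the original page: the flag values come from the ADSI ADS_GROUP_TYPE_ENUM enumeration, while the function names and the sample records are constructed for illustration.

```python
"""Decode Active Directory groupType values (added example, not from the original page)."""

# Flag values from the ADSI ADS_GROUP_TYPE_ENUM enumeration.
ADS_GROUP_TYPE_GLOBAL_GROUP = 0x00000002
ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP = 0x00000004
ADS_GROUP_TYPE_UNIVERSAL_GROUP = 0x00000008
ADS_GROUP_TYPE_SECURITY_ENABLED = 0x80000000

SCOPES = {
    ADS_GROUP_TYPE_GLOBAL_GROUP: "Global",
    ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP: "Domain Local",
    ADS_GROUP_TYPE_UNIVERSAL_GROUP: "Universal",
}


def encode_group_type(scope_flag, security_enabled):
    """Return the signed 32-bit value that the directory stores for groupType."""
    raw = scope_flag | (ADS_GROUP_TYPE_SECURITY_ENABLED if security_enabled else 0)
    return raw - 0x100000000 if raw & 0x80000000 else raw


def decode_group_type(value):
    """Split a groupType value (signed or unsigned) into (scope, security_enabled)."""
    raw = value & 0xFFFFFFFF  # undo the sign so the high bit can be tested
    scopes = [name for flag, name in SCOPES.items() if raw & flag]
    if len(scopes) != 1:
        raise ValueError(f"groupType {value} does not carry exactly one scope flag")
    return scopes[0], bool(raw & ADS_GROUP_TYPE_SECURITY_ENABLED)


def security_enabled_groups(records):
    """Return names of groups that can be granted or denied access rights."""
    return [name for name, value in records if decode_group_type(value)[1]]


# Constructed sample data: (cn, groupType) pairs as an LDAP export would show them.
SAMPLE = [
    ("Management", -2147483644),    # the value written by the script above
    ("Sales-Announce", 8),          # universal, not security-enabled
    ("Sales-Global", -2147483646),  # global, security-enabled
]

if __name__ == "__main__":
    for cn, group_type in SAMPLE:
        scope, secured = decode_group_type(group_type)
        kind = "security-enabled" if secured else "non-secured (distribution)"
        print(f"{cn}: {scope}, {kind}")
```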