Platform SDK: Exchange Server
The AcctMgmt COM class defines an object that can be used to create and delete domain accounts, as well as to convert between an account name and its security identifiers and descriptors. This is particularly useful in applications that use scripting languages (such as Active Server Pages (ASP) pages and Windows Scripting Host (WSH) scripts) to set up new recipient mailboxes for Microsoft Exchange Server.
When creating new Exchange Server 5.5 mailboxes using the Active Directory Services Interfaces (ADSI) LDAP provider, NT account security identifiers and descriptors need to be set in the mailbox object's Assoc-NT-Account and NT-Security-Descriptor attributes respectively. This process associates the Windows NT domain account with the mailbox. Doing so may require creating a new Windows NT domain account or using an existing one, and then packaging the descriptor and identifier for transport through ADSI into the directory object. You can use instances of the AcctMgmt COM class to create the new Windows NT domain account if necessary, and then package the descriptor and identifier into the format (SAFEARRAY of VT_UI1 or unsigned chars) required by ADSI methods for transport to the Exchange Server 5.5 directory.
The following example in Visual Basic, Scripting Edition demonstrates how to create an account with an instance of the AcctMgmt COM class, retrieve the new account's security identifier (SID) and descriptor as a SAFEARRAY of bytes (unsigned chars), and then insert them as the values for a mailbox recipient's Assoc-NT-Account and NT-Security-Descriptor attributes respectively.
    Set mntAcct = CreateObject("MSExchange.AcctMgmt")
    strDomain = "domain"
    strUser = "username"
    strPassword = "password"
    strPath = "LDAP://server/o=Orgname/ou=Sitename/cn=Recipients"
    Const gstrNone = ""

    ' Create the account
    Call mntAcct.NtAccountCreate(strDomain, _
                                 strUser, _
                                 strPassword, _
                                 gstrNone, _
                                 gstrNone)

    ' Get the SID and descriptor for the directory object
    Call mntAcct.GetSidFromName(strDomain, strUser, varSecurityID)
    Call mntAcct.GenerateSecDescriptor(strDomain, strUser, varSecurityDescriptor)

    ' Convert the default value below so it's suitable for ADSI/LDAP transport
    strDelivContTypes = "2A864886F7140501" ' the default for accounts

    ' Create the mailbox in the DS with ADSI
    Set recipcont_obj = GetObject(CStr(strPath))
    Set recip_obj = recipcont_obj.Create("organizationalPerson", "cn=MBName")

    ' Now we set the required attributes for the directory object
    recip_obj.Put "Deliv-Ext-Cont-Types", strDelivContTypes
    recip_obj.Put "NT-Security-Descriptor", (varSecurityDescriptor)
    recip_obj.Put "Assoc-NT-Account", (varSecurityID)
    ' ... add the rest of the properties to the ADSI object
    recip_obj.SetInfo ' commit the contents of the ADSI object to the directory
Tip: Note the parentheses around the variable in the calls to the IADs Put method. These are required because VBScript passes a reference to a VARIANT variable, rather than the VARIANT itself, when the variable is used as an argument to a method. (This causes the VARIANT variable's vt value to be set to VT_VARIANT | VT_BYREF, and a reference to a VARIANT is actually passed within the VARIANT union.) The ADSI LDAP provider does not expect a pointer to a VARIANT in the Put method argument for VARIANT variables holding SAFEARRAY values, and this causes an exception to be thrown. The parentheses override this behavior, sending the VARIANT itself and not a reference to the VARIANT.
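Because Assoc-NT-Account binds the mailbox to whichever account the byte array identifies, it is worth rendering the value returned by GetSidFromName in string form and checking it before the Put call. The following is an added example, not part of the original SDK page: SidBytesToString, ByteAt, UInt32LE and BytesFromHex are hypothetical helper names, the sample SID is constructed, and the code assumes the array holds exactly the SID bytes with no padding.

```vbscript
Option Explicit

' Render a binary SID (byte array or ChrB-built byte string) as S-1-... text.
' LenB/MidB/AscB are used because VBScript cannot index a VT_ARRAY|VT_UI1 value.
' Returns "" when the buffer is not a well-formed SID.
Function SidBytesToString(vSid)
    Dim vt, cb, nSub, i, auth, text
    SidBytesToString = ""
    vt = VarType(vSid)
    If vt <> (vbArray Or vbByte) And vt <> vbString Then Exit Function
    cb = LenB(vSid)
    If cb < 8 Then Exit Function                  ' revision, count, 6-byte authority
    If ByteAt(vSid, 1) <> 1 Then Exit Function    ' SID revision must be 1
    nSub = ByteAt(vSid, 2)
    If nSub > 15 Or cb <> 8 + 4 * nSub Then Exit Function
    auth = CDbl(0)                                ' 48-bit big-endian authority
    For i = 3 To 8
        auth = auth * 256 + ByteAt(vSid, i)
    Next
    text = "S-1-" & CStr(auth)
    For i = 0 To nSub - 1                         ' 32-bit little-endian sub-authorities
        text = text & "-" & CStr(UInt32LE(vSid, 9 + 4 * i))
    Next
    SidBytesToString = text
End Function

Function ByteAt(v, pos)                           ' pos is 1-based
    ByteAt = AscB(MidB(v, pos, 1))
End Function
Function UInt32LE(v, pos)
    UInt32LE = CDbl(ByteAt(v, pos)) + 256 * CDbl(ByteAt(v, pos + 1)) + _
               65536 * CDbl(ByteAt(v, pos + 2)) + 16777216 * CDbl(ByteAt(v, pos + 3))
End Function

' Build a byte string from hex text (used only for the constructed sample).
Function BytesFromHex(strHex)
    Dim i, s
    s = ""
    For i = 1 To Len(strHex) Step 2
        s = s & ChrB(CInt("&H" & Mid(strHex, i, 2)))
    Next
    BytesFromHex = s
End Function

' Constructed sample: the binary form of S-1-5-21-1000-2000-3000-1105.
Dim sample
sample = BytesFromHex("010500000000000515000000E8030000D0070000B80B000051040000")
WScript.Echo "Well-formed: " & SidBytesToString(sample)
WScript.Echo "Truncated:  [" & SidBytesToString(LeftB(sample, 20)) & "]"
```

In the script above, calling SidBytesToString(varSecurityID) after GetSidFromName and stopping when it returns an empty string keeps a malformed or unexpected value from being committed by SetInfo.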