活动目录是Windows NT 4.0和Windows 2000使用的目录服务。要想使用活动目录服务,需要调用ADSI(活动目录服务接口)。ADSI是一组以COM接口的形式提供目录服务的,程序员可以通过ADSI存取四种网络目录结构:WinNT (Microsoft SAM 数据库)、LDAP (轻量目录存取协议)、NDS (NetWare目录服务)和NWCOMPAT (Novell NetWare 3.x)。 ADSI可以使Windows NT 管理员的工作变得轻松。ADSI支持管理员执行一些一般的管理任务,比如添加新用户、管理打印机、安全设定和控制NT域。因为ADSI使用COM接口,任何支持COM的编程语言像Delphi、BCB、VB、VC等都可以调用ADSI。
活动目录运行在Windows NT 4.0和Windows 2000上。客户端程序可以运行在Windows 95、Windows 98、Windows NT 4.0和Windows 2000上。为了使用ADSI,必须安装ADSI COM接口。ADSI 2.5 SDK可以从Microsoft ADSI网址http://www.microsoft.com/ntserver/nts/downloads/other/ADSI25/default.asp下载。SDK包括文档、在线帮助和很多例子
Example 3 <% strMachineName = "localhost" 'domain name strObjectPath = "W3SVC/1" 'object name'construct object location in IIS strPath = "IIS://" & strMachineName & "/" & strObjectPath Set IISObject = GetObject (strPath) 'connect to IIS metabase %> Name = "<%= IISObject.Name %>"<br> Parent= "<%= IISObject.Parent %>"<br> SchemaLocation = "<%= IISObject.Schema %>"<br> Class = "<%= IISObject.Class %>"<br> Guid = "<%= IISObject.Guid %>"<br> ADSPath = "<%= IISObject.AdsPath %>"<br> The output of this code is: Name = "1" Parent= "IIS://localhost/W3SVC" SchemaLocation = "IIS://localhost/schema/IIsWebServer" Class = "IIsWebServer" Guid = "{8B645280-7BA4-11CF-B03D-00AA006E0975}" ADSPath = "IIS://localhost/W3SVC/1"
An Introduction to ADSI The web delivers information, pure and simple. By using ADO and RDS we can retrieve information from a database and manipulate it just as we want. But what if we want information on our server's current configuration? How can we access things like: What files are in which directory? What users are in which groups? What print jobs and pending in which print queues? What services are running on which computer? We're unlikely to be able to get this kind of information from a database! Yet these are the kind of questions that a systems administrator asks every day. In addition, the systems administrator will also need to make changes to these aspects of the system ?possibly daily ?according to the demands placed on the system. In order to answer these questions and exact these changes, the administrator needs access to his system's directory services ?and for that he needs to be at a terminal on his network. Or, at least, that used to be the case. We can now write ASP code that can emulate ?and in some cases, offer more functionality than ?the suite of tools that we commonly associate with system administration (User Manager, Print Manager and the like). The server's file system manager, Windows Explorer, can be approximated using the FileSystemObject scripting object. For the rest, we need to use the Active Directory Services Interface (ADSI). ADSI allows us to govern the lifecycle of abstract directory objects ?things like Computers, Printers and User Groups. In addition, we can also use ADSI to access these objects even if they are located on a different operating system. For example, before ADSI, sharing user information across Windows NT and Novell Netware was pretty much limited to duplicating user information manually on both systems. With ADSI installed, we can update user information from a web page and disseminate it automatically across a multi-operating system network. How Does ADSI Work? Setting up ADSI is pretty simple. In order for ADSI ASP pages to work, you simply need to install ADSI 2.0 (or ADSI 2.5 beta) on your web server. Obviously, the server of choice here is IIS4.0, but ADSI does run fine alongside Personal Web Server too. The lack of security on a Win9x platform however, would suggest this would be unwise. You can find all the necessary installation files on the download page of Microsoft's Backoffice site. When set up, ADSI basically creates a super (directory) structure within which you access any directory service using the same universal commands. This structure contains two basic types of objectA container object, which holds a number of other objects as either children or 'members' A leaf object, which has neither children nor members The keystone to the whole structure is the container named ADS://. Inside this container are stored a number of namespace containers. Each namespace represents a particular syntax with which you can access your target directory service. Unfortunately, your target service will not be found in a namespace unless it has an ADSI provider installed or you write one of your own and give it a namespace.Currently, there are just six directory services that also run an ADSI provider, as shown below. However, ADSI is an open standard, and the incentive for other vendors to provide an ADSI implementation is very strong. At least one more ?Windows 2000 Active Directory ?is due in 1999. In the meantime, we have an abundance of things to do with the six providers that are currently available.Beneath each namespace is a hierarchy of container objects and leaf objects. Each container and leaf has its own basic properties, which are dependent on the identity of the object. We can't go into them all here. However, as an example, you can begin to see the power and scale of ADSI by looking at the object hierarchy for the WinNT:// namespace:As you can see, Windows NT has a quite straightforward structure ?you probably recognize most (or all) of the object names in the diagram above. Note that there is only one schema object for each namespace provider that ADSI recognizes ?this is the object that stores the list of all the objects on the system, and their properties. The real power in ADSI is via correct manipulation of the WinNT schema, a fact that will become abundantly clear when Windows 2000 and its Active Directory are released. You can create new objects (with their own properties) for ADSI to recognize, or alter the property set of existing objects. For example, you could remove the need for a user to have a password by deleting a property. We can go a step further. The schema also defines which of an object's properties are mandatory and which are optional . (If he'd known at the time that we'd have the potential to force information out of clients, by denying access to a terminal until each mandatory property had a value, then George Orwell might have called his book 1999? ADSI has some security issues ?for example, if you've created a completely functional remote administration site for your network the risks attached to unauthorized access are high. However ?those concerns aside ?the site itself is incredibly easy to implement, once a few basics are understood.
The Basic Concepts Every ADSI object has six core properties: the Parent object, ADsPath , Name , Guid (a unique identification number), the schema (which governs it) and the object class (to which it belongs). Once you've identified that you want to change or monitor a particular item in the directory structure, you bind an object to that item. For example, suppose we want to change a user account:Set objUser = GetObject("WinNT://DOMAIN/UserName") Here, DOMAIN is the name of our local domain and UserName is the name of the account.We can now access those six core properties with the simple object.method syntax, and print them on the screen. Since we've bound to a User object, we also have access to the properties and methods defined by the ADSI User object. The number of properties varies from one namespace provider to another - in WinNT:// , there are 48 properties and three methods ?more configurable options than you'd find in the User Manager.The other key thing that 's useful to know is how to enumerate the objects within a container ?e.g. the users within a group, or the computers within a domain. In this case, the code varies slightly depending on whether the container objects are members or children of the container. For example, users are members of a group, while groups are children of a domain. The code to enumerate the User members of the Administrators group looks like this:<HTML> <BODY> <% Dim oGroup Dim oMember Set oGroup = GetObject("WinNT://DOMAIN/Administrators") For Each oMember in oGroup.Members Response.Write oMember.Name & "<BR>" Next %> </BODY> </HTML> If we want to list the children of an object, it's a simple case of altering the For Each...Next loop to read as follows:Set oContainer = GetObject("WinNT://DOMAIN") For Each oChild in oContainer Response.Write oChild.Name & "<BR>" Next These really are the two key coding methods to appreciate in an ADSI page. With these techniques safely under your belt, it's a matter of finding out what properties and methods each object class supports. To do that, you can either consult the ADSI help files or write a quick ASP page to enumerate the members of the MandatoryProperties and OptionalProperties properties of the schema for that object's class.Suggested Applications It may seem as though ADSI is oriented towards system administration ?indeed, the obvious application for ADSI may well be creating a remote administration kit. However, by adding ADSI and ADO to ASP (and we could throw a few other things into the pot too) we can use any of the resources that are accessible via ADSI, in any namespace, for many practical applications. For example:Personalized Intranet : Instead of creating a user database with ADO, you could extend the user schema with personalization properties using ADSI, and then refer to this information to personalize your intranet to the user's taste. Automated website providers : With its access to the IIS:// namespace, you could create a request page for users who wish to create their own homepages. You can then use ADSI or the FileSystemObject object to create a new virtual or physical directory respectively on which to locate the home page, and pass details back to the requester explaining how to access that page. Project management : A system could be set up such that each project in your company is represented by an 'ADSI Project Object' defined by the schema, with project-related status reports and facts defined as properties of the project object. Another property could perhaps point to a small database governed by ADO, which contains all communication about the project in a searchable format for reference purposes. This communication might take the form of many emails copied and put into the database using ADO and CDO. ADSI is much more applicable than you might think. Moreover, with the approach of Web Based Enterprise Management (WBEM) (the ADSI counterpart for Enterprise management, finally heralded in with the release of Service Pack 4 for NT), we can expect ADSI's profile to keep on rising.I Need to Know More ADSI 2.0 is available as a download from Microsoft's Backoffice download page at http://backoffice.microsoft.com/. In fact, ADSI comes in two different forms - the set of runtime libraries, and the SDK for writing your own namespace provider. To use ADSI with ASP, you need only the runtime libraries and the accompanying help files. However, it should be noted that the help files are intended to assist developers writing ADSI client applications in Visual Basic or C++.There is only one book on ADSI website programming at the moment ?its ADSI ASP Programmer's Reference by Steven Hahn (Wrox Press, 1998, ISBN 1-861001-69-X). However, there are a few sites on the web which provide ADSI references and help pages. 15seconds.com, for example, hosts an ADSI listserv for those with problems on which you'd like to canvas others' opinions. There is also one ADSI newsgroup ?news://microsoft.public.active.directory.interfaces/ which has an active stream of Q&A threads on it (though it's not as busy as one might expect). Microsoft hasn't exactly pushed ADSI as yet ?instead, it has been allowed simply to exist in the background until now. However, once Windows 2000 appears, we can expect that to change.
活动目录运行在Windows NT 4.0和Windows 2000上。客户端程序可以运行在Windows 95、Windows 98、Windows NT 4.0和Windows 2000上。为了使用ADSI,必须安装ADSI COM接口。ADSI 2.5 SDK可以从Microsoft ADSI网址http://www.microsoft.com/ntserver/nts/downloads/other/ADSI25/default.asp下载。SDK包括文档、在线帮助和很多例子
<%
strMachineName = "localhost" 'domain name
strObjectPath = "W3SVC/1" 'object name'construct object location in IIS
strPath = "IIS://" & strMachineName & "/" & strObjectPath
Set IISObject = GetObject (strPath) 'connect to IIS metabase
%>
Name = "<%= IISObject.Name %>"<br>
Parent= "<%= IISObject.Parent %>"<br>
SchemaLocation = "<%= IISObject.Schema %>"<br>
Class = "<%= IISObject.Class %>"<br>
Guid = "<%= IISObject.Guid %>"<br>
ADSPath = "<%= IISObject.AdsPath %>"<br>
The output of this code is: Name = "1"
Parent= "IIS://localhost/W3SVC"
SchemaLocation = "IIS://localhost/schema/IIsWebServer"
Class = "IIsWebServer"
Guid = "{8B645280-7BA4-11CF-B03D-00AA006E0975}"
ADSPath = "IIS://localhost/W3SVC/1"
The web delivers information, pure and simple. By using ADO and RDS we can retrieve information from a database and manipulate it just as we want. But what if we want information on our server's current configuration? How can we access things like: What files are in which directory?
What users are in which groups?
What print jobs and pending in which print queues?
What services are running on which computer?
We're unlikely to be able to get this kind of information from a database! Yet these are the kind of questions that a systems administrator asks every day. In addition, the systems administrator will also need to make changes to these aspects of the system ?possibly daily ?according to the demands placed on the system. In order to answer these questions and exact these changes, the administrator needs access to his system's directory services ?and for that he needs to be at a terminal on his network. Or, at least, that used to be the case. We can now write ASP code that can emulate ?and in some cases, offer more functionality than ?the suite of tools that we commonly associate with system administration (User Manager, Print Manager and the like). The server's file system manager, Windows Explorer, can be approximated using the FileSystemObject scripting object. For the rest, we need to use the Active Directory Services Interface (ADSI). ADSI allows us to govern the lifecycle of abstract directory objects ?things like Computers, Printers and User Groups. In addition, we can also use ADSI to access these objects even if they are located on a different operating system. For example, before ADSI, sharing user information across Windows NT and Novell Netware was pretty much limited to duplicating user information manually on both systems. With ADSI installed, we can update user information from a web page and disseminate it automatically across a multi-operating system network. How Does ADSI Work?
Setting up ADSI is pretty simple. In order for ADSI ASP pages to work, you simply need to install ADSI 2.0 (or ADSI 2.5 beta) on your web server. Obviously, the server of choice here is IIS4.0, but ADSI does run fine alongside Personal Web Server too. The lack of security on a Win9x platform however, would suggest this would be unwise. You can find all the necessary installation files on the download page of Microsoft's Backoffice site. When set up, ADSI basically creates a super (directory) structure within which you access any directory service using the same universal commands. This structure contains two basic types of objectA container object, which holds a number of other objects as either children or 'members'
A leaf object, which has neither children nor members
The keystone to the whole structure is the container named ADS://. Inside this container are stored a number of namespace containers. Each namespace represents a particular syntax with which you can access your target directory service. Unfortunately, your target service will not be found in a namespace unless it has an ADSI provider installed or you write one of your own and give it a namespace.Currently, there are just six directory services that also run an ADSI provider, as shown below. However, ADSI is an open standard, and the incentive for other vendors to provide an ADSI implementation is very strong. At least one more ?Windows 2000 Active Directory ?is due in 1999. In the meantime, we have an abundance of things to do with the six providers that are currently available.Beneath each namespace is a hierarchy of container objects and leaf objects. Each container and leaf has its own basic properties, which are dependent on the identity of the object. We can't go into them all here. However, as an example, you can begin to see the power and scale of ADSI by looking at the object hierarchy for the WinNT:// namespace:As you can see, Windows NT has a quite straightforward structure ?you probably recognize most (or all) of the object names in the diagram above. Note that there is only one schema object for each namespace provider that ADSI recognizes ?this is the object that stores the list of all the objects on the system, and their properties. The real power in ADSI is via correct manipulation of the WinNT schema, a fact that will become abundantly clear when Windows 2000 and its Active Directory are released. You can create new objects (with their own properties) for ADSI to recognize, or alter the property set of existing objects. For example, you could remove the need for a user to have a password by deleting a property. We can go a step further. The schema also defines which of an object's properties are mandatory and which are optional . (If he'd known at the time that we'd have the potential to force information out of clients, by denying access to a terminal until each mandatory property had a value, then George Orwell might have called his book 1999? ADSI has some security issues ?for example, if you've created a completely functional remote administration site for your network the risks attached to unauthorized access are high. However ?those concerns aside ?the site itself is incredibly easy to implement, once a few basics are understood.
Every ADSI object has six core properties: the Parent object, ADsPath , Name , Guid (a unique identification number), the schema (which governs it) and the object class (to which it belongs). Once you've identified that you want to change or monitor a particular item in the directory structure, you bind an object to that item. For example, suppose we want to change a user account:Set objUser = GetObject("WinNT://DOMAIN/UserName")
Here, DOMAIN is the name of our local domain and UserName is the name of the account.We can now access those six core properties with the simple object.method syntax, and print them on the screen. Since we've bound to a User object, we also have access to the properties and methods defined by the ADSI User object. The number of properties varies from one namespace provider to another - in WinNT:// , there are 48 properties and three methods ?more configurable options than you'd find in the User Manager.The other key thing that 's useful to know is how to enumerate the objects within a container ?e.g. the users within a group, or the computers within a domain. In this case, the code varies slightly depending on whether the container objects are members or children of the container. For example, users are members of a group, while groups are children of a domain. The code to enumerate the User members of the Administrators group looks like this:<HTML>
<BODY>
<%
Dim oGroup
Dim oMember
Set oGroup = GetObject("WinNT://DOMAIN/Administrators")
For Each oMember in oGroup.Members
Response.Write oMember.Name & "<BR>"
Next
%>
</BODY>
</HTML>
If we want to list the children of an object, it's a simple case of altering the For Each...Next loop to read as follows:Set oContainer = GetObject("WinNT://DOMAIN")
For Each oChild in oContainer
Response.Write oChild.Name & "<BR>"
Next
These really are the two key coding methods to appreciate in an ADSI page. With these techniques safely under your belt, it's a matter of finding out what properties and methods each object class supports. To do that, you can either consult the ADSI help files or write a quick ASP page to enumerate the members of the MandatoryProperties and OptionalProperties properties of the schema for that object's class.Suggested Applications
It may seem as though ADSI is oriented towards system administration ?indeed, the obvious application for ADSI may well be creating a remote administration kit. However, by adding ADSI and ADO to ASP (and we could throw a few other things into the pot too) we can use any of the resources that are accessible via ADSI, in any namespace, for many practical applications. For example:Personalized Intranet : Instead of creating a user database with ADO, you could extend the user schema with personalization properties using ADSI, and then refer to this information to personalize your intranet to the user's taste.
Automated website providers : With its access to the IIS:// namespace, you could create a request page for users who wish to create their own homepages. You can then use ADSI or the FileSystemObject object to create a new virtual or physical directory respectively on which to locate the home page, and pass details back to the requester explaining how to access that page.
Project management : A system could be set up such that each project in your company is represented by an 'ADSI Project Object' defined by the schema, with project-related status reports and facts defined as properties of the project object. Another property could perhaps point to a small database governed by ADO, which contains all communication about the project in a searchable format for reference purposes. This communication might take the form of many emails copied and put into the database using ADO and CDO.
ADSI is much more applicable than you might think. Moreover, with the approach of Web Based Enterprise Management (WBEM) (the ADSI counterpart for Enterprise management, finally heralded in with the release of Service Pack 4 for NT), we can expect ADSI's profile to keep on rising.I Need to Know More
ADSI 2.0 is available as a download from Microsoft's Backoffice download page at http://backoffice.microsoft.com/. In fact, ADSI comes in two different forms - the set of runtime libraries, and the SDK for writing your own namespace provider. To use ADSI with ASP, you need only the runtime libraries and the accompanying help files. However, it should be noted that the help files are intended to assist developers writing ADSI client applications in Visual Basic or C++.There is only one book on ADSI website programming at the moment ?its ADSI ASP Programmer's Reference by Steven Hahn (Wrox Press, 1998, ISBN 1-861001-69-X). However, there are a few sites on the web which provide ADSI references and help pages. 15seconds.com, for example, hosts an ADSI listserv for those with problems on which you'd like to canvas others' opinions. There is also one ADSI newsgroup ?news://microsoft.public.active.directory.interfaces/ which has an active stream of Q&A threads on it (though it's not as busy as one might expect). Microsoft hasn't exactly pushed ADSI as yet ?instead, it has been allowed simply to exist in the background until now. However, once Windows 2000 appears, we can expect that to change.
MSTOP(CJH) 老弟,那是EXCHANGE 2000 数据库,这样子不行的,要从AD信息里面取数据出来