Set UNIX ID Script
This is an extensive script designed to set the UNIX attributes on user and group objects in Active Directory. It currently sets the attributes from the Microsoft Services for UNIX 3.5 (MSFU 3.5) schema extensions (msSFU30UidNumber, msSFU30GidNumber, msSFU30HomeDirectory, msSFU30LoginShell). It should be trivial to adapt it to the attributes in Windows Server 2003 R2 (the RFC 2307 names uidNumber, gidNumber, unixHomeDirectory and loginShell), MSFU 3.0 or other third-party schema extensions.
This script is designed to ease the pain of using Active Directory as your centralized account store. Every user and group must have a UNIX ID (UID or GID) assigned, along with some other metadata. Rather than using the antiquated NIS that Microsoft recommends with MSFU 3.5, we use nss_ldap with Kerberos authentication. Microsoft does supply a snap-in for Active Directory Users and Computers (nisprop.dll) that lets you set and modify these UNIX attributes, but in my environment this snap-in did not function correctly, and setting the attributes for a large number of users by hand would be quite tedious.
This script is designed to be called from the command line to set attributes for a specific user or group. For example:
cscript /nologo setuid.vbs jdoe user
This sets the UNIX attributes for the user jdoe. The UID assigned is the highest UID currently present in the directory plus one, or 10000 (defaultBaseID + 1) if no object has a UID yet; after writing, the script re-queries the directory to verify that the ID is still unique, and maxsetIDTries in the configuration bounds how many attempts it makes. The default shell (msSFU30LoginShell), default home directory (msSFU30HomeDirectory) and default GID (msSFU30GidNumber) are taken from the defaults defined as global variables.
Alternatively, you can set the UNIX attributes for all users and groups in your Active Directory tree with the following command:
cscript /nologo setuid.vbs ALL
This searches for all users and groups that do not currently have UNIX attributes defined and adds them. We have this command scheduled as a periodic job (cron-style) so that newly created users and groups receive attributes automatically.
Thirdly, it is possible to use this script directly from Active Directory Users and Computers as a replacement for the nisprop.dll snap-in. I would recommend using the snap-in if possible, but this script offers some benefits, such as letting you define sensible defaults. For details, see the source code.
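As an added illustration (this is not setuid.vbs and not code from the post), the allocation the post describes, done in PowerShell against the same MSFU 3.5 attributes: take the highest UID or GID in use plus one (or defaultBaseID + 1 when none exists), write it, then re-query the directory to confirm that no other object received the same number, retrying up to maxsetIDTries times. A second function lists every UID or GID held by more than one object, which is the check to run after this script and the ADUC snap-in have both been allocating numbers. The LDAP base, the DNs in the usage comment and the attribute table are assumptions; the table can be switched to the R2 names.

```powershell
# Added example, not part of setuid.vbs. Assumed values: $LdapBase, the DNs
# in the usage comment, and the attribute names in $Schema.
$LdapBase      = "LDAP://DC=DOMAIN,DC=COM"
$DefaultBaseId = 9999      # same meaning as defaultBaseID in the script
$MaxSetIdTries = 20        # same meaning as maxsetIDTries in the script

# MSFU 3.5 attribute names as used by the post; R2 equivalents in comments.
$Schema = @{
    uid   = "msSFU30UidNumber"      # R2: uidNumber
    gid   = "msSFU30GidNumber"      # R2: gidNumber
    shell = "msSFU30LoginShell"     # R2: loginShell
    home  = "msSFU30HomeDirectory"  # R2: unixHomeDirectory
}

# Class filter: exclude computer objects, which are also objectClass=user.
function Get-ClassFilter([string]$Class) {
    if ($Class -eq "group") { "(objectClass=group)" }
    else { "(&(objectCategory=person)(objectClass=user))" }
}

function Search-Ad([string]$Filter, [string[]]$Props) {
    $s = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$LdapBase)
    $s.Filter   = $Filter
    $s.PageSize = 1000      # paged search so more than 1000 objects come back
    foreach ($p in $Props) { [void]$s.PropertiesToLoad.Add($p) }
    $s.FindAll()
}

# Highest value of an ID attribute currently in the directory, or the base if none.
function Get-HighestId([string]$Class, [string]$Attr) {
    $max = $DefaultBaseId
    foreach ($r in (Search-Ad "(&$(Get-ClassFilter $Class)($Attr=*))" @($Attr))) {
        $v = [int]$r.Properties[$Attr][0]
        if ($v -gt $max) { $max = $v }
    }
    return $max
}

# Objects of $Class that carry $Attr = $Value; after our write this should be exactly one.
function Get-IdHolders([string]$Class, [string]$Attr, [int]$Value) {
    @(Search-Ad "(&$(Get-ClassFilter $Class)($Attr=$Value))" @("distinguishedName"))
}

function Set-UnixId([string]$Dn, [string]$Class) {
    $attr = if ($Class -eq "group") { $Schema.gid } else { $Schema.uid }
    $obj  = [ADSI]"LDAP://$Dn"
    for ($try = 1; $try -le $MaxSetIdTries; $try++) {
        $id = (Get-HighestId $Class $attr) + 1
        $obj.Put($attr, [int]$id)
        $obj.SetInfo()
        # Re-read after the write: another writer (a second run of this code,
        # or the ADUC UNIX Attributes tab) may have handed out the same number.
        if ((Get-IdHolders $Class $attr $id).Count -eq 1) { return $id }
        Write-Warning "$attr=$id was taken concurrently; retrying ($try/$MaxSetIdTries)"
    }
    throw "Could not allocate a unique $attr for $Dn after $MaxSetIdTries tries"
}

# Audit: every UID or GID value that more than one object carries.
function Find-DuplicateUnixIds {
    foreach ($pair in @(@("user", $Schema.uid), @("group", $Schema.gid))) {
        $class, $attr = $pair
        Search-Ad "(&$(Get-ClassFilter $class)($attr=*))" @("distinguishedName", $attr) |
            Group-Object { $_.Properties[$attr][0] } |
            Where-Object { $_.Count -gt 1 } |
            ForEach-Object {
                [pscustomobject]@{
                    Attribute = $attr
                    Value     = $_.Name
                    Objects   = @($_.Group | ForEach-Object { $_.Properties["distinguishedname"][0] })
                }
            }
    }
}

# Usage (constructed DNs):
#   Set-UnixId "CN=jdoe,OU=Staff,DC=DOMAIN,DC=COM" user
#   Set-UnixId "CN=sysadmins,OU=Groups,DC=DOMAIN,DC=COM" group
#   Find-DuplicateUnixIds | Format-Table -AutoSize
```

The verify-after-write step is the same ordering the script uses; it catches a collision but cannot prevent one, because two allocators can each read the same maximum before either writes. Running Find-DuplicateUnixIds on a schedule, and before trusting the IDs on the nss_ldap side, is the practical safeguard.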
Requirements:
- Active Directory schema extended with the Microsoft Services for UNIX 3.5 schema extensions
- Run by an account with permission to modify the targeted user and group objects. For the scheduled ALL run, which touches every user and group in the tree, delegate write access on just the msSFU30 attributes to a dedicated service account rather than running the job as a Domain Admin.
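One way to grant that permission narrowly, as an added example that is not part of the post: dsacls grants the service account write-property (WP) on only the four MSFU 3.5 attributes, inherited to user and group objects under each OU the ALL run covers. The account name, the OU DNs and the domain are assumptions.

```powershell
# Added example, not part of setuid.vbs. Assumed: the service account
# EXAMPLE\svc-setuid and the OUs below; attribute names are the MSFU 3.5 ones.
$Account    = "EXAMPLE\svc-setuid"
$UserAttrs  = "msSFU30UidNumber", "msSFU30GidNumber", "msSFU30HomeDirectory", "msSFU30LoginShell"
$GroupAttrs = "msSFU30GidNumber"
$Ous        = "OU=Staff,DC=EXAMPLE,DC=COM", "OU=Students,DC=EXAMPLE,DC=COM", "OU=Groups,DC=EXAMPLE,DC=COM"

foreach ($ou in $Ous) {
    # /I:S = inherit to sub-objects only; WP;<attr>;<class> = write that one
    # attribute on objects of that class. Reads are already allowed by default.
    foreach ($a in $UserAttrs)  { dsacls $ou /I:S /G "${Account}:WP;$a;user" }
    foreach ($a in $GroupAttrs) { dsacls $ou /I:S /G "${Account}:WP;$a;group" }
}

# Verify: list the ACEs on each OU that name the service account.
foreach ($ou in $Ous) { dsacls $ou | Select-String -SimpleMatch $Account }
```

The script's ALL mode searches the whole tree, so every OU that holds users or groups needs the delegation; an OU that is missed shows up as an access-denied error for those objects rather than as silent skipping.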
Instructions:
Modify the lines below to your desired settings and to match your environment:
' ---------------------------------------------------------
' Configuration Variables
' ---------------------------------------------------------
ldapBase = "DC=DOMAIN,DC=COM"
domainName = "DOMAIN"
defaultShell = "/bin/sh"
defaultGidNumber = "10000"
studentGidNumber = "10122"
defaultBaseHomeDir = "/home/staff/"
studentBaseHomeDir = "/home/student/"
studentIdentifier = "OU=Students"
alumnIdentifier = "OU=Alumn"
maxsetIDTries = 20
defaultBaseID = "9999"
Download:
setuid.vbs
Thank you so much. I saw your posting out on the nssldap mailing list. I was about 20% of the way through writing something like this. I need to change some of the behaviors but this will save me a ton of time!
Posted by Anonymous | 7:22 AM
Hi Walt. Seen your script, have not read it line for line yet. I have a similar script that reads users from a text file and adds UNIX attributes, with unique IDs (setting the next number and a +1 counter). The problem I have is that when I then go to ADUC and manually add UNIX attributes to a user via the GUI it gives a UID that I have already issued via the script. There is obviously something in AD storing this data. I was wondering whether you have come across this problem and found a resolution. Regards. PS: hope this makes sense!
Posted by Aaron Hossain | 5:00 AM
Hi Aaron.
I have indeed the same problem.
Where is nisprop.dll searching for the highest UID to set the next number?
Does anyone know where the default LoginShell and HomeDirectory used by nisprop.dll are stored? Or is it hard-coded in the DLL?
Marc.Wuyts@headbird.com
Posted by Anonymous | 5:17 AM
Hi,
Thanks for your useful script. I modified it to work with Windows 2003 R2. I'm trying to post the diff below; I will post the complete script later at my own website.
eemal@basement:~/setuid_script$ diff setuid-v1_4_w2k3r2.vbs setuid.vbs | more
5c5
< ' Version 1.4-w2k3r2
---
> ' Version 1.4
8,9c8
< ' Eelco Maljaars - 03/17/2008
< ' -modifications for SFU in Windows 2003r2
---
> '
63,65c62,64
< ldapBase = "DC=EXAMPLE,DC=COM"
< domainName = "EXAMPLE"
< defaultShell = "/bin/bash"
---
> ldapBase = "DC=DOMAIN,DC=COM"
> domainName = "DOMAIN"
> defaultShell = "/bin/sh"
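Review bot: ldapBase, domainName and defaultShell in this hunk (63,65c62,64) are site settings, not part of the R2 port; keep the DOMAIN placeholders and /bin/sh on the ported side so the published diff contains only the attribute renames, and if /bin/bash is meant to become the new default, say so in the header comment added in the 8,9c8 hunk.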
114c113
< allUsersWithoutUID = returnProperty("sAMAccountName", "User", "UidNumber", "*", "NOT")
---
> allUsersWithoutUID = returnProperty("sAMAccountName", "User", "msSFU30UidNumber", "*", "NOT")
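Review bot: "UidNumber" here (and "GidNumber" and "LoginShell" in the later hunks) works only because LDAP attribute names are matched case-insensitively; the R2 schema's lDAPDisplayNames are uidNumber, gidNumber, loginShell and unixHomeDirectory, and the port already uses unixHomeDirectory in that form in the 192,195c191,194 hunk, so use the canonical casing throughout rather than mixing the two.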
139c138
< allGroupsWithoutGID = returnProperty("sAMAccountName", "Group", "GidNumber", "*", "NOT")
---
> allGroupsWithoutGID = returnProperty("sAMAccountName", "Group", "msSFU30GidNumber", "*", "NOT")
192,195c191,194
< objectID = returnProperty("UidNumber", objectclass, "distinguishedName", objectDN, "")
< homeDirectory = returnProperty("unixHomeDirectory", objectclass, "distinguishedName", objectDN, "")
< loginShell = returnProperty("LoginShell", objectclass, "distinguishedName", objectDN, "")
< 'GidNumber = returnProperty("GidNumber", objectclass, "distinguishedName", objectDN, "")
---
> objectID = returnProperty("msSFU30UidNumber", objectclass, "distinguishedName", objectDN, "")
> homeDirectory = returnProperty("msSFU30HomeDirectory", objectclass, "distinguishedName", objectDN, "")
> loginShell = returnProperty("msSFU30LoginShell", objectclass, "distinguishedName", objectDN, "")
> 'GidNumber = returnProperty("msSFU30GidNumber", objectclass, "distinguishedName", objectDN, "")
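Review bot: the 'GidNumber = returnProperty(...) line is renamed but left commented out, so an object's existing gidNumber is still never read back before the adObj.Put "GidNumber", gidNumber in the 405,407c404,406 hunk; if that is intended, delete the dead line instead of carrying it through the port, and if not, enable it so a GID the snap-in already set is preserved.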
216c215
< End If
---
> End If
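Review bot: 216c215 shows End If on both sides, so this hunk is whitespace or indentation only; regenerate the port diff with diff -w (or fix the indentation in a separate change) so reviewers see only the functional renames.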
244c243
< checkCN = returnProperty("cn", objectclass, "UidNumber", newObjectID, "")
---
> checkCN = returnProperty("cn", objectclass, "msSFU30UidNumber", newObjectID, "")
264c263
< objectID = returnProperty("GidNumber", objectclass, "distinguishedName", objectDN, "")
---
> objectID = returnProperty("msSFU30GidNumber", objectclass, "distinguishedName", objectDN, "")
288c287
< checkCN = returnProperty("cn", objectclass, "GidNumber", newObjectID, "")
---
> checkCN = returnProperty("cn", objectclass, "msSFU30GidNumber", newObjectID, "")
405,407c404,406
< adObj.Put "GidNumber", gidNumber
< adObj.Put "unixHomeDirectory", homeDirectory
< adObj.Put "LoginShell", loginShell
---
> adObj.Put "msSFU30GidNumber", gidNumber
> adObj.Put "msSFU30HomeDirectory", homeDirectory
> adObj.Put "msSFU30LoginShell", loginShell
410c409
< adObj.Put "UidNumber", objectID
---
> adObj.Put "msSFU30UidNumber", objectID
413c412
< verifyUniqueID = returnProperty("UidNumber", objectclass, "UidNumber", objectID, "")
---
> verifyUniqueID = returnProperty("msSFU30UidNumber", objectclass, "msSFU30UidNumber", objectID, "")
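Review bot: the uniqueness check in this hunk still runs after the adObj.Put "UidNumber", objectID in 410c409 (and the same ordering holds for the GID check in 420c419), so two allocators can each pick the same number and the conflict is only detected after both have written it. On R2 the ADUC UNIX Attributes tab is such an allocator, and it does not derive its next number from the highest value in use (the collisions Aaron reports above); if the R2 NIS server's msSFU30MaxUidNumber and msSFU30MaxGidNumber counters are in use in the domain, the port should also advance them after a successful write, otherwise the snap-in will keep handing out numbers this script has already assigned.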
417c416
< adObj.Put "GidNumber", objectid
---
> adObj.Put "msSFU30GidNumber", objectid
420c419
< verifyUniqueID = returnProperty("GidNumber", objectclass, "GidNumber", objectID, "")
---
> verifyUniqueID = returnProperty("msSFU30GidNumber", objectclass, "msSFU30GidNumber", objectID, "")
489c488
< idnumber = "UidNumber"
---
> idnumber = "msSFU30UidNumber"
491c490
< idnumber = "GidNumber"
---
> idnumber = "msSFU30GidNumber"
Posted by Anonymous | 6:31 AM
Hmm, I'm not sure if my former comment made it. I took your script and updated it for Windows 2003 R2. The result can be found at http://eelco.maljaars.net/setuid-script-modified-for-windows-2003r2.html
one-time-email-12345@maljaars.net
Posted by Eelco | 6:54 AM
Many thanks to you. Such a great post. Actually, I'm very happy with your script, and I'm planning to use it on my site.
Posted by Gambel | 2:38 AM