本文介绍如何自动化创建计算机帐户。 描述两种方法：

•	Netdom
•	计算机帐户使用 ActiveDirectory 服务接口 (ADSI) 和 WindowsScriptHost 脚本

创建使用 " NETDOM " 计算机帐户

请注意， 您应该使用它是随 WindowsXPCD Support\Tools\Support.cab 文件中只是 netdom , WindowsXP 版本。 对于 WindowsXP 中所有功能无法正常工作版本。

可用于脚本计算机帐户创建 netdom 从命令行 （或可选从批处理文件调用它）。 本示例创建计算机帐户仅并显示如何指定授权用户有权在域中创建计算机帐户的凭据。 按照此 Netdom 命令语法的示例

netdom 加入 ComputerName /domain: DomainName / userd 用户 / passwordd UserPassword ::

用户 是用户有权加入域。

有关使用 NETDOM, 请单击下列文章编号以查看 Microsoft 知识库中相应：

150493 (http://support.microsoft.com/kb/150493/) 如何从命令行加入域

脚本使用 ADSI 和 WindowsScriptHost 计算机帐户

使用 Active Directory Services Interface (ADSI) 和 Windows Script Host (WSH), 管理员可以创建一个 VisualBasic 脚本 (VBScript) 来自动化创建计算机帐户。

有关 Visual Basic Scripting, 请访问 Microsoft Web 站点：

要使用此方法, 以下示例脚本中所述创建脚本并以 .vbs 扩展名保存文件。 要运行文件, 双击文件或在命令提示符处键入 cscript myscript.vbs 。

示例脚本

'***********************
'* Start Script
'***********************
Dim sComputerName, sUserOrGroup, sPath, computerContainer, rootDSE, lFlag
Dim secDescriptor, dACL, ACE, oComputer, sPwd
'*********************************************************************
'* Declare constants used in defining the default location for the
'* machine account, flags to identify the object as a machine account,
'* and security flags
'*********************************************************************
Const UF_WORKSTATION_TRUST_ACCOUNT = &H1000
Const UF_ACCOUNTDISABLE = &H2
Const ADS_GUID_COMPUTRS_CONTAINER = "aa312825768811d1aded00c04fd8d5cd"
Const ADS_ACETYPE_ACCESS_ALLOWED = 0
Const ADS_ACEFLAG_INHERIT_ACE = 2
'*********************************************************************
'* Set the flags on this object to identify it as a machine account
'* and determine the name.  The name is used statically here, but may
'* be determined by a command line parameter or by using an InputBox
'*********************************************************************
lFlag = UF_WORKSTATION_TRUST_ACCOUNT Or UF_ACCOUNTDISABLE
sComputerName = "TestAccount"
'*********************************************************************
'* Establish a path to the container in the Active Directory where
'* the machine account will be created.  In this example, this will
'* automatically locate a domain controller for the domain, read the
'* domain name, and bind to the default "Computers" container
'*********************************************************************
Set rootDSE = GetObject("LDAP://RootDSE")
sPath = "LDAP://<WKGUID=" & ADS_GUID_COMPUTRS_CONTAINER
sPath = sPath + ","
sPath = sPath + rootDSE.Get("defaultNamingContext")
sPath = sPath + ">"
Set computerContainer = GetObject(sPath)
sPath = "LDAP://" & computerContainer.Get("distinguishedName")
Set computerContainer = GetObject(sPath)
'*********************************************************************
'* Here, the computer account is created.  Certain attributes must
'* have a value before calling .SetInfo to commit (write) the object
'* to the Active Directory
'*********************************************************************
Set oComputer = computerContainer.Create("computer", "CN=" & sComputerName)
oComputer.Put "samAccountName", sComputerName + "$"
oComputer.Put "userAccountControl", lFlag
oComputer.SetInfo
'*********************************************************************
'* Establish a default password for the machine account
'*********************************************************************
sPwd = sComputerName & "$"
sPwd = LCase(sPwd)
oComputer.SetPassword sPwd
'*********************************************************************
'* Specify which user or group may activate/join this computer to the
'* domain.  In this example, "MYDOMAIN" is the domain name and
'* "JoeSmith" is the account being given the permission.  Note that
'* this is the downlevel naming convention used in this example.
'*********************************************************************
sUserOrGroup = "MYDOMAIN\joesmith"
'*********************************************************************
'* Bind to the Discretionary ACL on the newly created computer account
'* and create an Access Control Entry (ACE) that gives the specified
'* user or group full control on the machine account
'*********************************************************************
Set secDescriptor = oComputer.Get("ntSecurityDescriptor")
Set dACL = secDescriptor.DiscretionaryAcl
Set ACE = CreateObject("AccessControlEntry")
'*********************************************************************
'* An AccessMask of "-1" grants Full Control
'*********************************************************************
ACE.AccessMask = -1
ACE.AceType = ADS_ACETYPE_ACCESS_ALLOWED
ACE.AceFlags = ADS_ACEFLAG_INHERIT_ACE
'*********************************************************************
'* Grant this control to the user or group specified earlier.
'*********************************************************************
ACE.Trustee = sUserOrGroup
'*********************************************************************
'* Now, add this ACE to the DACL on the machine account
'*********************************************************************
dACL.AddAce ACE
secDescriptor.DiscretionaryAcl = dACL
'*********************************************************************
'* Commit (write) the security changes to the machine account
'*********************************************************************
oComputer.Put "ntSecurityDescriptor", Array(secDescriptor)
oComputer.SetInfo
'*********************************************************************
'* Once all parameters and permissions have been set, enable the
'* account.
'*********************************************************************
oComputer.AccountDisabled = False
oComputer.SetInfo
'*********************************************************************
'* Create an Access Control Entry (ACE) that gives the specified user
'* or group full control on the machine account
'*********************************************************************
wscript.echo "The command completed successfully."
'*****************
'* End Script
'*****************

Microsoft 提供编程示例仅, 供图示不附带任何明示或暗示。 这包括, 但不仅限于, 适销性或用于特定目的适用性的暗示保证。 本文假定您已熟悉与正在演示编程语言以及工具来调试过程来创建和使用。 Microsoft 支持工程师可以帮助解释功能的特定过程, 但它们将会修改这些示例以提供添加功能或构建过程以满足特定要求。

有关 UserAccountControl 标志, 请单击下列文章编号以查看 Microsoft 知识库中相应：

305144 (http://support.microsoft.com/kb/305144/) 如何使用 UserAccountControl 标志来操纵用户帐户属性