''* Here, the computer account is created. Certain attributes must
'* have a value before calling .SetInfo to commit (write) the object
'* to the Active Directory
'Set oComputer = computerContainer.Create("computer", "CN=" & sComputerName)
oComputer.Put "samAccountName", sComputerName + "$"
oComputer.Put "userAccountControl", lFlag
oComputer.SetInfo
'
'* Establish a default password for the machine account
'sPwd = sComputerName & "$"
sPwd = LCase(sPwd)
oComputer.SetPassword sPwd
''* Specify which user or group may activate/join this computer to the
'* domain. In this example, "MYDOMAIN" is the domain name and
'* "JoeSmith" is the account being given the permission. Note that
'* this is the downlevel naming convention used in this example.
'sUserOrGroup = "MYDOMAINjoesmith"
''* Bind to the Discretionary ACL on the newly created computer account
'* and create an Access Control Entry (ACE) that gives the specified
'* user or group full control on the machine account
'Set secDescriptor = oComputer.Get("ntSecurityDescriptor")
Set dACL = secDescriptor.DiscretionaryAcl
Set ACE = CreateObject("AccessControlEntry")
'
'* An AccessMask of "-1" grants Full Control
'
ACE.AccessMask = -1
ACE.AceType = ADS_ACETYPE_ACCESS_ALLOWED
ACE.AceFlags = ADS_ACEFLAG_INHERIT_ACE
''* Grant this control to the user or group specified earlier.
'ACE.Trustee = sUserOrGroup
'
'* Now, add this ACE to the DACL on the machine account
'dACL.AddAce ACE
secDescriptor.DiscretionaryAcl = dACL
'
'* Commit (write) the security changes to the machine account
'oComputer.Put "ntSecurityDescriptor", Array(secDescriptor)
oComputer.SetInfo
