Hi guys,

I have a little problem.

I'm trying to write a script to automatically move disabled accounts
onto the appropriate OU. The problem is, I do not want all the domain
users to be included in the search. Only from a given OU downwards.

So, I figured out two alternatives:

- do not use a dynamic bind to the directory but use a "hard-coded"
bind to the OU where the users to be searched exist.

- do a normal bind to the active directory and then set the scope
accordingly.

So my question is:
is it possible to bind to the current domain as follows:

Set objADsRootDSE = GetObject("GC://RootDSE")
strADsPath = "GC://" & objADsRootDSE.Get("rootDomainNamingContext")
strBase = "<" & strADsPath & ">"
Set objADsRootDSE = Nothing

And then tell ADO to perform the search only on a given path (see
strScope), ie:

strObjects = "(objectCategory=person)"
strFilter = "(&" & strObjects & ")"
strAttributes = "distinguishedName, userAccountControl, SAMAccountName, cn"
strScope = "ou=bla,dc=my,dc=domain,dc=org"
I tried like this but nothing, it does not work...
??????

Alternatively, I tried the second solution, ie to do a "hard" bind to
the domain:
Set objADsRootDSE = GetObject("LDAP://ou=bla,dc=my,dc=domain,dc=org")
And use the strScope = "subtree"
but the script still fails...

If anybody can help me on this matter I would be very grateful!

Thanks
Bar

Re: AD search using ADO....scope problem by Richard

Richard
Wed Sep 17 11:45:39 CDT 2003


Hi,

The ADO scope can be "subtree" or "oneLevel" or "base", but that's it. You
need to adjust strBase so it specifies the OU you want. You can have ADO
search from that base on down in the hierarchy by using scope "subtree".

strBase = "<LDAP://ou=bla,dc=my,dc=domain,dc=org>"

and then set:

strScope = "subtree"

From your terminology, I would expect code similar to:

strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";" & strScope
objCommand.CommandText = strQuery
Set objRecordSet = objCommand.Execute

Also, your strFilter will return all user and contact objects. I'm sure you
retrieve userAccountControl so you can enumerate all users (and contacts)
and test userAccountControl to determine which accounts are disabled.
However, you can also filter on userAccountControl. I would suggest:

strFilter = "(&(objectCategory=person)(objectClass=user)" _
    & "(userAccountControl:1.2.840.113556.1.4.803:=2))"
strAttributes = "distinguishedName,sAMAccountName,cn"

This will return user objects (not contacts) where the bit &H02 of
userAccountControl is set, meaning the account is disabled. I can only
describe the syntax as black magic, but it works great.

--
Richard
Microsoft MVP Scripting and ADSI
HilltopLab web site - http://www.rlmueller.net
--
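A complete script along the lines of Richard's answer, added here as an example and not code from the thread: it searches the OU from the question with the bitwise filter, re-tests the disabled bit on every hit, and moves the hits into a destination OU. The ou=Disabled destination DN and the DRY_RUN switch are assumptions; the OID 1.2.840.113556.1.4.803 is the LDAP_MATCHING_RULE_BIT_AND extensible match, which is the "black magic" that makes `:=2` mean "bit &H02 is set".

```vbscript
Option Explicit
' Added example (not code from the thread). The source OU is the one from the
' thread; the ou=Disabled destination OU and the DRY_RUN switch are assumptions.
Const ADS_UF_ACCOUNTDISABLE = &H2   ' bit 0x2 of userAccountControl
Const DRY_RUN = True                ' True: report only; False: actually move

Dim strBase, strTargetOU, strFilter, strAttributes, strScope
strBase     = "<LDAP://ou=bla,dc=my,dc=domain,dc=org>"        ' search from here on down
strTargetOU = "LDAP://ou=Disabled,dc=my,dc=domain,dc=org"     ' hypothetical destination
' 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND: matches when bit 0x2 is set
strFilter = "(&(objectCategory=person)(objectClass=user)" _
          & "(userAccountControl:1.2.840.113556.1.4.803:=2))"
strAttributes = "distinguishedName,sAMAccountName,userAccountControl"
strScope = "subtree"

Dim objConnection, objCommand, objRecordSet
Set objConnection = CreateObject("ADODB.Connection")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand = CreateObject("ADODB.Command")
Set objCommand.ActiveConnection = objConnection
objCommand.Properties("Page Size") = 1000   ' page results; default MaxPageSize is 1000 objects
objCommand.CommandText = strBase & ";" & strFilter & ";" & strAttributes & ";" & strScope
Set objRecordSet = objCommand.Execute

Dim objTargetOU, objUser, strDN, lngUAC, lngMoved
Set objTargetOU = GetObject(strTargetOU)
lngMoved = 0
Do Until objRecordSet.EOF
    strDN  = objRecordSet.Fields("distinguishedName").Value
    lngUAC = objRecordSet.Fields("userAccountControl").Value
    ' Re-test the bit in code so a mistyped filter can never move an enabled account
    If (lngUAC And ADS_UF_ACCOUNTDISABLE) <> 0 Then
        Set objUser = GetObject("LDAP://" & strDN)
        If LCase(objUser.Parent) = LCase(strTargetOU) Then   ' same serverless LDAP:// form assumed
            WScript.Echo "Already in target OU: " & strDN
        ElseIf DRY_RUN Then
            WScript.Echo "Would move: " & strDN
        Else
            objTargetOU.MoveHere objUser.ADsPath, vbNullString   ' keeps the existing RDN
            WScript.Echo "Moved: " & strDN
            lngMoved = lngMoved + 1
        End If
    End If
    objRecordSet.MoveNext
Loop
objRecordSet.Close
objConnection.Close
WScript.Echo "Disabled accounts moved: " & lngMoved
```

Run it with cscript so the per-account lines go to the console, and leave DRY_RUN at True until the reported list is the one you expect.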




Re: AD search using ADO....scope problem by barabba72

barabba72
Thu Sep 18 05:49:37 CDT 2003

Thank you Richard, your answer was very clear and useful !

Bar

"Richard Mueller [MVP]" <rlmueller@ameritech.net> wrote in message news:<eARKXtTfDHA.2576@TK2MSFTNGP11.phx.gbl>...