
AD search using ADO....scope problem

Hi guys,

I have a little problem.

I'm trying to write a script to automatically move disabled accounts onto the appropriate OU. The problem is, I do not want all the domain users to be included in the search, only from a given OU downwards.

So, I figured out two alternatives:

- do not use a dynamic bind to the directory but use a "hard-coded" bind to the OU where the users to be searched exist.

- do a normal bind to the active directory and then set the scope accordingly.

So my question is: is it possible to bind to the current domain as follows:

Set objADsRootDSE = GetObject("GC://RootDSE")
strADsPath = "GC://" & objADsRootDSE.Get("rootDomainNamingContext")
strBase = "<" & strADsPath & ">"
Set objADsRootDSE = Nothing

And then tell ADO to perform the search only on a given path (see strScope), i.e.:

strObjects = "(objectCategory=person)"
strFilter = "(&" & strObjects & ")"
strAttributes = "distinguishedName, userAccountControl, SAMAccountName, cn"
strScope = "ou=bla,dc=my,dc=domain,dc=org"

I tried like this but nothing, it does not work...
??????

Alternatively, I tried the second solution, i.e. to do a "hard" bind to the domain:

Set objADsRootDSE = GetObject("LDAP://ou=bla,dc=my,dc=domain,dc=org")

And use strScope = "subtree", but the script still fails...

If anybody can help me on this matter I would be very grateful!

Thanks
Bar



Re: AD search using ADO....scope problem

barabba wrote:

> I'm trying to write a script to automatically move disabled accounts
> onto the appropriate OU. The problem is, I do not want all the domain
> users to be included in the search. Only from a given OU downwards.
>
> So, I figured out two alternatives:
>
> - do not use a dynamic bind to the directory but use a "hard-coded"
> bind to the OU where the users to be searched exist.
>
> - do a normal bind to the active directory and then set the scope
> accordingly.
>
> So my question is:
> is it possible to bind to the current domain as follows:
>
> Set objADsRootDSE = GetObject("GC://RootDSE")
> strADsPath = "GC://" & objADsRootDSE.Get("rootDomainNamingContext")
> strBase = "<" & strADsPath & ">"
> Set objADsRootDSE = Nothing
>
> And then tell ADO to perform the search only on a given path (see
> strScope), ie:
>
> strObjects = "(objectCategory=person)"
> strFilter = "(&" & strObjects & ")"
> strAttributes = "distinguishedName, userAccountControl, SAMAccountName, cn"
> strScope = "ou=bla,dc=my,dc=domain,dc=org"
> I tried like this but nothing, it does not work...
> ??????
>
> Alternatively, I tried the second solution, ie to do a "hard" bind to
> the domain:
> Set objADsRootDSE = GetObject("LDAP://ou=bla,dc=my,dc=domain,dc=org")
> And use the strScope = "subtree"
> but the script still fails...
>
> If anybody can help me on this matter I would be very grateful!


Hi,

The ADO scope can be "subtree" or "oneLevel" or "base", but that's it. You need to adjust strBase so it specifies the OU you want. You can have ADO search from that base on down in the hierarchy by using scope "subtree".

strBase = "<LDAP://ou=bla,dc=my,dc=domain,dc=org>"

and then set:

strScope = "subtree"

From your terminology, I would expect code similar to:

strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";" & strScope
objCommand.CommandText = strQuery
Set objRecordSet = objCommand.Execute

Also, your strFilter will return all user and contact objects. I'm sure you retrieve userAccountControl so you can enumerate all users (and contacts) and test userAccountControl to determine which accounts are disabled. However, you can also filter on userAccountControl. I would suggest:

strFilter = "(&(objectCategory=person)(objectClass=user)" _
    & "(userAccountControl:1.2.840.113556.1.4.803:=2))"
strAttributes = "distinguishedName,sAMAccountName,cn"

This will return user objects (not contacts) where the bit &H02 of userAccountControl is set, meaning the account is disabled. I can only describe the syntax as black magic, but it works great.



--
Richard
Microsoft MVP Scripting and ADSI
HilltopLab web site - www.rlmueller.net
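As an added example (not code from the thread, and in Python rather than the posts' VBScript), the following builds the four-part ADO command text from Richard's answer and emulates, on constructed directory entries, which objects the base/oneLevel/subtree scopes and the bit-AND filter on userAccountControl select. The DN handling is a simplified emulation for illustration, not a real LDAP client, and the entries are constructed.

```python
# Added example (not from the thread): builds the ADO LDAP-dialect command text
# Richard describes and emulates, on constructed entries, which objects the
# base/oneLevel/subtree scopes and the bit-AND userAccountControl filter select.
# The DN handling is a simplified emulation, not a real LDAP client.

ACCOUNTDISABLE = 0x2  # userAccountControl flag: account is disabled
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"

def build_command_text(base_dn, scope="subtree"):
    """Return the four-part ADO string: <base>;filter;attributes;scope."""
    if scope not in ("base", "oneLevel", "subtree"):
        raise ValueError("scope must be base, oneLevel or subtree")
    ldap_filter = ("(&(objectCategory=person)(objectClass=user)"
                   "(userAccountControl:%s:=%d))"
                   % (LDAP_MATCHING_RULE_BIT_AND, ACCOUNTDISABLE))
    attributes = "distinguishedName,sAMAccountName,cn"
    return "<LDAP://%s>;%s;%s;%s" % (base_dn, ldap_filter, attributes, scope)

def in_scope(dn, base_dn, scope):
    """Simplified check of how each scope relates an object's DN to the base."""
    dn_l, base_l = dn.lower(), base_dn.lower()
    if dn_l == base_l:                      # the base object itself
        return scope in ("base", "subtree")
    if scope == "base" or not dn_l.endswith("," + base_l):
        return False                        # outside the base container
    # subtree: any depth below the base; oneLevel: exactly one RDN above it
    return scope == "subtree" or "," not in dn_l[:-len(base_l) - 1]

def is_disabled_user(obj):
    """The filter's three clauses: person category, user class, bit 0x2 set."""
    return (obj["objectCategory"] == "person" and "user" in obj["objectClass"]
            and obj["userAccountControl"] & ACCOUNTDISABLE != 0)

def find_disabled(objects, base_dn, scope="subtree"):
    # DNs of disabled user objects within the requested scope of base_dn
    return sorted(o["distinguishedName"] for o in objects
                  if in_scope(o["distinguishedName"], base_dn, scope)
                  and is_disabled_user(o))

def _entry(dn, uac, classes=("top", "person", "organizationalPerson", "user")):
    return {"distinguishedName": dn, "objectCategory": "person",
            "objectClass": list(classes), "userAccountControl": uac}

BASE = "OU=bla,DC=my,DC=domain,DC=org"
SAMPLE = [  # constructed directory contents; 0x200 is NORMAL_ACCOUNT
    _entry("CN=Alice,OU=bla,DC=my,DC=domain,DC=org", 0x200),           # enabled
    _entry("CN=Bob,OU=bla,DC=my,DC=domain,DC=org", 0x202),             # disabled
    _entry("CN=Carol,OU=sub,OU=bla,DC=my,DC=domain,DC=org", 0x10202),  # disabled, nested
    _entry("CN=Dave,OU=other,DC=my,DC=domain,DC=org", 0x202),          # disabled, outside
    _entry("CN=Eve,OU=bla,DC=my,DC=domain,DC=org", 0x202, ("top", "person", "contact")),
]
```

Against a real directory the string from build_command_text is what goes into objCommand.CommandText; the emulation only shows why the OU belongs in strBase and not in strScope.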


Re: AD search using ADO....scope problem

Thank you Richard, your answer was very clear and useful!

Bar

"Richard Mueller [MVP]" <rlmueller@ameritech.net> wrote in message news:<eARKXtTfDHA.2576@TK2MSFTNGP11.phx.gbl>...
