vbscript 10 active directory filter

  • Question

  • I have the following requirement:

    VBScript: LDAP custom filter queries, trying to search for all computers in the domain but excluding an OU from distinguishedName.

    Somehow the following code is not working. It's either failing or not giving any records.

    strFilter = "(&(objectClass=computer) (!(distinguishedName=*,OU=Computers*)))"

    Please advise.

    • Moved by Dave Patrick (MVP), Thursday, October 25, 2018 9:01 PM (not reporting forums profile issues)
    Thursday, October 25, 2018 8:52 PM

Answers

  • I'd ask for help over here.

    https://social.technet.microsoft.com/Forums/en-US/home?forum=ITCG

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserverDS

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=ADFS

     



    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows Server] Datacenter Management

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Thursday, October 25, 2018 9:01 PM
  • This question should be asked in a scripting forum:

    https://social.technet.microsoft.com/Forums/en-US/home?forum=ITCG

    Wildcard characters are not allowed in any filters involving LDAP syntax attributes, such as distinguishedName. You can assign a base for the query, which would be the full distinguished name of an OU or container, and a scope. A scope of subtree (the default) means to query all child OUs/containers of the base. A scope of oneLevel means to only query objects in the base.

    In PowerShell, a workaround would be to pipe the results of the query to a Where clause, where wildcard characters are allowed in the distinguishedNames. In VBScript you can enumerate the result set and remove rows where the distinguishedName includes a specified string.

    Edit: Not tested, but code similar to below, using the InStr function to only output if the DN does not include the string should work:

    Option Explicit
    
    Dim adoCommand, adoConnection, strBase, strFilter, strAttributes
    Dim objRootDSE, strDNSDomain, strQuery, adoRecordset, strDN
    Dim strNTName
    
    ' Setup ADO objects.
    Set adoCommand = CreateObject("ADODB.Command")
    Set adoConnection = CreateObject("ADODB.Connection")
    adoConnection.Provider = "ADsDSOObject"
    adoConnection.Open "Active Directory Provider"
    Set adoCommand.ActiveConnection = adoConnection
    
    ' Search entire Active Directory domain.
    Set objRootDSE = GetObject("LDAP://RootDSE")
    strDNSDomain = objRootDSE.Get("defaultNamingContext")
    strBase = "<LDAP://" & strDNSDomain & ">"
    
    ' Filter on computer objects.
    strFilter = "(objectCategory=computer)"
    
    ' Comma delimited list of attribute values to retrieve.
    strAttributes = "distinguishedName,sAMAccountName"
    
    ' Construct the LDAP syntax query.
    strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
    adoCommand.CommandText = strQuery
    adoCommand.Properties("Page Size") = 100
    adoCommand.Properties("Timeout") = 30
    adoCommand.Properties("Cache Results") = False
    
    ' Run the query.
    Set adoRecordset = adoCommand.Execute
    
    ' Enumerate the resulting recordset.
    Do Until adoRecordset.EOF
        ' Retrieve values.
        strNTName = adoRecordset.Fields("sAMAccountName").Value
        strDN = adoRecordset.Fields("distinguishedName").Value
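        ' InStr is case-sensitive by default; use vbTextCompare so "OU=" and "ou=" both match.
        If (InStr(1, strDN, ",ou=Computers,", vbTextCompare) = 0) Then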
            Wscript.Echo strDN & " (" & strNTName & ")"
        End If
        ' Move to the next record in the recordset.
        adoRecordset.MoveNext
    Loop
    
    ' Clean up.
    adoRecordset.Close
    adoConnection.Close


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)



    Thursday, October 25, 2018 9:05 PM
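
Added example, not part of the original answer: the PowerShell workaround mentioned above, written so that the exclusion matches the full DN of the excluded OU (case-insensitively) rather than a substring, which keeps an inventory or audit query from silently dropping a same-named OU elsewhere in the tree. The function name Test-DnUnderOu, the example.com domain and the sample DNs are assumptions constructed for illustration.

```powershell
# Added example: client-side exclusion of one OU subtree from a computer query.
# Test-DnUnderOu is a hypothetical helper; $ExcludedOu and the DNs are constructed.
function Test-DnUnderOu {
    param(
        [Parameter(Mandatory)] [string] $DistinguishedName,
        [Parameter(Mandatory)] [string] $OuDn
    )
    # An object is inside the OU subtree when its DN ends with ",<OU DN>".
    # DN matching is case-insensitive, so compare with OrdinalIgnoreCase.
    return $DistinguishedName.EndsWith(
        ",$OuDn", [System.StringComparison]::OrdinalIgnoreCase)
}

$ExcludedOu = 'OU=Computers,DC=example,DC=com'

# Constructed sample input standing in for query results.
$sampleDns = @(
    'CN=WS01,OU=Computers,DC=example,DC=com',            # directly in the excluded OU
    'CN=WS02,ou=Kiosks,ou=computers,dc=example,dc=com',  # child OU, lower-case DN
    'CN=SRV01,OU=Servers,DC=example,DC=com',             # different OU
    'CN=WS03,OU=Computers,OU=Branch,DC=example,DC=com'   # same OU name, different parent
)

# Keep only the DNs that are not under the excluded OU.
$kept = $sampleDns | Where-Object {
    -not (Test-DnUnderOu -DistinguishedName $_ -OuDn $ExcludedOu)
}
$kept

# Against a live domain (requires the ActiveDirectory module), the same
# predicate is applied to the Get-ADComputer output:
# Get-ADComputer -Filter * |
#     Where-Object { -not (Test-DnUnderOu -DistinguishedName $_.DistinguishedName -OuDn $ExcludedOu) } |
#     Select-Object DistinguishedName, SamAccountName
```

A substring test such as `-notlike '*,OU=Computers,*'` would also exclude the last sample DN, because it matches any OU named Computers regardless of its parent.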
