I have multiple domains in our Active Directory like below:
pnc.com → root domain
europe.pnc.com → Child domain
asia.pnc.com → Child domain
americas.pnc.com → Child domain
I want a write a VBScript that can search for a user in entire forest and show me the location of the user object.
I have tried in the past searching like this but I had to give the exact domain name.
You need to enable referral chasing for subordinate domains:
Set rootDSE = GetObject("LDAP://RootDSE")
base = "<LDAP://" & rootDSE.Get("defaultNamingContext") & ">"
filter = "(&(objectClass=user)(objectCategory=Person))"
attr = "distinguishedName"
scope = "subtree"
Set conn = CreateObject("ADODB.Connection")
conn.Provider = "ADsDSOObject"
conn.Open "Active Directory Provider"
Set cmd = CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.Properties("Chase referrals") = &h20
cmd.CommandText = base & ";" & filter & ";" & attr & ";" & scope
Set rs = cmd.Execute
...
Back in the day I wrote a wrapper class for AD queries, which enables this by default:
'add/import class here
Set qry = New ADQuery
qry.Filter = "..."
qry.Attributes = Array("sAMAccountName", ...)
Set rs = qry.Execute
...
Related
I am creating a script that will allow me to enter a username in our domain, and have it look up attributes from their AD profile.
So first I am getting the users' DN. Once I have that - I can run;
Set objAD = CreateObject("ADSystemInfo")
Set objUser = GetObject("LDAP://" & ***I NEED DN HERE***)
and query specific attributes to be output.
So what I need to do is somehow get the DN into a variable to put into the LDAP query. I know (I think) I need to get it from the Do Loop below, but am having a complete blank and can't figure out how to just put the whole DN into a variable.
Username = InputBox("Enter UserName to lookup...")
Set rootDSE = GetObject("LDAP://RootDSE")
base = "<LDAP://" & rootDSE.Get("defaultNamingContext") & ">"
fltr = "(&(objectClass=user)(objectCategory=Person)" & "(sAMAccountName=" & UserName & "))"
attr = "distinguishedName,sAMAccountName"
scope = "subtree"
Set conn = CreateObject("ADODB.Connection")
conn.Provider = "ADsDSOObject"
conn.Open "Active Directory Provider"
Set cmd = CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandText = base & ";" & fltr & ";" & attr & ";" & scope
Set rs = cmd.Execute
Do Until rs.EOF
WScript.Echo rs.Fields("distinguishedName").Value
rs.MoveNext
Loop
rs.Close
conn.Close
In case anyone has the same problem - it was an easy fix.
Just needed to write it to a variable instead of echoing.
Do Until rs.EOF
strDN = rs.Fields("distinguishedname").value
rs.MoveNext
Loop
Set objDomain = GetObject("WinNT://abc.local")
For each objDomainItem in objDomain
if objDomainItem.Class = "User" then
'WScript.echo "Name: " & objDomainItem.Name + " : Full Name: " + objDomainItem.FullName
Set objUser = Nothing
err.clear
Set objUser = GetObject("LDAP://cn=" & objDomainItem.FullName & ",OU=IS, OU=Users, OU=ABC Company, DC=ABC, dc=local")
if err.number = 0 then
wscript.echo "distinguishedName: " & objUser.distinguishedName
end if
end if
Next
Right now, this works fine to list all users in the IS department (OU=IS). But when I take out "OU=IS" to list all users in all departments, it returns nothing; no user objects at all. The only way it will return the user object for the given fullName is if I also specify the OU that that user is contained in; but I do not have the OU to supply it.
Our AD structure is
ABC Company --> Users --> IS
ABC Company --> Users --> FINANCE
ABC Company --> Users --> Management
ABC Company --> Users --> Flight Operations
etc etc etc
I want to use the code above to enumerate all users from the "Users" level, down through ALL departments, but again, as soon as I remove "OU=IS", it returns nothing.
Any help?
Do a query with scope Subtree using an ADODB.Connection and an ADODB.Command object:
base = "<LDAP://OU=Users,OU=ABC Company,DC=ABC,DC=local>"
fltr = "(&(objectClass=user)(objectCategory=Person))"
attr = "distinguishedName,sAMAccountName"
scope = "subtree"
Set cn = CreateObject("ADODB.Connection")
cn.Provider = "ADsDSOObject"
cn.Open "Active Directory Provider"
Set cmd = CreateObject("ADODB.Command")
Set cmd.ActiveConnection = cn
cmd.CommandText = base & ";" & fltr & ";" & attr & ";" & scope
Set rs = cmd.Execute
Do Until rs.EOF
WScript.Echo rs.Fields("distinguishedName").Value
WScript.Echo rs.Fields("sAMAccountName").Value
rs.MoveNext
Loop
Add other attributes to attr as required (the variable contains a list of attribute names as a comma-separated string).
Since these queries require the same boilerplate code every time, I got fed up with writing it over and over again some time ago and wrapped it in a custom class (ADQuery) to simplify its usage:
'<-- paste or include class code here
Set qry = New ADQuery
qry.SearchBase = "OU=Users,OU=ABC Company,DC=ABC,DC=local"
qry.Attributes = Array("distinguishedName", "sAMAccountName")
Set rs = qry.Execute
Do Until rs.EOF
WScript.Echo rs.Fields("distinguishedName").Value
WScript.Echo rs.Fields("sAMAccountName").Value
rs.MoveNext
Loop
How can i get all user from Oracle Internet Directory using vbscript?
As far as I understand, OID is just another LDAP service so I assume it can be queried using code similar to this:
Const ADS_SCOPE_SUBTREE = 2
Set conn = CreateObject("ADODB.Connection")
Set cmd = CreateObject("ADODB.Command")
conn.Provider = "ADsDSOObject"
conn.Open "Active Directory Provider"
Set cmd.ActiveConnection = conn
cmd.Properties("Page Size") = 1000
cmd.Properties("Searchscope") = ADS_SCOPE_SUBTREE
cmd.CommandText = "SELECT Name FROM 'LDAP://dc=test,dc=com' WHERE objectCategory='user'"
Set rec = cmd.Execute
rec.MoveFirst
Do Until rec.EOF
Wscript.Echo rec.Fields("Name").Value
rec.MoveNext
Loop
But changing LDAP://dc=test,dc=com to what you need to use to bind to it properly.
Can ADO access attributes other that ADsPath and Name when bound to an LDAP server?
Below is the code I use to bind to and query a LDAP server on the internet:
Set ado = CreateObject("ADODB.Connection")
ado.Provider = "ADSDSOObject"
ado.Properties("User ID") = ""
ado.Properties("Password") = ""
ado.Properties("Encrypt Password") = False
ado.Open "NameSearch"
serverName = "xxxxxx.xxxx.xxx"
filterStr = "(objectClass=*)"
Set Ol= ado.Execute("<LDAP://" & serverName & ">;" & filterStr & ";ADsPath;SubTree")
While Not Ol
WScript.Echo Ol.Fields(0).value
Ol.MoveNext
Wend
Also how do assign the search base in the above code to "o= xxxxxx University;c=US"?
See How To Use ADO to Access Objects Through an ADSI LDAP Provider.
The connection object Execute method's
CommandText (first object) is an LDAP
query composed of four elements
separated by semicolons, in the
following format:
<LDAP://server/adsidn>;ldapfilter;attributescsv;scope
where adsidn is the distinguished name
(DN) of the starting point for your
query expressed ADsPath format with
"/" separators and the root of the
namespace to the left. You can also
use an X.500 style attributed name
format with the relative distinguished
names separated by commas and the root
of the name space to the right.
To return the ADsPath, class, and cn
attributes of all the objects in all
the recipient containers in an
Exchange server, you can use the
following CommandText (in URL format):
LDAP:; (objectClass=*);ADsPath,objectClass,cn;subtree
To put it all together,
Dim conn As ADODB.Connection
Dim rs As ADODB.Recordset
Set conn = New ADODB.Connection
conn.Provider = "ADSDSOObject"
conn.Open "ADs Provider"
Set rs = conn.Execute( _
"<LDAP://server/o=organization/o=xxxxxx University/c=US>;" _
& "(objectClass=*);ADsPath,objectClass,cn;subtree")
While Not rs.EOF
Debug.Print rs.Fields(0).Value, rs.Fields(1).Value, _
rs.Fields(2).Value
rs.MoveNext
Wend
conn.Close
In Active Directory, there is a tab called "Dial-In", and under that tab is a radio button control with three settings:
Allow Access
Deny Access
Control access through remote access policy
I'd like to write a VBScript to take a user name, and return the setting for that user.
(I'm actually modifying an existing VBScript, which is why I am forced to use that tool).
What is the best way to do that?
Here is the best solution I was able to come up with. It is easy to modify it to output the setting for all users.
Main
Function Main
'Usage: cscript /nologo lookup.vbs mydomain username
Wscript.Echo CanDialIn(Wscript.Arguments(0), Wscript.Arguments(1))
Main = 0
End Function
Function CanDialIn(domainname, username)
'Take a user name and query whether they have permission to Dial in or not
'http://www.microsoft.com/technet/scriptcenter/resources/qanda/aug05/hey0825.mspx
Const ADS_SCOPE_SUBTREE = 2
Dim objConnection
Dim objCommand
Dim objRecordSet
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
'Three possible values for msNPAllowDialin:
'TRUE = "Allow Access"
'FALSE = "Deny Access"
'EMPTY = "Control access through remote access policy"
objCommand.CommandText = _
"SELECT msNPAllowDialin FROM 'LDAP://dc=" & domainname & ",dc=com' WHERE objectCategory='user' AND sAMAccountName = '" & username & "'"
On Error Resume Next
Set objRecordSet = objCommand.Execute
if objRecordSet.EOF then
CanDialIn = "Could not find user " & username
else
if objRecordSet.Fields("msNPAllowDialin").Value = True then
CanDialIn = "Allow"
else
if objRecordSet.Fields("msNPAllowDialin").Value = False then
CanDialIn = "Deny"
else
CanDialIn = "Control"
end if
end if
end if
End Function