Re: Open to suggestions



Steve wrote:

Across a few domains with no trust relationships, I would like to be able to
audit the usage of roaming profiles. Specifically, I would like to be able
to query an OU similar to each domain -
exampledomain\MyBusiness\Users\SBSUsers. (Common to any SBS 2003 domain).

My intention is to have a script that will query the AD profile attribute
for each user object in the OU, and if a user account does not have a
profile path set, write a specific event to the Application Log (which in
turn, would be picked up by a monitoring application that watches the event
logs).

I'm a scripting neophyte, looking for any suggestions, or possibly a
ready-script if someone has one sitting around.


If there is no trust relationship, you will have to authenticate with a
username and password. Perhaps you can pass credentials to an ADO connection
object and use ADO to retrieve the information. To filter on users that do
not have a value assigned to the profilePath attribute, I would define:

strFilter = "(&(objectCategory=Person)(objectClass=user)(!profilePath=*))"

You can use the LogEvent method of the wshShell method to write events to
the application log. In the example below, the users with no profilePath are
echoed to the screen, assuming the script is run at a command prompt. The
output can be redirected to a text file.
================
Option Explicit

Dim strOU, objConnection
Dim strBase, strFilter, strAttributes, strQuery, objRecordSet
Dim strNTName, strDN
Dim objShell

' Hard code Distinguished Name of OU.
strOU = "ou=Sales,ou=West,dc=MyDomain,dc=com"

' Use ADO to search Active Directory.
Set objRecordset = CreateObject("ADODB.Recordset")
Set objConnection = CreateObject("ADODB.Connection")
objConnection.Provider = "ADsDSOObject"
' Specify credentials.
objConnection.Properties("User ID") = "cn=Administrator,cn=Users,dc=MyDomain,dc=com"
objConnection.Properties("Password") = "xyz12345"
objConnection.Properties("Encrypt Password") = True
objConnection.Open "Active Directory Provider"
objRecordset.ActiveConnection = objConnection

' Search entire OU.
strBase = "<LDAP://" & strOU & ">"

' Filter on user objects with no profile path.
strFilter = "(&(objectCategory=person)(objectClass=user)(!profilePath=*))"

' Comma delimited list of attribute values to retrieve.
strAttributes = "sAMAccountName,distinguishedName"

' Construct the ADO query, using LDAP syntax.
strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"

' Run the query.
objRecordset.Source = strQuery
objRecordset.Open

' Enumerate the recordset and output the values retrieved.
Do Until objRecordSet.EOF
    strNTName = objRecordSet.Fields("sAMAccountName").Value
    strDN = objRecordSet.Fields("distinguishedName").Value
    Wscript.Echo strNTName & " ; " & strDN
    objRecordSet.MoveNext
Loop
objRecordSet.Close

' Clean up.
objConnection.Close
Set objConnection = Nothing
Set objRecordSet = Nothing
=========
To instead write events to the application log, use a loop similar to:
===========
Const Event_Warning = 2

Set objShell = CreateObject("Wscript.Shell")

' Enumerate the recordset and log a warning event for each user retrieved.
Do Until objRecordSet.EOF
    strNTName = objRecordSet.Fields("sAMAccountName").Value
    objShell.LogEvent Event_Warning, strNTName & " has no profilePath"
    objRecordSet.MoveNext
Loop
objRecordSet.Close
===========
By default, the above will write the event to the application log of the
computer where the script runs. You can also specify a different computer.
See this link for more info on writing events to the application log.

http://www.microsoft.com/technet/scriptcenter/guide/sas_log_akqy.mspx

For more on using ADO to query AD, see this link:

http://www.rlmueller.net/ADOSearchTips.htm

--
Richard
Microsoft MVP Scripting and ADSI
Hilltop Lab web site - http://www.rlmueller.net
--
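
An added example, not part of the reply above: one way to run the same query against several untrusted domains in a single pass, logging an Error event when a bind or query fails so that the monitoring application does not read silence as "every user has a profile path". The domain controller names, the ProfileAudit account and the domain names are constructed placeholders; the server-bound LDAP path and the password prompt (which works under cscript only) are assumptions of this sketch.

```vbscript
Option Explicit
Const EVENT_ERROR = 1
Const EVENT_WARNING = 2
Dim objShell, arrTargets, strTarget, arrParts, strPassword
Set objShell = CreateObject("Wscript.Shell")

' Constructed sample targets, one per untrusted domain:
' "domain controller|OU distinguished name|bind account distinguished name"
arrTargets = Array( _
    "dc1.domaina.local|ou=SBSUsers,ou=Users,ou=MyBusiness,dc=domaina,dc=local|cn=ProfileAudit,cn=Users,dc=domaina,dc=local", _
    "dc1.domainb.local|ou=SBSUsers,ou=Users,ou=MyBusiness,dc=domainb,dc=local|cn=ProfileAudit,cn=Users,dc=domainb,dc=local")

For Each strTarget In arrTargets
    arrParts = Split(strTarget, "|")
    ' Read the password at run time (cscript only) rather than storing it in the script.
    WScript.StdOut.Write "Password for " & arrParts(2) & ": "
    strPassword = WScript.StdIn.ReadLine
    AuditOU arrParts(0), arrParts(1), arrParts(2), strPassword
Next

Sub AuditOU(strServer, strOU, strUser, strPwd)
    Dim objConnection, objRecordSet, strQuery

    On Error Resume Next
    Set objConnection = CreateObject("ADODB.Connection")
    objConnection.Provider = "ADsDSOObject"
    objConnection.Properties("User ID") = strUser
    objConnection.Properties("Password") = strPwd
    objConnection.Properties("Encrypt Password") = True
    objConnection.Open "Active Directory Provider"
    ' Name the server in the path: without a trust, the local domain cannot locate it.
    strQuery = "<LDAP://" & strServer & "/" & strOU & ">;" & _
        "(&(objectCategory=person)(objectClass=user)(!profilePath=*));" & _
        "sAMAccountName;subtree"
    Set objRecordSet = objConnection.Execute(strQuery)
    If Err.Number <> 0 Then
        ' A failed bind or query must not look like "no users found".
        objShell.LogEvent EVENT_ERROR, "Profile audit failed for " & strServer & ": " & Err.Description
        Exit Sub
    End If
    On Error GoTo 0

    Do Until objRecordSet.EOF
        objShell.LogEvent EVENT_WARNING, objRecordSet.Fields("sAMAccountName").Value & " has no profilePath (" & strServer & ")"
        objRecordSet.MoveNext
    Loop
    objRecordSet.Close
    objConnection.Close
End Sub
```

The bind account only needs read access to the OU, so a dedicated low-privilege account can take the place of the Administrator account for this audit.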

