Re: How to change script to run thru multiple objects
- From: "Richard Mueller [MVP]" <rlmueller-nospam@xxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 1 May 2007 19:39:32 -0500
As noted, you can use ADO to retrieve information on all users in AD (or
users meeting some filter criteria). For more on using ADO to search AD, see
this link:
http://www.rlmueller.net/ADOSearchTips.htm
However, you must retrieve attribute values. PasswordLastChanged is a
property method, meaning it returns a value calculated from other attribute
values. It is a method of the user object, exposed by the IADsUser
interface. In this case the PasswordLastChanged property method converts the
value of the pwdLastSet attribute to a date/time in the current time zone.
ADO cannot cannot return this value. You would need to bind to each user
object to invoke the PasswordLastChanged property method. This would be
inefficient.
However, ADO can retrieve the value of pwdLastSet. It is Integer8, a 64-bit
value. You need special code to convert this to a date. Also, since the
value is in UTC, you must use the local time zone bias (stored in the local
registry) to convert to a date/time in the current time zone. I have an
example VBScript program that retrieves pwdLastSet for all users linked
here:
http://www.rlmueller.net/PwdLastChanged.htm
You would revise the "base" clause of the query (see the first link above)
to specify the Distingished Name of your OU. This would limit the query to
your specified OU. Your snippet correctly retrieves the value of maxPwdAge
from the domain object. This is also Integer8, but you correctly use the
IADsLargeInteger interface to convert the 64-bit value into days. You don't
account for a bug (inaccuracy) in the IADsLargeInteger methods, but that's
not a big problem, as the error is only 7 minutes 9.5 seconds. See this
link:
http://www.rlmueller.net/Integer8Attributes.htm
An example program that retrieves password information for one user and
determines if and when the password will expire is linked here:
http://www.rlmueller.net/User%20Password%20Info.htm
Between these examples you should be able to code what you want. Oh, one bit
of advice. Do not use "On Error Resume Next". It's very difficult to
troubleshoot scripts when all errors are ignored. If something is wrong, you
want to know it.
--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--
"Jeremy" <jeremy@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:2D9E8D0B-EB09-47CF-84F8-5A8BAC95CAF9@xxxxxxxxxxxxxxxx
Have a look at this, it returns all users in a Domain, you should be able
to incorporate both.
Cheers,
Jeremy.
-->8
On Error Resume Next
Const ADS_SCOPE_SUBTREE = 2
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
objCommand.CommandText = _
"SELECT Name FROM 'LDAP://dc=fabrikam,dc=com' WHERE
objectCategory='user'"
Set objRecordSet = objCommand.Execute
objRecordSet.MoveFirst
Do Until objRecordSet.EOF
Wscript.Echo objRecordSet.Fields("Name").Value
objRecordSet.MoveNext
Loop
-->8
"BookerT" <chipw@xxxxxxxxxx> wrote in message
news:1178028721.313912.301620@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Currently I have a script that will let me know when an individual
user inside of Active Directory password will change. I want to know
how to revise it to give me a report on all of the users in a
particular OU. The script is below:
On Error Resume Next
Const ADS_UF_DONT_EXPIRE_PASSWD = &h10000
Const E_ADS_PROPERTY_NOT_FOUND = &h8000500D
Const ONE_HUNDRED_NANOSECOND = .000000100
Const SECONDS_IN_DAY = 86400
Set objUser = GetObject("LDAP://
CN=user1,OU=MBA,OU=People,DC=fabrikamt,DC=gt,DC=edu")
intUserAccountControl = objUser.Get("userAccountControl")
If intUserAccountControl And ADS_UF_DONT_EXPIRE_PASSWD Then ' LINE
11
WScript.Echo "The password does not expire."
WScript.Quit
Else
dtmValue = objUser.PasswordLastChanged
If Err.Number = E_ADS_PROPERTY_NOT_FOUND Then ' LINE
16
WScript.Echo "The password has never been set."
WScript.Quit
Else
intTimeInterval = Int(Now - dtmValue)
WScript.Echo "The password was last set on " & _
DateValue(dtmValue) & " at " & TimeValue(dtmValue) & vbCrLf
& _
"The difference between when the password was last" & vbCrLf
& _
"set and today is " & intTimeInterval & " days"
End If
Set objDomain = GetObject("LDAP://DC=fabrikamt,DC=gt,DC=edu";)
Set objMaxPwdAge = objDomain.Get("maxPwdAge")
If objMaxPwdAge.LowPart = 0 Then
WScript.Echo "The Maximum Password Age is set to 0 in the " &
_
"domain. Therefore, the password does not
expire."
WScript.Quit
Else
dblMaxPwdNano = _
Abs(objMaxPwdAge.HighPart * 2^32 + objMaxPwdAge.LowPart)
dblMaxPwdSecs = dblMaxPwdNano * ONE_HUNDRED_NANOSECOND ' LINE
37
dblMaxPwdDays = Int(dblMaxPwdSecs / SECONDS_IN_DAY) ' LINE
38
WScript.Echo "Maximum password age is " & dblMaxPwdDays & "
days"
If intTimeInterval >= dblMaxPwdDays Then
WScript.Echo "The password has expired."
Else
WScript.Echo "The password will expire on " & _
DateValue(dtmValue + dblMaxPwdDays) & " (" & _
Int((dtmValue + dblMaxPwdDays) - Now) & " days from
today)."
End If
End If
End If
ANy ideas?
Thanks
.
- References:
- How to change script to run thru multiple objects
- From: BookerT
- Re: How to change script to run thru multiple objects
- From: Jeremy
- How to change script to run thru multiple objects
- Prev by Date: Re: (beta) -- Get longname of shortname, or get both from whatever mix...
- Next by Date: Re: AD Dump of all groups in an OU & their member of tab.
- Previous by thread: Re: How to change script to run thru multiple objects
- Next by thread: Re: Setting rights on an AD account using vb
- Index(es):
Relevant Pages
|
