Re: script to retrieve active users that are not in a specific OU
- From: "Richard Mueller [MVP]" <rlmueller-nospam@xxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 19 Jul 2007 11:57:51 -0500
You are using SQL syntax in your query, which is fine, but there is no way I
know of to query based on bits of userAccountControl with SQL syntax. I use
LDAP syntax for AD. For more information see this link:
http://www.rlmueller.net/ADOSearchTips.htm
There still is no way to exclude OU's in the query, so you will need to test
when the recordset is enumerated. I would suggest code similar to:
===================
Option Explicit
Dim adoCommand, adoConnection, strBase, strFilter, strAttributes
Dim objRootDSE, strDNSDomain, strQuery, adoRecordset, strNTName
Dim strUserDN, objUser, objParent, strOU
' Setup ADO objects.
Set adoCommand = CreateObject("ADODB.Command")
Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Open "Active Directory Provider"
adoCommand.ActiveConnection = adoConnection
' Search entire Active Directory domain.
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")
strBase = "<LDAP://" & strDNSDomain & ">"
' Filter on active user objects.
strFilter = "(&(objectCategory=person)(objectClass=user)" _
& "(!userAccountControl:1.2.840.113556.1.4.803:=2))"
' Comma delimited list of attribute values to retrieve.
strAttributes = "distinguishedName,sAMAccountName"
' Construct the LDAP syntax query.
strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
adoCommand.CommandText = strQuery
adoCommand.Properties("Page Size") = 100
adoCommand.Properties("Timeout") = 30
adoCommand.Properties("Cache Results") = False
' Run the query.
Set adoRecordset = adoCommand.Execute
' Enumerate the resulting recordset.
Do Until adoRecordset.EOF
    ' Retrieve values and display.
    strNTName = adoRecordset.Fields("sAMAccountName").Value
    strUserDN = adoRecordset.Fields("distinguishedName").value
    Set objUser = GetObject("LDAP://" & strUserDN)
    Set objParent = GetObject(objUser.Parent)
    strOU = objParent.Get("Name")
    If (LCase(strOU) <> "skipou") Then
        Wscript.Echo "NT Name: " & strNTName
    End If
    ' Move to the next record in the recordset.
    adoRecordset.MoveNext
Loop
' Clean up.
adoRecordset.Close
adoConnection.Close
===================
--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--
"abjt" <abjt@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:0548A21C-4AF6-4F1A-9DA8-C6287204BA56@xxxxxxxxxxxxxxxx
Thanks for the reply!
I mean a specific OU which contains users that I do not need to create home
folder for.
Part of my code is:
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection
objCommand.CommandText = _
"Select sAMAccountName from " & _
"'LDAP://DC=mydomain,DC=mycompany,DC=com' where objectCategory='user' "
I wanted to use the query to select all users that are active, not builtin
accounts, not in the OU that I specify.
I am not very familiar with ldap. How should I use the information you
suggested in the query?
Thanks much!
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
Set objRecordSet = objCommand.Execute
"Richard Mueller [MVP]" wrote:
abjt wrote:
Hello, I need to retrieve all the users that are
- active (not disabled)
- not builtin accounts (like Administrator)
- not in an organization unit
in my VBScript in order to create home folders for those users. Does anyone
know how to build the LDAP query?
Thank you!
The best way I know to distinguish "builtin" accounts is that they are in
the cn=Users container. I create all other users in OU's. Otherwise, I
cannot think of a way to skip these users, except to list them:
Administrator, Guest, etc.
To retrieve all active users:
(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2))
or alternatively:
(&(sAMAccountType=805306368)(!userAccountControl:1.2.840.113556.1.4.803:=2))
I'm not sure what you mean by "not in an organizational unit". Do you mean
not in a specific OU, or not in any OU? To search for all users that are not
in any OU, you would specify the base of the search as the "cn=Users"
container, assuming that is the only container in your domain with users. Of
course, this container has the "builtin" accounts. Otherwise, there is no
way to retrieve users that are not in a specific OU. You would have to
retrieve all users, then in a VBScript where you enumerate the resultant
recordset, only operate on the users that are not in the OU.
Assuming you can identify OU's by their Relative Distinguished Names, the
best way to determine the OU is with code similar to:
=========
strUserDN = "cn=Jim Smith,ou=Sales\, West,ou=Engr,dc=MyDomain,dc=com"
Set objUser = GetObject("LDAP://" & strUserDN)
Set objParent = GetObject(objUser.Parent)
strOU = objParent.Get("Name")
=========
In this example, strOU will be the string "Sales, West", the RDN of the
parent container. Note, however, that this may not uniquely identify the OU.
There could be several OU's in the domain with the same RDN.
--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--
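An added example, not part of the original posts: the OU test done on the distinguishedName string itself, comparing the full DN of each parent container rather than its RDN, so that two OUs with the same name in different branches are not confused and escaped commas such as "Sales\, West" are handled. The function names ParentDN and IsInOU, the excluded OU DN and the sample DNs are constructed assumptions; the excluded DN is assumed to be written without extra spaces, as AD returns it.

```vbscript
Option Explicit
' Return the DN of the parent container: the text after the first comma
' that is not escaped with a backslash ("" when there is none).
Function ParentDN(strDN)
    Dim i, blnEscaped, strChar
    ParentDN = ""
    blnEscaped = False
    For i = 1 To Len(strDN)
        strChar = Mid(strDN, i, 1)
        If blnEscaped Then
            blnEscaped = False          ' character after "\" is literal
        ElseIf strChar = "\" Then
            blnEscaped = True
        ElseIf strChar = "," Then
            ParentDN = Mid(strDN, i + 1)
            Exit Function
        End If
    Next
End Function

' True when strDN is directly in strOUDN, or beneath it when blnSubtree is True.
Function IsInOU(strDN, strOUDN, blnSubtree)
    Dim strContainer
    IsInOU = False
    strContainer = ParentDN(strDN)
    Do While strContainer <> ""
        ' Compare whole container DNs, ignoring case.
        If StrComp(strContainer, strOUDN, vbTextCompare) = 0 Then
            IsInOU = True
            Exit Function
        End If
        If Not blnSubtree Then Exit Function
        strContainer = ParentDN(strContainer)
    Loop
End Function

' Constructed sample DNs and excluded OU (assumptions for illustration).
Const EXCLUDED_OU = "ou=SkipOU,ou=Engr,dc=MyDomain,dc=com"
Dim strDN
For Each strDN In Array( _
        "cn=Jim Smith,ou=Sales\, West,ou=Engr,dc=MyDomain,dc=com", _
        "cn=Ann Lee,OU=SkipOU,OU=Engr,DC=MyDomain,DC=com", _
        "cn=Bob Ray,ou=Temps,ou=SkipOU,ou=Engr,dc=MyDomain,dc=com", _
        "cn=Cy Poe,ou=SkipOU,ou=Sales\, West,ou=Engr,dc=MyDomain,dc=com")
    If IsInOU(strDN, EXCLUDED_OU, True) Then
        WScript.Echo "skip: " & strDN
    Else
        WScript.Echo "keep: " & strDN
    End If
Next
```

In the posted loop, strUserDN from the recordset can be passed straight to IsInOU, which removes the two GetObject binds per user. The last sample DN is kept because its SkipOU lives under a different parent than the excluded one.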