Searching for Specific Types of Objects
One of the best ways to improve the performance of Active Directory searches is to limit the scope of the search operation. Fortunately, searching for a specific type of object is one of the easiest tasks to perform. For example, to perform a task on a group of computers, limit your search to the Computer class of objects. To work with only groups, users, computers, or printers, specify objectClass or objectCategory in the search filter.
The objectCategory attribute is a single value that specifies the class from which the object in Active Directory is derived. Users are derived from an object category called users. All the classes you looked at in the last chapter (users, computers) are defined in the schema as values for the objectCategory attribute. When you create a new user, Active Directory identifies the attributes the user class contains. Then it uses those attributes when the new user is created. In this way, all users have the same attributes available to them.
The attribute called objectClass is a multivalued attribute, and as you learned in the discussion of WMI, you have to use a For...Next statement to iterate all instances of values contained in the multivalued attribute.
Just the Steps: To limit the Active Directory search
1. Create a connection to Active Directory by using ADO.
2. Use the Open method of the connection object to access Active Directory.
3. Create an ADO command object and assign it to the ActiveConnection property of the Connection object.
4. In the query string, specify the object category of the target query.
5. Choose specific fields of data to return in response to the query.
6. Assign the query string to the CommandText property of the Command object.
7. Use the Execute method to run the query and store the results in a RecordSet object.
8. Read information in the result set using properties of the RecordSet object.
9. Close the connection by using the Close method of the connection object.
In the FilterComputers.vbs script, you use ADO to query Active Directory with the goal of returning a record set containing selected properties from all the computers with accounts in the directory. The Header information and Worker information sections of the script are the same as in the previous script, so we won't discuss them.
FilterComputers.vbs
Option Explicit
On Error Resume Next
Dim strQuery
Dim objConnection
Dim objCommand
Dim objRecordSet
' Query format: <search base>;(filter);attributes to return;scope
strQuery = "<LDAP://dc=nwtraders,dc=msft>;" & _
    "(objectCategory=computer);" &_
    "name,distinguishedName;subtree"
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
' ADsDSOObject is the ADSI provider that lets ADO talk to Active Directory.
objConnection.Open "Provider=ADsDSOObject;"
objCommand.ActiveConnection = objConnection
objCommand.CommandText = strQuery
Set objRecordSet = objCommand.Execute
' Walk the record set one computer at a time.
Do Until objRecordSet.EOF
    WScript.Echo objRecordSet("name"), objRecordSet("distinguishedName")
    objRecordSet.MoveNext
Loop
objConnection.Close
Reference Information
The Reference information section is basically the same as in the previous script, with the exception of the query. You call the query strQuery in this script, as shown here:
strQuery = "<LDAP://dc=nwtraders,dc=msft>;" & _
"(objectCategory=computer);" &_
"name,distinguishedName;subtree"
You can see the power of using the ADO connection to query Active Directory. You choose a couple of attributes from the dozens of available attributes associated with the Computer object in Active Directory. This makes an efficient query because you return only the desired information.
Output Information
The alert reader will realize that we've returned data on two attributes of the Computer object: the distinguishedName and the name of the computer. The Output information section of the script looks like the following:
WScript.Echo objRecordSet("name"), objRecordSet("distinguishedName")
At this point, it is sufficient to illustrate how to write data from the record set. You use the Echo command to send the data out, but the interesting part is you specify the field by name. It is perhaps confusing here that the field you are sending out is called name. To send out the distinguishedName field, put distinguishedName in quotation marks. We are actually specifying the Field property of the record set, but because it is the default property, we do not need to list it in our reference to objRecordSet. This also gives us the ability to specify two attributes at the same time, as seen in our output line.
Q. What is one way to limit the amount of data returned by an ADO query of Active Directory?
A. To limit the amount of data returned by an ADO query of Active Directory, you can specify objectCategory, which is easy to do. In this way, you can limit searches to just computers, users, printers, or other objects in Active Directory.
Q. To specify an alternate set of credentials or to encrypt the password, what must be done in your script?
A. To specify an alternate set of credentials or to encrypt the password, you must use the authentication properties of the connection object.
Q. What two items must be specified for ADO to talk to Active Directory?
A. The two items that must be specified for ADO to talk to Active Directory are the connection string and record set. All other fields are optional.
Querying multiple attributes
1. Open Microsoft Notepad or your favorite script editor.
2. Open \My Documents\Microsoft Press\VBScriptSBS\ch13\FilterComputers.vbs and save it as YourNameFilterComputersByName.vbs.
3. Edit the strQuery line to add an additional attribute to the filter. On the second line, add an extra set of parentheses around (objectCategory=computer) to hold the extra attribute. Your filter will now look like:
    ((objectCategory=computer))
4. Before objectCategory=computer, but between the new parentheses you added on the right side, add the new filter criteria: (name=MyNewComputer). Make sure you use the name of a computer that will be present in Active Directory. This line will now look like the following:
    ((objectCategory=computer)(name=MyNewComputer))
5. To glue the two search attributes together, add an ampersand (&) character between the set of parentheses on the left side of the filter. It will look like the following:
    (&(objectCategory=computer)(name=MyNewComputer))
6. Add the location attribute to the list of properties you are selecting. This is seen below:
    ";name,location,distinguishedname;subtree"
7. Compare your complete search filter with the code below.
    strQuery = "<LDAP://dc=nwtraders,dc=msft>;" & _
        "(&(objectCategory=computer)(name=MyNewComputer))"&_
        ";name,location,distinguishedname;subtree"
8. Save and run your script. It should retrieve only the computer you specified in the name= portion of your search filter.
9. Modify the Output section of the script to print out the name of the computer for which you searched. This will be the first line in your Output section. Underline the name of the computer by using the ForMatTxt function.
    WScript.Echo ForMatTxt("Computer named: " & objRecordSet("name"))
10. Copy the ForMatTxt function from the ForMatTxt.vbs script in the Chapter 13 folder. Place it at the bottom of your script. This function is seen below:
    Function ForMatTxt(lineOfText)
        Dim numEQs
        Dim separator
        Dim i
        numEQs = Len(lineOfText)
        For i = 1 To numEQs
            separator = separator & "="
        Next
        ForMatTxt = lineOfText & vbcrlf &separator & vbcrlf
    End Function
11. Remove the additional WScript.Echo statements in the Output section and add appropriate labels to each field when it is printed out. Use line continuation and concatenation as required. When done, the Output section will look similar to the one below.
    WScript.Echo ForMatTxt("Computer named: " & objRecordSet("name")) &_
        objRecordSet.Fields("name") & " is located: " & objRecordSet.Fields("location") &_
        vbcrlf & "Distinguished name: " & objRecordSet.fields("distinguishedname")
12. Save and run your script. If it does not produce the expected output, compare it with \My Documents\Microsoft Press\VBScriptSBS\ch13\FilterComputersByName.vbs.
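An added example, not one of the book's sample scripts: when the computer name in the (name=...) clause comes from a script argument or a file instead of being typed into the filter, escape it as RFC 4515 requires before concatenating it into the query string, so that characters such as * or parentheses are matched literally and cannot alter the filter. The function names EscapeLdapFilterValue and BuildComputerQuery and the sample names are assumptions made for this illustration; the script only builds and prints the query strings, so it runs without a domain.

```vbscript
Option Explicit

' Escape a value for use inside an LDAP search filter (RFC 4515).
' Backslash, asterisk, parentheses and NUL are replaced by \XX hex escapes.
' (Hypothetical helper, not part of the book's scripts.)
Function EscapeLdapFilterValue(strValue)
    Dim i, ch, strOut
    strOut = ""
    For i = 1 To Len(strValue)
        ch = Mid(strValue, i, 1)
        Select Case ch
            Case "\"    : strOut = strOut & "\5c"
            Case "*"    : strOut = strOut & "\2a"
            Case "("    : strOut = strOut & "\28"
            Case ")"    : strOut = strOut & "\29"
            Case Chr(0) : strOut = strOut & "\00"
            Case Else   : strOut = strOut & ch
        End Select
    Next
    EscapeLdapFilterValue = strOut
End Function

' Build the same four-part ADO query string used in the exercise,
' with the computer name escaped before it enters the filter.
' (Hypothetical helper, not part of the book's scripts.)
Function BuildComputerQuery(strBase, strComputerName)
    BuildComputerQuery = "<LDAP://" & strBase & ">;" & _
        "(&(objectCategory=computer)(name=" & _
        EscapeLdapFilterValue(strComputerName) & "))" & _
        ";name,location,distinguishedName;subtree"
End Function

' Constructed sample inputs: an ordinary name, a name containing
' parentheses, and a bare wildcard that would otherwise match every computer.
Dim arrNames, strName
arrNames = Array("MyNewComputer", "LAB(01)", "*")
For Each strName In arrNames
    WScript.Echo strName & " -> " & _
        BuildComputerQuery("dc=nwtraders,dc=msft", strName)
Next
```

Run it with cscript and assign the returned string to the CommandText property in place of the hand-written strQuery.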