Connecting to Active Directory with ADO


In this section, you will learn a special query technique to search Active Directory using ActiveX Data Objects (ADO). The technique is exactly the same technique you will use to search other databases. You will be able to use the results returned by that custom query to perform additional tasks. For example, you could search Active Directory for all users who don’t have telephone numbers assigned to them. You could then send that list to the person in charge of maintaining the telephone numbers. Even better, you could modify the search so that it returns the user names and their managers’ names. You could then take the list of users with no phone numbers that is returned and send e-mail to the managers to update the phone list in Active Directory. The functionality incorporated in your scripts is primarily limited by your imagination. The following list summarizes uses of the search technology:

  • Query Active Directory for a list of computers that meet a given search criterion

  • Query Active Directory for a list of users who meet a given search criterion

  • Query Active Directory for a list of printers that meet a given search criterion

  • Use the data returned from the preceding three queries to perform additional operations

All the scripts mentioned in this chapter can be found in the corresponding scripts folder on the CD.

Just the Steps 

To search Active Directory

  1. Create a connection to Active Directory by using ADO.

  2. Use the Open() method of the object to access Active Directory.

  3. Create an ADO Command object and assign the ActiveConnection property to the Connection object.

  4. Assign the query string to the CommandText property of the Command object.

  5. Use the Execute() method to run the query and store the results in a RecordSet object.

  6. Read information in the result set using properties of the RecordSet object.

  7. Close the connection by using the Close() method of the Connection object.

The script BasicQuery.ps1 (shown later) illustrates how to search Active Directory by using ADO. Keep in mind that BasicQuery.ps1 can be used as a template script to make it easy to perform Active Directory queries using ADO.

The BasicQuery.ps1 script begins with defining the query that will be used. The string is stored in the $strQuery variable. When querying Active Directory using ADO, there are two ways the query can be specified. The one used here is called the Lightweight Directory Access Protocol (LDAP) dialect. The other means of specifying the query is called the SQL dialect and will be explored later in this chapter.

The LDAP dialect string is made up of four parts. Each of the parts is separated by a semicolon. If one part is left out, then the semicolon must still be present. This is actually seen in the BasicQuery.ps1 script because we do not supply a value for the filter portion. This line of code is shown here:

 $strQuery = "<LDAP://dc=nwtraders,dc=msft>;;name;subtree"

Table 8-1 illustrates the LDAP dialect parts. In the BasicQuery.ps1 script, the filter is left out of the query. The base portion is used to specify the exact point of the connection into Active Directory. Here we are connecting to the root of the NwTraders.msft domain. We could connect to an organizational unit (OU) called MyTestOU by using the distinguished name, as shown here:

 ou=myTestOU,dc=nwtraders,dc=msft

Table 8-1: LDAP Dialect Query Syntax

 Base                            Filter                      Attributes   Search Scope
 <LDAP://dc=nwtraders,dc=msft>   (objectCategory=computer)   name         subtree

When we create the filter portion of the LDAP dialect query, we specify the attribute name on the left and the value for the attribute we are looking for on the right. If I were looking for every object that had a location of Atlanta, then the filter would look like the one shown here:

 (l=Atlanta)

The attribute portion of the LDAP query is a simple list of attributes you are looking for, each separated by a comma. If after you had found objects in Atlanta, you wanted to know the name and category of the objects, your attribute list would look like the following:

 Name, objectCategory

The search scope is the last portion of the LDAP dialect query. There are three possible values for the search scope. The first is base. If we specify the search scope as base, then it will only return the single object that was the target of the query, that is, the base portion of the query. Using base is valuable if you want to determine whether an object is present in Active Directory.

The second allowable value for the search scope is oneLevel. When you use the search scope of oneLevel, it will return the child objects of the base of your query. It does not, however, perform a recursive query. If your base is an OU, then it will list the items contained in the OU. But it will not go into any child OUs and list their members. This is an efficient query technique and should be considered standard practice.

The last allowable value for the search scope is subtree. Subtree begins at the base of your query and then recurses into everything under the base of your query. It is sometimes referred to in the Platform Software Development Kit (SDK) as the deep search option because it will dig deeply into all sublevels of your Active Directory hierarchy. If you target the domain root, then it will go into every OU under the domain root, and then into the child OUs, and so forth. This should be done with great care because it can generate a great deal of network traffic and a great deal of workload on the server. If you do need to perform such a query, then you should perform the query asynchronously, and use paging to break the result set into smaller chunks. This will level out the network utilization. In addition, you should try to include one attribute that is indexed. If the attributes you are interested in are replicated to the Global Catalog (GC), then you should query the GC instead of connecting to rootDSE (DSA-specific entry). These techniques will all be examined in this chapter.

After the query is defined, we need to create two objects. We will use the New-Object cmdlet to create these objects. The first object to create is the ADODB.Connection object. The line of code used to create the Connection object is shown here:

 $objConnection = New-Object -comObject "ADODB.Connection"

This object is a com object and is contained in the variable $objConnection. The second object that is needed is the ADODB.Command object. The code to create the Command object is shown here:

 $objCommand = New-Object -comObject "ADODB.Command"

After the two objects are created, we need to open the connection into Active Directory. To open the connection, we use the Open method from the ADODB.Connection object. When we call the Open method, we need to specify the name of the provider that knows how to read the Active Directory database. For this, we will use the ADsDSOObject provider. This line of code is shown here:

 $objConnection.Open("Provider=ADsDSOObject;")

After the connection into the Active Directory database has been opened, we need to associate the Command object with the Connection object. To do this, we use the ActiveConnection property of the Command object. The line of code that does this is shown here:

 $objCommand.ActiveConnection = $objConnection

Now that we have an active connection into Active Directory, we can go ahead and assign the query to the command text of the Command object. To do this, we use the CommandText property of the Command object. In the BasicQuery.ps1 script, we use the following line of code to do this:

 $objCommand.CommandText = $strQuery

After everything is lined up, we call the Execute method of the Command object. The Execute method will return a RecordSet object, which is stored in the $objRecordSet variable. This line of code is shown here:

 $objRecordSet = $objCommand.Execute()

To examine individual records from the RecordSet object, we use the do until statement to walk through the collection. The script block of the do until statement is used to retrieve the Name property from the RecordSet object. To retrieve the specific property, we retrieve the Fields.Item property and specify the property we retrieved from the attributes portion of the query. We then pipeline the resulting object into the Select-Object cmdlet and choose both the name and the Value property. This line of code is shown here:

 $objRecordSet.Fields.item("name") |Select-Object Name,Value

To move to the next record in the recordset, we need to use the MoveNext method from the RecordSet object. This line of code is shown here:

 $objRecordSet.MoveNext()

The complete BasicQuery.ps1 script is shown here:

 BasicQuery.ps1

 # LDAP dialect: <base>;filter;attributes;scope (the filter part is left empty)
 $strQuery = "<LDAP://dc=nwtraders,dc=msft>;;name;subtree"
 $objConnection = New-Object -comObject "ADODB.Connection"
 $objCommand = New-Object -comObject "ADODB.Command"
 # The ADsDSOObject provider knows how to read the Active Directory database
 $objConnection.Open("Provider=ADsDSOObject;")
 $objCommand.ActiveConnection = $objConnection
 $objCommand.CommandText = $strQuery
 $objRecordSet = $objCommand.Execute()
 # Walk the recordset one record at a time until the end of file is reached
 Do {
     $objRecordSet.Fields.item("name") | Select-Object Name,Value
     $objRecordSet.MoveNext()
 } Until ($objRecordSet.eof)
 $objConnection.Close()
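The following script is an added example and is not part of the book or its CD. It wraps the seven steps above, and the four LDAP dialect parts from Table 8-1, in a single reusable function, and then applies it to the use case from the start of the chapter: users who have no telephone number, together with their managers. It assumes the book's sample domain (nwtraders.msft), PowerShell 3.0 or later for the [ordered] hashtable, and that the provider's "Page Size" property is set through the .Value member of the Command object's Properties collection (the property name is real; the exact PowerShell assignment syntax is an assumption). The loop uses While rather than Do/Until so that an empty result set does not cause an error on the first Fields access, and the connection is closed in a finally block even when Execute fails (for example, when the account running the script lacks read permission on the base).

```powershell
# Added example, not from the book: reusable ADO/ADsDSOObject search helper.
function Search-ADWithAdo {
    param(
        # Assumption: the book's sample domain
        [string]$Base = "LDAP://dc=nwtraders,dc=msft",
        # An empty filter is allowed; the separating semicolon must still be present
        [string]$Filter = "",
        [string[]]$Attributes = @("name"),
        [ValidateSet("base", "oneLevel", "subtree")]
        [string]$Scope = "subtree",
        # Paging keeps a subtree search from returning one huge result set
        [int]$PageSize = 1000
    )

    # Four parts separated by semicolons: <base>;filter;attr1,attr2;scope
    $strQuery = "<$Base>;$Filter;$($Attributes -join ',');$Scope"

    $objConnection = New-Object -ComObject "ADODB.Connection"
    $objCommand    = New-Object -ComObject "ADODB.Command"
    try {
        $objConnection.Open("Provider=ADsDSOObject;")
        $objCommand.ActiveConnection = $objConnection
        $objCommand.CommandText      = $strQuery
        # "Page Size" is a property of the ADSI OLE DB provider; assumed syntax
        $objCommand.Properties.Item("Page Size").Value = $PageSize

        $objRecordSet = $objCommand.Execute()

        # While/not EOF: a Do loop reads Fields before testing EOF, which
        # fails when the query matched nothing
        while (-not $objRecordSet.EOF) {
            $row = [ordered]@{}
            foreach ($attr in $Attributes) {
                $row[$attr] = $objRecordSet.Fields.Item($attr).Value
            }
            [pscustomobject]$row
            $objRecordSet.MoveNext()
        }
        $objRecordSet.Close()
    }
    finally {
        # adStateClosed is 0; only close a connection that was actually opened
        if ($objConnection.State -ne 0) { $objConnection.Close() }
    }
}

# Use case from the chapter introduction: users with no telephoneNumber and
# their managers. objectCategory is indexed, so it leads the filter, and
# (!(telephoneNumber=*)) matches objects where the attribute is absent.
$missingPhone = Search-ADWithAdo `
    -Filter "(&(objectCategory=person)(objectClass=user)(!(telephoneNumber=*)))" `
    -Attributes "name", "manager" `
    -Scope "subtree"

$missingPhone | Format-Table -AutoSize
```

The query is read-only and returns only the attributes you list, so running it under an ordinary domain user account (which can read these attributes by default) rather than a privileged one is the sensible choice. To check a single object's existence instead, pass its distinguished name as -Base with -Scope "base", as the text describes.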

Quick Check

Q. What technology is utilized to search Active Directory?

A. ADO is the technology that is used to search Active Directory.

Q. Which part of the script is used to perform the query?

A. The command portion of the script is used to perform the query.

Q. How are results returned from an ADO search of Active Directory?

A. The results are returned in a recordset.





Microsoft Press - Microsoft® Windows PowerShell™ Step By Step
ISBN: 0735623953
Year: 2007
Pages: 128
Authors: Ed Wilson
