Searching for Specific Types of Objects


One of the best ways to improve the performance of Active Directory searches is to limit the scope of the search operation. Fortunately, searching for a specific type of object is one of the easiest tasks to perform. For example, to perform a task on a group of computers, limit your search to the computer class of objects. To work with only groups, users, computers, or printers, specify the objectClass or the objectCategory attribute in the search filter. The objectCategory attribute is a single value that specifies the class from which the object in Active Directory is derived. In other words, users are derived from an objectCategory called users. All the properties you looked at in Chapter 7, “Working with Active Directory,” when we were creating objects in Active Directory are contained in a template called an objectCategory. When you create a new user, Active Directory does a lookup to find out what properties the user class contains. Then it copies all those properties onto the new user you just created. In this way, all users have the same properties available to them.

Just the Steps 

To limit the Active Directory search

  1. Create a connection to Active Directory by using ADO.

  2. Use the Open method of the Connection object to access Active Directory.

  3. Create an ADO Command object, and assign the ActiveConnection property to the Connection object.

  4. Assign the query string to the CommandText property of the Command object.

  5. In the query string, specify the objectCategory of the target query.

  6. Choose specific fields of data to return in response to the query.

  7. Use the Execute method to run the query and store the results in a RecordSet object.

  8. Read information in the result set using properties of the RecordSet object.

  9. Close the connection by using the Close method of the Connection object.

In the QueryComputers.ps1 script, you use ADO to query Active Directory with the goal of returning a recordset containing selected properties from all the computers with accounts in the directory.

To make the script easier to edit, we abstracted each of the four parts of the LDAP dialect query into a separate variable. The $strBase variable in the QueryComputers.ps1 script is used to hold the base of the ADO query. The base is used to determine where the script will make its connection into Active Directory. The line of code that does this in the QueryComputers.ps1 script is shown here:

 $strBase = "<LDAP://dc=nwtraders,dc=msft>"

The filter is used to limit the types of objects that are returned by the ADO query. In the QueryComputers.ps1 script, we filter on the objectCategory attribute, returning only objects for which it has a value of computer. This line of code is shown here:

 $strFilter = "(objectCategory=computer)"

The attributes to be selected from the query are specified in the $strAttributes variable. In the QueryComputers.ps1 script, we choose only the Name attribute. This line of code is shown here:

 $strAttributes = "name"

The search scope determines how deep the query will go. There are three possible values for this: base, oneLevel, and subtree. Base searches only at the level where the script connects. OneLevel tells ADO to go one level below where the $strBase connection is made. Subtree is probably the most commonly used and tells ADO to make a recursive query through Active Directory. This is the kind of query we do in QueryComputers.ps1. This line of code is shown here:

 $strScope = "subtree"

The $strQuery variable holds the query that is run against Active Directory. Because each part is abstracted into its own variable, the query is easy to modify. The revised code is shown here:

 $strQuery = "$strBase;$strFilter;$strAttributes;$strScope"

The complete QueryComputers.ps1 is shown here:

QueryComputers.ps1

 # The four parts of the LDAP dialect query: base, filter, attributes, scope
 $strBase = "<LDAP://dc=nwtraders,dc=msft>"
 $strFilter = "(objectCategory=computer)"
 $strAttributes = "name"
 $strScope = "subtree"
 $strQuery = "$strBase;$strFilter;$strAttributes;$strScope"

 # Connect to Active Directory through the ADSI OLE DB provider
 $objConnection = New-Object -comObject "ADODB.Connection"
 $objCommand = New-Object -comObject "ADODB.Command"
 $objConnection.Open("Provider=ADsDSOObject;")
 $objCommand.ActiveConnection = $objConnection
 $objCommand.CommandText = $strQuery
 $objRecordSet = $objCommand.Execute()

 # Test EOF before reading so that an empty result set does not raise an error
 While (-not $objRecordSet.EOF)
 {
     $objRecordSet.Fields.item("name") |Select-Object Name,Value
     $objRecordSet.MoveNext()
 }
 $objConnection.Close()

Querying multiple attributes

  1. Open Notepad or your favorite Windows PowerShell editor.

  2. Open QueryComputers.ps1, and save it as yournameQueryComputersByName.ps1.

  3. Edit the $strFilter line so that it includes the additional attribute name. To do this using the LDAP dialect, we will need to first add an extra set of parentheses around the entire filter expression. This is shown here:

     $strFilter = "((objectCategory=computer))"

  4. Between the first set of double parentheses, we will add the ampersand character (&), which will tell the LDAP dialect search filter we want both of the attributes we are getting ready to supply. This is shown here:

     $strFilter = "(&(objectCategory=computer))"

  5. At the end of the first search filter expression, we want to add a second expression. We want to search by both computer type objects and the name attribute. This modified line of code is shown here:

     $strFilter = "(&(objectCategory=computer)(name=london))"

  6. Save and run your script. It should produce a script output that lists all computer accounts named London.

  7. This concludes the querying multiple attributes procedure.
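
The filter from step 5, built for a caller-supplied name instead of the literal london, as an added example that is not part of the book's script. The function names ConvertTo-LdapFilterValue and New-ComputerNameQuery and the sample inputs are hypothetical; the value is escaped per RFC 4515 so that characters such as * or ( stay literal text and cannot widen or rewrite the filter.

```powershell
# Added example; function names and sample inputs are hypothetical.
function ConvertTo-LdapFilterValue {
    param([string]$Value)
    # Backslash is escaped first so that the escapes added afterwards are
    # not escaped a second time.
    $escaped = $Value.Replace('\', '\5c')
    $escaped = $escaped.Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
    $escaped = $escaped.Replace([string][char]0, '\00')
    # ';' separates the four parts of the LDAP dialect query string, so it is
    # written as a hex escape too (RFC 4515 allows \XX for any character).
    $escaped.Replace(';', '\3b')
}

function New-ComputerNameQuery {
    param(
        [string]$Name,
        [string]$Base = "<LDAP://dc=nwtraders,dc=msft>"
    )
    # Same shape as the filter in step 5, with the escaped value in place
    # of the literal name.
    $strFilter = "(&(objectCategory=computer)(name=$(ConvertTo-LdapFilterValue $Name)))"
    "$Base;$strFilter;name;subtree"
}

# Constructed inputs: a plain name, a bare wildcard that would otherwise
# match every computer account, and a value containing parentheses.
foreach ($sample in 'london', '*', 'lon(don)') {
    New-ComputerNameQuery -Name $sample
}
```

Assign the returned string to $objCommand.CommandText in place of $strQuery; the rest of the script is unchanged.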




Microsoft Press - Microsoft Windows PowerShell Step by Step
Microsoft® Windows PowerShell(TM) Step By Step (Step By Step (Microsoft))
ISBN: 0735623953
EAN: 2147483647
Year: 2007
Pages: 128
Authors: Ed Wilson
