Recipe 4.5 Searching for Objects in a Domain

4.5.1 Problem

You want to find objects that match certain criteria in a domain.

4.5.2 Solution

4.5.2.1 Using a graphical user interface
  1. Open LDP.

  2. From the menu, select Connection → Connect.

  3. For Server, enter the name of a domain controller (or leave blank to do a serverless bind).

  4. For Port, enter 389.

  5. Click OK.

  6. From the menu, select Connection → Bind.

  7. Enter credentials of a user.

  8. Click OK.

  9. From the menu, select Browse → Search.

  10. For BaseDN, type the base distinguished name where the search will start.

  11. For Scope, select the appropriate scope.

  12. For Filter, enter an LDAP filter.

  13. Click Run.

4.5.2.2 Using a command-line interface
> dsquery * <BaseDN> -scope <Scope> -filter "<Filter>" -attr "<AttrList>"
4.5.2.3 Using VBScript
' This code searches for objects based on the specified criteria.
' ------ SCRIPT CONFIGURATION ------
strBase    = "<LDAP://<BaseDN>>;"  ' BaseDN should be the search base
strFilter  = "<Filter>;"           ' Valid LDAP search filter
strAttrs   = "<AttrList>;"         ' Comma-separated list
strScope   = "<Scope>"             ' Should be one of Subtree, Onelevel, or Base
' ------ END CONFIGURATION ---------

set objConn = CreateObject("ADODB.Connection")
objConn.Provider = "ADsDSOObject"
objConn.Open "Active Directory Provider"
set objRS = objConn.Execute(strBase & strFilter & strAttrs & strScope)
' MoveFirst raises an error on an empty result set, so check EOF first
If Not objRS.EOF Then objRS.MoveFirst
While Not objRS.EOF
    Wscript.Echo objRS.Fields(0).Value
    objRS.MoveNext
Wend

4.5.3 Discussion

Most tools that can be used to search Active Directory require a basic understanding of how to perform LDAP searches using a base DN, search scope, and search filter as described in RFC 2251 and 2254. The base DN is where the search begins in the directory tree. The search scope defines how far down in the tree to search from the base DN. The search filter is a prefix notation string that contains equality comparisons of attribute and value pairs.

The scope can be base, onelevel (or one), or subtree (or sub). A base scope will only match the base DN, onelevel will only match objects that are contained directly under the base DN, and subtree will match everything below the base DN (not including the base DN).

The search filter syntax is a powerful way to represent simple and complex queries. An example filter that matches all user objects would be (&(objectclass=user)(objectcategory=Person)). For more information on filters, see RFC 2254.

4.5.3.1 Using a graphical user interface

To customize the list of attributes returned for each matching object, look at the GUI discussion in Recipe 4.2.

4.5.3.2 Using a command-line interface

<AttrList> should be a space-separated list of attributes to return. If left blank, all attributes that have a value will be returned.

4.5.3.3 Using VBScript

The VBScript solution used ADO to perform the search. When using ADO, you must first create a connection object with the following three lines:

set objConn = CreateObject("ADODB.Connection")
objConn.Provider = "ADsDSOObject"
objConn.Open "Active Directory Provider"

At this point you can pass parameters to the Execute method, which will return a ResultSet object. You can iterate over the ResultSet by using the MoveFirst and MoveNext methods.

See Recipe 4.7 for more information on specifying advanced options in ADO like the page size.
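
An added example, not from the book: the recipe's ADO query assembled from its four parts, with a value placed in the filter escaped per RFC 2254 so that characters such as ( ) * and \ are matched literally instead of being read as filter syntax. The helper names, the sample name, and the dc=example,dc=com base DN are assumptions for illustration.

```vbscript
Option Explicit

' Escape the characters RFC 2254 reserves inside a filter value.
Function EscapeFilterValue(strValue)
    Dim strOut
    strOut = Replace(strValue, "\", "\5c")   ' backslash first, so later escapes survive
    strOut = Replace(strOut, "*", "\2a")
    strOut = Replace(strOut, "(", "\28")
    strOut = Replace(strOut, ")", "\29")
    strOut = Replace(strOut, Chr(0), "\00")
    EscapeFilterValue = strOut
End Function

' Assemble "<LDAP://BaseDN>;filter;attrs;scope", rejecting unknown scopes.
Function BuildQuery(strBaseDN, strFilter, strAttrs, strScope)
    Select Case LCase(strScope)
        Case "base", "onelevel", "subtree"
            BuildQuery = "<LDAP://" & strBaseDN & ">;" & strFilter & ";" & _
                         strAttrs & ";" & strScope
        Case Else
            Err.Raise vbObjectError + 1, "BuildQuery", "Invalid scope: " & strScope
    End Select
End Function

Dim strName, strFilter, strQuery, objConn, objRS

' Constructed sample input: a name containing filter metacharacters.
strName = "Jones (Sales)*"
strFilter = "(&(objectclass=user)(objectcategory=Person)(cn=" & _
            EscapeFilterValue(strName) & "))"

' dc=example,dc=com is a placeholder base DN.
strQuery = BuildQuery("dc=example,dc=com", strFilter, _
                      "cn,distinguishedName", "subtree")
WScript.Echo strQuery

Set objConn = CreateObject("ADODB.Connection")
objConn.Provider = "ADsDSOObject"
objConn.Open "Active Directory Provider"
Set objRS = objConn.Execute(strQuery)

' Do Until handles an empty result set without calling MoveFirst.
Do Until objRS.EOF
    WScript.Echo objRS.Fields("distinguishedName").Value
    objRS.MoveNext
Loop
```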

4.5.4 See Also

Recipe 4.2 for viewing attributes of objects, Recipe 4.7 for setting advanced ADO options, RFC 2251 (Lightweight Directory Access Protocol (v3)), RFC 2254 (Lightweight Directory Access Protocol (v3)), MSDN: Searching with ActiveX Data Objects (ADO), and for a good white paper on performing queries with LDAP see: http://www.microsoft.com/windows2000/techinfo/howitworks/activedirectory/ldap.asp



Active Directory Cookbook, 3rd Edition
ISBN: 0596521103
EAN: 2147483647
Year: 2006
Pages: 456
