Performing an Administrative Task Using a Result Set
Microsoft® Windows® 2000 Scripting Guide
The ADSI OLE DB provider provides read-only access to Active Directory. Therefore, you cannot use ADO to modify Active Directory directly. However, you can use the result set returned by a search operation to perform administrative tasks using a combination of ADO and ADSI methods. For example, you can:
Search for the sAMAccountName attribute of an object in a domain and, if the result set is empty, use the Create method to create the object.
For an example of how to complete this task, see "Active Directory Users" in this book.
Search for all computer objects using the objectCategory attribute and then use the Put method to modify an attribute of each object.
Search for all objects whose description attribute designates that the object is owned by a specific department and then use the MoveHere method to consolidate all objects in a container.
The goal of the two scripts in this section is to demonstrate how to use a result set returned by a search operation to perform an administrative task.
Modifying an Attribute in Multiple Objects
The script in Listing 5.37 modifies the location attribute to Atlanta, Georgia, for all computers in a domain whose name begins with ATL. The steps to complete this task are a combination of the steps described in "Searching" and "Modifying Directory Service Objects" earlier in this chapter; therefore, the steps are summarized here.
Using ADO, query Active Directory for all computer objects starting with the name ATL.
In line 9, two filters are combined, (objectCategory=Computer) and (cn=ATL*). The second filter uses the asterisk wildcard to find all computers whose name starts with ATL.
In line 10, ADsPath is the attribute returned for each computer in the result set.
Use a While Wend statement and the MoveNext method to read each record in the result set.
For each record in the result set, bind to the corresponding object in Active Directory, write the location attribute to the object, and then commit the object to Active Directory (lines 15-18).
Show the number of records modified by echoing the value of the RecordSet object's RecordCount property to the command window (lines 21 and 22).
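The steps above as an added VBScript example; it is not the book's Listing 5.37, so the line numbers cited in the steps do not apply to it. The domain path dc=example,dc=com and the DRY_RUN switch are assumptions made for illustration, and the Page Size setting and per-object error check go beyond what the steps describe.

```vbscript
' Added example, not the book's Listing 5.37.
Option Explicit
Const DOMAIN_DN = "dc=example,dc=com"   ' Assumption: placeholder domain
Const NEW_LOCATION = "Atlanta, Georgia"
Const DRY_RUN = True                    ' Hypothetical switch: list targets, write nothing

Dim objConnection, objCommand, objRecordSet, objComputer
Dim strADsPath, intChanged, intFailed

Set objConnection = CreateObject("ADODB.Connection")
objConnection.Open "Provider=ADsDSOObject;"
Set objCommand = CreateObject("ADODB.Command")
Set objCommand.ActiveConnection = objConnection
' Without paging, the search stops at the server result limit (1000 by default).
objCommand.Properties("Page Size") = 500
objCommand.CommandText = _
    "<LDAP://" & DOMAIN_DN & ">;" & _
    "(&(objectCategory=Computer)(cn=ATL*));" & _
    "ADsPath;subtree"
Set objRecordSet = objCommand.Execute

intChanged = 0 : intFailed = 0
While Not objRecordSet.EOF
    strADsPath = objRecordSet.Fields("ADsPath").Value
    If DRY_RUN Then
        WScript.Echo "Would modify: " & strADsPath
    Else
        On Error Resume Next
        Set objComputer = GetObject(strADsPath)    ' Bind to the object
        If Err.Number = 0 Then
            objComputer.Put "location", NEW_LOCATION
            objComputer.SetInfo                    ' Commit to Active Directory
        End If
        If Err.Number = 0 Then
            intChanged = intChanged + 1
        Else
            intFailed = intFailed + 1
            WScript.Echo "Failed: " & strADsPath & " (0x" & Hex(Err.Number) & ")"
            Err.Clear
        End If
        On Error GoTo 0
    End If
    objRecordSet.MoveNext
Wend

WScript.Echo objRecordSet.RecordCount & " computer objects matched; " & _
    intChanged & " modified, " & intFailed & " failed."
objConnection.Close
```

Run it with cscript.exe first with DRY_RUN left at True to review the list of objects the filter matches before allowing the writes.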
Listing 5.37 Modifying Multiple Computer Objects Using the Result Set Returned by a Search
Moving Objects Containing a Certain Value for an Attribute
The script in Listing 5.38 moves user account objects to the HR OU if their department attribute is set to Human Resources. The steps to complete this task are a combination of the steps described in "Searching" and "Moving and Renaming Objects" earlier in this chapter; therefore, the steps are summarized here.
Using ADO, query Active Directory for all user account objects with a department attribute value of Human Resources.
On lines 9 and 10, three filters are combined: (objectCategory=person), (objectClass=user), and (department=Human Resources). Take note of how ampersands and parentheses are used to combine the filters. The script uses both objectCategory and objectClass so that all user account types that are security principals are returned by the query. For more information about why this filter combination is necessary, see "Active Directory Users" in this book.
On line 10, return the ADsPath, distinguishedName, and name attributes of each user account that matches the filter properties and scope. All of these attributes are used later in the script.
Bind to the target OU of the move operation (line 14).
Note that this binding operation could have been completed inside the While Wend statement that starts on line 16. However, it is more efficient to perform a binding operation once and reuse it as many times as necessary in the script.
Use a While Wend statement to read each record in the result set (line 16).
Initialize the strADsPath variable with the field containing the ADsPath.
Initialize two variables, strDNRecord and strDNCompare. The strDNRecord variable contains the value of the distinguishedName attribute returned by the query. The strDNCompare variable contains a distinguishedName that is constructed from the name field returned by the query and the path to the HR OU. Use the strDNCompare variable to determine whether the user account specified by strDNRecord is currently located in the HR OU.
If the user account is not already in the HR OU (that is, strDNRecord is not equal to strDNCompare), use the MoveHere method to move the object into that OU. Then echo the distinguishedName of the user account before it was moved and state that it was moved. Otherwise, echo the distinguishedName of the user account in the HR OU and state that it was not moved.
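The steps above as an added VBScript example; it is not the book's Listing 5.38, so the line numbers cited in the steps do not apply to it. The domain and OU paths are placeholder assumptions, the comparison is made case-insensitive because distinguished names are not case-sensitive, and the example assumes account names contain no characters that are escaped in a distinguished name (such as commas).

```vbscript
' Added example, not the book's Listing 5.38.
Option Explicit
Const DOMAIN_DN = "dc=example,dc=com"            ' Assumption: placeholder domain
Const TARGET_OU_DN = "ou=HR,dc=example,dc=com"   ' Assumption: placeholder target OU

Dim objConnection, objCommand, objRecordSet, objOU
Dim strADsPath, strDNRecord, strDNCompare

Set objConnection = CreateObject("ADODB.Connection")
objConnection.Open "Provider=ADsDSOObject;"
Set objCommand = CreateObject("ADODB.Command")
Set objCommand.ActiveConnection = objConnection
objCommand.Properties("Page Size") = 500         ' Page past the default result limit
objCommand.CommandText = _
    "<LDAP://" & DOMAIN_DN & ">;" & _
    "(&(&(objectCategory=person)(objectClass=user))" & _
    "(department=Human Resources));" & _
    "ADsPath,distinguishedName,name;subtree"
Set objRecordSet = objCommand.Execute

' Bind to the target OU once and reuse the binding for every move.
Set objOU = GetObject("LDAP://" & TARGET_OU_DN)

While Not objRecordSet.EOF
    strADsPath = objRecordSet.Fields("ADsPath").Value
    strDNRecord = objRecordSet.Fields("distinguishedName").Value
    ' The DN this account would have if it already sat directly in the target OU.
    strDNCompare = "CN=" & objRecordSet.Fields("name").Value & "," & TARGET_OU_DN
    ' Compare as text: a plain <> would treat "OU=HR" and "ou=HR" as different.
    If StrComp(strDNRecord, strDNCompare, vbTextCompare) <> 0 Then
        On Error Resume Next
        objOU.MoveHere strADsPath, vbNullString   ' vbNullString keeps the current name
        If Err.Number = 0 Then
            WScript.Echo strDNRecord & " moved to " & TARGET_OU_DN
        Else
            WScript.Echo "Move failed: " & strDNRecord & _
                " (0x" & Hex(Err.Number) & ")"
            Err.Clear
        End If
        On Error GoTo 0
    Else
        WScript.Echo strDNRecord & " is already in the target OU; not moved."
    End If
    objRecordSet.MoveNext
Wend
objConnection.Close
```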
Listing 5.38 Moving Multiple User Accounts Using the Result Set Returned by a Search
Important observations about the scripts in this section are:
Both scripts perform the same basic steps: They use ADO to create a Connection, a Command, and a RecordSet object, and then they read each record in the RecordSet object.
Using the information in the result set, both scripts perform an administrative task.