How to Query Distinguished Name in AD

[Bodman]

Hi, I am trying to output 2 figures from AD

The First is to count how many users in AD have the String OU=C3084* in the Distinguished name attribute and

the second is of the first output how many have them have the mail attribute set.

I have read what feels like the entire internet about adfunctions but im not sure how to start Can anyone point me in the right direction please

I was trying to run a query like this

$objCommand.CommandText = "<LDAP://" & $strDNSDomain & ">;(&(objectCategory=person)(objectClass=user)(ou=*c3408*)); distinguishedname,mail;subtree"

to no avail

Any pointers in the right direction appreciated

//Bodman

Edited January 11, 2011 by Bodman

[enaiman]

Did you have a look at Active Directory UDF?

There isn't anything in there to help you?

[water]

To get all users with mail attribute set you could use

#include <ad.au3>
_AD_Open()
$aResult = _AD_GetObjectsInOU("","(&(objectCategory=person)(objectClass=user)(mail=*))",2,"samAccountName")
_ArrayDisplay($aResult)
_AD_Close()

I'm investigating how to query the OU.

Edit: Unfortunately you can't use a wildcard with a distinguishedName (according to the X.500 standards). So you have to do it yourself:

#include <ad.au3>
Global $aResult[1]
$sOU = "OU=C3084"
_AD_Open()
$aOUs = _AD_GetAllOUs()
For $iIndex = 1 To $aOUs[0][0]
    $aTemp = StringSplit($aOUs[$iIndex][1], ",")
    If StringInStr($aTemp[1], $sOU) > 0 Then
        $aMail = _AD_GetObjectsInOU($aOUs[$iIndex][1],"(&(objectCategory=person)(objectClass=user)(mail=*))",1,"samAccountName")
        _ArrayConcatenate($aResult, $aMail, 1)
    EndIf
Next
$aResult[0] = UBound($aResult, 1) - 1
_ArrayDisplay($aResult)
_AD_Close()

This example gets a list of all OUs in your AD, searches for OUs starting with C3084 and queries each of this OUs for all users with attribute mail <> "" and returns the samaccountname. The result is concatenated to a result table.

If you want to get more then the samaccountname then you have to do the concatenation yourself as _ArrayConcatenate only works for 1-dimensional arrays.

Howto use LDAP-Filters: SelfADSI

Edited January 13, 2011 by water

[enaiman]

Well - you're lucky - you got the help from the person who wrote the UDF

[Bodman]

Brilliant thank you (you should see the weird and wonderfull scripts ive been writing to try and get this to work). Ill start trying again now

[Bodman]

ok im missing something here if I run

#include <ad.au3>
_AD_Open()
$aResult = _AD_GetObjectsInOU("","(&(objectCategory=person)(objectClass=user))",2,"samAccountName")
_ArrayDisplay($aResult)
_AD_Close()

I removed the (mail=*) to try and get a list of all users first but I dont get anything at all returned

I ran

#include <AD.au3>
_AD_Open()
ConsoleWrite($sAD_DNSDomain & @CRLF)
ConsoleWrite($sAD_HostServer & @CRLF)
ConsoleWrite($sAD_Configuration & @CRLF)
_AD_Close()

and got

DC=mydomain,DC=net

s0000664.mydomain.net

CN=Configuration,DC=mydomain,DC=net

and tried to add that to _AD_Open()but as far as I can see its opening the connection as I get a error code of 1

My domain is 5 levels could that have something to do with it ?

Domain

Continent

Country

Site

SiteID

Users

Although if I run the LDAP query

$objCommand.CommandText = "<LDAP://" & $strDNSDomain & ">;(&(objectCategory=person)(objectClass=user)); name,sAMAccountName,distinguishedname;subtree"

it dumps everything

Any help appreciated

Bod

Edited January 20, 2011 by Bodman

[water]

If you run the _AD_GetobjectsInOU example script - what do you get?

[Bodman]

If you run the _AD_GetobjectsInOU example script - what do you get?

If I run your ADAudit.au3 script and try any queries I get the error (Is this what u want me to try)

Error 1 in _AD_GetObjectsInOU processing your query:.........

[water]

If I run your ADAudit.au3 script and try any queries I get the error (Is this what u want me to try)

Error 1 in _AD_GetObjectsInOU processing your query:.........

No, in the AD.ZIP file there is an example script for every function of the Active Directory UDF.

So you can find a _AD_GetObjectsInOU.au3 in the ZIP file.

What do you get if you run this example script?

BTW: Which version of the UDF do you run (can be found in the header - line 11 - of AD.au3)

Edited January 21, 2011 by water

[Bodman]

No, in the AD.ZIP file there is an example script for every function of the Active Directory UDF.

So you can find a _AD_GetObjectsInOU.au3 in the ZIP file.

What do you get if you run this example script?

BTW: Which version of the UDF do you run (can be found in the header - line 11 - of AD.au3)

UDF Version ...: 0.42

Sry I missed the examples in there (DOH) if I run the example script I get a list of everyone in the Same OU that I am in (Example 1 - so it appears to work fine )

Edited January 21, 2011 by Bodman

[Bodman]

it looks like if I add

#include <AD.au3>

; Get FQDN for the currently logged on user
Global $sFQDN = _AD_SamAccountNameToFQDN()

; Strip off the CN
Global $iPos = StringInStr($sFQDN, ",")
Global $sOU = StringMid($sFQDN, $iPos + 1)

Global $aObjects[1][1]

from the example file then the script may work

//Bod

Edited January 21, 2011 by Bodman

[water]

As the example script works there just seems to be a problem with the other script.

... then the script may work

What script are you talking about? My script posted in or do you have your own version? Edited January 21, 2011 by water

[Bodman]

Sorry im confusing things, OK

If I run the original script from #3

#include <ad.au3>
_AD_Open()
$aResult = _AD_GetObjectsInOU("","(&(objectCategory=person)(objectClass=user)(mail=*))",2,"samAccountName")
_ArrayDisplay($aResult)
_AD_Close()

I cant get that to work (The script runs, then exits)

However if I take the first part from your example and add it to that script it appears to work.

#include <ad.au3>
_AD_Open()

; Get FQDN for the currently logged on user
Global $sFQDN = _AD_SamAccountNameToFQDN()


; Strip off the CN
Global $iPos = StringInStr($sFQDN, ",")
Global $sOU = StringMid($sFQDN, $iPos + 1)

Global $aObjects[1][1]


$aResult = _AD_GetObjectsInOU($sOU,"(&(objectCategory=person)(objectClass=user)(mail=*))",2,"samAccountName")
_ArrayDisplay($aResult)
_AD_Close()

It looks like for me that the line

$aResult = _AD_GetObjectsInOU($sOU,"(&(objectCategory=person)(objectClass=user)(mail=*))",2,"samAccountName")

must have the OU set $sOU instead of "" although as far as I can see "" should be enough to make it work.

//Bod

Edited January 21, 2011 by Bodman

[water]

I'm confused

In function _AD_GetObjectsInOU the first parameter (starting OU) is replaced with $sAD_DNSDomain if empty.

In your example you start to search in the OU where the currently logged on userid is located.

So:

"" is replaced with "DC=mydomain,DC=net" => should search the entire tree

"OU=User_Accounts,DC=mydomain,DC=net" => only searches the OU (and children) where your userid is located. So you only get a subset of the possible results.

Be sure that parameter 3 ($iAD_SearchScope) is set to 2 so the starting OU plus sub-tree is scanned!

Be sure that the first parameter is two double quotes without a space between them: "" yiels correct results, " " yields nothing!

Let's do some error checking to trap this down:

#include <ad.au3>
$iResult = _AD_Open()
MsgBox(16, "_AD_Open", "Result: " & $iResult & @CRLF & "Error: " & @error & @CRLF & "Extended: " & @extended)
$aResult = _AD_GetObjectsInOU("","(&(objectCategory=person)(objectClass=user)(mail=*))",2,"samAccountName")
$iError = @error
$iExtended = @extended
If IsArray($aResult) Then
    _ArrayDisplay($aResult)
Else
    MsgBox(16, "_AD_GetObjectsInOU", "Result: " & $aResult & @CRLF & "Error: " & $iError & @CRLF & "Extended: " & $iExtended)
EndIf
_AD_Close()

Could you please run this script and post the results?

Edited January 21, 2011 by water

[Bodman]

OK ive attached the results (Screenshots)

[water]

Sorry, I had to edit the script (didn't return the correct @error information).

Could you please rerun the script as it is now and just post the result of the second msgbox?

Thanks

Edited January 21, 2011 by water

[Bodman]

second box

[water]

Sh......t! Once again I introduced a bug in this simple script!

I once more edited the script. Could you please rerun it?

_AD_GetObjectsInOU(" ", ..)

had to be changed to

_AD_GetObjectsInOU("", ..)

Edit: Have to leave now for the weekend. I'm sure we will trap down this problem in the next few days

Edited January 21, 2011 by water

[Bodman]

here you go

Can I just say thanks for all your time your putting into this. its been driving me insane trying to get it working

[water]

Can I just say thanks for all your time your putting into this.

Can't help - it's my baby

@error = 3 means: No records returned from Active Directory. $sAD_Filter didn't return a record

So let's reduce the filter! Could you please try this little test script:

#include <ad.au3>
$iResult = _AD_Open()
$aResult = _AD_GetObjectsInOU("","(mail=*)",2,"samAccountName")
$iError = @error
$iExtended = @extended
If IsArray($aResult) Then
    _ArrayDisplay($aResult)
Else
    MsgBox(16, "_AD_GetObjectsInOU", "Result: " & $aResult & @CRLF & "Error: " & $iError & @CRLF & "Extended: " & $iExtended)
EndIf
_AD_Close()

Edited January 21, 2011 by water