You want to find objects that match certain criteria in a domain.
From the menu, select Connection → Connect.
For Server, enter the name of a domain controller (or leave blank to do a serverless bind).
For Port, enter 389.
From the menu, select Connection → Bind.
Enter credentials of a user.
From the menu, select Browse → Search.
For BaseDN, type the base distinguished name where the search will start.
For Scope, select the appropriate scope.
For Filter, enter an LDAP filter.
> dsquery * <BaseDN> -scope <Scope> -filter "<Filter>" -attr "<AttrList>"
' This code searches for objects based on the specified criteria.
' ------ SCRIPT CONFIGURATION ------
strBase   = "<LDAP://<BaseDN>>;"  ' BaseDN should be the search base
strFilter = "<Filter>;"           ' Valid LDAP search filter
strAttrs  = "<AttrList>;"         ' Comma-separated list
strScope  = "<Scope>"             ' Should be one of Subtree, Onelevel, or Base
' ------ END CONFIGURATION ---------
set objConn = CreateObject("ADODB.Connection")
objConn.Provider = "ADsDSOObject"
objConn.Open "Active Directory Provider"
set objRS = objConn.Execute(strBase & strFilter & strAttrs & strScope)
' MoveFirst raises an error on an empty result, so only call it when rows exist
If Not objRS.EOF Then objRS.MoveFirst
While Not objRS.EOF
    Wscript.Echo objRS.Fields(0).Value
    objRS.MoveNext
Wend
Most tools that can be used to search Active Directory require a basic understanding of how to perform LDAP searches using a base DN, search scope, and search filter as described in RFC 2251 and 2254. The base DN is where the search begins in the directory tree. The search scope defines how far down in the tree to search from the base DN. The search filter is a prefix notation string that contains equality comparisons of attribute and value pairs.
The scope can be base, onelevel (or one), or subtree (or sub). A base scope will only match the base DN, onelevel will only match objects that are contained directly under the base DN, and subtree will match everything below the base DN (not including the base DN).
The search filter syntax is a powerful way to represent simple and complex queries. An example filter that matches all user objects would be (&(objectclass=user)(objectcategory=Person)). For more information on filters, see RFC 2254.
To customize the list of attributes returned for each matching object, look at the GUI discussion in Recipe 4.2.
With dsquery, <AttrList> should be a space-separated list of attributes to return. If left blank, all attributes that have a value will be returned.
The VBScript solution used ADO to perform the search. When using ADO, you must first create a connection object with the following three lines:
set objConn = CreateObject("ADODB.Connection")
objConn.Provider = "ADsDSOObject"
objConn.Open "Active Directory Provider"
At this point you can pass parameters to the Execute method, which will return a ResultSet object. You can iterate over the ResultSet by using the MoveFirst and MoveNext methods.
See Recipe 4.7 for more information on specifying advanced options in ADO like the page size.
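An added example, not part of the original recipe: when part of the filter comes from variable or user-supplied input, escape it per RFC 2254 before concatenating it into the ADO query string, so that characters such as * and ( cannot change the filter's meaning. The function names, the choice of the cn attribute, and the dc=example,dc=com base DN are assumptions made for illustration.

```vbscript
Option Explicit

' Escape a value for use inside an LDAP search filter (RFC 2254, section 4).
' The backslash is replaced first so later escapes are not double-escaped.
Function EscapeFilterValue(strValue)
    Dim strOut
    strOut = Replace(strValue, "\", "\5c")
    strOut = Replace(strOut, "*", "\2a")
    strOut = Replace(strOut, "(", "\28")
    strOut = Replace(strOut, ")", "\29")
    strOut = Replace(strOut, Chr(0), "\00")
    EscapeFilterValue = strOut
End Function

' Build the ADO query string <LDAP://base>;filter;attrs;scope for user
' objects whose cn equals strName exactly (hypothetical helper).
Function BuildUserQuery(strBaseDN, strName, strAttrs, strScope)
    Dim strFilter
    strFilter = "(&(objectclass=user)(objectcategory=Person)(cn=" & _
                EscapeFilterValue(strName) & "))"
    BuildUserQuery = "<LDAP://" & strBaseDN & ">;" & strFilter & ";" & _
                     strAttrs & ";" & strScope
End Function

' ------ SCRIPT CONFIGURATION (constructed sample values) ------
Dim strBaseDN, strName, strQuery, objConn, objRS
strBaseDN = "dc=example,dc=com"    ' placeholder base DN
strName   = "Smith (Contractor)*"  ' untrusted input containing metacharacters
' ------ END CONFIGURATION ---------

strQuery = BuildUserQuery(strBaseDN, strName, "cn,distinguishedName", "Subtree")
WScript.Echo "Query: " & strQuery

Set objConn = CreateObject("ADODB.Connection")
objConn.Provider = "ADsDSOObject"
objConn.Open "Active Directory Provider"
Set objRS = objConn.Execute(strQuery)

' With the value escaped, "*" is matched literally rather than as a
' wildcard, so finding no match is a normal outcome and must not error.
If objRS.EOF Then WScript.Echo "No matching objects."
While Not objRS.EOF
    WScript.Echo objRS.Fields("distinguishedName").Value
    objRS.MoveNext
Wend
objConn.Close
```

Only the value portion of a comparison is escaped; the filter structure itself (parentheses, &, attribute names) stays under the script's control.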
Recipe 4.2 for viewing attributes of objects, Recipe 4.7 for setting advanced ADO options, RFC 2251 (Lightweight Directory Access Protocol (v3)), RFC 2254 (Lightweight Directory Access Protocol (v3)), MSDN: Searching with ActiveX Data Objects (ADO), and for a good white paper on performing queries with LDAP see: http://www.microsoft.com/windows2000/techinfo/howitworks/activedirectory/ldap.asp