O'Reilly logo

Active Directory Cookbook by Robbie Allen

Stay ahead with the world's most comprehensive technology and business learning platform.

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, tutorials, and more.

Start Free Trial

No credit card required

4.5. Searching for Objects in a Domain

Problem

You want to find objects that match certain criteria in a domain.

Solution

Using a graphical user interface

  1. Open LDP.

  2. From the menu, select Connection Connect.

  3. For Server, enter the name of a domain controller (or leave blank to do a serverless bind).

  4. For Port, enter 389.

  5. Click OK.

  6. From the menu, select Connection Bind.

  7. Enter credentials of a user.

  8. Click OK.

  9. From the menu, select Browse Search.

  10. For BaseDN, type the base distinguished name where the search will start.

  11. For Scope, select the appropriate scope.

  12. For Filter, enter an LDAP filter.

  13. Click Run.

Using a command-line interface

> dsquery * <BaseDN> -scope <Scope> -filter "<Filter>" -attr "<AttrList>"

Using VBScript

' This code searches for objects based on the specified criteria.
' ------ SCRIPT CONFIGURATION ------
strBase    =  "<LDAP://<BaseDN>>;" ' BaseDN should be the search base
strFilter  = "<Filter>;"           ' Valid LDAP search filter
strAttrs   = "<AttrList>;"         ' Comma-seperated list
strScope   = "<Scope>"             ' Should be on of Subtree, Onelevel, or Base
' ------ END CONFIGURATION ---------

set objConn = CreateObject("ADODB.Connection")
objConn.Provider = "ADsDSOObject"
objConn.Open "Active Directory Provider"
set objRS = objConn.Execute(strBase & strFilter & strAttrs & strScope)
objRS.MoveFirst
While Not objRS.EOF
    Wscript.Echo objRS.Fields(0).Value
    objRS.MoveNext
Wend

Discussion

Most tools that can be used to search Active Directory require a basic understanding of how to perform LDAP searches using a base DN, search scope, and search filter as described in RFC 2251 and 2254. The base DN is where the search begins in the directory tree. The search scope defines how far down in the tree to search from the base DN. The search filter is a prefix notation string that contains equality comparisons of attribute and value pairs.

The scope can be base, onelevel (or one), or subtree (or sub). A base scope will only match the base DN, onelevel will only match objects that are contained directly under the base DN, and subtree will match everything below the base DN (not including the base DN).

The search filter syntax is a powerful way to represent simple and complex queries. An example filter that matches all user objects would be (&(objectclass=user)(objectcategory=Person)). For more information on filters, see RFC 2254.

Using a graphical user interface

To customize the list of attributes returned for each matching object, look at the GUI discussion in Recipe 4.2.

Using a command-line interface

<AttrList> should be a space-separated list of attributes to return. If left blank, all attributes that have a value will be returned.

Using VBScript

The VBScript solution used ADO to perform the search. When using ADO, you must first create a connection object with the following three lines:

set objConn = CreateObject("ADODB.Connection")
objConn.Provider = "ADsDSOObject"
objConn.Open "Active Directory Provider"

At this point you can pass parameters to the Execute method, which will return a ResultSet object. You can iterate over the ResultSet by using the MoveFirst and MoveNext methods.

See Recipe 4.7 for more information on specifying advanced options in ADO like the page size.

See Also

Recipe 4.2 for viewing attributes of objects, Recipe 4.7 for setting advanced ADO options, RFC 2251 (Lightweight Directory Access Protocol (v3)), RFC 2254 (Lightweight Directory Access Protocol (v3)), MSDN: Searching with ActiveX Data Objects (ADO), and for a good white paper on performing queries with LDAP see: http://www.microsoft.com/windows2000/techinfo/howitworks/activedirectory/ldap.asp

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, interactive tutorials, and more.

Start Free Trial

No credit card required