From the menu, select Connection → Connect.
For Server, enter the name of a domain controller (or leave blank to do a serverless bind).
For Port, enter 389.
From the menu, select Connection → Bind.
Enter credentials of a user.
From the menu, select Browse → Search.
For BaseDN, type the base distinguished name where the search will start.
For Scope, select the appropriate scope.
For Filter, enter an LDAP filter.
> dsquery * <BaseDN> -scope <Scope> -filter "<Filter>" -attr "<AttrList>"
' This code searches for objects based on the specified criteria.
' ------ SCRIPT CONFIGURATION ------
strBase   = "<LDAP://<BaseDN>>;"  ' BaseDN should be the search base
strFilter = "<Filter>;"           ' Valid LDAP search filter
strAttrs  = "<AttrList>;"         ' Comma-separated list
strScope  = "<Scope>"             ' Should be one of Subtree, Onelevel, or Base
' ------ END CONFIGURATION ---------

' Open an ADO connection through the Active Directory provider
set objConn = CreateObject("ADODB.Connection")
objConn.Provider = "ADsDSOObject"
objConn.Open "Active Directory Provider"
' The query string has the form <base>;filter;attributes;scope
set objRS = objConn.Execute(strBase & strFilter & strAttrs & strScope)
objRS.MoveFirst
' Print the first requested attribute of every matching object
While Not objRS.EOF
    Wscript.Echo objRS.Fields(0).Value
    objRS.MoveNext
Wend
Most tools that can be used to search Active Directory require a basic understanding of how to perform LDAP searches using a base DN, search scope, and search filter as described in RFC 2251 and 2254. The base DN is where the search begins in the directory tree. The search scope defines how far down in the tree to search from the base DN. The search filter is a prefix notation string that contains equality comparisons of attribute and value pairs.
The scope can be base, onelevel (or one), or subtree (or sub). A base scope will only match the base DN, onelevel will only match objects that are contained directly under the base DN, and subtree will match everything below the base DN (not including the base DN).
The search filter syntax is a powerful way to represent simple and complex queries. An example filter that matches all user objects would be
For more information on filters, see RFC 2254.
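As an added example (not code from the original text), the following Python evaluates the prefix-notation filter syntax described above against constructed sample entries: the &, | and ! operators, equality, presence (attr=*) and substring items, and the \XX escapes RFC 2254 requires for a literal parenthesis, asterisk or backslash in a value. The function names, the sample entries and the case-insensitive string comparison are assumptions of this example; a real directory applies per-attribute matching rules and further item types (>=, <=, ~=) that are not handled here.

```python
import re

# Constructed sample entries (not from a real directory): DN -> {attribute: [values]}.
ENTRIES = {
    "cn=Ann Lee,dc=example,dc=com": {"objectclass": ["user"], "cn": ["Ann Lee"], "department": ["Sales"]},
    "cn=Bob (Temp),dc=example,dc=com": {"objectclass": ["user"], "cn": ["Bob (Temp)"]},
    "cn=PRN01,dc=example,dc=com": {"objectclass": ["printQueue"], "cn": ["PRN01"]},
}

def parse(f, i=0):
    """Parse one parenthesised filter at f[i]; return (node, index after it)."""
    if f[i:i + 1] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    op = f[i + 1:i + 2]
    if op in ("&", "|", "!"):            # prefix operator followed by sub-filters
        kids, i = [], i + 2
        while f[i:i + 1] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        if f[i:i + 1] != ")" or not kids or (op == "!" and len(kids) != 1):
            raise ValueError(f"malformed '{op}' filter")
        return (op, kids), i + 1
    end = f.index(")", i)                # a literal ')' in a value must be written \29
    attr, sep, value = f[i + 1:end].partition("=")
    if not sep or not attr:
        raise ValueError("expected attr=value")
    return ("=", attr.lower(), value), end + 1

def value_regex(value):
    # Unescaped '*' is a wildcard; \XX (two hex digits) is a literal character.
    unhex = lambda m: chr(int(m.group(1), 16))
    parts = [re.escape(re.sub(r"\\([0-9a-fA-F]{2})", unhex, p)) for p in value.split("*")]
    return re.compile(".*".join(parts), re.IGNORECASE | re.DOTALL)

def matches(node, entry):
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    rx = value_regex(node[2])            # "attr=*" becomes a presence test
    return any(rx.fullmatch(v) for v in entry.get(node[1], []))

def search(entries, flt):
    node, end = parse(flt)
    if end != len(flt):
        raise ValueError("unexpected text after filter (unescaped parenthesis?)")
    return [dn for dn, entry in entries.items() if matches(node, entry)]
```

A value containing an unescaped parenthesis, such as (cn=Bob (Temp)), is rejected with ValueError, while the escaped form (cn=Bob \28Temp\29) matches the entry literally.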
To customize the list of attributes returned for each matching object, look at the GUI discussion in Recipe 4.2.
<AttrList> should be a space-separated list of attributes to return. If left blank, all attributes that have a value will be returned.
The VBScript solution used ADO to perform the search. When using ADO, you must first create a connection object with the following three lines:
set objConn = CreateObject("ADODB.Connection")
objConn.Provider = "ADsDSOObject"
objConn.Open "Active Directory Provider"
At this point you can pass parameters to the Execute method, which will return a ResultSet object. You can iterate ResultSet by using the
See Recipe 4.7 for more information on specifying advanced options in ADO like the page size.
Recipe 4.2 for viewing attributes of objects, Recipe 4.7 for setting advanced ADO options, RFC 2251 (Lightweight Directory Access Protocol (v3)), RFC 2254 (Lightweight Directory Access Protocol (v3)), MSDN: Searching with ActiveX Data Objects (ADO), and for a good white paper on performing queries with LDAP see: http://www.microsoft.com/windows2000/techinfo/howitworks/activedirectory/ldap.asp