Scripting Container Enumeration
Microsoft® Windows® 2000 Scripting Guide
Enumerating the contents of an Active Directory container typically involves three basic steps:
Bind to an Active Directory container to be enumerated.
Typically, the container is an OU.
Limit the result set with the Filter property.
This step is optional but should be used if you need to limit the type of objects enumerated in a container of many objects.
Create a loop to perform an administrative task against the objects in the container.
Enumerating the Contents of a Container
The script in Listing 5.39 enumerates the Configuration container and echoes the names of the child containers to the command window. The Configuration container is located in the fabrikam.com root domain. The script involves the following steps:
Bind to the Configuration container in the root domain.
Use a For Each statement to echo the names of each child container in the Configuration container.
Listing 5.39 Enumerating the Configuration Container for Names of Objects Within It
1 2 3 4 5 6 |
|
When the script runs in the fabrikam.com forest, it echoes the name of each child container of the Configuration container to the command window, as shown:
CN=DisplaySpecifiers
CN=Extended-Rights
CN=ForestUpdates
CN=LostAndFoundConfig
CN=Partitions
CN=Physical Locations
CN=Services
CN=Sites
CN=WellKnown Security Principals
The script works from any domain in the forest.
Enumerating a Container to Perform an Administrative Task
The script in Listing 5.40 enumerates the Partitions container, which is located in the Configuration container of the fabrikam.com root domain. During enumeration, two entries in the upnSuffixes multivalued attribute are updated and the script echoes all values in the attribute to the command window.
This script demonstrates container enumeration combined with writing and reading a multivalued attribute. For more information about multivalued attributes, see "Administering Multivalued Attributes" earlier in this chapter.
Set the ADS_PROPERTY_APPEND constant equal to the control code parameter used by the PutEx method to indicate this mode of modification (used in lines 5-7).
Bind to the Partitions container in the Configuration container of the root domain.
Add entries to the upnSuffixes attribute.
Use a For Each statement to echo the entries in the Partitions container's upnSuffixes attribute.
Listing 5.40 Enumerating the Partitions Container to Write and Read the upnSuffixes Attribute
1 2 3 4 5 6 7 8 9 10 11 |
|
When this script runs in the fabrikam.com root domain, it inserts two entries in the upnSuffixes attribute and then echoes all entries in the upnSuffixes attribute to the command window, as shown:
corp.fabrikam.com
sa.fabrikam.com
By default, the script in Listing 5.40 works only if your user account is a member of the Domain Admins global group or the Enterprise Admins universal group in the root domain. Both of these groups are granted the right to update attributes in the partitions container.
Limiting Container Enumeration to a Specific Object Type
The script in Listing 5.41 enumerates the Users container of the na.fabrikam.com root domain and uses the Filter method to limit the enumeration to all user account objects. The script then echoes the value of the primaryGroupID attribute and all entries in the memberOf attribute to the command window. For information about the Filter method, see "ADSI Interfaces" later in this chapter.
Use the On Error Resume Next statement.
This statement can be used to catch (or suppress) any run-time error; however, you should use it only if you are testing for and addressing errors that might occur when the script runs. In this case, the script uses the On Error Resume Next statement to catch the ADSI error that is generated if an attribute cannot be found in the local property cache.
Set the E_ADS_PROPERTY_NOT_FOUND constant equal to the ADSI error code generated if the memberOf attribute cannot be found in the local property cache (used in line 15).
Bind to the Users container in the na.fabrikam.com domain.
Set the Filter property to return user account objects (line 6).
Use a For Each statement to echo information about each user account. Inside the loop, do the following:
Using the Get method, echo the value of the primaryGroupID single-valued attribute to the command window (line11).
Using the GetEx method, initialize the arrMemberOf variable with the entries in the memberOf multivalued attribute (line 13).
If the memberOf attribute is present, the script does not raise the error number corresponding to E_ADS_PROPERTY_NOT_FOUND. Therefore, echo each entry in the arrMemberOf variable to the command window (lines 15-18).
Otherwise, echo a message stating that the memberOf attribute is empty, and clear the error code (lines 19-21).
Listing 5.41 Limiting Container Enumeration to User Accounts by Using the Filter Property
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 |
|
When this script runs in the na.fabrikam.com root domain, it echoes the primaryGroupID attribute and the entries in the memberOf attribute of user accounts to the command window, as shown in the following abbreviated list:
Administrator is a member of:
Primary Group ID: 513
CN=Group Policy Creator Owners,CN=Users,DC=na,DC=fabrikam,DC=com
CN=Domain Admins,CN=Users,DC=na,DC=fabrikam,DC=com
CN=Print Operators,CN=Builtin,DC=na,DC=fabrikam,DC=com
CN=Administrators,CN=Builtin,DC=na,DC=fabrikam,DC=com
FABRIKAM$ is a member of:
Primary Group ID: 513
memberOf attribute is not set
Guest is a member of:
Primary Group ID: 514
CN=Guests,CN=Builtin,DC=na,DC=fabrikam,DC=com
...