Scripting Container Enumeration

  • Article

Microsoft® Windows® 2000 Scripting Guide

Enumerating the contents of an Active Directory container typically involves three basic steps:

  1. Bind to an Active Directory container to be enumerated.

    Typically, the container is an OU.

  2. Limit the result set with the Filter property.

    This step is optional but should be used if you need to limit the type of objects enumerated in a container of many objects.

  3. Create a loop to perform an administrative task against the objects in the container.

Enumerating the Contents of a Container

The script in Listing 5.39 enumerates the Configuration container and echoes the names of the child containers to the command window. The Configuration container is located in the fabrikam.com root domain. The script involves the following steps:

  1. Bind to the Configuration container in the root domain.

  2. Use a For Each statement to echo the names of each child container in the Configuration container.

Listing 5.39 Enumerating the Configuration Container for Names of Objects Within It

   
1 
2 
3 
4 
5 
6

Set objConfiguration = GetObject _ 
 ("LDAP://cn=Configuration,dc=fabrikam,dc=com") 
  
For Each objContainer in objConfiguration 
 Wscript.Echo objContainer.Name 
Next

When the script runs in the fabrikam.com forest, it echoes the name of each child container of the Configuration container to the command window, as shown:

CN=DisplaySpecifiers 
CN=Extended-Rights 
CN=ForestUpdates 
CN=LostAndFoundConfig 
CN=Partitions 
CN=Physical Locations 
CN=Services 
CN=Sites 
CN=WellKnown Security Principals

The script works from any domain in the forest.

Enumerating a Container to Perform an Administrative Task

The script in Listing 5.40 enumerates the Partitions container, which is located in the Configuration container of the fabrikam.com root domain. During enumeration, two entries in the upnSuffixes multivalued attribute are updated and the script echoes all values in the attribute to the command window.

This script demonstrates container enumeration combined with writing and reading a multivalued attribute. For more information about multivalued attributes, see "Administering Multivalued Attributes" earlier in this chapter.

  1. Set the ADS_PROPERTY_APPEND constant equal to the control code parameter used by the PutEx method to indicate this mode of modification (used in lines 5-7).

  2. Bind to the Partitions container in the Configuration container of the root domain.

  3. Add entries to the upnSuffixes attribute.

  4. Use a For Each statement to echo the entries in the Partitions container's upnSuffixes attribute.

Listing 5.40 Enumerating the Partitions Container to Write and Read the upnSuffixes Attribute

   
1 
2 
3 
4 
5 
6 
7 
8 
9 
10 
11

Const ADS_PROPERTY_APPEND = 3 
Set objPartitions = GetObject _ 
 ("LDAP://cn=Partitions,cn=Configuration,dc=fabrikam,dc=com") 
  
objPartitions.PutEx ADS_PROPERTY_APPEND, upnSuffixes", _ 
 Array("sa.fabrikam.com","corp.fabrikam.com") 
objPartitions.SetInfo 
 
For Each Suffix in objPartitions.GetEx("upnSuffixes") 
 Wscript.Echo Suffix 
Next

When this script runs in the fabrikam.com root domain, it inserts two entries in the upnSuffixes attribute and then echoes all entries in the upnSuffixes attribute to the command window, as shown:

corp.fabrikam.com 
sa.fabrikam.com

By default, the script in Listing 5.40 works only if your user account is a member of the Domain Admins global group or the Enterprise Admins universal group in the root domain. Both of these groups are granted the right to update attributes in the partitions container.

Limiting Container Enumeration to a Specific Object Type

The script in Listing 5.41 enumerates the Users container of the na.fabrikam.com root domain and uses the Filter method to limit the enumeration to all user account objects. The script then echoes the value of the primaryGroupID attribute and all entries in the memberOf attribute to the command window. For information about the Filter method, see "ADSI Interfaces" later in this chapter.

  1. Use the On Error Resume Next statement.

    This statement can be used to catch (or suppress) any run-time error; however, you should use it only if you are testing for and addressing errors that might occur when the script runs. In this case, the script uses the On Error Resume Next statement to catch the ADSI error that is generated if an attribute cannot be found in the local property cache.

  2. Set the E_ADS_PROPERTY_NOT_FOUND constant equal to the ADSI error code generated if the memberOf attribute cannot be found in the local property cache (used in line 15).

  3. Bind to the Users container in the na.fabrikam.com domain.

  4. Set the Filter property to return user account objects (line 6).

  5. Use a For Each statement to echo information about each user account. Inside the loop, do the following:

    1. Using the Get method, echo the value of the primaryGroupID single-valued attribute to the command window (line11).

    2. Using the GetEx method, initialize the arrMemberOf variable with the entries in the memberOf multivalued attribute (line 13).

      If the memberOf attribute is present, the script does not raise the error number corresponding to E_ADS_PROPERTY_NOT_FOUND. Therefore, echo each entry in the arrMemberOf variable to the command window (lines 15-18).

      Otherwise, echo a message stating that the memberOf attribute is empty, and clear the error code (lines 19-21).

Listing 5.41 Limiting Container Enumeration to User Accounts by Using the Filter Property

   
1 
2 
3 
4 
5 
6 
7 
8 
9 
10 
11 
12 
13 
14 
15 
16 
17 
18 
19 
20 
21 
22 
23 
24

On Error Resume Next 
Const E_ADS_PROPERTY_NOT_FOUND = &h8000500D 
Set objOU = GetObject _ 
 ("LDAP://cn=Users,dc=NA,dc=fabrikam,dc=com") 
  
ObjOU.Filter= Array("user") 
 
For Each objUser in objOU 
 Wscript.Echo objUser.cn & " is a member of: " 
 Wscript.Echo vbTab & "Primary Group ID: " & _ 
 objUser.Get("primaryGroupID") 
  
 arrMemberOf = objUser.GetEx("memberOf") 
  
 If Err.Number <> E_ADS_PROPERTY_NOT_FOUND Then 
 For Each Group in arrMemberOf 
 Wscript.Echo vbTab & Group 
 Next 
 Else 
 Wscript.Echo vbTab & "memberOf attribute is not set" 
 Err.Clear 
 End If 
 Wscript.Echo VbCrLf 
Next

When this script runs in the na.fabrikam.com root domain, it echoes the primaryGroupID attribute and the entries in the memberOf attribute of user accounts to the command window, as shown in the following abbreviated list:

Administrator is a member of: 
        Primary Group ID: 513 
        CN=Group Policy Creator Owners,CN=Users,DC=na,DC=fabrikam,DC=com 
        CN=Domain Admins,CN=Users,DC=na,DC=fabrikam,DC=com 
        CN=Print Operators,CN=Builtin,DC=na,DC=fabrikam,DC=com 
        CN=Administrators,CN=Builtin,DC=na,DC=fabrikam,DC=com 
         
FABRIKAM$ is a member of: 
        Primary Group ID: 513 
        memberOf attribute is not set 
         
Guest is a member of: 
        Primary Group ID: 514 
        CN=Guests,CN=Builtin,DC=na,DC=fabrikam,DC=com 
...