Searching for a User Account Attribute in a Container and Its Subcontainers

Microsoft® Windows® 2000 Scripting Guide

The script in Listing 7.25 is limited to returning the name attribute of objects in the Management OU. If there are child OUs of the Management OU, objects within the child OUs are not searched for the value of their name attribute. To find all objects meeting the criteria of the search in the Management OU and all child OUs, change the search scope from onelevel (line 10 in Listing 7.25) to subtree.

To expand the search to all objects in the domain, modify the search base to the domain and specify subtree as the search scope. The LDAP search dialect as it would appear in a script for this search is the following:

objCommand.CommandText = _
    "<LDAP://dc=NA,dc=fabrikam,dc=com>;" & _
    "(&(objectCategory=person)(objectClass=user));" & _
    "name;subtree"

Using the LDAP moniker in the LDAP search dialect of the preceding example limits the search to the contents of the domain by default. Any child domains of that domain are not searched. This default behavior can be changed, but if the attributes that the script should return are in the global catalog, a better option is to use the GC moniker to bind to the global catalog instead of the domain.

Unlike the domain, the global catalog contains a partial attribute list of all objects in its domain and all child domains. Therefore, if you bind to a global catalog server in the root domain, you can perform a forest-wide search from a single global catalog server.
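To make the effect of the scope (onelevel versus subtree) and moniker (LDAP:// versus GC://) choices described above visible without a directory server, here is an added Python model that is not part of the Scripting Guide. It parses the four-part "<base>;filter;attributes;scope" string the guide uses and evaluates it against a constructed two-domain forest; the sample entries, the PARTIAL_ATTRIBUTE_SET subset and the restriction to the (&(a=v)(b=w)) filter form are assumptions of the example.

```python
import re

# Constructed two-domain forest: root fabrikam.com and child NA.fabrikam.com.
FOREST = [
    ("cn=Alice,ou=Management,dc=fabrikam,dc=com",
     {"objectCategory": "person", "objectClass": "user", "name": "Alice", "department": "Finance"}),
    ("cn=Bob,ou=Sales,ou=Management,dc=fabrikam,dc=com",
     {"objectCategory": "person", "objectClass": "user", "name": "Bob", "department": "Sales"}),
    ("cn=Printer1,ou=Management,dc=fabrikam,dc=com",
     {"objectCategory": "printQueue", "name": "Printer1"}),
    ("cn=Carol,ou=Management,dc=NA,dc=fabrikam,dc=com",
     {"objectCategory": "person", "objectClass": "user", "name": "Carol", "department": "HR"}),
]
# Assumed subset of attributes replicated to the global catalog (partial attribute set).
PARTIAL_ATTRIBUTE_SET = {"name", "objectCategory", "objectClass"}

def parse_query(command_text):
    """Split '<LDAP://base>;filter;attrs;scope' into (moniker, base, filter, attrs, scope)."""
    base, filt, attrs, scope = command_text.split(";")
    m = re.fullmatch(r"<(LDAP|GC)://([^>]+)>", base)
    if not m:
        raise ValueError("search base must be <LDAP://dn> or <GC://dn>")
    if scope.lower() not in ("base", "onelevel", "subtree"):
        raise ValueError("scope must be base, onelevel or subtree")
    return m.group(1), m.group(2).lower(), filt, [a.strip() for a in attrs.split(",")], scope.lower()

def _in_scope(dn, base, scope):
    if scope == "base":
        return dn == base
    if scope == "onelevel":                        # direct children of the base only
        return dn.split(",", 1)[-1] == base
    return dn == base or dn.endswith("," + base)   # subtree: base and every descendant

def _domain(dn):
    return dn[dn.index("dc="):]                    # naming context the entry lives in

def _matches(attributes, filt):
    # Only the (&(a=v)(b=w)) equality form used in the guide's listings is handled.
    pairs = re.findall(r"\((\w+)=([^()]+)\)", filt)
    return all(attributes.get(k) == v for k, v in pairs)

def run_query(command_text, entries=FOREST):
    """Return one tuple of requested attribute values per matching entry."""
    moniker, base, filt, attrs, scope = parse_query(command_text)
    results = []
    for dn, attributes in entries:
        dn = dn.lower()
        if moniker == "LDAP" and _domain(dn) != _domain(base):
            continue                               # LDAP:// stays inside one domain partition
        if moniker == "GC":                        # GC:// sees the forest, but only the partial set
            attributes = {k: v for k, v in attributes.items() if k in PARTIAL_ATTRIBUTE_SET}
        if _in_scope(dn, base, scope) and _matches(attributes, filt):
            results.append(tuple(attributes.get(a) for a in attrs))
    return results
```

Running the guide's query with onelevel returns only Alice, subtree adds Bob from the child OU, and switching the base from LDAP:// to GC:// adds Carol from the child domain while dropping department, which is not in the modelled partial attribute set.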

Scripting Steps

Listing 7.26 contains a script that uses LDAP search dialect to limit a result set to the values of an attribute assigned to a specific type of user account in a forest. To carry out this task, the script performs the following steps:

  1. Create an ADO Connection object to access the Active Directory database by using the ADSI OLE DB provider.

  2. Create an ADO Command object, and assign the ADO connection to it.

  3. Assign the query string to the CommandText property of the ADO Command object. The string uses LDAP search dialect.

    Lines 8 to 10 specify the search base, two search filters, the attribute to return, and the search scope.

    The search base binds to the global catalog because the name attribute is contained in the global catalog, and the global catalog in the root domain contains a partial replica of all objects in the forest.

  4. Run the query by calling the Execute method of the Command object and storing the returned RecordSet object in objRecordSet.

  5. Use a While Wend statement to display each record in objRecordSet. Use the MoveNext method of the RecordSet object to move to the next record.

  6. Close the Connection object.

Listing 7.26 Performing a Search to Display the Names of User Account Types That Are Security Principals in a Forest

Set objConnection = CreateObject("ADODB.Connection")
objConnection.Open "Provider=ADsDSOObject;"

Set objCommand = CreateObject("ADODB.Command")
objCommand.ActiveConnection = objConnection

objCommand.CommandText = _
    "<GC://dc=fabrikam,dc=com>;" & _
    "(&(objectCategory=person)(objectClass=user));" & _
    "name;subtree"

Set objRecordSet = objCommand.Execute

' Walk the result set and display the name attribute of each record.
While Not objRecordSet.EOF
    Wscript.Echo objRecordSet.Fields("name")
    objRecordSet.MoveNext
Wend

objConnection.Close