Verifying That an Attribute Is Unique in the Forest
Microsoft® Windows® 2000 Scripting Guide
Active Directory requires the sAMAccountName attribute to be unique among all security principal objects within a domain. If you are using a script to create a user account in a domain, a stricter and more useful check is to verify that the sAMAccountName is not in use anywhere in the forest, which you can do by searching the global catalog for that attribute.
Listing 7.27 contains a script that uses LDAP search dialect to verify that a user account with a particular sAMAccountName does not already exist. To carry out this task, the script performs the following steps:
Create an ADO Connection object to access the Active Directory database by using the ADSI OLE DB provider.
Create an ADO Command object, and assign the ADO connection to it.
Assign the query string to the CommandText property of the ADO Command object. The string uses LDAP search dialect.
Lines 8 through 11 specify the search base (the global catalog of the fabrikam.com forest), two search filters, the attributes to return, and the search scope.
The search filter on line 10 limits the query to a sAMAccountName of myerken.
The first part of line 11 requests two attributes, sAMAccountName and distinguishedName; the second part, after the semicolon, sets the search scope to subtree. The distinguishedName is requested so that the output of the script displays the exact location of any user account object that already has the specified sAMAccountName.
Run the query by calling the Execute method of the Command object and storing the RecordSet object that it returns in objRecordSet.
If the RecordCount property of the RecordSet object is 0, display a message stating that the sAMAccountName is not in use.
If the RecordCount property is not 0, use a While Wend statement to display each record in objRecordSet. Use the MoveNext method of the RecordSet object to move to the next record.
Active Directory enforces sAMAccountName uniqueness within a domain; the global catalog search above checks every domain in the forest at once. It is also possible for orphaned user account objects to exist in the LostAndFound container of a domain. A user account in this container does not prevent you from creating another user account with the same sAMAccountName. If the sAMAccountName is in use in another container as well, the While Wend statement displays both the entry in LostAndFound and the entry in the other container, so inspect the distinguishedName of each result rather than relying on the record count alone.
Close the Connection object.
Listing 7.27 Performing a Search to Determine Whether a User Account Name Is in Use
1  Set objConnection = CreateObject("ADODB.Connection")
2  objConnection.Open "Provider=ADsDSOObject;"   ' ADSI OLE DB provider
3  
4  Set objCommand = CreateObject("ADODB.Command")
5  objCommand.ActiveConnection = objConnection
6  
7  objCommand.CommandText = _
8      "<GC://dc=fabrikam,dc=com>;" & _
9      "(&(objectCategory=person)(objectClass=user)" & _
10     "(sAMAccountName=myerken));" & _
11     "sAMAccountName, distinguishedName;subtree"
12 
13 Set objRecordSet = objCommand.Execute   ' run the global catalog query
14 
15 If objRecordSet.RecordCount = 0 Then
16     Wscript.Echo "The sAMAccountName is not in use."
17 Else
18     While Not objRecordSet.EOF   ' one record per matching user object
19         Wscript.Echo "sAMAccountName = " & _
20             objRecordSet.Fields("sAMAccountName")
21         Wscript.Echo "distinguishedName = " & _
22             objRecordSet.Fields("distinguishedName")
23         objRecordSet.MoveNext
24     Wend
25 End If
26 
27 objConnection.Close
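The same check in PowerShell, as an added example that is not part of the Scripting Guide. It queries the global catalog through System.DirectoryServices and, because an account-creation script normally receives the account name as input rather than as the literal "myerken" of the listing, escapes the value before it is concatenated into the LDAP filter (an unescaped value such as "*" or "myerken)(objectClass=*" would change the filter instead of being matched as a name). It also flags results that live in a LostAndFound container, following the caveat above. The forest root DN, the function names and the sample inputs are assumptions.

```powershell
# Added example, not from the Windows 2000 Scripting Guide.
# Assumptions: forest root DC=fabrikam,DC=com (as in Listing 7.27), the function
# names, and the constructed sample inputs at the bottom.

function ConvertTo-LdapFilterValue {
    # Escape the characters that RFC 4515 reserves inside an assertion value,
    # so user-supplied text cannot add or widen filter clauses.
    # Backslash goes first so the escapes introduced below are not re-escaped.
    param([Parameter(Mandatory)][string]$Value)
    $escaped = $Value.Replace('\', '\5c')
    $escaped = $escaped.Replace('*', '\2a')
    $escaped = $escaped.Replace('(', '\28')
    $escaped = $escaped.Replace(')', '\29')
    $escaped = $escaped.Replace("`0", '\00')
    return $escaped
}

function Find-SamAccountNameInForest {
    # Search the global catalog (all domains in the forest) for user objects with
    # the given sAMAccountName; returns one object per match, none if unused.
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$ForestRootDn = 'DC=fabrikam,DC=com'   # assumed, as in the listing
    )
    $filter = '(&(objectCategory=person)(objectClass=user)(sAMAccountName={0}))' -f `
        (ConvertTo-LdapFilterValue -Value $SamAccountName)

    $root     = New-Object System.DirectoryServices.DirectoryEntry("GC://$ForestRootDn")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $filter)
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
    [void]$searcher.PropertiesToLoad.Add('sAMAccountName')
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')

    $results = $searcher.FindAll()
    try {
        foreach ($r in $results) {
            $dn = [string]$r.Properties['distinguishedname'][0]
            [pscustomobject]@{
                sAMAccountName    = [string]$r.Properties['samaccountname'][0]
                distinguishedName = $dn
                # An orphaned object in LostAndFound still appears in the search;
                # flag it so the caller can decide how to treat it.
                InLostAndFound    = ($dn -match ',CN=LostAndFound,')
            }
        }
    }
    finally {
        $results.Dispose()
        $searcher.Dispose()
        $root.Dispose()
    }
}

# Constructed sample input: without escaping, this value would have produced the
# filter "...(sAMAccountName=myerken)(objectClass=*))" and matched every user;
# escaped, it is a literal name that matches nothing.
ConvertTo-LdapFilterValue -Value 'myerken)(objectClass=*'   # myerken\29\28objectClass=\2a

$hits = @(Find-SamAccountNameInForest -SamAccountName 'myerken')
if ($hits.Count -eq 0) {
    'The sAMAccountName is not in use.'
} else {
    $hits | Format-Table -AutoSize
}
```

The search runs with the caller's credentials against the global catalog, so it sees every domain but only attributes in the partial attribute set; sAMAccountName and distinguishedName are both replicated there. Treat the result as a snapshot: another administrator or another domain controller can create the same name between this query and your own create, and replication of that create takes time, so the error returned when the account is actually created remains the authoritative check.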