Searching for Multivalued Attributes

Microsoft® Windows® 2000 Scripting Guide

At times it might be necessary to search for multivalued attributes. For example, you might want a list of user accounts with URLs listed in the url multivalued attribute, or you might want to retrieve a list of direct reports listed in the directReports multivalued attribute for user accounts in a particular OU.

Multivalued attributes are not indexed and not located in the global catalog, so searches for this type of attribute should be limited in scope.

Scripting Steps

Listing 7.31 contains a script that finds all user accounts in an OU that contain values in a multivalued attribute. To carry out this task, the script performs the following steps:

  1. Create an ADO Connection object to access the Active Directory database by using the ADSI OLE DB provider.

  2. Create an ADO Command object, and assign the ADO connection to it.

  3. Assign the query string to the CommandText property of the ADO Command object. The string uses LDAP search dialect.

    Line 8 specifies the search base using the LDAP moniker to query a domain controller in the domain because the otherTelephone attribute is not replicated to the global catalog. The search base has been intentionally limited to the Management OU because not only is the otherTelephone attribute not in the global catalog, but it is not an indexed attribute, either. Limiting the result set by specifying the Management OU as the search base avoids overburdening the domain controller with an intensive search request.

    Line 9 specifies the objectCategory=person and otherTelephone=* search filters to limit the result set to all user account types that contain values for the otherTelephone attribute. This does not exclude the contact account type, which can contain a value for the otherTelephone attribute. User account types without a value for the otherTelephone attribute are not returned by the query because the * (ANY operator) means that the attribute must be present; that is, it must contain a value.

    Line 10 specifies the attributes of the objects to return, the cn and otherTelephone attributes, and the scope of the search. The search scope has been limited to onelevel so that only user accounts in the Management OU are searched and child OUs are not.

  4. Run the query by calling the Execute method of the Command object and storing the return value in the RecordSet object, objRecordSet.

  5. Use a While...Wend statement to loop through all of the records in the RecordSet object.

  6. Display the cn value, a single-valued attribute stored in the Fields collection of the RecordSet object.

  7. Use a For Each loop to read each value stored in the otherTelephone field of the RecordSet object and then display the values.

    The end of line 16 shows that the Value property of the Fields collection is specified. The Value property is the default property and does not need to be specified when single-valued attributes are displayed. However, it is required for this script to display the values contained in the otherTelephone multivalued attribute.

  8. Move to the next record in the recordset by using the MoveNext method of the RecordSet object. When all records are processed, end the loop.

  9. Close the Connection object.

Listing 7.31 Searching for User Accounts Containing a Particular Multivalued Attribute


Set objConnection = CreateObject("ADODB.Connection")
objConnection.Open "Provider=ADsDSOObject;"

Set objCommand = CreateObject("ADODB.Command")
objCommand.ActiveConnection = objConnection

objCommand.CommandText = _
 "<LDAP://ou=Management,dc=NA,dc=fabrikam,dc=com>;" & _
 "(&(objectCategory=person)(otherTelephone=*));" & _
 "cn,otherTelephone;onelevel"

Set objRecordSet = objCommand.Execute

While Not objRecordset.EOF
 Wscript.Echo objRecordset.Fields("cn") & VbCr
 For Each varRecord in objRecordset.Fields("otherTelephone").Value
  Wscript.stdOut.Write varRecord & " "
 Next
 Wscript.Echo VbCrLf
 objRecordset.MoveNext   ' step 8: advance to the next record
Wend

objConnection.Close      ' step 9: release the connection
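
As an added example (not from the Scripting Guide), the following Python check parses an ADSI LDAP-dialect CommandText string and flags the two problems step 3 warns about: a domain-wide subtree search on an unindexed attribute, and a GC:// query for an attribute that is not in the global catalog. The function names, finding codes and the two attribute sets are assumptions made for this example.

```python
import re

SCOPES = {"base", "onelevel", "subtree"}
# Assumptions for this example; replace both sets with values from your own schema.
ASSUMED_INDEXED = {"cn", "objectcategory", "samaccountname"}
ASSUMED_NOT_IN_GC = {"othertelephone", "url", "directreports"}

def parse_ldap_dialect(command_text):
    """Split '<base>;filter;attributes[;scope]' into its parts."""
    parts = [p.strip() for p in command_text.strip().split(";")]
    scope = "subtree"                      # ADSI default when scope is omitted
    if parts[-1].lower() in SCOPES:
        scope = parts.pop().lower()
    if len(parts) < 3:
        raise ValueError("expected <base>;filter;attributes[;scope]")
    m = re.fullmatch(r"<(LDAP|GC)://(.+)>", parts[0], re.I)
    if not m:
        raise ValueError("search base must be <LDAP://...> or <GC://...>")
    return {
        "provider": m.group(1).upper(),
        "base_dn": m.group(2).split("/")[-1],      # drop an optional server name
        "filter": ";".join(parts[1:-1]),           # a filter value may contain ';'
        "attributes": [a.strip() for a in parts[-1].split(",")],
        "scope": scope,
    }

def review_query(command_text):
    """Return finding codes for queries that ignore the scoping advice above."""
    q = parse_ldap_dialect(command_text)
    # Attribute names tested in the filter, e.g. (otherTelephone=*)
    tested = {a.lower() for a in
              re.findall(r"\(\s*([A-Za-z][\w-]*)\s*[~<>]?=", q["filter"])}
    wanted = tested | {a.lower() for a in q["attributes"]}
    findings = []
    at_domain_root = q["base_dn"].lower().startswith("dc=")
    if tested - ASSUMED_INDEXED and q["scope"] == "subtree" and at_domain_root:
        findings.append("UNINDEXED_WIDE_SCOPE")
    if q["provider"] == "GC" and wanted & ASSUMED_NOT_IN_GC:
        findings.append("NOT_IN_GC")
    return findings

# Constructed sample input: the listing's query and a domain-wide variant.
PAGE_QUERY = ("<LDAP://ou=Management,dc=NA,dc=fabrikam,dc=com>;"
              "(&(objectCategory=person)(otherTelephone=*));"
              "cn,otherTelephone;onelevel")
WIDE_QUERY = "<GC://dc=NA,dc=fabrikam,dc=com>;(otherTelephone=*);cn,otherTelephone"

if __name__ == "__main__":
    for text in (PAGE_QUERY, WIDE_QUERY):
        print(review_query(text) or "ok", "<-", text)
```

The listing's query passes because its scope is onelevel under an OU; the variant is flagged on both counts because it omits the scope (defaulting to subtree) and starts at the domain root through the GC provider.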