#139444 - 2005-05-09 07:44 PM
Script Problem
|
Arkane
Getting the hang of it
Registered: 2004-08-14
Posts: 50
Loc: Bath, UK
|
Apologies for not using a more creative title but I couldn't think of one (it's been a long day).
I'm having trouble with this particular function, I can't give credit (I didn't write it) as there is no information in the routine itself as to who wrote it.
However the problem I'm having is the function is designed to search AD for a given object ($type) with name ($cn) starting in the LDAP root ($root) and finally looking for a particular attribute ($attribute).
What I'm having difficulty with is that some users are found by the script but some are not, yet a search using the AD MMC (Users and Computers) shows me exactly where they are.
Basically what I want to do is to have a function search the AD tree starting at the root ($root), for a particular username ($cn) - if it doesn't find it, return nothing. If it finds it, return the DN of the object found (as parts later in my script rely on this).
The problem with this is it doesn't seem to search ALL the AD users, it seems to get 3/4 of them and then just gives up (we have 1500+ users). Does anyone have any ideas why this is, or does anyone have any clue as to how I could write a function that does exactly what I want, or does anyone have a UDF for this? I've look around and can't seem to find anything that does this specifically.
Thanking you all in advance.
Code:
Function searchAD( $root, $cn, $type, $attribute )
$objConnection = CreateObject( "ADODB.Connection")
$objConnection.Open( "Provider=ADsDSOObject;")
$objCommand = CreateObject( "ADODB.Command")
$objCommand.ActiveConnection = $objConnection
$objCommand.Commandtext = ";(objectCategory=$Type);distinguishedName,$attribute;subtree"
$objRecordSet = $objCommand.Execute
While NOT $objRecordSet.EOF
If CStr( $objRecordSet.Fields( $attribute ) ) = $cn
$searchAD = CStr( $objRecordSet.Fields( "distinguishedName" ) ) ; Returns the LDAP string if object is found
Exit
Else
$searchAD = 0 ; Otherwise, it returns a Zero
EndIf
$objRecordSet.MoveNext
Loop
EndFunction
|
|
Top
|
|
|
|
#139447 - 2005-05-09 09:12 PM
Re: Script Problem
|
Arkane
Getting the hang of it
Registered: 2004-08-14
Posts: 50
Loc: Bath, UK
|
Am about to try the 'Page Size' option with ADO, if this should fail (I hope not), does anyone else have anything else I can try? The VBScript from MS which tells me if a user is in AD is fine, that tells me if a user is in AD, but it does not give me back the DN of that user, which my script needs later on.
|
|
Top
|
|
|
|
|
#139448 - 2005-05-09 09:29 PM
Re: Script Problem
|
Arkane
Getting the hang of it
Registered: 2004-08-14
Posts: 50
Loc: Bath, UK
|
I just tried it with a page size of 1600, it seemed to have returned all records except for the last 14 which is an improvement - yet I can't understand why it missed the last 14 as I only have 1481 records and the page size was 1600. Is it better to set page size to be 1000 or less based on the amount of data I am trying to check?
|
|
Top
|
|
|
|
|
#139449 - 2005-05-09 10:18 PM
Re: Script Problem
|
Arkane
Getting the hang of it
Registered: 2004-08-14
Posts: 50
Loc: Bath, UK
|
Okay, I've tried various values for 'page size' and nothing seems to help. If anyone has any really good ideas about what is going on here I'd really appreciate it, I'm totally stuck.
|
|
Top
|
|
|
|
|
#139450 - 2005-05-09 10:53 PM
Re: Script Problem
|
Chris S.
MM club member
Registered: 2002-03-18
Posts: 2368
Loc: Earth
|
Use fnADQuery() to search for your results.
Here is an example...
Code:
$aWhat = "Name", "AdsPath", "distinguishedName"
$sFrom = "LDAP://"+GetObject("LDAP://rootDSE").Get("defaultNamingContext")
$sWhere = "objectClass = 'User'"
$ticks = @TICKS
$aResults = fnADQuery($aWhat,$sFrom,$sWhere,,2)
@ERROR " | " @SERROR ?
For Each $Result in $aResults
If VarType($Result)>8192
For Each $R in $Result
$R ?
Next
Else
$Result ?
EndIf
Next
? "The query returned " + (UBound($aResults)+1) + " results in " + ((@TICKS-$ticks)/1000) + " seconds." ?
Edited by Chris S. (2005-05-09 11:00 PM)
|
|
Top
|
|
|
|
#139452 - 2005-05-12 02:57 PM
Re: Script Problem
|
Arkane
Getting the hang of it
Registered: 2004-08-14
Posts: 50
Loc: Bath, UK
|
I'm now using fnADQuery and this works great, but I want to be able to search other AD domains - I've changed the LDAP://RootDSE part into LDAP://server-name/rootDSE as MS's website says you should - yet I can never find any users. The domain in question has a 2-way trust relationship and I'm a domain admin on my current and target domains.
Any ideas as to why I can't search for objects in another forest?
|
|
Top
|
|
|
|
|
#139453 - 2005-05-12 04:49 PM
Re: Script Problem
|
Chris S.
MM club member
Registered: 2002-03-18
Posts: 2368
Loc: Earth
|
In the fnADQuery() function change the line for error checking after $oRS = $oCMD.Execute to...
Code:
$oRS=$oCMD.Execute
If @ERROR Exit @ERROR EndIf
If $oRS.BOF AND $oRS.EOF Exit @ERROR EndIf
...and check the @error and @serror. My guess is that you are not using the correct ADsPath to the foreign domain.
|
|
Top
|
|
|
|
|
#139454 - 2005-05-12 08:13 PM
Re: Script Problem
|
Arkane
Getting the hang of it
Registered: 2004-08-14
Posts: 50
Loc: Bath, UK
|
I've changed the routine to fnLDAPQuery as it seemed to be a better option (and more up to date). I've checked the error checking - $oRS.BOF AND $oRS.EOF both read as nothing (as if no data was returned). @error returns 0 and @serror returns 'The operation completed successfully'. It doesn't seem to complain about anything, it just doesn't return anything at all. It's a two-way trust between the domains, using WMI I can enumerate groups on both sides without trouble but as you know, I had trouble with WMI and the size of the active directory I have to search. Any thoughts?
|
|
Top
|
|
|
|
|
#139455 - 2005-05-12 09:03 PM
Re: Script Problem
|
Arkane
Getting the hang of it
Registered: 2004-08-14
Posts: 50
Loc: Bath, UK
|
Using fnADQuery I can find a user without problem, after looking through the code, I think I'm actually having trouble with the 'sFilter' part of the search. What should I be putting in to return the adspath, name and distinguished name of EVERY user?
Code:
$sWhat = "Name", "AdsPath", "distinguishedName"
$sFrom = "LDAP://"+GetObject("LDAP://rootDSE").Get("defaultNamingContext")
$sFilter = "(objectCategory=user)"
$sScope = "subtree"
I'm sure that my filter is wrong, I have ADSI edit but it's a little confusing to find what I'm looking for, any good links that I can use so I could learn how to use the filters properly and possibly solve my own problem or would someone point out where I'm going wrong with this?
|
|
Top
|
|
|
|
|
#139456 - 2005-05-12 10:00 PM
Re: Script Problem
|
Arkane
Getting the hang of it
Registered: 2004-08-14
Posts: 50
Loc: Bath, UK
|
After tinkering around, I am now back to a point where I can do searches on users in my domain - however the target domain still remains elusive. @error reports '0' and @serror reports 'the command completed successfully' as before. I am using the following line to attempt access to my remote server :
Code:
$sFrom = "LDAP://"+GetObject("LDAP://$useDC/rootDSE").Get("defaultNamingContext")
The $useDC variable is set based on your computername, it corresponds to 3 possible server DNs. The format of these DNs are : DC=someserver,DC=net etc.
With $useDC equalling the server I am CURRENTLY sat at, it has no trouble finding my users, if it equals another DC, it has trouble. Are there any special things I need to do about accessing a remote AD forest?
|
|
Top
|
|
|
|
|
#139457 - 2005-05-12 10:52 PM
Re: Script Problem
|
Chris S.
MM club member
Registered: 2002-03-18
Posts: 2368
Loc: Earth
|
I'm looking, but not finding any answers. 
|
|
Top
|
|
|
|
|
#139458 - 2005-05-12 11:26 PM
Re: Script Problem
|
Arkane
Getting the hang of it
Registered: 2004-08-14
Posts: 50
Loc: Bath, UK
|
It seems using VBScript and GetObject does allow it, however that's a very simply enumerate_groups VB script, all it does is enum members of the domain admins group.
Code:
On Error Resume Next
Set objGroup = GetObject _
("LDAP://cn=domain admins,cn=users,dc=forest1,dc=net")
objGroup.GetInfo
Set objGroup2 = GetObject _
("LDAP://cn=domain admins,cn=users,dc=forest2,dc=net")
objGroup2.GetInfo
arrMemberOf = objGroup.GetEx("member")
arrMemberOf2 = objGroup2.GetEx("member")
WScript.Echo "Members:"
For Each strMember in arrMemberOf
WScript.echo strMember
Next
For Each strMember in arrMemberOf2
WScript.echo strMember
Next
As I said above, this works - however it sorta seems to suggest that you need the exact DN of a target and as that's what I'm trying to get, it's sort of like chicken and egg.
|
|
Top
|
|
|
|
|
#139459 - 2005-05-13 04:47 PM
Re: Script Problem
|
Chris S.
MM club member
Registered: 2002-03-18
Posts: 2368
Loc: Earth
|
Oddly enough, this worked for me using the latest fnLDAPQuery()...
Code:
; This syntax does not work..
$sFrom = "LDAP://DC=remote,DC=domain,DC=com"
; This syntax does...
$sFrom = "LDAP://remote.domain.com"
|
|
Top
|
|
|
|
|
#139460 - 2005-05-13 08:23 PM
Re: Script Problem
|
Arkane
Getting the hang of it
Registered: 2004-08-14
Posts: 50
Loc: Bath, UK
|
I rewrote the entire script and used VB Script for the core AD finding stuff - this seems to work just fine, has one or two little 'glitches' but nothing I can't fix up as soon as I get enough time. It's fast and is very simple to use, so it meets managements' criteria - phew. I'd like to thank you all for your help with this, particularly Chris S for his continued assistance. 
|
|
Top
|
|
|
|
Moderator: Glenn Barnas, NTDOC, Arend_, Jochen, Radimus, Allen, ShaneEP, Ruud van Velsen, Mart
|
1 registered
(Allen)
and 675 anonymous users online.
|
|
|
