Active Directory Search for attribute [message #337526] Mon, 07 December 2009 12:31
Elvis
Hi,

Does anyone have a custom Query for Active Directory that is able to find a
"null" value for any attributes within AD. We are looking to use an existing
Active Directory Attribute field but need to be certain that it is not being
used. Is there a way to search AD to verify which attributes are not being
used by anyone?

Thanks

Elvis
Re: Active Directory Search for attribute [message #337591 is a reply to message #337526] Mon, 07 December 2009 13:56
rlmueller-nospam (United States)
"Elvis" <Elvis@discussions.microsoft.com> wrote in message
news:B26AAA71-046A-4EC4-A11E-E88F22898ADC@microsoft.com...
> Hi,
>
> Does anyone have a custom Query for Active Directory that is able to find a
> "null" value for any attributes within AD. We are looking to use an existing
> Active Directory Attribute field but need to be certain that it is not being
> used. Is there a way to search AD to verify which attributes are not being
> used by anyone?
>
> Thanks
>
> Elvis

I use ADO in VBScript programs to query AD. See this link for details:

http://www.rlmueller.net/ADOSearchTips.htm

Using the syntax and variables from the link, you can filter on objects
where a specified attribute has or has not been assigned a value. For
example, the filter for all users where the employeeID attribute has a value
would be:

strFilter = "(&(objectCategory=person)(objectClass=user)(employeeID=*))"

A VBScript program to find all users with a value assigned to employeeID
could be similar to below:
===========
Option Explicit
Dim adoCommand, adoConnection, strBase, strFilter, strAttributes
Dim objRootDSE, strDNSDomain, strQuery, adoRecordset, strDN, strName

' Setup ADO objects.
Set adoCommand = CreateObject("ADODB.Command")
Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Open "Active Directory Provider"
adoCommand.ActiveConnection = adoConnection

' Search entire Active Directory domain.
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")
strBase = "<LDAP://" & strDNSDomain & ">"

' Filter on all users with value assigned to employeeID attribute.
strFilter = "(&(objectCategory=person)(objectClass=user)(employeeID=*))"

' Comma delimited list of attribute values to retrieve.
strAttributes = "distinguishedName,sAMAccountName"

' Construct the LDAP syntax query.
strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
adoCommand.CommandText = strQuery
adoCommand.Properties("Page Size") = 100
adoCommand.Properties("Timeout") = 30
adoCommand.Properties("Cache Results") = False

' Run the query.
Set adoRecordset = adoCommand.Execute

' Enumerate the resulting recordset.
Do Until adoRecordset.EOF
    ' Retrieve values.
    strDN = adoRecordset.Fields("distinguishedName").Value
    strName = adoRecordset.Fields("sAMAccountName").Value
    Wscript.Echo strDN & " (" & strName & ")"
    ' Move to the next record in the recordset.
    adoRecordset.MoveNext
Loop

' Clean up.
adoRecordset.Close
adoConnection.Close
===========
You can also use the same filter with adfind. For example:

adfind -default -f "(&(objectCategory=person)(objectClass=user)(employeeID=*))" sAMAccountName

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--
Re: Active Directory Search for attribute [message #338040 is a reply to message #337526] Tue, 08 December 2009 00:08
florian (Switzerland)
Howdie!

Elvis wrote:
> Does anyone have a custom Query for Active Directory that is able to find a
> "null" value for any attributes within AD. We are looking to use an existing
> Active Directory Attribute field but need to be certain that it is not being
> used. Is there a way to search AD to verify which attributes are not being
> used by anyone?

You probably want to return all objects that have a value set to an
attribute. If the query does not return any objects, chances are the
attribute isn't used.

The advice you got from Richard is great - checking with the star (*)
operator gives you all objects that have a certain value set for the
attribute:

(someAttribute=*)

If you're going to search an empty attribute for users only ('cause you
don't care about computers or the data you want to put into that empty
attribute isn't applicable to computers), you might want to filter down
further:

(&(objectClass=user)(objectCategory=person)(someAttribute=*))

Besides finding a good candidate for custom provisioning of data, you
might want to think about making sure how data is
(a) entered there, as ADUaC isn't as flexible - and WHO manages the data
(b) secured against manual tampering in case it has to be read-only to a
couple of candidates (note that objects themselves have permission to
change most of their own attributes)
(c) something you want to be replicated to Global Catalogs
(d) good to be replicated to RODCs.

Cheers,
Florian
--
Microsoft MVP - Group Policy
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
ANY advice you get on the Newsgroups should be tested thoroughly in your
lab.
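
As an added example (not written by any poster in this thread), the presence-filter check from both replies can be run over several candidate attributes at once, with the schema settings behind Florian's points (c) and (d) read alongside. It assumes the RSAT ActiveDirectory PowerShell module and read access to the schema partition; the candidate names are placeholders.

```powershell
# Added example: report whether candidate attributes are in use, and how the
# schema treats them (GC replication, confidential bit, RODC filtered set).
Import-Module ActiveDirectory

# Placeholder candidates: replace with the lDAPDisplayName values under review.
$candidates = 'employeeID', 'employeeNumber'

$schemaNC = (Get-ADRootDSE).schemaNamingContext

foreach ($attr in $candidates) {
    # Only accept plain attribute names, so nothing unexpected ends up in the filter.
    if ($attr -notmatch '^[A-Za-z][A-Za-z0-9-]*$') {
        Write-Warning "Skipping '$attr': not a valid lDAPDisplayName"
        continue
    }

    # Look up the attribute definition in the schema partition.
    $schema = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$attr))" `
        -Properties searchFlags, isMemberOfPartialAttributeSet
    if (-not $schema) {
        Write-Warning "Skipping '$attr': not defined in the schema"
        continue
    }

    # Presence filter over every object class, then narrowed to user accounts.
    $anyObject = @(Get-ADObject -LDAPFilter "($attr=*)" -ResultPageSize 500)
    $usersOnly = @(Get-ADObject -ResultPageSize 500 `
        -LDAPFilter "(&(objectCategory=person)(objectClass=user)($attr=*))")

    [pscustomobject]@{
        Attribute        = $attr
        ObjectsWithValue = $anyObject.Count
        UsersWithValue   = $usersOnly.Count
        SampleDNs        = ($anyObject | Select-Object -First 3).DistinguishedName -join '; '
        ReplicatedToGC   = [bool]$schema.isMemberOfPartialAttributeSet
        # searchFlags 0x80 = confidential, 0x200 = RODC filtered attribute set.
        Confidential     = [bool]($schema.searchFlags -band 0x80)
        RodcFiltered     = [bool]($schema.searchFlags -band 0x200)
    }
}
```

A count of zero only shows that the querying account sees no values: for an attribute reported as Confidential, repeat the check with an account that has been granted read access to it.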