Active Directory Search for attribute

Hi,

Does anyone have a custom Quesry for Active Directory that is able to find a
"null" value for any attributes within AD. We are looking to use an existing
Active Directory Attribute field but need to be certain that it is not being
used. Is there a way to seach AD to verify which attributes are not being
used by anyone?

Thanks

Elvis

"Elvis" <> wrote in message
news:B26AAA71-046A-4EC4-A11E-...
> Hi,
>
> Does anyone have a custom Quesry for Active Directory that is able to find
> a
> "null" value for any attributes within AD. We are looking to use an
> existing
> Active Directory Attribute field but need to be certain that it is not
> being
> used. Is there a way to seach AD to verify which attributes are not being
> used by anyone?
>
> Thanks
>
> Elvis

I use ADO in VBScript programs to query AD. See this link for details:

http://www.rlmueller.net/ADOSearchTips.htm

Using the syntax and variables from the link, you can filter on objects
where a specified attribute has or has not been assigned a value. For
example, the filter for all users where the employeeID attribute has a value
would be:

strFilter = "(&(objectCategory=person)(objectClass=user(employ eeID=*))"

A VBScript program to find all users with a value assigned to employeeID
could be similar to below:
===========
Option Explicit
Dim adoCommand, adoConnection, strBase, strFilter, strAttributes
Dim objRootDSE, strDNSDomain, strQuery, adoRecordset, strDN, strName

' Setup ADO objects.
Set adoCommand = CreateObject("ADODB.Command")
Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Open "Active Directory Provider"
adoCommand.ActiveConnection = adoConnection

' Search entire Active Directory domain.
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")
strBase = "<LDAP://" & strDNSDomain & ">"

' Filter on all users with value assigned to employeeID attribute.
strFilter = "(&(objectCategory=person)(objectClass=user)(emplo yeeID=*))"

' Comma delimited list of attribute values to retrieve.
strAttributes = "distinguishedName,sAMAccountName"

' Construct the LDAP syntax query.
strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
adoCommand.CommandText = strQuery
adoCommand.Properties("Page Size") = 100
adoCommand.Properties("Timeout") = 30
adoCommand.Properties("Cache Results") = False

' Run the query.
Set adoRecordset = adoCommand.Execute

' Enumerate the resulting recordset.
Do Until adoRecordset.EOF
' Retrieve values.
strDN = adoRecordset.Fields("distinguishedName").Value
strName = adoRecordset.Fields("sAMAccountName").Value
Wscript.Echo strDN & " (" & strName & ")"
' Move to the next record in the recordset.
adoRecordset.MoveNext
Loop

' Clean up.
adoRecordset.Close
adoConnection.Close
===========
You can also use the same filter with adfind. For example:

adfind -default -f
"(&(objectCategory=person)(objectClass=user)(emplo yeeID=*))" sAMAccountName

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--

Howdie!

Elvis schrieb:
> Does anyone have a custom Quesry for Active Directory that is able to find a
> "null" value for any attributes within AD. We are looking to use an existing
> Active Directory Attribute field but need to be certain that it is not being
> used. Is there a way to seach AD to verify which attributes are not being
> used by anyone?

You probably want to return all objects that have a value set to an
attribute. If the query does not return any objects, chances are the
attribute isn't used.

The advice you got from Richard is great - checking with the start (*)
operator gives you all objects that have a certain value set for the
attribute:

(someAttribute=*)

If you're going to search an empty attribute for users only (cause you
don't care about computers or the data you want to put into that empty
attribute isn't applicable to computers, you might want to filter down
further:

(&(objectClass=user)(objectCategory=person)(someAt tribute=*))

Besides finding a good candidate for custom provisioning of data, you
might want to think about making sure how data is
(a) entered there, as ADUaC isn't as flexible - and WHO manages the data
(b) secured against manual tempering in case it has to be read-only to a
couple of candidates (note that objects themselves have permission to
change most of their own attributes)
(c) something you to be replicated to Global Catalogs
(d) good to be replicated to RODCs.

Cheers,
Florian
--
Microsoft MVP - Group Policy
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
ANY advice you get on the Newsgroups should be tested thoroughly in your
lab.