"rushtosri" <> wrote in message
news:ac856bf4-0fcd-4932-9420-...
> Hi Guys,
>
> I'm working on a script to enumerate OUs for disabled computer
> objects. Any idea what the query should look like? The following script
> can look up disabled user accounts. Any thoughts on how to modify
> this script to look up disabled computer accounts?
>
> Set objCommand = CreateObject("ADODB.Command")
> objCommand.ActiveConnection = objConnection
> objCommand.CommandText = _
> "<GC://dc=fabrikam,dc=com>;(objectCategory=User)" & _
> ";userAccountControl,distinguishedName;subtree "
> Set objRecordSet = objCommand.Execute
>
> intCounter = 0
> Do Until objRecordset.EOF
> intUAC=objRecordset.Fields("userAccountControl")
> If intUAC AND ADS_UF_ACCOUNTDISABLE Then
> WScript.echo objRecordset.Fields("distinguishedName") & " is disabled"
> intCounter = intCounter + 1
> End If
> objRecordset.MoveNext
> Loop
>
> Thanks in advance.
Besides oldcomp and dsquery, you can revise your VBScript solution. The
filter for computer objects is (objectCategory=computer). Rather than
returning all computer objects and testing the ADS_UF_ACCOUNTDISABLE bit of
userAccountControl, you can query for just the computer objects where that
bit is set. See below:
===========
Option Explicit
Dim adoCommand, adoConnection, strBase, strFilter, strAttributes
Dim objRootDSE, strDNSDomain, strQuery, adoRecordset, strDN
Dim intCounter
' Setup ADO objects.
Set adoCommand = CreateObject("ADODB.Command")
Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Open "Active Directory Provider"
adoCommand.ActiveConnection = adoConnection
' Search entire Active Directory domain.
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")
strBase = "<LDAP://" & strDNSDomain & ">"
' Filter on disabled computer objects.
strFilter = "(&(objectCategory=computer)" _
    & "(userAccountControl:1.2.840.113556.1.4.803:=2))"
' Comma delimited list of attribute values to retrieve.
strAttributes = "distinguishedName"
' Construct the LDAP syntax query.
strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
adoCommand.CommandText = strQuery
adoCommand.Properties("Page Size") = 100
adoCommand.Properties("Timeout") = 30
adoCommand.Properties("Cache Results") = False
' Run the query.
Set adoRecordset = adoCommand.Execute
' Enumerate the resulting recordset.
intCounter = 0
Do Until adoRecordset.EOF
    ' Retrieve values and display.
    strDN = adoRecordset.Fields("distinguishedName").Value
    Wscript.Echo strDN & " is disabled"
    ' Count with the declared variable (Option Explicit is in effect).
    intCounter = intCounter + 1
    ' Move to the next record in the recordset.
    adoRecordset.MoveNext
Loop
' Clean up.
adoRecordset.Close
adoConnection.Close
Wscript.Echo CStr(intCounter) & " computers are disabled."
--
Richard Mueller
MVP Directory Services
Hilltop Lab -
http://www.rlmueller.net
--
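
The same bitwise-AND filter from the reply above, run from PowerShell and grouped by parent OU/container, which is what the original question asked for. This is an added example, not part of the original posts; it assumes a domain-joined Windows host, and the variable names and the Parent column are illustrative.

```powershell
# Added example: same LDAP filter as the VBScript in the reply, grouped by parent container.
# 1.2.840.113556.1.4.803 is the bitwise-AND matching rule; 2 is ADS_UF_ACCOUNTDISABLE.
$filter = '(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=2))'

$searcher = [adsisearcher]$filter        # search root defaults to the current domain
$searcher.SearchScope = 'Subtree'
$searcher.PageSize = 100                 # paged search, so large result sets are not cut off
[void]$searcher.PropertiesToLoad.Add('distinguishedName')

$results = $searcher.FindAll()
try {
    $disabled = foreach ($r in $results) {
        $dn = [string]$r.Properties['distinguishedname'][0]
        # Parent container = DN minus its first RDN. The pattern skips
        # backslash-escaped characters, so an escaped comma inside a name
        # is not mistaken for the RDN separator.
        $parent = $dn -replace '^(?:[^,\\]|\\.)+,', ''
        [pscustomobject]@{ Parent = $parent; DistinguishedName = $dn }
    }
}
finally {
    $results.Dispose()                   # SearchResultCollection holds unmanaged resources
}

# One row per OU/container, with the number of disabled computer accounts in it.
$disabled | Group-Object Parent | Sort-Object Count -Descending |
    Select-Object Count, Name

'{0} computers are disabled.' -f @($disabled).Count
```

Containers with many disabled computer accounts are the usual starting point for stale-object cleanup; pipe $disabled to Export-Csv to keep a record before deleting anything.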