populate group from LDAP query

Discussion in 'Scripting' started by andrew, Apr 22, 2005.

  1. andrew

    andrew Guest

    I have an LDAP query that finds all WinXP computers which don't have SP2
    installed. I want to use this to populate a group and then roll out SP2 with
    Group Policy to members of this group. Ideally I would like to keep the
    group membership up to date as well. What would be the best way to do this?

    The LDAP query is:-
    (&(objectCategory=computer)(operatingSystem=Windows XP Professional)(!operatingSystemServicePack=Service Pack 2))

    Thanks in advance for your help.
     
    andrew, Apr 22, 2005
    #1

  2. andrew

    andrew Guest

    Sorted! If anyone is interested, here is the code:-

    'Add computers to an Active Directory group based on an LDAP query,
    'selecting only non-WinXP-SP2 computers.

    Option Explicit

    'Declare string variables:
    Dim strGroupName, strLDAPpath, strFilter, strDNSDomain
    Dim strGroupDN, strBase, strAttributeDN, strQuery
    Dim strDN

    'Declare object variables:
    Dim objRootDSE, objGroup, objCommand, objConnection
    Dim objComputer, objRecordSet

    '******************************************************************
    'SPECIFY NAME OF GROUP HERE:
    strGroupName = "MyGroupName"
    '******************************************************************

    '******************************************************************
    'Specify OU path here (working from child OU to parent OU):
    strLDAPpath = "OU=ChildOU,OU=ParentOU,"
    '******************************************************************

    '******************************************************************
    'LDAP query to retrieve only relevant computer objects - computers
    'without WinXP SP2 (these are added to the group):
    strFilter = "(&(objectCategory=computer)(operatingSystem=Windows XP Professional)(!operatingSystemServicePack=Service Pack 2))"
    '******************************************************************

    'Specify DNS domain:
    Set objRootDSE = GetObject("LDAP://RootDSE")
    strDNSDomain = objRootDSE.Get("defaultNamingContext")

    'Alternate hard-coded version for DNS domain:
    'strDNSDomain = "DC=mydomain,DC=com"

    'Group DN:
    strGroupDN = "CN=" & strGroupName & "," & strLDAPpath & strDNSDomain

    'Bind to the group:
    Set objGroup = GetObject("LDAP://" & strGroupDN)

    'Use ADO to search Active Directory.
    Set objCommand = CreateObject("ADODB.Command")
    Set objConnection = CreateObject("ADODB.Connection")
    objConnection.Provider = "ADsDSOObject"
    objConnection.Open "Active Directory Provider"
    objCommand.ActiveConnection = objConnection

    'Search the entire domain:
    strBase = "<LDAP://" & strDNSDomain & ">"

    'Retrieve the distinguishedName attribute:
    strAttributeDN = "distinguishedName"

    'Construct the LDAP query.
    strQuery = strBase & ";" & strFilter & ";" & strAttributeDN & ";subtree"

    objCommand.CommandText = strQuery
    objCommand.Properties("Page Size") = 100
    objCommand.Properties("Timeout") = 30
    objCommand.Properties("Cache Results") = False
    Set objRecordSet = objCommand.Execute

    'Enumerate the recordset.
    Do Until objRecordSet.EOF
        'For each computer, retrieve the DN:
        strDN = objRecordSet.Fields("distinguishedName").Value

        'Bind to the computer object.
        Set objComputer = GetObject("LDAP://" & strDN)

        'If the computer is not already a member of the group, add it.
        If Not objGroup.IsMember(objComputer.AdsPath) Then
            objGroup.Add objComputer.AdsPath
        End If

        'Go to the next record in the recordset.
        objRecordSet.MoveNext
    Loop

    objRecordSet.Close
    objConnection.Close

    Set objCommand = Nothing
    Set objRecordSet = Nothing
    Set objConnection = Nothing
    Set objComputer = Nothing

    '******************************************************************
    'LDAP query to retrieve only relevant computer objects - computers
    'with WinXP SP2 (these are removed from the group):
    strFilter = "(&(objectCategory=computer)(operatingSystem=Windows XP Professional)(operatingSystemServicePack=Service Pack 2))"
    '******************************************************************

    'Bind to the group:
    Set objGroup = GetObject("LDAP://" & strGroupDN)

    'Use ADO to search Active Directory.
    Set objCommand = CreateObject("ADODB.Command")
    Set objConnection = CreateObject("ADODB.Connection")
    objConnection.Provider = "ADsDSOObject"
    objConnection.Open "Active Directory Provider"
    objCommand.ActiveConnection = objConnection

    'Search the entire domain:
    strBase = "<LDAP://" & strDNSDomain & ">"

    'Retrieve the distinguishedName attribute:
    strAttributeDN = "distinguishedName"

    'Construct the LDAP query:
    strQuery = strBase & ";" & strFilter & ";" & strAttributeDN & ";subtree"

    objCommand.CommandText = strQuery
    objCommand.Properties("Page Size") = 100
    objCommand.Properties("Timeout") = 30
    objCommand.Properties("Cache Results") = False
    Set objRecordSet = objCommand.Execute

    'Enumerate the recordset.
    Do Until objRecordSet.EOF
        'For each computer, retrieve the DN:
        strDN = objRecordSet.Fields("distinguishedName").Value

        'Bind to the computer object.
        Set objComputer = GetObject("LDAP://" & strDN)

        'If the computer is still a member of the group, remove it.
        If objGroup.IsMember(objComputer.AdsPath) Then
            objGroup.Remove objComputer.AdsPath
        End If

        'Go to the next record in the recordset.
        objRecordSet.MoveNext
    Loop

    objRecordSet.Close
    objConnection.Close

    Set objCommand = Nothing
    Set objRecordSet = Nothing
    Set objConnection = Nothing
    Set objComputer = Nothing
     
    andrew, Apr 25, 2005
    #2
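    The same add-then-remove reconciliation, as an added example that is not the thread's own script: one idempotent pass with the RSAT ActiveDirectory module that adds every object matching an LDAP filter and removes members that no longer match. It assumes the module is installed and the caller may modify the group; the group name and filter are placeholders, and because Get-ADObject is not limited to computers the same function serves a user-based filter.

```powershell
function Sync-ADGroupFromLdapFilter {
    # Added example, not the thread's script. Assumes the ActiveDirectory module
    # and rights to modify the group; -WhatIf shows the changes without applying them.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $GroupName,
        [Parameter(Mandatory)] [string] $LdapFilter,
        [string] $SearchBase,          # optional OU DN; defaults to the whole domain
        [switch] $AllowEmptyResult     # refuse to empty the group unless explicitly allowed
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    $searchArgs = @{ LDAPFilter = $LdapFilter; ResultSetSize = $null }
    if ($SearchBase) { $searchArgs.SearchBase = $SearchBase }
    $desired = @(Get-ADObject @searchArgs | Select-Object -ExpandProperty DistinguishedName)

    # A mistyped filter matches nothing and would otherwise strip the group bare,
    # which silently removes the Group Policy from every machine that still needs it.
    if ($desired.Count -eq 0 -and -not $AllowEmptyResult) {
        throw "Filter matched no objects; refusing to empty '$GroupName'."
    }

    # Ignore nested groups so deliberate nesting by an admin is not undone.
    $current = @(Get-ADGroupMember -Identity $GroupName |
        Where-Object { $_.objectClass -ne 'group' } |
        Select-Object -ExpandProperty DistinguishedName)

    $toAdd    = @($desired | Where-Object { $current -notcontains $_ })
    $toRemove = @($current | Where-Object { $desired -notcontains $_ })

    if ($toAdd.Count -gt 0 -and $PSCmdlet.ShouldProcess($GroupName, "add $($toAdd.Count) member(s)")) {
        Add-ADGroupMember -Identity $GroupName -Members $toAdd
    }
    if ($toRemove.Count -gt 0 -and $PSCmdlet.ShouldProcess($GroupName, "remove $($toRemove.Count) member(s)")) {
        Remove-ADGroupMember -Identity $GroupName -Members $toRemove -Confirm:$false
    }
    [pscustomobject]@{ Added = $toAdd; Removed = $toRemove }
}

# Dry run first (-WhatIf), then rerun without it; the filter is the one from the thread.
Sync-ADGroupFromLdapFilter -GroupName 'MyGroupName' -WhatIf `
    -LdapFilter '(&(objectCategory=computer)(operatingSystem=Windows XP Professional)(!operatingSystemServicePack=Service Pack 2))'
```

    Run it from a scheduled task to keep the membership current; the returned Added and Removed lists can be logged for audit.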

  3. justpaul

    justpaul Guest

    Thanks, andrew, for the great post. How would I modify your script to
    query/populate based on users instead of computers? I have the ldap query I
    want (member of this group, not this one, etc) but cannot figure out what the
    equiv of distinguishedName attribute is for the user object.


    Thanks!
    -justpaul
     
    justpaul, Jun 2, 2005
    #3
  4. andrew

    andrew Guest

    andrew, Jun 2, 2005
    #4
