How would I use winbatch to search LDAP with a scope of OneLevel(versus Subtree)

Started by galaara98, December 18, 2014, 09:13:29 AM

Previous topic - Next topic


I have a certain use case where i need to search an LDAP service, but need to use a Search Scope of onelevel
I know how to do it in PowerShell, and most LDAP GUIs, but the Winbatch AD extender seems to default to subtree, without a way to control that
(admittedly, in 15 years of LDAP/AD administration.. i probably have needed to NOT use subtree only a handful of times.. so i can see why)



You can use an ADO search.  Here is an untested code snippet I found on my workstation
Code (winbatch) Select

; Use ADO to QUERY Active Directory
objConnection = CreateObject("ADODB.Connection")
objCommand =   CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open("Active Directory Provider")
objCommand.ActiveConnection = objConnection
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE

; Domuserpath is the full ADSI path to searches start point in the directory.
objCommand.CommandText = "SELECT Name FROM '": domusrpath :"' WHERE objectCategory='group'"
objRecordSet = objCommand.Execute()
grouplist = ""
If objRecordSet.RecordCount
   While !objRecordSet.EOF
       groupname = objRecordSet.Fields("Name").Value
       grouplist = grouplist : @TAB: groupname
   AskItemlist(userid: ' Group list', StrTrim( grouplist ), @TAB, @UNSORTED, @SINGLE )
   Pause(userid: ' Group list', 'No records found')

There are more examples in the Tech Database. You can mix and match COM based and extender based access to Active directory so that is not a worry.

IIRC, we have never has a request to add one level search capabilities to dsFindPath before.  Will have to add it the feature request list. 
"No one who sees a peregrine falcon fly can ever forget the beauty and thrill of that flight."
  - Dr. Tom Cade



So, i did this solution with ADO, but decided i didn't like that technology. 
I started to write this in Winbatch + .NET, but decided maybe that was over doing what you had already written

I stumbled upon this Winbatch tech support article
which appears to be a Extra info, more explanation, and some of the "why" behind the official Winbatch ADSI Extender.

In this article there is a paragraph (Emphasis Added by ME):


When the ADSI extender was written we really didn't have a feel for how people would use it. We opted to make it easy to use with as few steps as possible. We felt that it was the only way to give it some advantage over VBS or VB and COM. One way we did this was to remove the need save cached object changes to the Directory Service. The extender does this in the background every time you make a change to a property. While this makes ADSI a little less error prone and easier to use, it also adds a lot of network traffic. (With straight COM objects you have to tell ADSI to update the DS with your cached changes or they are lost.)

The problem is that the extender is prone to timing issues because of all the extra network traffic it generates. We may be making changes to the extender to work around this problem.
But right now I recommend using COM whenever possible.

Sample code to get and set a user full name:

newname = "Fred Flintstone"
objUser = ObjectGet("WinNT://yourdomain/UserID")
origname  = objUser.FullName
ret = AskYesNo('Change Users Full Name', StrCat('Are you sure you want to change the users full name from ',origname,' to ',newname,'?'))
If ret == @YES
   objUser.FullName = "Users Name"
objUser = ""
Message('Changed Users Full Name', StrCat('Changed ',origname,' to ',newname))

Microsoft offers a tool called ADSI Scriptomatic. It is designed to help you write ADSI COM scripts; that is, scripts that can be used to manage Active Directory. The ADSI Scriptomatic also teaches you an important point about ADSI scripting: like WMI, there are consistent patterns to ADSI scripts.

So is it still true that if time/skills/cost aside, using Winbatch + COM to call ADSI is preferred over Winbatch + Extender, unless simple is one of the primary goals of the code?



The article probably overstates the case a bit and the ADSI extender has evolved some since that article was written.  If you like using the extender and it is providing you with the functionality you need then by all means use it.  It is still supported and we do add new features on occasion.

As previously mentioned you can mix the technologies, including dotNet, to fill in a gap in the functionality in one technology with another technology.
"No one who sees a peregrine falcon fly can ever forget the beauty and thrill of that flight."
  - Dr. Tom Cade