Hey, Scripting Guy!<\/I> (and who isn\u2019t?) then you know that 9 times out of 10 our answer to a question is, \u201cSearch Active Directory.\u201d That\u2019s going to be our answer today as well, although we must confess that we\u2019re not 100% satisfied with that answer (you\u2019ll see why in a moment). At first glance, you might think this would be an easy search to carry out in Active Directory; after all, you\u2019d have to do nothing more than include a WHERE clause that tells the script to skip any computers found in the Test Lab OU. In other words:<\/P>objCommand.CommandText = _\n “SELECT Name FROM ‘LDAP:\/\/dc=fabrikam,dc=com’ WHERE OU <> ‘TestLab OU’ AND ” _\n & “objectCategory=’computer'”\n<\/PRE>\nThis is a great solution, except for one problem: Active Directory computer accounts don\u2019t have a property named OU; that means you can\u2019t use the OU in a WHERE clause. So much for Plan A.<\/P>\n
Of course, you might then think, \u201cHey, what about the Distinguished Name (DN)?\u201d After all, the DN for a computer (e.g., CN=atl-ws-01,OU=Test Lab OU,DC=fabrikam,DC=com<\/B>) contains the name of the OU where the computer account resides. Couldn\u2019t we just do a wildcard search on the Distinguished Name, something similar to this:<\/P>objCommand.CommandText = _\n “SELECT Name FROM ‘LDAP:\/\/dc=fabrikam,dc=com’ WHERE distinguishedName <> ” _\n ” ‘*OU=Finance’ AND objectCategory=’computer'”\n<\/PRE>\nAlas, this won\u2019t work, either. As it turns out, the DN is a \u201cconstructed\u201d attribute. The DN isn\u2019t actually stored in Active Directory, it\u2019s constructed on-the-fly any time you request it. Thus you can\u2019t do a wildcard search on the distinguishedName attribute. And don\u2019t bother asking about the ADsPath attribute, which also contains the OU name; you can\u2019t do a wildcard search on the ADsPath, either.<\/P>\n
In fact, as far as we know, the only way to do this is to conduct a search that returns a list of all<\/I> your computers. When you get that list back, you\u2019re probably going to do something with it (for now, we\u2019ll assume you just want to echo the computer names to the screen). Before anything is done to a computer in the list, however, our script will check the DN to see if the target string (for example, OU=Test Lab OU<\/B>) can be found. If it is, the script will simple skip that computer and go on to the machine in the list. If the target string isn\u2019t found, then the script will echo the computer name.<\/P>\n
Maybe this will make more sense if you see the actual script:<\/P>
On Error Resume Next<\/p>\nConst ADS_SCOPE_SUBTREE = 2<\/p>\n
Set objConnection = CreateObject(“ADODB.Connection”)\nSet objCommand = CreateObject(“ADODB.Command”)\nobjConnection.Provider = “ADsDSOObject”\nobjConnection.Open “Active Directory Provider”\nSet objCommand.ActiveConnection = objConnection<\/p>\n
objCommand.Properties(“Page Size”) = 1000\nobjCommand.Properties(“Searchscope”) = ADS_SCOPE_SUBTREE <\/p>\n
objCommand.CommandText = _\n “SELECT Name, distinguishedName FROM ‘LDAP:\/\/dc=fabrikam,dc=com’ ” _\n & “WHERE objectCategory=’computer'” \nSet objRecordSet = objCommand.Execute<\/p>\n
objRecordSet.MoveFirst\nDo Until objRecordSet.EOF\n intTestOU = InStr(objRecordSet.Fields(“distinguishedName”).Value, “OU=Test Lab OU”)\n If intTestOU = 0 Then\n Wscript.Echo objRecordSet.Fields(“Name”).Value\n End If\n objRecordSet.MoveNext\nLoop\n<\/PRE>\n
The lines of code we care about are these:<\/P>
intTestOU = InStr(objRecordSet.Fields(“distinguishedName”).Value, “OU=Test Lab OU”)\nIf intTestOU = 0 Then\n Wscript.Echo objRecordSet.Fields(“Name”).Value\nEnd If\n<\/PRE>\nWhat we\u2019re doing here is using the InStr function to see if the string OU=TestLab OU<\/B> can be found anywhere within the computer\u2019s Distinguished Name. If the string is found, then intTestOU gets set to the character position where the string begins. For example, in the DN CN=atl-ws-01,OU=Test Lab OU,DC=fabrikam,DC=com<\/B>, intTestOu would be set to 14, because our target phrase begins at the 14th<\/SUP> letter in the string.<\/P>\nBut what if intTestOU equals zero? That can only mean one thing: the target phrase wasn\u2019t found. In turn, that must mean this particular computer is not<\/I> in the Test Lab OU, so we go ahead and echo the computer name. Thus we end up echoing the names of all the computers except<\/I> those in the Test Lab OU. <\/P>\n
Like we said, this approach does the job, although it lacks a certain elegance. But, hey, style isn\u2019t everything, right? <\/P>\n
Alternatively, you might consider storing OU names in an unused computer account attribute; for example, you could record the OU name in the description attribute. That way, you could<\/I> search on that attribute, using a query similar to this:<\/P>objCommand.CommandText = _\n “SELECT Name FROM ‘LDAP:\/\/dc=fabrikam,dc=com’ WHERE objectCategory=’computer’ ” & _\n “AND description<>’Test Lab OU'”\n<\/PRE>\nThis works great; you\u2019ll just have to remember to change the value of the description attribute should you ever move the computer to a new OU<\/P><\/p>\n","protected":false},"excerpt":{"rendered":"
Hey, Scripting Guy! I need to get back a list of all the computers in my domain, except for the computers which are in our Test Lab OU. How do I do that?— AM Hey, AM. This seems to be one of the hot new trends in the IT world: in the past two weeks […]<\/p>\n","protected":false},"author":595,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[7,3,8,5],"class_list":["post-70863","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-active-directory","tag-scripting-guy","tag-searching-active-directory","tag-vbscript"],"acf":[],"blog_post_summary":"
Hey, Scripting Guy! I need to get back a list of all the computers in my domain, except for the computers which are in our Test Lab OU. How do I do that?— AM Hey, AM. This seems to be one of the hot new trends in the IT world: in the past two weeks […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/70863","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/595"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=70863"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/70863\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=70863"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=70863"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=70863"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
![\"Hey,](\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/q-for-powertip.jpg\" "\\"Hey,")
\n![\"Spacer\"](\"https:\/\/devblogs.microsoft.com\/scripting\/wp-content\/uploads\/sites\/29\/2019\/05\/spacer.gif\")
![\"Hey,](\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/a-for-powertip.jpg\" "\\"Hey,")
![\"Script](\"http:\/\/img.microsoft.com\/library\/media\/1033\/technet\/images\/scriptcenter\/ad.jpg\" "\\"Script")
<\/A> \n