Friday, February 6, 2009


I have searched high and I have searched low, but even though all M$ documentation claims that VB script can be used to work on any Version 3 Compliant LDAP Directory, I could not find anyone or any documentation on how to do it.

After a time I figured out how to bind to LDAP using the DSObject binding and load the LDAP directory into a collection.

' Bind to the directory root with an explicit user and password.
' Flags = 0 is a simple bind: the password crosses the wire in the clear
' unless the flags include ADS_USE_SSL (2). Replace "server" with the LDAP host.
strProvider = "LDAP:"
Set objDSO = GetObject(strProvider)
Set objDomain = objDSO.OpenDSObject("LDAP://server/dc=domain,dc=com", "cn=ADMIN USERID", "Password", 0)

This will load the LDAP directory in its entirety and allow you to manipulate any user and make modifications or reports.

The downside is that it is very slow to manipulate, and if you need to do a comparison between the LDAP collection and a CSV (for example) you may end up reloading the collection several times, which can run very slowly.

Recently I have discovered another way to work with LDAP in VBScript. You can use an ADO search to query LDAP and return only the attributes you want to work with. This is much faster than using OpenDSObject and allows you to do queries and comparisons and load the individual users if you need to do modifications.

To do an ADO search:

' Use ADO to search Active Directory.
Set adoCommand = CreateObject("ADODB.Command")
Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Properties("User ID") = "cn=ADMINID"
adoConnection.Properties("Password") = "PASSWORD"
' False means a simple LDAP bind: the password is sent in the clear unless the
' connection also sets Properties("ADSI Flag") = 2 (ADS_USE_SSL).
adoConnection.Properties("Encrypt Password") = False
adoConnection.Open "Active Directory Provider"
adoCommand.ActiveConnection = adoConnection

' Search base, in angle brackets; replace "server" with the LDAP host.
strBase = "<LDAP://server/dc=domain,dc=com>"

' Filter on all user objects.
strFilter = "(objectClass=person)"

' Comma delimited list of attribute values to retrieve.
strAttributes = "cn,uid"

' Construct the LDAP syntax query.
strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"

' Run the query.
adoCommand.CommandText = strQuery
adoCommand.Properties("Page Size") = 100
adoCommand.Properties("Timeout") = 60
adoCommand.Properties("Cache Results") = False
Set adoRecordset = adoCommand.Execute

' Enumerate resulting recordset. cn and uid come back as single-value arrays
' from this provider, hence the (0) index.
Do Until adoRecordset.EOF
    strUID = adoRecordset.Fields("uid").Value
    strCN = adoRecordset.Fields("cn").Value
    WScript.Echo strCN(0) & vbTab & strUID(0)
    adoRecordset.MoveNext
Loop

adoRecordset.Close
adoConnection.Close

There are some oddities I'm still working through. Many values in LDAP seem to come up as arrays rather than string values, even though the array holds only one value. Others do not. cn and uid both came up as single-value arrays, but createtimestamp didn't.
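The CSV comparison mentioned above, and the array-versus-scalar oddity, both come up the moment the query is driven by data from a file. The script below is an added example, not code from the original post: it reads user ids from a CSV, runs one ADO query per id, and reports which ids are missing from the directory. The server name, base DN, bind identity, password and CSV path are placeholders. Two helpers do the practical work: EscapeLdapFilter applies RFC 4515 escaping so a CSV cell containing characters such as `*`, `(` or `)` cannot change the meaning of the filter, and FieldAsString returns a single string whether the provider hands back an array or a scalar.

```vbscript
' Added example (not from the original post): compare a list of user ids in a
' CSV file against the LDAP directory using one ADO query per id.
' Assumptions: server, base DN, bind identity, password and CSV path are placeholders.
Option Explicit

Const ADS_USE_SSL = 2            ' bind over LDAPS so the simple-bind password is not sent in the clear
Const ForReading = 1

Dim strServer, strBaseDN, adoConnection, adoCommand
strServer = "ldap.example.com"                 ' placeholder
strBaseDN = "dc=example,dc=com"                ' placeholder

Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Properties("User ID") = "cn=ADMINID"     ' placeholder
adoConnection.Properties("Password") = "PASSWORD"      ' placeholder; keep out of source control
adoConnection.Properties("Encrypt Password") = False
adoConnection.Properties("ADSI Flag") = ADS_USE_SSL
adoConnection.Open "Active Directory Provider"

Set adoCommand = CreateObject("ADODB.Command")
adoCommand.ActiveConnection = adoConnection
adoCommand.Properties("Page Size") = 100
adoCommand.Properties("Cache Results") = False

' RFC 4515 escaping for values placed inside a filter, so that a CSV cell such as
' "*)(uid=*" matches nothing instead of changing the meaning of the filter.
Function EscapeLdapFilter(strValue)
    Dim i, c, strOut
    strOut = ""
    For i = 1 To Len(strValue)
        c = Mid(strValue, i, 1)
        Select Case c
            Case "\":    strOut = strOut & "\5c"
            Case "*":    strOut = strOut & "\2a"
            Case "(":    strOut = strOut & "\28"
            Case ")":    strOut = strOut & "\29"
            Case Chr(0): strOut = strOut & "\00"
            Case Else:   strOut = strOut & c
        End Select
    Next
    EscapeLdapFilter = strOut
End Function

' The provider returns some attributes as single-element arrays and others as
' scalars; this returns the first value as a string either way.
Function FieldAsString(varValue)
    If IsNull(varValue) Then
        FieldAsString = ""
    ElseIf IsArray(varValue) Then
        If UBound(varValue) >= 0 Then
            FieldAsString = CStr(varValue(0))
        Else
            FieldAsString = ""
        End If
    Else
        FieldAsString = CStr(varValue)
    End If
End Function

' Look up one uid; returns the entry's DN, or "" if nothing matched.
Function FindUserDN(strUid)
    Dim rs
    adoCommand.CommandText = "<LDAP://" & strServer & "/" & strBaseDN & ">;" & _
        "(&(objectClass=person)(uid=" & EscapeLdapFilter(strUid) & "));entryDN;subtree"
    Set rs = adoCommand.Execute
    If rs.EOF Then
        FindUserDN = ""
    Else
        FindUserDN = FieldAsString(rs.Fields("entryDN").Value)
    End If
    rs.Close
End Function

' Walk the CSV (first column = uid) and report which ids are not in the directory.
Dim fso, tsCsv, strLine, arrCells, strUid, strDN
Set fso = CreateObject("Scripting.FileSystemObject")
Set tsCsv = fso.OpenTextFile("users.csv", ForReading)      ' placeholder path
Do Until tsCsv.AtEndOfStream
    strLine = Trim(tsCsv.ReadLine)
    If Len(strLine) > 0 Then
        arrCells = Split(strLine, ",")
        strUid = Trim(arrCells(0))
        strDN = FindUserDN(strUid)
        If strDN = "" Then
            WScript.Echo "MISSING: " & strUid
        Else
            WScript.Echo "FOUND:   " & strUid & " -> " & strDN
        End If
    End If
Loop
tsCsv.Close
adoConnection.Close
```

Run it with cscript so the output goes to the console. The "ADSI Flag" setting requires the server to offer LDAPS; if it only listens on plain LDAP the Open call fails, which is preferable to silently sending the admin password in clear text. Querying entryDN per id rather than loading the whole directory is what keeps this fast for large CSVs.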

If you need to get a user's DN through this query, simply query the attribute entryDN. You can use this to bind to the user and make modifications if needed, just as you would on AD.
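Binding to one user with the DN obtained from entryDN, as an added example that is not part of the original post. The server, credentials, the DN and the new attribute value are placeholders; the DN is assumed to have come from an earlier entryDN query. GetEx is used instead of Get because it always returns an array, which sidesteps the single-value-array oddity, and the write is gated behind a dry-run flag so the before/after values can be checked before anything is sent with SetInfo.

```vbscript
' Added example (not the post's own code): bind to a single entry using the DN
' returned by the entryDN attribute, read it, and apply a change only when
' explicitly enabled. Server, credentials, the DN and the new value are placeholders.
Option Explicit

Const ADS_USE_SSL = 2
Const ADS_PROPERTY_UPDATE = 2

Dim strServer, strUserDN, strAdminDN, strPassword, blnApply
strServer   = "ldap.example.com"                      ' placeholder
strUserDN   = "uid=jdoe,ou=people,dc=example,dc=com"  ' placeholder: value read from entryDN
strAdminDN  = "cn=ADMINID"                            ' placeholder
strPassword = "PASSWORD"                              ' placeholder
blnApply    = False                                   ' dry run unless set to True

' Open the entry via the LDAP provider; ADS_USE_SSL keeps the simple bind from
' crossing the wire in the clear (the server must offer LDAPS).
Function BindToEntry(strDN)
    Dim objDSO
    Set objDSO = GetObject("LDAP:")
    Set BindToEntry = objDSO.OpenDSObject("LDAP://" & strServer & "/" & strDN, _
        strAdminDN, strPassword, ADS_USE_SSL)
End Function

' Return an attribute as an array of strings whether it is single- or
' multi-valued (GetEx always returns an array, unlike Get), or an empty
' array when the attribute is not set on the entry.
Function GetValues(objEntry, strAttr)
    On Error Resume Next
    GetValues = objEntry.GetEx(strAttr)
    If Err.Number <> 0 Then
        Err.Clear
        GetValues = Array()
    End If
    On Error GoTo 0
End Function

Dim objUser, strOldMail, strNewMail
Set objUser = BindToEntry(strUserDN)

WScript.Echo "cn:   " & Join(GetValues(objUser, "cn"), ", ")
WScript.Echo "mail: " & Join(GetValues(objUser, "mail"), ", ")

' Example change: set a single-valued attribute, showing the before/after first.
strNewMail = "jdoe@example.com"                       ' placeholder
strOldMail = Join(GetValues(objUser, "mail"), ", ")
WScript.Echo "mail: '" & strOldMail & "' -> '" & strNewMail & "'"

If blnApply Then
    objUser.PutEx ADS_PROPERTY_UPDATE, "mail", Array(strNewMail)
    objUser.SetInfo              ' nothing reaches the directory until SetInfo
    WScript.Echo "applied"
Else
    WScript.Echo "dry run: re-run with blnApply = True to write the change"
End If
```

The PutEx/SetInfo pair is the same one used against Active Directory, so a script written this way can be pointed at either directory; the only AD-specific piece the post mentions, the ADsPath, is replaced here by building the path from the server and entryDN.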

One other great thing you can do is use this same code to query Oracle Internet Directory. Unfortunately, OID does not have an ADsPath (like AD) or an entryDN (LDAP) attribute, so it may not help with searching for users for the purposes of modifications, but you can use this method to run reports.

