Active Directory Query from VBS - get user status

[johnlopez2000]

Colleagues,

I have written the following function to extract users data from AD:

function GetUserInformation (UserName)
  
    dim objConnection, objCommand, objRecordSet
    
    CheckUserResult = CheckUser(UserName)
    if CheckUserResult = "True" then
  
        Set objConnection = CreateObject("ADODB.Connection")
        objConnection.Open "Provider=ADsDSOObject;"
        
        Set objCommand = CreateObject("ADODB.Command")
        objCommand.ActiveConnection = objConnection
        
        objCommand.CommandText = _
         "<GC://ou=Landing Gear Division,dc=goodrich,dc=root,dc=local>;" & _
         "(&(objectCategory=person)(objectClass=user)" & _
         "(sAMAccountName="&UserName&"));" & _
         "sAMAccountName, displayName, distinguishedName, givenName, initials, sn, mail, userPrincipalName,  streetAddress, l, st, postalCode, c,  telephoneNumber, pager, mobile, info, facsimileTelephoneNumber, title, department, company, manager;subtree"
        
        Set objRecordSet = objCommand.Execute
      
        GetUserInformation = "UserName=" & UserName & VBNEWLINE & _  
        "exists=True" & VBNEWLINE & _  
        "sAMAccountName=" & objRecordSet.Fields("sAMAccountName").Value & VBNEWLINE & _  
        "displayName=" & objRecordSet.Fields("displayName").Value & VBNEWLINE & _  
        "givenName=" & objRecordSet.Fields("givenName").Value & VBNEWLINE & _  
        "initials=" & objRecordSet.Fields("initials").Value & VBNEWLINE & _  
        "surname=" & objRecordSet.Fields("sn").Value & VBNEWLINE & _  
        "userPrincipalName=" & objRecordSet.Fields("userPrincipalName").Value & VBNEWLINE & _  
        "distinguishedName=" & objRecordSet.Fields("distinguishedName").Value & VBNEWLINE & _  
        "email=" & objRecordSet.Fields("mail").Value & VBNEWLINE & _    
        "info=" & objRecordSet.Fields("info").Value & VBNEWLINE & _  
        "streetAddress=" & objRecordSet.Fields("streetAddress").Value & VBNEWLINE & _  
        "city=" & objRecordSet.Fields("l").Value & VBNEWLINE & _  
        "state=" & objRecordSet.Fields("st").Value & VBNEWLINE & _  
        "postalCode=" & objRecordSet.Fields("postalCode").Value & VBNEWLINE & _  
        "country=" & objRecordSet.Fields("c").Value & VBNEWLINE & _    
        "telephoneNumber=" & objRecordSet.Fields("telephoneNumber").Value & VBNEWLINE & _  
        "pager=" & objRecordSet.Fields("pager").Value & VBNEWLINE & _  
        "mobile=" & objRecordSet.Fields("mobile").Value & VBNEWLINE & _  
        "facsimileTelephoneNumber=" & objRecordSet.Fields("facsimileTelephoneNumber").Value & VBNEWLINE & _    
        "title=" & objRecordSet.Fields("title").Value & VBNEWLINE & _  
        "department=" & objRecordSet.Fields("department").Value & VBNEWLINE & _  
        "company=" & objRecordSet.Fields("company").Value & VBNEWLINE & _  
        "manager=" & objRecordSet.Fields("manager").Value
                  
      objConnection.Close
  else
      GetUserInformation = "UserName=" & UserName & VBNEWLINE & _  
        "exists=False"
  end if 

End Function

which works fine.

However I am trying to get user status information, using some fields I found in LDAP documentation ...

[b]
objRecordSet.Fields([COLOR=red]"AccountDisabled"[/color]).Value
objRecordSet.Fields([COLOR=red]"AccountExpirationDate"[/color]).Value
objRecordSet.Fields([COLOR=red]"IsAccountLocked"[/color]).Value 
[/b]

but it would appear that the ADODB provider can not return the above.

I assume then that it is either only available via a subsequent LDAP query or has some alternate attribute names in the AD database. I DO NOT really want to do this as a subsequent LDAP query, but just get it as part of the initial ADOBD query.

Thanks
John



John Lopez
Enterprise PDM Architect

 

[markdmac]

Set objUser = GetObject _
  ("LDAP://cn=myerken,ou=management,dc=fabrikam,dc=com")

If objUser.AccountDisabled = FALSE Then
      WScript.echo "The account is enabled."
Else
      WScript.echo "The account is disabled."
End If

If objUser.IsAccountLocked = FALSE Then
      WScript.echo "The account is unlocked."
Else
      WScript.echo "The account is locked."
End If

expiredate = objUser.AccountExpirationDate
WScript.Echo "The account expires on " & expiredate

I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at

http://www.thespidersparlor.com/vbscript

 

[tsuji]

Those three attributes are not replicated, some among them are not even "store" in the AD. You cannot get it querying gc. Besides, the face values of all of them is often misleading.

 

[markdmac]

You are correct tsuji, but you can get thse attributes if you bind to the user object directly.

I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at

http://www.thespidersparlor.com/vbscript

 

[tsuji]

Binding to the object and getting its attributes, sure... But, I am just answering the op's question. And that effectively mean if you want so much to get them, bind to the user object.

 

[johnlopez2000]

Colleagues,

thanks for the information. However, did I not 'bind' it to the user via:

"(sAMAccountName="&UserName&"));"

as passed to the code frag above? Should not the recordset contain the queried information?

Thanks again. Your help is most appreciated particularly since I am new to AD and LDAP.

John

John Lopez
Enterprise PDM Architect

 

[johnlopez2000]

Guys - tried this out and it works great. Just did a seperate LDAP query per the above in a seperage function def and returns the info needed. Again, thanks.

function GetUserAcctActivationStatus (distinguishedName)

    Set objUser = GetObject ("LDAP://"&distinguishedName)
    
    GetUserAcctActivationStatus = FALSE
    
    If objUser.AccountDisabled = FALSE Then
          GetUserAcctActivationStatus = TRUE
    Else
          GetUserAcctActivationStatus = FALSE
    End If
    
    If objUser.IsAccountLocked = FALSE Then
          GetUserAcctActivationStatus = TRUE
    Else
          GetUserAcctActivationStatus = FALSE
    End If
    
End Function

called by:

...
Set objConnection = CreateObject("ADODB.Connection")
        objConnection.Open "Provider=ADsDSOObject;"
        
        Set objCommand = CreateObject("ADODB.Command")
        objCommand.ActiveConnection = objConnection
        
        objCommand.CommandText = _
         "<GC://ou=Landing Gear Division,dc=goodrich,dc=root,dc=local>;" & _
         "(&(objectCategory=person)(objectClass=user)" & _
         "(sAMAccountName="&UserName&"));" & _
         "sAMAccountName, displayName, distinguishedName, givenName, initials, sn, mail, userPrincipalName,  streetAddress, l, st, postalCode, c,  telephoneNumber, pager, mobile, info, facsimileTelephoneNumber, title, department, company, manager;subtree"
        
        Set objRecordSet = objCommand.Execute
        
        status = GetUserAcctActivationStatus(objRecordSet.Fields("distinguishedName").Value)
...

again, thanks for the help.

John

John Lopez
Enterprise PDM Architect

 

[tsuji]

>[tt]I DO NOT really want to do this as a subsequent LDAP query, but just get it as part of the initial ADOBD query.[/tt]
I suppose thereby you retract your _strong_ desire _not_ to use "subsequent LDAP query". Then that's the way to go.

 

[johnlopez2000]

... indeed I retract ... my statement was more from ignorance than anything ... just a beggar looking for new bread

~(;-}}

Again - many thanks


John Lopez
Enterprise PDM Architect