Active Directory UDF - GetObjectsInOU: Difference between revisions
Revision as of 17:33, 1 February 2013
This page is still a work in progress.
The function _AD_GetObjectsInOU is the Swiss army knife of the Active Directory UDF.
It lets you search for whatever criteria you specify and returns whatever properties you want.
Parameters
The following parameters define what is searched for and what properties are returned by the function:
- $sAD_OU
- The Active Directory container where the search begins.
- $sAD_Filter
- The LDAP filter defines what to search for. More details can be found in the next section.
- $iAD_SearchScope
- Defines the search constraints. The following constraints are supported:
- Base:
- You search only the so-called “base” object (that is, the Active Directory container where you begin your search as defined by $sAD_OU); child containers are not searched. The base search is useful when you want to pull out information for a single OU (for example, a list of all the user accounts in the Finance OU).
- Set the parameter to 0 to use this constraint.
- One Level:
- A one-level search is restricted to the immediate children of a base object, but excludes the base object itself. A one-level search can be used to enumerate all children of an object.
- Set the parameter to 1 to use this constraint.
- Subtree:
- The entire subtree is searched: that includes the base container, all sub-containers and any containers contained within those sub-containers. A subtree search is normally used to search objects for a given scope. For example, search for all users with accounts that will expire in 30 days or less.
- Set the parameter to 2 to use this constraint. This is the default value.
- For more information please check this site [1].
- $sAD_DataToRetrieve
- A comma separated list of properties to be returned for each object that matches the search criteria.
- $sAD_SortBy
- A single property the resulting records will be sorted by. This has to be one of the properties specified in $sAD_DataToRetrieve.
LDAP filter
The best description of how to create an LDAP filter can be found here [2].
Remarks
- Multi-value attributes are returned as a string with the pipe character (|) as separator.
- To make sure that all properties you specify in $sAD_DataToRetrieve exist in the AD you can use _AD_ObjectExistsInSchema.
- This function returns the selected properties "as is". To "decode" unreadable properties you need to use function _AD_GetObjectProperties.
- If you need a single property of a single object you can use function _AD_GetObjectAttribute.
Examples
List all Group Policies
$aObjects = _AD_GetObjectsInOU("", "(objectClass=groupPolicyContainer)", 2, "displayName,gPCFileSysPath")
Users that never logged on before
$aObjects = _AD_GetObjectsInOU("", "(&(&(objectCategory=person)(objectClass=user))(|(lastLogon=0)(!(lastLogon=*))))", 2, "sAMAccountName,distinguishedName,displayname")
Users that must change their password the next time they logon
$aObjects = _AD_GetObjectsInOU("", "(&(objectCategory=person)(objectClass=user)(pwdLastSet=0))", 2, "sAMAccountName,distinguishedName,displayname")
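The following is an added example, not code from this wiki page or from the AD UDF itself, that puts the parameters, the Remarks and the last example together in one audit script: it checks the requested properties against the schema, runs a One Level search for users in a single OU who must change their password at next logon, sorts by sAMAccountName and splits the pipe-separated multi-value memberOf attribute. It assumes AD.au3 is installed, that the script runs as a domain user, that the OU path is a placeholder, and that the returned 2D array carries its record count in element [0][0] as the UDF documents.

```autoit
; Added example (not part of the wiki page or the AD UDF): audit users in one OU
; who must change their password at next logon (pwdLastSet=0).
; Assumptions: AD.au3 is installed, the script runs as a domain user, and the
; OU below is a placeholder to be replaced with a real container.
#include <AD.au3>

Global Const $sOU = "OU=Finance,DC=example,DC=com"   ; placeholder container
; Properties to return; memberOf is multi-valued and comes back pipe-separated
Global Const $sProps = "sAMAccountName,distinguishedName,memberOf"

; Connect to the current domain with the credentials of the running user
_AD_Open()
If @error Then
    ConsoleWrite("_AD_Open failed, @error=" & @error & " @extended=" & @extended & @CRLF)
    Exit 1
EndIf

; Verify every requested property exists in the schema before querying (see Remarks)
For $sProp In StringSplit($sProps, ",", 2)
    If Not _AD_ObjectExistsInSchema($sProp) Then
        ConsoleWrite("Property not in schema: " & $sProp & @CRLF)
        _AD_Close()
        Exit 1
    EndIf
Next

; Scope 1 = One Level: direct children of $sOU only, not the OU itself or nested OUs.
; $sAD_SortBy must be one of the properties in $sProps.
Local $aUsers = _AD_GetObjectsInOU($sOU, "(&(objectCategory=person)(objectClass=user)(pwdLastSet=0))", 1, $sProps, "sAMAccountName")
If @error Then
    ; The UDF sets @error on failure and also when no record matched the filter
    ConsoleWrite("_AD_GetObjectsInOU returned no data, @error=" & @error & @CRLF)
    _AD_Close()
    Exit 1
EndIf

; 2D result array: [0][0] holds the record count, data rows start at index 1
For $i = 1 To $aUsers[0][0]
    ConsoleWrite($aUsers[$i][0] & @TAB & $aUsers[$i][1] & @CRLF)
    ; Split the pipe-separated memberOf value back into individual group DNs
    For $sGroup In StringSplit($aUsers[$i][2], "|", 2)
        If $sGroup <> "" Then ConsoleWrite("    member of: " & $sGroup & @CRLF)
    Next
Next

_AD_Close()
```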