Program to use ADO to query Active Directory for objects meeting specified filter criteria and display the values of specified attributes of the objects found. The program first prompts for the base of the search, which must be the Distinguished Name of a container, organizational unit, or the domain. If you enter nothing, the program will default to search the entire domain. Next the program prompts for the LDAP syntax filter to be used. For example, to retrieve information on all user objects in Active Directory you would enter:

(&(objectCategory=person)(objectClass=user))

Finally, the program prompts for a comma-delimited list of the attributes whose values should be retrieved. You must specify the LDAP Display Names of the attributes. Operational attributes cannot be retrieved. The program always retrieves the Distinguished Names of the objects and displays this value first. For each object that meets the filter criteria in the base of the search, the program outputs the values of all of the attributes requested. The scope of the query is always subtree, so the search includes all child OUs and containers of the base.

The program is designed to be run at a command prompt with the cscript host. The output can be redirected to a text file. If you want the program to output in a comma-delimited (CSV) format that can be read by a spreadsheet program, specify the optional parameter /csv. If you do not use /csv, the program outputs each attribute value on a separate line. If you use /csv, multi-valued attributes are documented with the values delimited by semicolons.

Just about all attributes, other than operational ones (like tokenGroups), can be retrieved. All Integer8 attributes (like pwdLastSet, lastLogon, or lockoutTime) are converted into Long integer values. If the value is large enough to correspond to a date (after about April 4, 1981), the equivalent date value in the local time zone is shown in parentheses. All SID and OctetString attributes are converted into hex strings. In addition, if any OctetString value is recognized as a SID, it is converted into the standard decimal format beginning with the string "S-1-5". If any OctetString value is recognized as a GUID value, it is converted into the standard decimal format enclosed in curly braces. If any attribute is not assigned a value, this is indicated in the output.

The logonHours attribute (a byte array in Active Directory) is converted into a string of 168 bits, one for each hour of the week (Sunday through Saturday). The hours are converted into the local time zone (the values are saved in Active Directory in UTC). In the string a "1" means the user is allowed to log on during the corresponding hour, while a "0" means the user is not allowed to log on. The 168 hours are arranged in groups of 8, separated by dashes, to make them easier to read.

The LDAP filter specification assigns special meaning to a few characters. You must use the ASCII hex representation of these characters if they are used in the LDAP filter:

* \2A
( \28
) \29
\ \5C
NUL \00

For example, to find all user objects that contain the "*" character anywhere in the Common Name (the value of the cn attribute), use the following filter:

(&(objectCategory=person)(objectClass=user)(cn=*\2A*))

No attempt is made to validate the values supplied by the user. An error will be raised if the base of the query is not a valid Distinguished Name of a container, if the filter syntax is incorrect, or if any attribute names are invalid.
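The conversion and escaping rules above, as an added PowerShell example that is not the page's GenericADO or PSGenericADO code: it decodes Integer8 values with the April 1981 date cutoff, recognizes SIDs and GUIDs in OctetString values, expands logonHours into the 168-bit local-time string, and escapes the five reserved filter characters. It runs on constructed sample values rather than a live domain; the 1.2E17-tick cutoff, the least-significant-bit-first logonHours layout and the whole-hour time zone offset are assumptions, and values are taken in the [Int64] and [byte[]] form that DirectorySearcher returns.

```powershell
# Added example, not the page's GenericADO/PSGenericADO code. All inputs below are constructed.

function ConvertTo-LdapFilterValue {
    param([string]$Value)
    # Escape the reserved characters from the table; backslash first so later escapes survive.
    $Value.Replace('\', '\5C').Replace('*', '\2A').Replace('(', '\28').Replace(')', '\29').Replace([string][char]0, '\00')
}

function ConvertFrom-Integer8 {
    param([Int64]$Value)
    # Integer8 dates are 100-ns ticks since 1601-01-01 UTC. 1.2E17 ticks falls in early April 1981,
    # taken here (assumption) as the cutoff the page describes; 0 and Int64.MaxValue mean "never".
    if ($Value -ge 120000000000000000 -and $Value -ne [Int64]::MaxValue) {
        $local = [DateTime]::FromFileTimeUtc($Value).ToLocalTime()
        return "$Value ($($local.ToString('yyyy-MM-dd HH:mm:ss')))"
    }
    "$Value"
}

function ConvertFrom-OctetString {
    param([byte[]]$Bytes)
    # A SID starts with revision 1, byte 1 is the sub-authority count, and length is 8 + 4*count.
    if ($Bytes.Length -ge 8 -and $Bytes[0] -eq 1 -and $Bytes.Length -eq (8 + 4 * $Bytes[1])) {
        return (New-Object System.Security.Principal.SecurityIdentifier($Bytes, 0)).Value
    }
    if ($Bytes.Length -eq 16) { return ([Guid]::new($Bytes)).ToString('B') }  # {xxxxxxxx-....}
    ($Bytes | ForEach-Object { $_.ToString('X2') }) -join ''                 # plain hex string
}

function ConvertFrom-LogonHours {
    param([byte[]]$Bytes, [int]$UtcOffsetHours = [TimeZoneInfo]::Local.GetUtcOffset([DateTime]::Now).TotalHours)
    # 21 bytes = 168 bits; bit 0 of byte 0 = Sunday 00:00 UTC, least significant bit first (assumed layout).
    $utc = 0..167 | ForEach-Object { (($Bytes[[int][math]::Floor($_ / 8)] -shr ($_ % 8)) -band 1) }
    # Local hour i is UTC hour (i - offset); wrap around the week so Sunday 00:00 local can land in Saturday UTC.
    $bits = 0..167 | ForEach-Object { $utc[((($_ - $UtcOffsetHours) % 168) + 168) % 168] }
    (-join $bits) -replace '(.{8})(?=.)', '$1-'
}

# --- Demo on constructed values ---
ConvertTo-LdapFilterValue 'a*b(c)\d'                      # a\2Ab\28c\29\5Cd
ConvertFrom-Integer8 0                                    # 0  (e.g. pwdLastSet never set, no date shown)
ConvertFrom-Integer8 132000000000000000                   # a 2019 date, shown in the local time zone
$sid = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-21-1-2-3-500')
$raw = New-Object byte[] ($sid.BinaryLength); $sid.GetBinaryForm($raw, 0)
ConvertFrom-OctetString $raw                              # S-1-5-21-1-2-3-500
ConvertFrom-OctetString ([Guid]::Empty.ToByteArray())     # {00000000-0000-0000-0000-000000000000}
$hours = New-Object byte[] 21; $hours[4] = 0xFE; $hours[5] = 0x01   # Monday 09:00-17:00 UTC only
ConvertFrom-LogonHours $hours -UtcOffsetHours -5          # same window shown as Monday 04:00-12:00 in UTC-5
```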

GenericADO.txt <<-- Click here to view or download the program

You can also target specific Domain Controllers when you run this program. You would do this if you are retrieving attributes that are not replicated. For example, you might want to see how the value of the logonCount attribute varies between Domain Controllers. To target a specific Domain Controller, include the name of the DC in the base you supply for the query. For example, if you want to search ou=West,dc=MyDomain,dc=com, and you have a DC called West211, then supply the following for the base of the query:

West211/ou=West,dc=MyDomain,dc=com

An equivalent PowerShell script is linked below. This PowerShell script has been revised to improve the display of the logonHours attribute. Functions have also been added to interpret many flag attributes, such as userAccountControl. The script now accepts a -Count parameter, to display just the count of the objects that meet the filter conditions. A -OneLevel parameter has also been added so you can specify the scope as OneLevel rather than the default SubTree. Finally, improved error trapping has been added.

PSGenericADO.txt <<-- Click here to view or download the program