I have been fighting with this for so long.  I have a VB script that will export all the user and information to a text file so I can import into SQL and run all of my security audits that I wrote.  The problem is that this script binds to root and requires domain admin access.  My new job will not give me any access higher than domain user.  I do not know how to write the script so I can get the data with read only rights.

Now the other option I hear is to do it all in SQL and have SQL pull the ADSI data directly into a table.

Could somebody please help me out?  I need to get this work done.

 Thank you,

Darla

Hi dfriel,

Please post the code you're using that isn't working, and the exact error message you're getting, and we might be able to help.

Bill

Thank you Bill,

This is the code that I am using.  It will pull back one user only.  I need all accounts, any where in SD.  The account am using has domain user access only.

------------------------------------------------

On Error Resume Next
' Option Explicit
Dim strquery
Dim strdbpath
Dim objrecordset
Dim objitem

' WRITE TO LOG FILE
set FSO = CreateObject("Scripting.FileSystemObject")
Set ResultFile = FSO.CreateTextFile ("C:\AD_Scripts\Populate.txt")
Set ResultFile = FSO.OpenTextFile ("C:\AD_Scripts\Populate.txt", 2)
arrComputers = Array("server.company.net")
For Each strComputer In arrComputers

' - Connect to AD
Set objCommand = CreateObject("ADODB.Command")
Set objConnection = CreateObject("ADODB.Connection")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
objCommand.ActiveConnection = objConnection
strQuery = "<;(objectCategory=person/">LDAP://dc=Company,dc=Net>;(objectCategory=person);" & "adsPath;subtree"
objCommand.CommandText = strQuery
Set objRecordSet = objCommand.Execute

Do Until objRecordSet.EOF

Set objItem  = GetObject(objRecordSet.Fields ("adspath"))

      ResultFile.write ("sAMAccountName " & ";")  
      ResultFile.write ("distinguishedName " & ";")
      ResultFile.write ("displayName " & ";")
      ResultFile.write ("givenName " & ";")
      ResultFile.write ("LastName " & ";")
      ResultFile.write ("telephoneNumber " & ";")
      ResultFile.write ("mobile " & ";")
      ResultFile.write ("userAccountControl " & " |")
'-----------------------------------------
'-----------------------------------------
' - Loop through all of the users and insert their details into the DB
 Do Until objRecordSet.EOF

While Not tsTextFile.AtEndOfStream
      ResultFile.write (objItem.sAMAccountName & " ;")
      ResultFile.write (objItem.distinguishedName & " ;")
      ResultFile.write (objItem.displayName & " ;")
      ResultFile.write (objItem.givenName & " ;")
      ResultFile.write (objItem.sn & " ;")
      ResultFile.write (objItem.telephoneNumber & " ;")
      ResultFile.write (objItem.mobile & " ;")
      ResultFile.write (";" & objItem.userAccountControl & "|")

  objRecordSet.MoveNext

Wend
loop
 loop
Next

-------------------------------------------------------------

Hi dfriel,

I wrote a quick JScript script that queries my AD domain for some of the attributes you listed, and it ran fine as a standard domain user. Here's a copy of the script I wrote:

var defaultNC, connection, command, rs;

defaultNC = GetObject("LDAP://rootDSE").Get("defaultNamingContext");
connection = new ActiveXObject("ADODB.Connection");
connection.Provider = "ADsDSOObject";
connection.Open();

command = new ActiveXObject("ADODB.Command");
command.ActiveConnection = connection;
command.Properties.Item("Cache results") = false;
command.Properties.Item("Page size") = 1000;
command.CommandText = "<LDAP://" + defaultNC + ">;" +
  "(&(objectCategory=person)(objectClass=user));" +
  "sAMAccountName,distinguishedName,displayName,givenName," +
  "sn,telephoneNumber,userAccountControl" +
  ";subtree";

rs = command.Execute();
while (! rs.EOF) {
  WScript.Echo('"' + rs.Fields.Item("sAMAccountName") + '",' +
    '"' + rs.Fields.Item("distinguishedName")  + '",' +
    '"' + rs.Fields.Item("displayName")        + '",' +
    '"' + rs.Fields.Item("givenName")          + '",' +
    '"' + rs.Fields.Item("sn")                 + '",' +
    '"' + rs.Fields.Item("telephoneNumber")    + '",' +
    '"' + rs.Fields.Item("userAccountControl") + '"');
  rs.MoveNext();
}

I'm note sure what some of your code is doing, but the sample code above does a serverless bind to rootDSE to determine the default naming context, and then it queries AD using ADO using the specified attributes.

HTH,

Bill

You could simply redirect the output i.e.

csript programX.js > MyFile.cvs

where program X is the name of your script and MyFile.cvs is where you want the output stored.

Hi dfriel,

RKirchhof has the answer -- the script I wrote generates CSV data, so you can simply redirect its output to a CSV file. Make sure you run it with CScript is CScript is not your default host.

HTH,

Bill

Thank you, Thank you, everybody.

Where is the best place to learn more about jscript.  It look much more simple the VB.

oriented.

Would you know how to add in the group membership for each user, into this same script?  When I followed the same format as the rest of the script, I am getting a null value for the group membership.  I also changed the script to be separtated semi colon between the colums because the data contains " ,"

var defaultNC, connection, command, rs;defaultNC = GetObject("LDAP://rootDSE").Get("defaultNamingContext");
connection = new ActiveXObject("ADODB.Connection");
connection.Provider = "ADsDSOObject";
connection.Open();command = new ActiveXObject("ADODB.Command");

command.ActiveConnection = connection;
command.Properties.Item("Cache results") = false;
command.Properties.Item("Page size") = 1000;
command.CommandText = "<LDAP://" + defaultNC + ">;" +
  "(&(objectCategory=person)(objectClass=user));" +
  "sAMAccountName,distinguishedName,displayName,givenName," +
  "sn,telephoneNumber,mobile,whenChanged,whenCreated,userAccountControl,memberOf" +
  ";subtree";
rs = command.Execute();
while (! rs.EOF) {
  WScript.Echo('"' + rs.Fields.Item("sAMAccountName") + '";' +
    '"' + rs.Fields.Item("distinguishedName")   + '";' +
    '"' + rs.Fields.Item("displayName")         + '";' +
    '"' + rs.Fields.Item("givenName")           + '";' +
    '"' + rs.Fields.Item("sn")                  + '";' +
    '"' + rs.Fields.Item("telephoneNumber")     + '";' +
    '"' + rs.Fields.Item("mobile")  + '";' +
    '"' + rs.Fields.Item("whenChanged")     + '";' +
    '"' + rs.Fields.Item("whenCreated")  + '";' +
    '"' + rs.Fields.Item("userAccountControl") + '";' +
    '"' + rs.Fields.Item("memberOf")  + '"|');
  rs.MoveNext();
}

Hi dfriel,

I'm not sure it's possible to query every possible attribute using ADO. I would recommend looking perhaps at a different tool, such as the dsquery command-line tool.

Bill 

Here is a batch file I wrote to return the group membership(s) of a user.

Copy into notepad and save as dsg.bat

@Echo off
If (%1)==() Goto Help
If Exist Groups1.txt Del Groups1.txt
dsquery  user -name %1  > Location.Txt
dsget user < Location.txt -memberof >Groups.txt
FOR /F "tokens=1 delims=," %%G IN (groups.txt) DO @echo %%G% >>Groups2.txt
echo %1's Location in Active Directory has been found. >Groups1.txt
type Location.txt >> Groups1.txt
Echo This is the Group Membership report for %1.>>Groups1.txt
FOR /F "tokens=2 delims==" %%G IN (groups2.txt) DO @echo %%G% >>Groups1.txt
del Groups2.txt
explorer groups1.txt
goto End
:Help
echo Robert's Group Membership List Creator
echo Will not list Expanded group membership. Use DSG-E.BAT
echo To use, type dsg User Name (In quotes) i.e. dgs "RKirchhof"
echo For Example: dsg "First Last" (First.Last is the naming convention in my domain)
:End

This one includes expanded member ships .  i.e. User is in a group thats in a group ... 
Copy into notepad and save as dsg-e.bat

@Echo off
If (%1)==() Goto Help
If Exist Groups1.txt Del Groups1.txt
dsquery  user -name %1  > Location.Txt
dsget user < Location.txt -memberof -expand >Groups.txt
rem del Location.txt
FOR /F "tokens=1 delims=," %%G IN (groups.txt) DO @echo %%G% >>Groups2.txt
echo %1's Location in Active Directory has been found. >Groups1.txt
type Location.txt >> Groups1.txt
Echo This is the Group Membership report for %1.>>Groups1.txt
FOR /F "tokens=2 delims==" %%G IN (groups2.txt) DO @echo %%G% >>Groups1.txt
del Groups2.txt
explorer groups1.txt
goto End
:Help
echo Robert's Group Membership List Creator
echo Expanded (Will list all groups to which the user belongs)
echo To use, type dsg-e User Name (In quotes)  i.e. dgs-e "RKirchhof"
echo For Example: dsg-e "First Last" (First.Last is the naming convention in my domain)
:End

Here is a neat one. It copies the members of GroupA to GroupB
Save as CopyMBRS.bat

@echo off
If {%1} == {} goto Help
for /F  "delims=" %%x in ('Dsquery Group -Name %1') do set DNS=%%x
for /F  "delims=" %%x in ('Dsquery Group -Name %2') do set DND=%%x
dsget group %DNS% -members > MBRS.Txt
FOR /F "delims=" %%h in (MBRS.Txt) do dsmod group %DND% -addmbr %%h
goto End
:Help
@echo Copies the members of Group A to Group B
@echo Syntax:  CopyMbrs Sources Destination
@echo Example: CopyMbrs GroupA GroupB
:end

Hope these help. Oh BTW allthese DS commands are in the Windows 2003 adminpac or resources kit I'm not sure which.