Wildcard Active Directory Searches
June 27, 2001
by Marcin Policht
For system administrators, Active Directory Services Interface provides a way to access and manipulate various directory services (such as NT SAM, Netware Bindery and NDS, IIS metabase, Exchange Directory Services database, and Windows 2000 Active Directory or other third party LDAP-based directory stores). ADSI is a very powerful tool that hides the complexity of the underlying directory structure. The majority of account management tasks can be accomplished by writing simple, short scripts. These include creating and deleting users as well as modifying their properties (such as password, expiration date, profile, home directory, logon script, group membership, etc.)
There are, however, tasks that involve a bit more effort to automate. One of them is implementing wildcard searches of Active Directory (such as searching for names containing a particular string of characters). This can be accomplished by employing another set of COM interfaces called ActiveX Data Objects (or ADO in short).
ADO, in its current implementation, uses a low-level OLE DB provider to simplify access to various databases. It also is capable of representing structured information stores, such as directory services databases, in a form that yields itself to typical database operations, such as queries.
The queries used for accessing Active Directory can be written in one of two formats (also called dialects):
Dialect A: LDAP - consisting of four parts separated by semicolons:
1) Base distinguished name determining Active Directory container to
2) LDAP search filter indicating criteria for search e.g.(&(objectCategory=person)(sn=Jsmith)). The filter can include wild cards(*) e.g. (&(objectCategory=person)(cn=*admin*))
3) Attributes to be returned from the query e.g. profilePath, telephoneNumber, etc.
4) Search scope e.g. base (search of the base container only), one-level (one-level deep search), or subtree (searching all subcontainers of the base container)
For example, the following statement will search for all users with the last name starting with "Pol" and return the path of the user account object, last name, first name, and telephone number:
SQL - constructed like a typical SQL (or Transact-SQL) statement and consisting
of the following keywords:
2) FROM - followed by AD's path of the search e.g.'LDAP://CN=users,DC=swynk,DC=com'
3) WHERE - followed by filter criteria, based on one of selected attributes.
With the exception of the query format, a script implementing the search would be identical in both cases.
The sample script that follows searches domain swynk.com for user accounts starting with the string "Pol".
The script first creates the Connection object. This object represents a unique session with a data source (Active Directory in our case). The provider property of this object needs to be set to the string "ADsDSOOBJECT"
representing the OLE DB provider. Next, Open method needs to be called. Once the
connection is open, you can run either query (using LDAP or SQL dialect). The
query populates a structure called a RecordSet, where results satisfying
specified criteria are stored. MoveNext method of the RecordSet object is used
in a While loop to list all results.
The script will list all the full names of user account with last names starting with "Pol", as well as their telephone numbers and the full ADSI path of each user account object in Active Directory.