Active Directory Queries

Capture information at domain, OU, and OU subtree levels


Active Directory (AD) has added a whole new wrinkle to shell scripting. Under Windows NT 4.0 and NT 3.51, scriptwriters thought in terms of domains. We worked out strategies to query for groups, group memberships, individual user accounts, and computer accounts—all at the domain level. With the adoption of AD, many of us have seen our multitude of company domains reduced to one or just a few. Departments or locations that were domains are now broken out into organizational units (OUs). Shell script writers must face the challenge of capturing information at the domain level, the OU level, and the OU subtree level.

Several tools, including the Windows 2000 Support Tools Search.vbs utility, can help put the shell script writer in control of OU information. I've created a script, OS-SP-Report.bat, that uses Search.vbs to query multiple OUs for OS and service pack information. You can modify OS-SP-Report.bat to run similar queries on users, computers, and other AD objects. See the sidebar "AD Tools for the Shell Script Writer" for more AD command-shell tools.

OS-SP-Report.bat was born out of the need for a summary report that shows the OS and service pack level of computers in several targeted OUs. Some of these OUs included servers and PCs that had unknown OSs, probably because administrators had created computer accounts but never built the corresponding servers or PCs or joined the machines to the domain. Some servers and PCs were nested so deeply in the OU structure that we'd lost track of their service pack level. We needed a report that could give us some metrics about each OU so that we could contact the OU owners and clean up service pack installations.

OS-SP-Report.bat queries multiple OUs for OS and service pack information and creates an HTML report that you can serve up on your administrative Web site. Each time the script runs, it renames the previous HTML report so that you can retain access to as many as 11 previous reports. The script also creates a running log file so that you can review changes that occur in versions earlier than the retained versions of the report.

Search.vbs Syntax
Listing 1 shows an example of the basic Search.vbs syntax I used to find all the Win2K Professional computers in the ou=sales,ou=computers,dc=seattle,dc=yourcompany,dc=com OU. The /S:subtree option opens the search to the specified OU and its sub-OUs. Alternatively, you can use the /S:onelevel syntax to limit the search to only the targeted OU and to ignore objects in sub-OUs.

If you want to capture Win2K Pro computers that have Service Pack 1 (SP1) installed, you can use the filtering criteria that Listing 2 shows. I use this same basic syntax in OS-SP-Report.bat to test for Windows Server 2003, Windows XP, and Win2K Server OSs and the corresponding service pack levels.

Tools for Your Scripting Toolbelt
The OS-SP-Report.bat script uses several handy tools and techniques that should be part of your scripting toolbelt. The Set /a command lets you perform elementary math operations in your shell scripts. OS-SP-Report.bat contains more than 30 math operations.

Often in your scripts, you'll want to skip over a section of code. You can do so by using the GOTO command. OS-SP-Report.bat tests for a specific OS, and if it doesn't find the OS, it skips over all the tests for service packs on that OS, as the code at callout A in Listing 3 shows. I also used GOTO to skip over code for some future service packs.

Creating HTML reports is an easy way to make your script output look more professional. Instead of redirecting output to a .tsv, .csv, or .txt file, you can use HTML tables to create a nice-looking report.

Running the Script
To run OS-SP-Report.bat in your environment, download the code from the Windows Scripting Solutions Web site. You must also install Win2K Support Tools, which you can find on the Win2K CD-ROM.

Next, create an OUTargets.txt file with one ADsPath per line. Insert a tab after the ADsPath to separate the path from the scope of your search. Specify the scope as either subtree or onelevel. Your file should look like the sample that Figure 1 shows.

You'll need to configure the location of the OUTargets.txt input file, the location of HTML output files and the running log file that the script creates, and the location of the Search.vbs utility, as the code at callout A in Listing 4 shows. Also, you'll likely want to use Task Scheduler to run your script automatically.

At the time I wrote this article, the most recent releases were XP SP1 and Win2K SP3. As Microsoft issues more service packs, your script will need additional code and report rows to reflect that change. To make these additions easier for you, I've included the code to search for service packs up to SP6. The script currently skips over this code; to activate it, just look for the comment line that callout B in Listing 3 shows and remove or comment out the GOTO command that follows this line. The script will then begin looking for some or all of the specified service packs.
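
The same per-OU query driven by OUTargets.txt, written in PowerShell with the .NET DirectorySearcher in place of Search.vbs; this is an added example, not the OS-SP-Report.bat code. The file location, function names, and query labels are assumptions, and it must run from a domain-joined machine.

```powershell
$TargetsFile = 'C:\Scripts\OUTargets.txt'   # assumed location of the input file

function Read-OUTargets {
    param([string]$Path)
    # Each line is "ADsPath<TAB>scope"; only the two documented scopes pass.
    Get-Content -Path $Path | Where-Object { $_.Trim() } | ForEach-Object {
        $adsPath, $scope = $_ -split "`t", 2
        $scope = "$scope".Trim().ToLower()
        if ('subtree', 'onelevel' -notcontains $scope) {
            Write-Warning ("Skipping '{0}': scope must be subtree or onelevel" -f $_)
            return   # inside ForEach-Object this moves on to the next line
        }
        [pscustomobject]@{ ADsPath = $adsPath.Trim(); Scope = $scope }
    }
}

function Get-ComputerCount {
    param($Target, [string]$Filter)
    $root = $Target.ADsPath
    if ($root -notmatch '^LDAP://') { $root = "LDAP://$root" }
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([adsi]$root, $Filter)
    # The subtree and onelevel scopes map onto the SearchScope enum values.
    $searcher.SearchScope = if ($Target.Scope -eq 'subtree') { 'Subtree' } else { 'OneLevel' }
    $searcher.PageSize = 1000   # page results so large OUs are not truncated
    [void]$searcher.PropertiesToLoad.Add('name')
    $results = $searcher.FindAll()
    try { $results.Count } finally { $results.Dispose() }
}

# LDAP filters for the article's Win2K Pro example, plus computer accounts
# that have no operatingSystem value at all (the "unknown OS" case).
$c = '(objectCategory=computer)'
$queries = [ordered]@{
    'Win2K Pro, any SP' = "(&$c(operatingSystem=Windows 2000 Professional))"
    'Win2K Pro SP1'     = "(&$c(operatingSystem=Windows 2000 Professional)" +
                          "(operatingSystemServicePack=Service Pack 1))"
    'Unknown OS'        = "(&$c(!(operatingSystem=*)))"
}

foreach ($t in Read-OUTargets -Path $TargetsFile) {
    foreach ($label in $queries.Keys) {
        [pscustomobject]@{
            OU = $t.ADsPath; Scope = $t.Scope; Query = $label
            Count = Get-ComputerCount -Target $t -Filter $queries[$label]
        }
    }
}
```

A non-zero Unknown OS count for an OU marks computer accounts worth raising with the OU owner, since they carry no OS or service pack data to report on.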

OS-SP-Report.bat offers you a good way to track OSs and service packs running in your AD OUs. It also gives you some sample code that you can modify and use in your command-shell scripts to query AD for other information you need.
