Solved

Active Directory VBScript not returning role correctly

Posted on 2006-07-06
6
1,253 Views
Last Modified: 2012-05-05
In our test lab AD, we have three computers, two of them show "Machine Role" in the AD Find box as "Workstation or Server" and the other has role "Domain Controller". I wanted to extract this information into VB, but when I query machineRole it returns nothing in that field.

Heres the script

     SET con = CreateObject("ADODB.Connection")
     With con
          .Provider = "ADsDSOObject"
          .Properties("User ID") = "RESTRICTED\Administrator"
          .Properties("Password") = inputbox("enter admin pwd")
          .Properties("Encrypt Password") = True
          .Open "ADs Provider"
     End With
     Set adoRecordset = CreateObject("ADODB.Recordset")
     SQLText = " select  Name, canonicalName, distinguishedName, operatingSystem, operatingSystemVersion, OperatingSystemServicePack,  OperatingSystemHotfix, dnsHostName, Location, Description, UserAccountControl, whenCreated, whenChanged, machineRole, userAccountControl"

     SQLText = SQLText & " FROM 'LDAP://SERVERNAME/DC=RESTRICTED,DC=MYDOMAIN,DC=NET' "
     SQLText = SQLText & " WHERE objectClass='Computer' "
     adoRecordset.Open SQLText, con


Now adoRecordset.Fields("machineRole").value returns null. I wondered if it was an array so I ran it with cscript using .net 2005 debugger and although it may be an array it has no elements. I have checked this on every record.

Is there a different way of retrieving machineRole - or is it another field ?

thanks
0
Comment
Question by:plq
  • 3
  • 2
6 Comments
 
LVL 16

Expert Comment

by:mdiglio
ID: 17051170
Hello,

add this code to what you posted and it will return what you want

'5 represents domain controller fsmo holder and 4 represents backup domain controller
'Since you only have 1 DC in your test environment you won't need the 4 part

Do While Not adoRecordset.EOF
    strComputer = adoRecordset.Fields("name")
    Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
    Set colItems = objWMIService.ExecQuery("Select domainRole from Win32_ComputerSystem", , 48)
    For Each objItem In colItems
        If objItem.DomainRole = 5 Or objItem.DomainRole = 4 Then
            MsgBox "Domain Controller"
         Else
            MsgBox "Workstation Or Server"
        End If
    Next

Loop
0
 
LVL 16

Expert Comment

by:mdiglio
ID: 17051181
I know that wasn't a very efficient solution but I'm not sure what is wrong with that attribute.
As a test, not a solution, you might want to try changing the attribute so it is replicated to the GC and/or indexed

Open Active Directory SChema
start > run > mmc > add/remove snap-in > look for 'Active Directory SChema'

Under attributes look for machineRole and change it so it is replicated to the Global Catalog and/or it is indexed
Honestly, I can't see why that would work because I can query other attributes that aren't relpicated/indexed,
but since this is a test environment, and if you feel comfortable doing so, you might as well give it a shot.
0
 
LVL 8

Assisted Solution

by:Shakti109
Shakti109 earned 150 total points
ID: 17051184

While the Display name of the property is "MachineRole", the actual CN name is "Machine-Role", query on that and you should be ok.

An alternative is to use WMI to query the win32_computersystem class and extract the DomainRole parameter.

This will return one of the following values :
0 Standalone Workstation
1 Member Workstation
2 Standalone Server
3 Member Server
4 Backup Domain Controller
5 Primary Domain Controller


Here is a link to all of the default Active Directory Schema attributes :
http://msdn.microsoft.com/library/?url=/library/en-us/adschema/adschema/attributes_all.asp


0
Migrating Your Company's PCs

To keep pace with competitors, businesses must keep employees productive, and that means providing them with the latest technology. This document provides the tips and tricks you need to help you migrate an outdated PC fleet to new desktops, laptops, and tablets.

 
LVL 8

Author Comment

by:plq
ID: 17052362
I think the correct name is machineRole - it errors if you give a field name that doesnt exist. And machine-role does raise an error.

In the AD Schema snap in, machineRole is there, Machine-Role is its display name/description. I added it to global catalog but script output is still the same

Perhaps there's some kind of bug in the ads provider. I haven't actually proved to myself that the Machine-Role or machineRole field actually contains the value - I've just seen "Machine Role" as a column header in search results and that was populated. Is there a way of inspecting all AD attributes using the MMC or other tools ?


thanks
0
 
LVL 16

Accepted Solution

by:
mdiglio earned 350 total points
ID: 17052539
I think it is the attribute and not the provider
I tried using the adsi .get method and it failed as well

The only uncommon characteristic about it is the syntax is 'enumerate', I would have thought it to be a string

The only tool I use to inspect all AD attributes is the schema snap-in
0
 
LVL 8

Author Comment

by:plq
ID: 17072728
I dont see any way forward with this. I will park it for now and update here if I find out a way of getting that data back.
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I guess it is not common knowledge to most Wintel engineers/administrators: If you have an SNMP-based monitoring system in your environment (and it's common to have SNMP or Syslog) it's reasonably easy to enable monitoring of the Windows Event logs,…
On July 14th 2015, Windows Server 2003 will become End of Support, leaving hundreds of thousands of servers around the world that still run this 12 year old operating system vulnerable and potentially out of compliance in many organisations around t…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

830 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question