Solved

Active Directory VBScript not returning role correctly

Posted on 2006-07-06
6
1,261 Views
Last Modified: 2012-05-05
In our test lab AD, we have three computers, two of them show "Machine Role" in the AD Find box as "Workstation or Server" and the other has role "Domain Controller". I wanted to extract this information into VB, but when I query machineRole it returns nothing in that field.

Heres the script

     SET con = CreateObject("ADODB.Connection")
     With con
          .Provider = "ADsDSOObject"
          .Properties("User ID") = "RESTRICTED\Administrator"
          .Properties("Password") = inputbox("enter admin pwd")
          .Properties("Encrypt Password") = True
          .Open "ADs Provider"
     End With
     Set adoRecordset = CreateObject("ADODB.Recordset")
     SQLText = " select  Name, canonicalName, distinguishedName, operatingSystem, operatingSystemVersion, OperatingSystemServicePack,  OperatingSystemHotfix, dnsHostName, Location, Description, UserAccountControl, whenCreated, whenChanged, machineRole, userAccountControl"

     SQLText = SQLText & " FROM 'LDAP://SERVERNAME/DC=RESTRICTED,DC=MYDOMAIN,DC=NET' "
     SQLText = SQLText & " WHERE objectClass='Computer' "
     adoRecordset.Open SQLText, con


Now adoRecordset.Fields("machineRole").value returns null. I wondered if it was an array so I ran it with cscript using .net 2005 debugger and although it may be an array it has no elements. I have checked this on every record.

Is there a different way of retrieving machineRole - or is it another field ?

thanks
0
Comment
Question by:plq
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
6 Comments
 
LVL 16

Expert Comment

by:mdiglio
ID: 17051170
Hello,

add this code to what you posted and it will return what you want

'5 represents domain controller fsmo holder and 4 represents backup domain controller
'Since you only have 1 DC in your test environment you won't need the 4 part

Do While Not adoRecordset.EOF
    strComputer = adoRecordset.Fields("name")
    Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
    Set colItems = objWMIService.ExecQuery("Select domainRole from Win32_ComputerSystem", , 48)
    For Each objItem In colItems
        If objItem.DomainRole = 5 Or objItem.DomainRole = 4 Then
            MsgBox "Domain Controller"
         Else
            MsgBox "Workstation Or Server"
        End If
    Next

Loop
0
 
LVL 16

Expert Comment

by:mdiglio
ID: 17051181
I know that wasn't a very efficient solution but I'm not sure what is wrong with that attribute.
As a test, not a solution, you might want to try changing the attribute so it is replicated to the GC and/or indexed

Open Active Directory SChema
start > run > mmc > add/remove snap-in > look for 'Active Directory SChema'

Under attributes look for machineRole and change it so it is replicated to the Global Catalog and/or it is indexed
Honestly, I can't see why that would work because I can query other attributes that aren't relpicated/indexed,
but since this is a test environment, and if you feel comfortable doing so, you might as well give it a shot.
0
 
LVL 8

Assisted Solution

by:Shakti109
Shakti109 earned 150 total points
ID: 17051184

While the Display name of the property is "MachineRole", the actual CN name is "Machine-Role", query on that and you should be ok.

An alternative is to use WMI to query the win32_computersystem class and extract the DomainRole parameter.

This will return one of the following values :
0 Standalone Workstation
1 Member Workstation
2 Standalone Server
3 Member Server
4 Backup Domain Controller
5 Primary Domain Controller


Here is a link to all of the default Active Directory Schema attributes :
http://msdn.microsoft.com/library/?url=/library/en-us/adschema/adschema/attributes_all.asp


0
Back Up Your Microsoft Windows Server®

Back up all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

 
LVL 8

Author Comment

by:plq
ID: 17052362
I think the correct name is machineRole - it errors if you give a field name that doesnt exist. And machine-role does raise an error.

In the AD Schema snap in, machineRole is there, Machine-Role is its display name/description. I added it to global catalog but script output is still the same

Perhaps there's some kind of bug in the ads provider. I haven't actually proved to myself that the Machine-Role or machineRole field actually contains the value - I've just seen "Machine Role" as a column header in search results and that was populated. Is there a way of inspecting all AD attributes using the MMC or other tools ?


thanks
0
 
LVL 16

Accepted Solution

by:
mdiglio earned 350 total points
ID: 17052539
I think it is the attribute and not the provider
I tried using the adsi .get method and it failed as well

The only uncommon characteristic about it is the syntax is 'enumerate', I would have thought it to be a string

The only tool I use to inspect all AD attributes is the schema snap-in
0
 
LVL 8

Author Comment

by:plq
ID: 17072728
I dont see any way forward with this. I will park it for now and update here if I find out a way of getting that data back.
0

Featured Post

Optimize your web performance

What's in the eBook?
- Full list of reasons for poor performance
- Ultimate measures to speed things up
- Primary web monitoring types
- KPIs you should be monitoring in order to increase your ROI

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

by Batuhan Cetin In this article I will be guiding through the process of removing a failed DC metadata from Active Directory (hereafter, AD) using the ntdsutil tool in a Windows Server 2003 environment. These steps are not necessary in a Win…
Scenerio: You have a server running Server 2003 and have applied a retail pack of Terminal Server Licenses.  You want to change servers or your server has crashed and you need to reapply the Terminal Server Licenses. When you enter the 16-digit lic…
There's a multitude of different network monitoring solutions out there, and you're probably wondering what makes NetCrunch so special. It's completely agentless, but does let you create an agent, if you desire. It offers powerful scalability …
NetCrunch network monitor is a highly extensive platform for network monitoring and alert generation. In this video you'll see a live demo of NetCrunch with most notable features explained in a walk-through manner. You'll also get to know the philos…

623 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question