Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Active Directory VBScript not returning role correctly

Posted on 2006-07-06
6
Medium Priority
?
1,266 Views
Last Modified: 2012-05-05
In our test lab AD, we have three computers, two of them show "Machine Role" in the AD Find box as "Workstation or Server" and the other has role "Domain Controller". I wanted to extract this information into VB, but when I query machineRole it returns nothing in that field.

Heres the script

     SET con = CreateObject("ADODB.Connection")
     With con
          .Provider = "ADsDSOObject"
          .Properties("User ID") = "RESTRICTED\Administrator"
          .Properties("Password") = inputbox("enter admin pwd")
          .Properties("Encrypt Password") = True
          .Open "ADs Provider"
     End With
     Set adoRecordset = CreateObject("ADODB.Recordset")
     SQLText = " select  Name, canonicalName, distinguishedName, operatingSystem, operatingSystemVersion, OperatingSystemServicePack,  OperatingSystemHotfix, dnsHostName, Location, Description, UserAccountControl, whenCreated, whenChanged, machineRole, userAccountControl"

     SQLText = SQLText & " FROM 'LDAP://SERVERNAME/DC=RESTRICTED,DC=MYDOMAIN,DC=NET' "
     SQLText = SQLText & " WHERE objectClass='Computer' "
     adoRecordset.Open SQLText, con


Now adoRecordset.Fields("machineRole").value returns null. I wondered if it was an array so I ran it with cscript using .net 2005 debugger and although it may be an array it has no elements. I have checked this on every record.

Is there a different way of retrieving machineRole - or is it another field ?

thanks
0
Comment
Question by:plq
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
6 Comments
 
LVL 16

Expert Comment

by:mdiglio
ID: 17051170
Hello,

add this code to what you posted and it will return what you want

'5 represents domain controller fsmo holder and 4 represents backup domain controller
'Since you only have 1 DC in your test environment you won't need the 4 part

Do While Not adoRecordset.EOF
    strComputer = adoRecordset.Fields("name")
    Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
    Set colItems = objWMIService.ExecQuery("Select domainRole from Win32_ComputerSystem", , 48)
    For Each objItem In colItems
        If objItem.DomainRole = 5 Or objItem.DomainRole = 4 Then
            MsgBox "Domain Controller"
         Else
            MsgBox "Workstation Or Server"
        End If
    Next

Loop
0
 
LVL 16

Expert Comment

by:mdiglio
ID: 17051181
I know that wasn't a very efficient solution but I'm not sure what is wrong with that attribute.
As a test, not a solution, you might want to try changing the attribute so it is replicated to the GC and/or indexed

Open Active Directory SChema
start > run > mmc > add/remove snap-in > look for 'Active Directory SChema'

Under attributes look for machineRole and change it so it is replicated to the Global Catalog and/or it is indexed
Honestly, I can't see why that would work because I can query other attributes that aren't relpicated/indexed,
but since this is a test environment, and if you feel comfortable doing so, you might as well give it a shot.
0
 
LVL 8

Assisted Solution

by:Shakti109
Shakti109 earned 600 total points
ID: 17051184

While the Display name of the property is "MachineRole", the actual CN name is "Machine-Role", query on that and you should be ok.

An alternative is to use WMI to query the win32_computersystem class and extract the DomainRole parameter.

This will return one of the following values :
0 Standalone Workstation
1 Member Workstation
2 Standalone Server
3 Member Server
4 Backup Domain Controller
5 Primary Domain Controller


Here is a link to all of the default Active Directory Schema attributes :
http://msdn.microsoft.com/library/?url=/library/en-us/adschema/adschema/attributes_all.asp


0
Get your Conversational Ransomware Defense e‑book

This e-book gives you an insight into the ransomware threat and reviews the fundamentals of top-notch ransomware preparedness and recovery. To help you protect yourself and your organization. The initial infection may be inevitable, so the best protection is to be fully prepared.

 
LVL 8

Author Comment

by:plq
ID: 17052362
I think the correct name is machineRole - it errors if you give a field name that doesnt exist. And machine-role does raise an error.

In the AD Schema snap in, machineRole is there, Machine-Role is its display name/description. I added it to global catalog but script output is still the same

Perhaps there's some kind of bug in the ads provider. I haven't actually proved to myself that the Machine-Role or machineRole field actually contains the value - I've just seen "Machine Role" as a column header in search results and that was populated. Is there a way of inspecting all AD attributes using the MMC or other tools ?


thanks
0
 
LVL 16

Accepted Solution

by:
mdiglio earned 1400 total points
ID: 17052539
I think it is the attribute and not the provider
I tried using the adsi .get method and it failed as well

The only uncommon characteristic about it is the syntax is 'enumerate', I would have thought it to be a string

The only tool I use to inspect all AD attributes is the schema snap-in
0
 
LVL 8

Author Comment

by:plq
ID: 17072728
I dont see any way forward with this. I will park it for now and update here if I find out a way of getting that data back.
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I've always wanted to allow a user to have a printer no matter where they login. The steps below will show you how to achieve just that. In this Article I'll show how to deploy printers automatically with group policy and then using security fil…
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
Add bar graphs to Access queries using Unicode block characters. Graphs appear on every record in the color you want. Give life to numbers. Hopes this gives you ideas on visualizing your data in new ways ~ Create a calculated field in a query: …
We’ve all felt that sense of false security before—locking down external access to a database or component and feeling like we’ve done all we need to do to secure company data. But that feeling is fleeting. Attacks these days can happen in many w…

721 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question