#1 (permalink)

Move computer in AD based on DSQUERY script syntax help!

Hi,

I have run a dsquery against my AD for computer accounts with a stale password of 90 days. I now have this list of computers in a text file. I have noted the problems with piping the output from a dsquery direct to dsmove so I wrote a very basic vbscript (Not a good vbscripter) to read the list and do the move.

Now before anyone replies I know I could probably have done a bind to AD and returned the adspath worked on that but I had no idea how to work the pwdlastset attribute to return 90 days ago (Any ideas?)... also I have seen a for delims script which looked interesting and I shall investigate it further but want to know what's wrong with my own script!!

Here is my script...

```vbscript
Option Explicit

Dim objOU, objFSO, objFile
Dim strComputerDN

Const ForReading = 1

' Bind to the target OU that will receive the stale computer objects.
Set objOU = GetObject("LDAP://ou=Disabled,dc=home,dc=local")

' Open the list of computer DNs, one per line.
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFile = objFSO.OpenTextFile("C:\scripts\Computers.txt", ForReading)

' Move each computer into the target OU, keeping its current name.
Do Until objFile.AtEndOfStream
    strComputerDN = objFile.ReadLine
    objOU.MoveHere "LDAP://" & strComputerDN, vbNullString
Loop

WScript.Echo "All Computers Moved"
```

To get this to work I had to do a find and replace on the text file to remove the " marks also... (Why is this?)

Now this worked fine and moved all computers except 2. I discovered that these two computers had a distinguished name which contained two instances of the / character. I renamed the 2 OU's in question to not contain / (replaced them with a -) and edited my computers text file to put the - in and it runs fine..

So my question is... I am not sure what the problem is with the slashes in the DN and would binding to the adspath have caused the same issue?
#2 (permalink)

Re: Move computer in AD based on DSQUERY script syntax help!

As you have discovered, double quotes and forward slashes in DN values need special handling. However, they can be escaped with the backslash, "\", escape character. See this link for details, and a list of all characters that need to be escaped:

http://www.rlmueller.net/CharactersEscaped.htm

For Example:

```vbscript
Do Until objFile.AtEndOfStream
    ' Trim whitespace so blank lines can be detected and skipped.
    strComputerDN = Trim(objFile.ReadLine)
    If (strComputerDN <> "") Then
        ' Escape embedded double quotes, then forward slashes.
        strComputerDN = Replace(strComputerDN, """", "\""")
        strComputerDN = Replace(strComputerDN, "/", "\/")
        objOU.MoveHere "LDAP://" & strComputerDN, vbNullString
    End If
Loop
```

I Trim blanks and skip blank lines, since it is so easy to have a blank line at the end of a text file. Notice that the " character must be doubled inside a quoted string. However, I'm surprised that your list of computer DN's does not already escape the " character. Did you manually create the list? Most ADSI methods display DN values with all of the characters escaped, except the forward slash character, "/". I find this is the only character I need to escape in my VBScript programs.

I have an example VBScript program that disables and moves computer objects where the password has not been changed in a specified number of days. The program is linked here:

http://www.rlmueller.net/MoveOldComputers.htm

The program demonstrates how to handle the pwdLastSet attribute. It uses ADO to retrieve computer DN values. ADO escapes all characters except the "/". The program includes a line to replace "/" with "\/". Details on converting Integer8 attributes like pwdLastSet to date/time values linked here:

http://www.rlmueller.net/Integer8Attributes.htm

Finally, to find unused computer objects and deal with them, I recommend Joe Richards' free oldcmp utility:

http://www.joeware.net/freetools/tools/oldcmp/index.htm

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--
#3 (permalink)

Re: Move computer in AD based on DSQUERY script syntax help!

Hi Richard,

Thanks for your prompt reply. I shall read your links and make changes accordingly, thank you very much!

I obtained the list simply by running the following:

```bat
dsquery computer -stalepwd 90 -limit 0 > C:\computers.txt
```

I then opened it up in notepad and did a F+R on " to nothing.

So clearly dsquery just returns the DN without making any changes...

To be honest I am a little disappointed with the ds suite as they seem to be a simply brilliant idea and the information they give is fast and accurate however when it comes to wanting to do the simplest things with the gained information i.e. a dsquery piped into a dsmove, they just fall over with no readily apparent explanation.

But at least we have people like you on the forums...

Thanks again
#4 (permalink)

Re: Move computer in AD based on DSQUERY script syntax help!

I don't use dsquery, so didn't realize it has this problem. In my test domain I find that dsquery properly escapes the following characters:

```
, \
```

It does not escape the following characters that require it in VBScript (and ADSI):

```
# + < > ; " = /
```

I find that ADO, NameTranslate, and AD object attributes and methods (like the member and memberOf multi-valued attributes, and the Members method of groups and the Groups method of users) return DN values properly escaped, except that the "/" character is never escaped. AD and LDAP do not require that "/" be escaped, but ADSI does. These characters should be rare, and it's easy to recommend that they not be used, but the fact is they are allowed in AD.

I also note that Joe Richards' free adfind utility properly escapes all characters required by AD and LDAP. Again, it does not escape "/" because escaping that character is only required by ADSI. If you want to try adfind, which is easier to use and more powerful, see this link:

http://www.joeware.net/freetools/tools/adfind/index.htm

If you use Joe Richards' free admod utility, it should work great with adfind. Since Joe does not use ADSI, admod does not require that "/" be escaped:

http://www.joeware.net/freetools/tools/admod/index.htm

In all of my VBScript programs I try to remember to replace "/" with "\/" when I retrieve DN values before I use the value to bind. I may be the only nutty person to use these characters, but I don't want my scripts to fail for crazy reasons just because someone uses a perfectly valid character.

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--
#5 (permalink)

Re: Move computer in AD based on DSQUERY script syntax help!

Hi again!

I appreciate your testing efforts to clarify the situation. However I am now a tad confused by what you mean by this:

"It does not escape the following characters that require it in VBScript (and ADSI):"

"AD and LDAP do not require that "/" be escaped, but ADSI does"

Do you mean if I wrote a standard LDAP query or filter I would not need to escape the / (Or any of the other characters for that matter) but in vbscript (Which is the method of using ADSI) I do? Is it vbscript that is taking the characters out or the method I am attempting to implement?

Sorry I think I have got a bit lost in the terminology...

Thanks again!
#6 (permalink)

Re: Move computer in AD based on DSQUERY script syntax help!

What I am told is that the only characters that must be escaped in AD are:

```
, \ # + < > ; " =
```

All LDAP API's properly escape these characters. However, ADSI does not know how to handle the "/" character, so ADSI methods also require this character to be escaped. When you bind to an object in VBScript (or VB) you invoke IADs interfaces provided by ADSI. If a utility like adfind uses LDAP API's, it should escape the characters required in AD, but not "/".

For some reason dsquery only escapes the characters "," and "\". I have no explanation for that, except they are the most common characters requiring it. I would think this behaviour is a bug.

Bottom line, in VBScript the only character I need to worry about is the "/" character. All others will be properly escaped, unless I manually enter the DN.

Actually, you can see this using ADSI Edit. While ADUC will show you a user with Common Name "Last, First", in ADSI Edit you will see the value of the cn attribute is actually "Last\, First". You can also see that "/" is not escaped in AD, but a VBScript program will raise an error if the ADsPath does not have this character escaped.

I'm not sure in what environment you create your LDAP queries. In VBScript I use ADO and the resulting recordsets always escape all characters that AD requires to be escaped. However, because ADSI requires that "/" also be escaped, I replace "/" with "\/" before binding to an object with the DN (or ADsPath or cn) retrieved from the ADO recordset. The same goes for DN values retrieved using IADsNameTranslate.

I hope I haven't confused you further.

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--
| | #7 (permalink) |
| | Re: Move computer in AD based on DSQUERY script syntax help!

Hi

Thank you very much I believe I finally understand!

Thanks for everything!

"Richard Mueller [MVP]" wrote:

> What I am told is that the only characters that must be escaped in AD are:
>
> , \ # + < > ; " =
>
> All LDAP API's properly escape these characters. However, ADSI does not know how to handle the "/" character, so ADSI methods also require this character to be escaped. When you bind to an object in VBScript (or VB) you invoke IADs interfaces provided by ADSI. If a utility like adfind uses LDAP API's, it should escape the characters required in AD, but not "/".
>
> For some reason dsquery only escapes the characters "," and "\". I have no explanation for that, except they are the most common characters requiring it. I would think this behaviour is a bug.
>
> Bottom line, in VBScript the only character I need to worry about is the "/" character. All others will be properly escaped, unless I manually enter the DN. Actually, you can see this using ADSI Edit. While ADUC will show you a user with Common Name "Last, First", in ADSI Edit you will see the value of the cn attribute is actually "Last\, First". You can also see that "/" is not escaped in AD, but a VBScript program will raise an error if the ADsPath does not have this character escaped.
>
> I'm not sure in what environment you create your LDAP queries. In VBScript I use ADO and the resulting recordsets always escape all characters that AD requires to be escaped. However, because ADSI requires that "/" also be escaped, I replace "/" with "\/" before binding to an object with the DN (or ADsPath or cn) retrieved from the ADO recordset. The same goes for DN values retrieved using IADsNameTranslate.
>
> I hope I haven't confused you further.
>
> --
> Richard Mueller
> MVP Directory Services
> Hilltop Lab - http://www.rlmueller.net
> --
>
> "UselessUser" <UselessUser@xxxxxx> wrote in message
> news:8FEB1584-1DDC-43E3-8C56-8934C295A4F1@xxxxxx
> > Hi again!
> >
> > I appreciate your testing efforts to clarify the situation. However I am now a tad confused by what you mean by this:
> >
> > "It does not escape the following characters that require it in VBScript (and ADSI):"
> >
> > "AD and LDAP do not require that "/" be escaped, but ADSI does"
> >
> > Do you mean if I wrote a standard LDAP query or filter I would not need to escape the / (Or any of the other characters for that matter) but in vbscript (Which is the method of using ADSI) I do? Is it vbscript that is taking the characters out or the method I am attempting to implement?
> >
> > Sorry I think I have got a bit lost in the terminology...
> >
> > Thanks again!
> >
> > "Richard Mueller [MVP]" wrote:
> >
> >> I don't use dsquery, so didn't realize it has this problem. In my test domain I find that dsquery properly escapes the following characters:
> >>
> >> , \
> >>
> >> It does not escape the following characters that require it in VBScript (and ADSI):
> >>
> >> # + < > ; " = /
> >>
> >> I find that ADO, NameTranslate, and AD object attributes and methods (like the member and memberOf multi-valued attributes, and the Members method of groups and the Groups method of users) return DN values properly escaped, except that the "/" character is never escaped. AD and LDAP do not require that "/" be escaped, but ADSI does. These characters should be rare, and it's easy to recommend that they not be used, but the fact is they are allowed in AD.
> >>
> >> I also note that Joe Richards' free adfind utility properly escapes all characters required by AD and LDAP. Again, it does not escape "/" because escaping that character is only required by ADSI. If you want to try adfind, which is easier to use and more powerful, see this link:
> >>
> >> http://www.joeware.net/freetools/tools/adfind/index.htm
> >>
> >> If you use Joe Richards' free admod utility, it should work great with adfind. Since Joe does not use ADSI, admod does not require that "/" be escaped:
> >>
> >> http://www.joeware.net/freetools/tools/admod/index.htm
> >>
> >> In all of my VBScript programs I try to remember to replace "/" with "\/" when I retrieve DN values before I use the value to bind. I may be the only nutty person to use these characters, but I don't want my scripts to fail for crazy reasons just because someone uses a perfectly valid character.
> >>
> >> --
> >> Richard Mueller
> >> MVP Directory Services
> >> Hilltop Lab - http://www.rlmueller.net
> >> --
> >>
> >> "UselessUser" <UselessUser@xxxxxx> wrote in message
> >> news:F0D242E4-9663-49B7-BC7E-48F8F5D87DC5@xxxxxx
> >> > Hi Richard,
> >> >
> >> > Thanks for your prompt reply. I shall read your links and make changes accordingly, thank you very much!
> >> >
> >> > I obtained the list simply by running the following:
> >> >
> >> > dsquery computer -stalepwd 90 -limit 0 > C:\computers.txt
> >> >
> >> > I then opened it up in notepad and did a F+R on " to nothing.
> >> >
> >> > So clearly dsquery just returns the DN without making any changes...
> >> >
> >> > To be honest I am a little disappointed with the ds suite as they seem to be a simply brilliant idea and the information they give is fast and accurate however when it comes to wanting to do the simplest things with the gained information ie a dsquery piped into a dsmove, they just fall over with no readily apparent explanation.
> >> >
> >> > But at least we have people like you on the forums...
> >> >
> >> > Thanks again
> >> >
> >> > "Richard Mueller [MVP]" wrote:
> >> >
> >> >> "UselessUser" <UselessUser@xxxxxx> wrote in message
> >> >> news:86D8D269-6620-4142-A7FF-5CAC72F4A2B6@xxxxxx
> >> >> > Hi,
> >> >> >
> >> >> > I have run a dsquery against my AD for computer accounts with a stale password of 90 days. I now have this list of computers in a text file. I have noted the problems with piping the output from a dsquery direct to dsmove so I wrote a very basic vbscript (Not a good vbscripter) to read the list and do the move.
> >> >> >
> >> >> > Now before anyone replies I know I could probably have done a bind to AD and returned the adspath worked on that but I had no idea how to work the pwdlastset attribute to return 90 days ago (Any ideas?)... also I have seen a for delims script which looked interesting and I shall investigate it further but want to know what's wrong with my own script!!
> >> >> >
> >> >> > Here is my script...
> >> >> >
> >> >> > option explicit
> >> >> >
> >> >> > dim objOU, objFSO, objFile
> >> >> > dim strComputerDN
> >> >> >
> >> >> > const ForReading = 1
> >> >> > set objOU = GetObject("LDAP://ou=Disabled,dc=home,dc=local")
> >> >> >
> >> >> > set objFSO = CreateObject("Scripting.FileSystemObject")
> >> >> > Set objFile = objFSO.OpenTextFile("C:\scripts\Computers.txt", ForReading)
> >> >> >
> >> >> > Do Until objFile.AtEndOfStream
> >> >> >     strComputerDN = objFile.ReadLine
> >> >> >     objOU.MoveHere "LDAP://" & strComputerDN, vbNullString
> >> >> > Loop
> >> >> >
> >> >> > wscript.echo "All Computers Moved"
> >> >> >
> >> >> > To get this to work I had to do a find and replace on the text file to remove the " marks also... (Why is this?)
> >> >> >
> >> >> > Now this worked fine and moved all computers except 2. I discovered that these two computers had a distinguished name which contained two instances of the / character. I renamed the 2 OU's in question to not contain / (replaced them with a -) and edited my computers text file to put the - in and it runs fine..
> >> >> >
> >> >> > So my question is... I am not sure what the problem is with the slashes in the DN and would binding to the adspath have caused the same issue?
> >> >>
> >> >> As you have discovered, double quotes and forward slashes in DN values need special handling. However, they can be escaped with the backslash, "\", escape character. See this link for details, and a list of all characters that need to be escaped:
> >> >>
> >> >> http://www.rlmueller.net/CharactersEscaped.htm
> >> >>
> >> >> For Example:
> >> >> ======
> >> >> Do Until objFile.AtEndOfStream
> >> >>     strComputerDN = Trim(objFile.ReadLine)
> >> >>     If (strComputerDN <> "") Then
> >> >>         strComputerDN = Replace(strComputerDN, """", "\""")
> >> >>         strComputerDN = Replace(strComputerDN, "/", "\/")
> >> >>         objOU.MoveHere "LDAP://" & strComputerDN, vbNullString
> >> >>     End If
> >> >> Loop
> >> >> ====
> >> >> I Trim blanks and skip blank lines, since it is so easy to have a blank line at the end of a text file. Notice that the " character must be doubled inside a quoted string. However, I'm surprised that your list of computer DN's does not already escape the " character. Did you manually create the list? Most ADSI methods display DN values with all of the characters escaped, except the forward slash character, "/". I find this is the only character I need to escape in my VBScript programs.
> >> >>
> >> >> I have an example VBScript program that disables and moves computer objects where the password has not been changed in a specified number of days. The program is linked here:
> >> >>
> >> >> http://www.rlmueller.net/MoveOldComputers.htm
> >> >>
> >> >> The program demonstrates how to handle the pwdLastSet attribute. It uses ADO to retrieve computer DN values. ADO escapes all characters except the "/". The program includes a line to replace "/" with "\/". Details on converting Integer8 attributes like pwdLastSet to date/time values linked here:
> >> >>
> >> >> http://www.rlmueller.net/Integer8Attributes.htm
> >> >>
> >> >> Finally, to find unused computer objects and deal with them, I recommend Joe Richards' free oldcmp utility:
> >> >>
> >> >> http://www.joeware.net/freetools/tools/oldcmp/index.htm
> >> >>
> >> >> --
> >> >> Richard Mueller
> >> >> MVP Directory Services
> >> >> Hilltop Lab - http://www.rlmueller.net
> >> >> --
|
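The escaping rules discussed in this thread, as an added example that is not code from any of the posters: it takes one line of dsquery output, which per the thread arrives wrapped in double quotes with only "," and "\" escaped, and escapes the remaining listed characters plus "/" inside each RDN value before the DN goes into an ADsPath. The function names and the sample DN are constructed for illustration, and the sketch assumes the first "=" in each RDN separates the attribute name from its value.

```vbscript
Option Explicit

' Characters the thread reports dsquery leaves unescaped, plus "/" for ADSI.
Const NEEDS_ESCAPE = "#+<>;""=/"

' Escape the value part of one RDN, e.g. OU=R/D becomes OU=R\/D.
' Assumption: the first "=" separates the attribute name from its value.
Function EscapeRdn(strRdn)
    Dim intEq, strValue, strOut, i, ch
    intEq = InStr(strRdn, "=")
    If intEq = 0 Then
        EscapeRdn = strRdn
        Exit Function
    End If
    strValue = Mid(strRdn, intEq + 1)
    strOut = ""
    i = 1
    Do While i <= Len(strValue)
        ch = Mid(strValue, i, 1)
        If ch = "\" And i < Len(strValue) Then
            ' Existing escape pair such as \, or \\ : copy it unchanged.
            strOut = strOut & Mid(strValue, i, 2)
            i = i + 2
        Else
            If InStr(NEEDS_ESCAPE, ch) > 0 Then strOut = strOut & "\"
            strOut = strOut & ch
            i = i + 1
        End If
    Loop
    EscapeRdn = Left(strRdn, intEq) & strOut
End Function

' Convert one line of dsquery output into a DN that ADSI will bind to.
Function DsqueryLineToAdsiDN(strLine)
    Dim strDN, strRdn, strOut, i, ch
    strDN = Trim(strLine)
    ' Drop only the outer pair of double quotes that wraps the DN.
    If Len(strDN) >= 2 And Left(strDN, 1) = """" And Right(strDN, 1) = """" Then
        strDN = Mid(strDN, 2, Len(strDN) - 2)
    End If
    strRdn = ""
    strOut = ""
    i = 1
    Do While i <= Len(strDN)
        ch = Mid(strDN, i, 1)
        If ch = "\" And i < Len(strDN) Then
            ' Keep escaped pairs together so "\," is not taken for a separator.
            strRdn = strRdn & Mid(strDN, i, 2)
            i = i + 2
        ElseIf ch = "," Then
            ' Unescaped comma: end of one RDN.
            strOut = strOut & EscapeRdn(strRdn) & ","
            strRdn = ""
            i = i + 1
        Else
            strRdn = strRdn & ch
            i = i + 1
        End If
    Loop
    DsqueryLineToAdsiDN = strOut & EscapeRdn(strRdn)
End Function

' Constructed sample line: quoted, "," already escaped, "/" and "+" not.
Dim strSample
strSample = """CN=PC01,OU=Sales\, East/West+Lab,DC=home,DC=local"""
WScript.Echo "LDAP://" & DsqueryLineToAdsiDN(strSample)
```

The returned DN can be passed to MoveHere in place of the raw line read from the text file, which removes the need to strip the quotes by hand or rename OUs that contain "/".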