
Vista - Move computer in AD based on DSQUERY script syntax help!

01-10-2009   #1
UselessUser

Hi,

I have run a dsquery against my AD for computer accounts with a stale
password of 90 days. I now have this list of computers in a text file. I have
noted the problems with piping the output from a dsquery direct to dsmove so
I wrote a very basic vbscript (Not a good vbscripter) to read the list and do
the move.

Now before anyone replies I know I could probably have done a bind to AD and
returned the adspath and worked on that but I had no idea how to work the
pwdlastset attribute to return 90 days ago (Any ideas?)... also I have seen a
for delims script which looked interesting and I shall investigate it further
but want to know what's wrong with my own script!!

Here is my script...

option explicit

dim objOU, objFSO, objFile
dim strComputerDN

const ForReading = 1
' Bind to the destination OU
set objOU = GetObject("LDAP://ou=Disabled,dc=home,dc=local")

set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFile = objFSO.OpenTextFile("C:\scripts\Computers.txt", ForReading)

' Each line of the file is one computer DN; move it into the destination OU
Do Until objFile.AtEndOfStream
    strComputerDN = objFile.ReadLine
    objOU.MoveHere "LDAP://" & strComputerDN, vbNullString
Loop

wscript.echo "All Computers Moved"

To get this to work I had to do a find and replace on the text file to
remove the " marks also... (Why is this?)

Now this worked fine and moved all computers except 2. I discovered that
these two computers had a distinguished name which contained two instances of
the / character. I renamed the 2 OU's in question to not contain / (replaced
them with a -) and edited my computers text file to put the - in and it runs
fine..

So my question is... I am not sure what the problem is with the slashes in
the DN and would binding to the adspath have caused the same issue?

01-10-2009   #2
Richard Mueller [MVP]

As you have discovered, double quotes and forward slashes in DN values need
special handling. However, they can be escaped with the backslash, "\",
escape character. See this link for details, and a list of all characters
that need to be escaped:

http://www.rlmueller.net/CharactersEscaped.htm

For Example:
======
Do Until objFile.AtEndOfStream
    strComputerDN = Trim(objFile.ReadLine)
    ' Skip blank lines
    If (strComputerDN <> "") Then
        ' Escape double quotes and forward slashes with a backslash
        strComputerDN = Replace(strComputerDN, """", "\""")
        strComputerDN = Replace(strComputerDN, "/", "\/")
        objOU.MoveHere "LDAP://" & strComputerDN, vbNullString
    End If
Loop
====
I Trim blanks and skip blank lines, since it is so easy to have a blank line
at the end of a text file. Notice that the " character must be doubled
inside a quoted string. However, I'm surprised that your list of computer
DN's does not already escape the " character. Did you manually create the
list? Most ADSI methods display DN values with all of the characters
escaped, except the forward slash character, "/". I find this is the only
character I need to escape in my VBScript programs.

I have an example VBScript program that disables and moves computer objects
where the password has not been changed in a specified number of days. The
program is linked here:

http://www.rlmueller.net/MoveOldComputers.htm

The program demonstrates how to handle the pwdLastSet attribute. It uses ADO
to retrieve computer DN values. ADO escapes all characters except the "/".
The program includes a line to replace "/" with "\/". Details on converting
Integer8 attributes like pwdLastSet to date/time values are linked here:

http://www.rlmueller.net/Integer8Attributes.htm

Finally, to find unused computer objects and deal with them, I recommend Joe
Richards' free oldcmp utility:

http://www.joeware.net/freetools/tools/oldcmp/index.htm

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--


01-10-2009   #3
UselessUser

Hi Richard,

Thanks for your prompt reply. I shall read your links and make changes
accordingly, thank you very much!

I obtained the list simply by running the following:

dsquery computer -stalepwd 90 -limit 0 > C:\computers.txt

I then opened it up in notepad and did a F+R on " to nothing.

So clearly dsquery just returns the DN without making any changes...

To be honest I am a little disappointed with the ds suite as they seem to be a
simply brilliant idea and the information they give is fast and accurate
however when it comes to wanting to do the simplest things with the gained
information, i.e. a dsquery piped into a dsmove, they just fall over with no
readily apparent explanation.

But at least we have people like you on the forums...

Thanks again

01-10-2009   #4
Richard Mueller [MVP]

I don't use dsquery, so didn't realize it has this problem. In my test
domain I find that dsquery properly escapes the following characters:

, \

It does not escape the following characters that require it in VBScript (and
ADSI):

# + < > ; " = /

I find that ADO, NameTranslate, and AD object attributes and methods (like
the member and memberOf multi-valued attributes, and the Members method of
groups and the Groups method of users) return DN values properly escaped,
except that the "/" character is never escaped. AD and LDAP do not require
that "/" be escaped, but ADSI does. These characters should be rare, and
it's easy to recommend that they not be used, but the fact is they are
allowed in AD.

I also note that Joe Richards' free adfind utility properly escapes all
characters required by AD and LDAP. Again, it does not escape "/" because
escaping that character is only required by ADSI. If you want to try adfind,
which is easier to use and more powerful, see this link:

http://www.joeware.net/freetools/tools/adfind/index.htm

If you use Joe Richards' free admod utility, it should work great with
adfind. Since Joe does not use ADSI, admod does not require that "/" be
escaped:

http://www.joeware.net/freetools/tools/admod/index.htm

In all of my VBScript programs I try to remember to replace "/" with "\/"
when I retrieve DN values before I use the value to bind. I may be the only
nutty person to use these characters, but I don't want my scripts to fail
for crazy reasons just because someone uses a perfectly valid character.

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--

01-10-2009   #5
UselessUser

Hi again!

I appreciate your testing efforts to clarify the situation. However I am now
a tad confused by what you mean by this:

"It does not escape the following characters that require it in VBScript (and
ADSI):"

"AD and LDAP do not require that "/" be escaped, but ADSI does"

Do you mean if I wrote a standard LDAP query or filter I would not need to
escape the / (Or any of the other characters for that matter) but in vbscript
(Which is the method of using ADSI) I do? Is it vbscript that is taking the
characters out or the method I am attempting to implement?

Sorry I think I have got a bit lost in the terminology...

Thanks again!

01-10-2009   #6
Richard Mueller [MVP]

What I am told is that the only characters that must be escaped in AD are:

, \ # + < > ; " =

All LDAP API's properly escape these characters. However, ADSI does not know
how to handle the "/" character, so ADSI methods also require this character
to be escaped. When you bind to an object in VBScript (or VB) you invoke
IADs interfaces provided by ADSI. If a utility like adfind uses LDAP API's,
it should escape the characters required in AD, but not "/".

For some reason dsquery only escapes the characters "," and "\". I have no
explanation for that, except they are the most common characters requiring
it. I would think this behaviour is a bug.

Bottom line, in VBScript the only character I need to worry about is the "/"
character. All others will be properly escaped, unless I manually enter the
DN. Actually, you can see this using ADSI Edit. While ADUC will show you a
user with Common Name "Last, First", in ADSI Edit you will see the value of
the cn attribute is actually "Last\, First". You can also see that "/" is
not escaped in AD, but a VBScript program will raise an error if the ADsPath
does not have this character escaped.

I'm not sure in what environment you create your LDAP queries. In VBScript I
use ADO and the resulting recordsets always escape all characters that AD
requires to be escaped. However, because ADSI requires that "/" also be
escaped, I replace "/" with "\/" before binding to an object with the DN (or
ADsPath or cn) retrieved from the ADO recordset. The same goes for DN values
retrieved using IADsNameTranslate.

I hope I haven't confused you further.

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--
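
The escaping rule discussed in this thread (the characters AD requires, plus the "/" that only ADSI needs), as an added example that is not code from either poster or from the linked rlmueller.net programs: a VBScript function that normalizes one line of dsquery output before it is appended to "LDAP://". It assumes each line is a single DN wrapped in one pair of double quotes with "," and "\" already escaped, as reported above, and that "+" never separates RDN components; the function name and the sample DNs are made up for illustration.

```vbscript
Option Explicit

' Characters the thread lists as needing a backslash inside an RDN value
' when the DN is used with ADSI. "," and "\" are left out on purpose:
' dsquery already escapes those (assumption taken from the thread).
Const NEEDS_ESCAPE = "#+<>;""=/"

' Convert one line of dsquery output into a DN that can be appended to
' "LDAP://". Returns "" for blank lines. (Hypothetical helper name.)
Function DsqueryLineToAdsiDN(strLine)
    Dim strDN, strOut, strCh, i, blnInValue

    strDN = Trim(strLine)

    ' dsquery wraps each DN in double quotes; drop that one enclosing pair
    ' instead of deleting every quote in the file.
    If Len(strDN) >= 2 And Left(strDN, 1) = """" And Right(strDN, 1) = """" Then
        strDN = Mid(strDN, 2, Len(strDN) - 2)
    End If

    strOut = ""
    blnInValue = False      ' False until the first "=" of each RDN is seen
    i = 1
    Do While i <= Len(strDN)
        strCh = Mid(strDN, i, 1)
        If strCh = "\" And i < Len(strDN) Then
            ' Already-escaped pair such as "\,": copy it through unchanged
            ' so it is never escaped a second time.
            strOut = strOut & Mid(strDN, i, 2)
            i = i + 2
        Else
            If strCh = "," Then
                ' An unescaped comma ends the current RDN.
                blnInValue = False
                strOut = strOut & strCh
            ElseIf strCh = "=" And Not blnInValue Then
                ' The first "=" separates the attribute type from its value.
                blnInValue = True
                strOut = strOut & strCh
            ElseIf blnInValue And InStr(NEEDS_ESCAPE, strCh) > 0 Then
                ' Special character inside a value: add the backslash.
                strOut = strOut & "\" & strCh
            Else
                strOut = strOut & strCh
            End If
            i = i + 1
        End If
    Loop

    DsqueryLineToAdsiDN = strOut
End Function

' Constructed sample lines (not real directory data), in the quoted form
' dsquery writes to a text file.
Dim arrSample, strLine, strDN
arrSample = Array( _
    """CN=PC01,OU=Sales/Marketing,DC=home,DC=local""", _
    """CN=PC02,OU=R+D\, Labs,DC=home,DC=local""", _
    "", _
    """CN=PC03,OU=A=B,DC=home,DC=local""")

For Each strLine In arrSample
    strDN = DsqueryLineToAdsiDN(strLine)
    If strDN <> "" Then
        WScript.Echo "LDAP://" & strDN
        ' In the script from post #1 the move would go here:
        ' objOU.MoveHere "LDAP://" & strDN, vbNullString
    End If
Next
```

Run it with cscript; it only prints the resulting ADsPath strings, since the MoveHere call is left as a comment.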

"UselessUser" <UselessUser@xxxxxx> wrote in message
news:8FEB1584-1DDC-43E3-8C56-8934C295A4F1@xxxxxx
Quote:

> Hi again!
>
> I appreciate your testing efforts to clarify the situation. However I am
> now
> a tad confused by what you mean by this:
>
> "It does not escape the following characters that require it in VBScript
> (and
> ADSI):"
>
> "AD and LDAP do not require that "/" be escaped, but ADSI does"
>
> Do you mean if I wrote a standard LDAP query or filter I would not need to
> escape the / (Or any of the other characters for that matter) but in
> vbscript
> (Which is the method of using ADSI) I do? Is it vbscript that is taking
> the
> characters out or the method I am attempting to implement?
>
> Sorry I think I have got a bit lost in the terminology...
>
> Thanks again!
>
> "Richard Mueller [MVP]" wrote:
>
Quote:

>> I don't use dsquery, so didn't realize it has this problem. In my test
>> domain I find that dsquery properly escapes the following characters:
>>
>> , \
>>
>> It does not escape the following characters that require it in VBScript
>> (and
>> ADSI):
>>
>> # + < > ; " = /
>>
>> I find that ADO, NameTranslate, and AD object attributes and methods
>> (like
>> the member and memberOf multi-valued attributes, and the Members method
>> of
>> groups and the Groups method of users) return DN values properly escaped,
>> except that the "/" character is never escaped. AD and LDAP do not
>> require
>> that "/" be escaped, but ADSI does. These characters should be rare, and
>> it's easy to recommend that they not be used, buy the fact is they are
>> allowed in AD.
>>
>> I also note that Joe Richards' free adfind utility properly escapes all
>> characters required by AD and LDAP. Again, it does not escape "/" because
>> escaping that character is only required by ADSI. If you want to try
>> adfind,
>> which is easier to use and more powerful, see this link:
>>
>> http://www.joeware.net/freetools/tools/adfind/index.htm
>>
>> If you use Joe Richards' free admod utility, it should work great with
>> adfind. Since Joe does not use ADSI, admod does not require that "/" be
>> escaped:
>>
>> http://www.joeware.net/freetools/tools/admod/index.htm
>>
>> In all of my VBScript programs I try to remember to replace "/" with "\/"
>> when I retrieve DN values before I use the value to bind. I may be the
>> only
>> nutty person to use these characters, but I don't want my scripts to fail
>> for crazy reasons just because someone uses a perfectly valid character.
>>
>> --
>> Richard Mueller
>> MVP Directory Services
>> Hilltop Lab - http://www.rlmueller.net
>> --
>>
>> "UselessUser" <UselessUser@xxxxxx> wrote in message
>> news:F0D242E4-9663-49B7-BC7E-48F8F5D87DC5@xxxxxx
Quote:

>> > Hi Richard,
>> >
>> > Thanks for your prompt reply. I shall read your links and make changes
>> > accordingly, thank you very much!
>> >
>> > I obtained the list simply by running the following:
>> >
>> > dsquery computer -stalepwd 90 limit 0 > C:\computers.txt
>> >
>> > I then opened it up in notepad and did a F+R on " to nothing.
>> >
>> > So clearly dsquery just returns the DN without making any changes...
>> >
>> > To be honest I am little disappointed with the ds suite as they seem to
>> > be
>> > a
>> > simply brilliant idea and the information they give is fast and
>> > accurate
>> > however when it comes to wanting to do the simplest things with the
>> > gained
>> > information ie a dsquery piped into a dsmove, they just fall over with
>> > no
>> > readily apparent explanation.
>> >
>> > But at least we have people like you on the forums...
>> >
>> > Thanks again
>> >
>> > "Richard Mueller [MVP]" wrote:
>> >
>> >>
>> >> "UselessUser" <UselessUser@xxxxxx> wrote in message
>> >> news:86D8D269-6620-4142-A7FF-5CAC72F4A2B6@xxxxxx
>> >> > Hi,
>> >> >
>> >> > I have run a dsquery against my AD for computer accounts with a stale
>> >> > password of 90 days. I now have this list of computers in a text file. I have
>> >> > noted the problems with piping the output from a dsquery direct to dsmove so
>> >> > I wrote a very basic vbscript (Not a good vbscripter) to read the list and do
>> >> > the move.
>> >> >
>> >> > Now before anyone replies I know I could probably have done a bind to AD and
>> >> > returned the adspath worked on that but I had no idea how to work the
>> >> > pwdlastset attribute to return 90 days ago (Any ideas?)... also I have seen a
>> >> > for delims script which looked interesting and I shall investigate it further
>> >> > but want to know what's wrong with my own script!!
>> >> >
>> >> > Here is my script...
>> >> >
>> >> > option explicit
>> >> >
>> >> > dim objOU, objFSO, objFile
>> >> > dim strComputerDN
>> >> >
>> >> > const ForReading = 1
>> >> > set objOU = GetObject("LDAP://ou=Disabled,dc=home,dc=local")
>> >> >
>> >> > set objFSO = CreateObject("Scripting.FileSystemObject")
>> >> > Set objFile = objFSO.OpenTextFile("C:\scripts\Computers.txt", ForReading)
>> >> >
>> >> > Do Until objFile.AtEndOfStream
>> >> > strComputerDN = objFile.ReadLine
>> >> > objOU.MoveHere "LDAP://" & strComputerDN, vbNullString
>> >> > Loop
>> >> >
>> >> > wscript.echo "All Computers Moved"
>> >> >
>> >> > To get this to work I had to do a find and replace on the text file to
>> >> > remove the " marks also... (Why is this?)
>> >> >
>> >> > Now this worked fine and moved all computers except 2. I discovered that
>> >> > these two computers had a distinguished name which contained two instances of
>> >> > the / character. I renamed the 2 OU's in question to not contain / (replaced
>> >> > them with a -) and edited my computers text file to put the - in and it runs
>> >> > fine..
>> >> >
>> >> > So my question is... I am not sure what the problem is with the slashes in
>> >> > the DN and would binding to the adspath have caused the same issue?
>> >>
>> >> As you have discovered, double quotes and forward slashes in DN values need
>> >> special handling. However, they can be escaped with the backslash, "\",
>> >> escape character. See this link for details, and a list of all characters
>> >> that need to be escaped:
>> >>
>> >> http://www.rlmueller.net/CharactersEscaped.htm
>> >>
>> >> For Example:
>> >> ======
>> >> Do Until objFile.AtEndOfStream
>> >> strComputerDN = Trim(objFile.ReadLine)
>> >> If (strComputerDN <> "") Then
>> >> strComputerDN = Replace(strComputerDN, """", "\""")
>> >> strComputerDN = Replace(strComputerDN, "/", "\/")
>> >> objOU.MoveHere "LDAP://" & strComputerDN, vbNullString
>> >> End If
>> >> Loop
>> >> ====
>> >> I Trim blanks and skip blank lines, since it is so easy to have a blank line
>> >> at the end of a text file. Notice that the " character must be doubled
>> >> inside a quoted string. However, I'm surprised that your list of computer
>> >> DN's does not already escape the " character. Did you manually create the
>> >> list? Most ADSI methods display DN values with all of the characters
>> >> escaped, except the forward slash character, "/". I find this is the only
>> >> character I need to escape in my VBScript programs.
>> >>
>> >> I have an example VBScript program that disables and moves computer objects
>> >> where the password has not been changed in a specified number of days. The
>> >> program is linked here:
>> >>
>> >> http://www.rlmueller.net/MoveOldComputers.htm
>> >>
>> >> The program demonstrates how to handle the pwdLastSet attribute. It uses ADO
>> >> to retrieve computer DN values. ADO escapes all characters except the "/".
>> >> The program includes a line to replace "/" with "\/". Details on converting
>> >> Integer8 attributes like pwdLastSet to date/time values linked here:
>> >>
>> >> http://www.rlmueller.net/Integer8Attributes.htm
>> >>
>> >> Finally, to find unused computer objects and deal with them, I recommend Joe
>> >> Richards' free oldcmp utility:
>> >>
>> >> http://www.joeware.net/freetools/tools/oldcmp/index.htm
>> >>
>> >> --
>> >> Richard Mueller
>> >> MVP Directory Services
>> >> Hilltop Lab - http://www.rlmueller.net
>> >> --
>> >>
>> >>
>> >>
>>
>>
>>

Old 01-11-2009   #7 (permalink)
UselessUser


 
 

Re: Move computer in AD based on DSQUERY script syntax help!

Hi

Thank you very much I believe I finally understand!

Thanks for everything!

"Richard Mueller [MVP]" wrote:
> What I am told is that the only characters that must be escaped in AD are:
>
> , \ # + < > ; " =
>
> All LDAP API's properly escape these characters. However, ADSI does not know
> how to handle the "/" character, so ADSI methods also require this character
> to be escaped. When you bind to an object in VBScript (or VB) you invoke
> IADs interfaces provided by ADSI. If a utility like adfind uses LDAP API's,
> it should escape the characters required in AD, but not "/".
>
> For some reason dsquery only escapes the characters "," and "\". I have no
> explanation for that, except they are the most common characters requiring
> it. I would think this behaviour is a bug.
>
> Bottom line, in VBScript the only character I need to worry about is the "/"
> character. All others will be properly escaped, unless I manually enter the
> DN. Actually, you can see this using ADSI Edit. While ADUC will show you a
> user with Common Name "Last, First", in ADSI Edit you will see the value of
> the cn attribute is actually "Last\, First". You can also see that "/" is
> not escaped in AD, but a VBScript program will raise an error if the ADsPath
> does not have this character escaped.
>
> I'm not sure in what environment you create your LDAP queries. In VBScript I
> use ADO and the resulting recordsets always escape all characters that AD
> requires to be escaped. However, because ADSI requires that "/" also be
> escaped, I replace "/" with "\/" before binding to an object with the DN (or
> ADsPath or cn) retrieved from the ADO recordset. The same goes for DN values
> retrieved using IADsNameTranslate.
>
> I hope I haven't confused you further.
>
> --
> Richard Mueller
> MVP Directory Services
> Hilltop Lab - http://www.rlmueller.net
> --
>
> "UselessUser" <UselessUser@xxxxxx> wrote in message
> news:8FEB1584-1DDC-43E3-8C56-8934C295A4F1@xxxxxx
> > Hi again!
> >
> > I appreciate your testing efforts to clarify the situation. However I am now
> > a tad confused by what you mean by this:
> >
> > "It does not escape the following characters that require it in VBScript (and
> > ADSI):"
> >
> > "AD and LDAP do not require that "/" be escaped, but ADSI does"
> >
> > Do you mean if I wrote a standard LDAP query or filter I would not need to
> > escape the / (Or any of the other characters for that matter) but in vbscript
> > (Which is the method of using ADSI) I do? Is it vbscript that is taking the
> > characters out or the method I am attempting to implement?
> >
> > Sorry I think I have got a bit lost in the terminology...
> >
> > Thanks again!
> >
> > "Richard Mueller [MVP]" wrote:
> >
> >> I don't use dsquery, so didn't realize it has this problem. In my test
> >> domain I find that dsquery properly escapes the following characters:
> >>
> >> , \
> >>
> >> It does not escape the following characters that require it in VBScript (and
> >> ADSI):
> >>
> >> # + < > ; " = /
> >>
> >> I find that ADO, NameTranslate, and AD object attributes and methods (like
> >> the member and memberOf multi-valued attributes, and the Members method of
> >> groups and the Groups method of users) return DN values properly escaped,
> >> except that the "/" character is never escaped. AD and LDAP do not require
> >> that "/" be escaped, but ADSI does. These characters should be rare, and
> >> it's easy to recommend that they not be used, but the fact is they are
> >> allowed in AD.
> >>
> >> I also note that Joe Richards' free adfind utility properly escapes all
> >> characters required by AD and LDAP. Again, it does not escape "/" because
> >> escaping that character is only required by ADSI. If you want to try adfind,
> >> which is easier to use and more powerful, see this link:
> >>
> >> http://www.joeware.net/freetools/tools/adfind/index.htm
> >>
> >> If you use Joe Richards' free admod utility, it should work great with
> >> adfind. Since Joe does not use ADSI, admod does not require that "/" be
> >> escaped:
> >>
> >> http://www.joeware.net/freetools/tools/admod/index.htm
> >>
> >> In all of my VBScript programs I try to remember to replace "/" with "\/"
> >> when I retrieve DN values before I use the value to bind. I may be the only
> >> nutty person to use these characters, but I don't want my scripts to fail
> >> for crazy reasons just because someone uses a perfectly valid character.
> >>
> >> --
> >> Richard Mueller
> >> MVP Directory Services
> >> Hilltop Lab - http://www.rlmueller.net
> >> --
>
>
>
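
An added example (not code from any poster in this thread) of the escaping discussed above: it turns one line of dsquery output into a DN that an ADSI bind accepts. It assumes, as the thread reports, that dsquery wraps each DN in double quotes and escapes only "," and "\"; the function name DsqueryLineToAdsiDN and the sample DNs are constructed for illustration.

```vbscript
Option Explicit

' Characters the thread lists as needing "\" for ADSI that dsquery leaves
' bare. "," and "\" are omitted because dsquery already escapes those.
Const NEEDS_ESCAPE = "#+<>;""=/"

' Convert one line of dsquery output into a DN that ADSI will bind to.
' Assumes single-valued RDNs (no "+" joining two attributes in one RDN).
Function DsqueryLineToAdsiDN(strLine)
    Dim strDN, strOut, ch, i, blnInValue
    strDN = Trim(strLine)
    ' dsquery wraps each DN in double quotes; strip that outer pair only.
    If Len(strDN) >= 2 And Left(strDN, 1) = """" And Right(strDN, 1) = """" Then
        strDN = Mid(strDN, 2, Len(strDN) - 2)
    End If
    strOut = ""
    blnInValue = False
    i = 1
    Do While i <= Len(strDN)
        ch = Mid(strDN, i, 1)
        If ch = "\" Then
            ' Existing escape pair: copy both characters unchanged.
            strOut = strOut & Mid(strDN, i, 2)
            i = i + 1
        ElseIf ch = "," Then
            ' Unescaped comma ends this RDN; the next one starts with a type.
            strOut = strOut & ch
            blnInValue = False
        ElseIf Not blnInValue Then
            ' Attribute type: copy as-is; its "=" switches to value mode.
            strOut = strOut & ch
            If ch = "=" Then blnInValue = True
        ElseIf InStr(NEEDS_ESCAPE, ch) > 0 Then
            strOut = strOut & "\" & ch
        Else
            strOut = strOut & ch
        End If
        i = i + 1
    Loop
    DsqueryLineToAdsiDN = strOut
End Function

' Constructed sample lines in the shape dsquery writes to the text file.
Dim arrLines, strLine
arrLines = Array( _
    """CN=PC/01,OU=Sales/East,DC=home,DC=local""", _
    """CN=LAB\,7,OU=R+D;Test,DC=home,DC=local""", _
    "")
For Each strLine In arrLines
    If Trim(strLine) <> "" Then
        WScript.Echo "LDAP://" & DsqueryLineToAdsiDN(strLine)
    End If
Next
```

Run it with cscript to print the resulting ADsPath strings. Stripping only the outer quote pair and escaping any inner quotes keeps a name that contains " intact, unlike a blanket find-and-replace on the text file.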