Hi,

I have run a dsquery against my AD for computer accounts with a stale
password of 90 days. I now have this list of computers in a text file. I have
noted the problems with piping the output from a dsquery direct to dsmove so
I wrote a very basic vbscript (Not a good vbscripter) to read the list and do
the move.



Now before anyone replies I know I could probably have done a bind to AD and
returned the adspath worked on that but I had no idea how to work the
pwdlastset attribute to return 90 days ago (Any ideas?)... also I have seen a
for delims script which looked interesting and I shall investigate it further
but want to know whats wrong with my own script!!

Here is my script...

option explicit

dim objOU, objFSO, objFile
dim strComputerDN

const ForReading = 1
set objOU = GetObject("LDAP://ou=Disabled,dc=home,dc=local")

set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFile = objFSO.OpenTextFile("C:\scripts\Computers.txt", ForReading)

Do Until objFile.AtEndOfStream
strComputerDN = objFile.ReadLine
objOU.MoveHere "LDAP://" & strComputerDN, vbNullString
Loop

wscript.echo "All Computers Moved"

To get this to work I had to do a find and replace on the text file to
remove the " marks also... (Why is this?)

Now this worked fine and moved all computers except 2. I discovered that
these two computers had a distinguished name which contained two instances of
the / character. I renamed the 2 OU's in question to not contain / (replaced
them with a -) and edited my computers text file to put the - in and it runs
fine..

So my question is... I am not sure what the problem is with the slashes in
the DN and would binding to the adspath have caused the same issue?

"UselessUser" <UselessUser@xxxxxx> wrote in message
news:86D8D269-6620-4142-A7FF-5CAC72F4A2B6@xxxxxx

> Hi,
>
> I have run a dsquery against my AD for computer accounts with a stale
> password of 90 days. I now have this list of computers in a text file. I
> have
> noted the problems with piping the output from a dsquery direct to dsmove
> so
> I wrote a very basic vbscript (Not a good vbscripter) to read the list and
> do
> the move.
>
> Now before anyone replies I know I could probably have done a bind to AD
> and
> returned the adspath worked on that but I had no idea how to work the
> pwdlastset attribute to return 90 days ago (Any ideas?)... also I have
> seen a
> for delims script which looked interesting and I shall investigate it
> further
> but want to know whats wrong with my own script!!
>
> Here is my script...
>
> option explicit
>
> dim objOU, objFSO, objFile
> dim strComputerDN
>
> const ForReading = 1
> set objOU = GetObject("LDAP://ou=Disabled,dc=home,dc=local")
>
> set objFSO = CreateObject("Scripting.FileSystemObject")
> Set objFile = objFSO.OpenTextFile("C:\scripts\Computers.txt", ForReading)
>
> Do Until objFile.AtEndOfStream
> strComputerDN = objFile.ReadLine
> objOU.MoveHere "LDAP://" & strComputerDN, vbNullString
> Loop
>
> wscript.echo "All Computers Moved"
>
> To get this to work I had to do a find and replace on the text file to
> remove the " marks also... (Why is this?)
>
> Now this worked fine and moved all computers except 2. I discovered that
> these two computers had a distinguished name which contained two instances
> of
> the / character. I renamed the 2 OU's in question to not contain /
> (replaced
> them with a -) and edited my computers text file to put the - in and it
> runs
> fine..
>
> So my question is... I am not sure what the problem is with the slashes in
> the DN and would binding to the adspath have caused the same issue?

As you have discovered, double quotes and forward slashes in DN values need
special handling. However, they can be escaped with the backslash, "\",
escape character. See this link for details, and a list of all characters
that need to be escaped:

http://www.rlmueller.net/CharactersEscaped.htm

For Example:
======
Do Until objFile.AtEndOfStream
strComputerDN = Trim(objFile.ReadLine)
If (strComputerDN <> = "") Then
strComputerDN = Replace(strComputerDN, """", "\""")
strComputerDN = Replace(strComputerDN, "/", "\/")
objOU.MoveHere "LDAP://" & strComputerDN, vbNullString
End If
Loop
====
I Trim blanks and skip blank lines, since it is so easy to have a blank line
at the end of a text file. Notice that the " character must be doubled
inside a quoted string. However, I'm surprised that your list of computer
DN's does not already escape the " character. Did you manually create the
list? Most ADSI methods display DN values with all of the characters
escaped, except the forward slash character, "/". I find this is the only
character I need to escape in my VBScript programs.

I have an example VBScript program that disables and moves computer objects
where the password as not been changed in a specified number of days. The
program is linked here:

http://www.rlmueller.net/MoveOldComputers.htm

The program demonstrates how to handle the pwdLastSet attribute. It uses ADO
to retrieve computer DN values. ADO escapes all characters except the "/".
The program includes a line to replace "/" with "\/". Details on converting
Integer8 attributes like pwdLastSet to date/time values linked here:

http://www.rlmueller.net/Integer8Attributes.htm

Finally, to find unused computer objects and deal with them, I recommend Joe
Richards' free oldcmp utility:

http://www.joeware.net/freetools/tools/oldcmp/index.htm

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--

Hi Richard,

Thanks for your prompt reply. I shall read your links and make changes
accordingly, thank you very much!

I obtained the list simply by running the following:

dsquery computer -stalepwd 90 limit 0 > C:\computers.txt

I then opened it up in notepad and did a F+R on " to nothing.

So clearly dsquery just returns the DN without making any changes...

To be honest I am little disappointed with the ds suite as they seem to be a
simply brilliant idea and the information they give is fast and accurate
however when it comes to wanting to do the simplest things with the gained
information ie a dsquery piped into a dsmove, they just fall over with no
readily apparent explanation.

But at least we have people like you on the forums...

Thanks again

"Richard Mueller [MVP]" wrote:

>
> "UselessUser" <UselessUser@xxxxxx> wrote in message
> news:86D8D269-6620-4142-A7FF-5CAC72F4A2B6@xxxxxx

> > Hi,
> >
> > I have run a dsquery against my AD for computer accounts with a stale
> > password of 90 days. I now have this list of computers in a text file. I
> > have
> > noted the problems with piping the output from a dsquery direct to dsmove
> > so
> > I wrote a very basic vbscript (Not a good vbscripter) to read the list and
> > do
> > the move.
> >
> > Now before anyone replies I know I could probably have done a bind to AD
> > and
> > returned the adspath worked on that but I had no idea how to work the
> > pwdlastset attribute to return 90 days ago (Any ideas?)... also I have
> > seen a
> > for delims script which looked interesting and I shall investigate it
> > further
> > but want to know whats wrong with my own script!!
> >
> > Here is my script...
> >
> > option explicit
> >
> > dim objOU, objFSO, objFile
> > dim strComputerDN
> >
> > const ForReading = 1
> > set objOU = GetObject("LDAP://ou=Disabled,dc=home,dc=local")
> >
> > set objFSO = CreateObject("Scripting.FileSystemObject")
> > Set objFile = objFSO.OpenTextFile("C:\scripts\Computers.txt", ForReading)
> >
> > Do Until objFile.AtEndOfStream
> > strComputerDN = objFile.ReadLine
> > objOU.MoveHere "LDAP://" & strComputerDN, vbNullString
> > Loop
> >
> > wscript.echo "All Computers Moved"
> >
> > To get this to work I had to do a find and replace on the text file to
> > remove the " marks also... (Why is this?)
> >
> > Now this worked fine and moved all computers except 2. I discovered that
> > these two computers had a distinguished name which contained two instances
> > of
> > the / character. I renamed the 2 OU's in question to not contain /
> > (replaced
> > them with a -) and edited my computers text file to put the - in and it
> > runs
> > fine..
> >
> > So my question is... I am not sure what the problem is with the slashes in
> > the DN and would binding to the adspath have caused the same issue?

>
> As you have discovered, double quotes and forward slashes in DN values need
> special handling. However, they can be escaped with the backslash, "\",
> escape character. See this link for details, and a list of all characters
> that need to be escaped:
>
> http://www.rlmueller.net/CharactersEscaped.htm
>
> For Example:
> ======
> Do Until objFile.AtEndOfStream
> strComputerDN = Trim(objFile.ReadLine)
> If (strComputerDN <> = "") Then
> strComputerDN = Replace(strComputerDN, """", "\""")
> strComputerDN = Replace(strComputerDN, "/", "\/")
> objOU.MoveHere "LDAP://" & strComputerDN, vbNullString
> End If
> Loop
> ====
> I Trim blanks and skip blank lines, since it is so easy to have a blank line
> at the end of a text file. Notice that the " character must be doubled
> inside a quoted string. However, I'm surprised that your list of computer
> DN's does not already escape the " character. Did you manually create the
> list? Most ADSI methods display DN values with all of the characters
> escaped, except the forward slash character, "/". I find this is the only
> character I need to escape in my VBScript programs.
>
> I have an example VBScript program that disables and moves computer objects
> where the password as not been changed in a specified number of days. The
> program is linked here:
>
> http://www.rlmueller.net/MoveOldComputers.htm
>
> The program demonstrates how to handle the pwdLastSet attribute. It uses ADO
> to retrieve computer DN values. ADO escapes all characters except the "/".
> The program includes a line to replace "/" with "\/". Details on converting
> Integer8 attributes like pwdLastSet to date/time values linked here:
>
> http://www.rlmueller.net/Integer8Attributes.htm
>
> Finally, to find unused computer objects and deal with them, I recommend Joe
> Richards' free oldcmp utility:
>
> http://www.joeware.net/freetools/tools/oldcmp/index.htm
>
> --
> Richard Mueller
> MVP Directory Services
> Hilltop Lab - http://www.rlmueller.net
> --
>
>
>

I don't use dsquery, so didn't realize it has this problem. In my test
domain I find that dsquery properly escapes the following characters:

, \

It does not escape the following characters that require it in VBScript (and
ADSI):

# + < > ; " = /

I find that ADO, NameTranslate, and AD object attributes and methods (like
the member and memberOf multi-valued attributes, and the Members method of
groups and the Groups method of users) return DN values properly escaped,
except that the "/" character is never escaped. AD and LDAP do not require
that "/" be escaped, but ADSI does. These characters should be rare, and
it's easy to recommend that they not be used, buy the fact is they are
allowed in AD.

I also note that Joe Richards' free adfind utility properly escapes all
characters required by AD and LDAP. Again, it does not escape "/" because
escaping that character is only required by ADSI. If you want to try adfind,
which is easier to use and more powerful, see this link:

http://www.joeware.net/freetools/tools/adfind/index.htm

If you use Joe Richards' free admod utility, it should work great with
adfind. Since Joe does not use ADSI, admod does not require that "/" be
escaped:

http://www.joeware.net/freetools/tools/admod/index.htm

In all of my VBScript programs I try to remember to replace "/" with "\/"
when I retrieve DN values before I use the value to bind. I may be the only
nutty person to use these characters, but I don't want my scripts to fail
for crazy reasons just because someone uses a perfectly valid character.

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--

"UselessUser" <UselessUser@xxxxxx> wrote in message
news:F0D242E4-9663-49B7-BC7E-48F8F5D87DC5@xxxxxx

> Hi Richard,
>
> Thanks for your prompt reply. I shall read your links and make changes
> accordingly, thank you very much!
>
> I obtained the list simply by running the following:
>
> dsquery computer -stalepwd 90 limit 0 > C:\computers.txt
>
> I then opened it up in notepad and did a F+R on " to nothing.
>
> So clearly dsquery just returns the DN without making any changes...
>
> To be honest I am little disappointed with the ds suite as they seem to be
> a
> simply brilliant idea and the information they give is fast and accurate
> however when it comes to wanting to do the simplest things with the gained
> information ie a dsquery piped into a dsmove, they just fall over with no
> readily apparent explanation.
>
> But at least we have people like you on the forums...
>
> Thanks again
>
> "Richard Mueller [MVP]" wrote:
>

>>
>> "UselessUser" <UselessUser@xxxxxx> wrote in message
>> news:86D8D269-6620-4142-A7FF-5CAC72F4A2B6@xxxxxx

>> > Hi,
>> >
>> > I have run a dsquery against my AD for computer accounts with a stale
>> > password of 90 days. I now have this list of computers in a text file.
>> > I
>> > have
>> > noted the problems with piping the output from a dsquery direct to
>> > dsmove
>> > so
>> > I wrote a very basic vbscript (Not a good vbscripter) to read the list
>> > and
>> > do
>> > the move.
>> >
>> > Now before anyone replies I know I could probably have done a bind to
>> > AD
>> > and
>> > returned the adspath worked on that but I had no idea how to work the
>> > pwdlastset attribute to return 90 days ago (Any ideas?)... also I have
>> > seen a
>> > for delims script which looked interesting and I shall investigate it
>> > further
>> > but want to know whats wrong with my own script!!
>> >
>> > Here is my script...
>> >
>> > option explicit
>> >
>> > dim objOU, objFSO, objFile
>> > dim strComputerDN
>> >
>> > const ForReading = 1
>> > set objOU = GetObject("LDAP://ou=Disabled,dc=home,dc=local")
>> >
>> > set objFSO = CreateObject("Scripting.FileSystemObject")
>> > Set objFile = objFSO.OpenTextFile("C:\scripts\Computers.txt",
>> > ForReading)
>> >
>> > Do Until objFile.AtEndOfStream
>> > strComputerDN = objFile.ReadLine
>> > objOU.MoveHere "LDAP://" & strComputerDN, vbNullString
>> > Loop
>> >
>> > wscript.echo "All Computers Moved"
>> >
>> > To get this to work I had to do a find and replace on the text file to
>> > remove the " marks also... (Why is this?)
>> >
>> > Now this worked fine and moved all computers except 2. I discovered
>> > that
>> > these two computers had a distinguished name which contained two
>> > instances
>> > of
>> > the / character. I renamed the 2 OU's in question to not contain /
>> > (replaced
>> > them with a -) and edited my computers text file to put the - in and it
>> > runs
>> > fine..
>> >
>> > So my question is... I am not sure what the problem is with the slashes
>> > in
>> > the DN and would binding to the adspath have caused the same issue?

>>
>> As you have discovered, double quotes and forward slashes in DN values
>> need
>> special handling. However, they can be escaped with the backslash, "\",
>> escape character. See this link for details, and a list of all characters
>> that need to be escaped:
>>
>> http://www.rlmueller.net/CharactersEscaped.htm
>>
>> For Example:
>> ======
>> Do Until objFile.AtEndOfStream
>> strComputerDN = Trim(objFile.ReadLine)
>> If (strComputerDN <> = "") Then
>> strComputerDN = Replace(strComputerDN, """", "\""")
>> strComputerDN = Replace(strComputerDN, "/", "\/")
>> objOU.MoveHere "LDAP://" & strComputerDN, vbNullString
>> End If
>> Loop
>> ====
>> I Trim blanks and skip blank lines, since it is so easy to have a blank
>> line
>> at the end of a text file. Notice that the " character must be doubled
>> inside a quoted string. However, I'm surprised that your list of computer
>> DN's does not already escape the " character. Did you manually create the
>> list? Most ADSI methods display DN values with all of the characters
>> escaped, except the forward slash character, "/". I find this is the only
>> character I need to escape in my VBScript programs.
>>
>> I have an example VBScript program that disables and moves computer
>> objects
>> where the password as not been changed in a specified number of days. The
>> program is linked here:
>>
>> http://www.rlmueller.net/MoveOldComputers.htm
>>
>> The program demonstrates how to handle the pwdLastSet attribute. It uses
>> ADO
>> to retrieve computer DN values. ADO escapes all characters except the
>> "/".
>> The program includes a line to replace "/" with "\/". Details on
>> converting
>> Integer8 attributes like pwdLastSet to date/time values linked here:
>>
>> http://www.rlmueller.net/Integer8Attributes.htm
>>
>> Finally, to find unused computer objects and deal with them, I recommend
>> Joe
>> Richards' free oldcmp utility:
>>
>> http://www.joeware.net/freetools/tools/oldcmp/index.htm
>>
>> --
>> Richard Mueller
>> MVP Directory Services
>> Hilltop Lab - http://www.rlmueller.net
>> --
>>
>>
>>

Hi again!

I appreciate your testing efforts to clarify the situation. However I am now
a tad confused by what you mean by this:

"It does not escape the following characters that require it in VBScript (and
ADSI):"

"AD and LDAP do not require that "/" be escaped, but ADSI does"

Do you mean if I wrote a standard LDAP query or filter I would not need to
escape the / (Or any of the other characters for that matter) but in vbscript
(Which is the method of using ADSI) I do? Is it vbscript that is taking the
characters out or the method I am attempting to implement?

Sorry I think I have got a bit lost in the terminology...

Thanks again!

"Richard Mueller [MVP]" wrote:

> I don't use dsquery, so didn't realize it has this problem. In my test
> domain I find that dsquery properly escapes the following characters:
>
> , \
>
> It does not escape the following characters that require it in VBScript (and
> ADSI):
>
> # + < > ; " = /
>
> I find that ADO, NameTranslate, and AD object attributes and methods (like
> the member and memberOf multi-valued attributes, and the Members method of
> groups and the Groups method of users) return DN values properly escaped,
> except that the "/" character is never escaped. AD and LDAP do not require
> that "/" be escaped, but ADSI does. These characters should be rare, and
> it's easy to recommend that they not be used, buy the fact is they are
> allowed in AD.
>
> I also note that Joe Richards' free adfind utility properly escapes all
> characters required by AD and LDAP. Again, it does not escape "/" because
> escaping that character is only required by ADSI. If you want to try adfind,
> which is easier to use and more powerful, see this link:
>
> http://www.joeware.net/freetools/tools/adfind/index.htm
>
> If you use Joe Richards' free admod utility, it should work great with
> adfind. Since Joe does not use ADSI, admod does not require that "/" be
> escaped:
>
> http://www.joeware.net/freetools/tools/admod/index.htm
>
> In all of my VBScript programs I try to remember to replace "/" with "\/"
> when I retrieve DN values before I use the value to bind. I may be the only
> nutty person to use these characters, but I don't want my scripts to fail
> for crazy reasons just because someone uses a perfectly valid character.
>
> --
> Richard Mueller
> MVP Directory Services
> Hilltop Lab - http://www.rlmueller.net
> --
>
> "UselessUser" <UselessUser@xxxxxx> wrote in message
> news:F0D242E4-9663-49B7-BC7E-48F8F5D87DC5@xxxxxx

> > Hi Richard,
> >
> > Thanks for your prompt reply. I shall read your links and make changes
> > accordingly, thank you very much!
> >
> > I obtained the list simply by running the following:
> >
> > dsquery computer -stalepwd 90 limit 0 > C:\computers.txt
> >
> > I then opened it up in notepad and did a F+R on " to nothing.
> >
> > So clearly dsquery just returns the DN without making any changes...
> >
> > To be honest I am little disappointed with the ds suite as they seem to be
> > a
> > simply brilliant idea and the information they give is fast and accurate
> > however when it comes to wanting to do the simplest things with the gained
> > information ie a dsquery piped into a dsmove, they just fall over with no
> > readily apparent explanation.
> >
> > But at least we have people like you on the forums...
> >
> > Thanks again
> >
> > "Richard Mueller [MVP]" wrote:
> >

> >>
> >> "UselessUser" <UselessUser@xxxxxx> wrote in message
> >> news:86D8D269-6620-4142-A7FF-5CAC72F4A2B6@xxxxxx
> >> > Hi,
> >> >
> >> > I have run a dsquery against my AD for computer accounts with a stale
> >> > password of 90 days. I now have this list of computers in a text file.
> >> > I
> >> > have
> >> > noted the problems with piping the output from a dsquery direct to
> >> > dsmove
> >> > so
> >> > I wrote a very basic vbscript (Not a good vbscripter) to read the list
> >> > and
> >> > do
> >> > the move.
> >> >
> >> > Now before anyone replies I know I could probably have done a bind to
> >> > AD
> >> > and
> >> > returned the adspath worked on that but I had no idea how to work the
> >> > pwdlastset attribute to return 90 days ago (Any ideas?)... also I have
> >> > seen a
> >> > for delims script which looked interesting and I shall investigate it
> >> > further
> >> > but want to know whats wrong with my own script!!
> >> >
> >> > Here is my script...
> >> >
> >> > option explicit
> >> >
> >> > dim objOU, objFSO, objFile
> >> > dim strComputerDN
> >> >
> >> > const ForReading = 1
> >> > set objOU = GetObject("LDAP://ou=Disabled,dc=home,dc=local")
> >> >
> >> > set objFSO = CreateObject("Scripting.FileSystemObject")
> >> > Set objFile = objFSO.OpenTextFile("C:\scripts\Computers.txt",
> >> > ForReading)
> >> >
> >> > Do Until objFile.AtEndOfStream
> >> > strComputerDN = objFile.ReadLine
> >> > objOU.MoveHere "LDAP://" & strComputerDN, vbNullString
> >> > Loop
> >> >
> >> > wscript.echo "All Computers Moved"
> >> >
> >> > To get this to work I had to do a find and replace on the text file to
> >> > remove the " marks also... (Why is this?)
> >> >
> >> > Now this worked fine and moved all computers except 2. I discovered
> >> > that
> >> > these two computers had a distinguished name which contained two
> >> > instances
> >> > of
> >> > the / character. I renamed the 2 OU's in question to not contain /
> >> > (replaced
> >> > them with a -) and edited my computers text file to put the - in and it
> >> > runs
> >> > fine..
> >> >
> >> > So my question is... I am not sure what the problem is with the slashes
> >> > in
> >> > the DN and would binding to the adspath have caused the same issue?
> >>
> >> As you have discovered, double quotes and forward slashes in DN values
> >> need
> >> special handling. However, they can be escaped with the backslash, "\",
> >> escape character. See this link for details, and a list of all characters
> >> that need to be escaped:
> >>
> >> http://www.rlmueller.net/CharactersEscaped.htm
> >>
> >> For Example:
> >> ======
> >> Do Until objFile.AtEndOfStream
> >> strComputerDN = Trim(objFile.ReadLine)
> >> If (strComputerDN <> = "") Then
> >> strComputerDN = Replace(strComputerDN, """", "\""")
> >> strComputerDN = Replace(strComputerDN, "/", "\/")
> >> objOU.MoveHere "LDAP://" & strComputerDN, vbNullString
> >> End If
> >> Loop
> >> ====
> >> I Trim blanks and skip blank lines, since it is so easy to have a blank
> >> line
> >> at the end of a text file. Notice that the " character must be doubled
> >> inside a quoted string. However, I'm surprised that your list of computer
> >> DN's does not already escape the " character. Did you manually create the
> >> list? Most ADSI methods display DN values with all of the characters
> >> escaped, except the forward slash character, "/". I find this is the only
> >> character I need to escape in my VBScript programs.
> >>
> >> I have an example VBScript program that disables and moves computer
> >> objects
> >> where the password as not been changed in a specified number of days. The
> >> program is linked here:
> >>
> >> http://www.rlmueller.net/MoveOldComputers.htm
> >>
> >> The program demonstrates how to handle the pwdLastSet attribute. It uses
> >> ADO
> >> to retrieve computer DN values. ADO escapes all characters except the
> >> "/".
> >> The program includes a line to replace "/" with "\/". Details on
> >> converting
> >> Integer8 attributes like pwdLastSet to date/time values linked here:
> >>
> >> http://www.rlmueller.net/Integer8Attributes.htm
> >>
> >> Finally, to find unused computer objects and deal with them, I recommend
> >> Joe
> >> Richards' free oldcmp utility:
> >>
> >> http://www.joeware.net/freetools/tools/oldcmp/index.htm
> >>
> >> --
> >> Richard Mueller
> >> MVP Directory Services
> >> Hilltop Lab - http://www.rlmueller.net
> >> --
> >>
> >>
> >>

>
>
>

What I am told is that the only characters that must be escaped in AD are:

, \ # + < > ; " =

All LDAP API's properly escape these characters. However, ADSI does not know
how to handle the "/" character, so ADSI methods also require this character
to be escaped. When you bind to an object in VBScript (or VB) you invoke
IADs interfaces provided by ADSI. If a utility like adfind uses LDAP API's,
it should escape the characters required in AD, but not "/".

For some reason dsquery only escapes the characters "," and "\". I have no
explanation for that, except they are the most common characters requiring
it. I would think this behaviour is a bug.

Bottom line, in VBScript the only character I need to worry about is the "/"
character. All others will be properly escaped, unless I manually enter the
DN. Actually, you can see this using ADSI Edit. While ADUC will show you a
user with Common Name "Last, First", in ADSI Edit you will see the value of
the cn attribute is actually "Last\, First". You can also see that "/" is
not escaped in AD, but a VBScript program will raise an error if the ADsPath
does not have this character escaped.

I'm not sure in what environment you create your LDAP queries. In VBScript I
use ADO and the resulting recordsets always escape all characters that AD
requires to be escaped. However, because ADSI requires that "/" also be
escaped, I replace "/" with "\/" before binding to an object with the DN (or
ADsPath or cn) retrieved from the ADO recordset. The same goes for DN values
retrieved using IADsNameTranslate.

I hope I haven't confused you further.

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--

"UselessUser" <UselessUser@xxxxxx> wrote in message
news:8FEB1584-1DDC-43E3-8C56-8934C295A4F1@xxxxxx

> Hi again!
>
> I appreciate your testing efforts to clarify the situation. However I am
> now
> a tad confused by what you mean by this:
>
> "It does not escape the following characters that require it in VBScript
> (and
> ADSI):"
>
> "AD and LDAP do not require that "/" be escaped, but ADSI does"
>
> Do you mean if I wrote a standard LDAP query or filter I would not need to
> escape the / (Or any of the other characters for that matter) but in
> vbscript
> (Which is the method of using ADSI) I do? Is it vbscript that is taking
> the
> characters out or the method I am attempting to implement?
>
> Sorry I think I have got a bit lost in the terminology...
>
> Thanks again!
>
> "Richard Mueller [MVP]" wrote:
>

>> I don't use dsquery, so didn't realize it has this problem. In my test
>> domain I find that dsquery properly escapes the following characters:
>>
>> , \
>>
>> It does not escape the following characters that require it in VBScript
>> (and
>> ADSI):
>>
>> # + < > ; " = /
>>
>> I find that ADO, NameTranslate, and AD object attributes and methods
>> (like
>> the member and memberOf multi-valued attributes, and the Members method
>> of
>> groups and the Groups method of users) return DN values properly escaped,
>> except that the "/" character is never escaped. AD and LDAP do not
>> require
>> that "/" be escaped, but ADSI does. These characters should be rare, and
>> it's easy to recommend that they not be used, buy the fact is they are
>> allowed in AD.
>>
>> I also note that Joe Richards' free adfind utility properly escapes all
>> characters required by AD and LDAP. Again, it does not escape "/" because
>> escaping that character is only required by ADSI. If you want to try
>> adfind,
>> which is easier to use and more powerful, see this link:
>>
>> http://www.joeware.net/freetools/tools/adfind/index.htm
>>
>> If you use Joe Richards' free admod utility, it should work great with
>> adfind. Since Joe does not use ADSI, admod does not require that "/" be
>> escaped:
>>
>> http://www.joeware.net/freetools/tools/admod/index.htm
>>
>> In all of my VBScript programs I try to remember to replace "/" with "\/"
>> when I retrieve DN values before I use the value to bind. I may be the
>> only
>> nutty person to use these characters, but I don't want my scripts to fail
>> for crazy reasons just because someone uses a perfectly valid character.
>>
>> --
>> Richard Mueller
>> MVP Directory Services
>> Hilltop Lab - http://www.rlmueller.net
>> --
>>
>> "UselessUser" <UselessUser@xxxxxx> wrote in message
>> news:F0D242E4-9663-49B7-BC7E-48F8F5D87DC5@xxxxxx

>> > Hi Richard,
>> >
>> > Thanks for your prompt reply. I shall read your links and make changes
>> > accordingly, thank you very much!
>> >
>> > I obtained the list simply by running the following:
>> >
>> > dsquery computer -stalepwd 90 limit 0 > C:\computers.txt
>> >
>> > I then opened it up in notepad and did a F+R on " to nothing.
>> >
>> > So clearly dsquery just returns the DN without making any changes...
>> >
>> > To be honest I am little disappointed with the ds suite as they seem to
>> > be
>> > a
>> > simply brilliant idea and the information they give is fast and
>> > accurate
>> > however when it comes to wanting to do the simplest things with the
>> > gained
>> > information ie a dsquery piped into a dsmove, they just fall over with
>> > no
>> > readily apparent explanation.
>> >
>> > But at least we have people like you on the forums...
>> >
>> > Thanks again
>> >
>> > "Richard Mueller [MVP]" wrote:
>> >
>> >>
>> >> "UselessUser" <UselessUser@xxxxxx> wrote in message
>> >> news:86D8D269-6620-4142-A7FF-5CAC72F4A2B6@xxxxxx
>> >> > Hi,
>> >> >
>> >> > I have run a dsquery against my AD for computer accounts with a
>> >> > stale
>> >> > password of 90 days. I now have this list of computers in a text
>> >> > file.
>> >> > I
>> >> > have
>> >> > noted the problems with piping the output from a dsquery direct to
>> >> > dsmove
>> >> > so
>> >> > I wrote a very basic vbscript (Not a good vbscripter) to read the
>> >> > list
>> >> > and
>> >> > do
>> >> > the move.
>> >> >
>> >> > Now before anyone replies I know I could probably have done a bind
>> >> > to
>> >> > AD
>> >> > and
>> >> > returned the adspath worked on that but I had no idea how to work
>> >> > the
>> >> > pwdlastset attribute to return 90 days ago (Any ideas?)... also I
>> >> > have
>> >> > seen a
>> >> > for delims script which looked interesting and I shall investigate
>> >> > it
>> >> > further
>> >> > but want to know whats wrong with my own script!!
>> >> >
>> >> > Here is my script...
>> >> >
>> >> > option explicit
>> >> >
>> >> > dim objOU, objFSO, objFile
>> >> > dim strComputerDN
>> >> >
>> >> > const ForReading = 1
>> >> > set objOU = GetObject("LDAP://ou=Disabled,dc=home,dc=local")
>> >> >
>> >> > set objFSO = CreateObject("Scripting.FileSystemObject")
>> >> > Set objFile = objFSO.OpenTextFile("C:\scripts\Computers.txt",
>> >> > ForReading)
>> >> >
>> >> > Do Until objFile.AtEndOfStream
>> >> > strComputerDN = objFile.ReadLine
>> >> > objOU.MoveHere "LDAP://" & strComputerDN, vbNullString
>> >> > Loop
>> >> >
>> >> > wscript.echo "All Computers Moved"
>> >> >
>> >> > To get this to work I had to do a find and replace on the text file
>> >> > to
>> >> > remove the " marks also... (Why is this?)
>> >> >
>> >> > Now this worked fine and moved all computers except 2. I discovered
>> >> > that
>> >> > these two computers had a distinguished name which contained two
>> >> > instances
>> >> > of
>> >> > the / character. I renamed the 2 OU's in question to not contain /
>> >> > (replaced
>> >> > them with a -) and edited my computers text file to put the - in and
>> >> > it
>> >> > runs
>> >> > fine..
>> >> >
>> >> > So my question is... I am not sure what the problem is with the
>> >> > slashes
>> >> > in
>> >> > the DN and would binding to the adspath have caused the same issue?
>> >>
>> >> As you have discovered, double quotes and forward slashes in DN values
>> >> need
>> >> special handling. However, they can be escaped with the backslash,
>> >> "\",
>> >> escape character. See this link for details, and a list of all
>> >> characters
>> >> that need to be escaped:
>> >>
>> >> http://www.rlmueller.net/CharactersEscaped.htm
>> >>
>> >> For Example:
>> >> ======
>> >> Do Until objFile.AtEndOfStream
>> >> strComputerDN = Trim(objFile.ReadLine)
>> >> If (strComputerDN <> = "") Then
>> >> strComputerDN = Replace(strComputerDN, """", "\""")
>> >> strComputerDN = Replace(strComputerDN, "/", "\/")
>> >> objOU.MoveHere "LDAP://" & strComputerDN, vbNullString
>> >> End If
>> >> Loop
>> >> ====
>> >> I Trim blanks and skip blank lines, since it is so easy to have a
>> >> blank
>> >> line
>> >> at the end of a text file. Notice that the " character must be doubled
>> >> inside a quoted string. However, I'm surprised that your list of
>> >> computer
>> >> DN's does not already escape the " character. Did you manually create
>> >> the
>> >> list? Most ADSI methods display DN values with all of the characters
>> >> escaped, except the forward slash character, "/". I find this is the
>> >> only
>> >> character I need to escape in my VBScript programs.
>> >>
>> >> I have an example VBScript program that disables and moves computer
>> >> objects
>> >> where the password as not been changed in a specified number of days.
>> >> The
>> >> program is linked here:
>> >>
>> >> http://www.rlmueller.net/MoveOldComputers.htm
>> >>
>> >> The program demonstrates how to handle the pwdLastSet attribute. It
>> >> uses
>> >> ADO
>> >> to retrieve computer DN values. ADO escapes all characters except the
>> >> "/".
>> >> The program includes a line to replace "/" with "\/". Details on
>> >> converting
>> >> Integer8 attributes like pwdLastSet to date/time values linked here:
>> >>
>> >> http://www.rlmueller.net/Integer8Attributes.htm
>> >>
>> >> Finally, to find unused computer objects and deal with them, I
>> >> recommend
>> >> Joe
>> >> Richards' free oldcmp utility:
>> >>
>> >> http://www.joeware.net/freetools/tools/oldcmp/index.htm
>> >>
>> >> --
>> >> Richard Mueller
>> >> MVP Directory Services
>> >> Hilltop Lab - http://www.rlmueller.net
>> >> --
>> >>
>> >>
>> >>

>>
>>
>>

Hi

Thank you very much I believe I finally understand!

Thanks for everything!

"Richard Mueller [MVP]" wrote:

> What I am told is that the only characters that must be escaped in AD are:
>
> , \ # + < > ; " =
>
> All LDAP API's properly escape these characters. However, ADSI does not know
> how to handle the "/" character, so ADSI methods also require this character
> to be escaped. When you bind to an object in VBScript (or VB) you invoke
> IADs interfaces provided by ADSI. If a utility like adfind uses LDAP API's,
> it should escape the characters required in AD, but not "/".
>
> For some reason dsquery only escapes the characters "," and "\". I have no
> explanation for that, except they are the most common characters requiring
> it. I would think this behaviour is a bug.
>
> Bottom line, in VBScript the only character I need to worry about is the "/"
> character. All others will be properly escaped, unless I manually enter the
> DN. Actually, you can see this using ADSI Edit. While ADUC will show you a
> user with Common Name "Last, First", in ADSI Edit you will see the value of
> the cn attribute is actually "Last\, First". You can also see that "/" is
> not escaped in AD, but a VBScript program will raise an error if the ADsPath
> does not have this character escaped.
>
> I'm not sure in what environment you create your LDAP queries. In VBScript I
> use ADO and the resulting recordsets always escape all characters that AD
> requires to be escaped. However, because ADSI requires that "/" also be
> escaped, I replace "/" with "\/" before binding to an object with the DN (or
> ADsPath or cn) retrieved from the ADO recordset. The same goes for DN values
> retrieved using IADsNameTranslate.
>
> I hope I haven't confused you further.
>
> --
> Richard Mueller
> MVP Directory Services
> Hilltop Lab - http://www.rlmueller.net
> --
>
> "UselessUser" <UselessUser@xxxxxx> wrote in message
> news:8FEB1584-1DDC-43E3-8C56-8934C295A4F1@xxxxxx

> > Hi again!
> >
> > I appreciate your testing efforts to clarify the situation. However I am
> > now
> > a tad confused by what you mean by this:
> >
> > "It does not escape the following characters that require it in VBScript
> > (and
> > ADSI):"
> >
> > "AD and LDAP do not require that "/" be escaped, but ADSI does"
> >
> > Do you mean if I wrote a standard LDAP query or filter I would not need to
> > escape the / (Or any of the other characters for that matter) but in
> > vbscript
> > (Which is the method of using ADSI) I do? Is it vbscript that is taking
> > the
> > characters out or the method I am attempting to implement?
> >
> > Sorry I think I have got a bit lost in the terminology...
> >
> > Thanks again!
> >
> > "Richard Mueller [MVP]" wrote:
> >

> >> I don't use dsquery, so didn't realize it has this problem. In my test
> >> domain I find that dsquery properly escapes the following characters:
> >>
> >> , \
> >>
> >> It does not escape the following characters that require it in VBScript
> >> (and
> >> ADSI):
> >>
> >> # + < > ; " = /
> >>
> >> I find that ADO, NameTranslate, and AD object attributes and methods
> >> (like
> >> the member and memberOf multi-valued attributes, and the Members method
> >> of
> >> groups and the Groups method of users) return DN values properly escaped,
> >> except that the "/" character is never escaped. AD and LDAP do not
> >> require
> >> that "/" be escaped, but ADSI does. These characters should be rare, and
> >> it's easy to recommend that they not be used, buy the fact is they are
> >> allowed in AD.
> >>
> >> I also note that Joe Richards' free adfind utility properly escapes all
> >> characters required by AD and LDAP. Again, it does not escape "/" because
> >> escaping that character is only required by ADSI. If you want to try
> >> adfind,
> >> which is easier to use and more powerful, see this link:
> >>
> >> http://www.joeware.net/freetools/tools/adfind/index.htm
> >>
> >> If you use Joe Richards' free admod utility, it should work great with
> >> adfind. Since Joe does not use ADSI, admod does not require that "/" be
> >> escaped:
> >>
> >> http://www.joeware.net/freetools/tools/admod/index.htm
> >>
> >> In all of my VBScript programs I try to remember to replace "/" with "\/"
> >> when I retrieve DN values before I use the value to bind. I may be the
> >> only
> >> nutty person to use these characters, but I don't want my scripts to fail
> >> for crazy reasons just because someone uses a perfectly valid character.
> >>
> >> --
> >> Richard Mueller
> >> MVP Directory Services
> >> Hilltop Lab - http://www.rlmueller.net
> >> --
> >>
> >> "UselessUser" <UselessUser@xxxxxx> wrote in message
> >> news:F0D242E4-9663-49B7-BC7E-48F8F5D87DC5@xxxxxx
> >> > Hi Richard,
> >> >
> >> > Thanks for your prompt reply. I shall read your links and make changes
> >> > accordingly, thank you very much!
> >> >
> >> > I obtained the list simply by running the following:
> >> >
> >> > dsquery computer -stalepwd 90 limit 0 > C:\computers.txt
> >> >
> >> > I then opened it up in notepad and did a F+R on " to nothing.
> >> >
> >> > So clearly dsquery just returns the DN without making any changes...
> >> >
> >> > To be honest I am little disappointed with the ds suite as they seem to
> >> > be
> >> > a
> >> > simply brilliant idea and the information they give is fast and
> >> > accurate
> >> > however when it comes to wanting to do the simplest things with the
> >> > gained
> >> > information ie a dsquery piped into a dsmove, they just fall over with
> >> > no
> >> > readily apparent explanation.
> >> >
> >> > But at least we have people like you on the forums...
> >> >
> >> > Thanks again
> >> >
> >> > "Richard Mueller [MVP]" wrote:
> >> >
> >> >>
> >> >> "UselessUser" <UselessUser@xxxxxx> wrote in message
> >> >> news:86D8D269-6620-4142-A7FF-5CAC72F4A2B6@xxxxxx
> >> >> > Hi,
> >> >> >
> >> >> > I have run a dsquery against my AD for computer accounts with a
> >> >> > stale
> >> >> > password of 90 days. I now have this list of computers in a text
> >> >> > file.
> >> >> > I
> >> >> > have
> >> >> > noted the problems with piping the output from a dsquery direct to
> >> >> > dsmove
> >> >> > so
> >> >> > I wrote a very basic vbscript (Not a good vbscripter) to read the
> >> >> > list
> >> >> > and
> >> >> > do
> >> >> > the move.
> >> >> >
> >> >> > Now before anyone replies I know I could probably have done a bind
> >> >> > to
> >> >> > AD
> >> >> > and
> >> >> > returned the adspath worked on that but I had no idea how to work
> >> >> > the
> >> >> > pwdlastset attribute to return 90 days ago (Any ideas?)... also I
> >> >> > have
> >> >> > seen a
> >> >> > for delims script which looked interesting and I shall investigate
> >> >> > it
> >> >> > further
> >> >> > but want to know whats wrong with my own script!!
> >> >> >
> >> >> > Here is my script...
> >> >> >
> >> >> > option explicit
> >> >> >
> >> >> > dim objOU, objFSO, objFile
> >> >> > dim strComputerDN
> >> >> >
> >> >> > const ForReading = 1
> >> >> > set objOU = GetObject("LDAP://ou=Disabled,dc=home,dc=local")
> >> >> >
> >> >> > set objFSO = CreateObject("Scripting.FileSystemObject")
> >> >> > Set objFile = objFSO.OpenTextFile("C:\scripts\Computers.txt",
> >> >> > ForReading)
> >> >> >
> >> >> > Do Until objFile.AtEndOfStream
> >> >> > strComputerDN = objFile.ReadLine
> >> >> > objOU.MoveHere "LDAP://" & strComputerDN, vbNullString
> >> >> > Loop
> >> >> >
> >> >> > wscript.echo "All Computers Moved"
> >> >> >
> >> >> > To get this to work I had to do a find and replace on the text file
> >> >> > to
> >> >> > remove the " marks also... (Why is this?)
> >> >> >
> >> >> > Now this worked fine and moved all computers except 2. I discovered
> >> >> > that
> >> >> > these two computers had a distinguished name which contained two
> >> >> > instances
> >> >> > of
> >> >> > the / character. I renamed the 2 OU's in question to not contain /
> >> >> > (replaced
> >> >> > them with a -) and edited my computers text file to put the - in and
> >> >> > it
> >> >> > runs
> >> >> > fine..
> >> >> >
> >> >> > So my question is... I am not sure what the problem is with the
> >> >> > slashes
> >> >> > in
> >> >> > the DN and would binding to the adspath have caused the same issue?
> >> >>
> >> >> As you have discovered, double quotes and forward slashes in DN values
> >> >> need
> >> >> special handling. However, they can be escaped with the backslash,
> >> >> "\",
> >> >> escape character. See this link for details, and a list of all
> >> >> characters
> >> >> that need to be escaped:
> >> >>
> >> >> http://www.rlmueller.net/CharactersEscaped.htm
> >> >>
> >> >> For Example:
> >> >> ======
> >> >> Do Until objFile.AtEndOfStream
> >> >> strComputerDN = Trim(objFile.ReadLine)
> >> >> If (strComputerDN <> = "") Then
> >> >> strComputerDN = Replace(strComputerDN, """", "\""")
> >> >> strComputerDN = Replace(strComputerDN, "/", "\/")
> >> >> objOU.MoveHere "LDAP://" & strComputerDN, vbNullString
> >> >> End If
> >> >> Loop
> >> >> ====
> >> >> I Trim blanks and skip blank lines, since it is so easy to have a
> >> >> blank
> >> >> line
> >> >> at the end of a text file. Notice that the " character must be doubled
> >> >> inside a quoted string. However, I'm surprised that your list of
> >> >> computer
> >> >> DN's does not already escape the " character. Did you manually create
> >> >> the
> >> >> list? Most ADSI methods display DN values with all of the characters
> >> >> escaped, except the forward slash character, "/". I find this is the
> >> >> only
> >> >> character I need to escape in my VBScript programs.
> >> >>
> >> >> I have an example VBScript program that disables and moves computer
> >> >> objects
> >> >> where the password as not been changed in a specified number of days.
> >> >> The
> >> >> program is linked here:
> >> >>
> >> >> http://www.rlmueller.net/MoveOldComputers.htm
> >> >>
> >> >> The program demonstrates how to handle the pwdLastSet attribute. It
> >> >> uses
> >> >> ADO
> >> >> to retrieve computer DN values. ADO escapes all characters except the
> >> >> "/".
> >> >> The program includes a line to replace "/" with "\/". Details on
> >> >> converting
> >> >> Integer8 attributes like pwdLastSet to date/time values linked here:
> >> >>
> >> >> http://www.rlmueller.net/Integer8Attributes.htm
> >> >>
> >> >> Finally, to find unused computer objects and deal with them, I
> >> >> recommend
> >> >> Joe
> >> >> Richards' free oldcmp utility:
> >> >>
> >> >> http://www.joeware.net/freetools/tools/oldcmp/index.htm
> >> >>
> >> >> --
> >> >> Richard Mueller
> >> >> MVP Directory Services
> >> >> Hilltop Lab - http://www.rlmueller.net
> >> >> --
> >> >>
> >> >>
> >> >>
> >>
> >>
> >>

>
>
>