Vbscript equivilent to dsquery? - inactive switch question?

Forums

My Profile

Inbox

Address Book

My Subscription

My Forums

Vbscript equivilent to dsquery? - inactive switch question?

Logged in as: Guest

arrSession:exec spGetSession 2,2,61653

	Active Users: There are 0 members and 0 guests.
	Users viewing this topic: none

Printable Version

All Forums >> [Scripting] >> WSH & Client Side VBScript >> Vbscript equivilent to dsquery? - inactive switch question?
Do you like VisualBasicScript.com? Link to us and help spread the word about our forum. Thanks!

Page: [1]

Message

<< Older Topic Newer Topic >>

Vbscript equivilent to dsquery? - inactive switch quest... - 6/20/2008 12:15:47 AM

Stumpedtechy

Posts: 41
Score: 0
Joined: 11/30/2007
Status: offline

Okay I had been doing a dsquery computer OU -inactive X weeks (in this case I will say dsquery computer OU=Computers,DN=Domain,DN=Com -inactive 48). I have 2 problems 1) This query shows me enabled and disabled accounts when I only want to affect enabled computers 2) This does not pipe well to dsmove I have to use another side "tweak" to do that.

So I decided I would us VBScript to loop though a LDAP query - I know that userAccountControl of 4096 gives me all enabled accounts. This will mean all disabled accounts won't be touched/modified which is exactly what I had a problem with with my DSquery. What I want to do is find the ones that are 48 weeks old but I don't know what field in the computer account the inactive queries against. I read that pwdLastSet isn't reliable because it can be different on different controllers? What exactly does the - inactive switch on dsquery check against?

Const ADS_SCOPE_SUBTREE = 2
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand =   CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCOmmand.ActiveConnection = objConnection
objCommand.CommandText = _
   "Select Name, Location from 'LDAP://OU=ComputersL,DC=Domain,DC=Com' WHERE objectClass='computer' " & _
   "AND userAccountControl='4096'"
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Timeout") = 30
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
objCommand.Properties("Cache Results") = False
Set objRecordSet = objCommand.Execute
objRecordSet.MoveFirst
Do Until objRecordSet.EOF
'What I need to look for and run on the rest of the enabled accounts.
   objRecordSet.MoveNext
Loop

Ultimately I need to query LDAP and then LDAP query all active PC's and if the PC's are enabled and over X weeks old (in this case 48) then have it change the description field to indicate it was moved from the old "location" which I shall get from the location field then have it do a move and put it into another OU being OU=Disabled Computers,DC=Domain,DC=Com

Post #: 1

RE: Vbscript equivilent to dsquery? - inactive switch q... - 6/20/2008 1:39:42 AM

dm_4ever

Posts: 2665
Score: 46
Joined: 6/29/2006
From: Orange County, California
Status: offline

Maybe try the lastlogontimestamp or pwdlastset and see if it returns the same machines dsquery returns. I believe that the only way to get accurate info using a query is to query all DC's, get the latest date/time for each machine, and then do your comparision....or you could run you dsquery and then query those machines to see if they are disabled.

_____________________________

dm_4ever

My philosophy: K.I.S.S - Keep It Simple Stupid
Read Me: http://www.visualbasicscript.com/m_24727/tm.htm
Frequently Asked Stuff: http://www.visualbasicscript.com/m_47117/tm.htm

(in reply to Stumpedtechy)

Post #: 2

RE: Vbscript equivilent to dsquery? - inactive switch q... - 6/20/2008 5:29:27 AM

Stumpedtechy

Posts: 41
Score: 0
Joined: 11/30/2007
Status: offline

Okay I have this and it should work but its not in one spot -

' ************************************************************************
' ************************************************************************
' ***               ***
' *** This script is to be used to check all currently enabled       ***
' ***   computer accounts in the designated OU and its SubOUs for      ***
' *** old/inactive computer accounts.           ***
' *** It will check the accounts last active date vrs the date the   ***
' *** the script is ran and if the difference is over the specified ***
' ***   number of weeks it will first ping the computer and then, if   ***
' *** the ping does not reply, the script will then perform the      ***
' ***   following steps -                                              ***
' ***               ***
' *** - Put a description in the computer account indicating,         ***
' ***    Number of weeks inactive,           ***
' ***    Time and date of script run,           ***
' ***    Where the machines LDAP location was before it was moved.     ***
' *** - Disable the computer account.           ***
' *** - Move the computer account from the OU it is in to the         ***
' ***    designated disabled computer accounts OU.         ***
' ***               ***
' ***               ***
' ***   Lines to be modified -            ***
' *** strWeeks = Change this to be the number of weeks not active    ***
' ***     on the domain. Do not make this too short as        ***
' ***     traveling users might not use their machines on the ***
' ***     domain for a few weeks at a time.         ***
' *** strMainLDAP = LDAP location of the OU and SubOUs you want to   ***
' ***        scan for old inactive machine accounts.          ***
' *** strDisableLDAP = Dump location you want the disabled accounts ***
' ***                    to go into once disabled.         ***
' ***               ***
' *** WARNINGS-WARNINGS-WARNINGS-WARNINGS-WARNINGS-WARNINGS-WARNINGS ***
' *** 1) This script does not make any LDAP locations. They have to   ***
' *** already exist.             ***
' *** 2) This script will overwrite existing computer descriptions.   ***
' ***               ***
' ***               ***
' ***   Authored by: Eric Theisen           ***
' ***     Date:        February 21, 2008                               ***
' ************************************************************************
' ************************************************************************
strDate = Replace(Date,"/","-")
strTime = Replace(Time,":","-")
strWeeks = "29"
strMainLDAP = "LDAP://OU=Computer,DC=DOMAIN,DC=COM"
strDisableLDAP = "LDAP://OU=Disabled Computers,DC=Domain,DC=Com"
Const ADS_SCOPE_SUBTREE = 2
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand =   CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCOmmand.ActiveConnection = objConnection
objCommand.CommandText = _
   "Select Name, ADsPath from '"&strMainLDAP&"' WHERE objectClass='computer' " & _
   "AND userAccountControl='4096'"
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Timeout") = 30
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
objCommand.Properties("Cache Results") = False
Set objRecordSet = objCommand.Execute
objRecordSet.MoveFirst
Do Until objRecordSet.EOF
    strADsPath = objRecordSet.Fields("ADsPath").Value
strDeviceName = objRecordSet.Fields("Name").Value
Set objChange = GetObject(strADsPath)
Set objLastLogon = objChange.Get("lastLogonTimestamp")
intLastLogonTime = objLastLogon.HighPart * (2^32) _
+ objLastLogon.LowPart
intLastLogonTime = intLastLogonTime / (60 * 10000000)
intLastLogonTime = intLastLogonTime / 1440
StrTime = intLastLogonTime + #1/1/1601#
dtmEndingDate = strTime
intWeeks = DateDiff("WW",dtmEndingDate,now)
wscript.echo intWeeks
wscript.echo strWeeks
If intWeeks > strWeeks then
    If IsAlive(strDeviceName) = False then
    objChange.Put "description" , "Machine over "&strWeeks&" weeks inactive. Disabled "&strDate&" @ "&strTime&" by script. Moved from"&strADsPath&"."
    objChange.Put "userAccountControl", "4098"
    objChange.SetInfo
    Set objOU = GetObject(""&strDisableLDAP&"")
objOU.MoveHere strADsPath, vbNullString
    End if
End If
   objRecordSet.MoveNext
Loop
MsgBox "Execution completed successfully." , vbInformation, "Execution completed"
Function IsAlive(strDeviceName)
'---------- Test to see if host or url alive through ping -----------------
' Returns True if Host responds to ping
'
' Though there are other ways to ping a computer, Win2K,
' XP and different versions of PING return different error
' codes. So the only reliable way to see if the ping
' was sucessful is to read the output of the ping
' command and look for "TTL="
'
' strRComputer is a hostname or IP
   Const OpenAsASCII = 0
    Const FailIfNotExist = 0
    Const ForReading = 1
    Dim objShell, objFSO, sTempFile, fFile
   Set objShell = CreateObject("WScript.Shell")
    Set objFSO = CreateObject("Scripting.FileSystemObject")
   sTempFile = objFSO.GetSpecialFolder(2).ShortPath & "\" & objFSO.GetTempName
   objShell.Run "%comspec% /c ping.exe -n 2 -w 500 " & strDeviceName & " >" & sTempFile, 0 , True
   Set fFile = objFSO.OpenTextFile(sTempFile, ForReading, FailIfNotExist, OpenAsASCII)
   Select Case InStr(fFile.ReadAll, "TTL=")
        Case 0
           IsAlive = False
        Case Else
           IsAlive = True
   End Select
   ffile.close
    objFSO.DeleteFile(sTempFile)
   Set objFSO = Nothing
   Set objShell = Nothing
End Function

It is failing at -

intWeeks = DateDiff("WW",dtmEndingDate,now)
wscript.echo intWeeks
wscript.echo strWeeks
If intWeeks > strWeeks then

intWeeks is giving me back 26 as the number. But if I change strWeeks to 20 or 29 it does not run. just as a test I remmed out intWeeks = DateDiff("WW",dtmEndingDate,now) and I put in intWeeks = "26" and it works just fine. Could it be something wrong with how intWeeks is giving me back the number 26?

(in reply to Stumpedtechy)

Post #: 3

RE: Vbscript equivilent to dsquery? - inactive switch q... - 6/20/2008 7:43:14 AM

dm_4ever

Posts: 2665
Score: 46
Joined: 6/29/2006
From: Orange County, California
Status: offline

What if you made

strWeeks = 26 ' or 29 or any number without the quotes; with the quotes you're defining it as a string

Maybe to make sure you're comparing numerical values

If CInt(intWeeks) > CInt(strWeeks) then

_____________________________

dm_4ever

My philosophy: K.I.S.S - Keep It Simple Stupid
Read Me: http://www.visualbasicscript.com/m_24727/tm.htm
Frequently Asked Stuff: http://www.visualbasicscript.com/m_47117/tm.htm

(in reply to Stumpedtechy)

Post #: 4

RE: Vbscript equivilent to dsquery? - inactive switch q... - 6/23/2008 1:44:29 AM

Stumpedtechy

Posts: 41
Score: 0
Joined: 11/30/2007
Status: offline

DM thank you for your help on this, it is much apreciated. Your suggestion was 100 correct. I never thought about one being a string and the other being an interger but now I see its like trying to compare apples to pears. Anyhow I know I probably could have turned the interget part into a function and called it but I figured this is good enough to get me everything I need. I figured you might want to see the final product. I added in a popup for machines the script can't read the last login time so people will run and go fix them. Hopefully they will heed the errors rather than just click okay each time. As always you have been a champ leading me on the small nuances I can't quite seem to grasp with coding.

' ************************************************************************
' ************************************************************************
' ***               ***
' *** This script is to be used to check all currently enabled       ***
' ***   computer accounts in the designated OU and its SubOUs for      ***
' *** old/inactive computer accounts.           ***
' *** It will check the accounts last active date vrs the date the   ***
' *** the script is ran and if the difference is over the specified  ***
' ***   number of weeks it will first ping the computer and then, if   ***
' *** the ping does not reply, the script will then perform the      ***
' ***   following steps -                                              ***
' ***               ***
' ***  - Put a description in the computer account indicating,         ***
' ***    Number of weeks inactive,           ***
' ***    Time and date of script run,           ***
' ***    Where the machines LDAP location was before it was moved.     ***
' ***    (this last bit was implemented to make restoration easy)      ***
' ***  - Disable the computer account.           ***
' ***  - Move the computer account from the OU it is in to the         ***
' ***    designated disabled computer accounts OU.         ***
' ***               ***
' ***               ***
' ***   Lines to be modified -            ***
' *** strWeeksInactive = Change this to be the number of weeks not   ***
' ***  active on the domain. Do not make this too short as    ***
' ***  traveling users might not use their machines on the    ***
' ***  domain for a few weeks at a time.         ***
' *** strWeeksNoPassChg = Change this to be the number of weeks no   ***
' ***  password has changed on the domain. This number should ***
' ***  be a fair amount smaller than strWeeksInactive to      ***
' ***  increase the reliability of the script.         ***
' *** strMainLDAP = LDAP location of the OU and SubOUs you want to   ***
' ***  scan for old inactive machine accounts.         ***
' *** strDisableLDAP = Dump location you want the disabled accounts  ***
' ***           to go into once disabled.                 ***
' ***               ***
' *** This scripts is distributed with defaults is 3 months of no    ***
' ***   password changes and 6 months of inactivity                ***
' ***               ***
' ***  WARNINGS-WARNINGS-WARNINGS-WARNINGS-WARNINGS-WARNINGS-WARNINGS  ***
' ***               ***
' ***  1) This script does not make any LDAP locations. They have to   ***
' *** already exist.             ***
' ***  2) This script will overwrite existing computer descriptions.   ***
' ***  3) Sometimes there is a slight delay between the script being   ***
' ***  run and when ADUC shows results. This varies depending upon the ***
' ***  server ADUC is pointed to and the where the script runs against.***
' ***               ***
' ***               ***
' ***   Authored by: Eric Theisen           ***
' ***     Date:        June 23, 2008                                   ***
' ************************************************************************
' ************************************************************************
'Variables to change
strWeeksInactive = 26
strWeeksNoPassChg = 12
strMainLDAP = "[link=http://www.visualbasicscript.com/ldap://OU=Computers,DC=DOMAIN,DC=COM]LDAP://OU=Computers,DC=DOMAIN,DC=COM[/link]"
strDisableLDAP = "[link=http://www.visualbasicscript.com/ldap://OU=Disabled]LDAP://OU=Disabled[/link] Computers,DC=Domain,DC=Com"
'Variables not to change
strDate = Replace(Date,"/","-")
strTime = Replace(Time,":","-")
strCount = 0
'Queries AD and creates a recordset for only already Enabled machine accounts.
Const ADS_SCOPE_SUBTREE = 2
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand =   CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCOmmand.ActiveConnection = objConnection
objCommand.CommandText = _
   "Select Name, ADsPath from '"&strMainLDAP&"' WHERE objectClass='computer' " & _
   "AND userAccountControl='4096'"
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Timeout") = 30 
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE 
objCommand.Properties("Cache Results") = False 
Set objRecordSet = objCommand.Execute
'If recordset is empty
If objRecordSet.EOF then
MsgBox "All machines in "&strMainLDAP&" have been active more than "&strWeeksInactive&" weeks and have had a password changed within "&strWeeksNoPassChg&" weeks." , vbInformation, "Execution completed"
Else
'If recordset is not empty
objRecordSet.MoveFirst
Do Until objRecordSet.EOF
       
       'Gather each records variables
        strADsPath = objRecordSet.Fields("ADsPath").Value
 strDeviceName = objRecordSet.Fields("Name").Value
 Set objChange = GetObject(strADsPath)
 
'Some Machines have old/bad accounts that the query cannot gather information for.
Err.Clear
On error resume next
Set objLastLogon = objChange.Get("lastLogonTimestamp")
 If (Err.Number <> 0) Then
 Msgbox "There was a problem with "&strDeviceName&". The last login cannot be gathered from AD. Machine should be removed from the domain, the account should be deleted, and then lastly readded to the domain." , vbInformation, "Machine account error notification"
 objRecordSet.MoveNext
 Else
 
'Manipulate 64 bit interger to a date/time and compares to current date/time.
intLastLogonTime = objLastLogon.HighPart * (2^32) _
+ objLastLogon.LowPart
intLastLogonTime = intLastLogonTime / (60 * 10000000)
intLastLogonTime = intLastLogonTime / 1440
StrTime = intLastLogonTime + #1/1/1601#
dtmEndingDate = strTime
intWeeks = DateDiff("WW",dtmEndingDate,now)
    Set objpwdLastSet = objChange.Get("pwdLastSet")
intpwdLastSetTime = objpwdLastSet.HighPart * (2^32) _
+ objpwdLastSet.LowPart
intpwdLastSetTime = intpwdLastSetTime / (60 * 10000000)
intpwdLastSetTime = intpwdLastSetTime / 1440
StrpwdTime = intLastLogonTime + #1/1/1601#
dtmpwdEndingDate = strpwdTime
intpwdWeeks = DateDiff("WW",dtmpwdEndingDate,now)
'Check and only mainpute the machine names with the proper date contraints
If CInt(intpwdWeeks) >= CInt(strWeeksNoPassChg) and CInt(intWeeks) >= CInt(strWeeksInactive) then
    If IsAlive(strDeviceName) = False then
    strCount = strCount + 1
    objChange.Put "description" , "Machine over "&strWeeksInactive&" weeks inactive. Password not set for at least "&strWeeksNoPassChg&" weeks. Disabled "&strDate&" @ "&strTime&" by script. Moved from"&strADsPath&"."
    objChange.Put "userAccountControl", "4098"
    objChange.SetInfo
    Set objOU = GetObject(""&strDisableLDAP&"")
 objOU.MoveHere strADsPath, vbNullString
    End if
End If
End If
   objRecordSet.MoveNext
Loop
MsgBox "There were "&strCount&" computers disabled in "&strMainLDAP&" and its SubOUs that were inactive "&strWeeksInactive&" weeks or more and had a password changed over "&strWeeksNoPassChg&" weeks." , vbInformation, "Execution completed"
End If
Function IsAlive(strDeviceName) 
'---------- Test to see if host or url alive through ping -----------------
' Returns True if Host responds to ping
' 
' Though there are other ways to ping a computer, Win2K,
' XP and different versions of PING return different error
' codes. So the only reliable way to see if the ping
' was sucessful is to read the output of the ping
' command and look for "TTL="
' 
' strRComputer is a hostname or IP 
   Const OpenAsASCII = 0 
    Const FailIfNotExist = 0 
    Const ForReading =  1 
    Dim objShell, objFSO, sTempFile, fFile 
   Set objShell = CreateObject("WScript.Shell") 
    Set objFSO = CreateObject("Scripting.FileSystemObject") 
   sTempFile = objFSO.GetSpecialFolder(2).ShortPath & "\" & objFSO.GetTempName 
   objShell.Run "%comspec% /c ping.exe -n 2 -w 500 " & strDeviceName & " >" & sTempFile, 0 , True 
   Set fFile = objFSO.OpenTextFile(sTempFile, ForReading, FailIfNotExist, OpenAsASCII) 
   Select Case InStr(fFile.ReadAll, "TTL=") 
        Case 0
           IsAlive = False 
        Case Else
           IsAlive = True 
   End Select 
   ffile.close 
    objFSO.DeleteFile(sTempFile)
   Set objFSO = Nothing
   Set objShell = Nothing
End Function

(in reply to Stumpedtechy)

Post #: 5

RE: Vbscript equivilent to dsquery? - inactive switch q... - 6/23/2008 1:55:25 AM

dm_4ever

Posts: 2665
Score: 46
Joined: 6/29/2006
From: Orange County, California
Status: offline

I am glad to hear you got this all sorted out....see you around.

_____________________________

dm_4ever

My philosophy: K.I.S.S - Keep It Simple Stupid
Read Me: http://www.visualbasicscript.com/m_24727/tm.htm
Frequently Asked Stuff: http://www.visualbasicscript.com/m_47117/tm.htm

(in reply to Stumpedtechy)

Post #: 6

If you found our site useful please link to us <a href="http://www.visualbasicscript.com">VisualBasicScript.com</a>.

All Forums >> [Scripting] >> WSH & Client Side VBScript >> Vbscript equivilent to dsquery? - inactive switch question?

Page: [1]

Jump to:

New Messages	No New Messages
Hot Topic w/ New Messages	Hot Topic w/o New Messages
Locked w/ New Messages	Locked w/o New Messages

Post New Thread

Reply to Message

Post New Poll

Submit Vote

Delete My Own Post

Delete My Own Thread

Rate Posts