Life of a techno-guru
Tuesday, October 31, 2006
Comparing Machine Accounts in Two Directories

The purpose of this script is to pull a registry key from all of our client machines to determine whether each one has statically configured DNS servers or not. The challenge I am targeting is that some of our machines are joined to our Active Directory domain and can be authenticated against using my domain user account; however, about half of them still are not, and I need to use a local user account on those machines to authenticate with.

Instead of using error handling, I approached this challenge by using a Scripting.Dictionary object in which the keys contain the computer names ("Workstation" objects) from eDirectory/ZENworks, and the value contains the same machine name ("computer" objects) in Active Directory if, and only if, the machine account exists in Active Directory. If Active Directory does not have a corresponding machine account, the value for the key will remain the string "NULL". By iterating over the Scripting.Dictionary object, I can easily determine whether I should use domain authentication or local authentication based on whether the value for each key contains the same computer name or "NULL".

Of course, I'm sure there will be some exceptions that need to be handled via error handling, but at least I'm not using error handling as my primary method of testing authentication. Here is the main logic of the script without the nitty-gritty registry stuff:

'Dictionary will hold name of computer from eDirectory AND Active Directory (if applicable). Use this to test for local or domain authentication!
dim computers, cycle
set computers = CreateObject("Scripting.Dictionary")
'Computer names are not case-sensitive, so compare keys as text
computers.CompareMode = vbTextCompare

'Dynamically obtain root of Active Directory domain partition
set rootdse = GetObject("LDAP://RootDSE")
dirRoot = rootdse.Get("defaultNamingContext")

'Run the script
main


function main()
    'Populate computer names from eDirectory
    searchDir "o=[YourRootNetwareOrg]","[eDirectoryServerIP]/"
    'Populate computer names from Active Directory
    searchDir dirRoot, ""

    pckeys = computers.keys()
    for each key in pckeys
        wscript.echo key & " :: " & computers(key)
    next
end function

'Server is OPTIONAL parameter. If connecting to Active Directory from a domain account, just use double quotes.
'Please put a slash after the name/IP if you specify one.
function searchDir(dn, server)
    set root = GetObject("LDAP://" & server & dn)

    for each dirobj in root
        select case dirobj.class
            case "ndsContainerLoginProperties"
                'Build the child DN from the relative name (e.g. "ou=Sales") and the parent DN
                searchDir dirobj.name & "," & dn, server
            case "organizationalUnit"
                searchDir dirobj.distinguishedName, ""
            case "container"
                searchDir dirobj.distinguishedName, ""
            case "computer"
                'Need to use Right function to cut off "cn=" from the computer's name
                'dirobj.name is the relative name, e.g. "cn=PC01"
                pcname = right(dirobj.name, len(dirobj.name) - 3)
                'Only machines already seen in eDirectory are marked as domain members
                if computers.exists(pcname) then computers.item(pcname) = pcname
            case "Workstation"
                'Need to use Right function to cut off "cn=" from the computer's name
                pcname = right(dirobj.name, len(dirobj.name) - 3)
                'Skip duplicates; Add raises an error if the key already exists
                if not computers.exists(pcname) then computers.add pcname, "NULL"
        end select
    next

end function

Now that you have this much, you can write another function that iterates over the Dictionary object and performs some random operation based on whether or not each computer has a corresponding computer object in Active Directory, or any directory really. Due to the differences in directories, though, you might have to tweak the object classes that the select case statement is testing for. If you have any questions, please feel free to e-mail me!

Trevor Sullivan
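
The iteration step described above, as an added example (not code from the original post): it picks domain or local credentials per machine from the dictionary and reads each interface's DNS setting over WMI. The sub name checkDns, the LOCAL_USER account, the sample computer names and the use of the NameServer registry value are assumptions; the post does not say which key it reads.

```vbscript
Option Explicit
' Added example: run with cscript.exe so the password prompt works.
Const HKLM = &H80000002
Const IF_KEY = "SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces"
Const LOCAL_USER = "Administrator"   ' assumption: name of the local admin account

Dim computers, locator, localPwd, pc
Set computers = CreateObject("Scripting.Dictionary")
' Constructed sample data standing in for the dictionary built by searchDir
computers.Add "PC-DOMAIN01", "PC-DOMAIN01"   ' has an Active Directory account
computers.Add "PC-LOCAL01", "NULL"           ' eDirectory/ZENworks only

Set locator = CreateObject("WbemScripting.SWbemLocator")
' Prompt for the local password rather than storing it in the script
' (StdIn.ReadLine echoes what is typed)
WScript.StdOut.Write "Local admin password: "
localPwd = WScript.StdIn.ReadLine

For Each pc In computers.Keys
    If computers(pc) = "NULL" Then
        ' No AD account: authenticate as COMPUTER\localuser
        checkDns pc, pc & "\" & LOCAL_USER, localPwd
    Else
        ' AD member: empty credentials mean "use the current domain logon"
        checkDns pc, "", ""
    End If
Next

Sub checkDns(pc, user, pwd)
    Dim svc, reg, guids, guid, servers
    ' Error handling is the fallback only, e.g. machine offline or bad password
    On Error Resume Next
    Set svc = locator.ConnectServer(pc, "root\default", user, pwd)
    If Err.Number <> 0 Then
        WScript.Echo pc & " :: connect failed: " & Err.Description
        Err.Clear
        Exit Sub
    End If
    On Error GoTo 0
    Set reg = svc.Get("StdRegProv")
    If reg.EnumKey(HKLM, IF_KEY, guids) <> 0 Or IsNull(guids) Then Exit Sub
    For Each guid In guids
        ' NameServer is set for static DNS; DHCP-assigned servers go to DhcpNameServer
        reg.GetStringValue HKLM, IF_KEY & "\" & guid, "NameServer", servers
        If Len(servers & "") > 0 Then
            WScript.Echo pc & " :: static DNS " & servers & " on " & guid
        End If
    Next
End Sub
```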
