Modifying Computer Objects with Active Directory - Finding Computers with a Particular OS

Problem

You want to find computers that have a certain OS version, release, or service pack in a domain.

Solution

Using a graphical user interface

1. Open LDP.
   
2. From the menu, select Connection -> Connect.
   
3. For Server, enter the name of a domain controller (or leave blank to do a serverless bind).
   
4. For Port, enter 389.
   
5. Click OK.
   
6. From the menu, select Connection -> Bind.
   
7. Enter credentials of a user to perform the search.
   
8. Click OK.
   
9. From the Menu, select Browse -> Search.
   
10. For Base DN, enter the base of where you want your search to begin.
    
11. For Filter, enter a filter that contains the OS attribute you want to search on. For example, a query for all computers that are running Windows XP would be the following:
    
      (&(objectclass=computer)(objectcategory=computer)(operatingSystem=Windows XP
      Professional))
    
12. Select the appropriate Scope based on how deep you want to search.
    
13. Click the Options button if you want to customize the list of attributes returned for each matching object.
    
14. Click Run, and the results will be displayed in the right pane.

You can also perform this search using the Active Directory Users and Computers MMC snap-in (dsa.msc), as follows:

1. Open the ADUC MMC snap-in.
   
2. Right-click on the domain, OU, or container that you wish to search, and click Find.
   
3. In the Find drop-down box, select Computers.
   
4. Click on the Advanced tab. Click on Field and select Operating System.
   

5. Select the Condition that you want to search on from one of the following:

   • Starts with

   • Ends with

   • Is (exactly)

   • Is not

   • Present

   • Not present

6. In the Value field, enter the value that you want to search for, such as “Windows Server 2003.”

7. Click Find Now.

Using a command-line interface

You can query for computer objects of a particular operating system using either DSQuery or AdFind. To perform the query with DSQuery, use the following syntax:

  > dsquery * <DomainDN> -scope subtree -attr "*" -filter "(&(objectclass=
  computer)(objectcategory=computer)(operatingSystem=Windows Server 2003))"

To use AdFind, enter the following:

  > adfind –b <DomainDN> -s subtree –f
    "(&(objectclass=computer)(objectcategory=computer)
    (operatingSystem=Windows Server 2003))"

Using VBScript

  ' This code searches for computer objects that have Service Pack 1 installed.
  ' ------ SCRIPT CONFIGURATION ------
  strBase    = "<LDAP://" & "<DomainDN>" & ">;"
  ' ------ END CONFIGURATION ---------

  strFilter = "(&(objectclass=computer)(objectcategory=computer)" & _ 
        "(operatingSystemServicePack=Service Pack 1));"
  strAttrs  = "cn,operatingSystem,operatingSystemVersion," & _
        " operatingSystemServicePack;"
  strScope  = "subtree"

  set objConn = CreateObject("ADODB.Connection")
  objConn.Provider = "ADsDSOObject"
  objConn.Open "Active Directory Provider"
  Set objRS = objConn.Execute(strBase & strFilter & strAttrs & strScope)
  objRS.MoveFirst
  while Not objRS.EOF
     Wscript.Echo objRS.Fields(0).Value
     Wscript.Echo objRS.Fields(1).Value
     Wscript.Echo objRS.Fields(2).Value
     Wscript.Echo objRS.Fields(3).Value
     Wscript.Echo objRS.Fields(4).Value
     WScript.Echo
     objRS.MoveNext
  wend

Discussion

When a computer joins an Active Directory domain, the operating system attributes are updated for the computer object. There are four of these attributes, which can be used in queries to find computers that match certain OS-specific criteria, like service pack level.

These attributes include the following:

operatingSystem
   Descriptive name of the installed Operating System—
   e.g., Windows Server 2003, Windows 2000 Server,
   and Windows XP Professional

operatingSystemVersion
   Numerical representation of the operating system—
   e.g., 5.0 (2195) and 5.2 (3757)

operatingSystemServicePack
   Current service pack level if one is installed—e.g.,
   Service Pack 2 and Service Pack 3

This recipe typically applies only to Windows-based machines. Other types of machines (e.g., Unix) that have accounts in Active Directory might not automatically update their OS attributes, though some newer Unix- or Linux-based NAS devices have been configured to do. Additionally, theoperatingSystem attribute does not distinguish between Windows NT 4 server and Windows NT 4 workstation.

Next: Binding to the Default Container for Computers >>
 

More Windows Scripting Articles
More By O'Reilly Media

Comments On: Modifying Computer Objects with Active Directory

· This article is an excerpt from the "Active Directory Cookbook, Second Edition,"...   >>> Post your comment now!

Buy this book...

This article is excerpted from chapter eight of the Active Directory Cookbook, Second Edition, written by Robbie Allen and Laura E. Hunter (O'Reilly; ISBN: 059610202X). Check it out today at your favorite bookstore. Buy this book now.