Hey, Scripting Guy! How can I tell if an OU has any user accounts in it?
Hey, RL. As a matter of fact, there is a way to determine whether or not an OU contains any user accounts: all you have to do is search just that OU for nothing but user accounts. When you perform a search, any “hits” (in this case, any user accounts that are found) come back as part of a recordset. When you get the recordset back, all you have to do is check the value of the RecordCount property. If the value is 0, then there aren’t any user accounts in the OU; if the value is anything other than 0, then that’s how many user accounts were found. In other words, if the RecordCount is 17, then there are 17 user accounts in that OU. Child’s play.
Here’s what the script looks like:
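' Note: On Error Resume Next suppresses run-time errors for the rest of the script
On Error Resume Next
' Scope value that limits the search to the target container itself
Const ADS_SCOPE_ONELEVEL = 1
' Connect to Active Directory through the ADSI OLE DB provider
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_ONELEVEL
' Start in the Finance OU and return user accounts only
objCommand.CommandText = _
    "SELECT Name FROM 'LDAP://OU=finance,dc=fabrikam,dc=com' WHERE objectCategory='user'"
Set objRecordSet = objCommand.Execute
' RecordCount is the number of user accounts found
Wscript.Echo "Number of user accounts: " & objRecordSet.RecordCount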
We can’t provide a detailed explanation of how an Active Directory search script works in this column; if you’re interested in knowing more about searching Active Directory, you might want to look at a Webcast we did on this topic a few months ago. However, there are three things that we will point out.
First, note that we begin by defining a constant named ADS_SCOPE_ONELEVEL and setting it to 1. This constant tells the script to search only the target container; if there are any OUs nested within this OU, they won’t get searched. If you want to search child OUs as well, then use the constant ADS_SCOPE_SUBTREE and set the value to 2.
Second, make sure that you start the search in the target OU. Notice that our CommandText says SELECT Name FROM 'LDAP://OU=finance,dc=fabrikam,dc=com'. We don’t want to start in the domain root (dc=fabrikam,dc=com); we want to start in the Finance OU.
Finally, we’re searching only for user accounts; hence the clause WHERE objectCategory='user'. What if you wanted to know if there were any computer accounts in the OU? Then just change the WHERE clause to this:
What if you just wanted to know if anything was in the OU? (For example, perhaps you want to delete the OU, but only if it’s empty.) In that case, you wouldn’t use a WHERE clause at all, but would instead use this CommandText:
SELECT Name FROM 'LDAP://OU=finance,dc=fabrikam,dc=com'
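The same search wrapped in a reusable function, as an added example that is not part of the original column: it reports a failed search separately from a count of 0, which matters when the result decides whether an OU gets deleted. The function name CountObjects and its -1 "search failed" return value are assumptions made for this illustration.

```vbscript
Option Explicit
Const ADS_SCOPE_ONELEVEL = 1   ' direct children of the OU only
Const ADS_SCOPE_SUBTREE = 2    ' also search OUs nested below it

' CountObjects (hypothetical helper): returns the number of objects found,
' or -1 if the search itself failed. Pass "" as strCategory to match anything.
' strOuDN and strCategory are trusted literals here, not user input.
Function CountObjects(strOuDN, strCategory, intScope)
    Dim objConnection, objCommand, objRecordSet, strQuery
    strQuery = "SELECT Name FROM 'LDAP://" & strOuDN & "'"
    If strCategory <> "" Then
        strQuery = strQuery & " WHERE objectCategory='" & strCategory & "'"
    End If

    On Error Resume Next        ' trap errors locally so they can be inspected
    Set objConnection = CreateObject("ADODB.Connection")
    Set objCommand = CreateObject("ADODB.Command")
    objConnection.Provider = "ADsDSOObject"
    objConnection.Open "Active Directory Provider"
    Set objCommand.ActiveConnection = objConnection
    objCommand.Properties("Page Size") = 1000
    objCommand.Properties("Searchscope") = intScope
    objCommand.CommandText = strQuery
    Set objRecordSet = objCommand.Execute
    If Err.Number = 0 Then CountObjects = objRecordSet.RecordCount
    If Err.Number <> 0 Then     ' any step above failed: not the same as "empty"
        WScript.Echo "Search of " & strOuDN & " failed: " & Err.Description
        CountObjects = -1
    End If
    objConnection.Close
    On Error GoTo 0
End Function

Dim strOU, intUsers, intChildren
strOU = "OU=finance,dc=fabrikam,dc=com"   ' the OU used in the column's script
intUsers = CountObjects(strOU, "user", ADS_SCOPE_SUBTREE)
intChildren = CountObjects(strOU, "", ADS_SCOPE_ONELEVEL)

If intUsers >= 0 Then WScript.Echo "User accounts (nested OUs included): " & intUsers
If intChildren = 0 Then
    WScript.Echo "OU is empty."
ElseIf intChildren > 0 Then
    WScript.Echo "OU is not empty: " & intChildren & " direct child object(s)."
Else
    WScript.Echo "Could not determine whether the OU is empty; do not delete it."
End If
```

The emptiness check uses the one-level scope with no WHERE clause, as in the CommandText above; an OU with no direct children has nothing nested below it either.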
Active Directory searching is extremely powerful and extremely useful, and we’d like to see people make more and better use of it. If that’s the case, then shouldn’t we Scripting Guys be doing something to make it easier for people to get started with Active Directory searching? Funny you should mention that; we just might have something for you in a week or two. Stay tuned!