Hey, Scripting Guy! How Can I Access Active Directory on a Specific Domain Controller?

ScriptingGuy1

Hey, Scripting Guy! Question

Hey, Scripting Guy! How can I access Active Directory on a specific domain controller?

— SD

Hey, Scripting Guy! Answer

Hey, SD. You know, one of the cool things about Active Directory is that you usually don’t need to access the directory service on a specific domain controller. Because Active Directory information is replicated between all the domain controllers in a domain, that information will be the same regardless of which domain controller you bind to. Want to know which department a user is in? Then you can just use “serverless binding” like this:

' Serverless bind: no domain controller named, so Active Directory picks one.
' The LDAP path must be passed to GetObject as a quoted string.
Set objUser = GetObject _
    ("LDAP://CN=Ken Myer,OU=Finance,DC=fabrikam,DC=com")
Wscript.Echo objUser.department

Notice that we don’t bind to a specific domain controller; instead we just bind to Active Directory and let the directory service choose a domain controller for us. It makes no difference: after all, the user’s department will be the same on all domain controllers.

Of course, if that’s the case then why in the world would you ever want to bind to a specific domain controller? Well, here’s one reason. While it’s true that most Active Directory information is replicated between all the domain controllers in a domain, there are a few attributes that are not replicated. For example, take the badPwdCount attribute, which tracks the number of times a user has tried to log on using an incorrect password. This value is not replicated between domain controllers; if you need to check this value for a user, you’ll have to bind to each domain controller individually and retrieve the value from that machine. You can then add all these individual values together to determine the total number of times that the user typed in an incorrect password when trying to log on to the domain.

That’s just one example of why you might want to bind to an individual domain controller instead of binding to any old domain controller.

So how do you bind to a specific domain controller? All you do is include the computer name in your Active Directory binding string. For example, this script binds to Active Directory on the computer atl-dc-01:

' Server-specific bind: the computer name goes between LDAP:// and the DN.
Set objUser = GetObject _
    ("LDAP://atl-dc-01/CN=Ken Myer,OU=Finance,DC=fabrikam,DC=com")
Wscript.Echo objUser.badPwdCount

Want to bind to Active Directory on the computer red-dc-22? Then use a script like this:

' Same bind, but this time against the domain controller red-dc-22.
Set objUser = GetObject _
    ("LDAP://red-dc-22/CN=Ken Myer,OU=Finance,DC=fabrikam,DC=com")
Wscript.Echo objUser.badPwdCount
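The column shows one bind per domain controller by hand. The PowerShell script below, an added example that is not part of the original column, carries the same idea through in one go: it enumerates every domain controller in the current domain, performs the server-specific bind against each one, reads the unreplicated badPwdCount, and sums the per-DC values. The user’s distinguished name is the same placeholder the column uses and must be replaced with a real account in your domain.

```powershell
# Added example (not from the Scripting Guys column): total badPwdCount across
# all domain controllers, since the attribute is not replicated between them.
# Placeholder: the DN below stands in for a real user in your environment.
$userDn = 'CN=Ken Myer,OU=Finance,DC=fabrikam,DC=com'

# Enumerate every domain controller in the domain this machine belongs to.
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

$perDc = @()
foreach ($dc in $domain.DomainControllers) {
    $dcName = $dc.Name
    try {
        # Server-specific bind: the DC name precedes the DN, exactly as in the
        # column's LDAP://atl-dc-01/... example.
        $user = [ADSI]"LDAP://$dcName/$userDn"

        # badPwdCount is local to this DC; it is absent (null) if never set,
        # and [int]$null evaluates to 0.
        $count = [int]$user.Properties['badPwdCount'].Value

        $perDc += [pscustomobject]@{ DomainController = $dcName; BadPwdCount = $count }
    }
    catch {
        # A DC that is down or unreachable should not abort the whole survey.
        Write-Warning "Could not bind to $dcName : $($_.Exception.Message)"
    }
}

# Per-DC breakdown, then the total the column describes adding up by hand.
$perDc | Format-Table -AutoSize
$total = ($perDc | Measure-Object -Property BadPwdCount -Sum).Sum
"Total bad password attempts recorded for $userDn : $total"
```

One caveat for anyone using this as a lockout-investigation check: each domain controller resets its own badPwdCount after the domain’s lockout observation window expires, so the sum is a snapshot of recent failures, not a lifetime count. Running the script from an account that can reach every domain controller matters too, because a DC that cannot be bound to simply drops out of the total with a warning.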

That’s all you gotta do.
