In the final installment of our seven-part series on AD scripting, we will look at the functionality provided by a dynamic link library installed by the Windows 2000 Support Tools.
by Jim Hudson
This article is derived from Special Edition Using Active Directory, by Jim Hudson and Sean Fullerton (Que Publishing, November 2000).
If you install the Support Tools from the \support\tools folder of the Windows 2000 CD and then look in \program files\support tools on your local hard drive you will find, among other things, two very interesting files. They are iadstools.dll and iadstools.doc. The DLL hosts the functionality exposed by another Support Tool, replmon.exe, the Active Directory Replication Monitor.
This one DLL exposes an enormous amount of functionality. In this section on Active Directory scripting, we are going to use iadstools.dll to build a troubleshooting tool for Group Policy and an Active Server Page to list troubleshooting information about replication.
Like the previous section, this is hardly an attempt to exhaustively document the capabilities of this COM object, but simply to give a glimpse of its power and use. The iadstools.doc file is a very detailed look at the properties and methods of the iadstools COM object.
The previous section on ADSI assumed only that we were logged on at the console of a Windows 2000 computer as a user with sufficient Active Directory credentials to perform the task. For these scripts to work, iadstools.dll must be registered. This is done automatically when the support tools are installed, or manually by copying the DLL and executing regsvr32 iadstools.dll.
Checking Group Policy Versions
The code in this section checks the version numbers for the Group Policy container and Group Policy template. The container is the information about the Group Policy in Active Directory, and the template is the filesystem objects that actually do the work of a Group Policy. Because we use AD replication to replicate the container, and the File Replication Service to replicate the template, it is possible for these to be out of sync. If that happens, Group Policy can be applied somewhat irregularly. This tool simply identifies any Group Policy objects for a given container and looks to see if the version numbers match. If they do, all is well and the script exits with a success message. If there are Group Policies that are out of sync, the script identifies them by name and returns the respective version numbers.
    'instantiate the object
    set dcf = createobject("IADsTools.DCFunctions")
    'set up arguments and variables
    set oArgs = wscript.arguments
    Dim numGpos
    Dim ctr
    dim flag
    'get number of group policies for container
    numGpos = dcf.GetGPOs(CStr(oArgs(0)), CStr(oArgs(1)), 0)
    'iterate through group policies
    For ctr = 1 To numGpos
        'compare version numbers
        if dcf.GPOSysVolVersion(ctr) <> dcf.GPOVersion(ctr) then
            'if they don't match echo version status and set flag
            wscript.echo dcf.gponame(ctr) & " has a gpoversion of " & dcf.gpoversion(ctr) & " and a sysvol version of " & dcf.gposysvolversion(ctr)
            flag=1
        end if
    Next
    'echo success
    if flag=0 then wscript.echo "all gpos are in sync"
Pay very close attention to wrapping on this script also. Every command needs to be on its own line, regardless of length.
'instantiate the object
Before we can use the properties and methods of iadstools, we must instantiate the object. The createobject function uses the programmatic identifier (iadstools.dcfunctions) to find the GUID of the object in the registry, load it into memory, and get an instance of the object.
'set up arguments and variables
The arguments will again allow us to pass command-line arguments or parameters to the code. Explicitly declaring the variables is not necessary in VBScript, but it is a good habit. There is no reason to set the datatype for the variables because VBScript supports only variant datatypes.
'get number of group policies for container
The getgpos function returns the number of gpos for the container as a long datatype and also enumerates the Group Policies. This allows us to use other methods that require getgpos be run first, before they can be used. Notice that we are using the cstr function to convert the arguments to string datatypes before we pass them to the getgpos function. This is required if we are using VBScript. The arguments are the name of the organizational unit and the LDAP DN of the domain.
'iterate through group policies
This line simply allows us to run through the Group Policies one at a time.
'compare version numbers
Here we are checking the version of the Group Policy template (sysvolversion) versus the container (gpoversion).
'if they don't match echo version status and set flag
Here we simply use the properties of the Group Policy to echo the name and respective versions, if they do not match. Because the flag has not explicitly had its value set it is by default 0. Setting it to 1 even once in this loop will cause the success message not to show.
If all of the version numbers match, then we can exit with a success message. We use wscript.echo in this example, but could also use writeline to send the output to the command line. Listing 2 shows the command-line use of the script, and Figure 1 shows the success message box.
C:\>gpocheck sales dc=fis,dc=local
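The script above stops with a runtime error if an argument is missing or the DLL is not registered, and it always exits with code 0. The following is an added example, not code from the original article: the same check with argument validation, error handling and an exit code that a scheduled job can act on. It uses only the IADsTools members shown above; the Describe helper, the exit codes 1 and 2, and the assumption that IADsTools returns the raw version value (user revision in the high 16 bits, computer revision in the low 16 bits) are additions made here.

```vbscript
' Added example, not from the original article.
Option Explicit
Dim dcf, oArgs, numGpos, ctr, outOfSync, gpcVer, gptVer

Set oArgs = WScript.Arguments
If oArgs.Count <> 2 Then
    WScript.Echo "usage: gpocheck <container> <domain DN>"
    WScript.Quit 2
End If

On Error Resume Next
Set dcf = CreateObject("IADsTools.DCFunctions")
If Err.Number <> 0 Then
    WScript.Echo "IADsTools is not registered (run regsvr32 iadstools.dll)"
    WScript.Quit 2
End If

'GetGPOs must run first; it enumerates the GPOs the other members index into
numGpos = dcf.GetGPOs(CStr(oArgs(0)), CStr(oArgs(1)), 0)
If Err.Number <> 0 Then
    WScript.Echo "GetGPOs failed: " & Err.Description
    WScript.Quit 2
End If
On Error GoTo 0

outOfSync = 0
For ctr = 1 To numGpos
    gpcVer = CLng(dcf.GPOVersion(ctr))        'container (Active Directory)
    gptVer = CLng(dcf.GPOSysVolVersion(ctr))  'template (SYSVOL)
    If gpcVer <> gptVer Then
        outOfSync = outOfSync + 1
        WScript.Echo dcf.GPOName(ctr) & ": container " & Describe(gpcVer) & _
            ", sysvol " & Describe(gptVer)
    End If
Next

If outOfSync > 0 Then WScript.Quit 1   '1 = at least one GPO out of sync
WScript.Echo "all gpos are in sync"
WScript.Quit 0

'Hypothetical helper: split a version into user and computer revisions.
'Assumption: the value is the raw version number, not a pre-split counter.
Function Describe(ver)
    Describe = ver & " (user " & (ver \ 65536) & ", computer " & (ver Mod 65536) & ")"
End Function
```

Run it with cscript so the exit code reaches the calling batch file or scheduler; a result of 2 means the check itself could not run, which should be treated differently from a mismatch.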