Contact Info

contact@activexperts.com +31 74 8507807

Crumbtrail

ActiveXperts.com » Administration » VBScript Collection » Users and Groups » OUs

Scripts to manage OUs

Assigning a New Group Policy Link to an OU
Changing the Manager of an OU
Clearing COM+ Attributes from a User Account
Clearing the COM+ Partition Link Set of an OU
Clearing the General Properties of an OU
Clearing the Group Policy Links Assigned to an OU
Creating an OU
Creating an OU in an Existing OU
Deleting an OU
Enumerating COM+ Partition Sets
Identifying the Owner of an OU
Modifying the COM+ Partition Set Link of an OU
Modifying the General Properties of an OU
Reading COM+ Partition Information for a Domain
Reading the COM+ Properties of an OU
Reading the Security Descriptor for an OU
Reading the System Access Control List of an OU
Removing an OU Manager
Returning the Attributes of the organizationalUnit Class
Returning the General Properties of an OU
Returning Group Policy Information for an OU
Returning Managed By Information for an OU
Returning the Properties of an OU Object

Assigning a New Group Policy Link to an OU


Assigns the Group Policy link Sales Policy to the Sales OU in Active Directory.
On Error Resume Next
Set objContainer = GetObject _
   ("LDAP://ou=Sales,dc=NA,dc=fabrikam,dc=com") 
 
strExistingGPLink = objContainer.Get("gPLink")
 
strGPODisplayName = "Sales Policy"
strGPOLinkOptions = 2
strNewGPLink = "[" & GetGPOADsPath & ";" & strGPOLinkOptions & "]"
 
objContainer.Put "gPLink", strExistingGPLink & strNewGPLink
objContainer.Put "gPOptions", "0"
 
objContainer.SetInfo
 
Function GetGPOADsPath
  Set objConnection = CreateObject("ADODB.Connection")  
  objConnection.Open "Provider=ADsDSOObject;"   
 
  Set objCommand = CreateObject("ADODB.Command")
  objCommand.ActiveConnection = objConnection
 
  objCommand.CommandText = _
  "<LDAP://cn=Policies,cn=System,dc=NA,dc=fabrikam,dc=com>;;" & _
  "distinguishedName,displayName;onelevel"
  Set objRecordSet = objCommand.Execute
 
  While Not objRecordSet.EOF
    If objRecordSet.Fields("displayName") = strGPODisplayName Then
      GetGPOADsPath = "LDAP://" & objRecordSet.Fields("distinguishedName")
      objConnection.Close
      Exit Function
    End If
    objRecordSet.MoveNext
  Wend
  objConnection.Close
End Function

Changing the Manager of an OU


Assigns the user account AkersKim as manager of the Sales OU in Active Directory. 
Set objContainer = GetObject _
  ("LDAP://ou=Sales,dc=NA,dc=fabrikam,dc=com")
 
objContainer.Put "managedBy", "cn=AkersKim,ou=Sales,dc=NA,dc=fabrikam,dc=com"
objContainer.SetInfo

Clearing COM+ Attributes from a User Account


Removes all information from the msCOM-UserPartitionSetLink attribute of the MyerKen user account in Active Directory.
Const ADS_PROPERTY_CLEAR = 1 
 
Set objUser = GetObject _
    ("LDAP://cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com")
objUser.PutEx ADS_PROPERTY_CLEAR, "msCOM-UserPartitionSetLink", 0
objUser.SetInfo

Clearing the COM+ Partition Link Set of an OU


Removes the COM+ partition link set assigned to the Sales OU in Active Directory. 
Const ADS_PROPERTY_CLEAR = 1 
Set objContainer = GetObject _
  ("LDAP://ou=Sales,dc=NA,dc=fabrikam,dc=com")
 
objContainer.PutEx ADS_PROPERTY_CLEAR, "msCOM-UserPartitionSetLink", 0
 
objContainer.SetInfo

Clearing the General Properties of an OU


Modifies the attribute values found on the General Properties page in Active Directory Users and Computers for an OU named Sales. 
Const ADS_PROPERTY_CLEAR = 1 
Set objContainer = GetObject _
  ("LDAP://ou=Sales,dc=NA,dc=fabrikam,dc=com")
 
objContainer.PutEx ADS_PROPERTY_CLEAR, "description", 0
objContainer.PutEx ADS_PROPERTY_CLEAR, "street", 0
objContainer.PutEx ADS_PROPERTY_CLEAR, "l", 0
objContainer.PutEx ADS_PROPERTY_CLEAR, "st", 0
objContainer.PutEx ADS_PROPERTY_CLEAR, "postalCode", 0
objContainer.PutEx ADS_PROPERTY_CLEAR, "c", 0
objContainer.SetInfo

Clearing the Group Policy Links Assigned to an OU


Removes all the Group Policy links assigned to the Sales OU in Active Directory. 
Const ADS_PROPERTY_CLEAR = 1 
 
Set objContainer = GetObject _
  ("LDAP://ou=Sales,dc=NA,dc=fabrikam,dc=com")
objContainer.PutEx ADS_PROPERTY_CLEAR, "gPLink", 0
objContainer.PutEx ADS_PROPERTY_CLEAR, "gPOptions", 0
objContainer.SetInfo

Creating an OU


Creates a new organizational unit within Active Directory. 
Set objDomain = GetObject("LDAP://dc=fabrikam,dc=com")
Set objOU = objDomain.Create("organizationalUnit", "ou=Management")
objOU.SetInfo

Creating an OU in an Existing OU


Creates a new organizational unit (OU2) in an existing organizational unit (OU1).
Set objOU1 = GetObject("LDAP://ou=OU1,dc=na,dc=fabrikam,dc=com")
Set objOU2 = objOU1.Create("organizationalUnit", "ou=OU2")
objOU2.SetInfo

Deleting an OU


Deletes an organizational unit named HR from the hypothetical domain fabrikam.com. 
Set objDomain = GetObject("LDAP://dc=fabrikam,dc=com")
objDomain.Delete "organizationalUnit", "ou=hr"

Enumerating COM+ Partition Sets


Returns a list of Active Directory COM+ partition sets. 
Set objCOMPartitionSets = GetObject _
  ("LDAP://cn=ComPartitionSets,cn=System,dc=NA,dc=fabrikam,dc=com")
 
For Each objPartitionSet in objCOMPartitionSets
  WScript.Echo objPartitionSet.Name
Next

Identifying the Owner of an OU


Returns the owner of the Sales OU in Active Directory.
Set objContainer = GetObject _
  ("LDAP://ou=Sales,dc=NA,dc=fabrikam,dc=com")
 
Set objNtSecurityDescriptor = objContainer.Get("ntSecurityDescriptor")
 
WScript.Echo "Owner Tab"
WScript.Echo "Current owner of this item: " & objNtSecurityDescriptor.Owner

Modifying the COM+ Partition Set Link of an OU


Assigns the COM+ partition set PartitionSet1 to the Sales OU in Active Directory.
Set objContainer = GetObject _
  ("LDAP://ou=Sales,dc=NA,dc=fabrikam,dc=com")
 
objContainer.Put "msCOM-UserPartitionSetLink", _
  "cn=PartitionSet1,cn=ComPartitionSets,cn=System,dc=NA,dc=fabrikam,dc=com"
 
objContainer.SetInfo

Modifying the General Properties of an OU


Modifies the attribute values found on the General Properties page in Active Directory Users and Computers for an OU named Sales.
Const ADS_PROPERTY_UPDATE = 2
Set objContainer = GetObject _
  ("LDAP://ou=Sales,dc=NA,dc=fabrikam,dc=com")
 
objContainer.Put "street", "Building 43" & vbCrLf & "One Microsoft Way"
objContainer.Put "l", "Redmond"
objContainer.Put "st", "Washington"
objContainer.Put "postalCode", "98053"
objContainer.Put "c", "US"
 
objContainer.PutEx ADS_PROPERTY_UPDATE, _
    "description", Array("Sales staff")
    
objContainer.SetInfo

Reading COM+ Partition Information for a Domain


Returns COM+ partition information for the domain na.fabrikam.com.
Set objCOMPartitionSets = GetObject _
    ("LDAP://cn=ComPartitionSets,cn=System,dc=NA,dc=fabrikam,dc=com")
 
For Each objPartitionSet in objCOMPartitionSets
    WScript.Echo objPartitionSet.Name
Next

Reading the COM+ Properties of an OU


Returns information about the COM+ properties configured for the Sales OU in Active Directory. 
On Error Resume Next
Set objContainer = GetObject _
  ("LDAP://ou=Sales,dc=NA,dc=fabrikam,dc=com")
 
strMsCOMUserPartitionSetLink = objContainer.Get("msCOM-UserPartitionSetLink")
 
WScript.Echo "ms-COMUserPartitionSetLink: " & strMsCOMUserPartitionSetLink

Reading the Security Descriptor for an OU


Returns the information found on the security descriptor for the Sales OU in Active Directory. 
Const SE_DACL_PROTECTED = &H1000 
 
Set objContainer = GetObject _
  ("LDAP://ou=Sales,dc=NA,dc=fabrikam,dc=com")
 
Set objNtSecurityDescriptor = objContainer.Get("ntSecurityDescriptor")
 
intNtSecurityDescriptorControl = objNtSecurityDescriptor.Control
 
WScript.Echo "Permissions Tab"
WScript.StdOut.WriteLine "Allow inheritable permissions from the parent to"
WScript.StdOut.Write "propogate to this object and all child objects "
If (intNtSecurityDescriptorControl And SE_DACL_PROTECTED) Then
    Wscript.Echo "is disabled."
Else
    WScript.Echo "is enabled."
End If
WScript.Echo VbCr
 
Set objDiscretionaryAcl = objNtSecurityDescriptor.DiscretionaryAcl
DisplayAceInformation objDiscretionaryAcl, "DACL"
 
Sub DisplayAceInformation(SecurityStructure, strType)
    Const ADS_ACETYPE_ACCESS_ALLOWED = &H0 
    Const ADS_ACETYPE_ACCESS_DENIED = &H1 
    Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &H5 
    Const ADS_ACETYPE_ACCESS_DENIED_OBJECT = &H6 
    intAceCount = 0
    For Each objAce In SecurityStructure
        strTrustee = Mid(objAce.Trustee,1,12)
        If StrComp(strTrustee, "NT AUTHORITY", 1) <> 0 Then
            intAceCount = intAceCount + 1
            WScript.Echo strType & " permission entry: " & intAceCount
            WScript.Echo "Name: " & objAce.Trustee
 
            intAceType = objAce.AceType
        If (intAceType = ADS_ACETYPE_ACCESS_ALLOWED Or _
            intAceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT) Then
            WScript.Echo "Type: Allow Access"
        ElseIf (intAceType = ADS_ACETYPE_ACCESS_DENIED Or _
            intAceType = ADS_ACETYPE_ACCESS_DENIED_OBJECT) Then
            WScript.StdOut.Write "Type: Deny Acess"
        Else
            WScript.Echo "Acess Type Unknown."
        End If
        ReadBitsInAccessMask(objAce.AccessMask)
        WScript.Echo VbCr
      End If
    Next
End Sub
 
Sub ReadBitsInAccessMask(AccessMask)
    Const ADS_RIGHT_DELETE = &H10000
    Const ADS_RIGHT_READ_CONTROL = &H20000
    Const ADS_RIGHT_WRITE_DAC = &H40000
    Const ADS_RIGHT_WRITE_OWNER = &H80000
    Const ADS_RIGHT_DS_CREATE_CHILD = &H1
    Const ADS_RIGHT_DS_DELETE_CHILD = &H2
    Const ADS_RIGHT_ACTRL_DS_LIST = &H4
    Const ADS_RIGHT_DS_SELF = &H8
    Const ADS_RIGHT_DS_READ_PROP = &H10
    Const ADS_RIGHT_DS_WRITE_PROP = &H20
    Const ADS_RIGHT_DS_DELETE_TREE = &H40
    Const ADS_RIGHT_DS_LIST_OBJECT = &H80
    Const ADS_RIGHT_DS_CONTROL_ACCESS = &H100
 
    WScript.Echo VbCrLf & "Standard Access Rights"
    If (AccessMask And ADS_RIGHT_DELETE) Then _
        WScript.Echo vbTab & "-Delete an object."
    If (AccessMask And ADS_RIGHT_READ_CONTROL) Then _
        WScript.Echo vbTab & "-Read permissions."
    If (AccessMask And ADS_RIGHT_WRITE_DAC) Then _
        WScript.Echo vbTab & "-Write permissions."
    If (AccessMask And ADS_RIGHT_WRITE_OWNER) Then _
        WScript.Echo vbTab & "-Modify owner."
  
    WScript.Echo VbCrLf & "Directory Service Specific Access Rights"
    If (AccessMask And ADS_RIGHT_DS_CREATE_CHILD) Then _
      WScript.Echo vbTab & "-Create child objects."
    If (AccessMask And ADS_RIGHT_DS_DELETE_CHILD) Then _
        WScript.Echo vbTab & "-Delete child objects."
    If (AccessMask And ADS_RIGHT_ACTRL_DS_LIST) Then _
        WScript.Echo vbTab & "-Enumerate an object."
    If (AccessMask And ADS_RIGHT_DS_READ_PROP) Then _
        WScript.Echo vbTab & "-Read the properties of an object."
    If (AccessMask And ADS_RIGHT_DS_WRITE_PROP) Then _
        WScript.Echo vbTab & "-Write the properties of an object."
    If (AccessMask And ADS_RIGHT_DS_DELETE_TREE) Then _
        WScript.Echo vbTab & "-Delete a tree of objects"
    If (AccessMask And ADS_RIGHT_DS_LIST_OBJECT) Then _
        WScript.Echo vbTab & "-List a tree of objects."
 
    WScript.Echo VbCrLf & "Control Access Rights"
    If (AccessMask And ADS_RIGHT_DS_CONTROL_ACCESS) + _
        (AccessMask And ADS_RIGHT_DS_SELF) = 0 Then
          WScript.Echo "-None"
      Else 
      If (AccessMask And ADS_RIGHT_DS_CONTROL_ACCESS) Then _
          WScript.Echo vbTab & "-Extended access rights."
      If (AccessMask And ADS_RIGHT_DS_SELF) Then
          WScript.Echo vbTab & "-Active Directory must validate a property "
          WScript.Echo vbTab & " write operation beyond the schema definition "
          WScript.Echo vbTab & " for the attribute."
      End If
    End If
End Sub

Reading the System Access Control List of an OU


Returns information found on the System Access Control List (SACL) for the Sales OU in Active Directory. 
Const SE_SACL_PROTECTED = &H2000 
Const ADS_SECURITY_INFO_OWNER = &H1 
Const ADS_SECURITY_INFO_GROUP = &H2
Const ADS_OPTION_SECURITY_MASK =&H3
Const ADS_SECURITY_INFO_DACL = &H4 
Const ADS_SECURITY_INFO_SACL = &H8
 
Set objContainer = GetObject _
  ("LDAP://ou=Sales,dc=NA,dc=fabrikam,dc=com")
 
objContainer.SetOption ADS_OPTION_SECURITY_MASK, ADS_SECURITY_INFO_OWNER _
  Or ADS_SECURITY_INFO_GROUP Or ADS_SECURITY_INFO_DACL _
  Or ADS_SECURITY_INFO_SACL
  
Set objNtSecurityDescriptor = objContainer.Get("ntSecurityDescriptor")
 
intNtSecurityDescriptorControl = objNtSecurityDescriptor.Control
 
WScript.Echo "Auditing Tab"
WScript.StdOut.WriteLine "Allow inheritable auditing entries from" & _ 
  "the parent to "
WScript.StdOut.Write "propogate to this object and all child objects "
If (intNtSecurityDescriptorControl And SE_SACL_PROTECTED) Then
  Wscript.Echo "is disabled."
Else
  WScript.Echo "is enabled."
End If
WScript.Echo VbCr
 
Set objSacl = objNtSecurityDescriptor.SystemAcl
DisplayAceInformation objSacl, "SACL"
 
Sub DisplayAceInformation(SecurityStructure, strType)
  Const ADS_ACETYPE_SYSTEM_AUDIT = &H2 
  Const ADS_ACETYPE_SYSTEM_AUDIT_OBJECT = &H7 
  
  intAceCount = 0
  For Each objAce In SecurityStructure
    strTrustee = Mid(objAce.Trustee,1,12)
    If StrComp(strTrustee, "NT AUTHORITY", 1) <> 0 Then
      intAceCount = intAceCount + 1
      WScript.Echo strType & " permission entry: " & intAceCount
      WScript.Echo "Name: " & objAce.Trustee
 
      intAceType = objAce.AceType
      WScript.Echo "ACETYPE IS: " & intAceType
      If (intAceType = ADS_ACETYPE_SYSTEM_AUDIT or _
       intAceType = ADS_ACETYPE_SYSTEM_AUDIT_OBJECT) Then
        WScript.StdOut.Write "Type: Success or Failure Audit"
      Else
        WScript.StdOut.Write "Audit Type Unknown."
      End If
      ReadBitsInAccessMask(objAce.AccessMask)
      WScript.Echo VbCr
    End If
  Next
End Sub
 
Sub ReadBitsInAccessMask(AccessMask)
  Const ADS_RIGHT_DELETE = &H10000
  Const ADS_RIGHT_READ_CONTROL = &H20000
  Const ADS_RIGHT_WRITE_DAC = &H40000
  Const ADS_RIGHT_WRITE_OWNER = &H80000
  Const ADS_RIGHT_DS_CREATE_CHILD = &H1
  Const ADS_RIGHT_DS_DELETE_CHILD = &H2
  Const ADS_RIGHT_ACTRL_DS_LIST = &H4
  Const ADS_RIGHT_DS_SELF = &H8
  Const ADS_RIGHT_DS_READ_PROP = &H10
  Const ADS_RIGHT_DS_WRITE_PROP = &H20
  Const ADS_RIGHT_DS_DELETE_TREE = &H40
  Const ADS_RIGHT_DS_LIST_OBJECT = &H80
  Const ADS_RIGHT_DS_CONTROL_ACCESS = &H100
 
  WScript.Echo VbCrLf & "Standard Access Rights"
  If (AccessMask And ADS_RIGHT_DELETE) Then _
    WScript.Echo vbTab & "-Delete an object."
  If (AccessMask And ADS_RIGHT_READ_CONTROL) Then _
    WScript.Echo vbTab & "-Read permissions."
  If (AccessMask And ADS_RIGHT_WRITE_DAC) Then _
    WScript.Echo vbTab & "-Write permissions."
  If (AccessMask And ADS_RIGHT_WRITE_OWNER) Then _
    WScript.Echo vbTab & "-Modify owner."
  
  WScript.Echo VbCrLf & "Directory Service Specific Access Rights"
  If (AccessMask And ADS_RIGHT_DS_CREATE_CHILD) Then _
    WScript.Echo vbTab & "-Create child objects."
  If (AccessMask And ADS_RIGHT_DS_DELETE_CHILD) Then _
    WScript.Echo vbTab & "-Delete child objects."
  If (AccessMask And ADS_RIGHT_ACTRL_DS_LIST) Then _
    WScript.Echo vbTab & "-Enumerate an object."
  If (AccessMask And ADS_RIGHT_DS_READ_PROP) Then _
    WScript.Echo vbTab & "-Read the properties of an object."
  If (AccessMask And ADS_RIGHT_DS_WRITE_PROP) Then _
    WScript.Echo vbTab & "-Write the properties of an object."
  If (AccessMask And ADS_RIGHT_DS_DELETE_TREE) Then _
    WScript.Echo vbTab & "-Delete a tree of objects"
  If (AccessMask And ADS_RIGHT_DS_LIST_OBJECT) Then _
    WScript.Echo vbTab & "-List a tree of objects."
 
  WScript.Echo VbCrLf & "Control Access Rights"
  If (AccessMask And ADS_RIGHT_DS_CONTROL_ACCESS) + _
    (AccessMask And ADS_RIGHT_DS_SELF) = 0 Then
    WScript.Echo "-None"
  Else 
    If (AccessMask And ADS_RIGHT_DS_CONTROL_ACCESS) Then _
      WScript.Echo vbTab & "-Extended access rights."
    If (AccessMask And ADS_RIGHT_DS_SELF) Then
      WScript.Echo vbTab & "-Active Directory must validate a property "
      WScript.Echo vbTab & " write operation beyond the schema definition "
      WScript.Echo vbTab & " for the attribute."
    End If
  End If
End Sub

Removing an OU Manager


Removes the manager entry for the Active Directory OU named Sales. When this group is run, the OU will no longer have an assigned manager.
Const ADS_PROPERTY_CLEAR = 1 
 
Set objContainer = GetObject _
  ("LDAP://ou=Sales,dc=NA,dc=fabrikam,dc=com")
objContainer.PutEx ADS_PROPERTY_CLEAR, "managedBy", 0
objContainer.SetInfo

Returning the Attributes of the organizationalUnit Class


Returns both the mandatory and optional attributes or the organizationalUnit class (as found in the Active Directory schema). This script must be run under CScript.
Set objOrganizationalUnitClass = _
  GetObject("LDAP://schema/organizationalUnit")
Set objSchemaClass = GetObject(objOrganizationalUnitClass.Parent)
 
i = 0
WScript.Echo "Mandatory attributes:"
For Each strAttribute in objOrganizationalUnitClass.MandatoryProperties
  i= i + 1
  WScript.StdOut.Write i & vbTab & strAttribute
  Set objAttribute = objSchemaClass.GetObject("Property",  strAttribute)
  WScript.StdOut.Write " (Syntax: " & objAttribute.Syntax & ")"
  If objAttribute.MultiValued Then
    WScript.Echo " Multivalued"
  Else
    WScript.Echo " Single-valued"
  End If
Next
 
WScript.Echo VbCrLf & "Optional attributes:"
For Each strAttribute in objOrganizationalUnitClass.OptionalProperties
  i= i + 1
  WScript.StdOut.Write i & vbTab & strAttribute
  Set objAttribute = objSchemaClass.GetObject("Property",  strAttribute)
  WScript.StdOut.Write " [Syntax: " & objAttribute.Syntax & "]"
  If objAttribute.MultiValued Then
    WScript.Echo " Multivalued"
  Else
    WScript.Echo " Single-valued"
  End If
Next

Returning the General Properties of an OU


Returns information found on the General Properties page in Active Directory Users and Computers for an OU named Sales.
On Error Resume Next
Set objContainer = GetObject _
  ("LDAP://ou=Sales,dc=NA,dc=fabrikam,dc=com")
 
strStreetAddress = objContainer.Get("street")
strLocalityName = objContainer.Get("l")
strStreetName = objContainer.Get("st")
strPostalCode = objContainer.Get("postalCode")
strCountryName = objContainer.Get("c")
 
strDescription = objContainer.GetEx("description")
 
For Each strValue in strDescription
  WScript.echo "description: " & strValue
Next
 
WScript.echo "streetAddress: " & strStreetAddress
WScript.echo "l: " & strLocalityName
WScript.echo "st: " & strStreetName
WScript.echo "postalCode: " & strPostalCode
WScript.echo "c: " & strCountryName

Returning Group Policy Information for an OU


Returns the values found on the Group Policy page in Active Directory Users and Computers for the Sales OU. 
On Error Resume Next
Set objContainer = GetObject _
  ("LDAP://ou=Sales,dc=NA,dc=fabrikam,dc=com")
 
strGpLink = objContainer.Get("gPLink")
intGpOptions = objContainer.Get("gPOptions")
 
If strGpLink <> " " Then
  arrGpLinkItems = Split(strGpLink,"]")
  For i = UBound(arrGPLinkItems) to LBound(arrGpLinkItems) + 1 Step -1
    arrGPLink = Split(arrGpLinkItems(i-1),";")
    strDNGPLink = Mid(arrGPLink(0),9)
    WScript.Echo GetGPOName
    Select Case arrGPLink(1)
      Case 0
        WScript.Echo "No Override is cleared and the GPO is enabled."
      Case 1
        WScript.Echo "No Override is cleared and the GPO is disabled."
      Case 2
        WScript.Echo "No Override is checked and the GPO is enabled."
      Case 3
        WScript.Echo "No Override is checked and the GPO is disabled."
    End Select
  Next
  WScript.Echo VbCrLf
End If
 
If intGpOptions = 1 Then
  WScript.Echo "Block Policy Inheritance is checked."
Else
  WScript.Echo "Block Policy Inheritance is not checked."
End If
    
Function GetGPOName
  Set objConnection = CreateObject("ADODB.Connection")  
  objConnection.Open "Provider=ADsDSOObject;"   
 
  Set objCommand = CreateObject("ADODB.Command")
  objCommand.ActiveConnection = objConnection
 
  objCommand.CommandText = _
  "<LDAP://cn=Policies,cn=System,dc=NA,dc=fabrikam,dc=com>;;" & _
  "distinguishedName,displayName;onelevel"
  Set objRecordSet = objCommand.Execute
 
  While Not objRecordSet.EOF
    If objRecordSet.Fields("distinguishedName") = strDNGPLink Then
      GetGPOName = objRecordSet.Fields("displayName")
      objConnection.Close
      Exit Function
    End If
    objRecordSet.MoveNext
  Wend
  objConnection.Close
End Function

Returning Managed By Information for an OU


Returns information about the account assigned as managed of the Sales OU in Active Directory. 
On Error Resume Next
 
Set objContainer = GetObject _
   ("LDAP://ou=Sales,dc=NA,dc=fabrikam,dc=com")
 
strManagedBy = objContainer.Get("managedBy")
 
If IsEmpty(strManagedBy) = TRUE Then
    WScript.Echo "No user account is assigned to manage " & _
    "this OU."
Else
    Set objUser = GetObject("LDAP://" & strManagedBy)
    strPhysicalDeliveryOfficeName = _
      objUser.Get("physicalDeliveryOfficeName")
    strStreetAddress = objUser.Get("streetAddress")
    strLocalityName = objUser.Get("l")
    strStateProvince = objUser.Get("st")
    strCountryName = objUser.Get("c")
    strTelephoneNumber = objUser.Get("telephoneNumber")
    strFacsimileTelephoneNumber = _
      objUser.Get("facsimileTelephoneNumber")
 
    WScript.Echo "managedBy: " & strManagedBy
    WScript.echo "physicalDeliveryOfficeName: " & _
      strPhysicalDeliveryOfficeName  
    WScript.echo "streetAddress: " & strStreetAddress
    WScript.echo "l: " & strLocalityName
    WScript.echo "state/province: " & strStateProvince
    WScript.echo "c: " & strCountryName
    WScript.echo "telephoneNumber: " & strTelephoneNumber
    WScript.echo "facsimileTelephoneNumber: " & _
      strFacsimileTelephoneNumber
End If

Returning the Properties of an OU Object


Returns information found on the Object page in Active Directory Users and Computers for the Sales OU. 
Set objContainer = GetObject _
   ("GC://ou=Sales,dc=NA,dc=fabrikam,dc=com")
 
strWhenCreated = objContainer.Get("whenCreated")
strWhenChanged = objContainer.Get("whenChanged")
 
Set objUSNChanged = objContainer.Get("uSNChanged")
dblUSNChanged = _
    Abs(objUSNChanged.HighPart * 2^32 + objUSNChanged.LowPart)
 
Set objUSNCreated = objContainer.Get("uSNCreated")
dblUSNCreated = _
    Abs(objUSNCreated.HighPart * 2^32 + objUSNCreated.LowPart)
 
objContainer.GetInfoEx Array("canonicalName"), 0
arrCanonicalName = objContainer.GetEx("canonicalName")
 
WScript.echo "CanonicalName of object:"
For Each strValue in arrCanonicalName
    WScript.echo vbTab & strValue
Next
WScript.Echo vbCr
 
WScript.Echo "Object class: " & objContainer.Class & vbCrLf
WScript.echo "whenCreated: " & strWhenCreated & " (Created - GMT)"
WScript.echo "whenChanged: " & strWhenChanged & " (Modified - GMT)"
WScript.Echo VbCrLf
WScript.Echo "uSNChanged: " & dblUSNChanged & " (USN Current)"
WScript.Echo "uSNCreated: " & dblUSNCreated & " (USN Original)"