Reporting tool

Kathy

Can anyone suggest an Active Directory query or reporting
tool? In the active directory computers object is a tab
for Operating System. I would like to run a query or
report of all computers to find out which ones do not have
the latest service pack installed.
 
Simon Geary

You need to do an LDAP query for the OperatingSystemServicePack attribute.
There are many LDAP query tools that can find this, here is how to do it
with CSVDE.

csvde -f c:\servicepack.csv -r "(objectClass=computer)" -l "OperatingSystemServicePack"
 
Joe Richards [MVP]

You can do this with anything that does LDAP queries. Note you can only get SP
info, not hotfix info this way.

For instance you can use adfind from my free win32 tools web page at
www.joeware.net to run a query of all machines that are XP and don't have SP1 like

adfind -b dc=domain,dc=com -f "&(objectcategory=computer)(operatingsystem=Windows XP Professional)(!operatingsystemservicepack=Service Pack 1)" operatingsystem operatingsystemservicepack



Here is an example from test domain checking for SP2 on XP pro

[Tue 05/11/2004 14:50:59.50]
F:\temp>adfind -b dc=joe,dc=com -f "&(objectcategory=computer)(operatingsystem=Windows XP Professional)(!operatingsystemservicepack=Service Pack 2)" operatingsystem operatingsystemservicepack

AdFind V01.15.00cpp Joe Richards ([email protected]) April 2004

Using server: 2k3dc01.joe.com

dn:CN=fastmofo,CN=Computers,DC=joe,DC=com
operatingSystem: Windows XP Professional
operatingSystemServicePack: Service Pack 1


1 Objects returned

[Tue 05/11/2004 14:51:03.97]
F:\temp>
 
Cary Shultz [A.D. MVP]

Kathy,

Simon and Joe gave you very good answers. I would like to throw in two more
tools that you could use to do this so that you have as much information as
possible so that you can choose the best method for you.

ldifde is an older tool that you can use as well as the ds tools that are
new to WIN2003 ( and can be used in WIN2000 SP3 - IIRC - with a few
limitations ).

Here is an example of what you could do with ldifde to get a list of all the
computers ( well, those that have a computer account object ) with their
respective Service Pack levels in your environment:

ldifde -f computers.ldf -s yourdc.yourdomain.com -t 389 -d "DC=yourdomain,DC=com" -p subtree -r "(&(objectCategory=computer)(objectClass=user))" -l "DN,operatingSystem,operatingSystemVersion,operatingSystemServicePack"

This would give you an .ldf file called 'computers.ldf' with all of the
computer accounts in your domain, regardless of operating system or service
pack level. You would use NotePad to open it.

Now, if you wanted a list of all the computers that do not have WIN2000 Pro
SP4 ( but are running WIN2000 Pro ) then you would simply use the following:

ldifde -f notwin2ksp4.ldf -s yourdc.yourdomain.com -t 389 -d "DC=yourdomain,DC=com" -p subtree -r "(&(objectCategory=computer)(operatingSystem=Windows 2000 Professional)(!operatingSystemServicePack=Service Pack 4))" -l "DN,operatingSystem,operatingSystemVersion,operatingSystemServicePack"

That would take care of all computer accounts that are running WIN2000 Pro -
BUT - are not at SP4.

If you have WIN XP Professional systems as well and want to find all of the
computer accounts that are not at SP1 then you would need to alter this a
little bit so that it looks like this:

ldifde -f notwinxpsp1.ldf -s yourdc.yourdomain.com -t 389 -d "DC=yourdomain,DC=com" -p subtree -r "(&(objectCategory=computer)(operatingSystem=Windows XP Professional)(!operatingSystemServicePack=Service Pack 1))" -l "DN,operatingSystem,operatingSystemVersion,operatingSystemServicePack"

This would take care of all computer accounts that are running WIN XP Pro -
BUT - are not at SP1.

HTH,

Cary
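
An added example, not part of any reply in this thread: a Python script that reads an export like the computers.ldf file described above and reports machines below a per-OS service pack baseline in one pass. It compares levels numerically, so a machine above the baseline is not reported and one with no operatingSystemServicePack value counts as SP 0. Assumptions: the REQUIRED_SP table, the function names and the sample records are constructed here, and attribute values are plain text (base64 `attr::` values are not decoded).

```python
import re

# Assumed baseline, taken from the service pack levels used in this thread.
REQUIRED_SP = {"Windows 2000 Professional": 4, "Windows XP Professional": 1}

def parse_ldif(text):
    """Yield one dict per LDIF record, joining folded lines first."""
    # RFC 2849: a line that starts with one space continues the previous line.
    unfolded = re.sub(r"\r?\n ", "", text)
    for block in re.split(r"(?:\r?\n){2,}", unfolded.strip()):
        record = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            record[name.strip().lower()] = value.strip()
        if "dn" in record:
            yield record

def sp_level(value):
    """'Service Pack 2' -> 2; a missing attribute means no service pack -> 0."""
    match = re.search(r"Service Pack (\d+)", value or "")
    return int(match.group(1)) if match else 0

def below_baseline(text, required=REQUIRED_SP):
    """Return (dn, os, sp) for computers under the required SP for their OS."""
    findings = []
    for rec in parse_ldif(text):
        os_name = rec.get("operatingsystem")
        level = sp_level(rec.get("operatingsystemservicepack"))
        if os_name in required and level < required[os_name]:
            findings.append((rec["dn"], os_name, level))
    return findings

# Constructed sample in LDIF form; not real directory data.
SAMPLE = """\
dn: CN=PC-A,CN=Computers,DC=yourdomain,DC=com
operatingSystem: Windows XP Professional

dn: CN=PC-B,CN=Computers,DC=yourdomain,DC=com
operatingSystem: Windows XP Professional
operatingSystemServicePack: Service Pack 2

dn: CN=PC-C,CN=Computers,DC=yourdomain,DC=com
operatingSystem: Windows 2000 Professional
operatingSystemServicePack: Service
  Pack 3
"""

if __name__ == "__main__":
    for dn, os_name, level in below_baseline(SAMPLE):
        print(f"{dn}: {os_name} at SP{level}, needs SP{REQUIRED_SP[os_name]}")
```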
 
