Solved

Query LDAP on a W2003 Active Directory domain from a standalone machine

Posted on 2008-06-20
1,069 Views
Last Modified: 2010-04-21
I'm on contract with a client that runs a large Windows 2003 Active Directory domain. My laptop is not a member of the domain, and I am not permitted to join it to the domain. I do, however, have a direct connection inside the corporate firewall. I can do most things just fine, but I need to be able to query Active Directory users in a VBScript. My script uses LDAP, and executes perfectly from a machine that is joined to the domain. From my laptop, however, it gives me "The specified domain either does not exist or could not be contacted." This happens right at the line shown in the code snippet.

I know that LDAP has no way of figuring out where the domain controller is because I'm not logged into the domain. I know the name and IP of a bunch of domain controllers, including two on my local 10. segment. I can ping them fine. Let's say one of them is called BigDogDC.foo.com. What are the LDAP commands I need to be able to run LDAP queries against it?
' get domain
Dim oRoot
Set oRoot = GetObject("LDAP://rootDSE")


Question by:lwebber
9 Comments
 
LVL 71

Expert Comment

by:Chris Dent
ID: 21834293

Hey,

There are a few things in your way here.

The first is finding the domain, that's easily fixed with:

Set oRoot = GetObject("LDAP://foo.com/RootDSE")

Or you can use the full DC name, rather than the Round Robin response on the foo.com name.

But then you have to authenticate, so we'll need OpenDSObject instead of just a simple GetObject as a direct connection.

e.g.

Set objDSO = GetObject("LDAP:")
Set objRootDSE = objDSO.OpenDSObject("LDAP://foo.com/RootDSE", strUsername, strPassword)

Remember that this only binds you for that object. If you wish to connect to other objects you must re-authenticate.

If you're performing large queries you will be better off using ADO. Need examples?

Chris
 
LVL 9

Author Comment

by:lwebber
ID: 21843435
A couple of ADO examples would be welcome. In particular, I want to look up users by last name + first name.
 
LVL 71

Expert Comment

by:Chris Dent
ID: 21853647

Fair enough :)

Here's the VbScript example. It'll search on either the givenName or sN values.

Chris

Const USER_NAME = "domain\user"
Const PASSWORD = "password"

Const LDAP_SERVER = "someserver"
Const BASE_NC = "DC=domain,DC=com"

' Echoes the distinguishedName of every user whose givenName or sN matches.
' Naming the server in the ADsPath is what lets this run from a machine that
' is not joined to the domain; the credentials travel on the ADO connection.
Function FindUsers(strGivenName, strSN)
    Const ADS_SCOPE_SUBTREE = 2

    Dim objConnection, objCommand, objRecordSet

    ' Create Connection to Target Domain to generate list of Users
    Set objConnection = CreateObject("ADODB.Connection")
    objConnection.Provider = "ADsDSOObject"
    objConnection.Properties("User ID") = USER_NAME
    objConnection.Properties("Password") = PASSWORD
    objConnection.Open "Active Directory Provider"

    Set objCommand = CreateObject("ADODB.Command")
    objCommand.ActiveConnection = objConnection

    ' SQL dialect query against the named server and naming context
    objCommand.CommandText = "SELECT givenName, sN, distinguishedName FROM " & _
        "'LDAP://" & LDAP_SERVER & "/" & BASE_NC & "' " & _
        "WHERE objectClass='user' AND objectCategory='person'"

    objCommand.Properties("Page Size") = 1000
    objCommand.Properties("Timeout") = 600
    objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
    objCommand.Properties("Cache Results") = False

    Set objRecordSet = objCommand.Execute

    ' Every user comes back; the name comparison is done here, client side
    Do While Not objRecordSet.EOF
        If objRecordSet.Fields("givenName").Value = strGivenName Or _
                objRecordSet.Fields("sN").Value = strSN Then

            WScript.Echo objRecordSet.Fields("distinguishedName").Value

        End If

        objRecordSet.MoveNext
    Loop

    objConnection.Close

    Set objRecordSet = Nothing
    Set objCommand = Nothing
    Set objConnection = Nothing
End Function

FindUsers "Bob", "Jones"



 
LVL 71

Accepted Solution

by:Chris Dent (earned 2000 total points)
ID: 21853826

Now we've had that, I wanted to introduce a better (okay, that's my opinion, you can judge for yourself :)) idea.

Download and Install PowerShell:

http://www.microsoft.com/windowsserver2003/technologies/management/powershell/default.mspx

Download and Install the Quest PowerShell tools (they're free):

http://www.quest.com/powershell/

Then discard the script above and we'll introduce some PowerShell.

First, connecting to a remote domain (copy and paste this in):

Connect-QADService -Service (Read-Host "Enter LDAP Server") `
      -ConnectionAccount (Read-Host -prompt "Enter Username") `
      -ConnectionPassword (Read-Host -prompt `
            "Enter Password" -asSecureString)

It'll prompt for the server name, a username (domain\username) and password.

If the connection succeeds you should get this back:

DefaultNamingContext                    Type
--------------------                    ----
DC=domain,DC=com                        ActiveDirectory

With that you can use Get-QADUser, or any of the other cmdlets. For example:

Get-QADUser -FirstName "Chris"

It's extremely powerful, to see the full set of options run:

Get-Help Get-QADUser -full | more

You can construct simple queries on just about anything, and it'll let you use LDAP filters if you want more advanced things.

Basically, if you're looking for tools to get information from a domain you would be much better off with this.

Chris
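As an added example, not from this thread, the Quest tools or any project, here is the same explicit-server, explicit-credential connection Chris describes in his first comment and in the accepted answer, done with only the System.DirectoryServices classes that ship with the .NET Framework, so it needs no Quest cmdlets and pushes the givenName/sn match to the DC instead of filtering every user client side as the VBScript does. It assumes the DC BigDogDC.foo.com from the question, a naming context of DC=foo,DC=com, and the function names Find-AdUser and ConvertTo-LdapFilterValue are mine.

```powershell
# Added example, not from the thread. Assumes the DC BigDogDC.foo.com from the
# question and a naming context of DC=foo,DC=com; the function names are mine.
function ConvertTo-LdapFilterValue([string]$Value) {
    # RFC 4515 escaping so a name taken from input cannot alter the filter
    # structure (LDAP filter injection). Backslash has to be handled first.
    $v = $Value.Replace('\', '\5c')
    $v = $v.Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
    return $v.Replace("`0", '\00')
}

function Find-AdUser {
    param(
        [Parameter(Mandatory = $true)][string]$Server,   # FQDN of a reachable DC
        [Parameter(Mandatory = $true)][string]$BaseDN,   # e.g. DC=foo,DC=com
        [Parameter(Mandatory = $true)]
        [System.Management.Automation.PSCredential]$Credential,  # domain\user
        [string]$GivenName,
        [string]$Surname
    )
    # Secure = Negotiate (Kerberos/NTLM) rather than a cleartext simple bind;
    # Sealing and Signing encrypt and integrity-protect the LDAP session.
    $auth = [System.DirectoryServices.AuthenticationTypes]'Secure,Sealing,Signing'

    # Naming the DC in the ADsPath avoids the serverless LDAP://rootDSE bind
    # that fails from a machine that is not a domain member.
    $root = New-Object System.DirectoryServices.DirectoryEntry -ArgumentList @(
        "LDAP://$Server/$BaseDN", $Credential.UserName,
        $Credential.GetNetworkCredential().Password, $auth)

    # Let the DC apply the name filter rather than pulling every user back.
    $filter = '(objectCategory=person)(objectClass=user)'
    if ($GivenName) { $filter += "(givenName=$(ConvertTo-LdapFilterValue $GivenName))" }
    if ($Surname)   { $filter += "(sn=$(ConvertTo-LdapFilterValue $Surname))" }

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = $root
    $searcher.Filter      = "(&$filter)"
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
    $searcher.PageSize    = 1000
    $searcher.PropertiesToLoad.AddRange([string[]]('givenName', 'sn', 'distinguishedName'))

    $results = $searcher.FindAll()
    try {
        foreach ($r in $results) {
            [pscustomobject]@{
                GivenName = [string]@($r.Properties['givenname'])[0]
                Surname   = [string]@($r.Properties['sn'])[0]
                DN        = [string]@($r.Properties['distinguishedname'])[0]
            }
        }
    } finally { $results.Dispose() }
}

Find-AdUser -Server 'BigDogDC.foo.com' -BaseDN 'DC=foo,DC=com' `
    -Credential (Get-Credential 'foo\username') -GivenName 'Bob' -Surname 'Jones'
```

The password is only ever held in the PSCredential and never written into the script, and the resulting filter for the sample call is (&(objectCategory=person)(objectClass=user)(givenName=Bob)(sn=Jones)).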
 
LVL 71

Expert Comment

by:Chris Dent
ID: 21853835

Now we've had that, I wanted to introduce a better idea (okay, that's my opinion, you can judge for yourself :)).

Download and Install PowerShell:

http://www.microsoft.com/windowsserver2003/technologies/management/powershell/default.mspx

Download and Install the Quest PowerShell tools (they're free):

http://www.quest.com/powershell/

Then discard the script above and we'll introduce some PowerShell.

First, connecting to a remote domain (copy and paste this in):

Connect-QADService -Service (Read-Host "Enter LDAP Server") `
      -ConnectionAccount (Read-Host -prompt "Enter Username") `
      -ConnectionPassword (Read-Host -prompt `
            "Enter Password" -asSecureString)

It'll prompt for the server name, a username (domain\username) and password.

If the connection succeeds you should get this back:

DefaultNamingContext                    Type
--------------------                    ----
DC=domain,DC=com                        ActiveDirectory

With that you can use Get-QADUser, or any of the other cmdlets. For example:

Get-QADUser -FirstName "Chris"

It's extremely powerful, to see the full set of options run:

Get-Help Get-QADUser -full | more

You can construct simple queries on just about anything, and it'll let you use LDAP filters if you want more advanced things.

Basically, if you're looking for tools to get information from a domain you would be much better off with this. It does take a bit of getting used to, but the time invested there will save hours of modifying VbScripts.

Chris
 
LVL 71

Expert Comment

by:Chris Dent
ID: 21853841

oops, duplicate posting... always good... Not much difference between the two anyway.

Chris
 
LVL 18

Expert Comment

by:BSonPosh
ID: 21854934
@Chris: I'm so very proud :)

@OP: As a side note, I am not sure what you mean by large, but if you do have a large domain (50k+) then you would benefit from my recent blog series here.
http://bsonposh.com/archives/tag/s.ds.p

This code could be easily adjusted for authentication.
 
LVL 71

Expert Comment

by:Chris Dent
ID: 21855065

Switching from VbScript / ASP to PowerShell / VB .NET / C# .NET has been a good choice. Even if it leaves me scratching my head sometimes :)

Chris
 
LVL 9

Author Closing Comment

by:lwebber
ID: 31469295
Thanks, Chris
