Solved

Query LDAP on a W2003 Active Directory domain from a standalone machine

Posted on 2008-06-20
9
1,011 Views
Last Modified: 2010-04-21
I'm on contract with a client that runs a large Windows 2003 Active Directory domain. My laptop is not a member of the domain, and I am not permitted to join it to the domain. I do, however, have a direct connection inside the corporate firewall. I can do most things just fine, but I need to be able to query Active Directory users in a VBScript. My script uses LDAP, and executes perfectly from a machine that is joined to the domain. From my laptop, however, it gives me "The specified domain either does not exist or could not be contacted." This happens right at the line shown in the code snippet.

I know that LDAP has no way of figuring out where the domain controller is because I'm not logged into the domain. I know the name and IP of a bunch of domain controllers, including two on my local 10. segment. I can ping them fine. Let's say one of them is called BigDogDC.foo.com. What are the LDAP commands I need to be able run LDAP queries against it?
' get domain

    Dim oRoot

    Set oRoot = GetObject("LDAP://rootDSE")

Open in new window

0
Comment
Question by:lwebber
  • 6
  • 2
9 Comments
 
LVL 70

Expert Comment

by:Chris Dent
ID: 21834293

Hey,

There are a few things in your way here.

The first is finding the domain, that's easily fixed with:

Set oRoot = GetObject("LDAP://foo.com/RootDSE")

Or you can use the full DC name, rather than the Round Robin response on the foo.com name.

But then you have to Authenticate so we'll need OpenDSObject instead of just a simple GetObject as a direct connection.

e.g.

Set objDSO = GetObject("LDAP:")
Set objRootDSE = objDSO.OpenDSObject("LDAP://foo.com/RootDSE", strUsername, strPassword)

Remember that only binds you for that object. If you wish extra object connections you must re-authenticate.

If you're performing large queries you will be better using ADO. Need examples?

Chris
0
 
LVL 9

Author Comment

by:lwebber
ID: 21843435
A couple of ADO examples would be welcome. In particular, I want to look up users by last name + first name.
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 21853647

Fair enough :)

Here's the VbScript example. It'll search on either the givenName or sN values.

Chris


Const USER_NAME = "domain\user"

Const PASSWORD = "password"
 

Const LDAP_SERVER = "someserver"

Const BASE_NC = "DC=domain,DC=com"
 

Function FindUsers(strGivenName, strSN)

	Const ADS_SCOPE_SUBTREE = 2
 

	Dim objConnection, objCommand, objRecordSet

	Dim strUsername, strDisplayName, strDN
 

	' Create Connection to Target Domain to generate list of Users
 

	Set objConnection = CreateObject("ADODB.Connection")

	objConnection.Provider = "ADsDSOObject"

	objConnection.Properties("User ID") = USER_NAME

	objConnection.Properties("Password") = PASSWORD

	objConnection.Open "Active Directory Provider"

		

	Set objCommand = CreateObject("ADODB.Command")

	objCommand.ActiveConnection = objConnection
 

	objCommand.CommandText = "SELECT givenName, sN, distinguishedName FROM " &_

		"'LDAP://" & LDAP_SERVER & "/" & BASE_NC & "' " &_

		"WHERE objectClass='user' AND objectCategory='person'"
 

	objCommand.Properties("Page Size") = 1000

	objCommand.Properties("Timeout") = 600

	objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE

	objCommand.Properties("Cache Results") = False
 

	Set objRecordSet = objCommand.Execute
 

	Do While Not objRecordSet.EOF

		If objRecordSet.Fields("givenName").Value = strGivenName Or _

				objRecordSet.Fields("sN").Value = strSN Then
 

			WScript.Echo objRecordSet.Fields("distinguishedName")
 

		End If
 

		objRecordSet.MoveNext

	Loop

	

	objConnection.Close

	

	Set objRecordSet = Nothing

	Set objCommand = Nothing

	Set objConnection = Nothing

End Function
 

FindUsers "Bob", "Jones"

Open in new window

0
 
LVL 70

Accepted Solution

by:
Chris Dent earned 500 total points
ID: 21853826

Now we've had that, I wanted to introduce a better (okay, that's my opinion, you can judge for yourself :)) idea.

Download and Install PowerShell:

http://www.microsoft.com/windowsserver2003/technologies/management/powershell/default.mspx

Download and Install the Quest PowerShell tools (they're free):

http://www.quest.com/powershell/

The discard the script above and we'll introduce some PowerShell.

First, connecting to a remote domain (copy and paste this in):

Connect-QADService -Service (Read-Host "Enter LDAP Server") `
      -ConnectionAccount (Read-Host -prompt "Enter Username") `
      -ConnectionPassword (Read-Host -prompt `
            "Enter Password" -asSecureString)

It'll prompt for the server name, a username (domain\username) and password.

If the connection succeeds you should get this back:

DefaultNamingContext                    Type
--------------------                               ----
DC=domain,DC=com                        ActiveDirectory

With that you can use Get-QADUser, or any of the other cmdlets. For example:

Get-QADUser -FirstName "Chris"

It's extremely powerful, to see the full set of options run:

Get-Help Get-QADUser -full | more

You can construct simple queries on just about anything, and it'll let you use LDAP filters if you want more advanced things.

Basically, if you're looking for tools to get information from a domain you would be much better off with this.

Chris
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 21853835

Now we've had that, I wanted to introduce a better idea (okay, that's my opinion, you can judge for yourself :)).

Download and Install PowerShell:

http://www.microsoft.com/windowsserver2003/technologies/management/powershell/default.mspx

Download and Install the Quest PowerShell tools (they're free):

http://www.quest.com/powershell/

The discard the script above and we'll introduce some PowerShell.

First, connecting to a remote domain (copy and paste this in):

Connect-QADService -Service (Read-Host "Enter LDAP Server") `
      -ConnectionAccount (Read-Host -prompt "Enter Username") `
      -ConnectionPassword (Read-Host -prompt `
            "Enter Password" -asSecureString)

It'll prompt for the server name, a username (domain\username) and password.

If the connection succeeds you should get this back:

DefaultNamingContext                    Type
--------------------                               ----
DC=domain,DC=com                        ActiveDirectory

With that you can use Get-QADUser, or any of the other cmdlets. For example:

Get-QADUser -FirstName "Chris"

It's extremely powerful, to see the full set of options run:

Get-Help Get-QADUser -full | more

You can construct simple queries on just about anything, and it'll let you use LDAP filters if you want more advanced things.

Basically, if you're looking for tools to get information from a domain you would be much better off with this. It does take a bit of getting used to, but the time invested there will save hours of modifying VbScripts.

Chris
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 21853841

oops, duplicate posting... always good... Not much difference between the two anyway.

Chris
0
 
LVL 18

Expert Comment

by:BSonPosh
ID: 21854934
@Chris: I'm so very proud :)

@OP: As a side note. I am not sure what you mean by large, but if you do have a large domain (50k+)  then you would benefit from my recent blog series here.
http://bsonposh.com/archives/tag/s.ds.p

This code could be easily adjusted for authentication.
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 21855065

Switching from VbScript / ASP to PowerShell / VB .NET / C# .NET has been a good choice. Even if it leaves me scratching my head sometimes :)

Chris
0
 
LVL 9

Author Closing Comment

by:lwebber
ID: 31469295
Thanks, Chris
0

Join & Write a Comment

Starting in Windows Server 2008, Microsoft introduced the Group Policy Central Store. This automatically replicating location allows IT administrators to have the latest and greatest Group Policy (GP) configuration settings available. Let’s expl…
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

25 Experts available now in Live!

Get 1:1 Help Now