• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1073
  • Last Modified:

Query LDAP on a W2003 Active Directory domain from a standalone machine

I'm on contract with a client that runs a large Windows 2003 Active Directory domain. My laptop is not a member of the domain, and I am not permitted to join it to the domain. I do, however, have a direct connection inside the corporate firewall. I can do most things just fine, but I need to be able to query Active Directory users in a VBScript. My script uses LDAP, and executes perfectly from a machine that is joined to the domain. From my laptop, however, it gives me "The specified domain either does not exist or could not be contacted." This happens right at the line shown in the code snippet.

I know that LDAP has no way of figuring out where the domain controller is because I'm not logged into the domain. I know the name and IP of a bunch of domain controllers, including two on my local 10. segment. I can ping them fine. Let's say one of them is called BigDogDC.foo.com. What are the LDAP commands I need to be able run LDAP queries against it?
' get domain
    Dim oRoot
    Set oRoot = GetObject("LDAP://rootDSE")

Open in new window

0
lwebber
Asked:
lwebber
  • 6
  • 2
1 Solution
 
Chris DentPowerShell DeveloperCommented:

Hey,

There are a few things in your way here.

The first is finding the domain, that's easily fixed with:

Set oRoot = GetObject("LDAP://foo.com/RootDSE")

Or you can use the full DC name, rather than the Round Robin response on the foo.com name.

But then you have to Authenticate so we'll need OpenDSObject instead of just a simple GetObject as a direct connection.

e.g.

Set objDSO = GetObject("LDAP:")
Set objRootDSE = objDSO.OpenDSObject("LDAP://foo.com/RootDSE", strUsername, strPassword)

Remember that only binds you for that object. If you wish extra object connections you must re-authenticate.

If you're performing large queries you will be better using ADO. Need examples?

Chris
0
 
lwebberAuthor Commented:
A couple of ADO examples would be welcome. In particular, I want to look up users by last name + first name.
0
 
Chris DentPowerShell DeveloperCommented:

Fair enough :)

Here's the VbScript example. It'll search on either the givenName or sN values.

Chris

Const USER_NAME = "domain\user"
Const PASSWORD = "password"
 
Const LDAP_SERVER = "someserver"
Const BASE_NC = "DC=domain,DC=com"
 
Function FindUsers(strGivenName, strSN)
	Const ADS_SCOPE_SUBTREE = 2
 
	Dim objConnection, objCommand, objRecordSet
	Dim strUsername, strDisplayName, strDN
 
	' Create Connection to Target Domain to generate list of Users
 
	Set objConnection = CreateObject("ADODB.Connection")
	objConnection.Provider = "ADsDSOObject"
	objConnection.Properties("User ID") = USER_NAME
	objConnection.Properties("Password") = PASSWORD
	objConnection.Open "Active Directory Provider"
		
	Set objCommand = CreateObject("ADODB.Command")
	objCommand.ActiveConnection = objConnection
 
	objCommand.CommandText = "SELECT givenName, sN, distinguishedName FROM " &_
		"'LDAP://" & LDAP_SERVER & "/" & BASE_NC & "' " &_
		"WHERE objectClass='user' AND objectCategory='person'"
 
	objCommand.Properties("Page Size") = 1000
	objCommand.Properties("Timeout") = 600
	objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
	objCommand.Properties("Cache Results") = False
 
	Set objRecordSet = objCommand.Execute
 
	Do While Not objRecordSet.EOF
		If objRecordSet.Fields("givenName").Value = strGivenName Or _
				objRecordSet.Fields("sN").Value = strSN Then
 
			WScript.Echo objRecordSet.Fields("distinguishedName")
 
		End If
 
		objRecordSet.MoveNext
	Loop
	
	objConnection.Close
	
	Set objRecordSet = Nothing
	Set objCommand = Nothing
	Set objConnection = Nothing
End Function
 
FindUsers "Bob", "Jones"

Open in new window

0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 
Chris DentPowerShell DeveloperCommented:

Now we've had that, I wanted to introduce a better (okay, that's my opinion, you can judge for yourself :)) idea.

Download and Install PowerShell:

http://www.microsoft.com/windowsserver2003/technologies/management/powershell/default.mspx

Download and Install the Quest PowerShell tools (they're free):

http://www.quest.com/powershell/

The discard the script above and we'll introduce some PowerShell.

First, connecting to a remote domain (copy and paste this in):

Connect-QADService -Service (Read-Host "Enter LDAP Server") `
      -ConnectionAccount (Read-Host -prompt "Enter Username") `
      -ConnectionPassword (Read-Host -prompt `
            "Enter Password" -asSecureString)

It'll prompt for the server name, a username (domain\username) and password.

If the connection succeeds you should get this back:

DefaultNamingContext                    Type
--------------------                               ----
DC=domain,DC=com                        ActiveDirectory

With that you can use Get-QADUser, or any of the other cmdlets. For example:

Get-QADUser -FirstName "Chris"

It's extremely powerful, to see the full set of options run:

Get-Help Get-QADUser -full | more

You can construct simple queries on just about anything, and it'll let you use LDAP filters if you want more advanced things.

Basically, if you're looking for tools to get information from a domain you would be much better off with this.

Chris
0
 
Chris DentPowerShell DeveloperCommented:

Now we've had that, I wanted to introduce a better idea (okay, that's my opinion, you can judge for yourself :)).

Download and Install PowerShell:

http://www.microsoft.com/windowsserver2003/technologies/management/powershell/default.mspx

Download and Install the Quest PowerShell tools (they're free):

http://www.quest.com/powershell/

The discard the script above and we'll introduce some PowerShell.

First, connecting to a remote domain (copy and paste this in):

Connect-QADService -Service (Read-Host "Enter LDAP Server") `
      -ConnectionAccount (Read-Host -prompt "Enter Username") `
      -ConnectionPassword (Read-Host -prompt `
            "Enter Password" -asSecureString)

It'll prompt for the server name, a username (domain\username) and password.

If the connection succeeds you should get this back:

DefaultNamingContext                    Type
--------------------                               ----
DC=domain,DC=com                        ActiveDirectory

With that you can use Get-QADUser, or any of the other cmdlets. For example:

Get-QADUser -FirstName "Chris"

It's extremely powerful, to see the full set of options run:

Get-Help Get-QADUser -full | more

You can construct simple queries on just about anything, and it'll let you use LDAP filters if you want more advanced things.

Basically, if you're looking for tools to get information from a domain you would be much better off with this. It does take a bit of getting used to, but the time invested there will save hours of modifying VbScripts.

Chris
0
 
Chris DentPowerShell DeveloperCommented:

oops, duplicate posting... always good... Not much difference between the two anyway.

Chris
0
 
BSonPoshCommented:
@Chris: I'm so very proud :)

@OP: As a side note. I am not sure what you mean by large, but if you do have a large domain (50k+)  then you would benefit from my recent blog series here.
http://bsonposh.com/archives/tag/s.ds.p

This code could be easily adjusted for authentication.
0
 
Chris DentPowerShell DeveloperCommented:

Switching from VbScript / ASP to PowerShell / VB .NET / C# .NET has been a good choice. Even if it leaves me scratching my head sometimes :)

Chris
0
 
lwebberAuthor Commented:
Thanks, Chris
0

Featured Post

Configuration Guide and Best Practices

Read the guide to learn how to orchestrate Data ONTAP, create application-consistent backups and enable fast recovery from NetApp storage snapshots. Version 9.5 also contains performance and scalability enhancements to meet the needs of the largest enterprise environments.

  • 6
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now