lwebber
asked on
Query LDAP on a W2003 Active Directory domain from a standalone machine
I'm on contract with a client that runs a large Windows 2003 Active Directory domain. My laptop is not a member of the domain, and I am not permitted to join it to the domain. I do, however, have a direct connection inside the corporate firewall. I can do most things just fine, but I need to be able to query Active Directory users in a VBScript. My script uses LDAP, and executes perfectly from a machine that is joined to the domain. From my laptop, however, it gives me "The specified domain either does not exist or could not be contacted." This happens right at the line shown in the code snippet.
I know that LDAP has no way of figuring out where the domain controller is because I'm not logged into the domain. I know the name and IP of a bunch of domain controllers, including two on my local 10. segment. I can ping them fine. Let's say one of them is called BigDogDC.foo.com. What are the LDAP commands I need to be able run LDAP queries against it?
I know that LDAP has no way of figuring out where the domain controller is because I'm not logged into the domain. I know the name and IP of a bunch of domain controllers, including two on my local 10. segment. I can ping them fine. Let's say one of them is called BigDogDC.foo.com. What are the LDAP commands I need to be able run LDAP queries against it?
' get domain
Dim oRoot
Set oRoot = GetObject("LDAP://rootDSE")
ASKER
A couple of ADO examples would be welcome. In particular, I want to look up users by last name + first name.
Fair enough :)
Here's the VbScript example. It'll search on either the givenName or sN values.
Chris
Const USER_NAME = "domain\user"
Const PASSWORD = "password"
Const LDAP_SERVER = "someserver"
Const BASE_NC = "DC=domain,DC=com"
Function FindUsers(strGivenName, strSN)
Const ADS_SCOPE_SUBTREE = 2
Dim objConnection, objCommand, objRecordSet
Dim strUsername, strDisplayName, strDN
' Create Connection to Target Domain to generate list of Users
Set objConnection = CreateObject("ADODB.Connection")
objConnection.Provider = "ADsDSOObject"
objConnection.Properties("User ID") = USER_NAME
objConnection.Properties("Password") = PASSWORD
objConnection.Open "Active Directory Provider"
Set objCommand = CreateObject("ADODB.Command")
objCommand.ActiveConnection = objConnection
objCommand.CommandText = "SELECT givenName, sN, distinguishedName FROM " &_
"'LDAP://" & LDAP_SERVER & "/" & BASE_NC & "' " &_
"WHERE objectClass='user' AND objectCategory='person'"
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Timeout") = 600
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
objCommand.Properties("Cache Results") = False
Set objRecordSet = objCommand.Execute
Do While Not objRecordSet.EOF
If objRecordSet.Fields("givenName").Value = strGivenName Or _
objRecordSet.Fields("sN").Value = strSN Then
WScript.Echo objRecordSet.Fields("distinguishedName")
End If
objRecordSet.MoveNext
Loop
objConnection.Close
Set objRecordSet = Nothing
Set objCommand = Nothing
Set objConnection = Nothing
End Function
FindUsers "Bob", "Jones"
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Now we've had that, I wanted to introduce a better idea (okay, that's my opinion, you can judge for yourself :)).
Download and Install PowerShell:
http://www.microsoft.com/windowsserver2003/technologies/management/powershell/default.mspx
Download and Install the Quest PowerShell tools (they're free):
http://www.quest.com/powershell/
The discard the script above and we'll introduce some PowerShell.
First, connecting to a remote domain (copy and paste this in):
Connect-QADService -Service (Read-Host "Enter LDAP Server") `
-ConnectionAccount (Read-Host -prompt "Enter Username") `
-ConnectionPassword (Read-Host -prompt `
"Enter Password" -asSecureString)
It'll prompt for the server name, a username (domain\username) and password.
If the connection succeeds you should get this back:
DefaultNamingContext Type
-------------------- ----
DC=domain,DC=com ActiveDirectory
With that you can use Get-QADUser, or any of the other cmdlets. For example:
Get-QADUser -FirstName "Chris"
It's extremely powerful, to see the full set of options run:
Get-Help Get-QADUser -full | more
You can construct simple queries on just about anything, and it'll let you use LDAP filters if you want more advanced things.
Basically, if you're looking for tools to get information from a domain you would be much better off with this. It does take a bit of getting used to, but the time invested there will save hours of modifying VbScripts.
Chris
oops, duplicate posting... always good... Not much difference between the two anyway.
Chris
@Chris: I'm so very proud :)
@OP: As a side note. I am not sure what you mean by large, but if you do have a large domain (50k+) then you would benefit from my recent blog series here.
http://bsonposh.com/archives/tag/s.ds.p
This code could be easily adjusted for authentication.
@OP: As a side note. I am not sure what you mean by large, but if you do have a large domain (50k+) then you would benefit from my recent blog series here.
http://bsonposh.com/archives/tag/s.ds.p
This code could be easily adjusted for authentication.
Switching from VbScript / ASP to PowerShell / VB .NET / C# .NET has been a good choice. Even if it leaves me scratching my head sometimes :)
Chris
ASKER
Thanks, Chris
Hey,
There are a few things in your way here.
The first is finding the domain, that's easily fixed with:
Set oRoot = GetObject("LDAP://foo.com/
Or you can use the full DC name, rather than the Round Robin response on the foo.com name.
But then you have to Authenticate so we'll need OpenDSObject instead of just a simple GetObject as a direct connection.
e.g.
Set objDSO = GetObject("LDAP:")
Set objRootDSE = objDSO.OpenDSObject("LDAP:
Remember that only binds you for that object. If you wish extra object connections you must re-authenticate.
If you're performing large queries you will be better using ADO. Need examples?
Chris