Solved

Query LDAP on a W2003 Active Directory domain from a standalone machine

Posted on 2008-06-20
9
1,032 Views
Last Modified: 2010-04-21
I'm on contract with a client that runs a large Windows 2003 Active Directory domain. My laptop is not a member of the domain, and I am not permitted to join it to the domain. I do, however, have a direct connection inside the corporate firewall. I can do most things just fine, but I need to be able to query Active Directory users in a VBScript. My script uses LDAP, and executes perfectly from a machine that is joined to the domain. From my laptop, however, it gives me "The specified domain either does not exist or could not be contacted." This happens right at the line shown in the code snippet.

I know that LDAP has no way of figuring out where the domain controller is because I'm not logged into the domain. I know the name and IP of a bunch of domain controllers, including two on my local 10. segment. I can ping them fine. Let's say one of them is called BigDogDC.foo.com. What are the LDAP commands I need to be able run LDAP queries against it?
' get domain
    Dim oRoot
    Set oRoot = GetObject("LDAP://rootDSE")

Open in new window

0
Comment
Question by:lwebber
  • 6
  • 2
9 Comments
 
LVL 70

Expert Comment

by:Chris Dent
ID: 21834293

Hey,

There are a few things in your way here.

The first is finding the domain, that's easily fixed with:

Set oRoot = GetObject("LDAP://foo.com/RootDSE")

Or you can use the full DC name, rather than the Round Robin response on the foo.com name.

But then you have to Authenticate so we'll need OpenDSObject instead of just a simple GetObject as a direct connection.

e.g.

Set objDSO = GetObject("LDAP:")
Set objRootDSE = objDSO.OpenDSObject("LDAP://foo.com/RootDSE", strUsername, strPassword)

Remember that only binds you for that object. If you wish extra object connections you must re-authenticate.

If you're performing large queries you will be better using ADO. Need examples?

Chris
0
 
LVL 9

Author Comment

by:lwebber
ID: 21843435
A couple of ADO examples would be welcome. In particular, I want to look up users by last name + first name.
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 21853647

Fair enough :)

Here's the VbScript example. It'll search on either the givenName or sN values.

Chris

Const USER_NAME = "domain\user"
Const PASSWORD = "password"
 
Const LDAP_SERVER = "someserver"
Const BASE_NC = "DC=domain,DC=com"
 
Function FindUsers(strGivenName, strSN)
	Const ADS_SCOPE_SUBTREE = 2
 
	Dim objConnection, objCommand, objRecordSet
	Dim strUsername, strDisplayName, strDN
 
	' Create Connection to Target Domain to generate list of Users
 
	Set objConnection = CreateObject("ADODB.Connection")
	objConnection.Provider = "ADsDSOObject"
	objConnection.Properties("User ID") = USER_NAME
	objConnection.Properties("Password") = PASSWORD
	objConnection.Open "Active Directory Provider"
		
	Set objCommand = CreateObject("ADODB.Command")
	objCommand.ActiveConnection = objConnection
 
	objCommand.CommandText = "SELECT givenName, sN, distinguishedName FROM " &_
		"'LDAP://" & LDAP_SERVER & "/" & BASE_NC & "' " &_
		"WHERE objectClass='user' AND objectCategory='person'"
 
	objCommand.Properties("Page Size") = 1000
	objCommand.Properties("Timeout") = 600
	objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
	objCommand.Properties("Cache Results") = False
 
	Set objRecordSet = objCommand.Execute
 
	Do While Not objRecordSet.EOF
		If objRecordSet.Fields("givenName").Value = strGivenName Or _
				objRecordSet.Fields("sN").Value = strSN Then
 
			WScript.Echo objRecordSet.Fields("distinguishedName")
 
		End If
 
		objRecordSet.MoveNext
	Loop
	
	objConnection.Close
	
	Set objRecordSet = Nothing
	Set objCommand = Nothing
	Set objConnection = Nothing
End Function
 
FindUsers "Bob", "Jones"

Open in new window

0
Use Case: Protecting a Hybrid Cloud Infrastructure

Microsoft Azure is rapidly becoming the norm in dynamic IT environments. This document describes the challenges that organizations face when protecting data in a hybrid cloud IT environment and presents a use case to demonstrate how Acronis Backup protects all data.

 
LVL 70

Accepted Solution

by:
Chris Dent earned 500 total points
ID: 21853826

Now we've had that, I wanted to introduce a better (okay, that's my opinion, you can judge for yourself :)) idea.

Download and Install PowerShell:

http://www.microsoft.com/windowsserver2003/technologies/management/powershell/default.mspx

Download and Install the Quest PowerShell tools (they're free):

http://www.quest.com/powershell/

The discard the script above and we'll introduce some PowerShell.

First, connecting to a remote domain (copy and paste this in):

Connect-QADService -Service (Read-Host "Enter LDAP Server") `
      -ConnectionAccount (Read-Host -prompt "Enter Username") `
      -ConnectionPassword (Read-Host -prompt `
            "Enter Password" -asSecureString)

It'll prompt for the server name, a username (domain\username) and password.

If the connection succeeds you should get this back:

DefaultNamingContext                    Type
--------------------                               ----
DC=domain,DC=com                        ActiveDirectory

With that you can use Get-QADUser, or any of the other cmdlets. For example:

Get-QADUser -FirstName "Chris"

It's extremely powerful, to see the full set of options run:

Get-Help Get-QADUser -full | more

You can construct simple queries on just about anything, and it'll let you use LDAP filters if you want more advanced things.

Basically, if you're looking for tools to get information from a domain you would be much better off with this.

Chris
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 21853835

Now we've had that, I wanted to introduce a better idea (okay, that's my opinion, you can judge for yourself :)).

Download and Install PowerShell:

http://www.microsoft.com/windowsserver2003/technologies/management/powershell/default.mspx

Download and Install the Quest PowerShell tools (they're free):

http://www.quest.com/powershell/

The discard the script above and we'll introduce some PowerShell.

First, connecting to a remote domain (copy and paste this in):

Connect-QADService -Service (Read-Host "Enter LDAP Server") `
      -ConnectionAccount (Read-Host -prompt "Enter Username") `
      -ConnectionPassword (Read-Host -prompt `
            "Enter Password" -asSecureString)

It'll prompt for the server name, a username (domain\username) and password.

If the connection succeeds you should get this back:

DefaultNamingContext                    Type
--------------------                               ----
DC=domain,DC=com                        ActiveDirectory

With that you can use Get-QADUser, or any of the other cmdlets. For example:

Get-QADUser -FirstName "Chris"

It's extremely powerful, to see the full set of options run:

Get-Help Get-QADUser -full | more

You can construct simple queries on just about anything, and it'll let you use LDAP filters if you want more advanced things.

Basically, if you're looking for tools to get information from a domain you would be much better off with this. It does take a bit of getting used to, but the time invested there will save hours of modifying VbScripts.

Chris
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 21853841

oops, duplicate posting... always good... Not much difference between the two anyway.

Chris
0
 
LVL 18

Expert Comment

by:BSonPosh
ID: 21854934
@Chris: I'm so very proud :)

@OP: As a side note. I am not sure what you mean by large, but if you do have a large domain (50k+)  then you would benefit from my recent blog series here.
http://bsonposh.com/archives/tag/s.ds.p

This code could be easily adjusted for authentication.
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 21855065

Switching from VbScript / ASP to PowerShell / VB .NET / C# .NET has been a good choice. Even if it leaves me scratching my head sometimes :)

Chris
0
 
LVL 9

Author Closing Comment

by:lwebber
ID: 31469295
Thanks, Chris
0

Featured Post

Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
Is your Office 365 signature not working the way you want it to? Are signature updates taking up too much of your time? Let's run through the most common problems that an IT administrator can encounter when dealing with Office 365 email signatures.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

773 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question