ADsEnumerateNext failing enumerating Global Catalog

Posted on 2008-10-19
Last Modified: 2013-12-19
Hi all

I've been searching for a day now for information on why ADsEnumerateNext can fail enumerating the global catalog.  

I've a client whose debug log files show me that this function is failing with S_FALSE.  The code is below.

I just get a debug trace back with enumerated 0 objects.

The process is a system service, running in an account which has domain administrator privileges.

I'm wondering what the possible failure modes for this are, e.g.

1. There is nothing in the GC (is this even possible)?
2. Service does not have permission to enumerate the GC (but can connect to it?)
3. There's some referral required?
4. User is in wrong domain without proper trust relation to the forest

Any ideas to check?
IADsContainer *pCont = NULL;

HRESULT rc = ADsOpenObject( L"GC:", NULL, NULL, ADS_SECURE_AUTHENTICATION, IID_IADsContainer, (void**)&pCont);

if( S_OK == rc )


	IEnumVARIANT *pEnum = NULL;

	FileTrace("[*] GetIADs -> Opened IID_IADsContainer");

	rc = ADsBuildEnumerator(pCont, &pEnum);

	if(S_OK == hResult) 


		FileTrace("[*] GetIADs -> Built enumeration VARIANT");

		IDispatch *pDisp = NULL;

		ULONG lFetch = 0;

		VARIANT var;

		VariantInit( &var );

		// Now enumerate. There is only one child of the GC: object.

		rc = ADsEnumerateNext(pEnum, 1, &var, &lFetch);

		if (( rc == S_OK ) && ( lFetch == 1 ) )     


			FileTrace("[*] GetIADs -> Enumerated 1 object");

			pDisp = V_DISPATCH(&var);

			rc = pDisp->QueryInterface( IID_IADs, (void**)&pIADS); 

			if (pDisp)(pDisp)->Release();




			FileTrace("[*] GetIADs -> Enumerated %d objects (hResult: %x)",lFetch,rc);


		// clean up the variant.


		if (pEnum) ADsFreeEnumerator(pEnum);




		FileTrace("[*] GetIADs -> ADsBuildEnumerator failed (rc: %x)", hResult);


	if( pCont ) pCont->Release( );




	FileTrace("[*] GetIADs -> ADsOpenObject failed (hResult: %x)", rc);


Open in new window

Question by:Adrien de Croy

Expert Comment

Comment Utility
According to MSDN website: S_FALSE means The call succeeded, but the number of items returned is less than those requested.
Maybe this helps you:

Accepted Solution

Adrien de Croy earned 0 total points
Comment Utility

was already aware of that, since I was only asking for 1 item, to return S_FALSE would still mean there are no items.

Turns out the problem was to do with the client's AD configuration, they reinstalled their OS, and the problem went away

Featured Post

What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

Join & Write a Comment

Container Orchestration platforms empower organizations to scale their apps at an exceptional rate. This is the reason numerous innovation-driven companies are moving apps to an appropriated datacenter wide platform that empowers them to scale at a …
Find out how to use Active Directory data for email signature management in Microsoft Exchange and Office 365.
Video by: Steve
Using examples as well as descriptions, step through each of the common simple join types, explaining differences in syntax, differences in expected outputs and showing how the queries run along with the actual outputs based upon a simple set of dem…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now