LDAP issues

Posted on 2009-04-17
Last Modified: 2013-12-24
I'm using some simple VB LDAP code to check a list of users in Excel, to display their name, location, job etc.

We have 2 DCs where I work and I only seem to be able to LDAP to one of them.
The other DC always returns a null result.

This is odd, as I do have access to view both of the DCs via Active Role Server (the online GUI).

Any reason that this might happen? Is it possible to secure a DC against people doing an LDAP query, via an AD group for example?
Question by:jamiepryer
    Expert Comment

    by:Chris Dent

    Can you show us the code?

    > is it possible to secure a DC against people doing an LDAP query via an AD group for example?

    By default all Authenticated Users have read access to (most of) Active Directory. You can revoke that right, but it must be done with care.


    Author Comment

    Thanks for the info, Chris.
    Very interesting to know about LDAP and it being hard to revoke....

    The 2 DCs I have are:

    Global.FakeCompany.Com - can query fine....
    strdomain = "DC=Global,DC=Lloydstsb,DC=Com"

    OUTLET.AD.FakeCompany.COM - won't let me query
    strdomain = "DC=OUTLET,DC=AD,DC=FakeCompany,DC=COM"
    Const ADS_SCOPE_SUBTREE = 2            ' ADSI search-scope constant; needed when ActiveDS is not referenced
    Dim objConnection As New ADODB.Connection
    Dim objCommand As New ADODB.Command
    Dim objRecordset As ADODB.Recordset
    Dim strDomain As String
    Dim xxUserIDxx As String               ' placeholder: the user ID being looked up
    'Set up the criteria for the LDAP searches
        objConnection.Provider = "ADsDSOObject"
        objConnection.Open "Active Directory Provider"
    Set objCommand.ActiveConnection = objConnection
        objCommand.Properties("Page Size") = 1000
        objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
     strDomain = "DC=OUTLET,DC=AD,DC=FakeCompany,DC=COM"
        objCommand.CommandText = _
            "SELECT description, userAccountControl, displayname, mail, distinguishedName, physicaldeliveryofficename FROM 'LDAP://" & strDomain & "' WHERE objectCategory='user' " & _
            "AND Name='" & xxUserIDxx & "'"
    Set objRecordset = objCommand.Execute
    'Read the attributes through the recordset's Fields collection; the bare
    'names (description, displayname, ...) are not variables and would write empty cells
    If Not objRecordset.EOF Then
            ActiveSheet.Cells(1, 2) = objRecordset.Fields("description").Value
            ActiveSheet.Cells(1, 3) = objRecordset.Fields("userAccountControl").Value
            ActiveSheet.Cells(1, 4) = objRecordset.Fields("displayname").Value
    End If
    objRecordset.Close
    objConnection.Close

    Expert Comment

    by:Chris Dent

    This part:


    Is that the actual AD domain name? Because all you're doing is connecting to the "Domain Component" for a specific domain here.

    For example, an AD Domain called would be referred to as "DC=ad,DC=fakecompany,DC=com" on all DCs for that domain.

    To connect to a different DC you would make it:


    When combined with your CommandText that gives you this connection string:


    Search Base could also extend into the AD structure, e.g.


    Which can also be prefixed with the server name or IP to force a connection via a specific DC.


    Author Comment

    Sorry for being stupid, but my AD/LDAP knowledge is not *that* great.

    How do I establish what the correct name should be for the "OUTLET.AD.FakeCompany.COM" AD domain?

    In ARS, when I search on a user that has an ID in the domain "OUTLET.AD.FakeCompany.COM", their full DN is:
    CN=xxUserIDxx,OU=Outlet Users,DC=OUTLET,DC=AD,DC=FakeCompany,DC=com

    My ID on the other domain (which I can do LDAP on) is:
    CN=xxMexx,OU=Head Office Users,DC=Global,DC=Lloydstsb,DC=Com

    Apologies if I'm totally missing your point...

    Accepted Solution


    I think the problem is coming because ADSI is being a bit too helpful.

    You see when you do this:

     strdomain = "DC=Global,DC=Domain,DC=Com"

    It creates this connection string:


    You're telling it "what" to connect to, but not "where". Because you're (presumably) running this from a client belonging to the Global domain, or even the server itself, it assumes you want a resource on a Domain Controller nearby. In essence it assumes this:


    Where "" will resolve using a tool like NsLookup to an IP address of a server capable of obtaining the information.

    If ADSI didn't make that assumption you would have to tell it where to connect to as well as what.

    I think that's where we're getting hung up. If you were to run the script from the server or a client within the Outlet domain it would quite happily go on with the query. But to run it remotely you must specify where, to avoid its assumptions.

    That makes strDomain into this:

      strDomain = ",DC=AD,DC=FakeCompany,DC=COM"

    And the resulting connection string into this:


    If you don't specify that value it makes an assumption and tries:


    Which won't work because cannot give you answers about[1].

    Does that make any sense?


    [1] There's a caveat there. If both are within the same forest, then it can if you instruct it to connect to the Global Catalog (GC://,DC=ad,DC=fakecompany,DC=com). However, the Global Catalog is read-only and contains a sub-set of attributes so may not necessarily be useful here.

    Author Comment

    Thanks for your help, although I can't get the 2nd bit to work, using this:
    "  strDomain = ",DC=AD,DC=FakeCompany,DC=COM"
    I did however manage to ping the domain and then use the IP address I got back as strDomain; this now works.

    Thanks very much for your help and information, I've learnt something today :)
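
    An added worked example, not code from the thread, that puts the three ADsPath forms from the accepted answer side by side in the same Excel VBA setting as the posted code: a serverless bind (LDAP://DC=...), a bind pinned to a named DC (LDAP://host/DC=...) and a Global Catalog bind (GC://DC=...). The host name dc01.outlet.ad.fakecompany.com, the forest-root DN DC=AD,DC=FakeCompany,DC=COM, the user ID jsmith, and the premise that OUTLET is a child domain in the same forest as the GC being queried are all assumptions for illustration; the posted code matches on name (the RDN), this matches on sAMAccountName, which is what a login ID normally is. It also does two things the original snippet does not: it reads rootDSE first, so a failed bind shows up as an error message rather than an empty recordset, and it builds the query in the ADO LDAP dialect with RFC 4515 escaping so a user ID copied from a worksheet cell cannot change the shape of the filter.

```vba
' Added example, not part of the original thread. Host names, DNs and the user
' ID are assumptions chosen to match the anonymised names in the question.
Option Explicit

Private Const ADS_SCOPE_SUBTREE As Long = 2   ' ADSI enum value; no ActiveDS reference needed

' Escape a value for use inside an LDAP search filter (RFC 4515) so that input
' taken from a worksheet cell cannot turn "jsmith" into "*)(objectClass=*".
Private Function EscapeLdapFilter(ByVal s As String) As String
    Dim i As Long, c As String, out As String
    For i = 1 To Len(s)
        c = Mid$(s, i, 1)
        Select Case c
            Case "\": out = out & "\5c"
            Case "*": out = out & "\2a"
            Case "(": out = out & "\28"
            Case ")": out = out & "\29"
            Case Chr$(0): out = out & "\00"
            Case Else: out = out & c
        End Select
    Next i
    EscapeLdapFilter = out
End Function

' Bind to rootDSE, either serverless ("") or via "host/", and return the
' defaultNamingContext that DC reports, or the bind error. This shows which
' domain a serverless bind actually lands on before any search is run.
Public Function ProbeRootDSE(ByVal serverPrefix As String) As String
    Dim objRootDSE As Object
    On Error Resume Next
    Set objRootDSE = GetObject("LDAP://" & serverPrefix & "rootDSE")
    If Err.Number <> 0 Then
        ProbeRootDSE = "bind failed: " & Err.Description
        Err.Clear
    Else
        ProbeRootDSE = objRootDSE.Get("defaultNamingContext")
    End If
    On Error GoTo 0
End Function

' Look up one user by sAMAccountName under an explicit search root, e.g.
'   LDAP://DC=OUTLET,DC=AD,DC=FakeCompany,DC=COM                          (serverless)
'   LDAP://dc01.outlet.ad.fakecompany.com/DC=OUTLET,DC=AD,DC=FakeCompany,DC=COM
'   GC://DC=AD,DC=FakeCompany,DC=COM                       (forest-wide, partial attribute set)
' Returns displayName and DN, or a message that distinguishes a failed bind
' from a search that simply found nothing.
Public Function LookupUser(ByVal searchRoot As String, ByVal userId As String) As String
    Dim objConnection As Object, objCommand As Object, objRecordset As Object
    Set objConnection = CreateObject("ADODB.Connection")
    Set objCommand = CreateObject("ADODB.Command")
    On Error Resume Next
    objConnection.Provider = "ADsDSOObject"
    objConnection.Open "Active Directory Provider"
    Set objCommand.ActiveConnection = objConnection
    objCommand.Properties("Page Size") = 1000
    objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
    ' ADO LDAP dialect: <root>;(filter);attribute list;scope
    objCommand.CommandText = "<" & searchRoot & ">;" & _
        "(&(objectCategory=person)(objectClass=user)(sAMAccountName=" & EscapeLdapFilter(userId) & "));" & _
        "displayName,distinguishedName;subtree"
    Set objRecordset = objCommand.Execute
    If Err.Number <> 0 Then
        LookupUser = "query failed against " & searchRoot & ": " & Err.Description
        Err.Clear
        On Error GoTo 0
        Exit Function
    End If
    On Error GoTo 0
    If objRecordset.EOF Then
        LookupUser = "no match under " & searchRoot
    Else
        LookupUser = objRecordset.Fields("displayName").Value & "  <" & _
                     objRecordset.Fields("distinguishedName").Value & ">"
    End If
    objRecordset.Close
    objConnection.Close
End Function

' Run the three forms against the domain from the question and print the outcome
' to the Immediate window (Ctrl+G in the VBA editor).
Public Sub CompareBindings()
    Const OUTLET_DN As String = "DC=OUTLET,DC=AD,DC=FakeCompany,DC=COM"
    Const OUTLET_DC As String = "dc01.outlet.ad.fakecompany.com"     ' assumed DC host name
    Const FOREST_ROOT_DN As String = "DC=AD,DC=FakeCompany,DC=COM"   ' assumed forest root
    Const USER_ID As String = "jsmith"                                ' assumed sAMAccountName

    Debug.Print "serverless rootDSE  -> "; ProbeRootDSE("")
    Debug.Print OUTLET_DC & " rootDSE -> "; ProbeRootDSE(OUTLET_DC & "/")
    Debug.Print "serverless search   -> "; LookupUser("LDAP://" & OUTLET_DN, USER_ID)
    Debug.Print "pinned to DC        -> "; LookupUser("LDAP://" & OUTLET_DC & "/" & OUTLET_DN, USER_ID)
    Debug.Print "global catalog      -> "; LookupUser("GC://" & FOREST_ROOT_DN, USER_ID)
End Sub
```

    Two things to watch when adapting this. The first rootDSE probe reports the domain the DC locator picked for a serverless bind, which for a client in the Global domain is a Global DC, so the serverless search root for OUTLET has nowhere to go and comes back empty exactly as the thread describes. Second, pinning the bind to the DC's DNS name rather than to the IP address returned by ping keeps Kerberos in play: with a bare IP there is no host SPN to request a ticket for, so the bind negotiates down to NTLM.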
