End user web based AD attribute viewer

Hi Experts,


Environment: Corp LAN, MS servers and clients, W2k3 and WinXP, 5000 userbase

Goal: To provide the userbase with an intranet URL which displays a page showing an attribute named "houseIdentifier" from their AD user account object. The page must obviously deduce the user account details automatically to look at the right user object in AD.

My expectation: A browser page with a script to interrogate AD for the data

Let me know if you need more.
StinkyPeteAsked:

StinkyPeteAuthor Commented:
Moderator: Can I change the zones to include a VB script zone pls?
jostranderCommented:
Here's a sample .asp that works for me.  It uses the server variable LOGON_USER though, so if anonymous access is required, this won't work.
<HTML>
<HEAD>
<TITLE>House Identifier</TITLE>
</HEAD>

<BODY>

<%

GetInfo

Sub GetInfo
	' IIS only fills LOGON_USER when anonymous access is off and the browser
	' has authenticated; the value is normally "DOMAIN\user".
	strLogonUser = Request.ServerVariables("LOGON_USER")

	' Strip the DOMAIN\ prefix to leave the sAMAccountName
	If Instr(strLogonUser,"\") then
		pos=Instr(strLogonUser,"\")+1
		strUser = mid(strLogonUser,pos)
	Else
		strUser= strLogonUser
	End If

	If strUser="" then
		response.write "Could not determine the logged-on user (LOGON_USER is empty)"
		Exit Sub
	End If

	strAdspath = Get_aDsPath(strUser)
	If strAdspath = "" then
		response.write "Could not find user:  " & strUser
		Exit Sub
	End If

	' Bind to the user object under the identity of the IIS process
	Set objUser = GetObject(strAdspath)

	'response.write ("<B>Email:  </B>" & objUser.mail & "<BR>")
	response.write ("<B>House Identifier:  </B>" & objUser.houseIdentifier & "<BR>")

End Sub

Function Get_aDsPath(myUser)
	Const ADS_SCOPE_SUBTREE = 2

	' Read the domain naming context (e.g. DC=corp,DC=example) from rootDSE
	Set objRootDSE = GetObject("LDAP://rootDSE")
	strRootDSE = objRootDSE.Get("defaultNamingContext")

	Set objConnection = CreateObject("ADODB.Connection")
	Set objCommand =   CreateObject("ADODB.Command")
	objConnection.Provider = "ADsDSOObject"
	objConnection.Open "Active Directory Provider"
	Set objCommand.ActiveConnection = objConnection

	objCommand.Properties("Page Size") = 4000
	objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE

	' Note: myUser is spliced into the query text, so an account name that
	' contains a single quote (e.g. O'Brien) produces a malformed query.
	objCommand.CommandText = _
		"SELECT ADsPath FROM 'LDAP://" & strRootDSE & "' WHERE objectCategory='User' " & _
			"AND sAMAccountName = '" & myUser & "' "

	Set objRecordSet = objCommand.Execute

	' Execute leaves the cursor on the first row; MoveFirst on an empty
	' recordset raises an error, so test EOF instead.
	ADsPath = ""
	If NOT objRecordSet.EOF then
		ADsPath=objRecordSet.Fields("ADsPath").Value
	End If

	objRecordSet.Close
	objConnection.Close

	Get_aDsPath = ADsPath
End Function

%>

</BODY>
</HTML>


StinkyPeteAuthor Commented:
Saved as an HTML file, opened with MSIE 6.0, but it did not result in any contents on the page.

The Title was correct, and viewing the source showed your code as written above, but no output to the page (?)

The relevant Windows domain account has data in the fields/attributes being requested.


(I cannot code for toffee, so excuse this question: is the strop/apostrophe on line 36 intentional?)

What should we try next?

jostranderCommented:
Please rename the file to .asp

The line with the apostrophe was included (but commented out) for testing only.
jostranderCommented:
Also, it requires an IIS web server to run, with anonymous access disabled.
StinkyPeteAuthor Commented:
Ah thanks Jo.

Will test it tomorrow.


StinkyPeteAuthor Commented:
I have enabled asp on an IIS server, and removed the anonymous access, and we are seeing the attached error in the browser.

I am a novice when it comes to IIS


permissions.PNG
browser-error.PNG
jostranderCommented:
Try this one instead, it will require a username and password to be set in the file.
ex:
szUsername = "YOURDOMAIN\gooduser"
szPassword = "mypassword"
<HTML>
<HEAD>
<TITLE>House Identifier</TITLE>
</HEAD>

<BODY>

<%

' Service account used to bind to AD; replace with a locked-down,
' read-only domain account.
Dim szUsername
Dim szPassword

szUsername = "MYDOMAIN\gooduser"
szPassword = "gooduser"

GetInfo

Sub GetInfo
	' Swallows run-time errors (e.g. bad credentials or a missing attribute)
	' so the page prints a "Could not ..." message instead of an ASP error.
	ON ERROR RESUME NEXT
	Const ADS_SECURE_AUTHENTICATION = 1

	strLogonUser = Request.ServerVariables("LOGON_USER")

	' Strip the DOMAIN\ prefix to leave the sAMAccountName
	If Instr(strLogonUser,"\") then
		pos=Instr(strLogonUser,"\")+1
		strUser = mid(strLogonUser,pos)
	Else
		strUser= strLogonUser
	End If

	If strUser="" then
		response.write "Could not determine the logged-on user (LOGON_USER is empty)"
		Exit Sub
	End If

	strADsPath = Get_ADsPath(strUser)
	If strADsPath = "" then
		response.write "Could not get ADsPath for user:  " & strUser
		Exit Sub
	End If

	' Bind with the service account. ADS_SECURE_AUTHENTICATION negotiates
	' Kerberos/NTLM rather than an LDAP simple bind, so the password is not
	' sent to the domain controller in the clear.
	Set ons = GetObject("LDAP:")
	Set objUser = ons.OpenDSObject(strADsPath,szUsername,szPassword,ADS_SECURE_AUTHENTICATION)
	objUser.GetInfo
	strHouseIdentifier=objUser.Get("houseIdentifier")

	If strHouseIdentifier="" then
		response.write ("Could not get houseIdentifier for user:  " & strADsPath & "<BR>")
	Else
		response.write ("<B>House Identifier:  </B>" & strHouseIdentifier & "<BR>")
	End If

End Sub


Function Get_ADsPath(myUser)
	Const ADS_SCOPE_SUBTREE = 2

	' Read the domain naming context (e.g. DC=corp,DC=example) from rootDSE
	Set objRootDSE = GetObject("LDAP://rootDSE")
	strRootDSE = objRootDSE.Get("defaultNamingContext")

	Set objConnection = CreateObject("ADODB.Connection")
	Set objCommand =   CreateObject("ADODB.Command")
	objConnection.Provider = "ADsDSOObject"
	objConnection.Properties("User ID") = szUsername
	objConnection.Properties("Password") = szPassword
	' Use secure (Kerberos/NTLM) authentication for the search connection too
	objConnection.Properties("Encrypt Password") = TRUE

	objConnection.Open "Active Directory Provider"
	Set objCommand.ActiveConnection = objConnection

	objCommand.Properties("Page Size") = 4000
	objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE

	' Note: myUser is spliced into the query text, so an account name that
	' contains a single quote (e.g. O'Brien) produces a malformed query.
	objCommand.CommandText = _
		"SELECT ADsPath FROM 'LDAP://" & strRootDSE & "' WHERE objectCategory='User' " & _
			"AND sAMAccountName = '" & myUser & "' "

	Set objRecordSet = objCommand.Execute

	' Execute leaves the cursor on the first row; MoveFirst on an empty
	' recordset raises an error, so test EOF instead.
	ADsPath = ""
	If NOT objRecordSet.EOF then
		ADsPath=objRecordSet.Fields("ADsPath").Value
	End If

	objRecordSet.Close
	objConnection.Close

	Get_ADsPath = ADsPath
End Function

%>

</BODY>
</HTML>

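Both of jostrander's pages build the Get_ADsPath lookup by splicing the sAMAccountName taken from LOGON_USER into an ADO SQL-dialect string, so an account name containing an apostrophe (O'Brien) produces a malformed query. As an added example, not code from this thread, the Python below performs the same LOGON_USER-to-query step using the ADsDSOObject LDAP dialect with RFC 4515 escaping, so every legal account name is handled as data; the domain naming context and account names are constructed values.

```python
# Added example: build the ADsDSOObject LDAP-dialect query for the
# houseIdentifier page from LOGON_USER, escaping the value per RFC 4515.

# RFC 4515 special characters in a filter assertion value, escaped as \XX.
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_ldap_filter_value(value: str) -> str:
    """Escape a string for use inside an LDAP search filter (RFC 4515)."""
    out = []
    for ch in value:
        if ch in _LDAP_ESCAPES:
            out.append(_LDAP_ESCAPES[ch])
        elif ord(ch) < 0x20 or ord(ch) > 0x7E:
            # Control and non-ASCII characters: escape every UTF-8 byte.
            out.append("".join(f"\\{b:02x}" for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


def sam_account_from_logon_user(logon_user: str) -> str:
    """Same split the ASP page does on LOGON_USER ("DOMAIN\\user" -> "user"),
    rejecting empty values and names over the 20-character sAMAccountName limit."""
    _, _, user = logon_user.rpartition("\\")
    if not user or len(user) > 20:
        raise ValueError(f"unusable LOGON_USER value: {logon_user!r}")
    return user


def build_adspath_query(logon_user: str, naming_context: str) -> str:
    """ADsDSOObject LDAP-dialect command text, <base>;(filter);attrs;scope,
    equivalent to the page's SELECT ADsPath ... WHERE sAMAccountName = ... query."""
    user = escape_ldap_filter_value(sam_account_from_logon_user(logon_user))
    ldap_filter = f"(&(objectCategory=person)(objectClass=user)(sAMAccountName={user}))"
    return f"<LDAP://{naming_context}>;{ldap_filter};ADsPath;subtree"


if __name__ == "__main__":
    # Constructed inputs: a naming context and two legal account names, one with
    # an apostrophe (breaks the SQL-dialect string) and one with parentheses.
    nc = "DC=corp,DC=example"
    print(build_adspath_query(r"MYDOMAIN\O'Brien", nc))
    print(build_adspath_query(r"MYDOMAIN\Smith(Temp)", nc))
```

The returned string can be assigned to objCommand.CommandText in place of the SELECT statement; the apostrophe needs no escaping in LDAP filter syntax, while parentheses, asterisks and backslashes are encoded so they cannot alter the filter.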
StinkyPeteAuthor Commented:
After testing I see that the credentials required are for a security context for the request to be made of AD.

Good.
I am guessing the answer to this is no, else you would have done it, but:
Is it not possible to use the currently logged-on account of the server process running the script as the security context under which to query AD?

i.e. I would like to avoid putting credentials in the clear.

jostranderCommented:
What OS & version of IIS is this?  You could try changing the Application Protection in the web site properties to run at a different level*.

I replicated your issue by installing IIS 5.1 on an XP OS and copying the asp file over.  When I changed the Application Protection to "Low (IIS Process)", it worked fine (without username/password hard coded).

*Web site properties --> Home / Virtual Directory Tab --> Application Protection (on XP / IIS 5.1)
StinkyPeteAuthor Commented:
Thanks. I won't go with the reduction of application protection, but shall use the hard-coded user (created a domain a/c and locked it down).