lapucca
What type of AD account do I need to bind to AD root directory using C#?

Hi,
The systems people gave me an AD admin account.  I used that in my code to bind serverlessly to rootDSE, but I'm getting a logon error saying my user ID and password are unknown.  Is there a special AD account I would need to bind to the rootDSE?
DirectoryEntry deRoot = new DirectoryEntry("LDAP://rootDSE", "admin_id", "somePassword!");

Also for serverless binding, can I specify a domain to bind to?

Thank you.
Guillermo Feijóo

Hi:

Well, if you are getting an unknown user message, try to put the admin_id this way (the full path to the user object in the directory):

"cn=admin_id,o=mycompany"
lapucca

ASKER

Well, that looks odd.  cn is the user ID name, but I'm not sure just the o attribute would qualify the full path or whether that would work; I'm working on finding the full path and will give it a try.  So it's just the user ID, and O is organization, right?  Where do I see that in the AD Users and Computers snap-in?

What if I bind to a specific user group / security group instead?  What would the code look like?  Something like
DirectoryEntry deRoot = new DirectoryEntry("LDAP://full path syntax like cn=xxx,cn=xxx,...", "admin_id", "somePassword!");

Would that work for serverless binding?
Thank you.
lapucca

ASKER

If I'm binding to AD using a user ID and password, do I still need to use impersonation C# code before binding?
Guillermo Feijóo

Hi:

To get the full path to the user object, the easier way is to use adsiedit (from my point of view).

Locate where the user object is in the Users and Computers snap-in (right-click the domain name and click Find), double-click the user object and then look at the "Object" tab; there you can see where the object is stored in AD (if you don't see the "Object" tab, then go to the Users and Computers snap-in, click View at the top, then click Advanced Features and find the user again; now you should see the "Object" tab).

Now that you know where the user object is stored, click Start, Run, and run adsiedit.msc, navigate to the container or OU where the user object is stored, right-click the user object, then click Properties, double-click the distinguishedName attribute, and copy the string value. This is the full path to the user object in AD, and I think this is what you should type in the admin_id field. I suggest you use this method to get any path you want to use (users, groups, and organizational units or containers).

Yes, I think that should work.
lapucca

ASKER

G, thank you for such detailed, precise steps to get to the Object tab; that does work.

I ran adsiedit.msc and clicked the "Connect to" menu item; a pop-up appeared, I entered the user ID and the password I used to bind in my code, and got an error.  Please see the attached screenshot.  Does that mean that user ID and password need additional permission to bind?

I then just double-clicked the root node labelled "ADSI Edit", the tree expanded and I could see the objects.  I think it's using my Windows login ID.

I was able to get the full path of the admin account per your instructions.  I put that in my code, and now that logon error about an unknown user ID or password goes away.  I now get a System.DirectoryServices.DirectoryServicesCOMException.  In the Locals window at the bottom of VS, the base attribute of my deRoot object shows an error message of "A local error has occurred.\r\n" and an extended error of -2146893052.  Any advice on what could cause this?  Have I gotten past the login issue?
ADSIEDIT-ERRO.jpg
lapucca

ASKER

Attached is a screen shot of error in VS.  Thank you.
ADSIEDIT-ERRO2.jpg
Guillermo Feijóo

Hi lapucca

Change the "admin_id" when binding. Instead of the distinguished name, please try "YourDomain\YourAdminAccountName" or "YourAdminAccountName@yourdomain".
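The following is an added example (not code from this thread or from either participant) that puts the advice above into a complete program: it binds serverlessly to RootDSE with the account in UPN form, reads defaultNamingContext, and then finds a security group by sAMAccountName rather than guessing its DN, which also covers the group-binding question raised earlier. The domain corp.example, the account svc_ldap@corp.example and the group App-Admins are assumptions; replace them with your own. Two caveats worth knowing: the DirectoryEntry constructor does not contact the directory at all, the first property read does, so a bad credential only surfaces there; and with the default AuthenticationTypes.Secure the user name goes to SSPI (Negotiate), which understands DOMAIN\user and user@domain but not a distinguished name. A DN is only meaningful for a simple bind (AuthenticationTypes.None), which sends the password in clear text and should be avoided. An extended error of -2146893052 is HRESULT 0x80090304, a facility-9 (SSPI) code, i.e. a failure in the secure bind on the client side, which fits the "A local error has occurred" text seen above.

```csharp
using System;
using System.DirectoryServices;
using System.Runtime.InteropServices;

// Added example: explicit-credential bind to RootDSE, then to a security group.
// All names here are assumptions, not values from the thread.
static class AdBindDemo
{
    // Construct the entry and force the LDAP bind to happen now.
    // DirectoryEntry's constructor never talks to the directory; RefreshCache
    // does, so credential errors are raised here instead of later.
    static DirectoryEntry Bind(string path, string user, string password)
    {
        var entry = new DirectoryEntry(path, user, password, AuthenticationTypes.Secure);
        entry.RefreshCache();   // performs the bind; throws on bad credentials
        return entry;
    }

    static void Main()
    {
        // Assumed account in UPN form (the form that worked in the thread).
        // DOMAIN\user is also accepted for a secure (SSPI) bind.
        string user = "svc_ldap@corp.example";                                  // assumed
        string password = Environment.GetEnvironmentVariable("LDAP_PASSWORD")  // never hard-code it
            ?? throw new InvalidOperationException("Set LDAP_PASSWORD first.");

        try
        {
            // Serverless bind: the DC locator chooses a domain controller of the
            // domain this machine is joined to. To target a specific domain, put
            // its DNS name in the path, e.g. "LDAP://corp.example/RootDSE" (assumed).
            using (DirectoryEntry rootDse = Bind("LDAP://RootDSE", user, password))
            {
                string defaultNc = (string)rootDse.Properties["defaultNamingContext"].Value;
                string dnsHost   = (string)rootDse.Properties["dnsHostName"].Value;
                Console.WriteLine($"Bound to {dnsHost}; defaultNamingContext = {defaultNc}");

                // Bind to the domain root and search for the group by sAMAccountName
                // instead of guessing its DN, then list its members.
                using (DirectoryEntry domain = Bind("LDAP://" + defaultNc, user, password))
                using (var searcher = new DirectorySearcher(domain))
                {
                    searcher.Filter = "(&(objectCategory=group)(sAMAccountName=App-Admins))"; // assumed group
                    searcher.PropertiesToLoad.Add("distinguishedName");
                    searcher.PropertiesToLoad.Add("member");

                    SearchResult result = searcher.FindOne();
                    if (result == null)
                    {
                        Console.WriteLine("Group not found.");
                        return;
                    }
                    Console.WriteLine("Group DN: " + result.Properties["distinguishedName"][0]);
                    foreach (object member in result.Properties["member"])
                        Console.WriteLine("  member: " + member);
                }
            }
        }
        catch (DirectoryServicesCOMException ex)
        {
            // LDAP-level failure. ExtendedError carries the underlying Win32/SSPI
            // code (the -2146893052 seen in the thread is one of these) and
            // ExtendedErrorMessage any text that came with it.
            Console.WriteLine($"LDAP error 0x{ex.ErrorCode:X8}: {ex.Message}");
            Console.WriteLine($"  extended {ex.ExtendedError}: {ex.ExtendedErrorMessage}");
        }
        catch (COMException ex)
        {
            // 0x8007052E is ERROR_LOGON_FAILURE: "unknown user name or bad password".
            Console.WriteLine($"COM error 0x{ex.ErrorCode:X8}: {ex.Message}");
        }
    }
}
```

The password is read from an environment variable only to keep the example self-contained; in a real service it should come from a secret store or, better, the service should run under its own domain identity and bind with the current security context (no user name or password arguments), so no credential is stored at all.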
lapucca

ASKER

So you don't think I got past the logon error yet?  The error message seemed to have changed to "A local error..."

okay will try both your suggestion now.  Thank you.
lapucca

ASKER

In "YourDomain\YourAdminAccountName" or "YourAdminAccountName@yourdomain", the "YourAdminAccountName" part is just the account name and not the path, but does it need the "CN=" part, as in CN=YourAdminAccountName?
ASKER CERTIFIED SOLUTION
Guillermo Feijóo
lapucca

ASKER

Using "YourDomain\YourAdminAccountName" gives the same error as before:
-            base      {"Logon failure: unknown user name or bad password.\r\n"}      System.Runtime.InteropServices.ExternalException {System.Runtime.InteropServices.COMException}

Reversing the order to "YourAdminAccountName@yourdomain" gets me the same logon failure as listed above.

How can I test if this service account has permission to bind to AD?  Since I can see the AD snap in and able to use the ADSIEdit, maybe I will try my credential next?
lapucca

ASKER

"YourAdminAccountName@yourdomain" works!  The problem is with the service account's permission level, I think.  Once I used my Windows credentials, it allowed me to bind to the root.  Thank you so much for patiently helping me.  I actually need help binding to a security group; the code I have is not working.  I'm creating a new question for it, hoping you can help again.