Richard
Thu May 17 13:00:14 CDT 2007
Craig wrote:
> Hi I'm quite new to scripting. I'm trying to write code so the user
> can do an LDAP query so the user can run the query with alternative
> login credentials (as the user may not be logged into the domain when
> running the query). I've seen different examples of how to do this
> including from the Scripting Guys and have tried different approaches
> but can't get it to work. Can you advise me on the easiest way of
> doing this - i.e.
> Is it easier to have the query in a separate script and execute this
> script using 'runas'?
> Or to include login credentials in the query somehow? If so, how do
> you do this?
> Any links to relevant examples would be much appreciated. Like I say,
> I've been trawling the net looking for the answer and have tried
> different approaches otherwise I would post the problem code.
You can pass alternate credentials in several ways, but I find I must use a
server bind (specify a specific DC) if the user is not authenticated to the
domain (if the user is logged in locally). Of course, the client must be
authenticated to the domain. I have used code similar to below to query AD,
even though I am logged in locally. In this example, I use the RootDSE
object to retrieve the DNS name of the domain, but you could also hard code
this:
================
Option Explicit
Dim objRootDSE, strDNSDomain, adoCommand, adoConnection
Dim strBase, strFilter, strAttributes, strQuery, adoRecordset
Dim strDN, strUser, strPassword, objNS, strServer
' ADSI authentication flags (ADS_AUTHENTICATION_ENUM).
Const ADS_SECURE_AUTHENTICATION = &H1
Const ADS_SERVER_BIND = &H200
' Specify server (a specific domain controller, required for the server bind).
strServer = "MyServer"
' Specify or prompt for credentials (placeholder values shown here).
strUser = "MyDomain\TestUser"
strPassword = "xyz12345"
' Determine DNS domain name (default naming context) from RootDSE.
Set objNS = GetObject("LDAP:")
Set objRootDSE = objNS.OpenDSObject("LDAP://" & strServer & "/RootDSE", _
    strUser, strPassword, _
    ADS_SERVER_BIND Or ADS_SECURE_AUTHENTICATION)
strDNSDomain = objRootDSE.Get("defaultNamingContext")
' Use ADO to search Active Directory with the same credentials and flags.
Set adoCommand = CreateObject("ADODB.Command")
Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Properties("User ID") = strUser
adoConnection.Properties("Password") = strPassword
adoConnection.Properties("Encrypt Password") = True
adoConnection.Properties("ADSI Flag") = ADS_SERVER_BIND Or _
    ADS_SECURE_AUTHENTICATION
adoConnection.Open "Active Directory Provider"
adoCommand.ActiveConnection = adoConnection
' Search entire domain (server bind: the DC is named in the base).
strBase = "<LDAP://" & strServer & "/" & strDNSDomain & ">"
' Search for all users.
strFilter = "(&(objectCategory=person)(objectClass=user))"
' Comma delimited list of attribute values to retrieve.
strAttributes = "distinguishedName"
' Construct the LDAP query.
strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
' Run the query.
adoCommand.CommandText = strQuery
adoCommand.Properties("Page Size") = 100
adoCommand.Properties("Timeout") = 30
adoCommand.Properties("Cache Results") = False
Set adoRecordset = adoCommand.Execute
' Enumerate the resulting recordset.
Do Until adoRecordset.EOF
    ' Retrieve values.
    strDN = adoRecordset.Fields("distinguishedName").Value
    Wscript.Echo strDN
    adoRecordset.MoveNext
Loop
' Clean up.
adoRecordset.Close
adoConnection.Close
--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab -
http://www.rlmueller.net
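The same server bind with alternate credentials, as an added PowerShell example that is not part of the original post: it uses System.DirectoryServices instead of ADO, prompts for the password rather than hard coding it, and adds the Sealing/Signing flags (assumed to be supported by the DC) on top of the ServerBind/Secure flags the post uses. "dc01.example.com" is a placeholder server name.

```powershell
# Added example (not from the original post): ADSI server bind with explicit
# credentials from PowerShell. The DC name is a placeholder; the password is
# prompted with Get-Credential so it never sits in the script file.
$server = 'dc01.example.com'
$cred   = Get-Credential -Message 'Account to query Active Directory with'
$user   = $cred.UserName
$pass   = $cred.GetNetworkCredential().Password

# ServerBind: talk to this DC only (needed when the client is not domain
# authenticated). Secure: Kerberos/NTLM instead of a simple bind. Sealing and
# Signing (assumed available) encrypt and integrity-protect the LDAP session.
$auth = [System.DirectoryServices.AuthenticationTypes]::ServerBind -bor
        [System.DirectoryServices.AuthenticationTypes]::Secure -bor
        [System.DirectoryServices.AuthenticationTypes]::Sealing -bor
        [System.DirectoryServices.AuthenticationTypes]::Signing

try {
    # RootDSE supplies defaultNamingContext, as in the VBScript above.
    $rootDse = New-Object -TypeName System.DirectoryServices.DirectoryEntry `
        -ArgumentList "LDAP://$server/RootDSE", $user, $pass, $auth
    $domainDn = $rootDse.Properties['defaultNamingContext'].Value
} catch {
    throw "Bind to $server as $user failed: $($_.Exception.Message)"
}

# Search base is the domain on the same DC, with the same credentials and flags.
$root = New-Object -TypeName System.DirectoryServices.DirectoryEntry `
    -ArgumentList "LDAP://$server/$domainDn", $user, $pass, $auth
$searcher = New-Object -TypeName System.DirectoryServices.DirectorySearcher `
    -ArgumentList $root
$searcher.Filter      = '(&(objectCategory=person)(objectClass=user))'
$searcher.SearchScope = 'Subtree'
$searcher.PageSize    = 100    # paged results, like the ADO "Page Size" property
$searcher.PropertiesToLoad.Add('distinguishedName') | Out-Null

foreach ($result in $searcher.FindAll()) {
    $result.Properties['distinguishedname'][0]
}

# Drop the clear-text password reference as soon as the search is done.
$pass = $null
```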