PBM: GetObject with LDAP syntax doesn't work

Vince C.

Hi,

We have a W2K domain controller; it's a cluster. Users are defined in Active
Directory and I made sure they all have a First Name, a Last Name and a Full
Name associated with their Display Name.

For instance, I have the following user:

Account name: jdoe
Full name: John Doe
First name: John
Last name: Doe
Organization Unit: Company
Company DNS: company.local
Object path: company.local/Company/jdoe (as shown in the object properties in AD
Users and Computers)

I get an error message "(null): an operation error has occurred" if I run
the following script:

var pUser = GetObject("LDAP://CN=jdoe");
// or: var pUser = GetObject("LDAP://CN=John Doe,OU=Company,DC=company,DC=local");
// or even: var pUser = GetObject("LDAP://CN=John Doe");

Can anyone explain that message and tell me what's wrong?

TIA,
Vince C.
 
Vince C.

Joe Richards said:
Not a valid DN.

Not a valid DN

This should be ok. Are you positive that is the DN? Download adfind

http://www.joeware.net/win/free/tools/adfind.htm

and then do something like

adfind -gc -b "" -f "name=john doe" -dn

to see the DN.

Thanks again, Joe.

Using -f "name=..." doesn't work. Here's how I used AdFind:
AdFind -gc -b "DC=company,dc=local" -f "CN=jdoe" -dn

It returned:
dn:CN=jdoe,OU=Company,DC=company,DC=local


If I run the following command:
AdFind -gc -b "ou=Company,DC=company,dc=local" -f "" -dn

I get:
dn:CN=jdoe1,OU=Company,DC=company,DC=local
....
dn:CN=John Doe 2,OU=Company,DC=company,DC=local
....
dn:CN=John Doe 3,OU=IT,OU=Company,DC=company,DC=local
....


So our users do not all necessarily belong to the same OU, and I can
sometimes get a CN=<logon name> and sometimes a CN=<full name>. There's no
point in searching if I have to know what I'm searching for.

Isn't there a way to retrieve that information knowing only the logon and
domain names, just like we do with WinNT?

TIA,
Vince C.
 
Joe Kaplan (MVP - ADSI)

You need to search for them. In script, you use ADO to do this. If you
know the logon names, that equates to the samAccountName attribute in AD, so
your search filter would look something like:

(samAccountName=username)

There are plenty of samples of using ADO to search AD with script in the MSDN
documentation for AD online.

Unfortunately, this isn't quite as easy as the NT provider, but it is much
more powerful.

ADSI also includes the IADsNameTranslate object that you can use to
translate from one name syntax to another (logon name to DN for example),
which might help you out here as well. Docs for that are also online.

Joe K.
 
Vince C.

Joe Kaplan (MVP - ADSI) said:
You need to search for them. In script, you use ADO to do this. If you
know the logon names, that equates to the samAccountName attribute in AD, so
your search filter would look something like:

(samAccountName=username)

There are plenty of samples of using ADO to search AD with script in the MSDN
documentation for AD online.

Unfortunately, this isn't quite as easy as the NT provider, but it is much
more powerful.

ADSI also includes the IADsNameTranslate object that you can use to
translate from one name syntax to another (logon name to DN for example),
which might help you out here as well. Docs for that are also online.

Thanks, Joe. I'll try this.

Vince C.
 
Joe Richards [MVP]

Interesting. cn and name are interchangeable for users because the RDN of a user
is the cn and name follows the RDN, so you should have been able to do
name=jdoe as well as cn=jdoe.

You can use the WinNT provider against AD, but as JoeK indicated, it is far less
powerful than doing things the LDAP way.

You see, in an NT domain you can only have one jdoe. In AD you can have multiple
(though they would need different SAM names and UPNs); they just have to be in
different OUs. This is because the only naming is based on SAM names in NT, whereas
in AD the SAM name is slowly being deprecated. For instance, in NT you must specify
a SAM name during user create because it is the only way to access the user
account. In 2K AD you have to specify the SAM name during user create, though it
isn't the only way to access the user account. In 2K3 AD you don't even need to
specify the SAM name; it will make up some random value for you. Hopefully in
some future rev we won't even have the SAM name attribute.

joe
 
Joe Kaplan (MVP - ADSI)

Wow, I had no idea that samAccountName didn't need to be specified on create
on 2K3 AD. It still seems like a good idea to specify something rather than
get a random value, but this used to get a constraint violation.

Ironically, I just complained about the omission of setting
samAccountName for a group creation example in the .NET SDK docs, having
no idea that this was version dependent. I'm sure I'll be hearing about
that soon, although I think it would still be good if the docs specified
differences like this in the examples.

Joe K.
 
Joe Richards [MVP]

Absolutely, I just sort of stumbled onto it myself and said.... hmmm that's nice.
 
Vince C.

Joe Richards said:
Interesting. cn and name are interchangeable for users because the RDN of a user
is the cn and name follows the RDN, so you should have been able to do
name=jdoe as well as cn=jdoe.

Well, it doesn't explain why I'm getting errors then. I know it was
initially an NT4 domain that has been migrated to W2K. Could that be the
reason? If so, there should be some users, i.e. users that were created
after the domain was migrated, on which the second option you described works,
right?

Vince C.
 
Joe Richards [MVP]

If you know the NT4 SAM names you can do a search of samaccountname=userid;

however, it won't be domain-specific. You would need to take the domain and
select the proper base, or if you know the SAM ID is unique across the forest you
can just search the GC for that SAM ID. Also you could use the NameTranslate ADSI
function, which JoeK I think mentioned, or use DsCrackNames.

joe
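Added example, not from the original thread: the IADsNameTranslate call sequence that both Joes point to, in the thread's JScript, as the alternative to searching. The ADS_NAME_INITTYPE_* and ADS_NAME_TYPE_* values are the documented ADSI constants; classifyLogonName, logonNameToDn and the sample names are this example's own, and COMPANY as the NetBIOS domain name is an assumption (the thread gives only the DNS name company.local). The COM part runs only under cscript.exe on a domain-joined machine; the classification helper, which picks the right name type and makes the "not domain-specific" problem of a bare SAM name explicit, runs anywhere.

```javascript
// Added example (not from the original thread): resolve a logon name to a DN
// with IADsNameTranslate instead of searching. ES3-style JScript: runs under
// cscript.exe; the pure-string helper also runs in Node.

// Documented ADSI constants (ADS_NAME_INITTYPE_ENUM / ADS_NAME_TYPE_ENUM).
var ADS_NAME_INITTYPE_DOMAIN = 1;  // Init() against one named domain
var ADS_NAME_INITTYPE_GC     = 3;  // Init() against the global catalog (forest-wide)
var ADS_NAME_TYPE_1779       = 1;  // DN, e.g. CN=jdoe,OU=Company,DC=company,DC=local
var ADS_NAME_TYPE_NT4        = 3;  // down-level name, e.g. COMPANY\jdoe
var ADS_NAME_TYPE_USER_PRINCIPAL_NAME = 9;  // UPN, e.g. jdoe@company.local

// Decide which name syntax we were given, so Set() gets the right type, and
// which domain it refers to. A bare SAM name ("jdoe") names no domain at all,
// which is exactly why a plain sAMAccountName search is not domain-specific;
// the caller has to supply the NetBIOS domain to turn it into an NT4 name.
// The NetBIOS name cannot be derived from the DNS name, so "COMPANY" below
// is an assumption of this example.
function classifyLogonName(name, defaultNetbiosDomain) {
  var bs = name.indexOf("\\"), at = name.indexOf("@");
  if (bs > 0 && bs < name.length - 1) {
    return { type: ADS_NAME_TYPE_NT4, domain: name.substring(0, bs), name: name };
  }
  if (at > 0 && at < name.length - 1) {
    return { type: ADS_NAME_TYPE_USER_PRINCIPAL_NAME,
             domain: name.substring(at + 1), name: name };
  }
  if (!defaultNetbiosDomain) return null;
  return { type: ADS_NAME_TYPE_NT4, domain: defaultNetbiosDomain,
           name: defaultNetbiosDomain + "\\" + name };
}

// Init / Set / Get is the whole IADsNameTranslate protocol. Initialising
// against the GC lets the translator find the owning domain from the name
// itself; use ADS_NAME_INITTYPE_DOMAIN with "company.local" to pin it to one
// domain. Returns null when the name does not exist (the object raises a COM
// error rather than returning an empty string).
function logonNameToDn(name, defaultNetbiosDomain) {
  var info = classifyLogonName(name, defaultNetbiosDomain);
  if (!info) throw new Error("cannot tell which domain '" + name + "' belongs to");
  var translator = new ActiveXObject("NameTranslate");
  translator.Init(ADS_NAME_INITTYPE_GC, "");
  try {
    translator.Set(info.type, info.name);
    return translator.Get(ADS_NAME_TYPE_1779);
  } catch (e) {
    return null;
  }
}

if (typeof ActiveXObject !== "undefined" && typeof WScript !== "undefined") {
  // Sample inputs constructed for this example.
  var names = ["COMPANY\\jdoe", "jdoe@company.local", "jdoe"];
  for (var i = 0; i < names.length; i++) {
    var dn = logonNameToDn(names[i], "COMPANY");
    WScript.Echo(names[i] + " -> " + (dn === null ? "(not found)" : dn));
    if (dn !== null) {
      var user = GetObject("LDAP://" + dn);   // a real DN binds, unlike LDAP://CN=jdoe
      WScript.Echo("  sAMAccountName: " + user.Get("sAMAccountName"));
    }
  }
}
```

NameTranslate does the same job as DsCrackNames (it is a thin wrapper over it), and the NT4 syntax is the one that carries the domain, so this is the shortest route from "logon and domain name" to a bindable DN.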
 
Vince C.

Joe said:
If you know the NT4 SAM names you can do a search of samaccountname=userid;

however, it won't be domain-specific. You would need to take the domain
and select the proper base, or if you know the SAM ID is unique across the
forest you can just search the GC for that SAM ID. Also you could use the
NameTranslate ADSI function, which JoeK I think mentioned, or use
DsCrackNames.

Thanks. I'll try it.

Vince C.
 
