How to Query Distinguished Name in AD

Bodman · January 21, 2011

OK, that produced the same result as in post #19

water · January 21, 2011

Another try:

#include <ad.au3>
$iAD_Debug = 2
$iResult = _AD_Open()
$aResult = _AD_GetObjectsInOU("","(objectclass=user)",2,"samAccountName")
$iError = @error
$iExtended = @extended
If IsArray($aResult) Then   
    $R = _AD_GetObjectProperties($aResult[1])
    _ArrayDisplay($R)
Else
    MsgBox(16, "_AD_GetObjectsInOU", "Result: " & $aResult & @CRLF & "Error: " & $iError & @CRLF & "Extended: " & $iExtended)
EndIf
_AD_Close()

This script gets all users in your AD (hopefully not too much). If successful it displays all properties of the first user.

Can you post the resulting array. Mainly I'm interested in the line with property "mail".

Edited January 22, 2011 by water

Bodman · January 21, 2011

I still get the same result as in post #19

however if I change line 3 to

$aResult = _AD_GetObjectsInOU("OU=Users,OU=C3048038,OU=PRU,OU=GB,OU=EU,DC=ecdomain,DC=net","(objectclass=user)",2,"samAccountName")

I gives me all the properties for the first user in the OU=C3048038

I have tried just

$aResult = _AD_GetObjectsInOU("DC=ecdomain,DC=net","",2,"samAccountName")

But that still gives me the same as in post #19

//Bod

water · January 21, 2011

Is my understanding correct that it's a big company you're working for? So the AD might be spread over many locations and many domain controllers?

Maybe the problem is caused by some limitations of the domain or the domain controller you access.

Could you please run the _AD_GetSystemInfo.au3 example script? Entry 8 tells the site of the current computer.

Could you then please run _AD_ListDomainControllers?

I'm interested in the number of Domain controllers (returned by _AD_ListDomainControllers) and the number of sites (returned by _AD_GetSystemInfo).

Bodman · January 21, 2011

Hi yes you are correct I am on 1 site of a large company with many sites spread over many DC's (we have a local DC which I have full read access to)

Number of DC's - 160

Number of Sites - 147

water · January 21, 2011

Fine. Now we need to know the Base Domain naming Context that is available on the domain controller you are connected to. Could you please run this script?

#include <ad.au3>
_AD_Open()
Global $aTemp = _AD_ListRootDSEAttributes()
_ArrayDisplay($aTemp)
_AD_Close()

The lines "defaultNamingContext" and "rootDomainNamingContext" should be different. Could you please post them (sensible parts replaced with "***")?

Edit 1:

Another thing to try: There is a known bug with password encryption and LDAP/SSL. Could you please set line 159 in AD.au3 to

Global Const $ADS_USE_ENCRYPTION = 0x0

and line 355 to

;       $oAD_Connection.Properties("Encrypt Password") = True ; Encrypts userid and password

Edit 2: There might be a bug with version 0.42 in _AD_Open(). To verify this I can post version 0.41

Edited January 21, 2011 by water

Bodman · January 21, 2011

Hi the lines you asked for are

[3]|defaultNamingContext|DC=ecdomain,DC=net

[16]|rootDomainNamingContext|DC=ecdomain,DC=net

Ive changed the excryption lines and re ran the script in post #22 but I unfortunatley still get the same as post #19

http://www.autoitscript.com/forum/index.php?app=core&module=attach&section=attach&attach_rel_module=post&attach_id=32963

Can you please point me to ver 0.41 and ill try that

Thanks again

Bod

water · January 22, 2011

Ok, I've been thinking all the time about this very, very strange problem

Here are a few things to try. Maybe we get additional information to solve the problem:

I've inserted line $iAD_Debug = 2 in post #22. This should give additional debugging information - if any. Could you please re-run the script?
Could you please insert the following line into AD.au3
"ConsoleWrite("*" & $oAD_Command.CommandText & "*" & @CRLF)"
after line 1199 ("$oAD_Command.CommandText = "<LDAP://" & $sAD_HostServer ...") and re-run the script from post #22?
As you stated in post #23 when you change line 3 to:
$aResult = _AD_GetObjectsInOU("OU=Users,OU=C3048038,OU=PRU,OU=GB,OU=EU,DC=ecdomain,DC=net","(objectclass=user)",2,"samAccountName")
then you get the desired results.
Could you please replace line 3 with the each of the following lines, rerun the test script from post #22 and report how long you get valid results:
$aResult = _AD_GetObjectsInOU("OU=C3048038,OU=PRU,OU=GB,OU=EU,DC=ecdomain,DC=net","(objectclass=user)",2,"samAccountName")
$aResult = _AD_GetObjectsInOU("OU=PRU,OU=GB,OU=EU,DC=ecdomain,DC=net","(objectclass=user)",2,"samAccountName")
$aResult = _AD_GetObjectsInOU("OU=GB,OU=EU,DC=ecdomain,DC=net","(objectclass=user)",2,"samAccountName")
$aResult = _AD_GetObjectsInOU("OU=EU,DC=ecdomain,DC=net","(objectclass=user)",2,"samAccountName")
$aResult = _AD_GetObjectsInOU("DC=ecdomain,DC=net","(objectclass=user)",2,"samAccountName")
Attached you find version 0.41 of the UDF (Edit: removed to save space). Please copy the AD.au3 into the include directory of AutoIt (overwriting the 0.42 version) and re-run the script from post #22
What's your client OS (Windows XP, Windows 7 ...)?
Could you please run the example script _AD_ListRootDSEAttributes.au3 and post the values of domainControllerFunctionality, domainFunctionality and forestFunctionality?

If this doesn't help you could download adfind.exe. I will post a query so we can make sure the problem is caused by the UDF and isn't a general problem with AD or the LDAP query.

Thanks a lot!

Edited January 24, 2011 by water

Bodman · January 24, 2011

Hi Water,

I have

1. Re ran and got the same result as in post #19

2. This was output to the console

*<LDAP://s0000664.ecdomain.net/DC=ecdomain,DC=net>;(objectclass=user);samAccountName*

Then the Post #19 Output

3.This was output to the console

*<LDAP://s0000664.ecdomain.net/OU=C3048038,OU=PRU,OU=GB,OU=EU,DC=ecdomain,DC=net>;(objectclass=user);samAccountName*

*<LDAP://s0000664.ecdomain.net/OU=PRU,OU=GB,OU=EU,DC=ecdomain,DC=net>;(objectclass=user);samAccountName*

*<LDAP://s0000664.ecdomain.net/OU=GB,OU=EU,DC=ecdomain,DC=net>;(objectclass=user);samAccountName*

*<LDAP://s0000664.ecdomain.net/OU=EU,DC=ecdomain,DC=net>;(objectclass=user);samAccountName*

*<LDAP://s0000664.ecdomain.net/DC=ecdomain,DC=net>;(objectclass=user);samAccountName*

Then the Post #19 Output

4. Post #19 Output

5. Windows XP

6._AD_ListRootDSEAttributes.au3

domainControllerFunctionality - 2

domainFunctionality - 2

forestFunctionality - 2

Bod

water · January 24, 2011

Hi Bod,

Unfortunately no new information

I interpret your reply to question 3 that with the first string you get the desired results displayed in an array and with the last you only get the error message?

Could you please unzip the following file into one directory, run the GetObjectsInOU.bat and post the results?

The exe (the above mentioned adfind) should return the number of users found. It is run twice with two different base DN.

So we can make sure that the problem isn't related to the AD UDF.

Thomas

Edited January 24, 2011 by water

Bodman · January 24, 2011

Whoops sorry I read that part wrong

Question 3

WORKED and got info in the array - $aResult = _AD_GetObjectsInOU("OU=Users,OU=C3048038,OU=PRU,OU=GB,OU=EU,DC=ecdomain,DC=net","(objectclass=user)",2,"samAccountName")

WORKED and got info in the array - $aResult = _AD_GetObjectsInOU("OU=C3048038,OU=PRU,OU=GB,OU=EU,DC=ecdomain,DC=net","(objectclass=user)",2,"samAccountName")

WORKED and got info in the array - $aResult = _AD_GetObjectsInOU("OU=PRU,OU=GB,OU=EU,DC=ecdomain,DC=net","(objectclass=user)",2,"samAccountName")

Failed (post #19 output) - $aResult = _AD_GetObjectsInOU("OU=GB,OU=EU,DC=ecdomain,DC=net","(objectclass=user)",2,"samAccountName")

If I run the BAT file I get

74111 Objects Returned

Bod

water · January 24, 2011

If I run the BAT file I get 74111 Objects Returned

Could you please post the complete output of the bat-file?

The adfind exe is run twice in the bat-file. The first run should give you the mentioned 74111 objects. The second run should return an error message.

Bodman · January 24, 2011

Here you go, i thought a screen shot was easier

water · January 24, 2011

I really don't get it

Adfind is able to access both base DN and return results whereas the UDF can only access one of them.

I will have to think about this problem .....

water · January 24, 2011

OK. As you get >74000 records timing or the size of the reply might be an issue.

Could you please comment (deactivate) the lines

$oAD_Command.Properties("TimeOut") = 20
$oAD_Command.Properties("Sort On") = $sAD_SortBy

in function _AD_GetObjectsInOU in AD.au3? Edited January 24, 2011 by water

Bodman · January 24, 2011

I think your onto something here. I commented out those 2 lines and ran post 22 script again it now completes and I get the array with the first object in

water · January 24, 2011

I think your onto something here. I commented out those 2 lines and ran post 22 script again it now completes and I get the array with the first object in

Fine!

Could you please run this script to verify that we solved the problem?

#include <ad.au3>
$iAD_Debug = 2
$iResult = _AD_Open()
$ti = TimerInit()
$aResult = _AD_GetObjectsInOU("","(objectclass=user)",2,"samAccountName")
$iError = @error
$iExtended = @extended
MsgBox(16, "_AD_GetObjectsInOU", "_AD_GetObjectsInOU took: " & TimerDiff($ti) & " milliseconds")
If IsArray($aResult) Then
    MsgBox(16, "_AD_GetObjectsInOU", "Records returned: " & $aResult[0])
Else
    MsgBox(16, "_AD_GetObjectsInOU", "Result: " & $aResult & @CRLF & "Error: " & $iError & @CRLF & "Extended: " & $iExtended)
EndIf
_AD_Close()

Then please activate (remove the commend) line "$oAD_Command.Properties("Sort On") = $sAD_SortBy" and rerun the script.

Bodman · January 24, 2011

Shots 1 & 2 are before (commented out)

Shosts 3 & 4 are after (Line back in again)

//Bod

water · January 24, 2011

Wow! Does it really take 8 1/2 minutes to query the AD for 74000 records? Did the adfind bat file run that long too?

So for you the solution is to remove this two lines.

In the AD UDF I will remove the TimeOut and make sure that you can suppress sorting.

Bodman · January 24, 2011

Wow! Does it really take 8 1/2 minutes to query the AD for 74000 records? Did the adfind bat file run that long too?
So for you the solution is to remove this two lines.
In the AD UDF I will remove the TimeOut and make sure that you can suppress sorting.

Yeah that does seem a little long, Ill do some more testing tomorrow

I must say thank you again for all your help. I wish I could repay the favor.

Bod

How to Query Distinguished Name in AD

Recommended Posts

Link to comment

Share on other sites

Top Posters In This Topic

Top Posters In This Topic

Posted Images

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Create an account or sign in to comment

Create an account

Sign in

Recently Browsing 0 members