spaulding (TechnicalUser) (OP)
3 Feb 04 16:48
I'm trying to write an ASP page that will return a list of Active Directory User accounts that are disabled.  I've written several ASP pages and am reasonably comfortable with that, but I've yet to use LDAP in the query.  Below is the script I've started to put together.  Part of it is from Microsoft TechNet and part is from a thread on this forum.  Unfortunately, it doesn't work and returns the following error:
Provider error '80040e14'

One or more errors occurred during processing of command.

The message refers to line 13 which is the command.execute line.  I figure this means my command.text line is out of whack, but I don't know enough about the syntax to figure it out.

I'd appreciate any help I can get.



<%@language=vbscript%>
<%
Const ADS_UF_ACCOUNTDISABLE = 2

Set objConnection = CreateObject("ADODB.Connection")
objConnection.Provider="ADsDSOObject"

objConnection.Open "Active Directory Provider"
Set objCommand = CreateObject("ADODB.Command")
objCommand.ActiveConnection = objConnection
objCommand.CommandText = "select distinguishedName, userAccountControl from 'LDAP://DC=FISD, DC=org' where objectCategory=User"  
Set objRecordset = Server.CreateObject("ADODB.Recordset")
Set objRecordSet = objCommand.Execute

intCounter = 0
While Not objRecordset.EOF
    intUAC=objRecordset.Fields("userAccountControl")
    If intUAC And ADS_UF_ACCOUNTDISABLE Then
        response.write objRecordset.Fields("distinguishedName") & " is disabled."
        intCounter = intCounter + 1
    End If
    objRecordset.MoveNext
Wend

response.write  "A total of " & intCounter & " accounts are disabled."

objConnection.Close

 %>
spaulding (TechnicalUser) (OP)
5 Feb 04 18:15
Done a bunch more research and have modified the portion of the script setting up the connection as follows:

Set objConnection = CreateObject("ADODB.Connection")
objConnection.Provider="ADsDSOObject"

objConnection.Open "ADs Provider"


CommandText = "<LDAP://dc=adm-dc01,dc=PISD,dc=org>;(&(objectClass=user));cn,userAccountControl"
  
Set objRecordset = objConnection.Execute(CommandText)

I've got a recordset output loop after that just to list the fields.  But when I run the page, I get the following error:

Provider error '80040e37'

Table does not exist.

The error occurs on the Set recordset line.
Active Directory runs on our server named adm-dc01.PISD.org  (capitalization is correct).  I'm running Integrated Authentication on our intranet website (I've tried Anonymous also, no change) and am logged in as an administrator, so I don't think it's permissions.  I'm stumped and I'd really appreciate some help.
zcolton (IS/IT--Management)
9 Feb 04 8:01
<%@ Language=VBScript %>
<%
Option Explicit
response.buffer = true
Dim con,rs,Com,objADsPath,objDomain,objADOU,intUAC
Const ADS_UF_ACCOUNTDISABLE = 2
%>
<html>
<head>
</head>
<body topmargin="0" leftmargin="0" bgcolor="#CCCCCC">
<%
 Set objDomain = GetObject ("GC://rootDSE")
 objADsPath = objDomain.Get("defaultNamingContext")
 Set objDomain = Nothing
 Set con = Server.CreateObject("ADODB.Connection")
 con.provider ="ADsDSOObject"
 con.open "Active Directory Provider"
 Set Com = CreateObject("ADODB.Command")
 Set Com.ActiveConnection = con
 Com.CommandText ="select userAccountControl,name from 'GC://"+objADsPath+"' WHERE objectCategory='person'"
 Set rs = Com.Execute
 While not rs.eof
  intUAC=rs.fields("userAccountControl")
  If intUAC AND ADS_UF_ACCOUNTDISABLE Then
    response.write rs.fields("name")&" is disabled.<br>"
  End If
 rs.movenext
Wend
 rs.close
 set rs=nothing
 con.close
 set con=nothing
%>
</body>
</html>
spaulding (TechnicalUser) (OP)
10 Feb 04 9:13
zcolton, Thanks for the help.  Unfortunately, I'm getting an error at the same point in the script.  In this particular instance, I get this message

Provider error '80004005'

Unspecified error

/test/test1test.asp, line 23
 Line 23 is the "Set rs = Com.Execute"

As I read your script, it looks like I should be able to run that without modification on my network, is that correct?
If so, and since I can get a list of disabled accounts if I use a WinNT binding (albeit slow), I'm wondering if there is something preventing this in the setup of our network.

We're running W2K Server; I'm logged in to the domain controller, my intranet server (where the asp page is located) and my client machine with the same network administrator account. We migrated from WinNT about 18 months ago; is there some way we might have disabled LDAP (or not enabled it)?
zcolton (IS/IT--Management)
10 Feb 04 9:23
You won't need to change the script. Is the web server a domain controller, or at least a domain member?
You may need to update MDAC on the web server.
You will also need to confirm that at least one of the domain controllers houses the global catalog. If you're not sure, change GC:// to LDAP://.
Be sure that anonymous access is either disabled for this asp page, or the account used for anonymous access is a domain account that has the correct rights to search Active Directory.
spaulding (TechnicalUser) (OP)
10 Feb 04 14:57
The web server is a domain member and is running MDAC version 2.8.  I've tried changing the GC:// to LDAP:// and the anonymous access is disabled for the page.  Still no change.  

The error message is still:

Provider error '80004005'

Unspecified error

/test/test1test.asp, line 23

The entire script is included below (just in case)

Line 23 is still the Set RS=com.execute
<%@ Language=VBScript %>
<%
Option Explicit
response.buffer = True
Dim con,rs,Com,objADsPath,objDomain,objADOU,intUAC
Const ADS_UF_ACCOUNTDISABLE = 2
%>
<html>
<head>
</head>
<body topmargin="0" leftmargin="0" bgcolor="#CCCCCC">
<%
 Set objDomain = GetObject ("LDAP://rootDSE")
 response.write "Test 2"
 objADsPath = objDomain.Get("defaultNamingContext")
 Set objDomain = Nothing
 Set con = Server.CreateObject("ADODB.Connection")
 con.provider ="ADsDSOObject"
 con.open "Active Directory Provider"
 Set Com = CreateObject("ADODB.Command")
 Set Com.ActiveConnection = con
 Com.CommandText ="select userAccountControl,name from 'LDAP://"+objADsPath+"' WHERE objectCategory='person'"
 Set rs = Com.Execute
 While Not rs.eof
  intUAC=rs.fields("userAccountControl")
  If intUAC And ADS_UF_ACCOUNTDISABLE Then
    response.write rs.fields("name")&" is disabled.<br>"
  End If
 rs.movenext
Wend
 rs.close
 Set rs=nothing
 con.close
 Set con=nothing
%>
</body>
</html>

Again, I appreciate your help.
gtwood (Programmer)
9 Mar 04 12:17
spaulding,

     Did you ever get an answer to this problem?  I am having the exact same issue.

Thanks,
zcolton (IS/IT--Management)
9 Mar 04 12:25
The problem is security.
Change the security access of the asp page (or the directory it is in) to basic, or set it to anonymous using a domain account that can access Active Directory. First try basic and log in using a domain account. If your IIS server is not a domain controller, Integrated Authentication will not work. I can explain why, but try the basic setting for now. The asp page I posted on Feb 9 will work on any system.
spaulding (TechnicalUser) (OP)
9 Mar 04 16:52
zcolton,
That worked!  I'm still trying to get a handle on the security/authentication issues with respect to ASP and Active Directory though.  Like most projects, this one has evolved.  We are now trying to give a regular user the capability to unlock these accounts.  As my script is now written with your suggestions, I have to authenticate with an administrator account/password to unlock the account.  If I use a user account, I get the general access denied error.  
I'm trying to figure out how to address the problem and I think these are my options:  1) Figure out a way to give a regular user elevated permissions in Active Directory - a scary thought or 2) Figure out how to pass the administrator permissions through the ASP page. Can (and should) I pass the account and password when I do my binding?
I'd appreciate your advice on how to proceed from here.
zcolton (IS/IT--Management)
9 Mar 04 17:09
To give you a basic (very basic) description of security with respect to IIS and Active Directory, the authentication flow is as follows:
IIS has its authentication methods per site/folder/file configured in IIS. Security tokens generated from Integrated Authentication are good for the local machine resources of the server running IIS. Active Directory is a remote resource if the server running IIS is only a domain member and not a controller. The remote resource will request credentials. If a specific domain username and password are not passed, IIS uses a machine anonymous account, so authentication will fail. Microsoft has a knowledgebase article that explains this double-hop scenario much better and in more detail.
Give me a detailed description of your scenario and what you want to accomplish, and I can whip out an asp page and I will let you know what security issues that you may need to address.
spaulding (TechnicalUser) (OP)
9 Mar 04 17:40
zcolton,
I really appreciate the offer.  I'm the net admin for a small school district.  The students are forever forgetting their passwords or deliberately mistyping others' passwords and locking their accounts.  What I'd like to do is have a web page with access controlled by NTFS permissions on the IIS server (not a domain controller) where an authorized user can go, see a list of locked accounts, select an account and unlock it.  In my research so far, I've found a script and adapted it to do exactly that.  With your suggestion earlier today, it works when I enter an administrator id and password on script execution. But giving an administrator account to the user is something I'm not willing to do (I'm funny that way).  In the above post, you say
" If a specific domain username and password are not passed, IIS uses a machine anonymous account. SO then authentication will fail."
That's the crux of my problem, how do I pass the specific domain username and password?  I'll look for the MS KB article.
zcolton (IS/IT--Management)
9 Mar 04 20:59
spaulding,
I, too, am the net admin for a small school district (but a big network): 1 high school, 1 middle, 3 elementary separated by grade levels, 1600 workstations, 210 networked printers, 525 staff (all network users), 2300 student accounts for grades 5 and up.
Question: who do you want to grant access to have the ability to enable accounts: all staff? teachers? 1 person?
spaulding (TechnicalUser) (OP)
10 Mar 04 9:20
zcolton,
Our numbers are very similar.  I'm probably looking at a person in the office at each campus and the computer lab teachers (<10 total).  I'm using this script as a learning exercise, because we have AD setup to release the lock out after a few minutes.  If I can make this work, it'll be a nice to have item for the labs, but...The next phase of this project will be to build a page that allows an office worker to enable (not create) a student account when all the paperwork requirements are complete.  This will save me a lot of administrivial work and get the student's account turned on a lot faster.  Hence, my interest.
zcolton (IS/IT--Management)
10 Mar 04 10:56
Quick question: If the accounts are getting locked from users intentionally inputting invalid passwords, and all you want to do is unlock the accounts, are you using the lockout policy as a security measure? If not, you can disable the lockout security policy.
Quick note: an account being locked-out is not the same as an account being disabled.
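Added here as an example that is not part of the thread (Python rather than VBScript, so it runs without a directory): decoding userAccountControl the way the scripts above do (`intUAC And ADS_UF_ACCOUNTDISABLE`, with ADS_UF_ACCOUNTDISABLE = 2), extended to the other ADS_USER_FLAG bits worth reporting, and separating "disabled" from "locked out" as zcolton's note does. In AD the lockout is recorded in the lockoutTime attribute; the LOCKOUT bit shows up in the computed attribute msDS-User-Account-Control-Computed (and in the WinNT provider's UserFlags that the unlock script reads), not in userAccountControl itself. The lockoutTime/lockoutDuration arithmetic (positive 100 ns ticks) and the sample records are this example's own assumptions.

```python
from typing import List, Optional

# ADS_USER_FLAG values. Only ACCOUNTDISABLE (the thread's constant) lives in userAccountControl;
# LOCKOUT and PASSWORD_EXPIRED are reported in msDS-User-Account-Control-Computed.
ADS_UF_ACCOUNTDISABLE = 0x0002
ADS_UF_LOCKOUT = 0x0010
ADS_UF_PASSWD_NOTREQD = 0x0020
ADS_UF_NORMAL_ACCOUNT = 0x0200
ADS_UF_DONT_EXPIRE_PASSWD = 0x10000
ADS_UF_SMARTCARD_REQUIRED = 0x40000
ADS_UF_TRUSTED_FOR_DELEGATION = 0x80000
ADS_UF_DONT_REQUIRE_PREAUTH = 0x400000
ADS_UF_PASSWORD_EXPIRED = 0x800000

FLAG_NAMES = {
    ADS_UF_ACCOUNTDISABLE: "ACCOUNTDISABLE",
    ADS_UF_LOCKOUT: "LOCKOUT",
    ADS_UF_PASSWD_NOTREQD: "PASSWD_NOTREQD",
    ADS_UF_NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    ADS_UF_DONT_EXPIRE_PASSWD: "DONT_EXPIRE_PASSWD",
    ADS_UF_SMARTCARD_REQUIRED: "SMARTCARD_REQUIRED",
    ADS_UF_TRUSTED_FOR_DELEGATION: "TRUSTED_FOR_DELEGATION",
    ADS_UF_DONT_REQUIRE_PREAUTH: "DONT_REQUIRE_PREAUTH",
    ADS_UF_PASSWORD_EXPIRED: "PASSWORD_EXPIRED",
}

# Flags that weaken authentication for the account; worth listing in any audit report.
RISKY_FLAGS = (ADS_UF_PASSWD_NOTREQD, ADS_UF_DONT_REQUIRE_PREAUTH, ADS_UF_TRUSTED_FOR_DELEGATION)


def decode_uac(uac: int) -> List[str]:
    """Names of the known bits set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(FLAG_NAMES.items()) if uac & bit]


def is_disabled(uac: int) -> bool:
    """The same test as the thread's `If intUAC And ADS_UF_ACCOUNTDISABLE Then`."""
    return bool(uac & ADS_UF_ACCOUNTDISABLE)


def is_locked_out(lockout_time: int, lockout_duration: Optional[int] = None,
                  now: Optional[int] = None, uac_computed: Optional[int] = None) -> bool:
    """lockoutTime is a FILETIME (100 ns ticks); zero means the account was never locked.
    If the DC's computed flags are supplied they are authoritative. Otherwise the lock is
    in force while lockoutTime + lockoutDuration is still in the future (assumed positive
    duration); with no duration given, any non-zero lockoutTime counts as locked."""
    if uac_computed is not None:
        return bool(uac_computed & ADS_UF_LOCKOUT)
    if lockout_time == 0:
        return False
    if lockout_duration is None or now is None:
        return True
    return lockout_time + lockout_duration > now


def risky_flags(uac: int) -> List[str]:
    """Subset of RISKY_FLAGS present in the value, in RISKY_FLAGS order."""
    return [FLAG_NAMES[bit] for bit in RISKY_FLAGS if uac & bit]


def account_state(record: dict) -> str:
    """Classify one record into the states the thread distinguishes: disabled, locked out, or active."""
    uac = record["userAccountControl"]
    states = []
    if is_disabled(uac):
        states.append("disabled")
    if is_locked_out(record.get("lockoutTime", 0),
                     uac_computed=record.get("msDS-User-Account-Control-Computed")):
        states.append("locked out")
    return ", ".join(states) if states else "active"


# Constructed sample records, not real directory data.
SAMPLE_RECORDS = [
    {"name": "jsmith", "userAccountControl": 0x200, "lockoutTime": 0},
    {"name": "bjones", "userAccountControl": 0x202, "lockoutTime": 0},                        # disabled
    {"name": "cdoe", "userAccountControl": 0x200, "lockoutTime": 132_000_000_000_000_000},   # locked, not disabled
    {"name": "svc-old", "userAccountControl": 0x400220, "lockoutTime": 0},                    # no password / no preauth
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        uac = rec["userAccountControl"]
        print(rec["name"], account_state(rec), decode_uac(uac), risky_flags(uac))
```

The `risky_flags` list is the part the thread's scripts do not produce: a report that only shows disabled accounts says nothing about accounts that need no password or can be roasted because pre-authentication is off.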
spaulding (TechnicalUser) (OP)
10 Mar 04 11:05
zcolton,
I'm feeling good, in that I knew both of those items.  We want the lockout policy in effect to try to delay people figuring out other account passwords.  It would just be nice to have the capability to unlock the account if circumstances warrant.  Also, I figure if I can get the permissions right to do this, I can get them set for the enabling accounts which is a bigger pain for me.  I did realize the difference and I've found some scripts which should accomplish the enabling account function (if I can get permissions right)
zcolton (IS/IT--Management)
10 Mar 04 12:11
Give me a little time and I'll find the security answer. Could you post the asp pages that you have. I would like to take a look.
spaulding (TechnicalUser) (OP)
10 Mar 04 12:57
Here's the code for the unlock script:


<!-- #INCLUDE FILE="./COMMON/HEADER.INC" -->
<!-- #INCLUDE FILE="./COMMON/FUNCTIONS.INC" -->
<!-- #INCLUDE FILE="./COMMON/UserFlags.INC" -->

<!-- Chapter 4. UnlockAccount.asp -->

<html>
<body>
<H2> Account Unlocker </H2>
<HR>

<%

Dim GroupObj, Member, UserObj, Flags
'On Error Resume Next

If Request.Form("AccountName") = "" Then
   Set GroupObj = GetObject("WinNT://server/Users")
   If Err Then adsiErr()
   Response.Write "The following accounts have been locked out <BR>"

%>
   <FORM METHOD=POST ACTION="UnlockAccount.asp">
   <SELECT NAME="AccountName" >
   <OPTION> ** Select an Account **
<%
   For Each Member In GroupObj.Members
       If Member.Class = "User" Then
'       response.write Member.Name & "<br>"
          Set UserObj = GetObject(Member.ADsPath)
          Flags = UserObj.get("UserFlags")
          If (Flags And UF_LOCKOUT) <> 0 Then
             Response.Write  "<OPTION Value='" & Member.ADsPath & "'>"  & Member.Name
          End If
       End If
   Next

%>
   </SELECT>
   <INPUT TYPE=SUBMIT VALUE="UnLock This Account">
   </FORM>

<%
   Response.End
End If

If Request.Form("AccountName") <> "" Then
   Set UserObj = GetObject(Request.Form("AccountName"))
   If Err Then adsiErr()
   Response.Write "Unlocking the account for <B>" & UserObj.Name & "</B>... <BR>"

   Flags = UserObj.get("UserFlags")
   Response.Write "User Flags On Entry" & HEX(Flags) & "<BR>"

   UserObj.Put "UserFlags", Flags Xor UF_LOCKOUT
   If Err Then adsiErr()
   Response.Write "User Flags Applied <BR>"

   UserObj.SetInfo
   If Err Then adsiErr()
   Response.Write "Set Info Applied <BR>"

   Flags = UserObj.get("UserFlags")
   Response.Write "New User Flags Retrieved: " & HEX(Flags) & "<BR>"

   If (Flags And UF_LOCKOUT) <> 0 Then
      Response.Write  "Account Locked: " & HEX(Flags)
   Else
      Response.Write  "Account Unlocked : " & HEX(Flags)
   End If

End If

%>
</body>
</html>


I got it out of a book called "ADSI ASP" by Steven Hahn.
zcolton (IS/IT--Management)
10 Mar 04 14:52
Security:
Without screwing around too much, the user accounts that you want to grant access to manipulate user accounts could just be added to the domain security group "Account Operators"
But this action will provide more access to the user account than just enable/disable
zcolton (IS/IT--Management)
15 Mar 04 7:16
I found this at Microsoft.com:

How To Delegate the Unlock Account Right
http://support.microsoft.com/default.aspx?scid=kb;en-us;294952&Product=win2000
Gitcho (Programmer)
17 May 04 12:48
Hi all ... found this thread off google a while ago, and have been following closely ... thanks zcolton for your willingness to contribute ...  I've followed all that was said, and am now running into a different security problem.

I'm trying to do a simple search for a user(s) based on sAMAccountName. My script will work in DOS from my own workstation, but not on remote IIS server ...

note: script combination of code from this forum & Hilltop Labs (http://www.rlmueller.net/ADOSearchTips.htm)

Here's my working DOS script for sAMAccountName search:

CODE

Option Explicit

Dim objRootDSE, strDNSDomain, objCommand, objConnection, strQuery
Dim objRecordSet, strName, strDN
Dim strBase, strFilter, strAttributes
Dim oArgs

Set oArgs = WScript.Arguments

' Determine DNS domain name from RootDSE object.
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")

' Use ADO to search Active Directory.
Set objCommand = CreateObject("ADODB.Command")
Set objConnection = CreateObject("ADODB.Connection")
objConnection.Provider = "ADsDSOObject"
objConnection.Properties("User ID") = "DOMAIN\Account"
objConnection.Properties("Password") = "xxxxxx"
objConnection.Open "Active Directory Provider"
objCommand.ActiveConnection = objConnection

' Search for all user objects. Sort recordset by DisplayName.
strBase = "<LDAP://" & strDNSDomain & ">"
strFilter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=" & oArgs(0) & "*))"
strAttributes = "distinguishedName,displayName,mail"
strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"

objCommand.CommandText = strQuery
objCommand.Properties("Page Size") = 100
objCommand.Properties("Timeout") = 30
objCommand.Properties("Cache Results") = False
objCommand.Properties("Sort On") = "displayName"
Set objRecordSet = objCommand.Execute

If objRecordSet.EOF Then
    Wscript.Echo "User not found"
    Wscript.Quit
End If

' Loop through results
Do Until objRecordSet.EOF
    Wscript.Echo "Display Name: " & objRecordSet.Fields("displayName")
    Wscript.Echo "Email Address: " & objRecordSet.Fields("mail")
    Wscript.Echo "Distinguished Name: " & objRecordSet.Fields("distinguishedName")
    objRecordSet.MoveNext
Loop

' Clean up.
objConnection.Close
Set objRootDSE = Nothing
Set objCommand = Nothing
Set objConnection = Nothing
Set objRecordSet = Nothing

And here's my ASP function :

CODE


Function getUserInfo(ntUsername)
    
    Dim objRootDSE, strDNSDomain, objCommand, objConnection, strQuery
    Dim objRecordSet, strName, strDN
    Dim strBase, strFilter, strAttributes
    
    ' Determine DNS domain name from RootDSE object.
    Set objRootDSE = GetObject("LDAP://RootDSE")
    strDNSDomain = objRootDSE.Get("defaultNamingContext")
    
    ' Use ADO to search Active Directory.
    Set objCommand = CreateObject("ADODB.Command")
    Set objConnection = CreateObject("ADODB.Connection")
    objConnection.Provider = "ADsDSOObject"
    objConnection.Properties("User ID") = "DOMAIN\account"
    objConnection.Properties("Password") = "xxxxxx"
    objConnection.Open "Active Directory Provider"
    objCommand.ActiveConnection = objConnection
    
    ' Search for all user objects. Sort recordset by DisplayName.
    strBase = "<LDAP://" & strDNSDomain & ">"
    strFilter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=" & ntUsername & "*))"
    strAttributes = "distinguishedName,displayName,mail"
    strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
    
    objCommand.CommandText = strQuery
    objCommand.Properties("Page Size") = 100
    objCommand.Properties("Timeout") = 30
    objCommand.Properties("Cache Results") = False
    objCommand.Properties("Sort On") = "displayName"    
    Set objRecordSet = objCommand.Execute
    
    If objRecordSet.EOF Then
        Response.Write "User not found"
        Exit Function
    End If
    

    ' Loop through results
    Do Until objRecordSet.EOF
        Response.Write "Display Name: " & objRecordSet.Fields("displayName")
        Response.Write "Email Address: " & objRecordSet.Fields("mail")
        Response.Write "Distinguished Name: " & objRecordSet.Fields("distinguishedName")
        objRecordSet.MoveNext
    Loop
    
    ' Clean up.
    objConnection.Close
    Set objRootDSE = Nothing
    Set objCommand = Nothing
    Set objConnection = Nothing
    Set objRecordSet = Nothing
        
End Function


This will work from DOS, but I get "Provider (0x80004005)
Unspecified error" from my page - it's choking on the "objCommand.Execute" line.

The IIS Server is NOT a domain controller, and I believe it's set to basic authentication (pretty sure). I've hard coded the username/pass, but it's not working.

Any ideas ?

Thanks much ...
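The getUserInfo() function above splices ntUsername straight into the LDAP filter string. As an added example that is not part of the original post (Python rather than VBScript, so it can be run stand-alone), here is that filter built the same unsafe way beside a version that escapes the value per RFC 4515, plus an allow-list check on the username before it reaches the directory. The 20-character limit is the sAMAccountName limit for user objects; the permitted character set is an assumed local naming policy, and the sample inputs are constructed.

```python
import re

# RFC 4515 section 3: these characters must be hex-escaped inside a filter assertion value.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied string so it can only be matched literally inside an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter_unsafe(nt_username: str) -> str:
    """The filter exactly as the ASP getUserInfo() builds it: raw concatenation."""
    return "(&(objectCategory=person)(objectClass=user)(sAMAccountName=" + nt_username + "*))"


def build_filter_safe(nt_username: str) -> str:
    """Same search; the user-supplied value is escaped, and the trailing wildcard is ours, not the user's."""
    return ("(&(objectCategory=person)(objectClass=user)(sAMAccountName="
            + escape_filter_value(nt_username) + "*))")


# Allow-list applied before the value goes anywhere near the directory (assumed naming policy).
_SAM_RE = re.compile(r"^[A-Za-z0-9._-]{1,20}$")


def is_plausible_sam_account_name(nt_username: str) -> bool:
    """True only for values that look like a logon name under the assumed policy."""
    return bool(_SAM_RE.match(nt_username))


def assertion_count(ldap_filter: str) -> int:
    """Number of literal '(' in a filter. Each one opens an assertion or operator, so a user
    value that adds any is rewriting the query instead of being matched by it."""
    return ldap_filter.count("(")


if __name__ == "__main__":
    # Constructed inputs: a normal username and an attempt to widen the search to every object with a mailbox.
    for typed in ("jsmith", "*)(mail=*"):
        unsafe, safe = build_filter_unsafe(typed), build_filter_safe(typed)
        print("input:", repr(typed))
        print("  unsafe:", unsafe, "->", assertion_count(unsafe), "parens")
        print("  safe:  ", safe, "->", assertion_count(safe), "parens")
        print("  allow-listed:", is_plausible_sam_account_name(typed))
```

With the unsafe builder, `*)(mail=*` turns the three-assertion query into one with an extra `(mail=...)` term; with escaping it stays a literal search for a name beginning with `*)(mail=*`, which matches nothing. Use both layers: reject implausible input, and escape whatever you do pass on.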
zcolton (IS/IT--Management)
18 May 04 11:26
The error you are receiving is from a security issue.
Remove the hard-coded username and password from the ASP.
In IIS, on the directory with this ASP, disable all security access except anonymous. Change the anonymous account used for that directory from the normal IIS anonymous account (IUSR_machinename) to a domain account (DOMAIN\username) with the password. Uncheck "Allow IIS to control password". The domain account needs to be able to read items in the Active Directory. I believe any domain account in the default user group ("Domain Users") has that access unless you have made custom changes to Active Directory security. It may also help to apply application settings for that directory. On the "Directory" tab under "Application Setting" select create. Execute permissions would be scripts only and application protection would be medium. These settings are not required, but have helped out a few people.
Note: The account used for anonymous access will need access to the directory. Make sure that you check the ACLs for the folder and files contained within.
Note: Searching the global catalog (GC://) is faster than searching LDAP (LDAP://). You will need to do some testing to make sure that all of the info you will need to retrieve is available in the global catalog. M$ has a few knowledgebase articles explaining how to see which Active Directory fields are also synchronized to the GC, plus ways to add fields if you want them included.
--- 99% of the time when connections to remote resources are done from IIS, security settings/configurations cause the most problems.

-zcolton
zcolton (IS/IT--Management)
18 May 04 11:32
For more info check out this thread:
It's title:
Example of ASP LDAP query string?

http://www.tek-tips.com/viewthread.cfm?SQID=356151&SPID=774&page=1
spaulding (TechnicalUser) (OP)
25 May 04 10:41
Well, I stepped back and took another look at the problem and think I found the answer.  I wanted to be able to delegate several important but menial administrative duties to other, non-administrator, users.  What I ended up doing, is reworking my Active Directory OUs to include an additional sublayer of OUs with specific group policies applied to them (e.g. a no-Internet OU with a GPO that points to a non-existent proxy server etc.). Then I made the people I wanted to give the administrative duties account operators.  Next I wrote two scripts. One to display a list of users in each sub-OU complete with a checkbox and submit button.  This called the second script which uses the MoveHere method to move the checked users from one sub-OU to the other thereby changing the policy. On my IIS server, I set the authentication method for these scripts to basic (it's an Intranet so clear text is a little less of a problem). Finally, I put the scripts in folders on my IIS server with access permissions for only the specified users.

I just got this working, so now we're testing this, but can anyone see any obvious flaws?

Scripts
moveuser.asp script
<%
On Error Resume Next

' Bind to RootDSE to discover the domain naming context (Path is not used below)
Set RootDse=GetObject ("LDAP://RootDse")
Path="LDAP://" & RootDse.get("DefaultNamingContext")

' Enumerate the source OU and offer each object as a checkbox
Response.write "HS-Students:<br>"
Set ou=GetObject("LDAP://OU=AllStudents,OU=HS-Users,OU=High School,OU=Campuses,DC=FISD,DC=org")
count=0
response.write "<form method='post' action='moveuser_execute.asp'>"
For Each obj In ou
    count=count+1
    response.write count & " <INput type='checkbox' name='users' value='" & obj.Name & "'>" & obj.FullName & "<br>"
Next
response.write "<input type='submit' value='Enable accounts'></form>"
%>

moveusers_execute.asp

<%Option Explicit%>

<%
Dim userid          'individual user RDN ("CN=...") as submitted by the form
Dim srccontainer    'source OU distinguished name
Dim dcon            'destination container object
Dim ldapdst         'LDAP destination string (not used below)
Dim ldapuser        'LDAP user string
Dim rootdse
Dim path

' Bind to RootDSE to discover the domain naming context (Path is not used below)
Set RootDse=GetObject ("LDAP://RootDse")
Path="LDAP://" & RootDse.get("DefaultNamingContext")

srccontainer="OU=AllStudents,OU=HS-Users,OU=High School,OU=Campuses,DC=FISD,DC=org"

' Move each checked user out of the source OU into the NoInternet OU
For Each userid In request.form("users")
    ldapuser="LDAP://" & userid & "," & srccontainer
    Set dcon=GetObject("LDAP://OU=NoInternet,OU=HS-Users,OU=High School,OU=Campuses,DC=FISD,DC=org")
    dcon.MoveHere ldapuser, userid
    Response.write userid & " account moved."
    Set dcon = Nothing
Next
%>
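The execute page above moves whatever arrives in Request.Form("users"): the RDN from the POST body is concatenated onto the source container and handed to MoveHere, so the only thing standing between a tampered form value and the directory is the account operator's own permissions. As an added example that is not part of the original post (Python rather than VBScript, so it runs without a directory), this shows the check that page lacks: re-enumerate the source OU on the server and act only on RDNs that are really its children, and escape any RDN value you build yourself per RFC 4514. The OU names are taken from the scripts above; the directory contents are constructed stand-ins for the ADSI calls.

```python
# Containers from the moveuser scripts above.
SRC_OU = "OU=AllStudents,OU=HS-Users,OU=High School,OU=Campuses,DC=FISD,DC=org"
DST_OU = "OU=NoInternet,OU=HS-Users,OU=High School,OU=Campuses,DC=FISD,DC=org"


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use inside an RDN (RFC 4514 section 2.4):
    backslash-escape , + " \\ < > ; and NUL, plus a leading '#' or space and a trailing space.
    This is the same backslash form ADSI hands back in obj.Name, e.g. 'CN=Smith\\, Carol'."""
    out = []
    for ch in value:
        if ch in ',+"\\<>;':
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    s = "".join(out)
    if value[:1] in ("#", " "):
        s = "\\" + s
    if len(value) > 1 and value.endswith(" "):
        s = s[:-1] + "\\ "
    return s


def rdn_for_cn(cn: str) -> str:
    """RDN for a user with the given common name."""
    return "CN=" + escape_rdn_value(cn)


def enumerate_source_ou() -> list:
    """Stand-in for `For Each obj In ou` over SRC_OU: constructed data, not a directory call."""
    return [rdn_for_cn(cn) for cn in ("Ann Example", "Bob Example", "Smith, Carol")]


def plan_moves(submitted_rdns, source_rdns):
    """Split form input into (allowed, rejected). Only RDNs that are actual children of the
    source OU are moved, so a crafted value such as 'CN=Mallory,OU=Staff' never reaches MoveHere."""
    allowed_set = set(source_rdns)
    allowed, rejected = [], []
    for rdn in submitted_rdns:
        (allowed if rdn in allowed_set else rejected).append(rdn)
    return allowed, rejected


def move_source_path(rdn: str) -> str:
    """The ADsPath the execute page passes to MoveHere, built only from an allow-listed RDN."""
    return "LDAP://" + rdn + "," + SRC_OU


if __name__ == "__main__":
    # Constructed POST body: two genuine checkbox values plus one tampered value.
    form_users = ["CN=Ann Example", "CN=Mallory,OU=Staff", rdn_for_cn("Smith, Carol")]
    allowed, rejected = plan_moves(form_users, enumerate_source_ou())
    for rdn in allowed:
        print("would MoveHere", move_source_path(rdn), "->", DST_OU)
    for rdn in rejected:
        print("rejected", rdn)
```

The allow-list is what makes the page safe to expose to non-administrators: the set of things the page can move is decided by a server-side enumeration of one OU, not by the browser. Logging the rejected values is also the cheapest detection you will get for someone poking at the form.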
almoes (Programmer)
16 Jun 04 8:47
Hi,

I am trying to run this code on an asp file but get an error.


function exeQuery(queryStr) {

try
    {var oConn = new ActiveXObject("ADODB.Connection");}
  catch(err)
    {Response.write("Err: " + err.number.toString(16) + " desc: " + err.description);}
try
    {oConn.Open (cst);}
  catch(err)
    {Response.write("Err: " + err.number.toString(16) + " desc: " + err.description);}
try
    {oConn.Execute(queryStr);}
  catch(err)
    {Response.write("Err: " + err.number.toString(16) + " desc: " + err.description);}

try
    {oConn.Close();}
  catch(err)
    {Response.write("Err: " + err.number.toString(16) + " desc: " + err.description);}
}

var cst="Provider=ADSDSOObject;User ID=Directory Manager;Password=pwd;"

var str="SELECT cn FROM 'LDAP://172.17.17.115:8404/o=mydomain.com' WHERE objectClass='User'";

I get 'Table does not exist' error. It's not an Active Directory server, but this string should work, doesn't it?
thanxs.
alej


exeQuery(str);
almoes (Programmer)
16 Jun 04 11:30
Now I tried the example from http://www.4guysfromrolla.com/webtech/041800-1.shtml. It's possible to connect and it retrieves the info because I can count the records; however, if I use the loop from the example to print the field, I get the following error:

Multiple-step OLE DB operation generated errors. Check each OLE DB status value, if available. No work was done.

Any ideas?? thanxs.
alej
extremadura (MIS)
29 Jul 04 15:18
I wrote this piece of code on a w2k server with IWA on and am getting results. However, my question is that I have to specify the field names to be retrieved. Many of them are commonly known like ADSPath, MAIL; the sapcostcenter is probably something of a custom attribute. Is there a way in the query that I can supply and get the field collection and use some sort of upper-bound controls (enumeration) like recordset.fields("0").Name, likewise? Our AD consists of a large number of fields and I am not getting results if I try UID, UserID which I think are quite valid attributes.

CODE

<HTML>
<HEAD>

</HEAD>
<BODY>

<% Response.Write("ASP" & " is available") %>

<%

Set objConnection = Server.CreateObject("ADODB.Connection")
objConnection.Open "Provider=ADsDSOObject;"

Set objCommand = Server.CreateObject("ADODB.Command")
objCommand.ActiveConnection = objConnection

Response.write "hello"
objCommand.CommandText ="<LDAP://ou=users,ou=BARTLESVILLE,dc=conoco,dc=net>;(objectClass=*);"&_
"ADSPath,MAIL,sapcostcenter,CN;subtree"



' Set search preferences.
objCommand.Properties("Page Size") = 5000
objCommand.Properties("Timeout") = 60 'seconds

Set objRecordSet = objCommand.Execute
Response.Write  "****************************************"& "<BR>"
While Not objRecordSet.EOF
 Response.Write  i & "&nbsp"
 Response.Write  "CN--"  &objRecordSet.Fields("CN")& "&nbsp"
  Response.Write  "SAP--"& objRecordSet.Fields("SAPCOSTCENTER")& "&nbsp"

 Response.Write  "<BR>"
 i =i+1
 objRecordSet.MoveNext
 Wend

 objConnection.Close

%>


Came back
</BODY>
</HTML>
rescueswimmer (MIS)
29 Jul 04 16:30
Good thread guys!
In spaulding's last post it looks like he was connecting to AD in the ASP code just as he would in a straight vbscript - did you have success with this? When I tried, I got a 80072020 error (couldn't really find anything on that one).
I'm trying to create security groups from information entered on a form.  
any thoughts?
RhythmAddict112 (Programmer)
11 Aug 04 11:15
Fantastic Thread.
I'm having a different sort of problem concerning querying my AD Server via ASP.
I'm in the process of moving an existing application from a SQL Server to Oracle.  This also means that I am changing web server.  The application queries our AD server, and works without issue.  On the new server, this is not the case.  I receive the following error:

Error Type:
Provider (0x80040E37)
Table does not exist.

As I mentioned, the code is identical and works on the old server. My questions are basically: what could cause this error? What other items do I need to have in place in order for LDAP to work? I have a user account hard coded into my ASP code that I use to hit the AD server; what kind of privileges does that account need to have in order to retrieve information from the AD server? I have to assume that my problem lies in the application configuration in IIS or with the user account I am using to query the server. Your help and suggestions are appreciated, thank you.
appnair (Programmer)
11 Aug 04 15:39
The query will work only on servers on which Integrated Windows authentication is turned on. Lots of references are available on how to do this in this area.

CODE

objCommand.CommandText ="<LDAP://ou=users,ou=BARTLESVILLE,dc=conoco,dc=net>;(objectClass=*);"&_
"ADSPath,MAIL,sapcostcenter,CN;subtree"

Observe this: I was running this from a computer that was called powbd150.conoco.net on the Domain Component and querying for organizational users, users and Bartlesville. This IIS 5 webserver had IWA on.
This is the theory that makes it work, I think. I am a novice. Also the ADSI interfaces need to be present, as can be evidenced by the Server.CreateObject call; if it is not there those lines will fail. I think since you are getting an error code that appears to have executed the ADSI, try a well-known attribute like cn or something.

Always acknowledge a fault. This will throw those in authority off their guard and give you an opportunity to commit more.
Mark Twain

appnair

WillShakespeare (MIS)
19 Aug 04 7:40
I have to agree with RythmAddict... this is a good thread!

Anyway, I am new to using LDAP, but am in a critical situation where I NEED to do this. The situation is that I need to query our Domain controller in our network, from a Web Server, and pass back from the DC (Win2K3) a single number which is a value which will be used by our web server for a bespoke app.
We are storing this number in the home-phone field in a newly created "client" AD object.
Now, I started on this thread and am trying zcolton's "works anywhere" script. Initially I got the unspecified error, and as I know my IIS and web server security inside out, I tried changing GC: to LDAP:
I made progress! However, the script stopped on line objDomain = GetObject (the RootDSE line), saying that the domain could not be found. So I entered the domain manually:
Set objDomain = GetObject ("LDAP://mydomain")

But then it gets stuck on the next line:
objADsPath = objDomain.Get("defaultNamingContext")

saying:
The_directory_property_cannot_be_found_in_the_cache

Now, admittedly I am testing this script on my workstation with IIS (so my workstation is the web server for now), which of course is on the network with the DC... could this be the trouble?

Can anyone help?

TIA,

Will
zcolton (IS/IT--Management)
19 Aug 04 8:32
Will,

It seems the machine hosting IIS to test your asp page cannot access the domain. I'm assuming your machine is a domain member and you are logging onto the domain and not the local machine. If so, to test your script, save it as a vbscript file and run it locally. Have the script display the data you want to retrieve in a message box. This may help you in testing the script itself. When you know the script is functional, then try having it run in an asp page. Post your script here and I can take a look at it.

Zac
netquestions (Programmer)
14 Oct 04 19:31
I am kind of having the same IIS/ASP/Active Directory security issue.
I am looking at the initial posts of this thread and saw that IIS will not work with IIS integration.

Strangely, "IIS Integrated authentication" works for me, but when I change the IIS server date to one day after the Active Directory data, I am getting the error

Provider error '80040e14'
Table does not exist

Not sure why this is happening? The IIS server is a domain member and I am logged in as a domain member.
zcolton (IS/IT--Management)
14 Oct 04 22:01
"... i change IIS server date to one day after the Active Directory data "


?????

Zac
WillShakespeare (MIS)
18 Oct 04 7:05
Wow! It has been so long since last reply, I had moved on to other things!

I also got it working... originally I was thinking about security of my local machine as web server, and of the directory, etc., but then it dawned on me that the page's script was accessing the AD! After I realised this, I looked at using an account that had permission for AD (as you originally stated, and I misread!), and voila! It all came together!

Thanks for all your help! ;)

Will
ebroo (MIS)
25 Oct 04 14:51
Hi all, I've been reading through this thread and as I attempt to implement something similar to what everyone is posting about (Win2k3 environment, trying to do a simple ASP page to query Active Directory) I keep running into error '8007007f'.

For example: (as posted by zcolton I believe)

<%@ Language=VBScript %>
<%
Option Explicit
Dim con,rs,Com,objADsPath,objDomain
%>
<html>
<head>
</head>
<body bgcolor="#CCCCCC">
<%
' Read the domain naming context from the RootDSE of the Global Catalog
Set objDomain = GetObject ("GC://RootDSE")
objADsPath = objDomain.Get("defaultNamingContext")
Set objDomain = Nothing
Set con = Server.CreateObject("ADODB.Connection")
con.provider ="ADsDSOObject"
con.open "Active Directory Provider"
Set Com = CreateObject("ADODB.Command")
Set Com.ActiveConnection = con
' & is the VBScript string concatenation operator (+ works on strings too, but is ambiguous)
Com.CommandText ="select department from 'GC://" & objADsPath & "' WHERE department ='*'"
Set rs = Com.Execute

' Test EOF only: "Not rs.EOF Or rs.BOF" evaluates to True on an empty recordset
Do While Not rs.EOF
    Response.Write rs("department") & "<BR>"
    rs.MoveNext
Loop
rs.Close

con.Close
Set rs = Nothing
Set con = Nothing
%>
</body>
</html>

This results in an error such as:

error '8007007f'
/2/7.asp, line 16


Any thoughts appreciated!

Edward
ebroo@phillips.com
spaulding (TechnicalUser) (OP)
25 Oct 04 15:32
When I started this thread, I had run into that error and what little information I could find on the net said to try upgrading to MDAC version 2.8.  You might give that a shot.
zcolton (IS/IT--Management)
25 Oct 04 15:35
I agree with spaulding
ebroo (MIS)
25 Oct 04 17:16
First thing I tried :)
asapjim (Programmer)
7 Jan 05 20:33
Hi, I have a number of web pages that have been using LDAP to check if a user was a member of a particular group.  This was working until our network admin upgraded the domain controller to Windows 2003.  Now I am getting an error when I try to create an ADODB connection.  Following is the implementation up to the point of failure.  Any ideas??  Any help would be greatly appreciated as this is a production site and a number of my users are being blocked from a number of functions.

On Error Resume Next   ' without this, an error aborts the page and the Err.Number checks below never run

Set oRootDSE = GetObject("LDAP://RootDSE")

sDomainADsPath = "LDAP://" & oRootDSE.Get("defaultNamingContext")
Set oRootDSE = Nothing

Set oCon = Server.CreateObject("ADODB.Connection")
If oCon Is Nothing Then
    Response.Write "failed to create the connection object"
    Response.End
End If

oCon.Provider = "ADsDSOObject"

If Err.Number <> 0 Then
    Response.Write "error setting provider <br>"
    Response.Write Err.Number
    Response.Write Err.Description
    Response.End
    'the error that I am getting is 424 Object required
End If


toadlife (Programmer)
4 Feb 05 16:54
I am trying something similar, only my IIS web server is not a member of the domain I am trying to query. Joining the web server to the domain is not an option, as it would be a serious security problem.

Using the scripts posted here, I cannot get anything to work.

Here is a script that I am using to try and access my AD:

CODE

<%@ Language=VBScript %>
<%
Option Explicit
response.buffer = true
Dim con,rs,Com,objADsPath,objDomain,objADOU,intUAC
%>
<html>
<head>
</head>
<body>
<%
 ' Bind to a named DC rather than RootDSE, since this server is not a domain member
 Set objDomain = GetObject ("LDAP://coadc02.whccd.com")
 objADsPath = "dc=whccd,dc=com"
 Set objDomain = Nothing
 Set con = Server.CreateObject("ADODB.Connection")
 con.provider ="ADsDSOObject"
 con.open "Active Directory Provider"
 Set Com = CreateObject("ADODB.Command")
 Set Com.ActiveConnection = con
 Com.CommandText ="select name from 'LDAP://dc=whccd,dc=com'"
 Set rs = Com.Execute
 While not rs.eof
    response.write rs.fields("name") &"<br>"
    rs.movenext
 Wend
 rs.close
 set rs=nothing
 con.close
 set con=nothing
%>
</body>
</html>

I have IIS6 set up to use a local account named "domainquery" and have created a domain account called "domainquery" - both with the same password, hoping that this would allow IIS to query our AD.
With the above page, I get the error:

Provider error '80040e37'

Table does not exist.

/login/index.asp, line 20
toadlife (Programmer)
4 Feb 05 17:34
Hello again. I have an update on my post above. We have a test web server, which is basically a mirror (software-wise) of our live web server. I joined our test server to our domain and the script I posted above works perfectly. So I know the script above is not flawed. The problem is our live web server is not and never will be a member of our domain. If anyone can tell me how to make the above script work on a server that is not a member of the domain, please do tell. This is frustrating me to no end.
WillShakespeare (MIS)
7 Feb 05 8:06
I would have thought you'd need to open the LDAP ports through to the domain controller.
Have a look at this web site:
LDAP from ADO and Web Pages

hth,

Will
toadlife (Programmer)
7 Feb 05 13:38
Thanks for the tip, but this code gives me:

Provider error '80040e09'

Permission denied.

I'm using the correct password, and I'm pretty sure the credentials are being passed correctly.

CODE

<%@ Language=VBScript %>
<%
Option Explicit
response.buffer = true
' ReturnValue and I are used below, so Option Explicit requires them to be declared
Dim conn,rs,Com,objADsPath,objDomain,objADOU,intUAC,SQLStmt,ReturnValue,I
%>
<html>
<head>
</head>
<body>
<%
SQLStmt = "SELECT cn " & _
          "FROM 'LDAP://myldapserver.mydomain.com:389/o=mydomain.com' " & _
          "WHERE objectClass='*'"
Set Conn = CreateObject("ADODB.Connection")
Conn.Provider = "ADSDSOObject"
' Explicit bind: the user DN and password are passed as the Open arguments
Conn.Open "ADs Provider","cn=administrator,ou=domainadmins,ou=useraccounts,o=whccd.com","password"
Set rs = Conn.Execute(SQLStmt)
' Test EOF only: "Not rs.EOF Or rs.BOF" evaluates to True on an empty recordset
Do While Not rs.EOF
   ReturnValue = rs.Fields(0)
   ' Multi-valued attributes come back as arrays
   If IsArray(ReturnValue) Then
        For I = LBound(ReturnValue) To UBound(ReturnValue)
            If ReturnValue(I) <> "" Then
                Response.Write ReturnValue(I) & "<BR>"
            End If
        Next
   Else
        Response.Write ReturnValue & "<BR>"
   End If
   rs.MoveNext
Loop
rs.Close
Set rs = Nothing
Conn.Close
Set Conn = Nothing
%>
</body>
</html>
toadlife (Programmer)
7 Feb 05 13:41
BTW: On the script above I removed "whccd.com" (our domain name) to make the script generic, but I forgot to remove it on one line. I *do* have the correct domain on every line in my code. ;)
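The standalone test zcolton recommends (save the query as a .vbs and run it outside IIS) combined with the explicit-credential bind toadlife needs for a web server that is not a domain member, as an added example that is not from any post in this thread. It binds as a dedicated read-only domain user instead of an administrator DN and passes the credentials through the ADsDSOObject "User ID", "Password", "Encrypt Password" and "ADSI Flag" connection properties rather than the Conn.Open argument form; dc1.example.com, DC=example,DC=com and EXAMPLE\svc-ldapread are placeholders.

```vbscript
' Standalone test: cscript //nologo adquery.vbs   (added example, not code from the thread)
' Assumes a reachable DC dc1.example.com and a dedicated read-only domain account;
' every host, DN and account name below is a placeholder.
Option Explicit

' ADS_AUTHENTICATION_ENUM values accepted by the "ADSI Flag" connection property
Const ADS_SECURE_AUTHENTICATION = &H1    ' Kerberos/NTLM bind instead of a plaintext simple bind
Const ADS_SERVER_BIND           = &H200  ' the path names a specific server; skip the domain lookup

Dim strServer, strBaseDN, strUser, strPassword
strServer   = "dc1.example.com"          ' placeholder DC host name
strBaseDN   = "DC=example,DC=com"        ' placeholder domain naming context
strUser     = "EXAMPLE\svc-ldapread"     ' placeholder: an ordinary Domain User, not an admin
strPassword = InputBox("Password for " & strUser)   ' prompt instead of hard-coding it in a page

Dim conn, cmd, rs
Set conn = CreateObject("ADODB.Connection")
conn.Provider = "ADsDSOObject"
' Explicit credentials let a non-domain-member server authenticate to the DC
conn.Properties("User ID")          = strUser
conn.Properties("Password")         = strPassword
conn.Properties("Encrypt Password") = True
conn.Properties("ADSI Flag")        = ADS_SECURE_AUTHENTICATION Or ADS_SERVER_BIND
conn.Open "Active Directory Provider"

Set cmd = CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
' Same SQL dialect as the thread's ASP scripts; the server name goes in the LDAP path
cmd.CommandText = "SELECT cn, department FROM 'LDAP://" & strServer & "/" & strBaseDN & _
                  "' WHERE objectCategory='person' AND objectClass='user'"
cmd.Properties("Page Size") = 500        ' paged results; AD caps a single unpaged page at 1000

Set rs = cmd.Execute
If rs.EOF Then                           ' test EOF alone; "Not EOF Or BOF" is True on an empty set
    WScript.Echo "No results: check credentials, base DN and that TCP 389 to the DC is reachable"
End If
Do While Not rs.EOF
    WScript.Echo rs.Fields("cn").Value & vbTab & rs.Fields("department").Value
    rs.MoveNext
Loop
rs.Close
conn.Close
```

Once this prints the expected rows from the DC, the same connection properties can be moved into the ASP page, keeping the read-only service account and secure bind rather than an administrator DN and cleartext password.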
