Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations TouchToneTommy on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Enumerating NT4 users in LDAP groups

Status
Not open for further replies.
krinid

krinid

Programmer
Jun 10, 2003
356
CA
How can I enumerate WinNT domain user and/or group members in an LDAP group object?

The problem I have is that when I try the above, I loop through the members of an LDAP group, and when I get to a WinNT domain object (user or group), the name of the object is displaying as the SID instead of the actual (canonical) name of the object itself. If I view the group via ADUC, it shows up fine.

eg:
- there's two domains LDAPdomain1 (an Active Directory domain), and WinNTdomain2 (a WinNT domain)
- there's a group LDAPdomain1\group1 which has members:
- LDAPdomain1\user1
- WinNTdomain2\user2
- WinNTdomain2\group2

Usually I'd use the following code to enumerate NT4 domain users:
Set objUser = GetObject("WinNT://WinNTdomain2/user2,user")

and the following for dealing with LDAP groups:
Set objGroup = GetObject ("LDAP://cn=group1,ou=...,dc=LDAPdomain1,...")
For Each objMember In objGroup.members
WScript.Echo "MEMBER: " & objMember.name
WScript.Echo "Canonical name: " & objMember.canonicalName
Next

NOTE: the 'canonical name' used in the code above is always blank, regardless of whether the object is LDAP or WinNT. Am I using the wrong property name? It's not generating an error, so it appears to be valid, but not populated.

And this works fine for LDAP members (user and/or groups) but when a WinNT domain user or group comes along, the result is not the actual user or group name, but a SID, which seems to come from the foreign security principal. eg: instead of displaying the name 'user2' when it's processing WinNTdomain2\user2, it displays CN=S-1-2-34-5678901234-5678901234-5678901234-56789. However, note that when I view the group LDAPdomain1\group1 in ADUC, it displays fine (ie: I can see the member inside the group; the header bar when I double click the WinNT object iself still shows up as the SID, but the canonical name on the Object tab shows up correctly).
 
Sort by date Sort by votes
Where are you running this script? I am asking because if the machine from which you are running this script cannot resolve both domains from DNS/WINS, then it will only resolved sids to names for users in your domain.

Just as a quick test, try to ping both domains from the machine that you are running the scripts from.
 
Upvote 0 Downvote
The domains can both be resolved fine. I can access both domains fine, just not the NT4 objects embedded in LDAP objects (ie: when they're group members).
 
Upvote 0 Downvote
you can use the WinNT provider to return any AD or NTDomain user group membershipt info.

sounds like youhave a security setting in the way or a replication problem
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

bdwilcox
  • Question
Trying to adapt VBScript to search if machine is in an AD group 6
Replies
8
Views
797
SoftwareRT
SoftwareRT
Z3braa
  • Locked
  • Question
Remove specific computer name in Logon Workstation from from all users in AD, with VBScript
Replies
0
Views
122
Z3braa
Z3braa
lunter
  • Locked
  • Question
How to create vbArray+vbByte (8209) in *.vbs stript
Replies
0
Views
155
lunter
lunter
Michastro
  • Locked
  • Question
Send an order to an IP power in VBS
Replies
0
Views
144
Michastro
Michastro
Don Child
  • Locked
  • Question
Oracle connection works while debugging in VBSEdit, but not when run from the command line. 1
Replies
2
Views
168
Don Child
Don Child

Part and Inventory Search

Sponsor

Back
Top