
Query subtree remote forest/domain


markdmac (MIS, US) - Dec 20, 2003
I've long been using the following awesome function posted in an FAQ by K0b3. This works great when the user is in the same domain as you. But not when they are not.

Code:
Public Function SearchDistinguishedName(ByVal vSAN)
    ' Function:     SearchDistinguishedName
    ' Description:  Searches the DistinguishedName for a given SamAccountName
    ' Parameters:   ByVal vSAN - The SamAccountName to search
    ' Returns:      The DistinguishedName, or an empty string when there is no match
    Dim oRootDSE, oConnection, oCommand, oRecordSet

    ' Escape the LDAP filter metacharacters (RFC 4515) so a caller-supplied
    ' name cannot change the meaning of the filter; the backslash goes first
    vSAN = Replace(vSAN, "\", "\5c")
    vSAN = Replace(vSAN, "*", "\2a")
    vSAN = Replace(vSAN, "(", "\28")
    vSAN = Replace(vSAN, ")", "\29")

    Set oRootDSE = GetObject("LDAP://rootDSE")
    Set oConnection = CreateObject("ADODB.Connection")
    oConnection.Open "Provider=ADsDSOObject;"
    Set oCommand = CreateObject("ADODB.Command")
    oCommand.ActiveConnection = oConnection
    ' Subtree search of the caller's own domain naming context
    oCommand.CommandText = "<LDAP://" & oRootDSE.Get("defaultNamingContext") & _
        ">;(&(objectCategory=User)(samAccountName=" & vSAN & "));distinguishedName;subtree"
    Set oRecordSet = oCommand.Execute

    ' An empty recordset has no current row: test EOF instead of hiding
    ' the resulting error behind On Error Resume Next
    SearchDistinguishedName = ""
    If Not oRecordSet.EOF Then
        SearchDistinguishedName = oRecordSet.Fields("distinguishedName").Value
    End If

    oRecordSet.Close
    oConnection.Close
    Set oRecordSet = Nothing
    Set oCommand = Nothing
    Set oConnection = Nothing
    Set oRootDSE = Nothing
End Function

I've just started working at a government job for a county in Arizona. They have several forests and each forest has several domains. My user ID has access rights throughout the enterprise. I tried editing the above code as follows by hard coding the LDAP path, but I don't get any results returned.

Code:
Public Function SearchDistinguishedName(ByVal vSAN)
    Dim oConnection, oCommand, oRecordSet

    ' Escape the LDAP filter metacharacters (RFC 4515); the backslash goes first
    vSAN = Replace(vSAN, "\", "\5c")
    vSAN = Replace(vSAN, "*", "\2a")
    vSAN = Replace(vSAN, "(", "\28")
    vSAN = Replace(vSAN, ")", "\29")

    Set oConnection = CreateObject("ADODB.Connection")
    oConnection.Open "Provider=ADsDSOObject;"
    Set oCommand = CreateObject("ADODB.Command")
    oCommand.ActiveConnection = oConnection
    ' Hard-coded naming context of the remote domain
    oCommand.CommandText = "<LDAP://DC=public_defender,DC=county,DC=gov" & _
        ">;(&(objectCategory=User)(samAccountName=" & vSAN & "));distinguishedName;subtree"
    ' Without On Error Resume Next a bind or search failure is raised here
    ' instead of looking like "no results"
    Set oRecordSet = oCommand.Execute

    SearchDistinguishedName = ""
    If Not oRecordSet.EOF Then
        SearchDistinguishedName = oRecordSet.Fields("distinguishedName").Value
    End If

    oRecordSet.Close
    oConnection.Close
    Set oRecordSet = Nothing
    Set oCommand = Nothing
    Set oConnection = Nothing
End Function

My user ID is located under DC=root,DC=county,DC=gov.

Anyone have any idea why this would fail or how to get it to work? Ideally I would prefer to not have to hard code at all and have the entire enterprise searched no matter what forest or domain the user exists in.

Any help is greatly appreciated.
 
Try changing the command text to something similar to search the GC instead. Also, it looks like you forgot to add .value to your distinguished name recordset field result attempt:

Const ADS_SCOPE_SUBTREE = 2

Function SearchDistinguishedName(ByVal ask)
    Dim ADconn, ADcmd, recSet, objCategory
    objCategory = "user"

    ' The value is placed inside a quoted literal of the ADSI SQL dialect, so
    ' refuse anything that could terminate that literal rather than let it
    ' rewrite the query
    SearchDistinguishedName = ""
    If InStr(ask, "'") > 0 Then Exit Function

    Set ADconn = CreateObject("ADODB.Connection")
    Set ADcmd = CreateObject("ADODB.Command")
    ADconn.Open "PROVIDER=ADsDSOObject"
    Set ADcmd.ActiveConnection = ADconn
    ' GC:// searches the Global Catalog, i.e. every domain of the forest
    ADcmd.CommandText = "Select Name, distinguishedName from 'GC://DC=domain,DC=com' " & _
        "where objectCategory='" & objCategory & "' and sAMAccountName='" & ask & "'"
    ADcmd.Properties("Page Size") = 1000
    ADcmd.Properties("Searchscope") = ADS_SCOPE_SUBTREE

    Set recSet = ADcmd.Execute
    ' No MoveFirst: it raises an error on an empty recordset; EOF covers that case
    Do Until recSet.EOF
        SearchDistinguishedName = recSet.Fields("distinguishedName").Value
        recSet.MoveNext
    Loop
    recSet.Close
    ADconn.Close
End Function

- Brandon Wilson
MCSE:Security00/03; MCSA:Security03
MCSA:Messaging00; MCP; A+
IT Pangaea (
 
Thanks for the reply Brandon, I will give this a try today and report back if it is successful or not.

Regards,

Mark
 
Regrettably this did not solve the problem either. It seems the problem is that there are only one-way trusts enabled between the domains. What I don't understand, though, is why ADUC can find users if I select Entire Directory as the location. If I could figure out what the actual query is that ADUC uses, then I could get this to work.

I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at
Work SMARTER not HARDER. The Spider's Parlor's Admin Script Pack is a collection of Administrative scripts designed to make IT Administration easier! Save time, get more work done, get the Admin Script Pack.
 
Wait, if there are one-way trusts only, then either these things are not in the same forest, or else somebody has configured that environment to be in an unsupportable configuration that should be corrected...

So all in the same forest or no?

- Brandon Wilson
 
The structure is flat, with multiple forests and domains in each forest. Regrettably it cannot be changed. The structure apparently evolved over time as different departments of the government were forced to join together from a technology perspective.

When I was shown the Visio diagram of the trusts I almost fell over. Seriously, I didn't know Visio could keep track of so many lines in a single diagram. It is scary.

I hope you find this post helpful.

Regards,

Mark

 
Ah, OK. The "Entire Directory" selection really is a reference to a single forest. I would expect that this problem does not exist from the forest root to child domains within the same forest.

I don't know of a way to get around your problem other than to correct the trusts to be two-way and nest your enterprise admin level account inside Enterprise Admins in all other forest roots and any individual one-off domains... then opening the ports for LDAP and GC functions...

- Brandon Wilson
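The two points of the thread, searching the Global Catalog instead of one domain's naming context and the dead end that one-way trusts produce, in one added PowerShell example. This is not code from the thread or from either poster: it escapes the account name before placing it in the LDAP filter (the thread's snippets concatenate it raw), queries the GC of the caller's own forest, then tries the GC of every forest or domain named in a trust and returns, per target, either the DN found or the error the trust produced. Assumptions: a domain-joined Windows host with System.DirectoryServices (ships with .NET), the LDAP filter dialect rather than the SQL dialect used in the earlier reply, `GC://<DNS name>` to reach a GC of the target forest, and the function names and the account name `jdoe`, which are mine.

```powershell
# Added example, not code from the thread.  Assumes a domain-joined Windows host and
# Windows PowerShell 5.1 or later; System.DirectoryServices ships with the .NET Framework.
# Function names and the sample account 'jdoe' are constructed for the example.
Add-Type -AssemblyName System.DirectoryServices

function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping for a value placed inside an LDAP filter.  Backslash is
    # replaced first so the escapes added afterwards are not themselves re-escaped.
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Value)
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace("`0", '\00')
}

function Find-UserInForest {
    # Search one forest's Global Catalog.  GC://<forest DNS name> lets the DC locator
    # pick a GC of that forest; the search base is the GC root, so every domain is covered.
    param(
        [Parameter(Mandatory)][string]$ForestDnsName,
        [Parameter(Mandatory)][string]$SamAccountName,
        [System.Management.Automation.PSCredential]$Credential
    )
    $filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$(ConvertTo-LdapFilterValue $SamAccountName)))"
    $root = if ($Credential) {
        # Explicit credentials for a forest that will not accept the caller's own token
        [System.DirectoryServices.DirectoryEntry]::new("GC://$ForestDnsName",
            $Credential.UserName, $Credential.GetNetworkCredential().Password)
    } else {
        [System.DirectoryServices.DirectoryEntry]::new("GC://$ForestDnsName")
    }
    $searcher = [System.DirectoryServices.DirectorySearcher]::new($root, $filter, [string[]]@('distinguishedName'))
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
    $searcher.PageSize = 1000
    try {
        foreach ($r in $searcher.FindAll()) { [string]$r.Properties['distinguishedname'][0] }
    } finally {
        $searcher.Dispose(); $root.Dispose()
    }
}

function Find-UserAcrossForests {
    # Try the local forest, then every forest or domain that appears in a trust.  The trust
    # direction is reported, not filtered on: where a one-way trust does not let our account
    # authenticate into the target, the search fails and the error lands in the result row,
    # which is the situation described in the thread.
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [System.Management.Automation.PSCredential]$Credential
    )
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

    $targets = @{}
    $targets[$forest.Name] = 'Local'
    foreach ($t in @($forest.GetAllTrustRelationships()) + @($domain.GetAllTrustRelationships())) {
        if (-not $targets.ContainsKey($t.TargetName)) { $targets[$t.TargetName] = $t.TrustDirection.ToString() }
    }

    foreach ($name in $targets.Keys | Sort-Object) {
        $row = [ordered]@{ Target = $name; TrustDirection = $targets[$name]; DistinguishedName = $null; Error = $null }
        try {
            $dns = @(Find-UserInForest -ForestDnsName $name -SamAccountName $SamAccountName -Credential $Credential)
            if ($dns.Count -eq 0) { [pscustomobject]$row }
            foreach ($dn in $dns) { $row.DistinguishedName = $dn; [pscustomobject]$row }
        } catch {
            $row.Error = $_.Exception.Message
            [pscustomobject]$row
        }
    }
}

# Usage with a constructed account name; add -Credential (Get-Credential) for a forest
# that will not accept the logged-on user's token.
Find-UserAcrossForests -SamAccountName 'jdoe' | Format-Table -AutoSize
```

A row whose Error column is filled is the one-way-trust case from the thread: the GC was located but the bind was refused, so the fix is on the trust or the credential, not in the query. The escaping step matters even in an admin script, because the account name usually comes from a ticket or a spreadsheet and a stray `*` or `)` otherwise turns an exact match into a wildcard or a malformed filter.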
 