Question

I managed to get ADS users without specifying authentication details from my ADS domain (e.g., mydomain.com). I used ADODB.Connection and ADODB.Command.

I also have sub-domains like test.mydomain.com. How can I get user details from a sub-domain by specifying the authentication details of a user belonging to test.mydomain.com?


Solution

You can query records from trusted domains by using their LDAP name as the search base. However, since the DC of the parent domain doesn't contain the information about objects in the child domain, it will generate a referral. The ADODB.Command object won't automatically chase that referral, because the respective named property "Chase referrals" defaults to 0x00 (ADS_CHASE_REFERRALS_NEVER). You have to set the property to one of the following two values

  • ADS_CHASE_REFERRALS_SUBORDINATE (0x20)
  • ADS_CHASE_REFERRALS_ALWAYS (0x60)

to make your query follow the referral. Example:

base   = "<LDAP://dc=test,dc=example,dc=org>"
filter = "(&(objectCategory=computer)(name=foo*))"
attr   = "name,description"
scope  = "subtree"

Set conn = CreateObject("ADODB.Connection")
conn.Provider = "ADsDSOObject"
conn.Open "Active Directory Provider"

Set cmd = CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandText = base & ";" & filter & ";" & attr & ";" & scope
cmd.Properties("Chase referrals") = &h60  ' <-- here

Set rs = cmd.Execute

I wrote a wrapper class (ADQuery) to encapsulate the boilerplate code for Active Directory queries (because I got fed up with writing it over and over again). With that you could simplify the above to something like this:

Set qry = New ADQuery
qry.SearchBase = "dc=test,dc=example,dc=org"
qry.Filter     = "(&(objectCategory=computer)(name=foo*))"
qry.Attributes = Array("name", "description")

Set rs = qry.Execute

Either way you may still need to run the script on a DC, though.
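
The same referral-chasing query with explicit credentials for an account in the child domain, which is what the question asks about. This is an added example, not code from the original answer; the domain components, the account name TEST\queryuser, the filter and the page size are placeholders chosen for illustration.

```vbscript
Option Explicit

' ADSI constants (values from the ADSI SDK headers)
Const ADS_SECURE_AUTHENTICATION  = &h1
Const ADS_CHASE_REFERRALS_ALWAYS = &h60

Dim base, filter, attr, scope, user, pass, conn, cmd, rs

' Placeholder search base for the child domain (assumption)
base   = "<LDAP://dc=test,dc=mydomain,dc=com>"
filter = "(&(objectCategory=person)(objectClass=user))"
attr   = "sAMAccountName,distinguishedName"
scope  = "subtree"

' Placeholder account in the child domain (assumption)
user = "TEST\queryuser"

' Read the password at run time instead of storing it in the script.
' Requires cscript.exe; note that ReadLine echoes the typed input.
WScript.StdOut.Write "Password for " & user & ": "
pass = WScript.StdIn.ReadLine

Set conn = CreateObject("ADODB.Connection")
conn.Provider = "ADsDSOObject"
conn.Properties("User ID")          = user
conn.Properties("Password")         = pass
conn.Properties("Encrypt Password") = True
' Secure (negotiated) bind rather than a simple bind with a cleartext password
conn.Properties("ADSI Flag")        = ADS_SECURE_AUTHENTICATION
conn.Open "Active Directory Provider"

Set cmd = CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandText = base & ";" & filter & ";" & attr & ";" & scope
cmd.Properties("Chase referrals") = ADS_CHASE_REFERRALS_ALWAYS
' Page the results so the server's per-query result limit does not truncate them
cmd.Properties("Page Size")       = 500

Set rs = cmd.Execute
Do Until rs.EOF
    WScript.Echo rs.Fields("sAMAccountName").Value & vbTab & _
                 rs.Fields("distinguishedName").Value
    rs.MoveNext
Loop

rs.Close
conn.Close
pass = ""   ' drop the script's reference to the password
```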

License: CC-BY-SA with attribution
Not affiliated with StackOverflow