Serverless binding is at the mercy of the security context of the
currently executing thread.  The formula seems to be that it works if
the current thread is a domain account and silently finds nothing if it
is a local machine account.

You rarely get surprised by this with WScript and other things where you
created the process explicitly, as it will get the security token of
whoever ran it.  You don't really have impersonation in scripting
scenarios, so the account for the process is the only thing that
matters.  Thus, if you are logged in with your domain account and run
the script, serverless binding is going to just work.

Things tend to be more surprising and less predictable in web
applications because the execution is so much more complex and there are
so many more options involved.  

For example, IIS has both a process identity and possibly an
authenticated identity that can be impersonated on each request thread.
The process could be SYSTEM, or possibly NETWORK SERVICE or even a
totally different account.  SYSTEM and NETWORK SERVICE will both use the
machine account for network credentials, so then it matters whether the
web server is a domain member or not.  If another process runs the
request, then its account identity matters.

Add on that the authenticated account might be impersonated and might be
local machine or domain depending on various IIS settings, who actually
authenticated if anyone, etc., and the results can tend to vary wildly.
There are just so many moving parts!

You can actually predict what is going to happen very well if you know
what type of account is going to be on your thread, but it is very easy
not to know this.

Regarding ASP itself, I'm with you all the way.  I hate it hate it hate
it.  I think my hatred stems from the fact that the whole model resists
all attempts at being designed.  It wants you to write spaghetti code.
I also don't think VBScript is a very good scripting language, but I
like websites to be compiled anyway.  Everything is better in .NET :)

Speaking of scripting, all the cool kids in my circle seem to be getting
into Python these days.  Anyone played with it here (AD scripting or
otherwise)?

Joe K.
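Joe K.'s point about knowing which account is on the thread, as an added diagnostic that is not from the thread: it reports the thread's account via the WScript.Network and ADSystemInfo COM objects, flags the local-account and NT AUTHORITY cases described above, and then attempts a serverless RootDSE bind so the failure shows up explicitly instead of as an empty result.

```vbscript
' Added diagnostic (not from the thread): report which account the current
' thread runs as and whether a serverless RootDSE bind succeeds from it.
' Runs under WSH; in an ASP page replace WScript.Echo with Response.Write.
Function DescribeBindingContext()
    Dim net, sysInfo, root, msg
    On Error Resume Next
    Set net = CreateObject("WScript.Network")
    msg = "Thread account: " & net.UserDomain & "\" & net.UserName & vbCrLf
    ' A local machine account reports the computer name as its "domain".
    If UCase(net.UserDomain) = UCase(net.ComputerName) Then
        msg = msg & "Local account: serverless binding finds nothing" & vbCrLf
    ElseIf UCase(net.UserDomain) = "NT AUTHORITY" Then
        ' SYSTEM / NETWORK SERVICE use the machine account on the network,
        ' so the result depends on whether this host is a domain member.
        msg = msg & "Service account: uses machine account credentials" & vbCrLf
    End If
    ' ADSystemInfo.UserName is the caller's DN; it fails for local accounts.
    Set sysInfo = CreateObject("ADSystemInfo")
    msg = msg & "Caller DN: " & sysInfo.UserName & vbCrLf
    If Err.Number <> 0 Then
        msg = msg & "ADSystemInfo failed (0x" & Hex(Err.Number) & "): " & _
              Err.Description & vbCrLf
        Err.Clear
    End If
    ' Serverless bind: only works when the thread token is a domain identity.
    Set root = GetObject("LDAP://RootDSE")
    If Err.Number <> 0 Then
        msg = msg & "Serverless RootDSE bind failed (0x" & Hex(Err.Number) & ")"
        Err.Clear
    Else
        msg = msg & "Serverless bind OK, default NC: " & _
              root.Get("defaultNamingContext")
    End If
    DescribeBindingContext = msg
End Function

WScript.Echo DescribeBindingContext()
```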

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, January 26, 2005 4:52 PM
To: [email protected]
Subject: RE: [ActiveDir] OT: limiting ldap query to single domain

I would like to add that ASP is funny. I have seen occasions where
serverless binding acts hokey but if you specify a server it works just
fine. In fact in the Notes from the Field book there is a cool website by
Dave Trulli called dsinfo that does a serverless bind to a DC of a domain
and retrieves the rootdse, it then uses the dnshostname returned in that
query to do the rest of the work.

Overall, I never really liked the ASP scripting model and tended to call
out to perl CGI scripts to do the work. Too often you hear about vbs that
works great until it hits an ASP page. Then you have to start debugging
access rights and even if those are fine the scripting engines I think
are different.

  joe

 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, January 26, 2005 4:17 PM
To: [email protected]
Subject: RE: [ActiveDir] OT: limiting ldap query to single domain

To do what you're after, you'll want to use ADSI with the LDAP provider
vs. the WINNT provider.

Joe gives a lot of great advice as a way to do what you're after.  

The query would look something like this with ado:
"<LDAP://yourdomaincontroller_for_that_domain/dc=domain,dc=com>;(&(objectClass=Person)(objectCategory=User));distinguishedName,name,telephonenumber;subtree"
in your code.

Here's an interesting article on getting the domain controllers:
http://www.microsoft.com/technet/scriptcenter/resources/qanda/dec04/hey1216.mspx

If you're using ASP.NET, this might be of interest:
http://www.15seconds.com/issue/020730.htm


For just plain old ordinary script ripping though, this one looks like a
pretty decent example:
http://cwashington.netreach.net/depo/view.asp?Index=1011&ScriptType=vbscript

(note the strLDAPpath variable and how its syntax is written; note: don't
use the whole script unless you want them to be able to disable the user
accounts :)
 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jason Benway
Sent: Wednesday, January 26, 2005 2:49 PM
To: '[email protected]'
Subject: RE: [ActiveDir] OT: limiting ldap query to single domain

It's a webpage ASP, since we are only reading, permissions shouldn't be a
problem.

jb 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, January 26, 2005 2:39 PM
To: [email protected]
Subject: RE: [ActiveDir] OT: limiting ldap query to single domain

Sure.  Is this VBSCRIPT?  What about permissions?  Do you have to worry
about that? 

Al 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jason Benway
Sent: Wednesday, January 26, 2005 2:20 PM
To: '[email protected]'
Subject: RE: [ActiveDir] OT: limiting ldap query to single domain

We are working on a phonelist using AD.
Because we have multiple domains and domain name spaces, I want to be able
to filter each search request by the domain.

I want to have a drop down to list the domains (a.com, b.com, c.com); they
are not subdomains, it is a flat forest.

Right now we can use the GC and pull information from the entire forest,
but we cannot get ldap to work for each domain.

A quick domain list

A.com
Server1.a.com (DC)
Server2.a.com (GC)


B.com
Server1.b.com (DC)
Server2.b.com (GC)


I need to be able to list users from each domain separately for the phone
list.

Hope this clears things up a little.

jb


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, January 26, 2005 1:50 PM
To: [email protected]
Subject: RE: [ActiveDir] OT: limiting ldap query to single domain

It would probably be better if you'd tell us what information you're after
and how you're going about getting it in your script.  If you can post the
logic or the whole script that would be helpful.

Keep in mind that the GC has a subset of information in it, so there are
times when you may need to go to the individual DC's to get the necessary
information.

al 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jason Benway
Sent: Wednesday, January 26, 2005 1:36 PM
To: '[email protected]'
Subject: [ActiveDir] OT: limiting ldap query to single domain

We have a large flat AD forest, with separate name spaces
(a.com, b.com, c.com, etc).

I have a few script questions.
First, is there a way to retrieve each domain name? Using winnt: doesn't
work.
Second, if I use GC, I can read information on all objects, but how can I
limit it so I can query only 1 domain at a time? If I use DC I have to
query a different DC for each domain.

Thanks, jb
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/