Re: LDAP query returns data in parent domain but not from child do





"Richard Mueller [MVP]" wrote:

If you ran the query I suggested, using the GC provider and querying for the
member attribute of one group, then RecordCount would be one. However you
must enumerate the retrieved member attribute as an array. You don't say
what language or tool you are using, but the following should work in
VBScript (I use LDAP syntax rather than SQL, but that should not matter):
============
Option Explicit

Dim adoCommand, adoConnection, strBase, strFilter, strAttributes
Dim objRootDSE, strDNSDomain, strQuery, adoRecordset
Dim arrMembers, strMember

' Setup ADO objects.
Set adoCommand = CreateObject("ADODB.Command")
Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Open "Active Directory Provider"
adoCommand.ActiveConnection = adoConnection

' Search the Global Catalog, starting at the current domain's naming context.
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")
strBase = "<GC://" & strDNSDomain & ">"

' Filter on a specific group.
strFilter = "(distinguishedName=CN=GatdWillHamatyU,CN=Users,DC=child,DC=company,DC=com)"

' Comma delimited list of attribute values to retrieve.
strAttributes = "member"

' Construct the LDAP syntax query.
strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
adoCommand.CommandText = strQuery
adoCommand.Properties("Page Size") = 100
adoCommand.Properties("Timeout") = 30
adoCommand.Properties("Cache Results") = False

' Run the query.
Set adoRecordset = adoCommand.Execute

' Enumerate the resulting recordset.
Do Until adoRecordset.EOF
    ' Retrieve values and display. The member attribute is multi-valued,
    ' so it comes back as an array (or Null when it holds no values).
    arrMembers = adoRecordset.Fields("member").Value
    If IsNull(arrMembers) Then
        Wscript.Echo "No members"
    Else
        For Each strMember In arrMembers
            Wscript.Echo "Member: " & strMember
        Next
    End If
    ' Move to the next record in the recordset.
    adoRecordset.MoveNext
Loop

' Clean up.
adoRecordset.Close
adoConnection.Close
===============

I don't have a multi-domain setup to experiment with, so I'm not sure why
your query of a child domain doesn't work. You may need to post some code.
You can also use Joe Richards' free utility adfind to run queries.



http://joeware.net/freetools/tools/adfind/index.htm

--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--



"Howard Bullock" <HowardBullock@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:EB84CA8A-6534-4B68-AD33-A54C72D4208E@xxxxxxxxxxxxxxxx

Using the GC did not seem to work. Although the ADO object RecordCount
reports one row was returned, I could not retrieve any data from the
object. It appears to be empty.

This acts like my failed query; no error just no data.

There still seems to be a simple issue that should be resolvable. If the
query of the parent domain works:
select objectSid from 'LDAP://dc=company,dc=com' where memberof = 'CN=somegroup,CN=Users,DC=company,DC=com'

Then why wouldn't the same query construct, pointed to a child AD domain,
not work as well?

This fails:
select objectSid from 'LDAP://dc=child,dc=company,dc=com' where memberof = 'CN=GatdWillHamatyU,CN=Users,DC=child,DC=company,DC=com'

The groups in question could be any group type.

Are there other binding options that make sense?
Do LDAP queries to child domains default to using the parent domain's
available GC entries?
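
Both the filter in the script above and the memberof queries embed a group DN directly in the search string, which breaks (or changes the meaning of the filter) when the DN contains characters that are special in LDAP filters. The following is an added example, not code from either poster: the function names EscapeFilterValue and BuildMemberQuery are hypothetical and the sample DN is constructed.

```vbscript
Option Explicit

' Escape a value for use inside an LDAP search filter (RFC 4515).
' Handles the four printable special characters: \ * ( )
' The backslash is replaced first so that the escapes added afterwards
' are not escaped a second time. NUL is not handled here.
Function EscapeFilterValue(strValue)
    Dim strOut
    strOut = Replace(strValue, "\", "\5c")
    strOut = Replace(strOut, "*", "\2a")
    strOut = Replace(strOut, "(", "\28")
    strOut = Replace(strOut, ")", "\29")
    EscapeFilterValue = strOut
End Function

' Build an LDAP-dialect ADO query string that reads the member attribute
' of one group, in the same "<base>;filter;attributes;scope" layout
' used in the script above.
'   strProvider : "LDAP" or "GC"
'   strBaseDN   : search base, e.g. "DC=company,DC=com"
'   strGroupDN  : distinguished name of the group, unescaped
Function BuildMemberQuery(strProvider, strBaseDN, strGroupDN)
    BuildMemberQuery = "<" & strProvider & "://" & strBaseDN & ">;" _
        & "(distinguishedName=" & EscapeFilterValue(strGroupDN) & ")" _
        & ";member;subtree"
End Function

Dim strGroupDN

' Constructed sample DN: the group name contains an escaped comma and
' parentheses, all of which must be escaped before going into a filter.
strGroupDN = "CN=Ops\, Tier 1 (Admins),CN=Users,DC=child,DC=company,DC=com"

' Show the query string that would be assigned to adoCommand.CommandText.
Wscript.Echo BuildMemberQuery("GC", "DC=company,DC=com", strGroupDN)
```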



