
SelfADSI - The LDAP / ADSI Scripting Tutorial
ADSI Error Codes and Runtime Error Handling

ADSI requests can fail for many reasons: the LDAP server is unreachable, the authentication data is incorrect, the user doesn't have the required permissions, or the object or the attributes used in the script don't exist or can't be accessed in this particular way.

 

The following contents are available here:

 

ADSI Error Codes
Converting Error Codes : Decimal <> Hex
Handling Runtime Errors for ADSI in Scripts

 


ADSI Error Codes


In the following you will find a list of potential error return codes when scripting with ADSI. Fundamental information can be gained from the Microsoft Developer Network (MSDN) and the Knowledge Base:

Common ADSI error codes
Win32 error codes for ADSI
Win32 error codes for ADSI 2.0

Specific error codes for ADO usage

 

 

Error codes, especially in MSDN, are given in hexadecimal notation. However, during the runtime of a VBScript, error codes are displayed as negative decimal numbers. The section "Conversion of Error Codes : Decimal <> Hex" further down explains how to convert between the two values.

 

Error Code (Decimal) Error Code (Hex) Explanation
-2147467259 0x80004005

ADO_UNSPECIFIED

This number doesn't indicate a specific reason for the error, but it will always occur if there are problems in ADO requests, e.g. if you forgot to pass the search scope (Subtree, OneLevel etc.) within your request string.

This error can occur even without using ADO when you have a type mismatch while writing an object attribute (for example if you use the ADSI method Put() to fill an integer or string attribute with a floating point number). In this case you should convert the value into a string first.

-2147463168 0x80005000

ADS_BAD_PATHNAME

This error occurs when the LDAP path given in an LDAP BIND request on an object or in an ADODB request is invalid. Maybe you tried to access a nonexistent object with a GetObject() call, or there was a typing error in the distinguished name of the requested object.

You can get more information about this in the following SelfADSI tutorial topic: "LDAP Pathnames - Distinguished Names".

-2147463160 0x80005008

ADS_BAD_PARAMETER

There are different reasons for this error: One of the parameters used in an ADSI function is invalid - regarding either the data type or logic. The error occurs e.g. during a call with the ADSI function Delete() for an object when the indicated object class was incorrect. Or when no array was used as first parameter for a GetInfoEx() call.

-2147463156 0x8000500C

ADS_TYPE_CANNOT_BE_CONVERTED

This error occurs when you try to access a provider specific attribute without using the necessary techniques. Some directory services return the values of their attributes in this special syntax format. Instead of using the normal access methods like Get() and GetEx(), you have to use the ADSI function GetPropertyItem().


You can find a description of the access methods for provider specific attributes in the SelfADSI tutorial under the topic "Provider Specific Attributes".

-2147463155 0x8000500d

ADS_PROPERTY_NOT_FOUND

This error will occur if you try to access attributes that aren't located in the so-called property cache. This cache has been built up with the functions GetObject, GetInfo or GetInfoEx. It could also be an operational attribute that isn't automatically built in the cache but has to be requested explicitly from the directory. Or there is a simple typing error in the specification of the attribute.

-2147217911 0x80040e09

ADO_PERMISSION_DENIED

An ADO call failed because the user account used for a directory BIND authentication had no appropriate permissions.

-2147217900 0x80040e14

ADO_INVALID_SEARCH_FILTER_SYNTAX

This error may occur when trying to perform an ADODB search in the directory. The search fails when the ADO search string is syntactically incorrect. This applies not only to the LDAP filter which is part of the ADO command string: if you have any syntax error in your command string, you will encounter this error code.

-2147217865 0x80040e37

ADO_SEARCH_TABLE_DOES_NOT_EXIST

This error can occur when trying to perform an ADODB search in the directory. It fails when the specified LDAP server is unreachable or the passed LDAP path in which objects are searched doesn't exist. But there are LDAP servers (e.g. Novell NetWare) that return this error code when the user ID used in the ADO request doesn't exist!

-2147024891 0x80070005

ADS_INSUFFICIENT_RIGHTS

An ADSI call failed because the user account used for a directory BIND authentication hadn't enough permissions.

-2147024865 0x8007001f

LDAP_OTHER

An unspecific error that may have many different reasons. Often this error occurs when trying to nest AD groups in other groups without considering the group scope (global groups may contain groups of other domains; local domain groups can't be nested in groups from other domains etc.)

This error can also occur during the creation of AD objects when special characters (e.g. \ / = , etc.) occur, or rather aren't encoded correctly, within the relative distinguished name or in other name attributes.

-2147023570 0x8007052e

LDAP_INVALID_CREDENTIALS

This error will occur if the user name passed during a BIND authentication in the directory doesn't exist or if the password is invalid. It may also be that the server doesn't allow simple cleartext authentication.

-2147019886 0x80071392

LDAP_ALREADY_EXISTS

This error occurs when the ADSI method Create() is applied to a container object and the distinguished name of the object you want to create already exists.

-2147016694 0x8007200a

LDAP_NO_SUCH_ATTRIBUTE

This error occurs when trying to read a nonexistent attribute into the property cache of an object with the ADSI function GetInfoEx().

-2147016691 0x8007200d

LDAP_ATTRIBUTE_OR_VALUE_EXISTS

This error occurs primarily when you try to add members to a group that are already members of this group.

-2147016682 0x80072016

LDAP_NOT_ALLOWED_ON_RDN

This error will occur if you want to change the relative distinguished name of an object but this operation is not allowed by the directory server. Alternatively, you could try to rename the respective object with the ADSI move function.

-2147016671 0x80072021

LDAP_PROTOCOL_ERROR

This error occurs e.g. when passing the wrong data type while writing attributes. Several attributes require a distinguished name as their value. If you pass a simple string to the Put method for such an attribute, you get this error code.

-2147016661 0x8007202b

LDAP_REFERRAL

This error code occurs e.g. when passing an incorrect distinguished name to the OpenDSObject method of a Windows 2000 ADS, especially when the name of the naming context is incorrect (for example, when an invalid domain name is specified).

-2147016657 0x8007202f

LDAP_CONSTRAINT_VIOLATION

An internal requirement of the directory service wasn't fulfilled. Maybe an attempt was made to create an Exchange mailbox with an indefinite SMTP address, or to create an ADS user object that doesn't have a login name.

Another example: There are attributes that must contain the distinguished name of another directory object (e.g. in recipient redirections of mailboxes). The constraint violation appears when trying to write arbitrary text into such an attribute.

Another possibility is that an attempt was made to nest groups within a mixed mode environment, which is impossible there.

-2147016656 0x80072030

LDAP_NO_SUCH_OBJECT

This error is similar to ADS_BAD_PATHNAME (0x80005008) - during the BIND process, the LDAP path of a nonexistent object was passed. The peculiarity here is that the error code ADS_BAD_PATHNAME is always returned in ADS environments, whereas other LDAP servers (e.g. Novell eDirectory environments) return LDAP_NO_SUCH_OBJECT.

-2147016654 0x80072032

LDAP_INVALID_DN_SYNTAX

This error occurs when a distinguished name used for the creation of objects contains invalid characters.

-2147016651 0x80072035

LDAP_UNWILLING_TO_PERFORM

The LDAP server refuses to perform the requested operation. This error code occurs when trying to change the password of an ADS user via ADSI with a password that doesn't comply with the demands of the domain policies (i.e. it is too short, too simple or used earlier). It also occurs when trying to change attributes which can only be changed by the security account manager (e.g. lastLogon).

This error also occurs in the context of ADS schema manipulations. Either it wasn't allowed to change the schema or the schema master domain controller wasn't reachable, or another schema extension was active.

-2147016649 0x80072037

LDAP_NAMING_VIOLATION

This error occurs in the context of the creation of objects or the access to their attributes. The reason is the usage of an invalid LDAP path, e.g. when you want to create an organizational unit with description cn=.... .

-2147016646 0x8007203a

LDAP_SERVER_DOWN

This error code occurs when the addressed server is unreachable during a BIND authentication in the directory. This can occur due to underlying network problems. A firewall may block the used LDAP port, or the LDAP service isn't active on the destination host.

-2146827850 0x800a01b6

METHOD_OR_PROPERTY_NOT_SUPPORTED

This error occurs in LDAP and directory scripting for example when you try to directly access an object attribute with the syntax "objectname.attributename". If you misspell the attribute name, you get this error code. The error code means that the given attribute doesn't exist for that particular object class.

You can find a description of the access methods for object attributes in the SelfADSI tutorial under the topics "Reading object attributes" and "Writing object attributes".

     

 


Conversion of Error Codes : Decimal <> Hex

 

Can't find an entry for a runtime error code (e.g. -2147217911) in Microsoft's online documentation? Convert the value into hexadecimal - Microsoft refers to the corresponding hexadecimal error codes throughout its documentation. You may find my Error Code Calculator helpful.

Generally, error codes appear as 32 bit DWORDs. In the case of runtime errors the codes are given as negative decimal numbers - a peculiarity of the data type used, 'Signed Integer'. In MSDN, however, positive hex values are documented as error codes. The conversion between decimal and hex values works as follows: The number 4294967296 has to be added to the negative decimal number. This is the hex number 0x100000000 - it represents the lower limit to a negative DWORD number. The calculated value can now be converted easily into a hex number - this number is exactly the official hex error code.

 

Example:

 

Runtime Error    -2147217911 (dec)
+                 4294967296 (dec)
______________________________
=                 2147749385 (dec) => 0x80040E09 (hex)

 


Runtime Error Handling for ADSI in Scripts

 

To keep a VBScript from stopping with a runtime error during ADSI calls, the statement On Error Resume Next is used. The script then keeps on running, and the error code can be evaluated in the system variable Err.Number and its system description in Err.Description.

Every important ADSI call in a script should be protected against runtime errors as shown in the following example:

 

On Error Resume Next

' Bind to the user object; on failure report the error and stop
Err.Clear
Set user = GetObject("LDAP://everest.himalay.net/cn=Michael Sandt,ou=Consultants,dc=himalaya,dc=net")
If (Err.Number <> 0) Then
    WScript.Echo "Error: " & Err.Number
    WScript.Echo Err.Description
    WScript.Quit 2
End If

' Change the attribute in the property cache, then write it to the directory
user.DisplayName = "Michael Sandt (Vancouver)"
Err.Clear
user.SetInfo
If (Err.Number <> 0) Then
    WScript.Echo "Error: Attribute could not be written"
    WScript.Quit 3
End If
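
The decimal/hex conversion and the error check described above can be combined into reusable helpers. The following is an added example, not code from the original tutorial; the function names ErrToHex, HexToErr, Win32Code and AdsiFailed are hypothetical, and the two errors are raised artificially with values from the table so that the script runs without a directory server. It goes one step beyond the text by also extracting the Win32 error number from codes of the form 0x8007nnnn.

```vbscript
Option Explicit

' Signed decimal Err.Number -> hex notation used in the documentation.
' Hex() on a negative Long returns its 32-bit two's complement form, the same
' value the manual "+ 4294967296" calculation gives. Adding 4294967296 inside
' the script is unnecessary and produces a value outside the Long range.
Function ErrToHex(ByVal errNumber)
    ErrToHex = "0x" & Right("00000000" & Hex(CLng(errNumber)), 8)
End Function

' Hex notation (with or without "0x") -> signed decimal as shown at runtime.
Function HexToErr(ByVal hexText)
    If LCase(Left(hexText, 2)) = "0x" Then hexText = Mid(hexText, 3)
    HexToErr = CLng("&H" & hexText)
End Function

' Codes of the form 0x8007nnnn wrap a Win32 error; return nnnn as a decimal
' number, or -1 for every other code family.
Function Win32Code(ByVal errNumber)
    Win32Code = -1
    If Left(ErrToHex(errNumber), 6) = "0x8007" Then Win32Code = CLng(errNumber) And 65535
End Function

' Call directly after an ADSI statement. Returns True if that statement failed.
Function AdsiFailed(ByVal action)
    Dim num, desc
    num = Err.Number : desc = Err.Description   ' copy before anything resets Err
    Err.Clear
    AdsiFailed = (num <> 0)
    If Not AdsiFailed Then Exit Function
    WScript.Echo action & " failed: " & num & " (" & ErrToHex(num) & ")"
    If Win32Code(num) >= 0 Then WScript.Echo "  Win32 error: " & Win32Code(num)
    If desc <> "" Then WScript.Echo "  " & desc
End Function

' Constructed demonstration: raise two codes from the table instead of
' contacting a directory server, so the script runs offline.
On Error Resume Next
Err.Raise HexToErr("0x80040E09"), "demo", "constructed ADO error"
If AdsiFailed("ADO search") Then WScript.Echo "  -> handled, script continues"
Err.Raise -2147023570, "demo", "constructed bind error"
If AdsiFailed("Bind") Then WScript.Echo "  -> handled, script continues"
```

Run it with cscript.exe so that the WScript.Echo output goes to the console instead of message boxes.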
 

 

