Name Translation: How to detect the LDAP path of a user
... if you know only the user's logon name.
In this scenario, the name can be a conventional NT logon name (the NT4-style DOMAIN\sAMAccountName, for example SELFADSI\philippfoeckeler, where the part after the backslash is the sAMAccountName attribute and the part before it is the NetBIOS name of the domain), or it can be a modern user principal name (UPN, for example philippfoeckeler@selfadsi.org).
A convenient method for these cases is offered by the IADsNameTranslate interface, which converts the names of objects in Active Directory domains from one format into another: not only logon names as in our case, but also display names, GUID strings, or canonical names (e.g. selfadsi.org/Users/Philipp Foeckeler). By the way, this works not only with users but also with groups, contacts, computer accounts and other objects.
The format we primarily want to obtain from the IADsNameTranslate conversion is the LDAP path name (the distinguished name), because that is what we need in order to bind to an Active Directory object. In the jargon of the IADsNameTranslate interface this LDAP DN is also called the "1779 name", because RFC 1779 was the original specification of the string form of distinguished names (it has since been superseded by RFC 2253 and RFC 4514, but the constant name stayed).
Access a user whose NT logon name is known
This script finds the LDAP path (= distinguished name) of an Active Directory user account from its NT logon name:
logonName = "SELFADSI\philippfoeckeler" 'insert the name of the user in question here (DOMAIN\sAMAccountName)
Const ADS_NAME_INITTYPE_GC = 3 'initialize against the global catalog, so names from any domain in the forest can be resolved
Const ADS_NAME_TYPE_NT4 = 3 'input format: DOMAIN\sAMAccountName
Const ADS_NAME_TYPE_1779 = 1 'output format: LDAP distinguished name
Set nto = CreateObject("NameTranslate") 'create the name translate object and convert the name
nto.Init ADS_NAME_INITTYPE_GC, "" 'the second argument (server or domain name) is not needed for GC initialization
nto.Set ADS_NAME_TYPE_NT4, logonName 'raises a runtime error if the name cannot be resolved
userDN = nto.Get(ADS_NAME_TYPE_1779) 'userDN contains the complete distinguished name now...
WScript.Echo userDN
Set user = GetObject("LDAP://" & userDN) '...which can be used to bind to the user object
WScript.Echo user.logonCount
Access a user whose UPN (User Principal Name) name is known
This script finds the LDAP path (= distinguished name) of an Active Directory user account from its User Principal Name:
logonName = "philippfoeckeler@selfadsi.org" 'insert the name of the user in question here (UPN)
Const ADS_NAME_INITTYPE_GC = 3 'initialize against the global catalog, so names from any domain in the forest can be resolved
Const ADS_NAME_TYPE_USER_PRINCIPAL_NAME = 9 'input format: user principal name
Const ADS_NAME_TYPE_1779 = 1 'output format: LDAP distinguished name
Set nto = CreateObject("NameTranslate") 'create the name translate object and convert the name
nto.Init ADS_NAME_INITTYPE_GC, "" 'the second argument (server or domain name) is not needed for GC initialization
nto.Set ADS_NAME_TYPE_USER_PRINCIPAL_NAME, logonName 'the input type must match the format of logonName; a UPN is not an NT4 name
userDN = nto.Get(ADS_NAME_TYPE_1779) 'userDN contains the complete distinguished name now...
WScript.Echo userDN
Set user = GetObject("LDAP://" & userDN) '...which can be used to bind to the user object
WScript.Echo user.logonCount
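The two scripts above differ only in the input type constant, and the interface accepts the other formats mentioned earlier (canonical name, GUID, display name) in the same way. The following PowerShell function is an added example, not code from the original page: it drives the same NameTranslate COM object, guesses the input format from the shape of the name, and returns the name in any requested output format (by default the 1779 distinguished name). It assumes a domain-joined machine where the calling user is logged on to the forest; the names in the usage lines are the page's placeholders, not real accounts. The NameTranslate object has no type library, so from PowerShell its methods have to be called through InvokeMember rather than directly.

```powershell
# Added example (not from the original page). Assumes a domain-joined host whose
# logged-on user can query the global catalog of the forest.

# IADsNameTranslate constants (ADS_NAME_INITTYPE_ENUM / ADS_NAME_TYPE_ENUM)
$ADS_NAME_INITTYPE_GC              = 3
$ADS_NAME_TYPE_1779                = 1   # LDAP distinguished name
$ADS_NAME_TYPE_CANONICAL           = 2   # selfadsi.org/Users/Philipp Foeckeler
$ADS_NAME_TYPE_NT4                 = 3   # SELFADSI\philippfoeckeler
$ADS_NAME_TYPE_DISPLAY             = 4   # display name
$ADS_NAME_TYPE_GUID                = 7   # {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}
$ADS_NAME_TYPE_USER_PRINCIPAL_NAME = 9   # philippfoeckeler@selfadsi.org

function Get-AdsNameType {
    # Guess the input format from the shape of the name so the caller need not know it.
    param([Parameter(Mandatory)][string]$Name)
    switch -Regex ($Name) {
        '^\{?[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?$' { return $ADS_NAME_TYPE_GUID }
        '^(CN|OU|DC)='                                      { return $ADS_NAME_TYPE_1779 }
        '^[^\\/@]+\\[^\\/@]+$'                              { return $ADS_NAME_TYPE_NT4 }
        '^[^\\/@]+@[^\\/@]+$'                               { return $ADS_NAME_TYPE_USER_PRINCIPAL_NAME }
        '^[^/]+\.[^/]+/'                                    { return $ADS_NAME_TYPE_CANONICAL }
        default                                             { return $ADS_NAME_TYPE_DISPLAY }
    }
}

function ConvertTo-AdsName {
    # Translate $Name (in $InputType format) into $OutputType format via IADsNameTranslate.
    # Throws a COM exception if the name cannot be resolved in the forest.
    param(
        [Parameter(Mandatory)][string]$Name,
        [int]$OutputType = $ADS_NAME_TYPE_1779,
        [int]$InputType
    )
    if (-not $PSBoundParameters.ContainsKey('InputType')) {
        $InputType = Get-AdsNameType -Name $Name
    }
    $nto = New-Object -ComObject NameTranslate
    # Init against the global catalog: the GC holds every object in the forest, so a
    # name from any domain resolves. The second argument is unused for GC init.
    [void]$nto.GetType().InvokeMember('Init', 'InvokeMethod', $null, $nto, @($ADS_NAME_INITTYPE_GC, ''))
    [void]$nto.GetType().InvokeMember('Set',  'InvokeMethod', $null, $nto, @($InputType, $Name))
    return [string]$nto.GetType().InvokeMember('Get', 'InvokeMethod', $null, $nto, @($OutputType))
}

# Usage (placeholders taken from the page):
$dn = ConvertTo-AdsName -Name 'SELFADSI\philippfoeckeler'        # NT4 name -> DN
$dn = ConvertTo-AdsName -Name 'philippfoeckeler@selfadsi.org'    # UPN      -> DN
$user = [ADSI]"LDAP://$dn"                                       # bind to the object
$user.logonCount
# The reverse direction works the same way:
ConvertTo-AdsName -Name $dn -OutputType $ADS_NAME_TYPE_CANONICAL
```

Two practical caveats: a failed lookup is reported as an exception from the Set or Get call, so wrap the call in try/catch if the name comes from user input; and a distinguished name that itself contains a forward slash (legal in a CN) must have that slash escaped as "\/" before it is placed into an "LDAP://..." ADsPath, otherwise the binder reads it as a path separator.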
Name translation when you are not logged on to the forest
The IADsNameTranslate interface is very convenient, but it has one drawback: it only works if the script runs on a machine where you are logged on as a user of the forest in question, because it binds with the credentials of the logged-on user. We can, however, also determine the LDAP path remotely and with explicit credentials by using an LDAP search operation (via ADO). The procedure is considerably more involved:
logonName = "philippfoeckeler" 'insert the sAMAccountName of the user in question here
searchDN = "DC=selfadsi,DC=de" 'insert the DN of the domain (the search base) here
serverName = "192.168.0.66" 'insert your own DC's name or address; prefer the DC's FQDN, since an IP address prevents Kerberos and forces an NTLM bind
userName = InputBox("Enter user name","Credentials") 'you could also just use a static username instead, like "EXAMPLE\userXYZ"
password = InputBox("Enter password","Credentials") 'you could also just use a static password instead, like "P@ssw0rd" (but do not leave real credentials in a script file)
ldapFilter = "(samAccountName=" & logonName & ")" 'you could also search for a UPN here: "(userPrincipalName=" & logonName & ")"
'NOTE: logonName is concatenated into the filter unescaped. If it can come from untrusted input, the characters \ * ( ) and NUL must first be replaced by \5c \2a \28 \29 \00 (RFC 4515), otherwise the search can be widened or redirected.
Set ado = CreateObject("ADODB.Connection")
ado.Provider = "ADSDSOObject"
ado.Properties("User ID") = userName
ado.Properties("Password") = password
ado.Properties("Encrypt Password") = True 'request a secure (SSPI) bind instead of a simple bind, which would send the password in clear text
ado.Open "ADSearch"
Set objectList = ado.Execute("<LDAP://" & serverName & "/" & searchDN & ">;" & ldapFilter & _
";distinguishedName,samAccountName,displayname,userPrincipalName;subtree")
While Not objectList.EOF
userDN = objectList.Fields("distinguishedName")
logonName = objectList.Fields("samAccountName")
On Error Resume Next 'displayName and userPrincipalName may be unset; reading an empty field raises an error
displayName = "" : displayName = objectList.Fields("displayname")
logonNameUPN = "" : logonNameUPN = objectList.Fields("userPrincipalName")
On Error Goto 0
WScript.Echo logonName & " " & logonNameUPN & " " & displayName & " " & userDN
objectList.MoveNext 'without this the loop never reaches EOF
Wend
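The same remote lookup, written in PowerShell with System.DirectoryServices instead of ADO, as an added example that is not part of the original page. It shows the two things the ADO script leaves to the reader: the filter value is escaped according to RFC 4515 before it is interpolated, so a logon name such as `*)(objectClass=*` cannot widen the query, and the bind requests signing and sealing so that the search traffic, not only the bind itself, is protected. The server name, search base and credential are placeholders passed in by the caller; the `-Credential` object is assumed to hold an account that is allowed to read the directory.

```powershell
# Added example (not from the original page). Assumes network reach to a domain
# controller and an account permitted to search the directory.

function ConvertTo-LdapFilterValue {
    # Escape the characters RFC 4515 reserves inside a filter assertion value.
    # The backslash must be handled first so the escapes themselves are not re-escaped.
    param([Parameter(Mandatory)][string]$Value)
    return $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

function Get-FirstValue {
    # Optional attributes come back as an empty collection; return $null instead of indexing it.
    param($Properties, [string]$Name)
    if ($Properties[$Name].Count -gt 0) { return [string]$Properties[$Name][0] }
    return $null
}

function Find-AdUserDn {
    param(
        [Parameter(Mandatory)][string]$LogonName,        # sAMAccountName or UPN
        [Parameter(Mandatory)][string]$Server,           # DC FQDN, e.g. dc1.selfadsi.org (placeholder)
        [Parameter(Mandatory)][string]$SearchBase,       # e.g. DC=selfadsi,DC=de (placeholder)
        [Parameter(Mandatory)][pscredential]$Credential  # account used for the bind (placeholder)
    )
    $v = ConvertTo-LdapFilterValue -Value $LogonName
    # Match either naming attribute in one round trip; restrict to user objects.
    $filter = "(&(objectCategory=person)(objectClass=user)(|(sAMAccountName=$v)(userPrincipalName=$v)))"

    # Secure = SSPI bind (Kerberos when $Server is an FQDN with a matching SPN, NTLM otherwise).
    # Signing and Sealing protect the LDAP traffic itself; a secure bind alone does not.
    $auth = [System.DirectoryServices.AuthenticationTypes]'Secure,Signing,Sealing'
    $root = New-Object System.DirectoryServices.DirectoryEntry -ArgumentList @(
        "LDAP://$Server/$SearchBase",
        $Credential.UserName,
        $Credential.GetNetworkCredential().Password,
        $auth)
    $searcher = $null
    $results  = $null
    try {
        $attrs = [string[]]@('distinguishedName', 'sAMAccountName', 'displayName', 'userPrincipalName')
        $searcher = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList @($root, $filter, $attrs)
        $searcher.SearchScope = 'Subtree'
        $results = $searcher.FindAll()
        foreach ($r in $results) {
            [pscustomobject]@{
                sAMAccountName    = Get-FirstValue $r.Properties 'samaccountname'
                userPrincipalName = Get-FirstValue $r.Properties 'userprincipalname'
                displayName       = Get-FirstValue $r.Properties 'displayname'
                distinguishedName = Get-FirstValue $r.Properties 'distinguishedname'
            }
        }
    }
    finally {
        if ($results)  { $results.Dispose() }
        if ($searcher) { $searcher.Dispose() }
        $root.Dispose()
    }
}

# Usage (placeholders; the credential is prompted for rather than stored in the script):
$cred = Get-Credential -Message 'Account used to search the directory'
Find-AdUserDn -LogonName 'philippfoeckeler' -Server 'dc1.selfadsi.org' -SearchBase 'DC=selfadsi,DC=de' -Credential $cred
```

The escaping function is the part worth keeping even if you stay with the ADO script: with the raw concatenation on the page, a logon name of `*` matches every user in the search base, and a name ending in `)` followed by further filter syntax changes the shape of the query. Passing an IP address instead of the DC's FQDN still works, but the SSPI bind then falls back to NTLM because there is no SPN to request a Kerberos ticket for.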