
Name Translation : How to detect the LDAP path of a user


... if you know only the user's logon name. Or: how can I determine the full distinguished name (DN) of a user or group?

In this scenario the name could be a conventional NT logon name (the so-called sAMAccountName or NetBIOS name, for example SELFADSI\philippfoeckeler), or it could be a modern user principal name (UPN, for example philippfoeckeler@selfadsi.org).

A convenient method for these cases is offered by the IADsNameTranslate interface: the names of objects in Active Directory domains can be converted from one format into another. Not only logon names, as in our case, but also display names, GUID strings, or canonical names (e.g. selfadsi.org/Users/Philipp Foeckeler). This works not only with users but also with groups, contacts, computer accounts and other objects.

IADsNameTranslate reference in the MSDN


The primary format we want to obtain from the IADsNameTranslate conversion is the LDAP path name (distinguished name), because that is what we need in order to bind to an Active Directory object. In the jargon of the IADsNameTranslate interface this LDAP DN is also called the "1779 name", because RFC 1779 is where distinguished names were originally described.


Access a user whose NT logon name is known


This script finds the LDAP path (= distinguished name) of an Active Directory user account by its NT logon name:

logonName = "SELFADSI\philippfoeckeler"    'insert the name of the regarding user here

Const ADS_NAME_INITTYPE_GC = 3
Const ADS_NAME_TYPE_NT4 = 3
Const ADS_NAME_TYPE_1779 = 1

Set nto = CreateObject("NameTranslate")    'initialize name translate object and convert the name
nto.Init ADS_NAME_INITTYPE_GC, ""
nto.Set ADS_NAME_TYPE_NT4, logonName
userDN = nto.Get(ADS_NAME_TYPE_1779)

'userDN contains the complete LDAP path now...
WScript.Echo userDN

Set user = GetObject("LDAP://" & userDN)    '...this path can be used to access the object
WScript.Echo user.logonCount
If you don't know the NetBIOS name of your own domain, then this SelfADSI article can help you: 'How to detect the Name of the own Active Directory Domain'.


Access a user whose UPN (User Principal Name) name is known


This script finds the LDAP path (= distinguished name) of an Active Directory user account by its User Principal Name:

logonName = "philippfoeckeler@selfadsi.org"    'insert the UPN of the regarding user here

Const ADS_NAME_INITTYPE_GC = 3
Const ADS_NAME_TYPE_USER_PRINCIPAL_NAME = 9
Const ADS_NAME_TYPE_1779 = 1

Set nto = CreateObject("NameTranslate")    'initialize name translate object and convert the name
nto.Init ADS_NAME_INITTYPE_GC, ""
nto.Set ADS_NAME_TYPE_USER_PRINCIPAL_NAME, logonName    'the input format is a UPN here, not an NT4 name
userDN = nto.Get(ADS_NAME_TYPE_1779)

'userDN contains the complete LDAP path now...
WScript.Echo userDN

Set user = GetObject("LDAP://" & userDN)    '...this path can be used to access the object
WScript.Echo user.logonCount

Name Translation when you are not logged in at the regarding forest


The IADsNameTranslate interface is very convenient, but it has one drawback: it works only if the script runs on a machine where you are logged on to the AD forest in question. However, we can also determine the LDAP path remotely, using an LDAP search operation (via ADO). The procedure is considerably more complex:

logonName = "philippfoeckeler"        'insert the name of the regarding user here
searchDN = "DC=selfadsi,DC=de"        'insert the domain DN here
serverName = "192.168.0.66"           'insert your DC's name or address

userName = InputBox("Enter user name", "Credentials")    'you could also just use a static username instead, like "EXAMPLE\userXYZ"
password = InputBox("Enter password", "Credentials")     'you could also just use a static password instead, like "P@ssw0rd"

ldapFilter = "(samAccountName=" & logonName & ")"    'you could also search for an UPN here...

'open an ADO connection through the ADSI OLE DB provider with the given credentials
Set ado = CreateObject("ADODB.Connection")
ado.Provider = "ADSDSOObject"
ado.Properties("User ID") = userName
ado.Properties("Password") = password
ado.Properties("Encrypt Password") = True
ado.Open "ADSearch"

'command string: <LDAP://server/base DN>;filter;attribute list;scope
Set objectList = ado.Execute("<LDAP://" & serverName & "/" & searchDN & ">;" & ldapFilter & _
    ";distinguishedName,samAccountName,displayname,userPrincipalName;subtree")

While Not objectList.EOF
    userDN = objectList.Fields("distinguishedName")
    logonName = objectList.Fields("samAccountName")

    'displayName and userPrincipalName may be empty, so ignore the resulting errors
    On Error Resume Next
    displayName = "" : displayName = objectList.Fields("displayname")
    logonNameUPN = "" : logonNameUPN = objectList.Fields("userPrincipalName")
    On Error Goto 0

    WScript.Echo logonName & " " & logonNameUPN & " " & displayName & " " & userDN
    objectList.MoveNext
Wend
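The ADO script above builds its LDAP filter by concatenating the logon name into the filter string. That is fine for a constant, but as soon as the name comes from user input (an InputBox, a web form, a ticket), RFC 4515 requires the characters `*`, `(`, `)`, `\` and NUL to be written as a backslash followed by two hex digits, otherwise a name containing them changes the meaning of the filter (a lone `*`, for example, matches every account rather than none). The following Python code is an added example, not part of the SelfADSI page and not the page's VBScript; it shows the unescaped filter beside the escaped form, and a helper that assembles the four-part ADSDSOObject command string the script passes to `ado.Execute`. The function names (`escape_ldap_filter_value`, `naive_account_filter`, `build_account_filter`, `build_ado_command`) are my own; the same logic ports to VBScript with a handful of `Replace` calls.

```python
# Added example (not from the SelfADSI page): escaping a value before it is
# placed into an LDAP search filter, following RFC 4515 section 3.

# Bytes that RFC 4515 requires to be escaped inside an assertion value.
_MUST_ESCAPE = {0x2A, 0x28, 0x29, 0x5C, 0x00}   # * ( ) \ NUL


def escape_ldap_filter_value(value: str) -> str:
    """Return `value` encoded for use inside an LDAP filter assertion.

    Each required character becomes '\\' + two lowercase hex digits.  Every
    non-ASCII byte of the UTF-8 encoding is escaped the same way, which keeps
    the resulting filter pure ASCII and unambiguous on the wire.
    """
    out = []
    for byte in value.encode("utf-8"):
        if byte in _MUST_ESCAPE or byte > 0x7F:
            out.append("\\%02x" % byte)
        else:
            out.append(chr(byte))
    return "".join(out)


def naive_account_filter(logon_name: str) -> str:
    """The filter exactly as the VBScript builds it: plain concatenation.

    Safe for a hard-coded name, but a value such as '*' turns it into a
    filter that matches every account in the search base.
    """
    return "(samAccountName=%s)" % logon_name


def build_account_filter(logon_name: str) -> str:
    """Hardened form: the name is escaped, so it is always matched literally.

    Looks the account up by sAMAccountName or by UPN, as the page suggests.
    """
    safe = escape_ldap_filter_value(logon_name)
    return "(|(sAMAccountName=%s)(userPrincipalName=%s))" % (safe, safe)


def build_ado_command(server: str, search_dn: str, ldap_filter: str,
                      attributes=("distinguishedName", "sAMAccountName",
                                  "displayName", "userPrincipalName"),
                      scope: str = "subtree") -> str:
    """Assemble the ADSDSOObject command string used by ADO.Execute:

        <LDAP://server/base DN>;filter;attribute list;scope
    """
    return "<LDAP://%s/%s>;%s;%s;%s" % (
        server, search_dn, ldap_filter, ",".join(attributes), scope)


if __name__ == "__main__":
    # Constructed sample inputs: the page's own user plus a name that contains
    # filter metacharacters and a non-ASCII character.
    for name in ("philippfoeckeler", "*", "Föckeler (Philipp)"):
        print("input:   ", name)
        print("naive:   ", naive_account_filter(name))
        print("escaped: ", build_account_filter(name))
    print(build_ado_command("192.168.0.66", "DC=selfadsi,DC=de",
                            build_account_filter("philippfoeckeler")))
```

The escaped filter is what you want to log as well: it is unambiguous, so a detection rule looking for unexpected wildcards or parentheses in account lookups can be written against it without false positives from legitimate names.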