How to use LDAP to AD from domain PC logged in as local administrator

  • Question

  • I have a program which utilizes LDAP to enumerate users on our domain and do some fun stuff with them. This C# program works fine as long as you are logged into the PC as a domain user. If you are logged in as administrator of the local machine (which is really what we want), it errors out. The code is shown below. The error received is "Logon failure: unknown user name or bad password". Obviously it's not doing something right, because the credentials are correct and, as I said, it works fine otherwise. Can anyone help guide me in the right direction here? I cannot simply solve this by logging in as a domain account each time I want to run. Any help is appreciated.

    string userName = "Administrator";
    string passWord = "password";

    DirectoryEntry usr = new DirectoryEntry("LDAP://DC1.domain.com/dc=domain, dc=COM", userName, passWord, AuthenticationTypes.ServerBind);
    DirectorySearcher searcher = new DirectorySearcher(usr);

    //Line of code below results in usernames
    searcher.Filter = "(&(objectCategory=person) (objectClass=user) (sAMAccountName=*))";
    searcher.CacheResults = false;

    Tuesday, July 12, 2011 7:27 PM

Answers

  • I have done what you are attempting to do while logged in locally to a PC, even as a normal user (not local Administrator). I use alternate credentials in a VBScript program, which looks very similar to your code using DirectoryEntry, using domain user credentials:

    1. I specify the domain user in the form "MyDomain\DomainUser" (it need not be Administrator). It can also be the DN of the user.
    2. I specify the password of the domain user.
    3. I specify ADS_SECURE_AUTHENTICATION as a flag in the OpenDSObject method, which has the value &H1.
    4. Sometimes I need to also specify a DC, in which case I also specify ADS_SERVER_BIND (which has value &H200, which is decimal 512). The two together are

    ADS_SECURE_AUTHENTICATION Or ADS_SERVER_BIND

    which is 513. In general, my VBScript code is similar to below:

    Option Explicit

    Dim strUser, strPassword, strDN, objNS, objUser

    Const ADS_SECURE_AUTHENTICATION = &H1
    Const ADS_USE_ENCRYPTION = &H2
    Const ADS_NO_AUTHENTICATION = &H10
    Const ADS_USE_DELEGATION = &H100
    Const ADS_SERVER_BIND = &H200

    ' Specify credentials (you can use either format for username).
    strUser = "cn=Jim Smith,ou=West,dc=MyDomain,dc=com"
    strUser = "MyDomain\JSmith"
    strPassword = "xYZ$123q!"

    ' Specify object to bind to.
    strDN = "dc=MyDomain,dc=com"

    ' Bind with alternate credentials.
    Set objNS = GetObject("LDAP:")
    Set objUser = objNS.OpenDSObject("LDAP://" & strDN, strUser, strPassword, _
        ADS_SECURE_AUTHENTICATION)


    This link shows how I use alternate credentials with ADO in VBScript:

    http://www.rlmueller.net/ADOAltCredentials.htm

    Small detail, but your filter doesn't need the last clause, (sAMAccountName=*), since all user objects must have a value for sAMAccountName.

    Richard Mueller - MVP Directory Services
    Tuesday, July 12, 2011 10:32 PM
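Richard's VBScript bind translated back into the question's C#, as an added example that is not code from anyone in this thread: a domain-qualified user, `AuthenticationTypes.Secure | ServerBind` (the C# equivalent of `ADS_SECURE_AUTHENTICATION Or ADS_SERVER_BIND`), the bind forced up front so a credential error is caught where it happens, and the filter without the redundant `(sAMAccountName=*)` clause. `MyDomain\JSmith`, the password and `DC1.domain.com` are placeholders.

```csharp
using System;
using System.DirectoryServices;
using System.Runtime.InteropServices;

// Added example, not code from the thread. Account, password and DC name are placeholders.
class AltCredLdapSearch
{
    static void Main()
    {
        // Domain-qualified account. A bare "Administrator" is resolved against the local
        // workstation's SAM, which the DC cannot validate: hence "unknown user name or bad password".
        string userName = @"MyDomain\JSmith";   // placeholder; the user's DN also works
        string passWord = "xYZ$123q!";           // placeholder; prompt for it rather than hard-coding

        // Secure | ServerBind is the C# spelling of ADS_SECURE_AUTHENTICATION Or ADS_SERVER_BIND (513).
        AuthenticationTypes authType = AuthenticationTypes.Secure | AuthenticationTypes.ServerBind;

        using (DirectoryEntry root = new DirectoryEntry(
                   "LDAP://DC1.domain.com/dc=domain,dc=com", userName, passWord, authType))
        {
            try
            {
                // Touching NativeObject forces the bind now, so a credential problem
                // surfaces here instead of part-way through the search.
                object bound = root.NativeObject;
            }
            catch (COMException ex)
            {
                // 0x8007052E is ERROR_LOGON_FAILURE, the error text quoted in the question.
                Console.Error.WriteLine("Bind failed: 0x{0:X8} {1}", ex.ErrorCode, ex.Message);
                return;
            }

            using (DirectorySearcher searcher = new DirectorySearcher(root))
            {
                // (sAMAccountName=*) dropped: every user object carries one, so it filters nothing.
                searcher.Filter = "(&(objectCategory=person)(objectClass=user))";
                searcher.PageSize = 1000;                    // paged results past the 1000-entry limit
                searcher.PropertiesToLoad.Add("sAMAccountName");
                searcher.CacheResults = false;
                using (SearchResultCollection results = searcher.FindAll())
                {
                    foreach (SearchResult r in results)
                        Console.WriteLine(r.Properties["sAMAccountName"][0]);
                }
            }
        }
    }
}
```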

All replies

  • I would think that you need to specify the domain in your user name

    string userName = @"<domain>\Administrator";

    You likely have a local user named "Administrator" and it's getting confused on which one you are using. You definitely need to be at a minimum a domain user to read AD.

    Tuesday, July 12, 2011 7:34 PM
  • Hi,

    In addition to FlackMonkey's advice, note that this is not a C# forum but rather a scripting forum.

    Bill

    Tuesday, July 12, 2011 9:14 PM
  • Logging into the local computer does absolutely nothing to authenticate you to your domain controllers.

    The only information they're going to give you is whatever you've allowed anonymous access to. If you absolutely have to be able to run that query without logging onto the domain, you're going to have to change your domain security to allow anonymous access to the information you're trying to retrieve.

    You'll need to weigh the need to run this without a domain logon against the wisdom of allowing an anonymous connection to enumerate all the users in your domain and "do fun stuff with them".

    Tuesday, July 12, 2011 9:44 PM
  • Thanks to all of you for responding so quickly.  I wanted to first say that I have already tried the username with DOMAIN\UserName and this still throws the same error.  Any other suggestions for my LDAP string?  Is there another property I need to set for it to work correctly?
    Wednesday, July 13, 2011 3:16 PM
  • Hi,

    Try the last VBScript script Richard posted. Does it work? If not, please post the exact error message.

    Bill

    Wednesday, July 13, 2011 3:26 PM
  • Are you sure the problem is the LDAP string?  From the description of the problem, it sounds like it could also be caused by group policy settings that are getting applied when you do a domain logon, but don't get applied if you do a local logon.

    Wednesday, July 13, 2011 9:28 PM
  • By default you cannot authenticate on AD with local accounts unless access has been granted. It is the same as connecting from a non-domain PC. AD is secured by default.

    Grant anonymous access or explicitly grant the local account access and you can query AD.

    jv
    Wednesday, July 13, 2011 9:52 PM