C# AD Scripting

Bob · 28-03-2008

Hi All,

I'm getting some error messages, while trying to pull back a list of users
from our AD - I'm guessing it's a security issue (because it works correctly
when running as domain admin, so hoping someone can point me in the right
direction.

The code :
DirectoryEntry objDirEntry = new
DirectoryEntry("LDAP://domain/OU=Users,OU=MyOU,DC=domain,DC=local");
DirectorySearcher objSearch = new DirectorySearcher(objDirEntry);
objSearch.Filter = "(&(mailnickname=*)(objectClass=user))";

try
{
SearchResultCollection results = objSearch.FindAll();
}
catch (Exception e)
{
textBoxErr.Text = e.Message.ToString();
}

For some users, will produce the error :

The specified directory service attribute or value does not exist.

and for some users, the even stranger :

Logon failure: unknown user name or bad password.

Even though the users' account is enabled and working fine for everything
else.

The users are members of the same groups, so I can't see why the error would
be different.

What are minimum security requirements I need to set on the OU to allow
users to list all the users?

What are minimum security requirements I need to set on the OU to allow some
users to update the user details?

Joe Kaplan · 28-03-2008

Where is this code running? What is the whole stack trace of the exception
(e.ToString() instead of e.Message.ToString()).

My guess is that the error is more related to authentication than to the
permissions of individual users.

Also, is AD in this case 2000 or 2003 and what FF levels?

Thanks!

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Bob" <Bob@bobsyouruncle.com> wrote in message
news:OQZMhPFkIHA.4940@TK2MSFTNGP02.phx.gbl...
> Hi All,
>
> I'm getting some error messages, while trying to pull back a list of users
> from our AD - I'm guessing it's a security issue (because it works
> correctly when running as domain admin, so hoping someone can point me in
> the right direction.
>
> The code :
> DirectoryEntry objDirEntry = new
> DirectoryEntry("LDAP://domain/OU=Users,OU=MyOU,DC=domain,DC=local");
> DirectorySearcher objSearch = new DirectorySearcher(objDirEntry);
> objSearch.Filter = "(&(mailnickname=*)(objectClass=user))";
>
> try
> {
> SearchResultCollection results = objSearch.FindAll();
> }
> catch (Exception e)
> {
> textBoxErr.Text = e.Message.ToString();
> }
>
>
>
> For some users, will produce the error :
>
> The specified directory service attribute or value does not exist.
>
> and for some users, the even stranger :
>
> Logon failure: unknown user name or bad password.
>
> Even though the users' account is enabled and working fine for everything
> else.
>
> The users are members of the same groups, so I can't see why the error
> would be different.
>
> What are minimum security requirements I need to set on the OU to allow
> users to list all the users?
>
> What are minimum security requirements I need to set on the OU to allow
> some users to update the user details?
>
>

Bob · 28-03-2008

The code is running on a Vista machine that is part of the domain.

Stack trace:
System.Runtime.InteropServices.COMException (0x8007200A): The specified
directory service attribute or value does not exist.

at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
at System.DirectoryServices.DirectoryEntry.Bind()
at System.DirectoryServices.DirectoryEntry.get_AdsObject()
at System.DirectoryServices.DirectorySearcher.FindAll(Boolean
findMoreThanOne)
at System.DirectoryServices.DirectorySearcher.FindAll()
at ActiveDirectoryUpdate.Form1.FindUsers() in
C:\Projects\ADtest\ADtest\Form1.cs:line 48

OR

System.Runtime.InteropServices.COMException (0x8007052E): Logon failure:
unknown user name or bad password.

at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
at System.DirectoryServices.DirectoryEntry.Bind()
at System.DirectoryServices.DirectoryEntry.get_AdsObject()
at System.DirectoryServices.DirectorySearcher.FindAll(Boolean
findMoreThanOne)
at System.DirectoryServices.DirectorySearcher.FindAll()
at ActiveDirectoryUpdate.Form1.FindUsers() in
C:\Projects\ADtest\ADtest\Form1.cs:line 48

It's a 2003 AD. What do you mean by FF levels?

"Joe Kaplan" <joseph.e.kaplan@removethis.accenture.com> wrote in message
news:eiyu34FkIHA.6032@TK2MSFTNGP03.phx.gbl...
> Where is this code running? What is the whole stack trace of the
> exception (e.ToString() instead of e.Message.ToString()).
>
> My guess is that the error is more related to authentication than to the
> permissions of individual users.
>
> Also, is AD in this case 2000 or 2003 and what FF levels?
>
> Thanks!
>
> --
> Joe Kaplan-MS MVP Directory Services Programming
> Co-author of "The .NET Developer's Guide to Directory Services
> Programming"
> http://www.directoryprogramming.net
> --
> "Bob" <Bob@bobsyouruncle.com> wrote in message
> news:OQZMhPFkIHA.4940@TK2MSFTNGP02.phx.gbl...
>> Hi All,
>>
>> I'm getting some error messages, while trying to pull back a list of
>> users from our AD - I'm guessing it's a security issue (because it works
>> correctly when running as domain admin, so hoping someone can point me in
>> the right direction.
>>
>> The code :
>> DirectoryEntry objDirEntry = new
>> DirectoryEntry("LDAP://domain/OU=Users,OU=MyOU,DC=domain,DC=local");
>> DirectorySearcher objSearch = new DirectorySearcher(objDirEntry);
>> objSearch.Filter = "(&(mailnickname=*)(objectClass=user))";
>>
>> try
>> {
>> SearchResultCollection results = objSearch.FindAll();
>> }
>> catch (Exception e)
>> {
>> textBoxErr.Text = e.Message.ToString();
>> }
>>
>>
>>
>> For some users, will produce the error :
>>
>> The specified directory service attribute or value does not exist.
>>
>> and for some users, the even stranger :
>>
>> Logon failure: unknown user name or bad password.
>>
>> Even though the users' account is enabled and working fine for everything
>> else.
>>
>> The users are members of the same groups, so I can't see why the error
>> would be different.
>>
>> What are minimum security requirements I need to set on the OU to allow
>> users to list all the users?
>>
>> What are minimum security requirements I need to set on the OU to allow
>> some users to update the user details?
>>
>>
>
>

Joe Kaplan · 28-03-2008

By FF, I meant forest functional level. I just wanted to know if were in
any sort of mixed mode. I doubt it would matter.

It does look like the issue could be security, although the errors you are
getting are a little strange. You don't usually get an "unknown user or bad
pwd" error unless you actually supply credentials in your DirectoryEntry
constructor but your code didn't show that. When you don't supply
credentials, ADSI binds as the currently logged on user and that
authentication should succeed if the logged on user is a domain user.

The other error is more obscure but might be related to a failure of ADSI to
read the objectClass attribute of the search root object during the bind
which could be some sort of security issue. Perhaps your AD permissions are
very locked down and by default authenticated users or domain users don't
have read permissions on the root object you are using.

You might consider trying to just search at the domain root level instead of
at a lower OU level in case that helps. You might also try changing your
DirectoryEntry constructor to use (path, null, null,
AuthenticationTypes.Secure | AuthenticationTypes.FastBind) to see if that
makes the 0x8007200A error go away. If you do get it to go away, it may be
the case that the lower privileged users don't actually have permissions to
view any objects, so they may not return any search results.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Bob" <Bob@bobsyouruncle.com> wrote in message
news:%23Mu9GIGkIHA.2396@TK2MSFTNGP05.phx.gbl...
> The code is running on a Vista machine that is part of the domain.
>
> Stack trace:
> System.Runtime.InteropServices.COMException (0x8007200A): The specified
> directory service attribute or value does not exist.
>
> at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
> at System.DirectoryServices.DirectoryEntry.Bind()
> at System.DirectoryServices.DirectoryEntry.get_AdsObject()
> at System.DirectoryServices.DirectorySearcher.FindAll(Boolean
> findMoreThanOne)
> at System.DirectoryServices.DirectorySearcher.FindAll()
> at ActiveDirectoryUpdate.Form1.FindUsers() in
> C:\Projects\ADtest\ADtest\Form1.cs:line 48
>
> OR
>
> System.Runtime.InteropServices.COMException (0x8007052E): Logon failure:
> unknown user name or bad password.
>
> at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
> at System.DirectoryServices.DirectoryEntry.Bind()
> at System.DirectoryServices.DirectoryEntry.get_AdsObject()
> at System.DirectoryServices.DirectorySearcher.FindAll(Boolean
> findMoreThanOne)
> at System.DirectoryServices.DirectorySearcher.FindAll()
> at ActiveDirectoryUpdate.Form1.FindUsers() in
> C:\Projects\ADtest\ADtest\Form1.cs:line 48
>
> It's a 2003 AD. What do you mean by FF levels?
>
>
>
>
> "Joe Kaplan" <joseph.e.kaplan@removethis.accenture.com> wrote in message
> news:eiyu34FkIHA.6032@TK2MSFTNGP03.phx.gbl...
>> Where is this code running? What is the whole stack trace of the
>> exception (e.ToString() instead of e.Message.ToString()).
>>
>> My guess is that the error is more related to authentication than to the
>> permissions of individual users.
>>
>> Also, is AD in this case 2000 or 2003 and what FF levels?
>>
>> Thanks!
>>
>> --
>> Joe Kaplan-MS MVP Directory Services Programming
>> Co-author of "The .NET Developer's Guide to Directory Services
>> Programming"
>> http://www.directoryprogramming.net
>> --
>> "Bob" <Bob@bobsyouruncle.com> wrote in message
>> news:OQZMhPFkIHA.4940@TK2MSFTNGP02.phx.gbl...
>>> Hi All,
>>>
>>> I'm getting some error messages, while trying to pull back a list of
>>> users from our AD - I'm guessing it's a security issue (because it works
>>> correctly when running as domain admin, so hoping someone can point me
>>> in the right direction.
>>>
>>> The code :
>>> DirectoryEntry objDirEntry = new
>>> DirectoryEntry("LDAP://domain/OU=Users,OU=MyOU,DC=domain,DC=local");
>>> DirectorySearcher objSearch = new DirectorySearcher(objDirEntry);
>>> objSearch.Filter = "(&(mailnickname=*)(objectClass=user))";
>>>
>>> try
>>> {
>>> SearchResultCollection results = objSearch.FindAll();
>>> }
>>> catch (Exception e)
>>> {
>>> textBoxErr.Text = e.Message.ToString();
>>> }
>>>
>>>
>>>
>>> For some users, will produce the error :
>>>
>>> The specified directory service attribute or value does not exist.
>>>
>>> and for some users, the even stranger :
>>>
>>> Logon failure: unknown user name or bad password.
>>>
>>> Even though the users' account is enabled and working fine for
>>> everything else.
>>>
>>> The users are members of the same groups, so I can't see why the error
>>> would be different.
>>>
>>> What are minimum security requirements I need to set on the OU to allow
>>> users to list all the users?
>>>
>>> What are minimum security requirements I need to set on the OU to allow
>>> some users to update the user details?
>>>
>>>
>>
>>
>

Bob · 31-03-2008

Searching from a higher level sorted out the 0x8007200A error.

The Forrest Functional Level is Windows 2000.

I am still getting the "(0x8007052E): Logon failure: unknown user name or
bad password." for some users though.

I can't see anything wrong with the accounts, they don't have any problems
accessing other areas.

"Joe Kaplan" <joseph.e.kaplan@removethis.accenture.com> wrote in message
news:O%23%23UQ$HkIHA.4480@TK2MSFTNGP03.phx.gbl...
> By FF, I meant forest functional level. I just wanted to know if were in
> any sort of mixed mode. I doubt it would matter.
>
> It does look like the issue could be security, although the errors you are
> getting are a little strange. You don't usually get an "unknown user or
> bad pwd" error unless you actually supply credentials in your
> DirectoryEntry constructor but your code didn't show that. When you don't
> supply credentials, ADSI binds as the currently logged on user and that
> authentication should succeed if the logged on user is a domain user.
>
> The other error is more obscure but might be related to a failure of ADSI
> to read the objectClass attribute of the search root object during the
> bind which could be some sort of security issue. Perhaps your AD
> permissions are very locked down and by default authenticated users or
> domain users don't have read permissions on the root object you are using.
>
> You might consider trying to just search at the domain root level instead
> of at a lower OU level in case that helps. You might also try changing
> your DirectoryEntry constructor to use (path, null, null,
> AuthenticationTypes.Secure | AuthenticationTypes.FastBind) to see if that
> makes the 0x8007200A error go away. If you do get it to go away, it may
> be the case that the lower privileged users don't actually have
> permissions to view any objects, so they may not return any search
> results.
>
> Joe K.
>
> --
> Joe Kaplan-MS MVP Directory Services Programming
> Co-author of "The .NET Developer's Guide to Directory Services
> Programming"
> http://www.directoryprogramming.net
> --
> "Bob" <Bob@bobsyouruncle.com> wrote in message
> news:%23Mu9GIGkIHA.2396@TK2MSFTNGP05.phx.gbl...
>> The code is running on a Vista machine that is part of the domain.
>>
>> Stack trace:
>> System.Runtime.InteropServices.COMException (0x8007200A): The specified
>> directory service attribute or value does not exist.
>>
>> at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
>> at System.DirectoryServices.DirectoryEntry.Bind()
>> at System.DirectoryServices.DirectoryEntry.get_AdsObject()
>> at System.DirectoryServices.DirectorySearcher.FindAll(Boolean
>> findMoreThanOne)
>> at System.DirectoryServices.DirectorySearcher.FindAll()
>> at ActiveDirectoryUpdate.Form1.FindUsers() in
>> C:\Projects\ADtest\ADtest\Form1.cs:line 48
>>
>> OR
>>
>> System.Runtime.InteropServices.COMException (0x8007052E): Logon failure:
>> unknown user name or bad password.
>>
>> at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
>> at System.DirectoryServices.DirectoryEntry.Bind()
>> at System.DirectoryServices.DirectoryEntry.get_AdsObject()
>> at System.DirectoryServices.DirectorySearcher.FindAll(Boolean
>> findMoreThanOne)
>> at System.DirectoryServices.DirectorySearcher.FindAll()
>> at ActiveDirectoryUpdate.Form1.FindUsers() in
>> C:\Projects\ADtest\ADtest\Form1.cs:line 48
>>
>> It's a 2003 AD. What do you mean by FF levels?
>>
>>
>>
>>
>> "Joe Kaplan" <joseph.e.kaplan@removethis.accenture.com> wrote in message
>> news:eiyu34FkIHA.6032@TK2MSFTNGP03.phx.gbl...
>>> Where is this code running? What is the whole stack trace of the
>>> exception (e.ToString() instead of e.Message.ToString()).
>>>
>>> My guess is that the error is more related to authentication than to the
>>> permissions of individual users.
>>>
>>> Also, is AD in this case 2000 or 2003 and what FF levels?
>>>
>>> Thanks!
>>>
>>> --
>>> Joe Kaplan-MS MVP Directory Services Programming
>>> Co-author of "The .NET Developer's Guide to Directory Services
>>> Programming"
>>> http://www.directoryprogramming.net
>>> --
>>> "Bob" <Bob@bobsyouruncle.com> wrote in message
>>> news:OQZMhPFkIHA.4940@TK2MSFTNGP02.phx.gbl...
>>>> Hi All,
>>>>
>>>> I'm getting some error messages, while trying to pull back a list of
>>>> users from our AD - I'm guessing it's a security issue (because it
>>>> works correctly when running as domain admin, so hoping someone can
>>>> point me in the right direction.
>>>>
>>>> The code :
>>>> DirectoryEntry objDirEntry = new
>>>> DirectoryEntry("LDAP://domain/OU=Users,OU=MyOU,DC=domain,DC=local");
>>>> DirectorySearcher objSearch = new DirectorySearcher(objDirEntry);
>>>> objSearch.Filter = "(&(mailnickname=*)(objectClass=user))";
>>>>
>>>> try
>>>> {
>>>> SearchResultCollection results = objSearch.FindAll();
>>>> }
>>>> catch (Exception e)
>>>> {
>>>> textBoxErr.Text = e.Message.ToString();
>>>> }
>>>>
>>>>
>>>>
>>>> For some users, will produce the error :
>>>>
>>>> The specified directory service attribute or value does not exist.
>>>>
>>>> and for some users, the even stranger :
>>>>
>>>> Logon failure: unknown user name or bad password.
>>>>
>>>> Even though the users' account is enabled and working fine for
>>>> everything else.
>>>>
>>>> The users are members of the same groups, so I can't see why the error
>>>> would be different.
>>>>
>>>> What are minimum security requirements I need to set on the OU to allow
>>>> users to list all the users?
>>>>
>>>> What are minimum security requirements I need to set on the OU to allow
>>>> some users to update the user details?
>>>>
>>>>
>>>
>>>
>>
>
>

Joe Kaplan · 31-03-2008

I have no idea what could be causing the 0x8007052E errors if you are using
default credentials. However, I haven't used Win2K AD for a while now and
may not remember a picky detail here.

In general, if the current user running the code is logged in as a domain
user in the domain you are trying to access and you supply null for the
username and password, that authentication should work.

I would be interested to know if a VBScript that attempts to do something
similar like opening the domain root object via GetObject has the same
failure. It should as they both work basically the same way.

Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Bob" <Bob@bobsyouruncle.com> wrote in message
news:e3ps%23DrkIHA.5260@TK2MSFTNGP03.phx.gbl...
> Searching from a higher level sorted out the 0x8007200A error.
>
> The Forrest Functional Level is Windows 2000.
>
> I am still getting the "(0x8007052E): Logon failure: unknown user name or
> bad password." for some users though.
>
> I can't see anything wrong with the accounts, they don't have any problems
> accessing other areas.
>
>
>
>
> "Joe Kaplan" <joseph.e.kaplan@removethis.accenture.com> wrote in message
> news:O%23%23UQ$HkIHA.4480@TK2MSFTNGP03.phx.gbl...
>> By FF, I meant forest functional level. I just wanted to know if were in
>> any sort of mixed mode. I doubt it would matter.
>>
>> It does look like the issue could be security, although the errors you
>> are getting are a little strange. You don't usually get an "unknown user
>> or bad pwd" error unless you actually supply credentials in your
>> DirectoryEntry constructor but your code didn't show that. When you
>> don't supply credentials, ADSI binds as the currently logged on user and
>> that authentication should succeed if the logged on user is a domain
>> user.
>>
>> The other error is more obscure but might be related to a failure of ADSI
>> to read the objectClass attribute of the search root object during the
>> bind which could be some sort of security issue. Perhaps your AD
>> permissions are very locked down and by default authenticated users or
>> domain users don't have read permissions on the root object you are
>> using.
>>
>> You might consider trying to just search at the domain root level instead
>> of at a lower OU level in case that helps. You might also try changing
>> your DirectoryEntry constructor to use (path, null, null,
>> AuthenticationTypes.Secure | AuthenticationTypes.FastBind) to see if that
>> makes the 0x8007200A error go away. If you do get it to go away, it may
>> be the case that the lower privileged users don't actually have
>> permissions to view any objects, so they may not return any search
>> results.
>>
>> Joe K.
>>
>> --
>> Joe Kaplan-MS MVP Directory Services Programming
>> Co-author of "The .NET Developer's Guide to Directory Services
>> Programming"
>> http://www.directoryprogramming.net
>> --
>> "Bob" <Bob@bobsyouruncle.com> wrote in message
>> news:%23Mu9GIGkIHA.2396@TK2MSFTNGP05.phx.gbl...
>>> The code is running on a Vista machine that is part of the domain.
>>>
>>> Stack trace:
>>> System.Runtime.InteropServices.COMException (0x8007200A): The specified
>>> directory service attribute or value does not exist.
>>>
>>> at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
>>> at System.DirectoryServices.DirectoryEntry.Bind()
>>> at System.DirectoryServices.DirectoryEntry.get_AdsObject()
>>> at System.DirectoryServices.DirectorySearcher.FindAll(Boolean
>>> findMoreThanOne)
>>> at System.DirectoryServices.DirectorySearcher.FindAll()
>>> at ActiveDirectoryUpdate.Form1.FindUsers() in
>>> C:\Projects\ADtest\ADtest\Form1.cs:line 48
>>>
>>> OR
>>>
>>> System.Runtime.InteropServices.COMException (0x8007052E): Logon failure:
>>> unknown user name or bad password.
>>>
>>> at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
>>> at System.DirectoryServices.DirectoryEntry.Bind()
>>> at System.DirectoryServices.DirectoryEntry.get_AdsObject()
>>> at System.DirectoryServices.DirectorySearcher.FindAll(Boolean
>>> findMoreThanOne)
>>> at System.DirectoryServices.DirectorySearcher.FindAll()
>>> at ActiveDirectoryUpdate.Form1.FindUsers() in
>>> C:\Projects\ADtest\ADtest\Form1.cs:line 48
>>>
>>> It's a 2003 AD. What do you mean by FF levels?
>>>
>>>
>>>
>>>
>>> "Joe Kaplan" <joseph.e.kaplan@removethis.accenture.com> wrote in message
>>> news:eiyu34FkIHA.6032@TK2MSFTNGP03.phx.gbl...
>>>> Where is this code running? What is the whole stack trace of the
>>>> exception (e.ToString() instead of e.Message.ToString()).
>>>>
>>>> My guess is that the error is more related to authentication than to
>>>> the permissions of individual users.
>>>>
>>>> Also, is AD in this case 2000 or 2003 and what FF levels?
>>>>
>>>> Thanks!
>>>>
>>>> --
>>>> Joe Kaplan-MS MVP Directory Services Programming
>>>> Co-author of "The .NET Developer's Guide to Directory Services
>>>> Programming"
>>>> http://www.directoryprogramming.net
>>>> --
>>>> "Bob" <Bob@bobsyouruncle.com> wrote in message
>>>> news:OQZMhPFkIHA.4940@TK2MSFTNGP02.phx.gbl...
>>>>> Hi All,
>>>>>
>>>>> I'm getting some error messages, while trying to pull back a list of
>>>>> users from our AD - I'm guessing it's a security issue (because it
>>>>> works correctly when running as domain admin, so hoping someone can
>>>>> point me in the right direction.
>>>>>
>>>>> The code :
>>>>> DirectoryEntry objDirEntry = new
>>>>> DirectoryEntry("LDAP://domain/OU=Users,OU=MyOU,DC=domain,DC=local");
>>>>> DirectorySearcher objSearch = new DirectorySearcher(objDirEntry);
>>>>> objSearch.Filter = "(&(mailnickname=*)(objectClass=user))";
>>>>>
>>>>> try
>>>>> {
>>>>> SearchResultCollection results = objSearch.FindAll();
>>>>> }
>>>>> catch (Exception e)
>>>>> {
>>>>> textBoxErr.Text = e.Message.ToString();
>>>>> }
>>>>>
>>>>>
>>>>>
>>>>> For some users, will produce the error :
>>>>>
>>>>> The specified directory service attribute or value does not exist.
>>>>>
>>>>> and for some users, the even stranger :
>>>>>
>>>>> Logon failure: unknown user name or bad password.
>>>>>
>>>>> Even though the users' account is enabled and working fine for
>>>>> everything else.
>>>>>
>>>>> The users are members of the same groups, so I can't see why the error
>>>>> would be different.
>>>>>
>>>>> What are minimum security requirements I need to set on the OU to
>>>>> allow users to list all the users?
>>>>>
>>>>> What are minimum security requirements I need to set on the OU to
>>>>> allow some users to update the user details?
>>>>>
>>>>>
>>>>
>>>>
>>>
>>
>>
>