Discussion:
IADsADSystemInfo (get_ComputerName) returns "Access Denied" (0x80070005)
Benjamin Kalytta
2008-04-07 04:54:14 UTC
Hello there,

I'm trying to determine the Organization Unit of a given Computer.

I found an Interface that should be capable of doing this which is IADsADSystemInfo.

Creating an Instance works fine, but as soon as I call get_ComputerName the
result is always 80070005 (Access denied). I'm using Windows Vista as Client and
joined a Domain on a Windows 2003 Standard Server. Locally I'm an Administrator
and running this tool as "Administrator" (Run as...).

The code:

#include <windows.h>
#include <activeds.h>   // ADSystemInfo coclass and IADsADSystemInfo; link with activeds.lib and ole32.lib

int main()
{
    IADsADSystemInfo* pADsys = NULL;   // interface pointer filled in by CoCreateInstance

    CoInitialize(NULL);

    HRESULT hr = CoCreateInstance(__uuidof(ADSystemInfo), NULL,
        CLSCTX_INPROC_SERVER, __uuidof(IADsADSystemInfo), (void**) &pADsys);

    if (SUCCEEDED(hr)) {
        BSTR Computer = NULL;

        hr = pADsys->get_ComputerName(&Computer);   // returns 0x80070005 in my case
        if (SUCCEEDED(hr)) {
            // Do something here
            SysFreeString(Computer);
        } else {
            // Print Error code here (80070005 in my case)
        }
        // ...
        pADsys->Release();
    }

    CoUninitialize();
    return 0;
}

What am I doing wrong here? Is there something that I missed to initialize? This
example can be found in the Windows SDK help, for example in
ms-help://MS.MSDNQTR.v90.en/adsi/adsi/iadsadsysteminfo_property_methods.htm

Is it required to call CoInitializeSecurity in some way?

Regards,
Benjamin Kalytta
Richard Mueller [MVP]
2008-04-07 13:03:26 UTC
You must either be authenticated to the domain, or provide credentials, to
get information from IADsADSystemInfo. If you are logged in as the local
administrator an error is raised.
--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--
Benjamin Kalytta
2008-04-07 13:56:21 UTC
Hi Richard,

You said I must be authenticated to a domain. How do I do this? As you see in
the Microsoft example, they are using CoCreateInstance, not ADsOpenObject for
example, where I could provide credentials. I mean, IADsADSystemInfo is also a
read-only object.
If you are logged in as the local administrator an error is raised.
But why? I can call each NetXxx API like NetGetJoinInformation as local
administrator without being authenticated to a domain.

So there is NO way to find out in what OU a computer might be without providing
credentials?

Benjamin Kalytta
Joe Kaplan
2008-04-07 14:12:09 UTC
You could try the TranslateName API. I'm still not sure if you'll have
permissions to do what you want, but it is worth a shot. You can input the
plain computer account name and ask for the distinguishedName in return.

DsCrackNames will also allow you to do this type of thing and will allow you
to establish a connection with credentials if need be.

In general, you can't query AD unless you can authenticate to AD.

Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
Richard Mueller [MVP]
2008-04-07 15:12:35 UTC
When I use NameTranslate (in a script) while logged in locally an error is
raised when I run the Init method (whether I specify GC, Domain, or Server).
You could use the InitEx method and specify credentials.

Note that you do not need to be administrator in the domain. Any domain
account should be able to read AD, unless permissions have been denied.
--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--
Joe Kaplan
2008-04-07 16:20:49 UTC
I was actually talking about the TranslateName API function instead of the
IADsNameTranslate ADSI interface (which is a wrapper around DsCrackNames).
They happen to have similar names, so they are easily confused.

TranslateName may allow for some sort of conversion to be done when logged
in locally, although I don't know for sure. That was why I suggested he try
it to see. I'm not really hopeful it will work, but maybe it will in this
case.

Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
Gerry Hickman
2008-04-07 19:41:18 UTC
Hi,

Doesn't it also depend on the object permissions set on AD? As I
remember it, there was an "Anonymous" user defined in Windows 2000
server that would allow certain look-ups without authentication (e.g.
name and email address), but anything more powerful would require
authentication. They may have changed defaults in Win2003 and R2 to make
it more restrictive. In general, I don't see LocalAdmin as being very
useful when working with AD!
Gerry Hickman (London UK)
Joe Kaplan
2008-04-07 20:22:37 UTC
You are correct in that the default configuration of AD in 2003 does not
allow the anonymous user to perform searches at all. Doing so returns an
LDAP "operations error". Thus, if you accidentally bind to AD as anonymous
as a result of using a local machine user to run a script or something (and
did not specify plaintext credentials), you are likely now to just get an
error instead of seeing nothing due to having few if any permissions as was
the case in AD 2000.

It is possible to disable this new setting in 2003 AD, but most people
don't.

It is true that using non-domain accounts to do stuff in AD is usually not
helpful at all. :)

Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
Benjamin Kalytta
2008-04-07 20:17:42 UTC
Hi Joe,

TranslateName only works if I'm logged in with a domain user account, but even
then it won't return the requested information (OU) within the DN.

But now I instantiated an IDirectorySearch object, which also only requires Domain
Administrator credentials if I'm NOT logged in with a domain user account. I
think that's the best I can do for now.

An Anonymous look-up as described by Gerry Hickman of course would be very
helpful here since information requested isn't very secret.

Benjamin Kalytta
Joe Kaplan
2008-04-08 03:02:51 UTC
You don't need IDirectorySearch here. IADsNameTranslate or DsCrackNames
would work fine for what you need. You can always parse out the full DN to
discover what container the object is in if you need to.

However, it doesn't look like you can get the info you want without having a
domain account to query with.

Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
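Joe's suggestion above (take the distinguishedName that DsCrackNames or IADsNameTranslate returns and parse the container out of it) carried through, as an added example that is not code from the thread; the sample DN is constructed, and the function names are my own:

```cpp
// Added example (not from the thread): recover a computer's container and OU
// chain from its DN, splitting only on unescaped commas (RFC 4514 "\," and "\\").
#include <iostream>
#include <string>
#include <vector>
// Split a DN into RDNs; an escaped comma stays inside its value.
std::vector<std::string> splitDn(const std::string& dn) {
    std::vector<std::string> rdns;
    std::string cur;
    for (size_t i = 0; i < dn.size(); ++i) {
        char c = dn[i];
        if (c == '\\' && i + 1 < dn.size()) {       // keep the escape and the next char
            cur += c;
            cur += dn[++i];
        } else if (c == ',') {
            rdns.push_back(cur);
            cur.clear();
        } else if (!(c == ' ' && cur.empty())) {    // drop insignificant leading space
            cur += c;
        }
    }
    if (!cur.empty()) rdns.push_back(cur);
    return rdns;
}
// Parent container: the DN with its leading RDN removed.
std::string parentContainer(const std::string& dn) {
    std::vector<std::string> rdns = splitDn(dn);
    std::string out;
    for (size_t i = 1; i < rdns.size(); ++i)
        out += (out.empty() ? "" : ",") + rdns[i];
    return out;
}
// OU names from the nearest OU outward; empty when the object sits in a plain
// container such as CN=Computers rather than in an organizational unit.
std::vector<std::string> organizationalUnits(const std::string& dn) {
    std::vector<std::string> ous;
    for (const std::string& rdn : splitDn(dn))
        if (rdn.size() > 3 && (rdn.compare(0, 3, "OU=") == 0 || rdn.compare(0, 3, "ou=") == 0))
            ous.push_back(rdn.substr(3));
    return ous;
}
int main() {
    // Constructed sample DN; the CN carries an escaped comma on purpose.
    const std::string dn = "CN=PC\\, Lab 01,OU=Workstations,OU=Berlin,DC=corp,DC=example";
    std::cout << parentContainer(dn) << "\n";   // OU=Workstations,OU=Berlin,DC=corp,DC=example
    for (const std::string& ou : organizationalUnits(dn)) std::cout << ou << "\n";
    return 0;
}
```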
Benjamin Kalytta
2008-04-09 12:28:26 UTC
Hello again,

Everyone who is interested may test my tool, which I updated/created over the last days.

It is a simple network configuration tool which is capable of setting computer
name, changing workgroup-/domain membership including Organization Unit and IP
address configuration of any network connection.

http://www.kalytta.com/files/knetcfg.zip

Regards,
Benjamin Kalytta