Search code examples
windowswinapiactive-directoryldap

How to get the IADsGroup object for a group in the domain using ADsGetObject?

Short Version

How do i get the IADsGroup interface of the group STACKOVERFLOW\ITOps?

Long Version

I am trying to get ahold of the IADsGroup interface for a group in the domain using the ADsGetObject function.

The only information i have:

  • GroupName: e.g. ITOps
  • DomainName: e.g. STACKOVERFLOW

The function takes an LDAP path to an object:

HRESULT ADsGetObject(
  [in]  LPCWSTR lpszPathName,
  [in]  REFIID  riid,
  [out] VOID    **ppObject
);

The real difficulty is in coming up with the actual LDAP path for a group in the domain. For example:

  • LDAP://STACKOVERFLOW/ITOps fails ("An invalid dn syntax has been specified")
  • LDAP://CN=ITOps,DN=STACKOVERFLOW fails 0x80072020 ("An operations error occurred")
  • LDAP://CN=ITOps,DC=STACKOVERFLOW fails 0x8007202B ("A referral was returned from the server")

The question

Given:

  • a group name (e.g. "ITOps")
  • a domain name (e.g. "STACKOVERFLOW")

How do i get the IADsGroup interface of the group STACKOVERFLOW\ITOps?

Bonus Reading

Solution

  • There are several unique identifiers for objects in AD, and they can't all be used in the same way, which makes things a bit confusing.

    This is documentation you need for that path (which you already linked to): LDAP ADsPath

    That shows that the LDAP path should look like:

    LDAP://HostName[:PortNumber][/DistinguishedName]

    The HostName, PortNumber and DistinguishedName are all optional, depending on what you're trying to do. If you need to bind to a specific object - which is what you're trying to do - then the DistinguishedName is mandatory.

    The distinguished name is the distinguishedName attribute of the object, which is why Luke suggested that you use AD Explorer to browse to the object in your directory and inspect the value of the distinguishedName attribute. The DN is a concatenation of the common name (CN), each organizational unit (OU) and the domain DNS name (e.g. stackoverflow.com) split into each of its domain components (DC). That will look something like this:

    CN=ITOps,OU=Groups,DC=stackoverflow,DC=com

    The format STACKOVERFLOW\ITOps is the domain's short name (officially called the NetBIOS name), combined with the sAMAccountName attribute of the object. This format is often used for authenticating with user accounts, but cannot be used in an LDAP path.

    If you're hard coding this group into your code, then just look up the distinguishedName and use that. If you will be given the STACKOVERFLOW\ITOps format by the user and need to bind to it, then you can either:

    1. Use IADsNameTranslate to translate from ADS_NAME_TYPE_NT4 to ADS_NAME_TYPE_1779, or
    2. Perform a search on the domain using the search filter (sAMAccountName=ITOps). To perform an LDAP search in C++, see the documentation for IDirectorySearch. You still have to provide an LDAP path for the search, but you can just provide the domain DNS name (e.g. LDAP://stackoverflow.com). That allows you to specify which attributes it wants you to return, so you can tell it that you want the distinguishedName. Or if your purpose in binding to the object is to read some other attribute, then you can specify those attributes and read those attributes from the search result, and then you can skip the next step of binding directly to the object.

    It seems like you plan to use C++, but you didn't specifically say that. Are you using C++?