Binding to Objects via Authentication
Whenever we need to access the properties of an object in Active Directory, we bind to it using VBScript's GetObject function or the ADSI method IADsOpenDSObject::OpenDSObject. The circumstances in which each method should be used to access Active Directory are very clear-cut but deserve to be outlined here, as it will be important whenever you construct ASPs.
When to Use VBScript's GetObject Function
By default, many of the objects and properties within Active Directory can be read by any authenticated user of the forest. As an example, here is some code to connect to an Organizational Unit called Sales under the root of the domain. This code works under the WSH:
Set objSalesOU = GetObject("LDAP://ou=Sales,dc=mycorp,dc=com")
Wscript.Echo objSalesOU.Description
Here is the same script incorporated into an ASP:
<HTML>
<HEAD>
<TITLE>Binding to an existing Organizational Unit</TITLE>
</HEAD>
<BODY>
<%
  Set objSalesOU = GetObject("LDAP://ou=Sales,dc=mycorp,dc=com")
  Response.Write "The Sales OU description is: " & objSalesOU.Description
%>
</BODY>
</HTML>
This mechanism works perfectly when you wish to have read-only access to properties of objects that can be read without special privileges. Using GetObject is not appropriate in the following cases:
You want to write properties of an object.
The object you are attempting to bind to requires elevated privileges to access.
While it may make little sense, it is perfectly feasible to restrict read access ...
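For the two cases listed above where GetObject is not appropriate, a bind with explicit credentials through IADsOpenDSObject::OpenDSObject looks like the following under WSH. This is an added example, not code from the book: the account name MYCORP\ou-admin and the new description text are made up, and the script assumes it is run with cscript so that the password can be read from standard input rather than stored in the file.

```vbscript
Option Explicit

' Flag values from ADSI's ADS_AUTHENTICATION_ENUM
Const ADS_SECURE_AUTHENTICATION = &H1   ' negotiate Kerberos/NTLM instead of a clear-text simple bind
Const ADS_USE_SIGNING = &H40            ' integrity-protect the LDAP traffic
Const ADS_USE_SEALING = &H80            ' encrypt the LDAP traffic

Dim strPath, strUser, strPassword, objDSO, objSalesOU

strPath = "LDAP://ou=Sales,dc=mycorp,dc=com"
strUser = "MYCORP\ou-admin"             ' hypothetical account with write access to the OU

' Read the password at run time (cscript only; note that the input is echoed)
WScript.StdOut.Write "Password for " & strUser & ": "
strPassword = WScript.StdIn.ReadLine

' Get the LDAP namespace object, which exposes IADsOpenDSObject
Set objDSO = GetObject("LDAP:")

On Error Resume Next
Set objSalesOU = objDSO.OpenDSObject(strPath, strUser, strPassword, _
    ADS_SECURE_AUTHENTICATION Or ADS_USE_SIGNING Or ADS_USE_SEALING)
strPassword = ""                        ' do not keep the secret around longer than needed
If Err.Number <> 0 Then
    ' Bad credentials or insufficient rights end up here instead of an anonymous fallback
    WScript.Echo "Bind failed: 0x" & Hex(Err.Number) & " " & Err.Description
    WScript.Quit 1
End If

' Writing a property is one of the cases where a plain GetObject bind is not enough
objSalesOU.Put "description", "Sales department (constructed sample value)"
objSalesOU.SetInfo
If Err.Number <> 0 Then
    WScript.Echo "Write failed: 0x" & Hex(Err.Number) & " " & Err.Description
    WScript.Quit 1
End If
On Error GoTo 0

WScript.Echo "Description is now: " & objSalesOU.Get("description")
```

In an ASP the same OpenDSObject call applies, but the credentials would have to come from the page's own authentication step rather than from standard input.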