ADSI Linked Server: Why can I query AD in VBA, but not as a Linked Server?

active-directory sql-server-2012 linked-server adsi
13,038

This may happen if you use "Be made without using security context" option in the Security settings page of the Linked server. This results in making an anonymous LDAP call. These days (Server 2008 or later) anonymous LDAP operations are disallowed by default.

My tests show that "Be made using the login's security context" option makes the LDAP call under the credentials of which the SQL server service is running.

I may suggest using either "Be made using the login's security context", map local login to remote user or just enter default credentials (option 4 in the dialog):

enter image description here

In all cases I would suggest to use a dedicated AD User account for the Linked Server.

Please, note that you are querying sensitive attributes like userAccountControl. By default regular domain users cannot read this attribute i.e. your query may not return a full result set. You can overcome this by using dedicated AD account and grant it READ permission on the userAccountControl attribute where applicable.

Also I would suggest not to use serverless binding. At least specify the domain name:

LDAP://mydomain.local/dc=mydomain,dc=local

This can help you to avoid slow LDAP responses and/or data inconsistency.

Share:
13,038

Related videos on Youtube

shrawani karpe
Author by

shrawani karpe

Updated on September 18, 2022

Comments

  • shrawani karpe
    shrawani karpe over 1 year

    After all the reading and research I've done, this seems like the most logical place to post this question:

    Why can I query Active Directory using VBA, but not a Linked Server in SQL Management Studio 2012?

    First, I have been able to do this before, but many moons ago with SQL Server 2005.

    Here is the query I am attempting:

    SELECT * FROM OpenQuery(
ADSI,
'SELECT displayName, title, department, employeeID, userAccountControl
FROM ''LDAP://dc=testdomain''
WHERE objectCategory = ''Person'' AND
      objectClass = ''user'' AND
      userAccountControl=512')

    Here is the error I'm getting:

    Msg 7321, Level 16, State 2, Line 1
An error occured while preparing the query "SELECT displayName, title, department, employeeID, userAccountControl
            FROM 'LDAP://dc=testdomain'
            WHERE objectCategory = 'Person' AND
                  objectClass = 'user' AND
            userAccountControl=512" for execution against OLE DB provider "ADsDSOObject" for linked server "ADSI".

    The problem with this error message is that it's very generic and seemingly doesn't yield anything useful. Everything I've read appears to be a permission issue or the syntax of the query, and I assume it's meant in the context to my SQL instance login and how the security is set up in the Linked Server. The VBA code below works and is using a query that's very similar and not even the simplest of queries have worked in the Linked Server. I also have access to the Active Directory I am trying to link to and this is proven by the snippet of VBA code I have at the bottom (only there for reference). Thing is, I believe I have all the right privileges in place to for this to be working.

    However, a lot of what's being suggested is on different sites involves doing modifications to the SQL instance that are not readily obvious of what the impacts are long term as this server is still being built. I have temporary elevated privileges to build it out.

    Here's the details and parameters in which I've set up the linked server:

    SQL Server 11.0.5058
Linked Server: ADSI
Provider: OLE DB Provider for Microsoft Directory Services
Product name: Active Directory Services 2.5
Data source: adsdatasource
Provider string: ADsDSOObject

Be made using the login's current security context

Ole DB Provider  Options:
Allow in process

    However, the only thing I've found that might set myself apart from all the other blogs about this error is when I attempt to drill down to the linked servers tables and view (Server Objects > Linked Servers > ADSI > Catalogs > default > Tables). Once I click to expand the Tables level I get the following error:

    Failed to retreive data for this request. (Microsoft.SqlServer.Management.Sdk.Sfc)

Additional information:
    An exception occured while executing a Transact-SQL statement or batch.
    (Microsoft.SqlServer.ConnectionInfo)
        Cannot obtain the required interface ("IID_IDBSchemaRowset") from OLE DB provider "ADsDSOObject"
        for linked server "ADSI". (Microsoft SQL Server, Error: 7301)

    This IID_IDBSchemaRowset seems to be my only lead, but that looks to be a deep and dark rabbit hole to down and not sure if that's where I need to go. Help!

    For Reference

    'References: Microsoft ActiveX Data Objects 2.8 Library
Public Sub testADSI()
    On Error Resume Next

    Dim cn As ADODB.Connection
    Dim cmd As ADODB.Command
    Dim rs as ADODB.Recordset
    Dim MySql as String
    Dim n as Integer

    Set cn = New ADODB.Connection
    Set cmd = New ADODB.Command
    Set rs = New ADODB.Recordset

    cn.Provider = "ADsDSOObject"
    cn.Open "Active Directory Provider"

    Set cmd.ActiveConnection = cn

    cmd.Properties("Page Size")= 1000

    MySql = "SELECT displayName, title, department, employeedID, userAccountControl " & _
            "FROM 'LDAP://dc=testdomain' " _ &
            "WHERE objectCategory = 'Person' AND " & _
                  "objectClass = 'user' AND " & _
                  "userAccountControl=512" 

    rs.Open MySql, cn, 1

    If rs.RecordCount > 0 Then
        MsgBox "Sucess! " & rs.RecordCount & " records found!"
    Else
        MsgBox "No records"
    End IF
End Sub
    • Darin Strait
      Darin Strait about 9 years
      I've always found the 'LDAP' portion of these queries hard to grok. I can't tell you why VBA works and your TSQL does, but I can get a similar query to work on my 2008R2 instance if I change 'LDAP://dc=testdomain' to 'LDAP://testdomain'
    • shrawani karpe
      shrawani karpe about 9 years
      Ive tried both variants with each to no avail.
    • raja
      raja about 9 years
      Have you tried SO?
  • shrawani karpe
    shrawani karpe about 9 years
    To be fair, I've tried "Be made using this security context:" using my own credentials and didn't work. I've doing some other research and seems to have something to do with permissions on the agent. At the end of the day, it's still a permission issue and one my admin won't make changes to.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

VBScript Error when calling GetObject("WinNT://JohnDoe,User")
Available fields for ADSI Linked in SQL Server
Using LDAP or ADSI with Delphi for user account management
SQL Server 2012: Add a linked server to PostgreSQL
SQL Availability Group Listener creation fails
IIS application using application pool identity loses primary token?
catastrophic failure trying to select from linked server
What are the other alternative to test a LDAP connection on linux machine
Make sssd respect Acctive Directory nested groups
Joining an Active Directory domain using netdom