
ADSI Error Codes and Runtime Error Handling

ADSI requests can fail for many reasons: the LDAP server is unreachable, the authentication data is incorrect, the user does not have the required permissions, the object or the attributes used by the script do not exist or cannot be accessed in this particular way, and so on.

The following contents are available here:

ADSI Error Codes
Converting Error Codes : Decimal <> Hex
Handling Runtime Errors for ADSI in Scripts

ADSI Error Codes

In the following you will find a list of potential error return codes when scripting with ADSI. Fundamental information can be found in the Microsoft Developer Network (MSDN) and the Knowledge Base:

Common ADSI error codes

Win32 error codes for ADSI

Win32 error codes for ADSI 2.0

Specific error codes for ADO usage

Error codes, especially in MSDN, are given in hexadecimal notation. At runtime of a VBScript, however, error codes are displayed as negative decimal numbers. The conversion between these two representations is explained in the section below.

Error Code (Decimal) Error Code (Hex) Explanation
-2147467259 0x80004005 ADO_UNSPECIFIED This number doesn't indicate a specific reason for the error but always occurs if there are problems in ADO requests, e.g. you forgot to pass the search scope (Subtree, OneLevel etc.) in your request string. This error can also occur without using ADO when you have a type mismatch while writing an object attribute (for example if you use the ADSI method Put to write a floating point number into an integer or string attribute). In this case you had better convert the value into a string first.

-2147463168 0x80005000 ADS_BAD_PATHNAME This error occurs when the LDAP path indicated in LDAP BIND requests on objects or in ADODB requests is invalid. Maybe you tried to access a non-existent object with a GetObject call, or there was a typing error in the distinguished name of the requested object.

You can get more information about this in the following SelfADSI tutorial topic: "LDAP Pathnames - Distinguished Names".

-2147463160 0x80005008 ADS_BAD_PARAMETER There are different reasons for this error: one of the parameters used in an ADSI function is invalid, regarding either the data type or the logic. The error occurs, e.g., during a call of the ADSI function Delete for an object when the indicated object class was incorrect, or when no array was used as the first parameter of a GetInfoEx call.

-2147463156 0x8000500C ADS_TYPE_CANNOT_BE_CONVERTED This error occurs when you try to access a provider-specific attribute without using the necessary techniques. Some directory services return the values of their attributes in this peculiar syntax format. Instead of the normal access methods like Get and GetEx, you have to use the ADSI function GetPropertyItem.

You can find a description of the access methods for provider specific attributes in the SelfADSI tutorial under the topic "Provider Specific Attributes".

-2147463155 0x8000500d ADS_PROPERTY_NOT_FOUND This error occurs if you try to access attributes that aren't in the so-called property cache. This cache is built up by the functions GetObject, GetInfo or GetInfoEx. It could also be an operational attribute that isn't loaded into the cache automatically but has to be requested explicitly from the directory. Or there is simply a typing error in the name of the attribute.

-2147217911 0x80040e09 ADO_PERMISSION_DENIED An ADO call failed because the user account used for a directory BIND authentication had no appropriate permissions.

-2147217900 0x80040e14 ADO_INVALID_SEARCH_FILTER_SYNTAX This error may occur when trying to perform an ADODB search in the directory. The search fails when the ADO search string used is syntactically incorrect. This applies not only to the LDAP filter, which is just one part of the ADO command string: any syntax error anywhere in the command string produces this error code.

-2147217865 0x80040e37 ADO_SEARCH_TABLE_DOES_NOT_EXIST This error can occur when trying to perform an ADODB search in the directory. It fails when the specified LDAP server is unreachable or the LDAP path in which objects are searched does not exist. But there are LDAP servers (e.g. Novell NetWare) that return this error code when the user ID used in the ADO request doesn't exist!

-2147024891 0x80070005 ADS_INSUFFICIENT_RIGHTS An ADSI call failed because the user account used for a directory BIND authentication didn't have enough permissions.

-2147024865 0x8007001f LDAP_OTHER An unspecific error that may have many different causes. Often this error occurs when trying to nest AD groups in other groups without considering the group scope (global groups may contain groups of other domains; domain local groups can't be nested in groups from other domains etc.)

This error can also occur during the creation of AD objects when special characters (like \ / = , etc.) occur in, or rather aren't escaped correctly within, the relative distinguished name or other name attributes.

-2147023570 0x8007052e LDAP_INVALID_CREDENTIALS This error occurs if the user name passed during a BIND authentication in the directory does not exist or if the password is invalid. It may also be that the server doesn't allow simple clear text authentication.

-2147023541 0x8007054b LDAP_DOMAIN_DOESNT_EXIST This error can occur if you use the ADSI function MoveHere, which is needed for renaming or moving objects. MoveHere is called with two parameters: a complete LDAP pathname and a relative distinguished name.

This error indicates a syntax error in these parameters; it may also be caused by a non-existent object in the complete LDAP pathname. Please check not only the domain name used in these parameters but also every other part of the LDAP name information.

-2147019886 0x80071392 LDAP_ALREADY_EXISTS This error occurs when the ADSI method Create is applied to a container object and the distinguished name of the object you want to create already exists.

Another cause could be a call to the Add method (for AD group memberships) and the object is already a member of the group.

-2147016694 0x8007200a LDAP_NO_SUCH_ATTRIBUTE This error occurs when trying to read a non-existent attribute into the property cache of an object with the ADSI function GetInfoEx.

-2147016691 0x8007200d LDAP_ATTRIBUTE_OR_VALUE_EXISTS This error occurs primarily when you try to add members to a group that are already members of this group.

-2147016684 0x80072014 LDAP_OBJECT_CLASS_VIOLATION This error can occur in certain circumstances if you create an object without calling the SetInfo method and immediately write some attributes to this newly created object. The correct order is to create the object (with the mandatory attributes), then call SetInfo, and only after that set further attributes.

-2147016683 0x80072015 LDAP_ONLY_ALLOWED_ON_LEAFS This error occurs if you try to delete an object which has one or several child objects. In other words: only empty OUs or containers can be deleted! Although there is an extended LDAP control named "Delete Tree", you cannot use such controls in ADSI scripts.

If you want to know what to do when you have to delete non-empty LDAP containers, read the article "Deleting LDAP Directory Objects" here in the SelfADSI tutorial.

-2147016682 0x80072016 LDAP_NOT_ALLOWED_ON_RDN This error occurs if you want to change the relative distinguished name of an object but the directory server does not allow this operation. Alternatively, you could try to rename the respective object with the ADSI move function.

-2147016671 0x80072021 LDAP_PROTOCOL_ERROR This error occurs, e.g., when passing the wrong data type while writing attributes. There are several attributes that require a distinguished name; if you pass a simple string to the Put method, you get this error code.

-2147016661 0x8007202b LDAP_REFERRAL This error code occurs e.g. when passing an incorrect distinguished name to the OpenDSObject method of a Windows 2000 ADS, especially when the name of the naming context is incorrect (for example an invalid domain name).

-2147016657 0x8007202f LDAP_CONSTRAINT_VIOLATION An internal requirement of the directory service wasn't fulfilled. Maybe an attempt was made to create an Exchange mailbox with an undefined SMTP address, or to create an Active Directory user object that doesn't have a login name.

Another example: there are attributes that must contain the distinguished name of another directory object (e.g. for recipient redirection of mailboxes). The constraint violation appears when trying to write arbitrary text into such an attribute. Another possibility is an attempt to nest groups in a mixed mode environment, which is impossible there.

-2147016656 0x80072030 LDAP_NO_SUCH_OBJECT This error is similar to ADS_BAD_PATHNAME (0x80005008): during the BIND process, the LDAP path of a non-existent object was passed. The peculiarity is that Active Directory environments always return ADS_BAD_PATHNAME, whereas other LDAP servers (e.g. Novell eDirectory environments) return LDAP_NO_SUCH_OBJECT.

-2147016654 0x80072032 LDAP_INVALID_DN_SYNTAX This error occurs when a distinguished name used for the creation of objects contains invalid characters.

-2147016651 0x80072035 LDAP_UNWILLING_TO_PERFORM The LDAP server refuses to perform the requested operation. This error code occurs when trying to change the password of an Active Directory user via ADSI while the password doesn't comply with the domain policies (i.e. it is too short, too simple or was used earlier). Or an attempt is made to change attributes that can only be changed by the security account manager (e.g. lastLogon).

This error also occurs in the context of Active Directory schema manipulations: either the schema change wasn't allowed, the schema master domain controller wasn't reachable, or another schema extension was in progress.

-2147016649 0x80072037 LDAP_NAMING_VIOLATION This error occurs in the context of creating objects or accessing their attributes. The reason is an invalid LDAP path, e.g. when you want to create an organizational unit with a name of the form cn=... .

-2147016646 0x8007203a LDAP_SERVER_DOWN This error code occurs when the addressed server is unreachable during a BIND authentication in the directory. This can be due to underlying network problems: a firewall may block the LDAP port used, or the LDAP service isn't active on the destination host.

-2146827850 0x800a01b6 METHOD_OR_PROPERTY_NOT_SUPPORTED This error occurs in LDAP and directory scripting, for example when you try to access an object attribute directly with the syntax "objectname.attributename", or if you use Get and Put on an attribute type they cannot handle. The error code means that the given attribute doesn't exist for that particular object class or that the function you use is not valid for the attribute's data type.

You should check that you haven't misspelled the attribute name. You may also try to access the attribute with GetEx or PutEx instead of Get and Put.

You can find a description of the access methods for object attributes in the SelfADSI tutorial under the topics 'Reading LDAP object attributes' and 'Writing LDAP object attributes'.


Conversion of Error Codes : Decimal <> Hex

You can't find an entry for a runtime error code (e.g. -2147217911) in Microsoft's online documentation? Convert the value into hexadecimal; Microsoft refers to the corresponding hexadecimal error codes throughout its documentation.

Generally, error codes are 32 bit DWORDs. In the case of runtime errors the codes are given as negative decimal numbers, a peculiarity of the data type used ('Signed Integer'). In MSDN, however, the error codes are documented as positive hex values. The conversion between the decimal and the hex value works as follows: add the number 4294967296 to the negative decimal number. This is the hex number 0x100000000 (2^32), the value by which a signed 32 bit number and its unsigned representation differ. The resulting value can now be converted easily into a hex number, and this number is exactly the official hex error code.


Runtime Error   -2147217911 (dec)
+                4294967296 (dec)
=                2147749385 (dec)  =>  0x80040E09 (hex)

Runtime Error Handling for ADSI in Scripts

So that a Visual Basic script doesn't stop with a runtime error in ADSI calls, the statement On Error Resume Next is used. The script then keeps running, and the error code can be evaluated in the system variable Err.Number and its system description in Err.Description.

Every important ADSI call in a script should be protected against runtime errors as shown in the following example:

On Error Resume Next

' Bind to the user object (LDAP path as given on the page; supply the full distinguished name)
Err.Clear
Set user = GetObject("LDAP:// Sandt,ou=Consultants,dc=cerrotorre,dc=de")
If (Err.Number <> 0) Then
    WScript.Echo "Error: " & Err.Number
    WScript.Echo Err.Description
    WScript.Quit 2
End If

' Change an attribute in the property cache, then write the cache back to the directory
user.DisplayName = "Lars Bauer (Vancouver)"
Err.Clear
user.SetInfo
If (Err.Number <> 0) Then
    WScript.Echo "Error: Attribute could not be written"
    WScript.Quit 3
End If
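As an added example (not the page's own code) serving both the conversion section above and the error handler just shown: a Python helper that turns the decimal Err.Number a script echoes into the documented HRESULT, splits it into its severity, facility and code fields and, for the 0x8007xxxx codes, extracts the wrapped Win32 error number. The KNOWN_CODES dictionary is a subset taken from the page's table; FACILITY_WIN32 = 7 is the standard HRESULT facility value for wrapped Win32 errors.

```python
# Added example, not from the SelfADSI page: convert ADSI runtime error codes
# between the signed decimal form VBScript reports (Err.Number) and the hex
# HRESULT form MSDN documents, and split an HRESULT into its fields.

MODULUS = 4294967296  # 2**32, the value the page adds to the negative number
FACILITY_WIN32 = 7    # HRESULTs 0x8007xxxx wrap a Win32 error in the low 16 bits

# Names taken from the page's table (a subset, not the complete list).
KNOWN_CODES = {
    0x80004005: "ADO_UNSPECIFIED",
    0x80005000: "ADS_BAD_PATHNAME",
    0x80070005: "ADS_INSUFFICIENT_RIGHTS",
    0x8007052E: "LDAP_INVALID_CREDENTIALS",
    0x8007200A: "LDAP_NO_SUCH_ATTRIBUTE",
    0x8007203A: "LDAP_SERVER_DOWN",
}

def runtime_to_hresult(err_number: int) -> int:
    """Map a VBScript Err.Number (signed 32-bit) to the unsigned HRESULT value."""
    if not -MODULUS // 2 <= err_number < MODULUS // 2:
        raise ValueError("not a 32-bit signed value: %d" % err_number)
    return err_number % MODULUS          # -2147217911 -> 0x80040E09

def hresult_to_runtime(hresult: int) -> int:
    """Inverse: the signed value VBScript shows for a documented hex code."""
    if not 0 <= hresult < MODULUS:
        raise ValueError("not a 32-bit unsigned value: %#x" % hresult)
    return hresult - MODULUS if hresult >= MODULUS // 2 else hresult

def describe(err_number: int) -> dict:
    """Explain a runtime error: hex form, HRESULT fields and the known name."""
    hr = runtime_to_hresult(err_number)
    facility = (hr >> 16) & 0x7FF        # 11-bit facility field
    info = {
        "hex": "0x%08X" % hr,
        "failed": bool(hr & 0x80000000),  # severity bit set on every error code
        "facility": facility,
        "code": hr & 0xFFFF,
        "name": KNOWN_CODES.get(hr, "UNKNOWN"),
    }
    # For FACILITY_WIN32 the low 16 bits are the plain Win32 error number,
    # which is what the Win32 error code lists are keyed on.
    if facility == FACILITY_WIN32:
        info["win32_error"] = hr & 0xFFFF
    return info

if __name__ == "__main__":
    for n in (-2147217911, -2147023570, -2147016646):
        print(n, describe(n))
```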