ADSI Error Codes and Runtime Error Handling
ADSI requests can fail due to many reasons: The LDAP server is unreachable, the authentication data is incorrect, the user hasn't the required permissions, the object or the used attributes of the script do not exist or can't be accessed in this particular way etc. etc.<
The following contents are available here:
| ADSI Error Codes |
| Converting Error Codes : Decimal <> Hex |
| Handling Runtime Errors for ADSI in Scripts |
ADSI Error Codes
In the following you will find a list of potential error return codes when scripting with ADSI. Fundamental information can be gained from the Microsoft Developer Network (MSDN) and the Knowledge Base:
Win32
error codes for ADSI 2.0
Specific
error codes for ADO usage
Error codes, especially in MSDN, are handled in a hexadecimal syntax. However, during the runtime of a VBScript, error codes are displayed as a negative decimal number. In the next paragraph you will find explanations about the conversion of these two values.
| Error Code (Decimal) | Error Code (Hex) | Explanation |
| -2147467259 | 0x80004005 | ADO_UNSPECIFIED This number doesn't indicate a specific
reason for this error but will always occur if there are problems in
ADO requests, e.g. you forgot to pass the search scope (Subtree, OneLevel
etc.) within your request string. This error can occur even without
using ADO when you have a type mismatch while writing an object attribute
(for example if you use the ADSI method Put to
fill an integer or string attribute in a floating point number). In
this case you better convert the value into a string first. |
| -2147463168 | 0x80005000 | ADS_BAD_PATHNAME This error occurs when the indicated
LDAP path of LDAP BIND requests on objects or ADODB requests are invalid.
Maybe you tried to access a non existing object with a GetObject call
or there was a typing error in the distinguished name of the demanded
object. You can get more information about this in the following SelfADSI tutorial topic: "LDAP Pathnames - Distinguished Names". |
| -2147463160 | 0x80005008 | ADS_BAD_PARAMETER There are different reasons for
this error: One of the parameters used in an ADSI function is invalid
- regarding either the data type or logic. The error occurs e.g. during
a call with the ADSI function Delete for
an object when the indicated object class was incorrect. Or when no
array was used as first parameter for a GetInfoEx call. |
| -2147463156 | 0x8000500C | ADS_TYPE_CANNOT_BE_CONVERTED This error occurs when
you try to access a provider specific attribute without using the necessary
techniques. Some directory services return the values for its attributes
in this strange syntax format. Instead of using the normal access methods
like Get and GetEx, you have to use the ADSI-Function GetPropertyItem. You can find a description of the access methods for provider specific attributes in the SelfADSI tutorial under the topic "Provider Specific Attributes". |
| -2147463155 | 0x8000500d | ADS_PROPERTY_NOT_FOUND This error will occur if
you try to access attributes that aren't located in the so-called property
cache. This cache has been built up with the functions GetObject, GetInfo
or GetInfoEx. It could also be an operational attribute that isn't
automatically built in the cache but has to be requested explicitly
from the directory. Or there is a simple typing error in the specification
of the attribute. |
| -2147217911 | 0x80040e09 | ADO_PERMISSION_DENIED An ADO call failed because
the user account used for a directory BIND authentication had
no appropriate permissions. |
| -2147217900 | 0x80040e14 | ADO_INVALID_SEARCH_FILTER_SYNTAX This error may
occur when trying to perform an ADODB search in
the directory. This search fails when the used ADO search string
is syntactically incorrect. This have to be considered not only for
the LDAP filter which is part of the ADO command string. If you have
any syntax errors in your command string, you will encounter this error
code. |
| -2147217865 | 0x80040e37 | ADO_SEARCH_TABLE_DOES_NOT_EXIST This error can occur
when trying to perform an ADODB search in the
directory. It fails when the specified LDAP server is unreachable
or the passed LDAP path in which objects are searched is non existing.
But there are LDAP server (e.g. Novell NetWare) that return this error
code when the user ID used in the ADO request doesn't exist! |
| -2147024891 | 0x80070005 | ADS_INSUFFICIENT_RIGHTS An ADSI call failed because
the user account used for a directory BIND authentication hadn't
enough permissions. |
| -2147024865 | 0x8007001f | LDAP_OTHER An unspecific error that may have many
different reasons. Often this error occurs when trying to nest AD groups
in other groups without considering the group scope (global groups
may contain groups of other domains; local domain groups can't be nested
in groups from other domains etc.) This error can also occur during the creation of AD objects when special characters (like e.g. \ / = , etc.) occur or rather aren't coded correctly within the relative distinguished name or in other name attributes. |
| -2147023570 | 0x8007052e | LDAP_INVALID_CREDENTIALS This error will occur if
the passed user name during a BIND authentication
in the directory is non existing or if the password is invalid
. It may also be that the server doesn't allow simple clear text authentication. |
| -2147023541 | 0x8007054b | LDAP_DOMAIN_DOESNT_EXIST This error can occur if
you use the ADSI function MoveHere - this function is needed for renaming or moving objects.
MoveHere is called with two parameters: A complete LDAP
pathname and a realtive distinguished name. This error indicates a syntax error in these parameters, it also may be given a non-existing object in the complete LDAP pathname. Please check not only the domain name used in these parameters but also any other part of the LDAP name information. |
| -2147019886 | 0x80071392 | LDAP_ALREADY_EXISTS This error occurs when the ADSI
method Create is applied to a container object
whose distinguished name for the object you want to create does already
exist. Another cause could be a call to the Add method (for AD group memberships) and the object is already a member of the group. |
| -2147016694 | 0x8007200a | LDAP_NO_SUCH_ATTRIBUTE This error occurs when trying
to read a non existing attribute in the property cache of an object
with the ADSI function GetInfoEx. |
| -2147016691 | 0x8007200d | LDAP_ATTRIBUTE_OR_VALUE_EXISTS This error occurs
primarily when you try to add members to groups that have been members
of this group beforehand. |
| -2147016684 | 0x80072014 | LDAP_OBJECT_CLASS_VIOLATION This error can occur
in certain circumstances if you create an object without calling the
SetInfo method and immediately write some attributes to this newly
created object. So the correct order would be to create the object
(with the mandatory attributes), then to call the function SetInfo,
and after that set other attributes. |
| -2147016683 | 0x80072015 | LDAP_ONLY_ALLOWED_ON_LEAFS This error occurs if you try to delete an object which has one or several child objects. In other words: Only empty OUs or containers can be deleted! Although there is an extended LDAP control wich is named "Delete Tree", you cannot use such controls in ADSI scripts. If you want to know what to to when you have to delete non-empty LDAP contaniers, just read the article "Deleting LDAP Directory Objects" here in the SelfADSI tutorial. |
| -2147016682 | 0x80072016 | LDAP_NOT_ALLOWED_ON_RDN This error will occur if
you want to change the relative distinguished name of an object but
this operation, however, is not allowed by the directory server. Alternatively,
you could try to rename the respective object with the ADSI move function. |
| -2147016671 | 0x80072021 | LDAP_PROTOCOL_ERROR This error occurs e.g. when
passing the wrong data type while writing attributes. There are several
attributes existing that require a distinguished name. If you pass
a simple string in the put method it will come to this error code. |
| -2147016661 | 0x8007202b | LDAP_REFERRAL This error code occurs e.g. when passing
an incorrect distinguished name in the OpenDSObject method of a Windows
2000 ADS. Especially, when the name of the naming context is incorrect
(i.e. for example the specification of an invalid domain name). |
| -2147016657 | 0x8007202f | LDAP_CONSTRAINT_VIOLATION An internal requirement
of the directory service wasn't fulfilled. Maybe it was tried to create
an Exchange mailbox with an indefinite SMTP address. Or it was tried
to create an Active Directory user object that doesn't have a login name. Another example: There are attributes that must contain the distinguished name of another directory object (e.g. in recipient redirections of mailboxes). The constraint violations appears when trying to write any text in such an attribute. Another possibility is that it was tried to nest groups within a mixed mode environment but what is impossible here. |
| -2147016656 | 0x80072030 | LDAP_NO_SUCH_OBJECT This error is similar to ADS_BAD_PATHNAME
(0x80005008) - during the BIND process, an LDAP
object path was passed from a non existing object. The peculiarity
with this issue is that the error code ADS_BAD_PATHNAME is always given
back in Active Directory environments, whereas other LDAP server (e.g. Novell eDirectory
environments) return LDAP_No_SUCH-OBJECT. |
| -2147016654 | 0x80072032 | LDAP_INVALID_DN_SYNTAX This error occurs when a distinguished
name used for the creation of objects contains
invalid characters. |
| -2147016651 | 0x80072035 | LDAP_UNWILLING_TO_PERFORM The LDAP server rejects
to perform the requested operation. This error code occurs when trying
to change the password of a an Active Directory user via ADSI but with the password
not complying with the demands of the domain policies (i.e. it is too
short, too simple or used earlier). Or attributes are tried to change
which can only be change by the security account manager (e.g. lastLogon). This error also occurs in the context of Active Directory schema manipulations. Either it wasn't allowed to change the schema or the schema master domain controller wasn't reachable, or another schema extension was active. |
| -2147016649 | 0x80072037 | LDAP_NAMING_VIOLATION This error occurs in the context
of the creation of objects or the access to their attributes. The reason
is the usage of an invalid LDAP path, e.g. when you want to create
an organizational unit with description cn=.... . |
| -2147016646 | 0x8007203a | LDAP_SERVER_DOWN This error code occurs when the
addressed server is unreachable during a BIND authentication
in the directory. This can occur due to underlying network problems.
A firewall may block the used LDAP port, or the LDAP service isn't
active on the destination host. |
| -2146827850 | 0x800a01b6 | METHOD_OR_PROPERTY_NOT_SUPPORTED This error occurs
in LDAP and directory scripting for example when you try to directly
access an object attribute with the syntax "objectname.attributename", or if you try to use Get and Put to access the attributes type. The error
code means that the given attribute doesn't exists for that particular
object class or that the function you use is not valid for the attribute's data type.
You should check that you havn't misspell the attribute name. Maybe you should also try to access the attribute with GetEx or PutEx instead of Get and Put. You can find a description of the access methods for object attributes in the SelfADSI tutorial under the topics 'Reading LDAP object attributes' and 'Writing LDAP object attributes'. |
Conversion of Error Codes : Decimal <> Hex
You can't find an entry for a runtime error code (e.g. -2147217911) in Microsoft's online documentation? Convert the value into hexadecimal - Microsoft refers to the accordant hexadecimal error codes throughout its document. You may find my Error Code Calculator helpful:
Generally, error codes appear as 32 bit DWORDs. In the case of runtime
errors the codes are given as negative decimal numbers - a peculiarity
of the used data type 'Signed Integer'. In MSDN however positive hex values
are documented as error codes. The conversion between decimal and hex values
works as follows: The number 4294967296 has to be added
to the negative decimal number. This is the hex number 0x100000000 -
it represents the lower limit to a negative DWORD number . The calculated
value can now be converted easily into a hex number - this number represents
exactly the official hex error code.
Example:
Runtime Error -2147217911 (dec)
+ 4294967296 (dec)
______________________________
= 2147749385 (dec)
=> 0x80040E09 (hex)
Runtime Error Handling for ADSI in Scripts
In order that a visual basic script in ADSI calls doesn't stop with runtime
error, the function OnError Resume Next is used. In this
case the script keeps on running whereas an error code can be evaluated
in the system variable Err.Number and its system description
with Err.Description.
Every important ADSI call should be protected against runtime
errors in scripts like shown in the following example:
On Error Resume Next
Err.Clear
Set user = GetObjekt("LDAP://dc1.cerrotorre.de/cn=Michael Sandt,ou=Consultants,dc=cerrotorre,dc=de"
If (Err.number <> 0) Then
WScript.Echo "Error: " & Err.Number
WScript.Echo Err.Descritption
Wscript.Quit 2
End If
user.DisplayName = "Lars Bauer (Vancouver)"
Err.Clear
user.Setinfo
If (Err.number <> 0) Then
WScript.Echo "Error: Attribute could not be written"
Wscript.Quit 3
End If
