Name Translation: How to determine the LDAP path of a user
... if you know only the user's logon name. Or: How can I determine the full distinguished name (DN) of a user or group?
In this scenario, the name could be a conventional NT logon name (the so-called sAMAccountName or NetBIOS name, for example SELFADSI\philippfoeckeler), or it could be a modern user principal name (UPN, for example philippfoeckeler@selfadsi.org).
A convenient method for these cases is offered by the IADsNameTranslate interface. It converts the names of objects in Active Directory domains from one format into another: not only logon names, as in our case, but also display names, GUID strings, or canonical names (e.g. selfadsi.org/Users/Philipp Foeckeler). This works not just for users but also for groups, contacts, computer accounts, and other objects.
The format we primarily want to obtain from the IADsNameTranslate conversion is the user's LDAP path name (distinguished name), because we need it whenever we want to access an Active Directory object. In the jargon of the IADsNameTranslate interface this LDAP DN is also called the "1779 name", since RFC 1779 is where distinguished names were originally described.
Access a user whose NT logon name is known
This script finds the LDAP path (= distinguished name) of an Active Directory user account by its NT logon name:
Access a user whose UPN (User Principal Name) name is known
This script finds the LDAP path (= distinguished name) of an Active Directory user account by its User Principal Name:
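As an added example that is not one of the page's own scripts, the following VBScript performs both lookups (NT logon name and UPN) through IADsNameTranslate and returns the "1779 name"; like every IADsNameTranslate call it assumes the script runs on a machine logged on to the forest that holds the account.

```vbscript
' Added example: resolve the LDAP DN ("1779 name") of an account from either its
' NT4 logon name or its UPN via IADsNameTranslate. Requires a logon to the forest.
Const ADS_NAME_INITTYPE_GC = 3             ' bind to a global catalog of the current forest
Const ADS_NAME_TYPE_1779 = 1               ' LDAP distinguished name
Const ADS_NAME_TYPE_NT4 = 3                ' DOMAIN\sAMAccountName
Const ADS_NAME_TYPE_UNKNOWN = 8            ' let the interface detect the input format
Const ADS_NAME_TYPE_USER_PRINCIPAL_NAME = 9

Function NameToDN(inputName, inputType)
    Dim nt
    Set nt = CreateObject("NameTranslate")
    nt.Init ADS_NAME_INITTYPE_GC, ""       ' "" = the forest the caller is logged on to
    On Error Resume Next
    nt.Set inputType, inputName            ' fails if the name does not exist in the forest
    If Err.Number <> 0 Then
        Err.Clear
        On Error GoTo 0
        NameToDN = ""                      ' empty string = not found; caller decides what to do
        Exit Function
    End If
    On Error GoTo 0
    NameToDN = nt.Get(ADS_NAME_TYPE_1779)
End Function

' NT logon name (NetBIOS domain + sAMAccountName), as on the page
WScript.Echo NameToDN("SELFADSI\philippfoeckeler", ADS_NAME_TYPE_NT4)
' User principal name, as on the page
WScript.Echo NameToDN("philippfoeckeler@selfadsi.org", ADS_NAME_TYPE_USER_PRINCIPAL_NAME)
' If the input format is not known in advance, ADS_NAME_TYPE_UNKNOWN lets the interface detect it
WScript.Echo NameToDN("philippfoeckeler@selfadsi.org", ADS_NAME_TYPE_UNKNOWN)
```

An empty result means the name could not be resolved (unknown account, or no logon to the forest); check for it before using the DN in a subsequent bind.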
Name translation when you are not logged on to the relevant forest
The IADsNameTranslate interface is very convenient, but it has one drawback: it works only if the script runs on a machine where you are logged on as a user of the relevant AD forest. However, we can also identify the LDAP path remotely by using an LDAP search operation (with ADO). The procedure is considerably more complex:
' The logon name we are looking for (was undefined in the original listing)
logonName = InputBox("Enter logon name to search for", "Search")
userName = InputBox("Enter user name", "Credentials")     ' you could also just use a static username instead, like "EXAMPLE\userXYZ"
password = InputBox("Enter password", "Credentials")      ' you could also just use a static password instead, like "P@ssw0rd"

' Placeholders: the DC (or GC) to query and the search base; adjust to your environment
serverName = "dc1.example.com"
searchDN = "DC=example,DC=com"

' You could also search for a UPN here. Note: a value taken from user input should be
' escaped per RFC 4515 (the characters ( ) * \ and NUL) before it is placed in the filter,
' otherwise the input can change the meaning of the search.
ldapFilter = "(samAccountName=" & logonName & ")"

Set ado = CreateObject("ADODB.Connection")
ado.Provider = "ADSDSOObject"
ado.Properties("User ID") = userName
ado.Properties("Password") = password
ado.Properties("Encrypt Password") = True
ado.Open "ADSearch"

Set objectList = ado.Execute("<LDAP://" & serverName & "/" & searchDN & ">;" & ldapFilter & _
    ";distinguishedName,samAccountName,displayname,userPrincipalName;subtree")

While Not objectList.EOF
    userDN = objectList.Fields("distinguishedName")
    logonName = objectList.Fields("samAccountName")
    ' displayname and userPrincipalName may be unset (Null) on an object; pre-assigning ""
    ' and suppressing the error keeps the script from aborting on such entries
    On Error Resume Next
    displayName = "" : displayName = objectList.Fields("displayname")
    logonNameUPN = "" : logonNameUPN = objectList.Fields("userPrincipalName")
    On Error GoTo 0
    WScript.Echo logonName & " " & logonNameUPN & " " & displayName & " " & userDN
    objectList.MoveNext
Wend