Binding to Active Directory objects with the LDAP provider

To access the properties and methods of an object, you must first bind to it, which creates a reference to the object. You bind to Active Directory objects in VBScript with a "Set" statement, using GetObject. GetObject requires a "binding string", a text string that uniquely identifies the object in Active Directory; this is also referred to as the AdsPath of the object. Below are examples of statements that bind to objects with the LDAP provider. The binding string is the part in quotes.

Set objUser = GetObject("LDAP://cn=Joe Smith,ou=East,dc=MyDomain,dc=com")
Set objComputer = GetObject("LDAP://cn=Test2,cn=Users,dc=MyDomain,dc=com")
Set objGroup = GetObject("LDAP://cn=Engr,ou=East,dc=MyDomain,dc=net")
Set objOU = GetObject("LDAP://ou=Sales,ou=East,dc=MyDomain,dc=MyFirm,dc=com")

where:

  LDAP:                                      The provider (case sensitive)
  objUser, objComputer, objGroup, objOU      Variables referring to the bound objects
  cn=Joe Smith,ou=East,dc=MyDomain,dc=com    Distinguished Name of user "Joe Smith"
  cn=Joe Smith                               Relative Distinguished Name of user "Joe Smith"
  dc=MyDomain,dc=com                         DNS domain name (MyDomain.com)
  cn=Users                                   Relative Distinguished Name of container "Users"
  ou=East                                    Organizational Unit where user "Joe Smith" resides
  cn                                         Common Name
  ou                                         Organizational Unit
  dc                                         Domain Component

The AdsPath of an object in Active Directory (the binding string) consists of the provider moniker (LDAP://) appended to the Distinguished Name of the object. The Distinguished Name specifies not just the name of the object, but also its location in the Active Directory hierarchy. The Distinguished Name consists of a series of components separated by commas. Each component consists of a moniker, an equals sign, and the name of the component. For example, the component "ou=Sales" is an organizational unit whose name is "Sales". The moniker "ou" means organizational unit. The component "cn=Test2" is an object whose Common Name is "Test2". The moniker "cn" means Common Name. Similarly, the moniker "dc" means domain component. The component "dc=MyDomain" is a domain component with the name "MyDomain".

As an example, the Distinguished Name "cn=Joe Smith,ou=East,dc=MyDomain,dc=com" has four components. The first (lowest level) component of the Distinguished Name is the Relative Distinguished Name (RDN) of the object; here the RDN is "cn=Joe Smith". The RDN of an object is the name of the object within its container. The remaining components form the Distinguished Name of the container, which is the parent of the object. Here the object "cn=Joe Smith" is in the container whose Distinguished Name is "ou=East,dc=MyDomain,dc=com", and that parent container is an organizational unit. The parent of the "ou=East" organizational unit is the domain "MyDomain.com", which has the domain components "dc=MyDomain" and "dc=com". The Distinguished Name of the domain is therefore "dc=MyDomain,dc=com", corresponding to the DNS name MyDomain.com.

Container objects can be containers, organizational units, or domains. Container objects are objects that can "contain" other objects, such as user objects, group objects, and computer objects. Group objects are not containers. Groups can have members, but the members are not children of the group object.

In some cases it might be necessary to include a server name in the LDAP binding string. Usually this is done to refer to the copy of the object held on a particular Domain Controller (that replica may not yet reflect changes made on other Domain Controllers). It is also sometimes necessary on NT or Win9x clients where DSClient has not been installed. In the example below, we bind to the copy of the "cn=Joe" object that is on the domain controller "MySvr".

Set objUser = GetObject("LDAP://MySvr/cn=Joe,cn=users,dc=MyDom,dc=com")

The server name can also be specified as a DNS host name. For example, the above could be:

Set objUser = GetObject("LDAP://MySvr.MyDom.com/cn=Joe,cn=users,dc=MyDom,dc=com")

The binding strings described so far have been in "Little-Endian" form. This is by far the most common. However, there is also a "Big-Endian" form, with elements in the binding string reversed and separated by slashes instead of commas:

Set objUser = GetObject("LDAP://MyDC/dc=com/dc=MyDom/OU=Sales/cn=Test3")
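The AdsPath rules described above (provider prefix, optional server, little-endian versus big-endian component order, RDN versus parent DN) can be checked mechanically. The following Python parser is an added example and not code from the original page; the names parse_adspath and AdsPath are assumptions, and it also accepts the RFC 2253 "\," escape for a literal comma inside a value, which the page does not cover.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# An unescaped comma separates DN components; "\," is a literal comma in a value.
_UNESCAPED_COMMA = re.compile(r"(?<!\\),")


@dataclass
class AdsPath:
    server: Optional[str]                # "MySvr" or "MySvr.MyDom.com", if present
    components: List[Tuple[str, str]]    # little-endian order: RDN first, domain last

    @property
    def rdn(self) -> str:                # name of the object within its container
        attr, value = self.components[0]
        return f"{attr}={value}"

    @property
    def parent_dn(self) -> str:          # DN of the container holding the object
        return ",".join(f"{a}={v}" for a, v in self.components[1:])

    @property
    def dns_domain(self) -> str:         # dc=MyDomain,dc=com -> MyDomain.com
        return ".".join(v for a, v in self.components if a.lower() == "dc")

    def little_endian(self) -> str:      # canonical comma-separated binding string
        dn = ",".join(f"{a}={v}" for a, v in self.components)
        return "LDAP://" + (self.server + "/" if self.server else "") + dn


def parse_adspath(path: str) -> AdsPath:
    if not path.startswith("LDAP://"):          # the provider moniker is case sensitive
        raise ValueError(f"not an LDAP provider binding string: {path!r}")
    segments = path[len("LDAP://"):].split("/")
    # A leading segment without "=" is a server name, not a DN component.
    server = segments.pop(0) if "=" not in segments[0] else None
    if len(segments) == 1:                      # little-endian: one DN, comma separated
        raw = _UNESCAPED_COMMA.split(segments[0])
    else:                                       # big-endian: slash separated, reversed
        raw = list(reversed(segments))
    components = []
    for item in raw:
        attr, sep, value = item.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed DN component: {item!r}")
        components.append((attr.strip(), value.strip()))
    if not components:
        raise ValueError("binding string carries no Distinguished Name")
    return AdsPath(server, components)
```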

Different classes of objects in Active Directory use different monikers in their Relative Distinguished Names. This moniker is the attribute that names the object. The following table shows the naming attribute for common classes of objects in Active Directory.

  Object Class           Naming attribute
  ---------------------  -------------------------
  user                   cn (Common Name)
  group                  cn (Common Name)
  computer               cn (Common Name)
  container              cn (Common Name)
  organizational unit    ou (Organizational Unit)
  domain                 dc (Domain Component)