IDirectorySearch.ExecuteSearch not behaving correctly?

Huw

May 29, 2004
Archived from groups: microsoft.public.adsi.general,microsoft.public.active.directory.interfaces,microsoft.public.win2000.active_directory

Hi there,

Could anyone help me with this?

I'm performing the following steps in C++..

1) Bind to a gc using AdsGetObject
2) QI for the IDirectorySearch interface
3) Call ExecuteSearch, looking for a user with search criteria
"displayName=whatever"
4) Call GetFirstRow and check for S_ADS_NOMORE_ROWS error.

If I call the code above with a nicely privileged user, then it works just fine
and I get my user back. But, if I call this using a user that does not have
enough permissions, then the search returns no results (S_ADS_NOMORE_ROWS
returned from GetFirstRow). I thought the ExecuteSearch would at least
fail.

I tried calling AdsGetLastError to see if that would give any clues, but no
error is returned.

So my question is, how do I tell when the search failed or it worked but
there were no results?

Any ideas?

Thanks,
Huw
 

The way LDAP behaves with searches and security is that if you don't have
permissions to see an object or some of its attributes, they aren't even
returned. Thus, the directory does not disclose that those objects actually
exist.

So, I think this is the correct behavior.

There is a bit more detail here:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/effects_of_security_on_queries.asp?frame=true

Joe K.

"Huw" <huw@nospam.com> wrote in message
news:uPUSgTrDFHA.3972@TK2MSFTNGP15.phx.gbl...
> Hi there,
>
> Could anyone help me with this?
>
> I'm performing the following steps in C++..
>
> 1) Bind to a gc using AdsGetObject
> 2) QI for the IDirectorySearch interface
> 3) Call ExecuteSearch, looking for a user with search criteria
> "displayName=whatever"
> 4) Call GetFirstRow and check for S_ADS_NOMORE_ROWS error.
>
> If I call the code above with a nicely privileged user, then it works just
> fine and I get my user back. But, if I call this using a user that does not
> have enough permissions, then the search returns no results (S_ADS_NOMORE_ROWS
> returned from GetFirstRow). I thought the ExecuteSearch would at least
> fail.
>
> I tried calling AdsGetLastError to see if that would give any clues, but
> no error is returned.
>
> So my question is, how do I tell when the search failed or it worked but
> there were no results?
>
> Any ideas?
>
> Thanks,
> Huw
>
>
 

Huw


Thanks, I guess that does make sense. Do you know if there's any way of
finding out if a user exists then when I've only got the display name?

"Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote
in message news:u4H7YgsDFHA.3732@TK2MSFTNGP14.phx.gbl...
> The way LDAP behaves with searches and security is that if you don't have
> permissions to see an object or some of its attributes, they aren't even
> returned. Thus, the directory does not disclose that those objects actually
> exist.
>
> So, I think this is the correct behavior.
>
> There is a bit more detail here:
>
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/effects_of_security_on_queries.asp?frame=true
>
> Joe K.
>
> "Huw" <huw@nospam.com> wrote in message
> news:uPUSgTrDFHA.3972@TK2MSFTNGP15.phx.gbl...
> > Hi there,
> >
> > Could anyone help me with this?
> >
> > I'm performing the following steps in C++..
> >
> > 1) Bind to a gc using AdsGetObject
> > 2) QI for the IDirectorySearch interface
> > 3) Call ExecuteSearch, looking for a user with search criteria
> > "displayName=whatever"
> > 4) Call GetFirstRow and check for S_ADS_NOMORE_ROWS error.
> >
> > If I call the code above with a nicely privileged user, then it works just
> > fine and I get my user back. But, if I call this using a user that does not
> > have enough permissions, then the search returns no results
> > (S_ADS_NOMORE_ROWS returned from GetFirstRow). I thought the ExecuteSearch
> > would at least fail.
> >
> > I tried calling AdsGetLastError to see if that would give any clues, but
> > no error is returned.
> >
> > So my question is, how do I tell when the search failed or it worked but
> > there were no results?
> >
> > Any ideas?
> >
> > Thanks,
> > Huw
> >
> >
>
>
 

I don't think you can if you don't have permissions to see their user
object. Your query won't return it. I could be wrong here, but I don't
think so.

Is it feasible to ensure that you have a user with sufficient permissions?
Unless the directory has been locked down beyond the defaults, a member of
the domain users group can usually do what you want.

Joe K.

"Huw" <huw@nospam.com> wrote in message
news:esQP8o0DFHA.3536@TK2MSFTNGP15.phx.gbl...
> Thanks, I guess that does make sense. Do you know if there's any way of
> finding out if a user exists then when I've only got the display name?
>
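
A portable C++ model of the behaviour described in Joe K.'s two replies, added here as an illustration; it is not code from the thread and it does not call ADSI. The `Entry` type, the principal names and the sample directory are constructed; the two status values mirror the Windows SDK definitions, and `Failed` applies the same sign test as the `FAILED()` macro.

```cpp
#include <cstdint>
#include <iostream>
#include <set>
#include <string>
#include <vector>

using HResult = std::int32_t;
constexpr HResult kS_OK = 0;
constexpr HResult kS_ADS_NOMORE_ROWS = 0x00005012;    // success code, not an error
constexpr bool Failed(HResult hr) { return hr < 0; }  // same test as FAILED()

struct Entry {                            // constructed sample directory object
    std::string displayName;
    std::set<std::string> objectReaders;  // principals allowed to see the object
    std::set<std::string> nameReaders;    // principals allowed to read displayName
};

enum class Outcome { CallFailed, Found, NoVisibleMatch };

// Models the status of GetFirstRow after a (displayName=<name>) search as `caller`.
HResult FirstRow(const std::vector<Entry>& dir, const std::string& caller,
                 const std::string& name) {
    for (const Entry& e : dir) {
        // Access is checked first: an unreadable object or attribute is skipped
        // silently, so its existence is never disclosed to the caller.
        if (!e.objectReaders.count(caller) || !e.nameReaders.count(caller)) continue;
        if (e.displayName == name) return kS_OK;
    }
    return kS_ADS_NOMORE_ROWS;
}

// The only three answers a caller can derive from the returned status.
Outcome Classify(HResult hr) {
    if (Failed(hr)) return Outcome::CallFailed;
    return hr == kS_ADS_NOMORE_ROWS ? Outcome::NoVisibleMatch : Outcome::Found;
}

std::vector<Entry> SampleDirectory() {    // constructed data
    return {Entry{"Alice Example", {"admin", "helpdesk"}, {"admin", "helpdesk"}},
            Entry{"Bob Example", {"admin", "helpdesk"}, {"admin"}},  // attribute hidden
            Entry{"Carol Example", {"admin"}, {"admin"}}};           // object hidden
}

int main() {
    const auto dir = SampleDirectory();
    for (const char* who : {"admin", "helpdesk"})
        for (const char* n : {"Bob Example", "Carol Example", "Nobody Here"})
            std::cout << who << ", " << n << ": " << FirstRow(dir, who, n) << '\n';
}
```

For the `helpdesk` principal, a hidden object, a hidden attribute and a name that does not exist all produce the same success status, which is why neither `FAILED()` nor an error lookup reports anything.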
 
