HiveBrain v1.2.0
Get Started
← Back to all entries
patternsqlMinor

ADSI Linked Server: Why can I query AD in VBA, but not as a Linked Server?

Submitted by: @import:stackexchange-dba··
0
Viewed 0 times
whycanquerybutadsivbaserverlinkednot

Problem

After all the reading and research I've done, this seems like the most logical place to post this question:

Why can I query Active Directory using VBA, but not a Linked Server in SQL Management Studio 2012?

First, I have been able to do this before, but many moons ago with SQL Server 2005.

Here is the query I am attempting:

SELECT * FROM OpenQuery(
ADSI,
'SELECT displayName, title, department, employeeID, userAccountControl
FROM ''LDAP://dc=testdomain''
WHERE objectCategory = ''Person'' AND
      objectClass = ''user'' AND
      userAccountControl=512')


Here is the error I'm getting:

Msg 7321, Level 16, State 2, Line 1
An error occured while preparing the query "SELECT displayName, title, department, employeeID, userAccountControl
            FROM 'LDAP://dc=testdomain'
            WHERE objectCategory = 'Person' AND
                  objectClass = 'user' AND
            userAccountControl=512" for execution against OLE DB provider "ADsDSOObject" for linked server "ADSI".


The problem with this error message is that it's very generic and seemingly doesn't yield anything useful. Everything I've read appears to be a permission issue or the syntax of the query, and I assume it's meant in the context to my SQL instance login and how the security is set up in the Linked Server. The VBA code below works and is using a query that's very similar and not even the simplest of queries have worked in the Linked Server. I also have access to the Active Directory I am trying to link to and this is proven by the snippet of VBA code I have at the bottom (only there for reference). Thing is, I believe I have all the right privileges in place to for this to be working.

However, a lot of what's being suggested is on different sites involves doing modifications to the SQL instance that are not readily obvious of what the impacts are long term as this server is still being built. I have temporary elevated privileges to build it out.

Here's the details and para

Solution

You should be able to query Active Directory without the need for a linked server. In my experience, having the LDAP:// string precisely correct is key.

I'm able to successfully run your query against our Active Directory infrastructure from SQL Server 2012 using this:

SELECT * FROM OPENROWSET
    (
        'ADSDSOObject'
        , 'adsdatasource'
        , 'SELECT displayName, title, department, employeeID, userAccountControl
FROM ''LDAP://DC=some,DC=name,DC=here''
WHERE objectCategory = ''Person'' 
    AND objectClass = ''user'' 
    AND userAccountControl=512'
);


The DC=some,DC=name,DC=here obviously needs to be modified to suit the actual domain name in use.

For instance if your domain name was microsoft.com, you'd use:

DC=microsoft,DC=com


Notice, in this instance, there are only two components. If your domain name was simply "cancorso", you'd use:

DC=cancorso


Hopefully this helps.

Code Snippets

SELECT * FROM OPENROWSET
    (
        'ADSDSOObject'
        , 'adsdatasource'
        , 'SELECT displayName, title, department, employeeID, userAccountControl
FROM ''LDAP://DC=some,DC=name,DC=here''
WHERE objectCategory = ''Person'' 
    AND objectClass = ''user'' 
    AND userAccountControl=512'
);
DC=microsoft,DC=com
DC=cancorso

Context

StackExchange Database Administrators Q#94389, answer score: 3

Revisions (0)

No revisions yet.