Hey, Scripting Guy! How do I bind to a user account when the user is in a sub-OU? Code like this doesn’t work: LDAP://CN=Ken Meyer, OU=NA\Human Resources, DC=fabrikam, dc=com.
— RD
Hey, RD. The past few days we’ve done some lengthy answers to questions, so we decided to be a little lazy today (hey, it is Friday!) and take an easy one. In your Active Directory, you have an OU named NA, and inside that OU you have a sub-OU named Human Resources. You’re trying to get at a user account located in the Human Resources OU but, as you’ve discovered, this code won’t do it:
Set objUser = GetObject _ ("LDAP://CN=Ken Meyer, OU=NA\Human Resources, DC=fabrikam, dc=com ")
Why not? Well, you’re trying to take a shortcut here and, in this case at least, ADSI doesn’t like you taking shortcuts. You’re specifying an OU named NA\Human Resources, obviously meaning, “The OU named Human Resources that’s found inside the NA OU.” That makes sense to us, but not to ADSI. Instead, ADSI requires you to separate each part of the distinguished name; no shortcuts. Thus you need to use a binding string like this:
Set objUser = GetObject _ ("LDAP://CN=Ken Meyer, OU=Human Resources, OU=NA, DC=fabrikam, dc=com ")
Notice that ADSI requires you to work backwards when creating a binding string. You start with the actual user account itself (CN=Ken Meyer). Next you go to the OU in which the user account resides: OU= Human Resources. From there you go to the parent OU: OU=NA. What if the NA OU was actually a sub-OU of, say, Headquarters? No problem; in that case, your binding string would look like this:
Set objUser = GetObject _ ("LDAP://CN=Ken Meyer, OU=Human Resources, OU=NA, " & _ "OU=Headquarters, DC=fabrikam, dc=com ")
You then tack on the domain components (DC=fabrikam, DC=com), and you’re off and running.
0 comments