
我有以下 VBA 代码,用于搜索特定用户并从 Active Directory 输出全名、电子邮件和部门:

 Public Type LDAPUserInfo
    ' One directory account as returned by FindUser. A field is "" when the
    ' underlying attribute is empty or the lookup did not populate it.
    FullName As String       ' cn attribute
    Email As String          ' mail attribute
    Department As String     ' physicalDeliveryOfficeName attribute (mapped to Department)
    AccountStatus As String  ' account state; may be left "" by the lookup
 End Type


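Function FindUser(ByVal username) As LDAPUserInfo
 ' Looks up one account by sAMAccountName in the domain this machine belongs to
 ' (the RootDSE defaultNamingContext) and returns its cn, mail and
 ' physicalDeliveryOfficeName. AccountStatus is derived from userAccountControl.
 '
 ' username: sAMAccountName (pre-Windows 2000 logon name) to look up. A name that
 '           contains characters which are not legal in a sAMAccountName is
 '           reported as not found without any query being sent.
 ' Returns:  LDAPUserInfo; every field is "" when the user is not found, the name
 '           is rejected, or the directory cannot be reached. A MsgBox reports
 '           those cases, as the original code did.
 On Error GoTo Err_Handler

 Dim objRoot As Variant
 Dim LDAPdomainName As String
 Dim cn As Variant
 Dim cmd As Variant
 Dim rs As Variant
 Dim userInfo As LDAPUserInfo
 Dim safeName As String
 Dim uac As Long
 Dim i As Long

 ' Characters that are not legal in a sAMAccountName. They are also the ones
 ' that would let a caller-supplied value change the meaning of the WHERE
 ' clause ("*" is a wildcard in the ADSI SQL dialect), so such a name is
 ' treated as "not found" instead of being sent to the directory.
 Const INVALID_CHARS As String = """/\[]:;|=,+*?<>"

 If Len(username & "") = 0 Then
     MsgBox "Not Found"
     FindUser = userInfo
     Exit Function
 End If
 For i = 1 To Len(INVALID_CHARS)
     If InStr(1, username, Mid$(INVALID_CHARS, i, 1), vbBinaryCompare) > 0 Then
         MsgBox "Not Found"
         FindUser = userInfo
         Exit Function
     End If
 Next i
 ' An apostrophe is legal in a sAMAccountName (e.g. O'Brien); doubling it is the
 ' SQL-dialect escape so it cannot terminate the quoted literal in the query.
 safeName = Replace(CStr(username), "'", "''")

 Set objRoot = GetObject("LDAP://RootDSE")
 ' Distinguished name of the domain this directory server is a member of.
 ' http://msdn.microsoft.com/en-us/library/windows/desktop/ms684291(v=vs.85).aspx
 LDAPdomainName = objRoot.Get("defaultNamingContext")

 Set cn = CreateObject("ADODB.Connection")
 cn.Open "Provider=ADsDSOObject;"

 Set cmd = CreateObject("ADODB.Command")
 cmd.activeconnection = cn
 'To see all attributes names available, connect with Active Directory Explorer and add to Select.
 cmd.commandtext = "SELECT cn, mail, physicalDeliveryOfficeName, userAccountControl  FROM 'LDAP://" & LDAPdomainName & "' WHERE sAMAccountName = '" & safeName & "'"
 Set rs = cmd.Execute

 If rs.EOF Then
     ' No row. Reading rs("cn") here used to raise a run-time error that was then
     ' reported as a connection failure; report it as a missing user instead.
     MsgBox "Not Found"
 Else
     Debug.Print rs("cn") & " E-mail: " & rs("mail") & " Dept: " & rs("physicalDeliveryOfficeName")
     userInfo.FullName = Nz(rs("cn"), "")
     userInfo.Email = Nz(rs("mail"), "")
     userInfo.Department = Nz(rs("physicalDeliveryOfficeName"), "")
     ' userAccountControl is selected by the query; bit 0x2 is ACCOUNTDISABLE.
     uac = Nz(rs("userAccountControl"), 0)
     If (uac And 2) <> 0 Then
         userInfo.AccountStatus = "Disabled"
     Else
         userInfo.AccountStatus = "Enabled"
     End If
 End If

 FindUser = userInfo

Exit_Err:
 ' Cleanup runs on both the normal and the error path, so the connection is
 ' closed even when the query failed. Errors while closing are ignored.
 On Error Resume Next
 If IsObject(rs) Then
     If Not rs Is Nothing Then
         If rs.State <> 0 Then rs.Close
     End If
 End If
 If IsObject(cn) Then
     If Not cn Is Nothing Then
         If cn.State <> 0 Then cn.Close
     End If
 End If
 Set rs = Nothing
 Set cmd = Nothing
 Set cn = Nothing
 Set objRoot = Nothing
 Exit Function

Err_Handler:
 ' Inside the handler Err.Number is always non-zero; the old "Not Found" branch
 ' that tested it could never run, so the not-found case is handled above.
 MsgBox "Error connecting to Active Directory Database: " & Err.Description & vbCrLf & _
        "User: " & username, , "Error: " & Err.Number
 Resume Exit_Err

End Function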

它适用于主域中的用户。有没有办法修改 LDAPdomainName,使它可以在所有子域中搜索?




答案将根据您的特定林配置略有不同。

一般来说,如果你也想搜索子域,你可以要求 ADSI 进行所谓的追踪引用(referral chasing)。如果您搜索“ADSI + referral chasing”,您将获得大量结果……并且取决于您最终使用的 API,每一种都有对应的答案。一些信息在这里:http://technet.microsoft.com/en-us/library/cc978014.aspx

也就是说,有一些细微差别:

  • 如果您有多个域,而从命名空间的角度来看,林中的所有域并没有一个共同的父域(例如:想象一个包含 foo.com、bar.foo.com 和 blech.com 的林……没有一个涵盖所有内容的父级),那么您要么必须进行多次搜索,要么使用所谓的幻根控件(phantom root control,您可以在其中传递一个并不存在的最顶层父级,指示 AD 搜索所有域)
  • 请记住,此搜索会访问您整个林中的 DC……您追踪引用到的每个域都有一个。如果您只搜索一组有限的属性,您可能希望改为访问全局编录(Global Catalog)服务器,它可以从一处提供有关您所有域的信息(即搜索速度更快,因为全部在本地)。为此,您需要连接到全局编录端口,通常是 3268/3269(后者是 LDAPS)。
于 2012-08-31T22:42:14.947 回答