Section C.2. Namespaces, ProgIDs, and ADsPaths

To reference different types of directory with ADSI (Windows NT 4.0 domains, NetWare, Active Directory, and so on), you must use the namespace that corresponds to the ADSI provider for that directory service. ADSI distinguishes these namespaces by a unique prefix called a ProgID. Each ProgID is synonymous with a particular namespace and directory provider.

In a script, you specify the ProgID at the beginning of the object reference. ADSI uses it behind the scenes to connect and bind to the corresponding directory service. For example, you specify WinNT:// to access individual Windows NT 3.51, 4.0, Windows 2000, and Windows Server 2003 systems, whereas you use LDAP:// to access Active Directory and other LDAP directories. When ADSI encounters the ProgID, it loads the matching ADSI-provider DLL to process the bind request and the method invocations that follow.

ProgIDs are case-sensitive. WinNT:// will work, whereas WINNT:// will not.


Telling ADSI you want to bind via a particular namespace isn't enough. You also need to reference the object that you want to access in that namespace. A unique identifier known as an ADsPath can be used to reference each object in a namespace. Take, for example, the following WinNT namespace ADsPaths.

These two reference JoeB, a user in DOMAIN:

WinNT://DOMAIN/JoeB
WinNT://DOMAIN/JoeB, User

These two reference COMP12345, a computer in DOMAIN:

WinNT://DOMAIN/COMP12345
WinNT://DOMAIN/COMP12345, Computer

These two reference Users, a group in DOMAIN:

WinNT://DOMAIN/Users
WinNT://DOMAIN/Users, Group

This references JoeB, a user on computer MOOSE in DOMAIN:

WinNT://DOMAIN/MOOSE/JoeB

This references JoeB, a user on computer MOOSE in WORKGROUP:

WinNT://WORKGROUP/MOOSE/JoeB

This references JoeB, a user on computer MOOSE:

WinNT://MOOSE/JoeB

As these examples show, you can reference an object by its name alone or, more precisely, by its name and class. The class suffix matters when objects of different classes share a name: without it, a path such as WinNT://DOMAIN/Users is ambiguous if a user and a group are both called Users, so a script that must bind to a specific kind of object should always supply the class.

Each namespace has a unique format for the ADsPath string, so you need to make sure that you're using the correct ADsPath notation. For example, each of these ADsPaths references a unique object.

This one references JoeB, a user in DOMAIN:

WinNT://DOMAIN/JoeB, User

This next one references JoeB, a user in the Finance Organizational Unit (OU) within the rallencorp organization of the IntraNetWare tree called MyNetWareTree:

NDS://MyNetWareTree/O=RALLENCORP/OU=FINANCE/CN=JoeB

This one references JoeB, a NetWare 3.x or 4.x (bindery services) user that exists on server MYSERVER:

NWCOMPAT://MYSERVER/JoeB

Finally, this one references the default WWW service component of IIS running on the local host:

IIS://localhost/w3svc/1

In the preceding examples, NDS: refers to IntraNetWare 5.x and 4.x. (Because IntraNetWare 5.x is LDAP-compliant, you also can use LDAP paths with it.) NWCOMPAT: refers to NetWare 4.x, 3.2, 3.12, and 3.11 servers in bindery-emulation mode. IIS: refers to metabase paths on a host running IIS 3.0 or later.

One of the most commonly used namespaces is the LDAP namespace. You can use LDAP with ADSI to access a variety of directory services, including Active Directory. Although you can use the WinNT namespace to access Active Directory, you need to use the LDAP namespace to fully utilize all of ADSI's methods and properties. For this reason, our primary focus will be on the LDAP namespace.

You can use several formats to refer to LDAP directories. For example, all of the following ADsPaths reference the Administrator object within the Users container of the rallencorp.com domain; moose (moose.rallencorp.com) is a domain controller for that domain:

LDAP://cn=administrator,cn=users,dc=rallencorp,dc=com
LDAP://moose.rallencorp.com/cn=administrator,cn=users,dc=rallencorp,dc=com
LDAP://moose/cn=administrator,cn=users,dc=rallencorp,dc=com
LDAP://DC=com/DC=rallencorp/CN=Users/CN=Administrator
LDAP://moose.rallencorp.com/DC=com/DC=rallencorp/CN=Users/CN=Administrator

In these examples, CN stands for common name and DC stands for domain component. As the examples show, you can write an LDAP ADsPath going down or up the hierarchical Directory Information Tree (DIT). Most people use the style of the first three examples, which lists the most specific element first (the standard order for an LDAP distinguished name); the root-first style separates components with forward slashes instead of commas. Note also that you can name a domain controller, by short name or fully qualified name, immediately after LDAP://, using a forward slash character (/) to separate the server name from the rest of the path. Without a server name, ADSI locates a domain controller for the current domain itself (a "serverless" bind).

If a name includes an unusual character, such as a forward slash or a comma, you must mark it as part of the name rather than as a path separator: either prefix the character with a backslash (\) or enclose the whole relative distinguished name in double quotation marks (""). For example, if you have a user called AC/DC on the server, then this is wrong:

LDAP://cn=ac/dc,cn=users,dc=amer,dc=rallencorp,dc=com

ADSI reads this as cn=ac followed by a separate component dc followed by cn=users and so on. Because a bare dc is not a valid attribute=value pair, the ADsPath is invalid. The same hazard applies to any name that comes from user input or is read back from a directory attribute: escape it before splicing it into an ADsPath, otherwise a stray comma or slash either breaks the path or changes which object you bind to. Here are the two ways to specify the path correctly:

LDAP://cn=ac\/dc,cn=users,dc=amer,dc=rallencorp,dc=com
LDAP://"cn=ac/dc",cn=users,dc=amer,dc=rallencorp,dc=com

Since the backslash is itself the escape character, to use it in a name you would need to do one of the following for an object called cn=hot\cold:

LDAP://cn=hot\\cold,cn=users,dc=amer,dc=rallencorp,dc=com
LDAP://"cn=hot\cold",cn=users,dc=amer,dc=rallencorp,dc=com

The first tells ADSI that the character following the backslash is part of the name; the second tells it to take the entire quoted RDN literally.[1]

[1] Unfortunately, the latter, while valid, will not work with VBScript's GetObject function due to the extra quotation marks ("").
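
The path forms above (optional server prefix, leaf-first or root-first order, backslash or quote escaping) can all be handled by one escape-aware routine. The following Python is an added example, not code from the book or from ADSI itself: it decomposes an LDAP ADsPath into its server and RDNs, rejects the unescaped ac/dc path the way ADSI would, and builds a correctly escaped path from a list of (attribute, value) pairs, which is how a script should splice a name it did not choose into an ADsPath. The function names, the hostile sample name joeb,cn=Domain Admins, and the exact set of escaped characters (RFC 4514's list plus the forward slash that ADSI treats as a separator, plus "=") are this example's own assumptions; the moose.rallencorp.com, ac/dc and hot\cold paths are the text's. A script would pass the resulting string to GetObject or the [ADSI] accelerator; nothing here talks to a directory, so it runs offline.

```python
"""Escape-aware parsing and building of LDAP-namespace ADsPaths (added example, not the book's)."""

PROGID_LDAP = "LDAP:"  # ProgIDs are case-sensitive: "ldap:" or "Ldap:" loads no provider
# Characters backslash-escaped inside a DN value: RFC 4514's set (, + " \ < > ; plus a
# leading # and leading/trailing spaces) and the forward slash, which ADSI treats as a
# path separator. '=' is escaped too so a hostile value cannot add an attribute (assumption).
SPECIAL = set(',+"\\<>;/=')

def escape_rdn_value(value):
    """Backslash-escape DN metacharacters so that value is read as a single name."""
    out = []
    for i, ch in enumerate(value):
        if ch in SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, len(value) - 1)):
            out.append("\\")
        out.append(ch)
    return "".join(out)

def unescape_rdn_value(value):
    """Inverse of escape_rdn_value: keep the character after each backslash literally."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            i += 1
        out.append(value[i])
        i += 1
    return "".join(out)

def _split_unescaped(text, sep):
    """Split on sep, but not on a backslash-escaped sep or one inside double quotes."""
    parts, buf, quoted, i = [], [], False, 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):  # copy an escaped pair untouched
            buf.append(text[i:i + 2])
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
        if ch == sep and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts

def split_rdns(dn):
    """'attr=value,attr=value' -> [(attr, plain value), ...]; ValueError on a malformed RDN."""
    rdns = []
    for rdn in _split_unescaped(dn, ","):
        rdn = rdn.strip()
        quoted = len(rdn) >= 2 and rdn[0] == rdn[-1] == '"'
        if quoted:  # "cn=ac/dc" form: the whole RDN is taken literally, no backslash escapes
            rdn = rdn[1:-1]
        attr, eq, value = rdn.partition("=")
        if not eq or not attr.strip():
            raise ValueError(f"{rdn!r} is not attribute=value (unescaped separator?)")
        rdns.append((attr.strip().lower(), value if quoted else unescape_rdn_value(value)))
    return rdns

def parse_ldap_adspath(adspath):
    """Return (server or None, leaf-first RDN list) for any of the forms shown in the text."""
    progid, sep, rest = adspath.partition("//")
    if not sep or progid != PROGID_LDAP:
        raise ValueError(f"not an LDAP ADsPath (ProgID is case-sensitive): {adspath!r}")
    segments = _split_unescaped(rest, "/")
    server = None
    if segments and "=" not in segments[0]:  # a leading segment without '=' names the server
        server = segments.pop(0) or None
    if len(segments) == 1:  # leaf-first form: one comma-separated DN
        rdns = split_rdns(segments[0])
    else:  # root-first form: one RDN per '/'-separated segment, root first
        rdns = [r for seg in reversed(segments) for r in split_rdns(seg)]
    return server, rdns

def build_ldap_adspath(rdns, server=None):
    """Assemble a leaf-first ADsPath, escaping every value: the safe way to embed untrusted names."""
    dn = ",".join(f"{attr}={escape_rdn_value(value)}" for attr, value in rdns)
    return f"{PROGID_LDAP}//{server + '/' if server else ''}{dn}"

def canonical_dn(adspath):
    """Lower-cased leaf-first DN for comparing paths (AD matches DNs case-insensitively)."""
    _, rdns = parse_ldap_adspath(adspath)
    return ",".join(f"{a}={escape_rdn_value(v)}" for a, v in rdns).lower()

if __name__ == "__main__":
    for p in (r"LDAP://cn=ac\/dc,cn=users,dc=amer,dc=rallencorp,dc=com",  # the text's paths
              r"LDAP://cn=ac/dc,cn=users,dc=amer,dc=rallencorp,dc=com"):
        try:
            print(p, "->", parse_ldap_adspath(p))
        except ValueError as err:
            print(p, "-> INVALID:", err)
    # Constructed hostile name: once escaped, the comma stays inside a single cn value.
    print(build_ldap_adspath([("cn", "joeb,cn=Domain Admins"), ("cn", "users"), ("dc", "com")]))
```

The parser accepts the quoted form because ADSI does, but build_ldap_adspath always emits the backslash form: as the footnote notes, the quoted form is not usable from VBScript's GetObject, whereas the backslash form works everywhere. Comparing paths through canonical_dn rather than by string equality is what lets a script recognise that the five Administrator paths above all name the same object.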

When to Use the LDAP and WinNT Namespaces

Contrary to popular belief, the fact that the WinNT namespace is used to access Windows NT servers does not mean it is of little use with Windows 2000 and Windows Server 2003. The LDAP namespace is used to access Active Directory; the WinNT namespace is used to access users, groups, and other objects on individual computers. Active Directory exists only on the DCs in your forest. Any server or client that is a member of a workgroup or a domain also has objects of its own: local users such as Administrator and Guest, printers, shares, and so on. Because these objects are unique to the machine, they are not part of Active Directory, and because individual machines do not support direct access via LDAP, you have to use the WinNT namespace to reach them.




Windows Server Cookbook for Windows Server 2003 and Windows 2000
ISBN: 0596006330
Year: 2006
Pages: 380
Authors: Robbie Allen