Platform SDK: Active Directory, ADSI, and Directory Services

Binding

Accessing Active Directory™ is simply a matter of finding a Microsoft® Windows® 2000 domain controller and binding to an object in the directory. Use the ADSI LDAP provider to access Active Directory in a Windows 2000 environment.

For Microsoft® Windows NT® 4.0, Microsoft Corporation provides the WinNT provider for access to directory information such as users, user groups, computers, services, and other network objects in the Windows NT 4.0 environment.

Do not use the WinNT provider to access Active Directory in Windows 2000—unless you want to use the limited functionality of the WinNT provider.

When you bind to a directory object using ADSI, the directory object is represented as a COM object. This way, the binding operations require you to specify the COM interface that you want to use to access the directory object. All ADSI COM objects that represent directory objects have an IADs interface. A COM object representing a directory object also has other interfaces available, depending on the type of directory object. For example, a user object has an IADsUser interface in addition to an IADs interface. As with all COM objects, you can call the QueryInterface method to get pointers to the other interfaces supported on an object.

To bind to an object on a directory server, use one of the following functions or methods:

ADsGetObject function (C/C++ only)
ADsOpenObject function (C/C++ only)
GetObject method (Visual Basic and VBScript only)
IADsOpenDSObject::OpenDSObject method (VB and VBScript)

In general, the Get operations use the security context of the calling thread, which is either the security context of the current user or of a client that the thread is impersonating. In contrast; the Open operations enable you to supply specific user credentials. Similarly, the Get operations use default binding options and the Open operations use explicit binding options.

You would use the Open operations in the following cases:

If your application needs to bind using a user context that is different from the primary or impersonation context of the calling thread.
If your application needs to enforce secure authentication (your application requires binding with the specified account, or as the user that is logged on)
If your application needs encryption to protect the data exchange over the network between your application and the directory server
If your application needs to explicitly bypass authentication and bind as Everyone or Guest.

If your application is written in C/C++, use ADsGetObject or ADsOpenObject.

If your application is written in Visual Basic, use the GetObject function provided by COM or the OpenDSObject method of the IADsOpenDSObject.

All these operations require the ADsPath binding string. The binding string has the following form:

LDAP://hostname/ObjectName

GC://hostname/ObjectName

In this example, LDAP: specifies the LDAP provider, which is the provider for Active Directory. GC: uses the LDAP provider to bind to the global catalog service in order to execute fast queries.

The hostname is optional. Avoid specifying a specific machine to bind to.

The ObjectName represents a specific Active Directory object. The ObjectName can be a distinguished name or an object GUID.

You can use an ADsPath of LDAP or GC to bind to the root of the namespace. When you bind to the root of the namespace, you get a pointer to a namespace object which contains no properties and contains the domain object for LDAP and a container object containing a partial replica of all domains in the forest for GC.

Remember the following key points when binding:

Active Directory uses the ADSI LDAP provider.
Use serverless binding and rootDSE to eliminate dependencies on hardcoded server and domain names. The rootDSE is the root of the directory information tree on a directory server. The rootDSE has properties that contain information about the directory server itself.
Bind to the global catalog service for fast search. The global catalog service contains selected properties for all objects within Active Directory tree or forest.
If you want to access objects within the directory in a manner that is protected from renaming or movement of an object, you need to access the object using the object's objectGUID.
When possible, bind using the security context of the calling thread, that is, do not specify explicit user credentials.
Use the encryption option to use an SSL encrypted channel to communicate between your application and Active Directory.