Any help with this problem would be greatly appreciated.
I've developed a simple MS Access application to help manage the
migration of users to a new system in a large enterprise (~50,000 user
objects). One of the ways I'm doing this is to run a VBA routine to
update an extensionAttribute in AD to indicate which migration batch
the user belongs to. When I run the code below, the search component
only works the way it's written below. But the part about updating
the user's extensionAttribute fails unless I logon to my machine with
the administrator's account. So why would the search action use the
administrator credentials but the update action use integrated
credentials? What should I change? I'm trying to code this so non-
administrators can use this application.
Thanks.
'This code will update extensionAttribute15 in Active Directory for
everyone that is a part of the batch
Dim db As Database
Dim qdf As QueryDef
Dim rs As Recordset
Dim strSamAccountName As String
Dim strADSearch As String
Dim strDN As String
Dim Conn As ADODB.Connection
Dim Com As ADODB.Command
Dim rsAD As ADODB.Recordset
'Get batch number from form.
Set Com = CreateObject("ADODB.Command")
Set Conn = CreateObject("ADODB.Connection")
With Conn
.Provider = "ADSDSOObject"
.Properties("User ID") = "ad\(ADMININSTRATOR ACCOUNT)"
.Properties("Password") = "(ADMINISTRATOR PASSWORD)"
.Properties("Encrypt Password") = True
.Properties("ADSI Flag") = 0
.Mode = adModeReadWrite
End With
Conn.Open "Active Directory Provider"
Com.ActiveConnection = Conn
Set iADRootDSE = GetObject("LDAP://RootDSE")
strDefaultNamingContext = iADRootDSE.Get("defaultNamingContext")
strServerDomainName = "ad.cbp.dhs.gov:636"
'From the table get the user samAccountName for the migration batch
strSQL = "SELECT tb_UserMaster.Ha****D, tb_UserMaster.BatchNumber
FROM tb_UserMaster WHERE (((tb_UserMaster.BatchNumber)='" & strBatch &
"'));"
Set db = CurrentDb
Set rs = db.OpenRecordset(strSQL)
'Get the User Object from Active Directory (THIS PART WORKS BECAUSE IT
USES THE ADMINISTRATOR CREDENTIALS EXPLICITLY GIVEN ABOVE)
While rs.EOF = False
strSamAccountName = rs(0).Value
strADSearch = "Select AdsPath From 'LDAP://" &
strDefaultNamingContext & "' where objectClass='user' and
objectcategory='person' and SamAccountName='" & strSamAccountName &
"'"
Com.CommandText = strADSearch
Debug.Print Com.ActiveConnection.State
Set rsAD = Com.Execute
'Update the User Object with the Batch Information (THIS PART FAILS
BECAUSE IT USES MY INTEGRATED WINDOWS LOGON, NOT THE ADMINISTRATOR
ACCOUNT CREDENTIALS)
If (rsAD.EOF And rsAD.BOF) = False Then
strDN = rsAD(0)
'Debug.Print strDN
Set usr = GetObject(rsAD.Fields("AdsPath").Value)
'Debug.Print usr.Mail
usr.Put "extensionAttribute14", "Pilot 1"
usr.SetInfo
End If
rs.MoveNext
Wend
End If
