Directory Services

Binding to Active Directory

Programmatic access to Active Directory is provided by Active Directory Service Interfaces (ADSI). Connecting to an object in Active Directory is known as binding.

Binding Functions and Methods

When a directory object has been bound to through ADSI, it is represented as a COM object. Every ADSI COM object that represents a directory object implements the IADs interface, and usually supports additional interfaces depending on the class of the directory object; a user object, for example, implements IADsUser in addition to IADs. Call QueryInterface on the object to obtain the other interfaces it supports.

To bind to an Active Directory object, use one of the following functions or methods: ADsGetObject or ADsOpenObject from C/C++, GetObject from Visual Basic and scripting languages, or the IADsOpenDSObject::OpenDSObject method.

In general, the Get operations (ADsGetObject, GetObject) use the security context of the calling thread, which is either the security context of the current user or that of a client the thread impersonates. In contrast, the Open operations (ADsOpenObject, IADsOpenDSObject::OpenDSObject) accept alternate credentials (user name and password). Similarly, the Get operations use the default binding options, whereas the Open operations take an explicit set of binding flags from ADS_AUTHENTICATION_ENUM.

The Open operations must be used if alternate credentials must be supplied, or if the binding options must be set explicitly, for example to require ADS_SECURE_AUTHENTICATION together with ADS_USE_SIGNING and ADS_USE_SEALING, or to connect over SSL/TLS with ADS_USE_SSL. Choose the flags carefully whenever a password is passed: if ADS_SECURE_AUTHENTICATION is not set, ADSI performs an LDAP simple bind, and the password travels to the server in cleartext unless ADS_USE_SSL or ADS_USE_ENCRYPTION is also set.

For more information about the ADSI binding functions and methods, see Using ADSI Functions to Bind Directly to an Object.
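The two binding styles side by side, as an added example that is not part of the original page. It uses the [ADSI] type accelerator and System.DirectoryServices.DirectoryEntry, which wrap the same ADSI Get and Open calls from PowerShell; it assumes a domain-joined Windows host, and the server and account names in the usage comments (dc01.fabrikam.com, FABRIKAM\svc-reader) are hypothetical.

```powershell
# Added example, not code from the original page. Assumes a domain-joined Windows
# host; dc01.fabrikam.com and FABRIKAM\svc-reader are hypothetical names.
Add-Type -AssemblyName System.DirectoryServices

# "Get" style: [ADSI] behaves like ADsGetObject/GetObject and binds with the
# security context of the calling thread (the logged-on user or an impersonated
# client). The code never touches a password.
function Get-AdsObjectAsCaller {
    param([Parameter(Mandatory)][string]$AdsPath)
    $entry = [ADSI]$AdsPath
    # Reading a property forces the bind, so failures surface here rather than later.
    $null = $entry.distinguishedName
    return $entry
}

# "Open" style: DirectoryEntry with explicit credentials and an AuthenticationTypes
# mask is the managed equivalent of ADsOpenObject with ADS_AUTHENTICATION_ENUM flags.
function Open-AdsObjectWithCredential {
    param(
        [Parameter(Mandatory)][string]$AdsPath,
        [Parameter(Mandatory)][pscredential]$Credential,
        [switch]$SimpleBind,   # LDAP simple bind instead of Negotiate/Kerberos
        [switch]$UseSsl        # wrap the connection in TLS (LDAPS)
    )
    $T = [System.DirectoryServices.AuthenticationTypes]
    if ($SimpleBind) {
        # Without Secure (ADS_SECURE_AUTHENTICATION) ADSI sends the password in
        # cleartext unless SecureSocketsLayer (ADS_USE_SSL) is set. Refuse that.
        if (-not $UseSsl) {
            throw 'Simple bind without TLS would send the password in cleartext; add -UseSsl.'
        }
        $auth = $T::SecureSocketsLayer
    } else {
        # Secure = ADS_SECURE_AUTHENTICATION, Signing/Sealing = ADS_USE_SIGNING /
        # ADS_USE_SEALING: Kerberos or NTLM, with integrity and confidentiality.
        $auth = $T::Secure -bor $T::Signing -bor $T::Sealing
        if ($UseSsl) { $auth = $auth -bor $T::SecureSocketsLayer }
    }
    $entry = New-Object System.DirectoryServices.DirectoryEntry(
        $AdsPath,
        $Credential.UserName,
        $Credential.GetNetworkCredential().Password,
        $auth)
    $null = $entry.distinguishedName
    return $entry
}

# Usage (hypothetical names):
#   $users = Get-AdsObjectAsCaller 'LDAP://CN=Users,DC=fabrikam,DC=com'
#   $cred  = Get-Credential 'FABRIKAM\svc-reader'
#   $users = Open-AdsObjectWithCredential 'LDAP://dc01.fabrikam.com/CN=Users,DC=fabrikam,DC=com' $cred
#   Open-AdsObjectWithCredential 'LDAP://dc01.fabrikam.com/CN=Users,DC=fabrikam,DC=com' $cred -SimpleBind   # throws
```

The default branch is the one to use for domain accounts: Kerberos never puts the password on the wire, and signing plus sealing protect the LDAP session afterwards. Simple bind is only accepted when TLS is requested, which mirrors the ADS_USE_SSL requirement above.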

Binding Strings

All bind functions and methods require a binding string, also called an ADsPath. The form of the binding string depends on the provider. Active Directory can be accessed through two providers, LDAP and WinNT.

Beginning with Windows® 2000, the LDAP provider is used to access Active Directory. The LDAP binding string can take one of the following forms:

LDAP://<host name>/<object name>
GC://<host name>/<object name>

In the forms above, LDAP: selects the LDAP provider. GC: also uses the LDAP provider, but binds to the global catalog (port 3268 rather than 389), which holds a partial, read-only replica of every domain in the forest and therefore answers forest-wide queries quickly.

<host name> specifies the server to bind to and is optional. If possible, do not specify a server: a serverless binding string lets the domain controller locator choose an available domain controller for the current domain, so the application does not break when one particular server is down, renamed or decommissioned. It is also possible to bind to an object in a different domain by passing the DNS name of the target domain as <host name>. For example, to bind to the Users container in the domain2 domain of fabrikam.com, the binding string would be "LDAP://domain2.fabrikam.com/CN=Users,DC=domain2,DC=fabrikam,DC=com".

<object name> identifies a specific Active Directory object, either by distinguished name (as in the example above) or by object GUID, using the form "LDAP://<GUID=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX>" where the GUID is written as 32 hexadecimal digits.

For more information about LDAP binding strings, see LDAP ADsPath.
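Building binding strings from parts, as an added example that is not part of the original page. Distinguished-name values that come from user input (a display name, a search box) must be escaped per RFC 4514 before they are placed in an ADsPath, otherwise a value such as "x,OU=Admins" adds an RDN to the path instead of naming an object. The function below is this editor's code, not an ADSI API; it is pure string handling and runs offline in pwsh.

```powershell
# Added example, not code from the original page. New-AdsPath and
# ConvertTo-EscapedRdnValue are hypothetical helper names.

function ConvertTo-EscapedRdnValue {
    # Escape one RDN attribute value per RFC 4514: , + " \ < > ; anywhere,
    # a leading '#' or space, a trailing space, and control characters as \XX.
    param([Parameter(Mandatory)][string]$Value)
    $special = @(',', '+', '"', '\', '<', '>', ';')
    $sb = New-Object System.Text.StringBuilder
    $chars = $Value.ToCharArray()
    for ($i = 0; $i -lt $chars.Length; $i++) {
        $c = [string]$chars[$i]
        if ([int]$chars[$i] -lt 32) {
            [void]$sb.Append(('\{0:X2}' -f [int]$chars[$i]))
            continue
        }
        $needsEscape = ($special -contains $c) -or
                       ($i -eq 0 -and ($c -eq '#' -or $c -eq ' ')) -or
                       ($i -eq $chars.Length - 1 -and $c -eq ' ')
        if ($needsEscape) { [void]$sb.Append('\') }
        [void]$sb.Append($c)
    }
    return $sb.ToString()
}

function New-AdsPath {
    param(
        [ValidateSet('LDAP', 'GC')][string]$Provider = 'LDAP',
        [string]$Server,          # optional; omit for serverless binding
        [hashtable[]]$Rdns,       # ordered RDNs, e.g. @{CN='Users'}, @{DC='fabrikam'}, @{DC='com'}
        [guid]$ObjectGuid         # alternative to a DN: bind by object GUID
    )
    $byGuid = $PSBoundParameters.ContainsKey('ObjectGuid')
    if ($byGuid -and $Rdns) { throw 'Specify either -Rdns or -ObjectGuid, not both.' }
    if (-not $byGuid -and -not $Rdns) { throw 'An object name (RDNs or GUID) is required.' }

    $prefix = "${Provider}://"
    if ($Server) {
        # Only a DNS name or IP literal, optionally with a port, may appear here.
        if ($Server -notmatch '^[A-Za-z0-9.-]+(:\d{1,5})?$') { throw "Invalid server name: $Server" }
        $prefix += "$Server/"
    }
    if ($byGuid) {
        # GUID form: 32 hex digits, no braces or hyphens.
        return $prefix + '<GUID=' + $ObjectGuid.ToString('N') + '>'
    }
    $parts = foreach ($r in $Rdns) {
        if ($r.Count -ne 1) { throw 'Each RDN hashtable must hold exactly one attribute=value pair.' }
        $attr = [string]($r.Keys | Select-Object -First 1)
        if ($attr -notmatch '^[A-Za-z][A-Za-z0-9-]*$') { throw "Invalid RDN attribute: $attr" }
        '{0}={1}' -f $attr, (ConvertTo-EscapedRdnValue -Value ([string]$r[$attr]))
    }
    return $prefix + ($parts -join ',')
}

# Self-check against the binding string quoted in the text.
$expected = 'LDAP://domain2.fabrikam.com/CN=Users,DC=domain2,DC=fabrikam,DC=com'
$actual = New-AdsPath -Server 'domain2.fabrikam.com' -Rdns @{CN='Users'}, @{DC='domain2'}, @{DC='fabrikam'}, @{DC='com'}
if ($actual -ne $expected) { throw "Self-check failed: $actual" }

# A hostile CN stays a single RDN because its comma is escaped, so the path still
# names an object under CN=Users rather than one under OU=Admins.
New-AdsPath -Rdns @{CN='x,OU=Admins'}, @{CN='Users'}, @{DC='fabrikam'}, @{DC='com'}
# GUID form, serverless (the GUID is a constructed sample value).
New-AdsPath -Provider GC -ObjectGuid ([guid]'7b1f8a2e-1c3d-4e5f-9a0b-2c3d4e5f6a7b')
```

The attribute name is validated and the value is escaped separately, so neither half of an RDN can be used to splice in a second RDN or a different host. When a GUID is available, prefer the GUID form: it needs no escaping at all and keeps working after the object is renamed or moved.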

For Microsoft Windows NT 4.0, the WinNT provider gives access to directory data such as users, user groups, computers, services, and other network objects in the Windows NT 4.0 environment. On Windows 2000 and later the WinNT provider is still available, for example to manage local SAM accounts, but it has limited functionality compared to the LDAP provider and does not expose the Active Directory object model. For more information about WinNT binding strings, see WinNT ADsPath.

An ADsPath of "LDAP://" or "GC://" binds to the root of the namespace. The namespace object returned has no properties of its own. Its single child is the domain object in the LDAP case, or, in the GC case, a container holding a partial replica of every domain in the forest.
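Walking the two namespace roots just described, as an added example that is not part of the original page. It assumes a domain-joined Windows host and uses serverless binding throughout, so the domain controller locator selects the server; the RootDSE lookup at the end is the usual way to obtain a domain's distinguished name without hard-coding it, and the function names are hypothetical.

```powershell
# Added example, not code from the original page. Assumes a domain-joined Windows host.
Add-Type -AssemblyName System.DirectoryServices

function Get-AdsNamespaceRootChildren {
    # Bind to "LDAP://" or "GC://" and report the single child the page describes:
    # the domain object for LDAP, the forest-wide partial-replica container for GC.
    param([ValidateSet('LDAP://', 'GC://')][string]$Root = 'LDAP://')
    $ns = New-Object System.DirectoryServices.DirectoryEntry($Root)
    foreach ($child in $ns.Children) {
        [pscustomobject]@{
            Root    = $Root
            Class   = $child.SchemaClassName
            AdsPath = $child.Path
            DN      = [string]$child.Properties['distinguishedName'].Value
        }
    }
}

function Get-DefaultNamingContext {
    # Serverless bind to RootDSE: the locator picks a domain controller and the
    # domain's DN is read from defaultNamingContext instead of being hard-coded.
    $rootDse = New-Object System.DirectoryServices.DirectoryEntry('LDAP://RootDSE')
    return [string]$rootDse.Properties['defaultNamingContext'].Value
}

# Usage:
#   Get-AdsNamespaceRootChildren 'LDAP://'   # one child: the domain object
#   Get-AdsNamespaceRootChildren 'GC://'     # one child: the partial-replica container
#   $dn = Get-DefaultNamingContext
#   $users = [ADSI]"LDAP://CN=Users,$dn"     # serverless bind built from RootDSE
```

Combining the RootDSE lookup with a serverless ADsPath gives a binding string that contains neither a server name nor a hand-written domain DN, which is the portable form the text recommends.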

For more information about binding in Active Directory, see: