3 December 2015

Just had an issue crop up where a web tool we created for data gathering could no longer query AD for the group memberships of a computer. It only seemed to happen on machines newly added to the enterprise; old ones continued to work fine. After checking with the team that manages AD to see if they had changed anything, we were stumped. We couldn't find anything wrong with permissions, account locks, or anything else.

My C# code was using the FindOne method of DirectorySearcher. All of our hostnames are unique and we only have one domain, so how could that be a problem? Well, it turns out something has started causing DNS entries stored in AD (I wasn't even aware we were using AD for that; DHCP and DNS are actually managed by another product) to be returned before the computer objects. Since FindOne simply takes the first result, the tool was now getting a DNS entry instead of the computer. Perhaps the folks imaging and adding machines to the domain have changed a workflow. When querying the older PCs, the computer object still gets returned first, which is why they kept working.

Needless to say, my DirectorySearcher now asks for the computer object class in its filter. So always make your filters as detailed as possible! (I should know this already....)

If anyone finds this and wants to check whether multiple objects are being returned for a hostname, you can use the following PowerShell command (after importing the ActiveDirectory module):

Get-ADObject -LDAPFilter "(name=HOSTNAME)"
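For the C# side, here is an added example (not the code from the tool described above) of the narrowed DirectorySearcher filter, using FindAll so that an ambiguous result fails loudly instead of silently returning the wrong object. It assumes a domain-joined .NET Framework host with the System.DirectoryServices assembly and searches the domain's default naming context; the escaping helper is a hypothetical name added here.

```csharp
using System;
using System.DirectoryServices;
using System.Text;

static class ComputerLookup
{
    // Escape the RFC 4515 special characters so a hostname that came from a
    // web request cannot change the shape of the LDAP filter (filter injection).
    static string EscapeLdapFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append("\\5c"); break;
                case '*':  sb.Append("\\2a"); break;
                case '(':  sb.Append("\\28"); break;
                case ')':  sb.Append("\\29"); break;
                case '\0': sb.Append("\\00"); break;
                default:   sb.Append(c); break;
            }
        }
        return sb.ToString();
    }

    // Returns the distinguishedName of the single computer object named
    // hostname. Restricting objectCategory/objectClass keeps DNS node objects
    // (which share the same name value) out of the result set; zero or several
    // matches throw rather than letting the caller act on the wrong object.
    public static string FindComputerDn(string hostname)
    {
        string filter = "(&(objectCategory=computer)(objectClass=computer)(name="
                        + EscapeLdapFilterValue(hostname) + "))";
        using (var rootDse = new DirectoryEntry("LDAP://RootDSE"))
        using (var searchRoot = new DirectoryEntry(
                   "LDAP://" + (string)rootDse.Properties["defaultNamingContext"].Value))
        using (var searcher = new DirectorySearcher(searchRoot, filter))
        {
            searcher.PropertiesToLoad.Add("distinguishedName");
            searcher.PropertiesToLoad.Add("memberOf");
            using (SearchResultCollection results = searcher.FindAll())
            {
                if (results.Count == 0)
                    throw new InvalidOperationException("No computer object named " + hostname);
                if (results.Count > 1)
                    throw new InvalidOperationException(results.Count + " computer objects named " + hostname);
                return (string)results[0].Properties["distinguishedName"][0];
            }
        }
    }
}
```

The memberOf attribute is loaded alongside the DN so the group-membership query the tool needs comes back in the same search.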

