Cross domain ADSI Linked Server Queries Failing


  • So I've been digging around trying to find an answer to this, but I think our scenario is slightly different from what I've been reading.

    We have a SQL 2005 server sitting in domain  Services are started under a globalspec domain user service account.
    Our AD 2008 R2 Servers are also sitting in

    We have created a linked server for ADSI access using a forced security context of Globalspec\IntranetServices

    When I log in to SQL Management Studio as a local user, I can run an openquery and everything works just fine.

    However, when I log into SQL Management Studio as a user in the IHS domain and try to run an openquery, I get the following error:

    Msg 7399, Level 16, State 1, Line 1
    The OLE DB provider "ADSDSOObject" for linked server "ADSI" reported an error. The provider indicates that the user did not have the permission to perform the operation.
    Msg 7321, Level 16, State 2, Line 1
    An error occurred while preparing the query "
    select  givenName,
    from    'LDAP://dc=globalspec,dc=net'
    where   objectCategory = 'Person'
            objectClass = 'user'
    " for execution against OLE DB provider "ADSDSOObject" for linked server "ADSI". 

    To me, this makes no sense, since I'm forcing the LDAP lookup to use a globalspec domain account.

    So I create a new ADSI2 linked server, but changed the security user to an IHS account.  When I query this, I only get the Message 7321, Level 16, State 2, Line 1 as above.

    I've gone to the domain and delegated read access to the IHS user, as well as the IHS service account.  I have verified that both these accounts can read from the Active Directory.

    Any help is greatly appreciated!


    Thursday, August 01, 2013 8:57 PM


  • Hi GlobalSpecMax,

    Based on the error message, this issue can occur if the IHS user doesn’t have permission to execute the command on the linked server. I suggest logging on to the linked server with the IHS user account directly, executing the commands, and checking whether we can get the desired result. Additionally, we can map the current IHS user to another user on the linked server who has permission to execute the commands. For more detailed information, you can refer to the following link:

    sp_addlinkedsrvlogin (Transact-SQL)


    Allen Li
    TechNet Community Support

    Monday, August 05, 2013 1:12 AM
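
The per-login mapping suggested in the reply above, written out as T-SQL. This is an added example, not part of either post: the login `IHS\SomeUser` and the password value are placeholders, while the linked server name, remote account and LDAP path are taken from the question.

```sql
-- Added example. Assumptions: IHS\SomeUser is a placeholder Windows login that
-- already has access to this SQL Server instance; the password is a placeholder.

-- 1. Inspect the mappings currently defined for the ADSI linked server.
--    local_login = NULL is the default mapping applied to every login that
--    has no explicit row of its own.
SELECT  s.name                 AS linked_server,
        p.name                 AS local_login,
        l.uses_self_credential,          -- 1 = pass the caller's own credentials
        l.remote_name                    -- account used when uses_self_credential = 0
FROM    sys.linked_logins      AS l
JOIN    sys.servers            AS s ON s.server_id = l.server_id
LEFT JOIN sys.server_principals AS p ON p.principal_id = l.local_principal_id
WHERE   s.name = N'ADSI';

-- 2. Add an explicit mapping for one login instead of widening the default.
--    @useself = 'FALSE' makes the provider bind with @rmtuser, not the caller.
EXEC sp_addlinkedsrvlogin
     @rmtsrvname  = N'ADSI',
     @useself     = 'FALSE',
     @locallogin  = N'IHS\SomeUser',                 -- placeholder
     @rmtuser     = N'Globalspec\IntranetServices',  -- account named in the question
     @rmtpassword = N'<password-placeholder>';

-- 3. Connected as the mapped login, run a minimal query. Only givenName is
--    selected here; this is a constructed query, not the poster's full one.
SELECT  givenName
FROM    OPENQUERY(ADSI,
        'SELECT givenName
         FROM   ''LDAP://dc=globalspec,dc=net''
         WHERE  objectCategory = ''Person'' AND objectClass = ''user''');

-- 4. To remove the mapping again (for example when the login is retired):
-- EXEC sp_droplinkedsrvlogin @rmtsrvname = N'ADSI', @locallogin = N'IHS\SomeUser';
```

The remote password is stored with the linked server definition, so the mapped account should hold read-only rights in the directory, and explicit per-login rows like this one keep the set of logins that can use it reviewable through `sys.linked_logins`.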