ahmd0

Reputation: 17293

GetUserNameEx with NameFullyQualifiedDN doesn't return for 3-4 seconds, why?

I have a very weird problem and a question about a possible solution. I need to get a fully qualified distinguished name on a Windows computer from a program written in C++ (using native WinAPIs.) For that I use the following API:

TCHAR buff[256];
DWORD dwSz = 256;
GetUserNameEx(NameFullyQualifiedDN, buff, &dwSz);

The code above works in no time if I run it from a user-mode process (from a user desktop.) But when I call that API from a system service it does not return for 3-4 seconds! (I should say that the code above may be called on a system that is not a member of an Active Directory domain.)

So my first question is, why would calling it from a service be an issue?

And second question, if I call that API when my service starts and later cache the result in a global variable and later on use it instead, what are the chances that a Distinguished Name changes on that system?

Upvotes: 0

Views: 2747

Answers (1)

Brian Desmond

Reputation: 4503

If the system isn't a member of the domain, the API call is going to fail.

Exactly what's happening when you run it as local system versus a user context is hard to say - I'd likely start with a network trace and see what is happening.

I wouldn't make any assumption that the user's DN is static. It's something the administrator could change at any time.

Adding DsCrackNames workflow:

  1. Call DsBind - pass NULL to the first two parameters to get a handle
  2. Call DsCrackNames with the handle from #1, DS_NAME_NO_FLAGS, DS_FQDN_1779_NAME, and the computer's name. You might have to append a $ on the name of the machine.
  3. Call DsFreeNameResult so you don't leak the results
  4. Call DsUnBind so you don't leak the handle from #1

Upvotes: 1
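
The four steps from the answer above as C++, an added example that is not part of the original answer. `ComputerAccountName` and `CrackComputerDN` are hypothetical names, and `DS_NT4_ACCOUNT_NAME` as the offered name format is an assumption, since the answer does not name one; the Windows-only part is guarded so the name helper compiles on any platform.

```cpp
// Added example (not from the original answer): resolve the computer
// account's DN via DsBind -> DsCrackNames -> DsFreeNameResult -> DsUnBind.
#include <string>
#ifdef _WIN32
#include <windows.h>
#include <ntdsapi.h>   // link with Ntdsapi.lib
#endif

// Build the NT4-style account name "DOMAIN\HOST$". The trailing '$' marks a
// computer account; it is appended only if the caller did not supply it.
std::wstring ComputerAccountName(const std::wstring& domain,
                                 const std::wstring& host) {
    std::wstring name = domain + L"\\" + host;
    if (host.empty() || host.back() != L'$') name += L'$';
    return name;
}

#ifdef _WIN32
// Returns ERROR_SUCCESS and fills `dn`, or a Win32 error code.
// Assumption: the name is offered in DS_NT4_ACCOUNT_NAME format.
DWORD CrackComputerDN(const std::wstring& domain, const std::wstring& host,
                      std::wstring& dn) {
    HANDLE hDs = NULL;
    DWORD rc = DsBindW(NULL, NULL, &hDs);              // step 1
    if (rc != ERROR_SUCCESS) return rc;                // e.g. not domain-joined

    const std::wstring account = ComputerAccountName(domain, host);
    LPCWSTR names[] = { account.c_str() };
    PDS_NAME_RESULTW res = NULL;
    rc = DsCrackNamesW(hDs, DS_NAME_NO_FLAGS, DS_NT4_ACCOUNT_NAME,
                       DS_FQDN_1779_NAME, 1, names, &res);  // step 2
    if (rc == ERROR_SUCCESS && res != NULL) {
        // The call can succeed while the individual item fails to map.
        if (res->cItems == 1 && res->rItems[0].status == DS_NAME_NO_ERROR)
            dn = res->rItems[0].pName;
        else
            rc = ERROR_NONE_MAPPED;
        DsFreeNameResultW(res);                        // step 3
    }
    DsUnBindW(&hDs);                                   // step 4
    return rc;
}
#endif
```

The per-item `status` check matters because `DsCrackNames` reports a name it could not translate in the result item rather than in its return value.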
