Both the WinNT and LDAP providers can be used to work with Active Directory. Much of the documentation and some of the books available seem to use WinNT. In some ways, it is easier to master. However, the WinNT provider only supports features available in Windows NT domains. It exposes fewer attributes than the LDAP provider. There are many things that can only be done using LDAP. Also, the LDAP provider is faster and more efficient. If possible, I recommend using LDAP. At the same time, I recognize that if you have a program that works, don't fix it without good reason. Sometimes it even makes sense to use both providers in a program.

WinNT supports a flat namespace. It is blind to the hierarchy of Active Directory. For example, it is impossible for WinNT to recognize Organizational Units. It cannot expose nested Global and Universal Security groups, because these are not allowed in NT domains. However, WinNT can certainly be used with Active Directory. On the other hand, the Windows NT SAM database is not LDAP compliant. The LDAP provider cannot be used to access it. The WinNT provider must be used in NT domains and to manage local accounts on computers.

There are two sources of confusion when learning how to use ADSI. One is the "binding string" used to bind to objects in Active Directory. The other is the many "names" used to identify and describe objects. The pages linked below attempt to clarify these issues.

Binding strings with the WinNT provider.

Binding strings with the LDAP provider.

Characters that must be escaped in LDAP binding strings. Requirements in both VBScript and PowerShell.

Name Attributes - WinNT and LDAP.

Some of the sample VBScript programs found on this site demonstrate ways to convert WinNT names or binding strings to LDAP names or binding strings (and the reverse). The "NameTranslate" object is often used to accomplish this. Also, the spreadsheets documenting WinNT and LDAP attributes might prove helpful. These spreadsheets are on the "Links and References" page of this site.