Logoncount Attribute on Computer objects in Active Directory
Hello,
I have one question about the logoncount Attribute on Active Directory objects. As I understood on user objects this attribute counts the number of logons per DC (because it is not replicating).
My question is:
What exactly is count here on computer objects?
I can see that on a Domain Controller computer object the logoncount is high for the DC itself and low on the other DC objects.
Thank you.
Regards
Dennis
Here is an old thread. You will see some of the explanation from our own Richard :)
http://www.techtalkz.com/windows-server-2003/500367-attributes-update-during-computer-logon.html
Santhosh Sivarajan | Houston, TX | www.sivarajan.com
ITIL,MCITP,MCTS,MCSE (W2K3/W2K/NT4),MCSA(W2K3/W2K/MSG),Network+,CCNA
Windows Server 2012 Book - Migrating from 2008 to Windows Server 2012
Blogs: Blogs
Twitter: Twitter
LinkedIn: LinkedIn
Facebook: Facebook
Microsoft Virtual Academy:
Microsoft Virtual Academy
This posting is provided AS IS with no warranties, and confers no rights.
Similar Messages
-
Size limitation for all attributes in user objects in Active Directory????
hi geeks , i wanna know maximum size limit of an user objects attribute in active directory ... like max amount of character first name attribute can hold ... Thank in advance..
You can use ADSI Edit to view the properties of the attributes in the Schema container of your AD. In the Schema container you can select an attribute, like Company, right click, select properties, and find the rangeUpper property of the attribute. This
is the maximum length in characters (or bytes). You can also use dsquery to retrieve rangeUpper for an attribute. For example:
dsquery * "cn=Schema,cn=Configuration,dc=MyDomain,dc=com" -filter "(LDAPDisplayName=streetAddress)" -attr rangeUpper
where your domain is MyDomain.com. This finds the maximum length for the "street address" attribute. A few values in my test domain (the values can be modified, so these are the defaults):
company 64
streetAddress 1024
physicalDeliveryOfficeName 128
initials 6
st 128
postOfficeBox 40
name 255
cn 64
You can use the first two spreadsheets on this page to help identify attributes in AD (with no Exchange):
http://www.rlmueller.net/UserAttributes.htm
The first spreadsheet documents the attributes corresponding to the fields on most of the tabs of ADUC. For example, "st" is the attribute for state, "physicalDeliveryOfficeName" for the field labeled "office". You need the
LDAPDisplayName's of the attributes, like I used in the dsquery command above. The second spreadsheet documents all attributes in AD with more information, like the syntax and which class each applies to.
Richard Mueller - MVP Directory Services -
Hello.
We have two domain controllers - node1 (Windows 2008 R2) and node2 (Windows 2012 R2). When administrator connects to node2 and tries to rename some object in AD (for example, user) AD Domain Services crashes and reboot server after 60 seconds.
In Events I can see these messages:
Log Name: Directory Service
Source: Microsoft-Windows-ActiveDirectory_DomainService
Date: 04.03.2014 12:37:58
Event ID: 1173
Task Category: Internal Processing
Level: Warning
Keywords: Classic
User: domain\admin
Computer: NODE2.domain.example
Description:
Internal event: Active Directory Domain Services has encountered the following exception and associated parameters.
Exception:
c0000005
Parameter:
0
Additional Data
Error value:
7ffc7c38e45d
Internal ID:
0
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-ActiveDirectory_DomainService" Guid="{0e8478c5-3605-4e8c-8497-1e730c959516}" EventSourceName="NTDS General" />
<EventID Qualifiers="32768">1173</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>9</Task>
<Opcode>0</Opcode>
<Keywords>0x8080000000000000</Keywords>
<TimeCreated SystemTime="2014-03-04T06:37:58.116264800Z" />
<EventRecordID>881</EventRecordID>
<Correlation />
<Execution ProcessID="572" ThreadID="2580" />
<Channel>Directory Service</Channel>
<Computer>NODE2.domain.example</Computer>
<Security UserID="S-1-5-21-3794920928-4165619442-305938157-2047" />
</System>
<EventData>
<Data>c0000005</Data>
<Data>7ffc7c38e45d</Data>
<Data>0</Data>
<Data>0</Data>
</EventData>
</Event>
Log Name: Application
Source: Microsoft-Windows-Wininit
Date: 04.03.2014 12:37:58
Event ID: 1015
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: NODE2.domain.example
Description:
A critical system process, C:\Windows\system32\lsass.exe, failed with status code c0000005. The machine must now be restarted.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Wininit" Guid="{206f6dea-d3c5-4d10-bc72-989f03c8b84b}" EventSourceName="Wininit" />
<EventID Qualifiers="49152">1015</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2014-03-04T06:37:58.000000000Z" />
<EventRecordID>189578</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>Application</Channel>
<Computer>NODE2.domain.example</Computer>
<Security />
</System>
<EventData>
<Data>C:\Windows\system32\lsass.exe</Data>
<Data>c0000005</Data>
</EventData>
</Event>
Log Name: Application
Source: Application Error
Date: 04.03.2014 12:37:58
Event ID: 1000
Task Category: (100)
Level: Error
Keywords: Classic
User: N/A
Computer: NODE2.domain.example
Description:
Faulting application name: lsass.exe, version: 6.3.9600.16384, time stamp: 0x5215e25f
Faulting module name: ntdsai.dll, version: 6.3.9600.16421, time stamp: 0x524fcaed
Exception code: 0xc0000005
Fault offset: 0x000000000019e45d
Faulting process id: 0x23c
Faulting application start time: 0x01cf3773fe973e1b
Faulting application path: C:\Windows\system32\lsass.exe
Faulting module path: C:\Windows\system32\ntdsai.dll
Report Id: 85cfbe32-a367-11e3-80cc-00155d006724
Faulting package full name:
Faulting package-relative application ID:
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Application Error" />
<EventID Qualifiers="0">1000</EventID>
<Level>2</Level>
<Task>100</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2014-03-04T06:37:58.000000000Z" />
<EventRecordID>189576</EventRecordID>
<Channel>Application</Channel>
<Computer>NODE2.domain.example</Computer>
<Security />
</System>
<EventData>
<Data>lsass.exe</Data>
<Data>6.3.9600.16384</Data>
<Data>5215e25f</Data>
<Data>ntdsai.dll</Data>
<Data>6.3.9600.16421</Data>
<Data>524fcaed</Data>
<Data>c0000005</Data>
<Data>000000000019e45d</Data>
<Data>23c</Data>
<Data>01cf3773fe973e1b</Data>
<Data>C:\Windows\system32\lsass.exe</Data>
<Data>C:\Windows\system32\ntdsai.dll</Data>
<Data>85cfbe32-a367-11e3-80cc-00155d006724</Data>
<Data>
</Data>
<Data>
</Data>
</EventData>
</Event>
In node2 we installed all available updates and hotfixes.Hi Azamat Hackimov,
Regarding to error messages, it seems that the
ntdsai.dll file caused the issue. Based on current situation, please use
sfc /scannow command to scan protected system files and check if find error and repair. Meanwhile, you can also navigate to the location of this DLL file and confirm details.
In addition, Windows Server 2012 R2 has reboot unexpectedly. Please check if you get some dump file and then analysis it. It may help us to find the root reason. Please refer
to the following KB.
How to read the small dump memory dump file that is created by Windows if a crash occurs.
http://support.microsoft.com/kb/315263/en-us
By the way, it is not effective for us to debug the crash dump file here in the forum. If this issues is a state of emergency for you. Please contact Microsoft Customer Service
and Support (CSS) via telephone so that a dedicated Support Professional can assist with your request.
To obtain the phone numbers for specific technology request, please refer to the web site listed below:
http://support.microsoft.com/default.aspx?scid=fh;EN-US;OfferProPhone#faq607
Hope this helps.
Best regards,
Justin Gu -
Setting the logonHours attribute for a user in Active Directory
Hi Anyone,
I'm a brasilian guy and I need your help. How can I set the logonHours attribute on my Active Directory?
I have this code but it doesn't works good:
public void setLogonHours(boolean[] logonHoursBits){
int i;
int j;
int k;
int index21 = 0;
int index24 = 0;
byte[] byteLogonHour = new byte[21];
byte byte8Hours = 0;
for(i=0; i <= 6; i++){
for(j=1; j <= 3; j++){
for(k=7; k >= 0; k--){
if (i < 6){
if (logonHoursBits[i] == (boolean)(index24 == 0) ? true : false){
byte8Hours += (byte)Math.pow(2,k);
else{
if (logonHoursBits[0] == (boolean)(index24 == 0) ? true : false){
byte8Hours += (byte)Math.pow(2,k);
index24++;
byteLogonHour[index21] = byte8Hours;
index21++;
index24 = 0;
try{
String nome = "CN=Dryelle,OU=Pesquisa,DC=cifya,DC=com,DC=br";
ctx = new InitialLdapContext(env,null);
ModificationItem logonHours[] = new ModificationItem[1];
logonHours[0]= new ModificationItem(DirContext.REPLACE_ATTRIBUTE, new BasicAttribute("logonHours",byteLogonHour));
ctx.modifyAttributes(name,logonHours);
System.out.println("Atributo logonHours alterado com sucesso.");
catch (NamingException e) {
System.err.println("Problema na altera??o " + e);
}the code set the attribute but wrong. Can anyone help-me? It's making me crazy.
Sorry about my poor english.
Tks.
Edited by: th_slopes on Aug 15, 2008 5:50 PMDirContext ctx = new InitialDirContext(pr);
BasicAttributes entry = new BasicAttributes(true);
String entryDN = "cn=CharbelHad,ou=test users,dc=test,dc=dev";
Attribute cn = new BasicAttribute("cn", "ChHad");
Attribute street = (new BasicAttribute("streetAddress", "Ach"));
Attribute loginPreW2k = (new BasicAttribute("sAMAccountName", "[email protected]"));
Attribute login = (new BasicAttribute("userPrincipalName", "[email protected]"));
Attribute sn = (new BasicAttribute("sn", "Chl"));
Attribute pwd = new BasicAttribute("unicodePwd", "\"Ch@341\"".getBytes("UTF-8"));
Attribute userAccountControl = new BasicAttribute("userAccountControl", "512");
Attribute oc = new BasicAttribute("objectClass");
oc.add("top");
oc.add("person");
oc.add("organizationalPerson");
oc.add("user");
// build the entry
entry.put(cn);
entry.put(street);
entry.put(sn);
entry.put(userAccountControl);
entry.put(pwd);
entry.put(login);
entry.put(loginPreW2k);
entry.put(oc);
ctx.createSubcontext(entryDN, entry); -
Found DAG object in Active Directory
Dear Friends,
Today i have detected an Object called 'DAG' in Active Directory. I am not aware of these objects. Please some one could elaborate? It might be a silly question. But still i am feeling free to learn.
Regards, Jay.Hi,
This object is the Cluster Name Object(CNO) for a DAG.
In Exchange 2010 when using the Database Availability Group (DAG), we leverage the cluster services in Windows 2008 and Windows 2008 R2. This requires that a machine account be created within the directory for association with this cluster name resource.
This is known as the CNO or cluster name object.
For more information about CNO, you can refer to the following article.
Exchange 2010 – Pre-staging the Cluster Name Object (CNO) to support a Database Availability Group (DAG)
http://blogs.technet.com/b/timmcmic/archive/2010/01/05/exchange-2010-pre-staging-the-cluster-name-object-cno-to-support-a-database-availability-group-dag.aspx
Best regards,
Belinda
Belinda Ma
TechNet Community Support -
Disabling computer account in Active Directory will still allows the workstation to login
I have a special scenario. A Widows 7 workstation was in lock mode (waiting for CTRL+ALT+DEL). As an administrator, I disabled the computer account, user account and even reset the password for that user and the workstation. My requirement
is that the user can not login to the workstation again.
However, the user able to login to the workstation.
What AD registry parameter could lock down the computer completely? or is there any parameter in GPO that could lock down the computer?
Thanks in advance.
Pingala
SPHello Karen,
I am testing with the DOMAIN Account, not local account. With your instructions,
Control Panel\All Control Panel Items\User Accounts\Manage your credentials
Select the corresponding credential and click Remove.
I am able to see local accounts and not the DOMAIN account locally cached.
BTW, I am not seeing "Manage your credentials", instead, I am seeing "Manage Your Accounts" in User Accounts.
Secondly, I am looking for a setup with AD GPO so that, for most of the Enterprise Windows 7 workstations, I would like to apply the policy across the board - "Once a workstation is disabled by the administrator, the domain
user for that workstation can not login again - especially when the workstation is in lock mode.
The article you cited did not give any technical details that could help me to clean both local and domain credential caching.
Please help me with the steps how I can disable the caching for local and domain credentials on the workstation to check this manually first.
Eventually, I would like to disable a "computer" in Active Directory that should lockdown the targeted workstation for further use. Or let me know what steps are needed to lockdown a workstation immediately when a user is fired before further
damage occurs to the enterprise resources.
Thanks,
Pingala
SP -
OBIEE+ Problems trying to import objects from Active Directory
Hi
I'm trying to import my users from my Active Directory using the Administration Tool.
If I give the Base DN to point to the Users entry and I get that It doesn't have any objects to import.
If I give the Base DN to point to the parent folder of Users and Groups entry I get
LDAP server referral not supported.
Any configurations that I have to take in consideration?Henrik,
I've found other problems where OWB adds a space between all characters returned from SQL*Server which is what is happening in your case, although it is being displayed as a square box.
In one of these cases the problem was fixed by using the 11.2.0.2 OWB so would it be possible for you to try with that version ?
Also, as the problem is not with the gateway itself as you can select successfully using a database link then it would be better to follow up in the OWB forum -
Forum: Warehouse Builder
Warehouse Builder
as they will be able to help with the OWB side of the problem.
Regards,
Mike -
Hide all except one object in Active Directory Users and Computers.
Hello,
I have a question.. I need to allow to one group of "administrators" creating users in one OU and adding computers to the domain, nothing else. I allowed them to log on DC using the GPO "Allow log on locally", because I don't want to give
them administrator rights, I allowed them to do these operations on one OU through delegation wizard and now I need to make all OUs, groups etc. invisible to them except this OU. What is the best way how to achieve this? Thank you...
d.I would disable the ability to allow them to login. I suggest to create a Computers OU that you can delegate to the "admins" to add computers, and don't use the default Computers container.
I assume the admins are using Windows 7 or newer. You can customize an RSAT installation to just provide the ADAC.
Description of Remote Server Administration Tools for Windows 7:
http://support.microsoft.com/default.aspx/kb/958830
Remote Server Administration Tools for Windows 7:
http://technet.microsoft.com/en-us/library/ee449475(WS.10).aspx
Remote Server Administration Tools for Windows 7
http://www.microsoft.com/downloads/details.aspx?FamilyID=7D2F6AD7-656B-4313-A005-4E344E43997D&displaylang=en
Customizing - Installing Remote Server Administration Tools (RSAT) for Windows 7
http://www.petri.co.il/remote-server-administration-tools-for-windows-7.htm
Or if you want to chop it down and control it further, create a custom ADUC with just that OU you've delegated. I've done this in the past and worked fine for my customer:
Delegate an Organizational Unit (OU) in Active Directory Users and Computers (ADUC), then create a custom MMC or customized RSAT
http://blogs.msmvps.com/acefekay/2014/09/04/delegate-an-organizational-unit-ou-in-active-directory-users-and-computers-aduc-then-create-a-custom-mmc-or-customized-rsat/
Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
This posting is provided AS-IS with no warranties or guarantees and confers no rights. -
An organization with on premise AD is deploying Office 365. We plan to use DirSync to replicate (no passwords) internal users
with Azure AD for users to login and will use a third party FIM solution.
What I'm wondering is though this synchronization is one way (except a couple of fields - no passwords):
Can an authorized user change attributes of a synched AD object directly on Azure AD?
If yes, how would such a change be handled during the next synchronization operation?
Would the value be overwritten to the one in source of truth on premise AD
Would the value be ignored since there was no ‘change’ in the value at the source of truth on premise AD system?
Prompt responses would be much appreciated!
ThanksHi Mike,
Thank you for your response. I understand that the master is the on-premise AD. Let me rephrase my question.
As part of object synchronization, An object X with its 50 attributes is synchronized to Azure AD.
Is there any way for an administrator/other role to access and modify any attribute of the synchronized object on Azure AD directly. I understand
that re-synchronization schedule
is every 4 hours and at the time of such a synchronization the modified values (if any) will be overwritten restoring 'order'. -
"managed by" attribute of computer object
Hi all,
I am working on a script to manage the computer's attribute "managed-by" through power shell. I have found the command Set-ADComputer "AAECNBJ003403L" -ManagedBy "dn_path_of_user" which does not seem to be a solution in
my ad environment.
In our environment, all the client machines are in one domain (machine.domain.com) and users from different domains (user1.domain.com ; user2.domain.com) logon to these machines ( all domains in same forest ). when I provide the DN path of the users which
is "cn=user,dc=user1,dc=domain,dc=com" in the command Set-ADComputer "AAECNBJ003403L" -ManagedBy "dn_path_of_user" I get the error as follows
Identity info provided in the extended attribute: 'ManagedBy' could not be resolved. Reason: 'Cannot find an object with identity: 'cn=user,dc=user1,dc=domain,dc=com under: 'DC=machine,DC=domain,DC=com'.
SO it is searching for the user object in machine.domain.com where the object does not exist. Please tell me if I can specify a user domain name in the command.I need to dig into my customer's environment to know why it works for them when they add the user of a different domain. Yes, we were in the process of domain migration which has been delayed due to some incompatible applications.
We have also been using a script which is taking the input from a csv file and updating the managed by attribute of the machine. In the script we are specifying the domain "user.domain.com" and it works for us when we need to update the attribute
in bulk. But we also need the command for updating the attribute of the individual machine as per the end user request. Please see the script below if this can be taken into reference.
Import-CSV C:\Users\W9a0n3p9\Desktop\comp.csv |%{
#Specify the search criteria
$Computer = $_.Computername
$samname = $_.Username
$domain = "user.domain.com"
#Get a list of domains in the forest and grab the DN of the one matching the above parameter.
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$domain = $forest.Domains | ? {$_.Name -eq $domain}
$domainDN = $domain.GetDirectoryEntry().distinguishedName
Write-Output "Found the remote domain, the full LDAP distinguished name is $DomainDN"
#Create an LDAP searcher object and pass in the DN of the domain we wish to query
$Searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$domainDN")
#Pass in the ceriteria we are searching for.
#In this case we're looking for users with a particular SAM name.
$Searcher.filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName= $samname))"
$results = $Searcher.Findall()
#Loop through the results
Foreach($result in $results){
$User = $result.GetDirectoryEntry()
$userDN = $user.DistinguishedName
Write-Output "Set the Owner for Computer $computer as $userDN"
$A= Get-adcomputer $computer
$A.managedby = "$userdn"
Set-adcomputer -instance $A
Regards,
Maddy -
I'm trying to remove Exchange 2007 from an SBS 2008 server
(Server 2008 Standard FE). My ultimate goal is to completely remove the SBS 2008 Server from the network environment.
We have an Exchange 2010 Coexistence Scenario and Mailboxes/Public Folders/etc have been moved over to the 2010 mail server, on Server 2008 R2.
I have moved all Shares, FSMO roles, DHCP, DNS, etc over to their respective servers. We have two full blown DC's in the environment.
I'm ready to remove Exchange 2007 from SBS 2008 and DCPROMO the server. I can NOT seem to find a TechNet article that shows me how
to proceed in this kind of scenario. I am trying to use the TechNet article:
http://technet.microsoft.com/en-us/library/dd728003(v=ws.10).aspx
This article references Disabling Mailboxes, Removing OAB, Removing Public Folder Databases, then uninstalling Exchange using the Setup Wizard.
When I go to Disable Mailboxes I get the following error:
Microsoft Exchange Error
Action 'Disable' could not be performed on object 'Username (edited)'.
Username (edited)
Failed
Error:
Object cannot be saved because its ExchangeVersion property is 0.10 (14.0.100.0), which is not supported by the current version 0.1 (8.0.535.0). You will need a later version of Exchange.
OK
I really don't see why I need to Disable Mailboxes, Remove OAB and Public Folder Databases since they have been moved to 2010. I just want
to remove Exchange 2007 and DCPROMO this server (actually I just want to remove any lingering Exchange AD Objects referring to the SBS 2008 Server, using the easiest and cleanest method possible).
Can someone point me in the right direction?
Thanks!Hi,
Based on your description, it seems that you are in a migration process (migrate SBS 2008 to Windows Server
2008 R2). Now, you want to remove Exchange Server and demote server. If anything I misunderstand, please don’t hesitate to let me know.
On current situation, please refer to following articles and check if can help you.
Transition
from Small Business Server to Standard Windows Server
Removing SBS 2008 –
Step 1: Exchange 2007
Removing SBS 2008 – Step 2:
ADCS
Removing
SBS 2008 – Step 3: remove from domain / DCPROMO
Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft
does not guarantee the accuracy of this information.
Hope this helps.
Best regards,
Justin Gu -
Action Object and Active Directory?
Hi,
As I understand the documentation, there is no way to use Action Object in Storage Manager for AD.
Is that correct?
Is it possible to work around that when having IDM implemented?
Many of our customers uses provisioning and self-provisioning through the UA-portal, and it seems rather difficult to integrate this to the NTFS in AD using Storage Manager.
When customers is running OES and NSS it is a lot easier to customize and maintain a useful dynamic file system.
Does anyone has any ideas or experience that could help us out?
Thank you in advance
MartinMoldin,
It appears that in the past few days you have not received a response to your
posting. That concerns us, and has triggered this automated reply.
Has your problem been resolved? If not, you might try one of the following options:
- Visit http://support.novell.com and search the knowledgebase and/or check all
the other self support options and support programs available.
- You could also try posting your message again. Make sure it is posted in the
correct newsgroup. (http://forums.novell.com)
Be sure to read the forum FAQ about what to expect in the way of responses:
http://forums.novell.com/faq.php
If this is a reply to a duplicate posting, please ignore and accept our apologies
and rest assured we will issue a stern reprimand to our posting bot.
Good luck!
Your Novell Product Support Forums Team
http://forums.novell.com/ -
How to modify user attributes in Microsoft IAS or Active Directory??
Anyone have an idea?? What I'm trying to do is to authenticate management access to an ACE 4710 against a Microsoft IAS server.
According to the document below:
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA1_7_/configuration/security/guide/aaa.html#wp1519045
it sounds like I need to be able to modify user attributes similar to what I know is doable in ACS. I base my assumption on this because of the following statement in the link above:
"Step 3 Go to the User Setup section of the Cisco Secure ACS HTML interface and double-click the name of an existing user that you want to define a user profile attribute for virtualization. The User Setup page appears.
Step 4 Under the TACACS+ Settings section of the page, configure the following settings:
â¢Click the Shell (exec) check box.
â¢Click the Custom attributes check box.
â¢In the text box under the Custom attributes, enter the user role and associated domain for a specific context in the following format:
shell:<contextname>=<role> <domain1> <domain2>...<domainN>"
Is something like this possible in IAS??
I have the authentication piece working for the ACE however when I login, I'm assigned an ACE defined default role of 'network-monitor' which gives me only read-only access. The way I'm interpreting what needs to be done to resolve this is to have the authentication server send an attribute value that states that the user is in the role 'Admin' in which case I'll have unlimited access to my ACE.
Make sense?? Any thoughts??
Thanks in advance.
-LloydLloyd,
It is possible via Radius and not TACACS. On the same link if you scroll down, you will see option of doing it via Radius.
"Defining Private Attributes for Virtualization Support in a RADIUS Serve"
Find attached the doc that explains about setting up user attributes on IAS.
Regards,
~JG
Do rate helpful posts -
[Forum FAQ] Using PowerShell to assign permissions on Active Directory objects
As we all know, the
ActiveDirectoryAccessRule class is used to represent an access control entry (ACE) in the discretionary access control list (DACL) of an Active Directory Domain Services object.
To set the permissions on Active Directory objects, the relevant classes and their enumerations are listed as below:
System.DirectoryServices.ActiveDirectoryAccessRule class:
http://msdn.microsoft.com/en-us/library/system.directoryservices.activedirectoryaccessrule(v=vs.110).aspx
System.DirectoryServices.ActiveDirectoryRights
class:
http://msdn.microsoft.com/en-us/library/system.directoryservices.activedirectoryrights(v=vs.110).aspx
System.Security.AccessControl.AccessControlType class:
http://msdn.microsoft.com/en-us/library/w4ds5h86(v=vs.110).aspx
System.DirectoryServices.ActiveDirectorySecurityInheritance class:
http://msdn.microsoft.com/en-us/library/system.directoryservices.activedirectorysecurityinheritance(v=vs.110).aspx
In this article, we introduce three ways to get and set the ACE on an Active Directory object. In general,
we use Active Directory Service Interfaces (ADSI) or
Active Directory module cmdlets
with the Get-Acl and Set-Acl cmdlets to assign simple permissions on Active Directory objects. In addition, we can use the extended rights and GUID settings to execute
more complex permission settings.
Method 1: Using ADSI
1. Get current permissions of an organization unit (OU)
We can use the PowerShell script below to get current permissions of an organization unit and you just need to define the name of the OU.
$Name = "OU=xxx,DC=com"
$ADObject = [ADSI]"LDAP://$Name"
$aclObject = $ADObject.psbase.ObjectSecurity
$aclList = $aclObject.GetAccessRules($true,$true,[System.Security.Principal.SecurityIdentifier])
$output=@()
foreach($acl in $aclList)
$objSID = New-Object System.Security.Principal.SecurityIdentifier($acl.IdentityReference)
$info = @{
'ActiveDirectoryRights' = $acl.ActiveDirectoryRights;
'InheritanceType' = $acl.InheritanceType;
'ObjectType' = $acl.ObjectType;
'InheritedObjectType' = $acl.InheritedObjectType;
'ObjectFlags' = $acl.ObjectFlags;
'AccessControlType' = $acl.AccessControlType;
'IdentityReference' = $acl.IdentityReference;
'NTAccount' = $objSID.Translate( [System.Security.Principal.NTAccount] );
'IsInherited' = $acl.IsInherited;
'InheritanceFlags' = $acl.InheritanceFlags;
'PropagationFlags' = $acl.PropagationFlags;
$obj = New-Object -TypeName PSObject -Property $info
$output+=$obj}
$output
In the figure below, you can see the results of running the script above:
Figure 1.
2. Assign a computer object with Full Control permission on an OU
We can use the script below to delegate Full Control permission to the computer objects within an OU:
$SysManObj = [ADSI]("LDAP://OU=test….,DC=com") #get the OU object
$computer = get-adcomputer "COMPUTERNAME" #get the computer object which will be assigned with Full Control permission within an OU
$sid = [System.Security.Principal.SecurityIdentifier] $computer.SID
$identity = [System.Security.Principal.IdentityReference] $SID
$adRights = [System.DirectoryServices.ActiveDirectoryRights] "GenericAll"
$type = [System.Security.AccessControl.AccessControlType] "Allow"
$inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "All"
$ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $identity,$adRights,$type,$inheritanceType #set permission
$SysManObj.psbase.ObjectSecurity.AddAccessRule($ACE)
$SysManObj.psbase.commitchanges()
After running the script above, you can check the computer object in Active Directory Users and Computers (ADUC) and it is under the Security tab in OU Properties.
Method 2: Using Active Directory module with the Get-Acl and Set-Acl cmdlets
You can use the script below to get and assign Full Control permission to a computer object on an OU:
$acl = get-acl "ad:OU=xxx,DC=com"
$acl.access #to get access right of the OU
$computer = get-adcomputer "COMPUTERNAME"
$sid = [System.Security.Principal.SecurityIdentifier] $computer.SID
# Create a new access control entry to allow access to the OU
$identity = [System.Security.Principal.IdentityReference] $SID
$adRights = [System.DirectoryServices.ActiveDirectoryRights] "GenericAll"
$type = [System.Security.AccessControl.AccessControlType] "Allow"
$inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "All"
$ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $identity,$adRights,$type,$inheritanceType
# Add the ACE to the ACL, then set the ACL to save the changes
$acl.AddAccessRule($ace)
Set-acl -aclobject $acl "ad:OU=xxx,DC=com"
Method 3: Using GUID setting
The scripts above can only help us to complete simple tasks, however, we may want to execute more complex permission settings. In this scenario, we can use GUID settings to achieve
that.
The specific ACEs allow an administrator to delegate Active Directory specific rights (i.e. extended rights) or read/write access to a property set (i.e. a named collection of attributes) by
setting ObjectType field in an object specific ACE to the
rightsGuid of the extended right or property set. The delegation can also be created to target child objects of a specific class by setting the
InheritedObjectType field to the schemaIDGuid of the class.
We choose to use this pattern: ActiveDirectoryAccessRule(IdentityReference, ActiveDirectoryRights, AccessControlType, Guid, ActiveDirectorySecurityInheritance, Guid)
You can use the script below to
assign the group object with the permission to change user password on all user objects within an OU.
$acl = get-acl "ad:OU=xxx,DC=com"
$group = Get-ADgroup xxx
$sid = new-object System.Security.Principal.SecurityIdentifier $group.SID
# The following object specific ACE is to grant Group permission to change user password on all user objects under OU
$objectguid = new-object Guid
00299570-246d-11d0-a768-00aa006e0529 # is the rightsGuid for the extended right User-Force-Change-Password (“Reset Password”)
class
$inheritedobjectguid = new-object Guid
bf967aba-0de6-11d0-a285-00aa003049e2 # is the schemaIDGuid for the user
$identity = [System.Security.Principal.IdentityReference] $SID
$adRights = [System.DirectoryServices.ActiveDirectoryRights] "ExtendedRight"
$type = [System.Security.AccessControl.AccessControlType]
"Allow"
$inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "Descendents"
$ace = new-object System.DirectoryServices.ActiveDirectoryAccessRule $identity,$adRights,$type,$objectGuid,$inheritanceType,$inheritedobjectguid
$acl.AddAccessRule($ace)
Set-acl -aclobject $acl "ad:OU=xxx,DC=com"
The figure below shows the result of running the script above:
Figure 2.
In addition, if you want to assign other permissions, you can change the GUID values in the script above. The common GUID values are listed as below:
$guidChangePassword
= new-object Guid ab721a53-1e2f-11d0-9819-00aa0040529b
$guidLockoutTime
= new-object Guid 28630ebf-41d5-11d1-a9c1-0000f80367c1
$guidPwdLastSet
= new-object Guid bf967a0a-0de6-11d0-a285-00aa003049e2
$guidComputerObject
= new-object Guid bf967a86-0de6-11d0-a285-00aa003049e2
$guidUserObject
= new-object Guid bf967aba-0de6-11d0-a285-00aa003049e2
$guidLinkGroupPolicy
= new-object Guid f30e3bbe-9ff0-11d1-b603-0000f80367c1
$guidGroupPolicyOptions
= new-object Guid f30e3bbf-9ff0-11d1-b603-0000f80367c1
$guidResetPassword
= new-object Guid 00299570-246d-11d0-a768-00aa006e0529
$guidGroupObject
= new-object Guid BF967A9C-0DE6-11D0-A285-00AA003049E2
$guidContactObject
= new-object Guid 5CB41ED0-0E4C-11D0-A286-00AA003049E2
$guidOUObject
= new-object Guid BF967AA5-0DE6-11D0-A285-00AA003049E2
$guidPrinterObject
= new-object Guid BF967AA8-0DE6-11D0-A285-00AA003049E2
$guidWriteMembers
= new-object Guid bf9679c0-0de6-11d0-a285-00aa003049e2
$guidNull
= new-object Guid 00000000-0000-0000-0000-000000000000
$guidPublicInformation
= new-object Guid e48d0154-bcf8-11d1-8702-00c04fb96050
$guidGeneralInformation
= new-object Guid 59ba2f42-79a2-11d0-9020-00c04fc2d3cf
$guidPersonalInformation = new-object Guid 77B5B886-944A-11d1-AEBD-0000F80367C1
$guidGroupMembership
= new-object Guid bc0ac240-79a9-11d0-9020-00c04fc2d4cf
More information:
Add Object Specific ACEs using Active Directory Powershell
http://blogs.msdn.com/b/adpowershell/archive/2009/10/13/add-object-specific-aces-using-active-directory-powershell.aspx
Please click to vote if the post helps you. This can be beneficial to other community members reading the thread.The ActiveDirectoryAccessRule has more than one constructor, but yes, you've interpreted the one that takes six arguments correctly.
Those GUIDs are different (check just before the first dash). Creating that ACE will create an empty GUID for InheritedObjectType, though, because you're telling it to apply to the Object only ([System.DirectoryServices.ActiveDirectorySecurityInheritance]::None).
Since the ACE will only apply to the object, there's no need to worry about what types of objects will inherit it.
If you've got time, check out
this module. It will let you view the security descriptors in a much friendlier format. Try both version 3.0 and the version 4.0 preview:
Sample version 3.0:
# This is going to be kind of slow, and it will take a few seconds the first time
# you run it because it has to build the list of GUID <--> Property/Class/etc objects
Get-ADGroup GroupY |
Get-AccessControlEntry -ObjectAceType member -InheritedObjectAceType group -ActiveDirectoryRights WriteProperty
# Same as the previous command, except limit it to access granted to GroupX
Get-ADGroup GroupY |
Get-AccessControlEntry -ObjectAceType member -InheritedObjectAceType group -ActiveDirectoryRights WriteProperty -Principal GroupX
Here's version 4.0. It's way faster than 3.0, but it's missing the -ObjectAceType and -InheritedObjectAceType parameters on Get-AccessControlEntry (don't worry, when they come back they'll be better than in 3.0):
Get-ADGroup GroupY |
Get-AccessControlEntry
Get-ADGroup GroupY |
Get-AccessControlEntry -ActiveDirectoryRights WriteProperty
Get-ADGroup GroupY |
Get-AccessControlEntry -ActiveDirectoryRights WriteProperty -Principal GroupX
# You can do a Where-Object filter until the parameters are added back to Get-AccessControlEntry:
Get-ADGroup GroupY |
Get-AccessControlEntry -ActiveDirectoryRights WriteProperty |
where { $_.AccessMask -match "All Prop|member Prop" }
Get-ADGroup GroupY |
Get-AccessControlEntry -ActiveDirectoryRights WriteProperty |
where { $_.ObjectAceType -in ($null, [guid]::Empty, "bf9679c0-0de6-11d0-a285-00aa003049e2") }
Get-ADGroup GroupY |
Get-AccessControlEntry -ActiveDirectoryRights WriteProperty |
where { $_.AccessMask -match "All Prop|member Prop" -and $_.AppliesTo -match "group"}
That's just for viewing. Version 3.0 can add and remove access, or you can use New-AccessControlEntry to replace your call to New-Object, and you can still use Get-Acl and Set-Acl. The benefit to New-AccessControlEntry is that you can do something like this:
New-AccessControlEntry -Principal GroupX -ActiveDirectoryRights WriteProperty -ObjectAceType member -InheritedObjectAceType group #-AppliesTo Object
-
Creating computer Names with small letters and they appear as capitals in Active Directory Domain
Hello,
When I try to create computer objects in Active Directory - namely when i change computer name with small letters, in active directory users and computers they appear as capital letters and in DNS console as well.
I know that it's not a problematic issue and technically all goes fine but, i want to know the reason.
Is it possible to change computer name with small letters while joining in the domain and than in AD it appear with small letters also ?
Thanks in advance,If you are asking about during the client join process, I believe the machines do all caps and you have to accept that as default. I'm guessing it is a legacy issue for older clients that has hung on such as possibly related to WINS.
Paul Bergson
MVP - Directory Services
MCITP: Enterprise Administrator
MCTS, MCT, MCSE, MCSA, Security, BS CSci
2012, 2008, Vista, 2003, 2000 (Early Achiever), NT4
Twitter @pbbergs http://blogs.dirteam.com/blogs/paulbergson
Please no e-mails, any questions should be posted in the NewsGroup.
This posting is provided AS IS with no warranties, and confers no rights.
Maybe you are looking for
-
HT1699 i dont know how to connect my new ipod touch to itunes to set it up
i dont know how to connect my new ipod touch to itunes to set it up
-
How to install SQL SERVER 2008 r2 in window 7 home premimum 64bit
how to install SQL SERVER 2008 r2 in home premimum 64bit os. can any say that weather it will support or not in window 7 home premimum os. my server log file: Final result: SQL Server installation failed. To continue, investigate the
-
Using SQL Server Reporting Services Standard edtion on the Web/App server
I would like some clarification of when is it a supported configuration to use SQL Reporting Services Standard Edtion with BPC 7.0M. If you have a standard Multi-server installation with WEB/APP/RS/IS on one server and SQL/AS on the other server, is
-
Advanced Relationship search capabilities?
Hello, Does anyone know of a way (either standard functionality or not) we can search for accounts based on relationship category, including the BP the relationship is with? The standard account search only allows you to search for accounts that, fo
-
ITunes stops responding when I connect my iPod.
Background info: when I disconnected my iPod awhile ago, all of the music disappeared. I *did* safely remove it. However, while it was disconnecting, I somehow unlocked it (the hold button....do you know what I am talking about?), and then it said