Tree Structure in Active Directory

Hi,
I am trying to come up with a design of some sort of a generic LDAP connector for different LDAP servers. So far I have been just testing against Active Directory and OpenLDAP.
I know there are numerous implementations out there, but the difference in features between these two alone has made the design difficult.
I had a question in regards to the way the data is organized in Active Directory as opposed to OpenLDAP.
In Active Directory you can have an
OU
CN {person}
CN {group}
Now users under different OUs can have access to other OUs, I figure, by belonging to the CN {group} under that OU. But the same user can't exist under two different OUs with the exact same attribute values. Is my understanding right?
Now when I used this OpenLDAP Windows version I could very easily create the same user under two different OUs.
Further on, in Active Directory you have something called the objectGUID to get to the entry even if it is moved around in the tree, because at one point it can exist in only one place. Is this understanding right?
What happens in the case of OpenLDAP? How do we get the unique id?
Please help
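The question above asks how an entry is addressed by a stable identifier in Active Directory versus OpenLDAP. The following Python example is added here and is not part of the thread: it decodes AD's binary objectGUID attribute into the canonical GUID string, builds an RFC 4515 search filter that finds the entry by that GUID wherever it has been moved in the tree, and, as the OpenLDAP counterpart, normalises the string-valued entryUUID operational attribute (entryUUID is a fact about OpenLDAP, not something the thread states). The sample byte string is constructed.

```python
import uuid

# Constructed sample: the 16 raw bytes an LDAP client receives for an AD
# objectGUID. AD stores the first three GUID fields little-endian, which is
# exactly the layout uuid.UUID(bytes_le=...) expects.
SAMPLE_OBJECTGUID = bytes.fromhex("78563412341278561234567812345678")


def objectguid_to_str(raw: bytes) -> str:
    """Render a raw objectGUID value as the canonical GUID string shown by AD tools."""
    if len(raw) != 16:
        raise ValueError("objectGUID must be exactly 16 bytes")
    return str(uuid.UUID(bytes_le=raw))


def str_to_objectguid(guid: str) -> bytes:
    """Inverse of objectguid_to_str: canonical GUID string back to AD's byte layout."""
    return uuid.UUID(guid).bytes_le


def objectguid_filter(guid: str) -> str:
    """RFC 4515 filter locating an entry by objectGUID. Binary values must be
    hex-escaped byte by byte, otherwise the filter is rejected or mismatches."""
    escaped = "".join(f"\\{b:02x}" for b in str_to_objectguid(guid))
    return f"(objectGUID={escaped})"


def entryuuid_filter(entry_uuid: str) -> str:
    """OpenLDAP's stable identifier is the operational attribute entryUUID, a plain
    string; round-tripping through uuid.UUID rejects malformed input before it is
    interpolated into a filter."""
    return f"(entryUUID={uuid.UUID(entry_uuid)})"


if __name__ == "__main__":
    guid = objectguid_to_str(SAMPLE_OBJECTGUID)
    print(guid)
    print(objectguid_filter(guid))
    print(entryuuid_filter(guid))
```

Both filters are the search you issue against the base DN after an entry has been moved: the DN changes, the objectGUID or entryUUID does not, and searching by the identifier rather than by a cached DN is what keeps a connector from binding to the wrong (or a recreated) object.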

tigerkumar wrote:
HI
I am using swing on that JPanel
and
i got the drives of system in my combo box
can u tell me how to show selected drive`s folders in a tree structure
using JTree
how i can show the the directories(folder`s) of a drive into the JTree box
directory to be selected from ComboBox showing drives

What is wrong with you?
Why keep on multi-posting? I gave you a solution and you ignored it.
http://forum.java.sun.com/thread.jspa?threadID=5217925&tstart=0
No one will help you if you keep on doing that.

Similar Messages

  • Tree structure of system directory

    HI
    I am using swing on that JPanel
    and
    i got the drives of system in my combo box
    can u tell me how to show selected drive`s folders in a tree structure
    using JTree
    how i can show the the directories(folder`s) of a drive into the JTree box
    directory to be selected from ComboBox showing drives

    tigerkumar wrote:
    ok
    sorry for that
    i will take care of that
    Please help me in this problem

    I have given you an answer in the swing forum and you keep on
    multi-posting and ignoring the people who help you.
    Read the solution here:
    http://forum.java.sun.com/thread.jspa?threadID=5217925&tstart=0
    I think this is the 4th time you have posted the same problem.
    Next time there will be no help.

  • Structure of our Active Directory

    Hi All,
    We have following active directory structure in our organization. I am not sure, if this is a flat or deep hierarchy.
    We have a domain (forest) xyz.com. We have a group SAP created under OU=Applications,DC=xyz,DC=com. All our users accessing Portal will be members of the group SAP. So our Grouppath is OU=SAP,OU=Applications,DC=xyz,DC=com
    About user accounts, we have our users scattered in the forest xyz.com. For testing purposes, we are taking a few users from account group Dallas. The structure is OU=Dallas-SAP,OU=Dallas-Contractors,OU=Dallas,DC=xyz,DC=com.
    These users will be members of group SAP. Since users can be members of any group (for example the SAP group), I presume they represent a flat hierarchy structure.
    Groups and user accounts are stored in a tree structure as mentioned above, so they represent a deep hierarchy structure.
    So i am confused, what should be our Data source configuration? Is it flat or deep or mixed?
    FYI : An admin user is created in SAP group.
    Any help is highly appreciated.
    Thanks & Regards,
    Gowri

    Ok, correct me if I am wrong with the structure.
    Active Directory Users and Computers  GROUPS
    |_Xyz.com
             |_Applications
                    |_Any Program
                    |_Excel
                    |_SAP
                            |_Group1
                            |_Group2
                            |_Group3
                            |_Group4
                    |_Word
                    |_Data
                    |_Other Stuff
    Active Directory Users and Computers  USERS
    |_Xyz.com
           |_Applications
                      |_Any Program
                      |_Excel
                      |_SAP
                            |_Group1
                            |_Group2
                            |_Group3
                            |_Group4
                      |_Word
            |_Data
            |_Dallas
                      |_Dallas-Contractors
                            |_Dallas-SAP
                                   |_User1
                                   |_User2
                                   |_User3
                      |_Dallas-Sales
                      |_Dallas-Travel
             |_New York
          |_Other Stuff

  • Active directory Schema - Multiple password policies

    Hi All,
    I am new to AD and would need some suggestions to configure AD. I want to set up AD (2008 R2) for three categories of users: individuals, dealers and organisations. Each dealer and each organisation will have further sub-categories based on their location. I want to set up separate password policies for the above three categories using AD. I wanted to create them as separate OUs. So I would have multiple OUs for each dealer per location (e.g. individual, dealer1loc1, dealer1loc2, dealer2loc3 and so on).
    I know the concept of the PSO (Password Settings Object) and that it can only be applied to an OU using shadow groups and a batch file (to copy users from the OU to shadow groups). The issue is that the OUs would keep getting added as per requirement (we would be creating new OUs using C#) and then the management of PSOs or shadow groups or the batch file would be very complicated; not sure if it can be automated.
    Also, I have budget constraints to add new servers for each domain and separate password policies.
    What could be the possible solution to separate password policies and set up this user structure in Active Directory? I am using W2k8 R2.
    Thanks.

    Thanks Mahdi. In this case, the OUs would get created at run time, so the script needs to get updated at run time as well. I guess this will not be easy to automate.
    Also, can you confirm if I can set up separate password policies by creating sub-domains (e.g. example.com will be divided into sales.example.com and admin.example.com, and this would further be divided into melbourne.sales.example.com and sydney.sales.example.com) and I can set separate password policies for sales.example.com and admin.example.com?

    By adding child domains, it is like you are killing a mosquito with a rocket launcher, if you know what I mean. Adding child domains increases the cost and administration and also adds complexity to your environment.
    From a technical perspective it is OK to have child domains, but if I were you I would not add that much complexity to my environment because of a script. I would spend enough time or get help from a skilled script writer to edit the script. Also, I am saying that editing your script into a fully automated script is not impossible; it just needs enough time and skills.
    Mahdi Tehrani
    www.mahditehrani.ir

  • Active Directory Structure Questions

    I recently started working for a company that offers cloud services for our clients where we host our software as a service and we also migrate any other applications the client is using onto the servers that we host for them.
    My concern is that every client we have is in our domain. The structure of our servers is that our domain is the top of the organization and each client has their own DC, and that DC is listed as an organizational unit in our AD. I have never seen anything like it. Most of the clients have their own domains and web sites but we do not migrate that portion of their IT into our cloud. We do however bring everything else over and we offer O365 to many of them.
    Imagine if you will opening ad users and computers and under the root all the OU's are named after clients and actually represent their servers all of which are dc's.
    I was wondering what if any precedent would support this type of configuration? I am just asking.
    Thanks
    Richard Tamboli

    No Special hardware is required for Active Directory
    Active Directory is builtin feature for most of the Windows Servers such as Windows Server 2003, 2008,2008R2,2012.
    It is a feature and part of Windows Server.
    Hope this may answer your questions.
    http://en.wikipedia.org/wiki/Active_Directory

  • Read directory structure into tree structure

    Hi ya,
    I want to be able to write a command line program that either takes a root node(directory root) or just takes the directory root from where the program is run reads in the directory tree into a tree structure. Then I want to analyse the tree.
    I would like to know what are the best ways to do this and what are the most useful classes.
    Thanks a lot for the help,
    Martin

    Here is a quickie du(1) (disk usage) clone that should give some hints. The Getopt class is something I wrote so you won't be able to compile this as such.
    import java.io.File;

    public class Du {
        public static void main(String args[]) {
            boolean sum_mode = false;
            // Getopt is the author's own option-parsing class, not part of the JDK.
            Getopt getopt = new Getopt(args, "sk");
            while (getopt.next()) {
                switch (getopt.option()) {
                  case 's':
                      sum_mode = true;
                      break;
                  case 'k':
                      break;
                  default:
                      System.err.println("du: unknown option \"-" + getopt.optionName() + "\"");
                      System.exit(1);
                }
            }
            if (getopt.parameterCount() == 0) {
                du(new File("."), ".", sum_mode, true);
            } else {
                for (int n = 0; n < getopt.parameterCount(); n++) {
                    String name = getopt.parameter(n);
                    du(new File(name), name, sum_mode, true);
                }
            }
        }

        // Returns the size in bytes of 'file' (recursively for directories).
        // 'path' is the display path of 'file'; children are printed as path + "/" + name.
        // Note: isDirectory() follows symbolic links, so a link cycle would recurse without end.
        private static long du(File file, String path, boolean sum_mode, boolean topmost_file) {
            long bytes = 0;
            if (file.isDirectory()) {
                // listFiles() returns null when the directory cannot be read (e.g. no permission)
                File[] files = file.listFiles();
                if (files != null) {
                    for (File f : files)
                        bytes += du(f, path + "/" + f.getName(), sum_mode, false);
                }
                if (!sum_mode || topmost_file)
                    System.out.println((bytes / 1024) + "\t" + path);
            } else {
                bytes = file.length();
                if (topmost_file)
                    System.out.println((bytes / 1024) + "\t" + path);
            }
            return bytes;
        }
    }
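As an added Python example (not the thread's code, and separate from the Java du clone above), the same idea built as a reusable tree: each directory becomes a node holding its cumulative size, an unreadable directory is recorded instead of aborting the walk, and symbolic links are recorded but never followed, so a link that points back up the tree cannot cause unbounded recursion and a link to a location outside the root cannot pull foreign files into the analysis. make_sample_tree builds a constructed scratch directory to run it against; du_lines reproduces the du-style listing.

```python
import os
import tempfile
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Node:
    name: str
    path: str
    is_dir: bool
    size: int = 0                       # file size, or cumulative size for a directory
    children: List["Node"] = field(default_factory=list)
    error: Optional[str] = None         # set when a directory could not be read


def build_tree(path: str, name: Optional[str] = None) -> Node:
    """Read a directory into a Node tree without following symbolic links."""
    node = Node(name or os.path.basename(path) or path, path,
                os.path.isdir(path) and not os.path.islink(path))
    if not node.is_dir:
        # A symlink counts as zero: its target may lie outside the root, or inside
        # it (which would double-count). lstat never follows the link.
        node.size = 0 if os.path.islink(path) else os.lstat(path).st_size
        return node
    try:
        with os.scandir(path) as it:
            entries = sorted(it, key=lambda e: e.name)
    except OSError as exc:              # PermissionError etc.: keep the node, record the failure
        node.error = str(exc)
        return node
    for entry in entries:
        child = build_tree(entry.path, entry.name)
        node.children.append(child)
        node.size += child.size
    return node


def du_lines(node: Node, sum_mode: bool = False, topmost: bool = True,
             out: Optional[List[Tuple[int, str]]] = None) -> List[Tuple[int, str]]:
    """Produce the same (kilobytes, path) listing as the Java du clone: every
    directory, or only the top-level total in sum_mode."""
    out = [] if out is None else out
    if node.is_dir:
        for child in node.children:
            du_lines(child, sum_mode, False, out)
        if not sum_mode or topmost:
            out.append((node.size // 1024, node.path))
    elif topmost:
        out.append((node.size // 1024, node.path))
    return out


def make_sample_tree() -> str:
    """Constructed scratch tree: 3000 + 1024 bytes of files plus a symlink loop."""
    root = tempfile.mkdtemp(prefix="dutree-")
    os.makedirs(os.path.join(root, "docs", "old"))
    with open(os.path.join(root, "docs", "a.txt"), "wb") as f:
        f.write(b"x" * 3000)
    with open(os.path.join(root, "docs", "old", "b.bin"), "wb") as f:
        f.write(b"y" * 1024)
    try:
        os.symlink(root, os.path.join(root, "docs", "loop"))  # would recurse forever if followed
    except OSError:
        pass                                                  # platform without symlink support
    return root


if __name__ == "__main__":
    for kb, p in du_lines(build_tree(make_sample_tree())):
        print(f"{kb}\t{p}")
```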

  • How to do provisioning in Active Directory multiple lavel OU structure from FIM 2010 R2 with Country basis.

    Hi,
    I want to do provisioning in Active Directory into a multi-level Organizational Unit (OU) structure from FIM 2010 R2 on a country-name basis.
    Suppose I have Asia, Europe, UK and USA region OUs, and they have further OUs, e.g. India, China etc. in the Asia OU. If the country name is India then users should go in the India OU, and if the country name is China then users should go in the China OU. So please give me any idea on this; it would be very helpful for me.
    Regards
    Anil Kumar

    Do you have a Region attribute in your user object? If yes, then you can do something like this:
    "CN="+displayname+
    ",OU="+country+
    ",OU="+region+
    ",DC=mycompany,DC=local"
    If you don't have a region attribute, then you have to write your own IIF statement for every country:
    IIF(Eq(country,"China"),",OU=China,OU=Asia","")
    You can also parse your dn for the synchronization rule in some other place (e.g. a metaverse extension), but if you want to do it codeless, IIFs are the way to go.

  • Adding a user in Active Directory

    Hi fellows,
    I am having a serious problem in creating a new user in Active Directory. I am using LDAP JNDI code. I can delete and update user attributes, but fail to create users.
    ctx.createSubcontext("newuser,full domain", attributes);
    When I specify a new user in "newuser" it gives an InvalidNameException. I don't understand how to create a new entry within the directory structure of the predefined tree. By the way, I can create users with Active Directory Explorer, but the Java application is giving exceptions.
    Any help will be highly appreciated.

    A DistinguishedName is of the form e.g. "cn=username, ou=Users,dc=hostname,dc=com". In other words it contains attribute names and values for each name component. Evidently your DN doesn't do that.
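The two DN problems in the threads above share one root: a DN is a list of type=value components, and a value pasted into it by string concatenation (the "CN="+displayname+",OU="+country+... expression in the FIM provisioning answer) or a bare name with no type ("newuser,full domain" in this thread) is not one. The Python example below is added here and is not part of either thread: escape_rdn_value applies the RFC 4514 escaping a display name such as "Smith, John" needs, user_dn assembles the same DN shape the FIM answer builds, and parse_dn rejects a component that is not type=value, which is the condition JNDI reports as InvalidNameException. COUNTRY_TO_REGION is a constructed placeholder table standing in for the region attribute or the per-country IIF chain.

```python
from typing import List, Optional, Tuple

# Characters that must be backslash-escaped inside a DN attribute value (RFC 4514 2.4)
_SPECIAL = set('\\,+"<>;=')


def escape_rdn_value(value: str) -> str:
    """Escape a raw string so it can be embedded as one attribute value in a DN."""
    out = []
    for i, ch in enumerate(value):
        if ch in _SPECIAL:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif ch == "#" and i == 0:                       # leading '#' introduces hex form
            out.append("\\#")
        elif ch == " " and (i == 0 or i == len(value) - 1):  # leading/trailing space
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def build_dn(*components: Tuple[str, str]) -> str:
    """Join (attributeType, value) pairs, most specific first, into a DN."""
    return ",".join(f"{t}={escape_rdn_value(v)}" for t, v in components)


# Constructed placeholder; a real deployment reads the region from a user
# attribute or derives it per country as the FIM answer above describes.
COUNTRY_TO_REGION = {"India": "Asia", "China": "Asia", "UK": "Europe"}


def user_dn(display_name: str, country: str, region: Optional[str] = None) -> str:
    """Same shape as the concatenated DN in the FIM answer, with escaping applied."""
    region = region or COUNTRY_TO_REGION[country]
    return build_dn(("CN", display_name), ("OU", country), ("OU", region),
                    ("DC", "mycompany"), ("DC", "local"))


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (type, value) pairs, honouring backslash escapes.
    Raises ValueError when a component is not type=value. Multi-valued RDNs
    (a=1+b=2) are not handled here."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            nxt = dn[i + 1]
            if nxt in _SPECIAL or nxt in " #":
                cur.append(nxt)
                i += 2
            else:                                        # \XX hex pair
                cur.append(chr(int(dn[i + 1:i + 3], 16)))
                i += 3
            continue
        if ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur))
    result = []
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError(f"component {rdn!r} is not of the form type=value")
        t, v = rdn.split("=", 1)
        result.append((t.strip(), v))
    return result


def dn_is_valid(dn: str) -> bool:
    try:
        return len(parse_dn(dn)) > 0
    except ValueError:
        return False


if __name__ == "__main__":
    print(user_dn("Smith, John", "China"))
    print(dn_is_valid("newuser,DC=example,DC=com"))      # False: no type= on the first component
```

Without escaping, a display name containing a comma silently becomes an extra RDN, which at best fails the add and at worst creates the object one level up from where the provisioning rule intended; escaping at the point where the value enters the DN is the check to keep.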

  • Active Directory user passwords on mobile account with File Vault

    Hi all,
    I enabled file vault when I moved to my MacBook Pro. I joined the computer to the domain (after enabling file vault), and logged in with my domain account, creating a managed, mobile account so that I could use the computer when not connected to the domain.
    Active Directory has forced a change in my password for the domain account but I cannot get the password on the Mac to change the password and sync with the domain.
    My account (the one with the changed network password) on the Mac is a standard user account. When I open system preferences, go to Security & Preferences, General, click on the lock to unlock and allow change and then click Change Password  ..., I receive the following error message after going through the steps to change the password:
    The password for the account "user" was not changed. There was a problem with your password. It's possible your system administrator doesn't allow you to change your password. Contact your system administrator for help.
    For Old Password, I used the old network password, the one that I use to log into the Mac. For New Password, I used my new, current password.
    The same result happens when I attempt to change the password from the Users & Groups section of the System Preferences.
    I have logged out and logged in with the user account that is identified as the admin and get a similar (same ?) error when attempting to change the password.
    Any suggestions? How do I get the passwords to be one so that I can forget the old password?

    Thanks for your insights.
    The Tech Tool report happened after AppleJack, and never showed up before that. Restarting again just now, it showed up again.
    I had not emptied the trash, but did now, and the 'get info' on my hard drive still shows that I have used nearly all of my 160 GB.
    Re Disk Warrior: I do have it and just ran it. I emptied trash again and checked to see available disk space: I have 2.47 GB, so the problem still exists.
    Here is the disk warrior report for the first part of its tests:
    DiskWarrior has successfully built a new optimized directory for the disk named "Hildegarde." The new directory is
    ready to replace the original directory.
    There is not enough contiguous free space for a fail-safe replacement of the directory. It is highly recommended that
    you create 204 MB of contiguous free space before replacing the original directory.
    All file and folder data was easily located.
    Comparison of the original and replacement directories indicates that there will be changes to the number, the
    contents and/or the attributes of the files and folders. It is recommended that you preview the replacement
    directory and examine the items listed below. All files and folders were compared and a total of 14,627,488
    comparison tests were performed.
    • Errors, if any, in the directory structure such as tree depth, header node, map nodes, node size, node counts, node
    links, indexes and more have been repaired.
    • 1 folder had a directory entry with an incorrect custom icon flag that was repaired.
    Disk Information:
    Files: 552,652
    Folders: 131,014
    Free Space: 2.47 GB
    Format: Mac OS Extended
    Block Size: 4 K
    Disk Sectors: 321,410,736
    Media: HDT722516DLAT80
    Time: 11/28/08 6:54:19 PM
    DiskWarrior Version: 4.1

  • OIM 9.1.0 Integration with Active Directory 2008 R2

    Hi,
    My customer is running Root/Child AD structure based on windows 2003 w/SP2, OIM 9.1.0 deployed under one of the child domains, and integrated with child domains controllers which runs windows server 2003 as well.
    My customer has decided to upgrade his AD to Windows Server 2008 R2 domain controllers across the entire AD Forest and still wants to integrate the current OIM v9.1.0 with AD for all of his Users provisioning and password synchronizations.
    I am not sure if the current OIM version 9.1.0 is compatible and supported under Active Directory version 2008 / R2, and not sure if it can be integrated with such an AD version.
    Any guidance is really appreciated.
    Also I was thinking of such scenario but also not sure of its support ability and if OIM will keep working on such scenario, the scenario is to upgrade only the AD root domain to Windows 2008 R2 while keeping the child domain holding the OIM 9.1.0 at Windows 2003 version.
    Is this a working and supported scenario by OIM v9.1.0 ?

    I believe your question should be whether the connector supports this architecture. Check out the versions supported for the connector you are using and you should be good.
    -Bikash

  • Active Directory, single sign-on and  SRM Users

    We are in the process of installing SRM 7.0. using the Classic Scenario. I am seeking clarification around the creation of users in that system given the following:
    - My Basis colleagues are in the process of implementing single sign-on using Active Directory for our SAP Portal, SAP Business Warehouse and SRM systems.
    - Single sign-on will not  at this point be used for our SAP ECC 6.0 system
    My questions are:
    1. If active directory is being used do we need to create actual users within the SRM system?
    2. If actual users in the SRM system are not required, does this have any impact on the creation of the Organizational structure in SRM from the SAP ECC HR hierarchy?
    Many Thanks

    Hi Claire,
    Single Sign-On works only if the user exists on every system.
    For example:
    If you connect through the portal to access ECC and SRM, your user id must exist in ECC and SRM.
    For Active Directory you can synchronize your user table to AD by using LDAP option.
    The best way is to configure a CUA for ECC and SRM, use the UME of Portal on ECC and synchronize the CUA to Active Directory.
    Finally use the SSO certificate between Portal ECC and SRM.
    Regards,
    Gilles SEBBAG
    Sap Technical Consultant.

  • Cannot login with Active Directory Account

    Hello,
    I am testing SnowLeopard (10.6.1) for deployment in my labs for the Spring 2010 semester. We use local home directories. This is a brand new fresh install of SL, on a freshly formatted Hard Drive.
    When bound to Active Directory I can get any AD account that I've tested (5 different accounts) to authenticate except one, which happens to be my own personal AD account.
    The secure.log shows these entries when I attempt to login:
    Oct 9 14:18:29 mac-0017f20fc40 SecurityAgent[209]: User info context values set for ctarbox
    Oct 9 14:18:29 mac-0017f20fc40 authorizationhost[208]: Failed to authenticate user <ctarbox> (tDirStatus: -14090).
    Considering that I could log in with other accounts, and after resetting my AD password then still not being able to authenticate, I came to the conclusion that I had a corrupt OU in Active Directory.
    I contacted one of our AD admins and had him delete both of my AD accounts: ctarbox and ctarbox1 then recreate both accounts. I still cannot login to AD with my ctarbox account.
    I can still login to my current lab machines anywhere on campus running 10.5.8 with ctarbox.
    I am baffled by this. I have been authenticating to Active Directory since 10.1 and have never seen anything like this.
    Any idea, anyone?
    Cheryl Tarbox
    Macintosh Support Specialist
    Binghamton University

    I have found the solution to my problem. I have accounts in two different domains in our AD tree. I'll call these domains Domain A and Domain B.
    Domain A is the primary domain for authentication to our public computing labs.
    Domain B is a secondary domain for authentication to shared resources for faculty/staff.
    Both accounts have the same user ID, but different passwords. In my Directory Utility>Advanced>Administrative window I have the option "Allow authentication from any domain in the forest' checked.
    With this option checked Directory Utility in 10.6.1 will allow me to authenticate Domain B, but not Domain A.
    With this option checked in Directory Utility in 10.5.8 just the opposite is taking place, I can authenticate to Domain A, but not Domain B.
    It seems that somewhere in the upgrade to 10.6.1 the search policy for Active Directory has changed. My workaround is to uncheck this option and specifically choose Domain A in the search policy.

  • Active Directory Diagnostics not running in PerfMon

    Hello all!
    I am trying to run Active Directory Diagnostics in Performance Monitor to address an lsass issue in which lsass consumes too much CPU. 
    I opened PerfMon from an elevated Command Prompt and expanded the tree: Data Collector Sets -> System -> Active Directory Diagnostics. I right-clicked Active Directory Diagnostics and selected "Start." The diagnostic is supposed to run for 300 seconds and then generate a report. Problem is, nothing happened after that. If I right-click Active Directory Diagnostics again, the "Start" option is greyed out.
    Under Reports -> System -> Active Directory Diagnostics, there are no items to show.
    I consulted the following Microsoft Document:
    http://support.microsoft.com/kb/971714 and found the following file path where the reports should be located: %systemdrive%\Perflogs\ADDS\<date report generation run>\*. But there is no ADDS folder and the Admin folder that is there is empty.
    Has anyone seen this before?  If so, how did you resolve it?
    Thanks.

    Have you tried reload the AD DS perf counters?
    http://technet.microsoft.com/en-us/library/cc961948.aspx
    Enfo Zipper
    Christoffer Andersson – Principal Advisor
    http://blogs.chrisse.se - Directory Services Blog

  • How do I create Local Network Home Folders for Users from an Active Directory binding?

    My situation is this... I run an iMac lab at my school. I have a server set up to manage the network user accounts in the lab. Currently, I can successfully create Local Network Users and log in to them from any of the iMacs. My school has an Active Directory set up for all the students on campus. What I'd like to be able to do is configure the server to allow the students to use their user names and passwords from their school accounts to log in to the iMacs and have it automatically build a network user folder on the server for them to use during the lab.
    So far, I have been able to configure access for the Active Directory accounts to use the services on the server, mainly File Sharing, but I cannot figure out how to allow them to log into a user account on the client machines using their same Active Directory credentials. I have even attempted to allow the user accounts to create mobile accounts, but that's not working out either. Entering individual network user accounts into the server for every student every semester will be a nightmare. I'm sure there's a way to do it automatically using the existing Active Directory structure.
    The live server is running 10.8.5 Server still, but I've also got a clone running OS X Server in case it matters.  Please help!

    OK, reinstalled everything. DNS seems to be working; I have done sudo changeip -checkhostname and it says that both names match, but then I started Open Directory and can't seem to get Kerberos started. I've tried changing it to stand-alone then back again but it does nothing. I'm wondering why this would happen? I've tried adding a Kerberos record but it doesn't do it, it just does nothing, so I don't know what I'm doing wrong. I wondered if it might be a problem with the two network cards and DNS, as on Ethernet 1 it is getting the DNS name xserve.xxxx.ac.uk (which matches what the college server wants to call us) but on Ethernet 2 it gets xserve-2.local because it tells me that it already exists on Ethernet 1 and renames it to this. I need to set up NAT so I have Ethernet coming in on port one and out again on port two. I wonder if my DNS is backwards, as it's got the 192. address the NAT uses but it's linked to the Ethernet port one DNS; maybe this is the problem. Would this cause Open Directory not to start Kerberos?

  • How to add a new schema in active directory by jndi?

    I can add a new objectclass schema and a new attribute into eDirectory from JNDI. But I failed doing the same to Active Directory. I searched all topics in this forum and it seems there is no such answer. So for Active Directory, is the only way to add new schema by using MS MMC + the AD schema snap-in?

    You can update the schema via LDAP. Any tool that uses LDAP, such as Active Directory Services Interface (ADSI), Java/JNDI, LDAP Data Interchange Format (LDIF) can be used. You are not restricted to the Active Directory Schema Management snap-in.
    I strongly recommend that you read the following article http://windowssdk.msdn.microsoft.com/en-us/library/ms677995.aspx as schema extensions are not to be undertaken lightly.
    Also, if you are extending the schema, DO NOT use other organizations' schema OIDs. Imagine how directories would become inoperable because you defined hat size as an integer value with an OID of 1.2.3 and someone else defined Social Security Number as a string with an OID of 1.2.3! You can obtain your own OID branch from either Microsoft (http://msdn.microsoft.com/certification/ad-registration.asp) or from a standards organization such as ANSI.
    I'm kind of hoping that seeing as though you have mentioned that you have extended the schema for e-Directory, that you understand LDAP schemas and that you have your own valid OID. Do not use my shoe size OID !
    The following snippet illustrates how to extend the schema using JNDI.....
    import java.util.Hashtable;
    import javax.naming.Context;
    import javax.naming.directory.*;
    import javax.naming.ldap.*;

    // env is the usual JNDI environment; URL and credentials below are placeholders
    Hashtable<String, String> env = new Hashtable<>();
    env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
    env.put(Context.PROVIDER_URL, "ldap://<schema-master-host>:389");
    env.put(Context.SECURITY_PRINCIPAL, "<DN of a Schema Admins member>");
    env.put(Context.SECURITY_CREDENTIALS, "<password>");

    String attrName = "cn=ms-ShoeSize,cn=Schema,cn=Configuration,dc=antipodes,dc=com";
    LdapContext ctx = new InitialLdapContext(env, null);
    Attributes attr = new BasicAttributes(true);   // true: attribute names compared case-insensitively
    attr.put("cn","ms-ShoeSize");
    attr.put("objectClass","attributeSchema");
    attr.put("ldapDisplayName","msShoeSize");
    attr.put("isSingleValued","TRUE");
    attr.put("attributeID","1.2.840.113556.1.4.7000.141");
    attr.put("attributeSyntax","2.5.5.9");
    Context newattr = ctx.createSubcontext(attrName,attr);
    Having created a new attribute, you could then either add it to an existing class, or create another abstract class, add it to the new abstract class, and add the new abstract class as an auxiliary class to an existing structural class. For example, create a new auxiliary class called "Clothes Sizes", add the attribute "Shoe Size" as a mayContain attribute, and then add "Clothes Sizes" as an auxiliary class to inetOrgPerson.
    Note that you need to wait for the schema cache to refresh before adding attribute or class definitions to one another, and before instantiating new objects with the new classes & attribute definitions. You can either wait for the schema cache to refresh itself, or you can force a refresh by writing the value 1 to the attribute "schemaUpdateNow" on the RootDSE.
    As I mentioned at the start of this response, I personally prefer to use LDIF, simply because it enables end-users/customers to review the schema extensions and understand their potential impact before applying them. A sample that accomplishes the above would look something like:
    dn: CN=ms-ShoeSize,CN=Schema,CN=Configuration,DC=Antipodes,dc=com
    changetype: add
    objectClass: attributeSchema
    cn: ms-ShoeSize
    ldapDisplayName: msShoeSize
    attributeID: 1.2.840.113556.1.4.7000.141
    attributeSyntax: 2.5.5.9
    isSingleValued: TRUE
    dn:
    changetype: modify
    replace: schemaupdatenow
    schemaupdatenow: 1
    dn: CN=inetOrgPerson,CN=Schema,CN=Configuration,DC=Antipodes,dc=com
    changetype: modify
    add: mayContain
    mayContain: mSShoeSize
    dn:
    changetype: modify
    replace: schemaupdatenow
    schemaupdatenow: 1
    -
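The answer above makes two points a reviewer of a schema LDIF needs to verify before it is applied: the new attributeID must lie in your own registered OID arc, and the LDIF must be reviewable as a whole (including the class that later references the attribute). The Python example below is added here and is not the answer's code: a minimal LDIF reader plus a checker that flags attributeIDs outside a given arc, attributeSyntax values that are not one of AD's 2.5.5.1 to 2.5.5.17 syntax OIDs, a missing ldapDisplayName or malformed isSingleValued, and mayContain/mustContain references to an attribute the same LDIF never defined. SAMPLE_LDIF is constructed from the answer's sample; OWN_OID_ARC is a placeholder taken from the prefix of the sample's own attributeID and must be replaced with your registered arc.

```python
from typing import Dict, List

# Constructed LDIF mirroring the schema-extension sample in the answer above.
SAMPLE_LDIF = """\
dn: CN=ms-ShoeSize,CN=Schema,CN=Configuration,DC=Antipodes,dc=com
changetype: add
objectClass: attributeSchema
cn: ms-ShoeSize
ldapDisplayName: msShoeSize
attributeID: 1.2.840.113556.1.4.7000.141
attributeSyntax: 2.5.5.9
isSingleValued: TRUE

dn:
changetype: modify
replace: schemaupdatenow
schemaupdatenow: 1
-

dn: CN=inetOrgPerson,CN=Schema,CN=Configuration,DC=Antipodes,dc=com
changetype: modify
add: mayContain
mayContain: mSShoeSize
-
"""

# Placeholder: simply the prefix of the sample's attributeID. Replace with the
# OID branch registered to your organization.
OWN_OID_ARC = "1.2.840.113556.1.4.7000"

# Attribute syntax OIDs Active Directory accepts (2.5.5.1 .. 2.5.5.17)
AD_SYNTAXES = {f"2.5.5.{n}" for n in range(1, 18)}


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: blank lines separate records, '-' separates modify
    operations, a leading space continues the previous value. Keys are
    lower-cased because LDAP attribute names are case-insensitive."""
    records: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    last_key = None
    for line in text.splitlines() + [""]:
        if line == "":
            if current:
                records.append(current)
            current, last_key = {}, None
        elif line == "-" or line.startswith("#"):
            continue
        elif line.startswith(" ") and last_key:
            current[last_key][-1] += line[1:]
        else:
            key, _, value = line.partition(":")
            last_key = key.strip().lower()
            current.setdefault(last_key, []).append(value.strip())
    return records


def check_schema_ldif(text: str, own_arc: str = OWN_OID_ARC) -> List[str]:
    """Return a list of findings; an empty list means the LDIF passed the checks."""
    findings: List[str] = []
    defined = set()                      # ldapDisplayNames this LDIF introduces
    for rec in parse_ldif(text):
        dn = rec.get("dn", [""])[0] or "<RootDSE>"
        ctype = rec.get("changetype", [""])[0].lower()
        classes = [c.lower() for c in rec.get("objectclass", [])]
        if ctype == "add" and "attributeschema" in classes:
            oid = rec.get("attributeid", [""])[0]
            if not oid.startswith(own_arc + "."):
                findings.append(f"{dn}: attributeID {oid} is outside your arc {own_arc}")
            syntax = rec.get("attributesyntax", [""])[0]
            if syntax not in AD_SYNTAXES:
                findings.append(f"{dn}: attributeSyntax {syntax} is not an AD syntax OID")
            if rec.get("issinglevalued", [""])[0].upper() not in ("TRUE", "FALSE"):
                findings.append(f"{dn}: isSingleValued must be TRUE or FALSE")
            name = rec.get("ldapdisplayname", [""])[0]
            if name:
                defined.add(name.lower())
            else:
                findings.append(f"{dn}: ldapDisplayName is missing")
        elif ctype == "modify":
            for ref in rec.get("maycontain", []) + rec.get("mustcontain", []):
                if ref.lower() not in defined:
                    findings.append(f"{dn}: refers to {ref}, which is not defined earlier in this LDIF")
    return findings


if __name__ == "__main__":
    for finding in check_schema_ldif(SAMPLE_LDIF) or ["no findings"]:
        print(finding)
```

The arc check is the one that matters most: a schema change is forest-wide and effectively permanent, so an attributeID collision with someone else's OID is exactly the "hat size versus Social Security Number" failure the answer warns about, and it is far cheaper to catch in review than after the schema master has applied it.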
