Active Directory Attributes
Can the universe designer read in Active Directory attributes? I'm trying to apply row-level security to allow members of one group (by department ID, which is stored in an attribute in AD) permission to only view their department's information. Any help would be greatly appreciated. Thank you.
Chris
Hi Chris,
You need to have configured AD authentication in the CMC. You can then import the AD group(s) with its users and use the group(s) in the Designer to apply row level restictions.
Hope this helps
Jacques
Similar Messages
-
Hey Scripting Guys,
I have been in and out of Powershell last few years, not that great at it tbh !!! I'm looking for advice on how I can as in Title, Create a Powershell script to Scan Active Directory Attributes for Country and Department ,Then add to Group then add to Distribution
list based on Region/Country
I was thinking along the lines of get-aduser -LDAPFilter "(department=SALES France) and adding a where clause for country.
Any help would be great.
DecSo I have tried a few variations but get errors on both
get-aduser -LDAPFilter "(&(department=SALES)(c=us))" | Add-ADPrincipalGroupMembership -MemberOf "testgroup"
get-aduser -LDAPFilter "(&(department=SALES)(c=fr))" | Add-ADGroupMember -identity "testgroup"
Add-ADPrincipalGroupMembership : Object reference not set to an instance of an
object.
At line:1 char:86
+ get-aduser -LDAPFilter "(&(department=SALES)(c=fr))" | Add-ADPrincipalGroupMe
mbership <<<< -MemberOf "testgroup"
+ CategoryInfo : NotSpecified: (:) [Add-ADPrincipalGroupMembershi
p], NullReferenceException
+ FullyQualifiedErrorId : Object reference not set to an instance of an ob
ject.,Microsoft.ActiveDirectory.Management.Commands.AddADPrincipalGroupMem
bership -
Making LDAP calls to update Active directory attributes
Hi,
I see a lot of postings about authenticating using LDAP, Ibut I am trying to make LDAP calls to update Active directory attributes
How can I do this from my BPEL process ? My input xml file will have a list of users whose attributes need to be updated.
I need to query by making LDAP calls and update as needed.
I am a novice to a step by step guidance will be very helpful.
Thanks much!This is really an AD question. Basically the easist way is to expose a web service to do this then BPEL calls that web service. I think later versions of AD do this out of the box.
Otherwise there are many examples on Google using differnt technology.
cheers
James -
Word 2013 and Active Directory attribut
Hi,
I'm working with WS2008R2 SP1 AD and Office standard 2013 and W7 SP1 x64. Our compagny wants to create .dotm/.dotx with automatic fields.
For example, we want that when a user opens a .dotx his name appears automatically. This one is easy it's the {AUTHOR \*MERGEFORMAT}.
But What we want to do is to do the same for the:
- street adress
- email adress
- the job title
All informations are in our Active Directory, but it seems that Word does not read directly the Active Directory info but some cached info on the computer.
So, is there a way or workaround to create some .dotx with the possibility to extrat some AD fields attribut attached with some user and at the end to build a semi automatic doc with the information of the user who has open this .dotx/.dotm?
So far, clues say that I have to write some vba script and 2 kind of solution/workaround:
The first lead is:
To retrieve the user account properties from Active Directory, we have to turn to some VBA scripts, no way to achieve this via any built-in features.
As far as I know, you can bind to the user account object by using the
GetObject function and the LDAP provider.
Then use the GetInfo method to initialize the local cache with attributes of the user account object. This step will ensure that the most up-to-date attribute values of the ADSI object are retrieved.
For example:
Set objUser = GetObject _
("LDAP://...")
objUser.GetInfo
If you want to get this attributes when you create a new document based on a template (.dotx/.dotm), you'll need to use the
AutoNew macro.
the second lead is:
http://heureuxoli.developpez.com/office/word/creermodele/#L2-G
Thank you in advance for any king od answer.
best regardsHello,
Have you tried these two methods? What is the result and what is your decision?
If you're familiar with Visual Studio IDE and .Net Framework, I would recommend that you create a application-level or document-level Add-In for word. Because it's easy to access the AD with managed code, and it's suitable in your case. You can check the
MSDN document here for the related objects you need to use in .Net Framework to access AD:
https://msdn.microsoft.com/en-us/library/gg145037(v=vs.110).aspx
But if you just want to use VBA for Word, this kb article tells you how to do this via ADO connection:
https://support.microsoft.com/kb/187529/en-us?wa=wsignin1.0
If you want to know something about Active Directory itself, then it's not the correct forum, you can open up new thread in the AD forums for help.
Thanks for your understanding.
We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place.
Click
HERE to participate the survey. -
Windows 2003 Active Directory Attribute Editor Tab
My Active Directory does not have an Attribute Editor Tab....how do I add it?
My Active Directory does not have an Attribute Editor Tab....how do I add it?
Bradheld is correct, attribute editor tab was introduced in windows 2008. To view the attribute editor tab from vista/windows 2008 & above for 2000/2003 forest, refer below article.
http://social.technet.microsoft.com/Forums/windowsserver/en-US/6e6ef6bd-b5c9-4f16-b346-097832e3b93c/rsat-and-the-missing-attribute-editor-tab-solution?forum=winserverManagement
Awinish Vishwakarma - MVP
My Blog: awinish.wordpress.com
Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights. -
Portal Active directory attributes mapping
Hi All.
I am trying to map additional fields from the Active Directory to fields located within the Portal User Administration area.
I added the new fields within the XML file dataSourceConfiguration_ads_readonly_db.xml, and then uploaded this file using the config tool.I then configured SAP Portal to use the newly uploaded XML file. I then restarted the SAP Server.
Here is how I added new fields Zip and City to the XML file:
<?xml version="1.0" encoding="UTF-8"?>
<!-- $Id: //shared_tc/com.sapall.security/630_SP_COR/src/_deploy/dist/configuration/shared/dataSourceConfiguration_ads_readonly_db.xml#6 $ from $DateTime: 2004/08/20 09:55:24 $ ($Change: 17140 $) -->
<dataSources>
<dataSource id="PRIVATE_DATASOURCE"
className="com.sap.security.core.persistence.datasource.imp.DataBasePersistence"
isReadonly="false"
isPrimary="true">
<homeFor>
<principals>
<principal type="group"/>
<principal type="user"/>
<principal type="account"/>
<principal type="team"/>
<principal type="ROOT" />
<principal type="OOOO" />
</principals>
</homeFor>
<notHomeFor/>
<responsibleFor>
<principals>
<principal type="group"/>
<principal type="user"/>
<principal type="account"/>
<principal type="team"/>
<principal type="ROOT" />
<principal type="OOOO" />
</principals>
</responsibleFor>
<privateSection>
</privateSection>
</dataSource>
<dataSource id="CORP_LDAP"
className="com.sap.security.core.persistence.datasource.imp.LDAPPersistence"
isReadonly="true"
isPrimary="true">
<homeFor/>
<responsibleFor>
<principal type="account">
<nameSpace name="com.sap.security.core.usermanagement">
<attribute name="j_user"/>
<attribute name="logonalias"/>
<attribute name="j_password"/>
<attribute name="userid"/>
</nameSpace>
<nameSpace name="com.sap.security.core.authentication">
<attribute name="principal"/>
<attribute name="realm"/>
<attribute name="domain"/>
</nameSpace>
</principal>
<principal type="user">
<nameSpace name="com.sap.security.core.usermanagement">
<attribute name="firstname" populateInitially="true"/>
<attribute name="displayname" populateInitially="true"/>
<attribute name="lastname" populateInitially="true"/>
<attribute name="fax"/>
<attribute name="email"/>
<attribute name="title"/>
<attribute name="department"/>
<attribute name="description"/>
<attribute name="mobile"/>
<attribute name="telephone"/>
<attribute name="streetaddress"/>
<attribute name="uniquename" populateInitially="true"/>
<attribute name="Zip"/>
<attribute name="City"/>
</nameSpace>
<nameSpace name="com.sap.security.core.usermanagement.relation">
<attribute name="PRINCIPAL_RELATION_PARENT_ATTRIBUTE"/>
</nameSpace>
<nameSpace name="$usermapping$">
<attribute name="REFERENCE_SYSTEM_USER"/>
</nameSpace>
</principal>
<principal type="group">
<nameSpace name="com.sap.security.core.usermanagement">
<attribute name="displayname" populateInitially="true"/>
<attribute name="description" populateInitially="true"/>
<attribute name="uniquename"/>
</nameSpace>
<nameSpace name="com.sap.security.core.usermanagement.relation">
<attribute name="PRINCIPAL_RELATION_MEMBER_ATTRIBUTE"/>
<attribute name="PRINCIPAL_RELATION_PARENT_ATTRIBUTE"/>
</nameSpace>
<nameSpace name="com.sap.security.core.bridge">
<attribute name="dn"/>
</nameSpace>
</principal>
</responsibleFor>
<attributeMapping>
<principal type="account">
<nameSpace name="com.sap.security.core.usermanagement">
<attribute name="j_user">
<physicalAttribute name="samaccountname"/>
</attribute>
<attribute name="logonalias">
<physicalAttribute name="samaccountname"/>
</attribute>
<attribute name="j_password">
<physicalAttribute name="unicodepwd"/>
</attribute>
<attribute name="userid">
<physicalAttribute name="*null*"/>
</attribute>
</nameSpace>
<nameSpace name="com.sap.security.core.authentication">
<attribute name="principal">
<physicalAttribute name="samaccountname"/>
</attribute>
<attribute name="realm">
<physicalAttribute name="*null*"/>
</attribute>
<attribute name="domain">
<physicalAttribute name="*null*"/>
</attribute>
</nameSpace>
</principal>
<principal type="user">
<nameSpace name="com.sap.security.core.usermanagement">
<attribute name="firstname">
<physicalAttribute name="givenname"/>
</attribute>
<attribute name="displayname">
<physicalAttribute name="displayname"/>
</attribute>
<attribute name="lastname">
<physicalAttribute name="sn"/>
</attribute>
<attribute name="fax">
<physicalAttribute name="facsimiletelephonenumber"/>
</attribute>
<attribute name="uniquename">
<physicalAttribute name="samaccountname"/>
</attribute>
<attribute name="loginid">
<physicalAttribute name="*null*"/>
</attribute>
<attribute name="email">
<physicalAttribute name="mail"/>
</attribute>
<attribute name="mobile">
<physicalAttribute name="mobile"/>
</attribute>
<attribute name="telephone">
<physicalAttribute name="telephonenumber"/>
</attribute>
<attribute name="department">
<physicalAttribute name="ou"/>
</attribute>
<attribute name="description">
<physicalAttribute name="description"/>
</attribute>
<attribute name="streetaddress">
<physicalAttribute name="postalAddress"/>
</attribute>
<attribute name="pobox">
<physicalAttribute name="postofficebox"/>
</attribute>
<attribute name="Zip">
<physicalAttribute name="postalCode"/>
</attribute>
<attribute name="City">
<physicalAttribute name="l"/>
</nameSpace>
<nameSpace name="com.sap.security.core.usermanagement.relation">
<attribute name="PRINCIPAL_RELATION_PARENT_ATTRIBUTE">
<physicalAttribute name="memberof"/>
</attribute>
</nameSpace>
<nameSpace name="$usermapping$">
<attribute name="REFERENCE_SYSTEM_USER">
<physicalAttribute name="sapusername"/>
</attribute>
</nameSpace>
</principal>
<principal type="group">
<nameSpace name="com.sap.security.core.usermanagement">
<attribute name="displayname">
<physicalAttribute name="displayname"/>
</attribute>
<attribute name="description">
<physicalAttribute name="description"/>
</attribute>
<attribute name="uniquename" populateInitially="true">
<physicalAttribute name="cn"/>
</attribute>
</nameSpace>
<nameSpace name="com.sap.security.core.usermanagement.relation">
<attribute name="PRINCIPAL_RELATION_MEMBER_ATTRIBUTE">
<physicalAttribute name="member"/>
</attribute>
<attribute name="PRINCIPAL_RELATION_PARENT_ATTRIBUTE">
<physicalAttribute name="memberof"/>
</attribute>
</nameSpace>
<nameSpace name="com.sap.security.core.bridge">
<attribute name="dn">
<physicalAttribute name="*null*"/>
</attribute>
</nameSpace>
</principal>
</attributeMapping>
<privateSection>
<ume.ldap.access.server_type>MSADS</ume.ldap.access.server_type>
<ume.ldap.access.context_factory>com.sun.jndi.ldap.LdapCtxFactory</ume.ldap.access.context_factory>
<ume.ldap.access.authentication>simple</ume.ldap.access.authentication>
<ume.ldap.access.flat_group_hierachy>true</ume.ldap.access.flat_group_hierachy>
<ume.ldap.access.user_as_account>true</ume.ldap.access.user_as_account>
<ume.ldap.access.dynamic_groups>false</ume.ldap.access.dynamic_groups>
<ume.ldap.access.ssl_socket_factory>com.sap.security.core.server.https.SecureConnectionFactory</ume.ldap.access.ssl_socket_factory>
<ume.ldap.access.objectclass.user>User</ume.ldap.access.objectclass.user>
<ume.ldap.access.objectclass.uacc>User</ume.ldap.access.objectclass.uacc>
<ume.ldap.access.objectclass.grup>Group</ume.ldap.access.objectclass.grup>
<ume.ldap.access.naming_attribute.user>cn</ume.ldap.access.naming_attribute.user>
<ume.ldap.access.auxiliary_naming_attribute.user>samaccountname</ume.ldap.access.auxiliary_naming_attribute.user>
<ume.ldap.access.naming_attribute.uacc>cn</ume.ldap.access.naming_attribute.uacc>
<ume.ldap.access.auxiliary_naming_attribute.uacc>samaccountname</ume.ldap.access.auxiliary_naming_attribute.uacc>
<ume.ldap.access.naming_attribute.grup>cn</ume.ldap.access.naming_attribute.grup>
</privateSection>
</dataSource>
</dataSources>
I am not able to see the values for Zip and City inside the User Administration section of the Portal.
Please advise,
Thanks in advanceHi,
Apart from doing the XML file configuration, you would need to add the custom attributes to the UME.
Kindly read the following link for the same:
http://help.sap.com/saphelp_nw70/helpdata/EN/44/0316d50bbe025ce10000000a1553f7/frameset.htm
Thanks,
GLM -
Modify Active Directory attributes
I have a strange query here -
I am working with a small base of active directory users. Their account properties in active directory has all the information like phone, email, webpage etc. Only recently all of the users migrated to Gmail which means that their username remains same for
ex. firstname.lastname but their email part changed to Gmail.com.
So earlier it was [email protected] & now it
[email protected]
Is there a way I can change just the domain part of their email through Powershell? In otherwords, can I change AD attribute, in this case email without going through them manually.
Thanks in advance.Assuming you need to modify the mail attribute, this PowerShell V1 script should work. However, I have not tested this:
$Searcher
= New-Object System.DirectoryServices.DirectorySearcher
$Searcher.SearchRoot
= "LDAP://dc=MyDomain,dc=com"
$Searcher.PageSize
= 200
$Searcher.SearchScope
= "subtree"
# Retrieve all objects with an email address using @xyz.com.
$Searcher.Filter =
"(mail=*xyz.com)"
$Searcher.PropertiesToLoad.Add("distinguishedName") >
$Null
$Searcher.PropertiesToLoad.Add("mail") >
$Null
$Results =
$Searcher.FindAll()
ForEach ($Result
In $Results)
$DN
= $Result.Properties.Item("distinguishedName")[0]
$Email
= $Result.Properties.Item("mail")[0]
# Modify email address.
$Email
= $Email.Replace("@xyz.com",
"gmail.com")
# Bind to the user object.
$User
= [ADSI]"LDAP://$DN"
# Assign new value.
$User.mail
= $Email.ToString()
$User.SetInfo()
Richard Mueller - MVP Directory Services
Richard,
I need a script which is almost identical to this in Powershell V2 format... are you able to help? -
Handling Active Directory attributes and negativeFilter like !memberof
Hello,
I connected the portal-UME with an active directory. Because of two different pathes I configured two ADs.
The point I don't get is how AD works and how it is used normally.
How can I add an attribute to the user like "active employee"? Is it only possible to use the predefined attributnames or can I choose an own?
Is it possible configure the negativeUser-Filter in a way that I can say that I just want those users that are in group X?
like !memberof?
Thx, VanessaHello SG,
sorry, I don't get the point. I would like to maintain my users and groups via LDAP. When I have to maintain the blocked users in the UME-configuration too, this is to much work and there can be too much mistakes.
I would like to have a AD-group with my portalusers and everybody that is not in this group should be blocked (/not transfered).
Can I do this with the blocked users?
Thx, Vanessa -
Find Active Directory Attributes that are Not Set
I'm trying to generate a report that lists all accounts where the thumbnailPhoto attribute in Active Directory is not set. I've tried using WHERE thumbnailPhoto < 0, WHERE IsNULL({thumbnailPhoto}) and several others with no success. Can anyone point me in the right direction?
Hi,
1) What version of Crystal Reports are you using?
2) Are you using a SQL Query to report against the Active Directory?
3) What is the datatype of the 'thumbnailPhoto' field?
-Abhilash -
IDM / Active Directory : Attributes not geting updated
I am trying to update attributes in my Active Directory Resource, via IDM. But, they are not getting updated.
Before we installed the IDM system in our organization, the Active Directory's "*Department*" field contained previous (old) information.
Now, we want to use IDM to update this information for ALL our employees.
I used the "*Default*" syntax in the IDM User Form, as follows :
*<Field name = 'global.department'>*
*<Display class='Text'>*
*<Property name='Title' value='Department'/>*
*</Display>*
*<Default>*
*<s>Sales Department</s>*
*</Default>*
*</Field>*
Next, I mapped this attribute to the Active Directory "*Department*" field.
However, the new value "*Sales Department*" is not being sent to Active Directory. The old values still remain.
When I tried to do the update directly in AD...........I simply DELETED the old value. And then, I went to IDM to update the employee's account (thereby, I tried to PUSH the new value into AD). But, it did not work. Instead, IDM displayed the following info :
Old value : "empty space"
New value : "old data"
The new data........"*Sales Department*"..........was not being sent to AD.
Next, I simply repeated the update process in AD. But this time, I erased the old data, and wrote "*Sales Department*". Then it worked. AD accepted the new data, and also sent it BACK to idm.
I found this very strange
*(a) why does AD not get updated with the new value from IDM?*
*(b) why does AD reject the new value if the field itself (in AD) is left blank?*
*(c) how can I UPDATE all the employees in Active directory with the new DEFAULT data : "Sales Department"*MichaelSt wrote:
I want IDM to update AD (meaning, the data-flow is from IDM to AD), not the other way round.
Using "*accounts[AD].department*" means that IDM will take its data FROM active directory. I want AD to take info FROM idmSorry but that's incorrect. The global namespace simply maps an attribute to the equivalent accounts[...].attribute name. So global.department would translate to accounts[AD].department and accounts[LDAP].department and accounts[Some Resource].department. (Incidentally, global.department would get set by the first resource IDM reads with a department attribute so it is very possible to read the attribute from AD. AD may simply not be the first one that IDM comes across.)
Setting the individual resource value, as redindian suggested, is a perfectly valid way of pushing attributes to the resource. (Assuming of course you have the attribute marked as writable in the resource configuration.) So technically if you so desired, you could set different values for accounts[LDAP].department and accounts[AD].department and accounts[Some Resource].department which you cannot do if you use the global namespace.
I do this all the time for some of my attributes. For example, some of my resources (usually the really old legacy ones) require an upper case email address while others require lower case addresses. I set different values for accounts[Legacy Resource].email and accounts[Newer Resource].email when I want to push the attribute down to the resource. I also avoid the global namespace like the plague. I've had so many problems with it mapping data incorrectly that it's just easier to set the individual attributes directly.
The attributes set in the accounts[Resource] namespace is a perfectly valid way to both reference attributes on a resource as well as set them.
As has been suggested, don't use a default but rather use an expansion. -
Looking for list of standard Active Directory attributes
Hey all,
where can I find a standard list of active dir attributes? I'm not too familiar with AD, so I'd like to know my standard options which I can query.
I'm going to read all the adler_steven posts, so that should get me a little more aquatinted with JNDI, but I'll be back to ask some more questions!
Thanks,
ryanThanks all.
I got all the info I need.
A main point to keep in mind is that connecting & searching through a OpenLDAP server is much different than connecting to an AD server.
I couldn't find much info on the major differences, so it was tough for me to figure.
A good adsi browser helps more than the typical LDAP browsers that are available. Also, make sure you know of the out-of-the-box settings for AD win 2003 server.
thanks again all!
ryan. -
Need to Pass Active Directory Attributes into OBIEE for use in Report Query
Hi,
We're using OBIEE 11.1.1.5 and have integrated it with AD security. Users successfully log into OBIEE and BIP (which is integrated with OBIEE) using their network/AD accounts.
Next step for us is to be able to pass some AD attributes that are on the user accounts into OBIEE and BIP so we can restrict data queries for the person logged in.
I've searched the web and so far have only come up with specific steps for setting this up in BIP. Since BIP is integrated with OBIEE, we have not set any of the MSAD/LDAP security up there - it is all in OBIEE. I have been unable to find the equivalent for adding the attribute names for data query bind variables.
With our current setup, we are unable to filter the report data automatically based on who has logged into the application (analytics and BIP). We have security setup within the catalog so only certain AD groups can access objects, but beyond that we need to be able to secure the data using AD attribute information. For example, all of our users should be able to access an Open Purchase Order report, but they should only be able to see their own purchase orders - not everyone in the company.
Anyway, we're looking to be able to pass AD attributes into OBIEE so that we can use this data in our Analytics and BIP queries.
How can we get this setup?
Thank you in advance!
SuzanneA fairly common problem, see:
http://www.williamrobertson.net/documents/comma-separated.html
http://www.oracle-base.com/articles/misc/DynamicInLists.php
http://tkyte.blogspot.com/2006/06/varying-in-lists.html -
Setting the logonHours attribute for a user in Active Directory
Hi Anyone,
I'm a brasilian guy and I need your help. How can I set the logonHours attribute on my Active Directory?
I have this code but it doesn't works good:
public void setLogonHours(boolean[] logonHoursBits){
int i;
int j;
int k;
int index21 = 0;
int index24 = 0;
byte[] byteLogonHour = new byte[21];
byte byte8Hours = 0;
for(i=0; i <= 6; i++){
for(j=1; j <= 3; j++){
for(k=7; k >= 0; k--){
if (i < 6){
if (logonHoursBits[i] == (boolean)(index24 == 0) ? true : false){
byte8Hours += (byte)Math.pow(2,k);
else{
if (logonHoursBits[0] == (boolean)(index24 == 0) ? true : false){
byte8Hours += (byte)Math.pow(2,k);
index24++;
byteLogonHour[index21] = byte8Hours;
index21++;
index24 = 0;
try{
String nome = "CN=Dryelle,OU=Pesquisa,DC=cifya,DC=com,DC=br";
ctx = new InitialLdapContext(env,null);
ModificationItem logonHours[] = new ModificationItem[1];
logonHours[0]= new ModificationItem(DirContext.REPLACE_ATTRIBUTE, new BasicAttribute("logonHours",byteLogonHour));
ctx.modifyAttributes(name,logonHours);
System.out.println("Atributo logonHours alterado com sucesso.");
catch (NamingException e) {
System.err.println("Problema na altera??o " + e);
}the code set the attribute but wrong. Can anyone help-me? It's making me crazy.
Sorry about my poor english.
Tks.
Edited by: th_slopes on Aug 15, 2008 5:50 PMDirContext ctx = new InitialDirContext(pr);
BasicAttributes entry = new BasicAttributes(true);
String entryDN = "cn=CharbelHad,ou=test users,dc=test,dc=dev";
Attribute cn = new BasicAttribute("cn", "ChHad");
Attribute street = (new BasicAttribute("streetAddress", "Ach"));
Attribute loginPreW2k = (new BasicAttribute("sAMAccountName", "[email protected]"));
Attribute login = (new BasicAttribute("userPrincipalName", "[email protected]"));
Attribute sn = (new BasicAttribute("sn", "Chl"));
Attribute pwd = new BasicAttribute("unicodePwd", "\"Ch@341\"".getBytes("UTF-8"));
Attribute userAccountControl = new BasicAttribute("userAccountControl", "512");
Attribute oc = new BasicAttribute("objectClass");
oc.add("top");
oc.add("person");
oc.add("organizationalPerson");
oc.add("user");
// build the entry
entry.put(cn);
entry.put(street);
entry.put(sn);
entry.put(userAccountControl);
entry.put(pwd);
entry.put(login);
entry.put(loginPreW2k);
entry.put(oc);
ctx.createSubcontext(entryDN, entry); -
Report on Active Directory User Attributes in SCCM 2012
I need to output a list of all users in a collection, along with certain user attributes from Active Directory. I can get part of what I need with the following query:
SELECT v_FullCollectionMembership.ResourceID,
v_R_User.Windows_NT_Domain0,
v_R_User.Distinguished_Name0,
v_R_User.Full_User_Name0,
v_R_User.Mail0,
v_R_User.User_Name0
FROM v_FullCollectionMembership, v_R_User
WHERE v_FullCollectionMembership.ResourceID = v_R_User.ResourceID
AND v_FullCollectionMembership.CollectionID = 'SMS00002'
If possible I need to add:
Last logon timestamp
User account status (enabled or disabled)
I have added "lastLogon" and "lastLogonTimestamp" as additional attributesunder Active Directory User Discovery. This discovery method is enabled and I have run a full discovery about a month ago, and again today. I read in
another thread that these attributes should appear in the table v_R_User, however they have not. Is v_R_User the right place to look for this or is there another view or table I can query?
Once I have the above sorted out, how can I find the user account status in SCCM? I have done reports in the past directly from AD and used the 'useraccountcontrol' attribute and I noticed there is a column named 'User_Account_Control0' in v_R_User, however
the values do not match those found in Active Directory.
Thanks.Have you checked the attribute from the Active Directory in decimal format? Check that and compare it to the value ConfigMgr has stored in its 'User_Account_Control0'...
User Account Control tells you multiple things of the account, for example does the account have "Smart card login required" -option checked from the account properties.
The tricky part here is to actually get the report show you what you really want, because "useraccountcontrol" -attribute is a numeric value, you have to calculate what decimal combination means what in readable text.
More info on the attribute can be found from here
http://support.microsoft.com/kb/305144 and from there you can also find the values for different settings. For example:
account is enabled = 512
account is disabled = 514
account is enabled with smart card = 262656 -
SCCM report to show last logged on user and the Active Directory department attribute of that user.
I need to create an SCCM report to show last logged on user on all machines and the Active Directory department attribute of that last logged on user.
You problem is here.
right
join v_R_User USR on USR.ResourceID
= CS.ResourceID
USR.ResourceID != CS.ResourceID, you need to map the username to the user logon to the PC. By using the user’s department information you will
end up with unreliable results.
Anyways you need to make these changes to your query.
left
join v_R_User USR on USR.Unique_User_Name0
= CS.UserName0
http://www.enhansoft.com/
Maybe you are looking for
-
I created a IEAK11 deployment package with all our corporate settings. It creates an exe and an msi. Exe works fine, msi does nothing. It runs, it completes (according to verbose log), but it doesn't modify the system in any way. After restart IE11 i
-
whenever i videochat with someone (even with a mac) the quality *****. Like crazy. Can I raise the quality of the webcam?
-
Adobe photoshop album starter edition
Can anyone help me in regards to the Adobe phots album. I have downloaded picture to this photoshop and it will not let me save any of my pictures to "My Pictures" can someone advise me on what to do?
-
I've followed the instructions to add the latest Camera RAW files but still cannot get PSE6 Organizer to recognize the RAW files from my Canon 50D. The editor has no problem recognizing them and allowing edits to take place. Anyone have additional id
-
Why is my mac-pro ci7 running hot while working with imovie and eyetv?
Hello, I am creating short videos of ps-3 gameplays. For recording I use eye-tv and my mac is connected through a HD-Haupauge with my Playstation. When transferring the recording-file from eye-tv to i-movie and getting started to work on the video, m