Active Directory - Creator or Owner of an Object

Hi,
My goal is to find out who did create an AD Account user.
For now I'm using the quest cmdlet:
Get-QADObjectsecurity "test" -owner
And I though it worked pretty well, until I found some owner being the Domain Admins groups !
How is this possible, a user cannot be created by a group of user, but just by a user (most of the time part of the Domain Admins group). Of course the domain admin group could have takne ownership of the account. Anyway is there a way to know who really
created the account ?

try query ntsecurity.owner
however you should be abandoning vbs for powershell from here on in.
dim strOwner as string
Set objGroup = GetObject ("FullLDAPPathHere")
Set objNtSecurityDescriptor = objGroup.Get("ntSecurityDescriptor")
strOwner = objNtSecurityDescriptor.Owner
msgbox strOwner

Similar Messages

  • ACS 5.3, EAP-TLS Machine Authentication with Active Directory

    I have ACS 5.3. I am testing EAP-TLS Machine Authentication using Active Directory as an external Identity Store. II was testing and everything was going fine until I did some failure testing.
    My problem: I deleted my computer account out of Active Directory and tried to authenticate my wireless laptop and it still worked when it should have failed.
    Here is some of the output of the ACS log. You can see that the computer could not be found in AD and this was returned to the ACS. However, ACS still went ahead and authenticated the computer successfully.
    Evaluating Identity Policy
    15006 Matched Default Rule
    22037 Authentication Passed
    22023 Proceed to attribute retrieval
    24433 Looking up machine/host in Active Directory - LAB-PC-PB.VITS.attcst.sbc.com
    24437 Machine not found in Active Directory
    22016 Identity sequence completed iterating the IDStores
    Evaluating Group Mapping Policy
    12506 EAP-TLS authentication succeeded
    11503 Prepared EAP-Success
    Evaluating Exception Authorization Policy
    15042 No rule was matched
    Evaluating Authorization Policy
    15006 Matched Default Rule
    15016 Selected Authorization Profile - Permit Access
    22065 Max sessions policy passed
    22064 New accounting session created in Session cache
    11002 Returned RADIUS Access-Accept
    I was assuming that if the computer was not found, the Identity Policy would fail, so I did not configure any authorization policy. Do I need an authorization policy to tell the ACS to fail the authentication if the machine cannot be found in AD? If I need an authorization policy, how do I configure it?
    Note: In my Identity Store Sequence, I did enable the option:
    For Attribute Retrieval only:
    If internal user/host not found or disabled then exit sequence and treat as "User Not Found"
    but this only seems to work for internal identity stores (at least based on my testing)
    Under my Access Policy Identity tab, I configured the following Advanced features:
    Advanced Options
    If authentication failed
    RejectDropContinue
    If user not found
    RejectDropContinue
    If process failed
    RejectDropContinue
    And that didn't do anything either.
    Any ideas? Thanks in advance.

    Can try the following. Define an attribute to be retrieved from Active Directory and that exists for all objects. When defining the attribute it can be given a default value. Assign a default value which is a value that will never be returned for a real machine entry (eg "DEFAULTVALUE") and give it a "Policy Condition Name"
    Then can make a rule in the authorization policy such as
    If "Policy Condition Name" equals "DEFAULTVALUE" then "DenyAccess"

  • How to check Internet usage userwise in Active Directory ?

    How to check Internet usage userwise in Active Directory ? Without third party software is it possible ?
    Thanks & Regards, Amol . Amol Dhaygude

    Hi,
    Thanks for your comment. 
    The schema is the Active Directory component that defines all the objects and attributes that the directory service uses to store data. 
    Active Directory stores and retrieves information from a wide variety of applications and services. So that it can store and replicate data from a potentially infinite variety of sources, Active Directory standardizes how data is stored in the directory. By
    standardizing how data is stored, the directory service can retrieve, update, and replicate data while ensuring that the integrity of the data is maintained. 
    The directory service uses objects as units of storage. All objects are defined in the schema. Each time that the directory handles data, the directory queries the schema for an appropriate object definition. Based on the object definition in the schema, the
    directory creates the object and stores the data. 
    Object definitions control the types of data that the objects can store, as well as the syntax of the data. Using this information, the schema ensures that all objects conform to their standard definitions. As a result, Active Directory can store, retrieve,
    and validate the data that it manages, regardless of the application that is the original source of the data. Only data that has an existing object definition in the schema can be stored in the directory. If a new type of data needs to be stored, a new object
    definition for the data must first be created in the schema. 
    You can find more information from below article.
    Active Directory Schema Technical Reference
    http://technet.microsoft.com/en-us/library/cc759402(v=ws.10).aspx
    What's New in Active Directory Domain Services (AD DS)
    http://technet.microsoft.com/en-in/library/hh831477.aspx
    Hope it helps!
    Thanks.
    Dharmesh Solanki

  • Is Active Directory's ExtensionAttributes9 a field in user object and how to retrieve it in the class type userprincipal?

    Hi, I'm using VS2012.
    I want to use this ExtensionAttributes9 field to store date value for each user object.  I use UserPrincipal class, a collection of these objects are then bind to a gridview control.  Is ExtensionAttributes9 a field in AD user object? 
    How can I access it and bind to the gridview?
    If this field isn't available then what other field can use?
    Thank you.
    Thank you

    UserPrincipal is basically a wrapper around DirectoryEntry:
    http://msdn.microsoft.com/en-us/library/system.directoryservices.directoryentry.aspx and only provides a subset of the Active Directory, although the most common, attributes that are available for the user object.  The attribute that you
    seek is not one of them.
    By utilizing the method that I provided you a link to, it will return the underlying DirectoryEntry that was used to build the UserPrincipal object and should allow you to access the attribute that you seek.
    It would be greatly appreciated if you would mark any helpful entries as helpful and if the entry answers your question, please mark it with the Answer link.

  • "Setup encountered a problem while validating the state of Active Directory: Exchange organization-level objects have not been created, and setup cannot create them because the local computer is not in the same domain and site as the schema master. Run se

    Team,
    I am trying to Install Exchange on my Lab, getting below error
    message.
    The Schema Role is installed on Root Domain and trying to install
    exchange on Child domain.
    1 Root Domain - 1 Child domain. both are located on single site.
    “Setup encountered a problem while validating
    the state of Active Directory: Exchange organization-level objects have not been created, and setup cannot create them because the local computer is not in the same domain and site as the schema master. Run setup with the /prepareAD parameter and wait for
    replication to complete.”
    Followed below articles:
    http://support.risualblogs.com/blog/2012/02/21/exchange-2010-sp2-upgrade-issue-exchange-organization-level-objects-have-not-been-created-and-setup-cannot-create-them-because-the-local-computer-is-not-in-the-same-domain-and-site-as-the-sche/
    http://www.petenetlive.com/KB/Article/0000793.htm
    transferred the schema roles to different server on root domain, still no luck.
    can someone please help me.
    regards
    Srinivasa k
    Srinivasa K

    Hi Srinivasa,
    I guess, you didn't completed the initial setup schemaprep and adprep before starting the installation. You can do it as follows:
    1. Open command Prompt as administrator and browse to the root of installation cd and run Setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms
    After finishing this,
    2. Setup.exe /PrepareAD /OrganizationName:"<organization name>" /IAcceptExchangeServerLicenseTerms
    3. To prepare all domains within the forest run Setup.exe /PrepareAllDomains /IAcceptExchangeServerLicenseTerms. If you want to prepare a specific domain run Setup.exe /PrepareDomain:<FQDN of the domain you want to prepare> /IAcceptExchangeServerLicenseTerms
    4. Once you complete all of the 3 steps, install the pre-requisities for Exchange 2013
    5. Finally, run the setup program
    Hope this will help you
    Regards from Visit ExchangeOnline |
    Visit WindowsAdmin

  • Active Directory Domain Services crash after Administrator renames object in Active Directory Users and Computers

    Hello.
    We have two domain controllers - node1 (Windows 2008 R2) and node2 (Windows 2012 R2). When administrator connects to node2 and tries to rename some object in AD (for example, user) AD Domain Services crashes and reboot server after 60 seconds.
    In Events I can see these messages:
    Log Name:      Directory Service
    Source:        Microsoft-Windows-ActiveDirectory_DomainService
    Date:          04.03.2014 12:37:58
    Event ID:      1173
    Task Category: Internal Processing
    Level:         Warning
    Keywords:      Classic
    User:          domain\admin
    Computer:      NODE2.domain.example
    Description:
    Internal event: Active Directory Domain Services has encountered the following exception and associated parameters.
    Exception:
    c0000005
    Parameter:
    0
    Additional Data
    Error value:
    7ffc7c38e45d
    Internal ID:
    0
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-ActiveDirectory_DomainService" Guid="{0e8478c5-3605-4e8c-8497-1e730c959516}" EventSourceName="NTDS General" />
        <EventID Qualifiers="32768">1173</EventID>
        <Version>0</Version>
        <Level>3</Level>
        <Task>9</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8080000000000000</Keywords>
        <TimeCreated SystemTime="2014-03-04T06:37:58.116264800Z" />
        <EventRecordID>881</EventRecordID>
        <Correlation />
        <Execution ProcessID="572" ThreadID="2580" />
        <Channel>Directory Service</Channel>
        <Computer>NODE2.domain.example</Computer>
        <Security UserID="S-1-5-21-3794920928-4165619442-305938157-2047" />
      </System>
      <EventData>
        <Data>c0000005</Data>
        <Data>7ffc7c38e45d</Data>
        <Data>0</Data>
        <Data>0</Data>
      </EventData>
    </Event>
    Log Name:      Application
    Source:        Microsoft-Windows-Wininit
    Date:          04.03.2014 12:37:58
    Event ID:      1015
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      NODE2.domain.example
    Description:
    A critical system process, C:\Windows\system32\lsass.exe, failed with status code c0000005.  The machine must now be restarted.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Wininit" Guid="{206f6dea-d3c5-4d10-bc72-989f03c8b84b}" EventSourceName="Wininit" />
        <EventID Qualifiers="49152">1015</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2014-03-04T06:37:58.000000000Z" />
        <EventRecordID>189578</EventRecordID>
        <Correlation />
        <Execution ProcessID="0" ThreadID="0" />
        <Channel>Application</Channel>
        <Computer>NODE2.domain.example</Computer>
        <Security />
      </System>
      <EventData>
        <Data>C:\Windows\system32\lsass.exe</Data>
        <Data>c0000005</Data>
      </EventData>
    </Event>
    Log Name:      Application
    Source:        Application Error
    Date:          04.03.2014 12:37:58
    Event ID:      1000
    Task Category: (100)
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      NODE2.domain.example
    Description:
    Faulting application name: lsass.exe, version: 6.3.9600.16384, time stamp: 0x5215e25f
    Faulting module name: ntdsai.dll, version: 6.3.9600.16421, time stamp: 0x524fcaed
    Exception code: 0xc0000005
    Fault offset: 0x000000000019e45d
    Faulting process id: 0x23c
    Faulting application start time: 0x01cf3773fe973e1b
    Faulting application path: C:\Windows\system32\lsass.exe
    Faulting module path: C:\Windows\system32\ntdsai.dll
    Report Id: 85cfbe32-a367-11e3-80cc-00155d006724
    Faulting package full name:
    Faulting package-relative application ID:
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Application Error" />
        <EventID Qualifiers="0">1000</EventID>
        <Level>2</Level>
        <Task>100</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2014-03-04T06:37:58.000000000Z" />
        <EventRecordID>189576</EventRecordID>
        <Channel>Application</Channel>
        <Computer>NODE2.domain.example</Computer>
        <Security />
      </System>
      <EventData>
        <Data>lsass.exe</Data>
        <Data>6.3.9600.16384</Data>
        <Data>5215e25f</Data>
        <Data>ntdsai.dll</Data>
        <Data>6.3.9600.16421</Data>
        <Data>524fcaed</Data>
        <Data>c0000005</Data>
        <Data>000000000019e45d</Data>
        <Data>23c</Data>
        <Data>01cf3773fe973e1b</Data>
        <Data>C:\Windows\system32\lsass.exe</Data>
        <Data>C:\Windows\system32\ntdsai.dll</Data>
        <Data>85cfbe32-a367-11e3-80cc-00155d006724</Data>
        <Data>
        </Data>
        <Data>
        </Data>
      </EventData>
    </Event>
    In node2 we installed all available updates and hotfixes.

     Hi Azamat Hackimov,
    Regarding to error messages, it seems that the
    ntdsai.dll file caused the issue. Based on current situation, please use
    sfc /scannow command to scan protected system files and check if find error and repair. Meanwhile, you can also navigate to the location of this DLL file and confirm details.
    In addition, Windows Server 2012 R2 has reboot unexpectedly. Please check if you get some dump file and then analysis it. It may help us to find the root reason. Please refer
    to the following KB.
    How to read the small dump memory dump file that is created by Windows if a crash occurs.
    http://support.microsoft.com/kb/315263/en-us
    By the way, it is not effective for us to debug the crash dump file here in the forum. If this issues is a state of emergency for you. Please contact Microsoft Customer Service
    and Support (CSS) via telephone so that a dedicated Support Professional can assist with your request.
    To obtain the phone numbers for specific technology request, please refer to the web site listed below:
    http://support.microsoft.com/default.aspx?scid=fh;EN-US;OfferProPhone#faq607
    Hope this helps.
    Best regards,
    Justin Gu

  • Active Directory error message "the following object is not from a domain listed in the Select location forestB\username

    Hello Community
        "forestA" is my forest it is a Windows 2008 Server Enterprise Edition
    domain controller using Active Directory and the UI.
        In my forest ("forestA") trust relationship I created a "One-Way, Out-going"
    forest trust with Forest-Wide authentication so that a different forest user(s) or
    group(s) with a different admin in a forest named “forestB” can access the resources in my “forestA”
        But also forestB needs to create a "One-way, Incoming" forest trust so that
    I can either add the user(s) or group(s) from “forestB” into to a "Global Security - Group"
    in my "forestA" or I can
     add user(s)  as  "domain user(s)" from “forestB” into my "forestA".
        The problem is that when I right click  the global group in my forestA  and then
    properties, when I click "Members" and then the "Add" button when I type
    "forestB\username" I get an error message from Active Directory stating:
        "the following object is not from a domain listed in the Select location
    dialog box, and is therefore not valid: forestB\username".
        Am I doing something wrong when creating the one-way trust in my
    “forestA” or is the one-way trust being created wrong by the other domain admin in the other “forestB”?
        Or could I possibly need to select "Change Domain" or "Change Domain Controller"
    before adding the users or Groups to my forestA from forestB?
        That is why I am asking
     how do you add an Active Directory user from one forest into another forest?
        Thank you
        Shabeaut

    Hello Denis Cooper
        That is the end result.
        What I was trying  to do was that I was trying to
     bring in the user(s) and group(s) from “forestB”  into
    my “forestA”  Global group.
        Later on I was going to add the user(s) or Global groups(s) that I brought into my dc in my forestA
     into the domain local groups  on my member servers in my forestA.
        So since the error message is:
    "the following object is not from a domain listed in the Select location dialog box, and is therefore not valid: forestB\username".
    Does your response
     mean only Global group(s) from forestB not domain user(s) from forestB have
     to been added to domain local groups in forestA?
    Or is it also possible to add Global group(s) from “forestB” to Global group(s) in my “forestA” and if so
    how without getting the above error message?
    Thank you
        Shabeaut

  • SMS_AD_SECURITY_GROUP_DISCOVERY_AGENT - Active Directory Security Group Discovery Agent reported warnings for 524 object(s). DDRs were generated for 0 object(s) that had warning(s) while reading non-critical properties.

    Hi, can anyone help me troubleshoot the following please:
    Active Directory Security Group Discovery Agent reported warnings for 524 object(s). DDRs were generated for 0 object(s) that had warning(s) while reading non-critical properties. DDRs were not generated for 524 object(s) that had warnings while reading
    critical properties.
    Possible cause: OU name or Security Group name may contain at least a Unicode character which has conversion problem between Unicode and your system ANSI locale(e.g. Korean characters in English System Locale). The site server might not have access to
    some properties of this object. The container specified might not have the properties available.
    Solution: Please verify the Active Directory schema for properties that are not replicated or locked. Refer to the discovery logs for more information.
    Does the error relate to 524 security groups? There are several invalid search paths listed in adsgdis.log, are these related?
    Thanks,
    Dale

    You'll have to examine the log to determine exactly which objects its referring to. Although this is in the context of group discovery, group discovery still creates DDRs for computer objects within those groups so it could be either groups or computers.
    This is not a search path issue though as it's clear that the discovery process found 524 different objects, but as stated, it could not properly read criticial properties of those objects and thus did not create DDRs for them.
    As mentioned, reading the log in detail will list the objects individually and the reason it could not create a DDR for it.
    Jason | http://blog.configmgrftw.com

  • [Forum FAQ] Using PowerShell to assign permissions on Active Directory objects

    As we all know, the
    ActiveDirectoryAccessRule class is used to represent an access control entry (ACE) in the discretionary access control list (DACL) of an Active Directory Domain Services object.
    To set the permissions on Active Directory objects, the relevant classes and their enumerations are listed as below:
    System.DirectoryServices.ActiveDirectoryAccessRule class:
    http://msdn.microsoft.com/en-us/library/system.directoryservices.activedirectoryaccessrule(v=vs.110).aspx
    System.DirectoryServices.ActiveDirectoryRights
    class:
    http://msdn.microsoft.com/en-us/library/system.directoryservices.activedirectoryrights(v=vs.110).aspx
    System.Security.AccessControl.AccessControlType class:
    http://msdn.microsoft.com/en-us/library/w4ds5h86(v=vs.110).aspx
    System.DirectoryServices.ActiveDirectorySecurityInheritance class:
    http://msdn.microsoft.com/en-us/library/system.directoryservices.activedirectorysecurityinheritance(v=vs.110).aspx
    In this article, we introduce three ways to get and set the ACE on an Active Directory object. In general,
    we use Active Directory Service Interfaces (ADSI) or
    Active Directory module cmdlets
    with the Get-Acl and Set-Acl cmdlets to assign simple permissions on Active Directory objects. In addition, we can use the extended rights and GUID settings to execute
    more complex permission settings.
    Method 1: Using ADSI
      1. Get current permissions of an organization unit (OU)
    We can use the PowerShell script below to get current permissions of an organization unit and you just need to define the name of the OU.
    $Name = "OU=xxx,DC=com"
    $ADObject = [ADSI]"LDAP://$Name"
    $aclObject = $ADObject.psbase.ObjectSecurity
    $aclList = $aclObject.GetAccessRules($true,$true,[System.Security.Principal.SecurityIdentifier])
    $output=@()
    foreach($acl in $aclList)
    $objSID = New-Object System.Security.Principal.SecurityIdentifier($acl.IdentityReference)
         $info = @{
    'ActiveDirectoryRights' = $acl.ActiveDirectoryRights;
    'InheritanceType' = $acl.InheritanceType;
    'ObjectType' = $acl.ObjectType;
    'InheritedObjectType' = $acl.InheritedObjectType;
    'ObjectFlags' = $acl.ObjectFlags;
    'AccessControlType' = $acl.AccessControlType;
    'IdentityReference' = $acl.IdentityReference;
    'NTAccount' = $objSID.Translate( [System.Security.Principal.NTAccount] );
    'IsInherited' = $acl.IsInherited;
    'InheritanceFlags' = $acl.InheritanceFlags;
    'PropagationFlags' = $acl.PropagationFlags;
    $obj = New-Object -TypeName PSObject -Property $info
    $output+=$obj}
    $output
    In the figure below, you can see the results of running the script above:
    Figure 1.
    2. Assign a computer object with Full Control permission on an OU
    We can use the script below to delegate Full Control permission to the computer objects within an OU:
    $SysManObj = [ADSI]("LDAP://OU=test….,DC=com") #get the OU object
    $computer = get-adcomputer "COMPUTERNAME" #get the computer object which will be assigned with Full Control permission within an OU
    $sid = [System.Security.Principal.SecurityIdentifier] $computer.SID
    $identity = [System.Security.Principal.IdentityReference] $SID
    $adRights = [System.DirectoryServices.ActiveDirectoryRights] "GenericAll"
    $type = [System.Security.AccessControl.AccessControlType] "Allow"
    $inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "All"
    $ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $identity,$adRights,$type,$inheritanceType #set permission
    $SysManObj.psbase.ObjectSecurity.AddAccessRule($ACE)
    $SysManObj.psbase.commitchanges()
    After running the script above, you can check the computer object in Active Directory Users and Computers (ADUC) and it is under the Security tab in OU Properties.
    Method 2: Using Active Directory module with the Get-Acl and Set-Acl cmdlets
    You can use the script below to get and assign Full Control permission to a computer object on an OU:
    $acl = get-acl "ad:OU=xxx,DC=com"
    $acl.access #to get access right of the OU
    $computer = get-adcomputer "COMPUTERNAME"
    $sid = [System.Security.Principal.SecurityIdentifier] $computer.SID
    # Create a new access control entry to allow access to the OU
    $identity = [System.Security.Principal.IdentityReference] $SID
    $adRights = [System.DirectoryServices.ActiveDirectoryRights] "GenericAll"
    $type = [System.Security.AccessControl.AccessControlType] "Allow"
    $inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "All"
    $ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $identity,$adRights,$type,$inheritanceType
    # Add the ACE to the ACL, then set the ACL to save the changes
    $acl.AddAccessRule($ace)
    Set-acl -aclobject $acl "ad:OU=xxx,DC=com"
    Method 3: Using GUID setting
    The scripts above can only help us to complete simple tasks, however, we may want to execute more complex permission settings. In this scenario, we can use GUID settings to achieve
    that.
    The specific ACEs allow an administrator to delegate Active Directory specific rights (i.e. extended rights) or read/write access to a property set (i.e. a named collection of attributes) by
    setting ObjectType field in an object specific ACE to the
    rightsGuid of the extended right or property set. The delegation can also be created to target child objects of a specific class by setting the
    InheritedObjectType field to the schemaIDGuid of the class.
    We choose to use this pattern: ActiveDirectoryAccessRule(IdentityReference, ActiveDirectoryRights, AccessControlType, Guid, ActiveDirectorySecurityInheritance, Guid)
    You can use the script below to
    assign the group object with the permission to change user password on all user objects within an OU.
    $acl = get-acl "ad:OU=xxx,DC=com"
    $group = Get-ADgroup xxx
    $sid = new-object System.Security.Principal.SecurityIdentifier $group.SID
    # The following object specific ACE is to grant Group permission to change user password on all user objects under OU
    $objectguid = new-object Guid 
    00299570-246d-11d0-a768-00aa006e0529 # is the rightsGuid for the extended right User-Force-Change-Password (“Reset Password”) 
    class
    $inheritedobjectguid = new-object Guid 
    bf967aba-0de6-11d0-a285-00aa003049e2 # is the schemaIDGuid for the user
    $identity = [System.Security.Principal.IdentityReference] $SID
    $adRights = [System.DirectoryServices.ActiveDirectoryRights] "ExtendedRight"
    $type = [System.Security.AccessControl.AccessControlType]
    "Allow"
    $inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "Descendents"
    $ace = new-object System.DirectoryServices.ActiveDirectoryAccessRule $identity,$adRights,$type,$objectGuid,$inheritanceType,$inheritedobjectguid
    $acl.AddAccessRule($ace)
    Set-acl -aclobject $acl "ad:OU=xxx,DC=com"
    The figure below shows the result of running the script above:
    Figure 2.
    In addition, if you want to assign other permissions, you can change the GUID values in the script above. The common GUID values are listed as below:
    $guidChangePassword     
    = new-object Guid ab721a53-1e2f-11d0-9819-00aa0040529b
    $guidLockoutTime        
    = new-object Guid 28630ebf-41d5-11d1-a9c1-0000f80367c1
    $guidPwdLastSet         
    = new-object Guid bf967a0a-0de6-11d0-a285-00aa003049e2
    $guidComputerObject     
    = new-object Guid bf967a86-0de6-11d0-a285-00aa003049e2
    $guidUserObject         
    = new-object Guid bf967aba-0de6-11d0-a285-00aa003049e2
    $guidLinkGroupPolicy    
    = new-object Guid f30e3bbe-9ff0-11d1-b603-0000f80367c1
    $guidGroupPolicyOptions 
    = new-object Guid f30e3bbf-9ff0-11d1-b603-0000f80367c1
    $guidResetPassword      
    = new-object Guid 00299570-246d-11d0-a768-00aa006e0529
    $guidGroupObject        
    = new-object Guid BF967A9C-0DE6-11D0-A285-00AA003049E2                                          
    $guidContactObject      
    = new-object Guid 5CB41ED0-0E4C-11D0-A286-00AA003049E2
    $guidOUObject           
    = new-object Guid BF967AA5-0DE6-11D0-A285-00AA003049E2
    $guidPrinterObject      
    = new-object Guid BF967AA8-0DE6-11D0-A285-00AA003049E2
    $guidWriteMembers   
        = new-object Guid bf9679c0-0de6-11d0-a285-00aa003049e2
    $guidNull               
    = new-object Guid 00000000-0000-0000-0000-000000000000
    $guidPublicInformation  
    = new-object Guid e48d0154-bcf8-11d1-8702-00c04fb96050
    $guidGeneralInformation 
    = new-object Guid 59ba2f42-79a2-11d0-9020-00c04fc2d3cf
    $guidPersonalInformation = new-object Guid 77B5B886-944A-11d1-AEBD-0000F80367C1
    $guidGroupMembership    
    = new-object Guid bc0ac240-79a9-11d0-9020-00c04fc2d4cf
    More information:
    Add Object Specific ACEs using Active Directory Powershell
    http://blogs.msdn.com/b/adpowershell/archive/2009/10/13/add-object-specific-aces-using-active-directory-powershell.aspx
    Please click to vote if the post helps you. This can be beneficial to other community members reading the thread.

    The ActiveDirectoryAccessRule has more than one constructor, but yes, you've interpreted the one that takes six arguments correctly.
    Those GUIDs are different (check just before the first dash). Creating that ACE will create an empty GUID for InheritedObjectType, though, because you're telling it to apply to the Object only ([System.DirectoryServices.ActiveDirectorySecurityInheritance]::None).
    Since the ACE will only apply to the object, there's no need to worry about what types of objects will inherit it.
    If you've got time, check out
    this module. It will let you view the security descriptors in a much friendlier format. Try both version 3.0 and the version 4.0 preview:
    Sample version 3.0:
    # This is going to be kind of slow, and it will take a few seconds the first time
    # you run it because it has to build the list of GUID <--> Property/Class/etc objects
    Get-ADGroup GroupY |
    Get-AccessControlEntry -ObjectAceType member -InheritedObjectAceType group -ActiveDirectoryRights WriteProperty
    # Same as the previous command, except limit it to access granted to GroupX
    Get-ADGroup GroupY |
    Get-AccessControlEntry -ObjectAceType member -InheritedObjectAceType group -ActiveDirectoryRights WriteProperty -Principal GroupX
    Here's version 4.0. It's way faster than 3.0, but it's missing the -ObjectAceType and -InheritedObjectAceType parameters on Get-AccessControlEntry (don't worry, when they come back they'll be better than in 3.0):
    Get-ADGroup GroupY |
    Get-AccessControlEntry
    Get-ADGroup GroupY |
    Get-AccessControlEntry -ActiveDirectoryRights WriteProperty
    Get-ADGroup GroupY |
    Get-AccessControlEntry -ActiveDirectoryRights WriteProperty -Principal GroupX
    # You can do a Where-Object filter until the parameters are added back to Get-AccessControlEntry:
    Get-ADGroup GroupY |
    Get-AccessControlEntry -ActiveDirectoryRights WriteProperty |
    where { $_.AccessMask -match "All Prop|member Prop" }
    Get-ADGroup GroupY |
    Get-AccessControlEntry -ActiveDirectoryRights WriteProperty |
    where { $_.ObjectAceType -in ($null, [guid]::Empty, "bf9679c0-0de6-11d0-a285-00aa003049e2") }
    Get-ADGroup GroupY |
    Get-AccessControlEntry -ActiveDirectoryRights WriteProperty |
    where { $_.AccessMask -match "All Prop|member Prop" -and $_.AppliesTo -match "group"}
    That's just for viewing. Version 3.0 can add and remove access, or you can use New-AccessControlEntry to replace your call to New-Object, and you can still use Get-Acl and Set-Acl. The benefit to New-AccessControlEntry is that you can do something like this:
    New-AccessControlEntry -Principal GroupX -ActiveDirectoryRights WriteProperty -ObjectAceType member -InheritedObjectAceType group #-AppliesTo Object
     

  • Cannot find the object "CrossRef" in Active Directory

    I am trying to install Lync 2013. I'm getting the following error: Error:
    An error
    occurred: "Microsoft.Rtc.Management.Deployment.ActiveDirectoryException" "Cannot
    find the object "CrossRef" in Active Directory."
    WARNING: Enable-CSAdForest failed.
    This error is at "Step 3: Prepare Current Forest" of the install.

    I've tried to run the forest prep as a local domain and I get the following:
    Creating new log file "C:\Users\administrator.xxx\AppData\Local\Temp\2\Enable-CSAdForest-052cfe14-7f42-4969-88da-83279413ab8c.xml".Enable the Active Directory forest to host Lync Server 2013 deployments.
    Prepare Forest Active Directory settings execution failed on an unrecoverable error.Creating new log file "C:\Users\administrator.xxx\AppData\Local\Temp\2\Enable-CSAdForest-[2013_05_30][13_25_56].html".WARNING:
    Enable-CSAdForest failed.WARNING: Detailed results can be found at "C:\Users\administrator.xxx\AppData\Local\Temp\2\Enable-CSAdForest-[2013_05_30][13_25_56].html".Command
    execution failed: Container CN=Microsoft,CN=Program Data,DC=xxx,DC=local not found

  • Accessing active directory with javascript client object model

    Hello All,
    my requirement is to get user profile "picture" from
    active directory of my org. to my sharepoint 2013 intranet site via
    java script client object model programming.
    I am successful in retrieving user details (including pics) from user profile services using SP.UserProfile.js but it will show only user who are added in SharePoint groups. But, I need all company users (10,000+ user's) data like name, dept, photo etc.
    If the solution is not feasible with JSOM, please provide any alternative.
    Pls. assist.
    Thanks, Chintan

    You can import profile from AD directly to sharepoint and use it
    Check below:
    http://blogs.technet.com/b/harmeetw/archive/2011/09/10/importing-thumbnail-photos-from-ad-active-directory-into-sharepoint-2010.aspx
    Once imported you need to run below:
    Update-SPProfilePhotoStore -CreateThumbnailsForImportedPhotos 1 -MySiteHostLocation
    http://<YourServerName>/my
    The cmdlet was introduced in this fix:
    http://support.microsoft.com/kb/2394320  (14.0.5128.5000)
    http://blogs.technet.com/b/lukeb/archive/2013/01/04/sharepoint-import-a-picture-from-ad-for-the-user-profile.aspx

  • Active Directory Ghost Object replication issue

    I have a Windows 2003, Single Forest with nearly 50 Domains. This is a constantly changing, deployable system where not all Domains are connected and online at all times.
    Some months ago 2 of these domains were held up in transit and tombstoned. Before they were connected to the Forest again they went to our Hardware support department to be "cleaned" meaning remove dust etc, instead they wiped the arrays on all
    servers.
    Our Level 4 Support team reanimated these node after restoring them from a really old backup.
    This backup did not refelect the AD as it was when it was deleted, therefore we have several orphaned objects form those domains. The Domains are functioning correctly and replicating, however, the GC in the forest is inconsistent and the orphaned/ghost
    objects are still being replicated.
    We have rehosted the directory partitions from the problem nodes to online domains which works fine, but as soon as another domain comes online the orphaned objects are again replicated into the Global Catalog. The nature of our system means that we cannot
    control when the other domains are coming back online to rehost them before replicating the object items back into the GC.
    I have made several LDAP queries and can see that the items no longer exist on the problem domain, the only reference to the objects is in the GC directory partitions of those domains.
    The biggest issue I have is that these objects were mail enabled users and when the GAL queries the GC it is repopulating them. 
    I've hit a bit of a wall now and do not know how we can remove these ghost objects without having all domains online at the same time and rehosting the problem domains partitions forest wide. I'd appreciate any assistnce.
    I have asked this question before but with less detail so I'm having another go!

    An AD backup is as good as the Tombstone lifetime. By default the TSL of a 2003 forest functional level is 60. So if you haven't done this already you should probably configure a higher value for the TSL. By default Strict Replication
    Consistency is also enabled to prevent DC that have been disconnected for a long time to propagate lingering objects into the AD topology, check to see if you have this enabled. You should use "repadmin" to remove the lingering objects.
    "When a domain controller in your Active Directory environment is disconnected from the replication topology for an extended period of time, all objects that are deleted from AD DS on all other domain controllers might remain on the disconnected
    domain controller. Such objects are called lingering objects. When this domain controller is reconnected to the replication topology, it acts as a source replication partner that has one or more objects that its destination replication partners no longer have.
    Problems occur when these lingering objects on the source domain controller are updated and these updates are sent by replication to the destination domain controllers. A destination domain controller can respond in one of two ways:
    If the destination domain controller has strict replication consistency enabled, it recognizes that it cannot update the object (because the object does not exist), and it locally halts inbound replication of the directory partition from that source
    domain controller.
    If the destination domain controller does not have strict replication consistency enabled, it requests the full replica of the updated object, which introduces a lingering object into the directory."
    Also keep in mind that the Infrastructure Master role handles the cross-domain references and phantoms from the global catalog in its domain. Make sure that you either have all DCs as Global Catalogs or do not place the GC on the DC with the IM role.
    Here are some useful links:
    Determine the tombstone lifetime for the forest
    Event ID 1388 or 1988: A lingering object is detected
    Use Repadmin to remove lingering objects
    Enable strict replication consistency
    FSMO placement and optimization on Active Directory domain controllers
    Phantoms, tombstones and the infrastructure master
    http://mariusene.wordpress.com/

  • Cfldap and deleted objects container in Active Directory

    Hello,
    I am trying to use a CFLDAP query to bind and search in the
    Deleted Objects container of Active Directory. This would allow me
    to get the sAMAccountname values of the users who have been deleted
    within the last default 60 days (searching tombstone objects in
    Deleted Objects).
    I have tried various methods including <cfldap
    start="CN=Deleted Objects, DC=<domain>, DC=<com>> (I
    am omitting the rest of the CFLDAP attributes in the example
    above). I'm not sure if CFLDAP can even query the deleted objects
    container. Has anyone had any experience with this?
    Thanks,
    Ben

    Hi Michael,
    Thanks for your help! I have however already explored those
    solutions offered by Microsoft. Sadly, they only work in separate
    programs (i.e. ldap.exe which comes with Windows Server tools).
    After lots of research I have found a Java method that can bind
    with the container and return the results. CFLDAP, I'm afraid is
    just not capable of doing this - or at least I have had no luck
    with it (I was connecting as domain admin btw).
    The challenge now is to get the Java class to communicate
    with the rest of my cf code.
    Thanks again,
    Ben

  • Size limitation for all attributes in user objects in Active Directory????

    hi geeks , i wanna know maximum size limit of an user objects attribute in   active directory ... like max amount of character first name attribute can hold ... Thank in advance..

    You can use ADSI Edit to view the properties of the attributes in the Schema container of your AD. In the Schema container you can select an attribute, like Company, right click, select properties, and find the rangeUpper property of the attribute. This
    is the maximum length in characters (or bytes). You can also use dsquery to retrieve rangeUpper for an attribute. For example:
    dsquery * "cn=Schema,cn=Configuration,dc=MyDomain,dc=com" -filter "(LDAPDisplayName=streetAddress)" -attr rangeUpper
    where your domain is MyDomain.com. This finds the maximum length for the "street address" attribute. A few values in my test domain (the values can be modified, so these are the defaults):
    company                      64
    streetAddress              1024
    physicalDeliveryOfficeName  128
    initials                      6
    st                          128
    postOfficeBox                40
    name                        255
    cn                           64
    You can use the first two spreadsheets on this page to help identify attributes in AD (with no Exchange):
    http://www.rlmueller.net/UserAttributes.htm
    The first spreadsheet documents the attributes corresponding to the fields on most of the tabs of ADUC. For example, "st" is the attribute for state, "physicalDeliveryOfficeName" for the field labeled "office". You need the
    LDAPDisplayName's of the attributes, like I used in the dsquery command above. The second spreadsheet documents all attributes in AD with more information, like the syntax and which class each applies to.
    Richard Mueller - MVP Directory Services

  • Found DAG object in Active Directory

    Dear Friends,
    Today i have detected an Object called 'DAG' in Active Directory. I am not aware of these objects. Please some one could elaborate? It might be a silly question. But still i am feeling free to learn.
    Regards, Jay.

    Hi,
    This object is the Cluster Name Object(CNO) for a DAG.
    In Exchange 2010 when using the Database Availability Group (DAG), we leverage the cluster services in Windows 2008 and Windows 2008 R2. This requires that a machine account be created within the directory for association with this cluster name resource.
    This is known as the CNO or cluster name object.  
    For more information about CNO, you can refer to the following article.
    Exchange 2010 – Pre-staging the Cluster Name Object (CNO) to support a Database Availability Group (DAG)
    http://blogs.technet.com/b/timmcmic/archive/2010/01/05/exchange-2010-pre-staging-the-cluster-name-object-cno-to-support-a-database-availability-group-dag.aspx
    Best regards,
    Belinda
    Belinda Ma
    TechNet Community Support

Maybe you are looking for

  • How to set HP 4502 to print black only

    How to set my HP4502 to print from Mac in black ink only

  • Bug report - Copy page with IR raises ORA-3113

    Apex 3.1.2.00.02 on Oracle 9.2.0.8 When I copy a page with an IR using the Copy Page wizard (from page X to Y in the same app), I get the following error in the Apache log I don't change a single thing in the Copy Page Wizard, just accept all the def

  • SQL Modeler: Logical Model Merge

    Hi all, I'll like to consolidate and merge two (and more) logical models into one single model. We have design teams that work separately and we need to consolidate their logical models into one. Is this possible? If yes, how can I do it? If not, wil

  • How to merge  one swf to another

    Hi, I want to merge two swf file in to a single swf file, how i can achieve that , since i have done some part of my project modules in cairngorm framework and other parts of module i have coded with out using any frame work, intern both the module g

  • Safari will NOT open after new update!! :(

    After updating safari, it won't open. I see this is happening to other users in the forum as well. Is there anyway that Apple can fix this bug by removing the most recent update?