Active Directory - Lingering Objects

Hello,
I'm having an issue with replication and I'm hoping someone can point me in the right direction.
I have the Strict Replication setting enabled on all of my DCs.  I am running into a problem with replication failures due to lingering objects.  I ran repldiag.exe /removelingeringobjects /advisorymode on one of the DCs and it found 52 objects.
 However, the lingering objects are shared printer objects that are still in use in my organization.  What would be the impact of deleting these printer objects?  Would my workstations lose the ability to print to these printers?
Thank you.

Have you reviewed the link below?
Lingering objects prevent Active Directory replication from occurring
http://support.microsoft.com/kb/317097

Similar Messages

  • Active Directory Ghost Object replication issue

    I have a Windows 2003, Single Forest with nearly 50 Domains. This is a constantly changing, deployable system where not all Domains are connected and online at all times.
    Some months ago 2 of these domains were held up in transit and tombstoned. Before they were connected to the Forest again they went to our Hardware support department to be "cleaned" meaning remove dust etc, instead they wiped the arrays on all
    servers.
    Our Level 4 Support team reanimated these nodes after restoring them from a really old backup.
    This backup did not reflect the AD as it was when it was deleted, therefore we have several orphaned objects from those domains. The Domains are functioning correctly and replicating, however, the GC in the forest is inconsistent and the orphaned/ghost
    objects are still being replicated.
    We have rehosted the directory partitions from the problem nodes to online domains which works fine, but as soon as another domain comes online the orphaned objects are again replicated into the Global Catalog. The nature of our system means that we cannot
    control when the other domains are coming back online to rehost them before replicating the object items back into the GC.
    I have made several LDAP queries and can see that the items no longer exist on the problem domain, the only reference to the objects is in the GC directory partitions of those domains.
    The biggest issue I have is that these objects were mail enabled users and when the GAL queries the GC it is repopulating them. 
    I've hit a bit of a wall now and do not know how we can remove these ghost objects without having all domains online at the same time and rehosting the problem domains partitions forest wide. I'd appreciate any assistance.
    I have asked this question before but with less detail so I'm having another go!

    An AD backup is as good as the Tombstone lifetime. By default the TSL of a 2003 forest functional level is 60. So if you haven't done this already you should probably configure a higher value for the TSL. By default Strict Replication
    Consistency is also enabled to prevent DCs that have been disconnected for a long time from propagating lingering objects into the AD topology; check to see if you have this enabled. You should use "repadmin" to remove the lingering objects.
    "When a domain controller in your Active Directory environment is disconnected from the replication topology for an extended period of time, all objects that are deleted from AD DS on all other domain controllers might remain on the disconnected
    domain controller. Such objects are called lingering objects. When this domain controller is reconnected to the replication topology, it acts as a source replication partner that has one or more objects that its destination replication partners no longer have.
    Problems occur when these lingering objects on the source domain controller are updated and these updates are sent by replication to the destination domain controllers. A destination domain controller can respond in one of two ways:
    If the destination domain controller has strict replication consistency enabled, it recognizes that it cannot update the object (because the object does not exist), and it locally halts inbound replication of the directory partition from that source
    domain controller.
    If the destination domain controller does not have strict replication consistency enabled, it requests the full replica of the updated object, which introduces a lingering object into the directory."
    Also keep in mind that the Infrastructure Master role handles the cross-domain references and phantoms from the global catalog in its domain. Make sure that you either have all DCs as Global Catalogs or do not place the GC on the DC with the IM role.
    Here are some useful links:
    Determine the tombstone lifetime for the forest
    Event ID 1388 or 1988: A lingering object is detected
    Use Repadmin to remove lingering objects
    Enable strict replication consistency
    FSMO placement and optimization on Active Directory domain controllers
    Phantoms, tombstones and the infrastructure master
    http://mariusene.wordpress.com/
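    The reply above describes strict replication consistency and the 1388/1988 lingering-object events. The script below is an added example, not part of the reply, that checks every DC in the forest for the strict-consistency registry setting and pulls recent 1388/1988 events; it assumes the ActiveDirectory module, remote registry access to the DCs, permission to read the Directory Service log, and a 30-day lookback window.

```powershell
# Added example (not from the thread): audit strict replication consistency and
# lingering-object events across all DCs. Assumptions: ActiveDirectory module,
# remote registry and event log access to each DC, 30-day lookback.
Import-Module ActiveDirectory

# Registry value that controls strict replication consistency on a DC.
# 1 = strict (event 1988, inbound replication of that partition from the source halts)
# 0 = loose  (event 1388, the lingering object is re-introduced)
$NtdsKey   = 'SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$NtdsValue = 'Strict Replication Consistency'

function Get-StrictReplicationState {
    param([string]$DcName)
    try {
        $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $DcName)
        $key  = $base.OpenSubKey($NtdsKey)
        $val  = $key.GetValue($NtdsValue)
        [PSCustomObject]@{ DC = $DcName; Strict = ($val -eq 1); RawValue = $val }
    } catch {
        # Unreachable DC or missing key: report it rather than silently skipping it
        [PSCustomObject]@{ DC = $DcName; Strict = $null; RawValue = "error: $($_.Exception.Message)" }
    }
}

function Get-LingeringObjectEvents {
    param([string]$DcName, [int]$Days = 30)
    $filter = @{
        LogName   = 'Directory Service'
        Id        = 1388, 1988
        StartTime = (Get-Date).AddDays(-$Days)
    }
    try {
        Get-WinEvent -ComputerName $DcName -FilterHashtable $filter -ErrorAction Stop |
            Select-Object @{ n = 'DC'; e = { $DcName } }, TimeCreated, Id,
                          @{ n = 'Summary'; e = { $_.Message.Split("`n")[0] } }
    } catch {
        # Get-WinEvent throws when nothing matches; treat that as "no events", rethrow anything else
        if ($_.Exception.Message -notmatch 'No events were found') { throw }
    }
}

# Enumerate every DC in every domain of the forest
$dcs = (Get-ADForest).Domains |
    ForEach-Object { Get-ADDomainController -Filter * -Server $_ } |
    Select-Object -ExpandProperty HostName

# Any DC with Strict = False is the one that would accept a lingering object (event 1388)
$dcs | ForEach-Object { Get-StrictReplicationState -DcName $_ } | Format-Table -AutoSize
$dcs | ForEach-Object { Get-LingeringObjectEvents -DcName $_ -Days 30 } | Format-Table -AutoSize
```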

  • Search for single member in an Active Directory Group

    Hello all,
    I'm attempting to find a better method to search if a user is a member of a group in Active Directory. I currently retrieve the entire member attribute of the group.
    I need to reduce the time of the query. I would like to be able to search for a specific member (user) of the group instead of retrieving the entire member list of the group.
    I can post my current code if that would help.
    I believe the default Active Directory group object is the ldap group. I know that there are posixGroup and groupOfUniqueNames ldap classes available, but I'm not sure if Active Directory has access to those classes.
    Is my request possible using the group ldap object?

    Thanks for the reply.
    I have read the first post you gave, but not the second. I'm off to read that now.
    My main concern is that I don't have access to the DN of the user in the member attrib. I have access to their CN and uid (which is indexed). From what I can recall from when I last updated this code, I couldn't create a wildcard search filter e.g.,:
    (&(cn=All Scientists)(objectClass=Group)(member=CN=Albert Einstein*))
    If that's correct and I require a DN, is there any way around this?
    I was interested in the posixGroup and groupOfUniqueNames classes. I wasn't aware that these were available through Active Directory, but I see them listed in the AD schema (http://msdn.microsoft.com/en-us/library/ms683908(VS.85).aspx).
    If I'm correct, posixGroup would allow for a filter of (&(cn=All Scientists)(objectClass=posixGroup)(memberUid=AEinstein))
    I'm not sure how typical it is to use the posixGroup class in AD and I'll have to check with my AD team before moving forward with this. But I wanted to get some more direction/ideas before asking them to create some posixGroup objects for me.
    I'm now going to go and read the second post you linked, but I wanted to put the rest of my details out there.
    Thanks again.

  • Active Directory data replication to database

    Hi Guys
    Does anybody know how to replicate data from Active Directory (groups and users) directly to a database table, like Oracle?
    My research led me to code a program that makes a persistent search on Active Directory, monitoring object changes to make inserts or updates in my table.
    Java Technology Forums - JNDI, Active Directory and Persistent Searches (part 1)
    http://forum.java.sun.com/thread.jspa?threadID=578338&tstart=200
    Java Technology Forums - JNDI, Active Directory and Persistent Searches (part 2)
    http://forum.java.sun.com/thread.jspa?forumID=51&threadID=672007
    Is it a good idea ?
    Thanks
    MHM

    As I said previously, it depends on how frequently you need to synchronise the database; weekly, daily, hourly, realtime.
    LDIFDE, CSVDE can be used to export LDIF or CSV files respectively, which you could then import into a database. That would be a good pragmatic solution for something that needs to be done daily or weekly.
    The DIRSYNC control is good for any schedule synchronisation, whereas the LDAP Notification Control is better suited to real time applications.
    I am rather flattered that the post you referred to http://www.forumeasy.com/forums/thread.jsp?tid=117381285598&fid=ldapprof2&highlight=LDAP+Persistent+Search+Control+JNDI+Client
    is based on my original sample titled "JNDI, Active Directory and Persistent Searches (part 2)" which I posted at
    http://forum.java.sun.com/thread.jspa?threadID=672007&tstart=90
    BTW, the sample for using the dirsync control which is titled "JNDI, Active Directory & Persistent Searches (part 1)" is available at
    http://forum.java.sun.com/thread.jspa?threadID=578338&tstart=200
    Another alternative would be to install another server with Active Directory Application Mode (ADAM) specifically for your "expensive" queries and use a tool such as ADAMSync to populate it from your other Active Directory domain controllers.
    ADAMSync is included with ADAM and you can find the command line options described at http://technet2.microsoft.com/windowsserver/en/library/c64799ab-88c0-4e5a-b296-bc26031141291033.mspx?mfr=true
    Personally, I would much prefer to use something like LDIFDE, CSVDE, ADAMSync or a full-fledged synchronisation/provisioning product such as Identity Lifecycle Manager rather than write (and debug/maintain) my own code.

  • Is Active Directory's ExtensionAttributes9 a field in user object and how to retrieve it in the class type userprincipal?

    Hi, I'm using VS2012.
    I want to use this ExtensionAttributes9 field to store date value for each user object.  I use UserPrincipal class, a collection of these objects are then bind to a gridview control.  Is ExtensionAttributes9 a field in AD user object? 
    How can I access it and bind to the gridview?
    If this field isn't available then what other field can I use?
    Thank you.

    UserPrincipal is basically a wrapper around DirectoryEntry:
    http://msdn.microsoft.com/en-us/library/system.directoryservices.directoryentry.aspx and only provides a subset of the Active Directory, although the most common, attributes that are available for the user object.  The attribute that you
    seek is not one of them.
    By utilizing the method that I provided you a link to, it will return the underlying DirectoryEntry that was used to build the UserPrincipal object and should allow you to access the attribute that you seek.
    It would be greatly appreciated if you would mark any helpful entries as helpful and if the entry answers your question, please mark it with the Answer link.

  • "Setup encountered a problem while validating the state of Active Directory: Exchange organization-level objects have not been created, and setup cannot create them because the local computer is not in the same domain and site as the schema master. Run se

    Team,
    I am trying to Install Exchange on my Lab, getting below error
    message.
    The Schema Role is installed on Root Domain and trying to install
    exchange on Child domain.
    1 Root Domain - 1 Child domain. both are located on single site.
    “Setup encountered a problem while validating
    the state of Active Directory: Exchange organization-level objects have not been created, and setup cannot create them because the local computer is not in the same domain and site as the schema master. Run setup with the /prepareAD parameter and wait for
    replication to complete.”
    Followed below articles:
    http://support.risualblogs.com/blog/2012/02/21/exchange-2010-sp2-upgrade-issue-exchange-organization-level-objects-have-not-been-created-and-setup-cannot-create-them-because-the-local-computer-is-not-in-the-same-domain-and-site-as-the-sche/
    http://www.petenetlive.com/KB/Article/0000793.htm
    transferred the schema roles to different server on root domain, still no luck.
    can someone please help me.
    regards
    Srinivasa k

    Hi Srinivasa,
    I guess you didn't complete the initial setup schemaprep and adprep before starting the installation. You can do it as follows:
    1. Open command Prompt as administrator and browse to the root of installation cd and run Setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms
    After finishing this,
    2. Setup.exe /PrepareAD /OrganizationName:"<organization name>" /IAcceptExchangeServerLicenseTerms
    3. To prepare all domains within the forest run Setup.exe /PrepareAllDomains /IAcceptExchangeServerLicenseTerms. If you want to prepare a specific domain run Setup.exe /PrepareDomain:<FQDN of the domain you want to prepare> /IAcceptExchangeServerLicenseTerms
    4. Once you complete all of the 3 steps, install the prerequisites for Exchange 2013
    5. Finally, run the setup program
    Hope this will help you
    Regards from Visit ExchangeOnline |
    Visit WindowsAdmin

  • Active Directory Domain Services crash after Administrator renames object in Active Directory Users and Computers

    Hello.
    We have two domain controllers - node1 (Windows 2008 R2) and node2 (Windows 2012 R2). When administrator connects to node2 and tries to rename some object in AD (for example, user) AD Domain Services crashes and reboot server after 60 seconds.
    In Events I can see these messages:
    Log Name:      Directory Service
    Source:        Microsoft-Windows-ActiveDirectory_DomainService
    Date:          04.03.2014 12:37:58
    Event ID:      1173
    Task Category: Internal Processing
    Level:         Warning
    Keywords:      Classic
    User:          domain\admin
    Computer:      NODE2.domain.example
    Description:
    Internal event: Active Directory Domain Services has encountered the following exception and associated parameters.
    Exception:
    c0000005
    Parameter:
    0
    Additional Data
    Error value:
    7ffc7c38e45d
    Internal ID:
    0
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-ActiveDirectory_DomainService" Guid="{0e8478c5-3605-4e8c-8497-1e730c959516}" EventSourceName="NTDS General" />
        <EventID Qualifiers="32768">1173</EventID>
        <Version>0</Version>
        <Level>3</Level>
        <Task>9</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8080000000000000</Keywords>
        <TimeCreated SystemTime="2014-03-04T06:37:58.116264800Z" />
        <EventRecordID>881</EventRecordID>
        <Correlation />
        <Execution ProcessID="572" ThreadID="2580" />
        <Channel>Directory Service</Channel>
        <Computer>NODE2.domain.example</Computer>
        <Security UserID="S-1-5-21-3794920928-4165619442-305938157-2047" />
      </System>
      <EventData>
        <Data>c0000005</Data>
        <Data>7ffc7c38e45d</Data>
        <Data>0</Data>
        <Data>0</Data>
      </EventData>
    </Event>
    Log Name:      Application
    Source:        Microsoft-Windows-Wininit
    Date:          04.03.2014 12:37:58
    Event ID:      1015
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      NODE2.domain.example
    Description:
    A critical system process, C:\Windows\system32\lsass.exe, failed with status code c0000005.  The machine must now be restarted.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Wininit" Guid="{206f6dea-d3c5-4d10-bc72-989f03c8b84b}" EventSourceName="Wininit" />
        <EventID Qualifiers="49152">1015</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2014-03-04T06:37:58.000000000Z" />
        <EventRecordID>189578</EventRecordID>
        <Correlation />
        <Execution ProcessID="0" ThreadID="0" />
        <Channel>Application</Channel>
        <Computer>NODE2.domain.example</Computer>
        <Security />
      </System>
      <EventData>
        <Data>C:\Windows\system32\lsass.exe</Data>
        <Data>c0000005</Data>
      </EventData>
    </Event>
    Log Name:      Application
    Source:        Application Error
    Date:          04.03.2014 12:37:58
    Event ID:      1000
    Task Category: (100)
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      NODE2.domain.example
    Description:
    Faulting application name: lsass.exe, version: 6.3.9600.16384, time stamp: 0x5215e25f
    Faulting module name: ntdsai.dll, version: 6.3.9600.16421, time stamp: 0x524fcaed
    Exception code: 0xc0000005
    Fault offset: 0x000000000019e45d
    Faulting process id: 0x23c
    Faulting application start time: 0x01cf3773fe973e1b
    Faulting application path: C:\Windows\system32\lsass.exe
    Faulting module path: C:\Windows\system32\ntdsai.dll
    Report Id: 85cfbe32-a367-11e3-80cc-00155d006724
    Faulting package full name:
    Faulting package-relative application ID:
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Application Error" />
        <EventID Qualifiers="0">1000</EventID>
        <Level>2</Level>
        <Task>100</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2014-03-04T06:37:58.000000000Z" />
        <EventRecordID>189576</EventRecordID>
        <Channel>Application</Channel>
        <Computer>NODE2.domain.example</Computer>
        <Security />
      </System>
      <EventData>
        <Data>lsass.exe</Data>
        <Data>6.3.9600.16384</Data>
        <Data>5215e25f</Data>
        <Data>ntdsai.dll</Data>
        <Data>6.3.9600.16421</Data>
        <Data>524fcaed</Data>
        <Data>c0000005</Data>
        <Data>000000000019e45d</Data>
        <Data>23c</Data>
        <Data>01cf3773fe973e1b</Data>
        <Data>C:\Windows\system32\lsass.exe</Data>
        <Data>C:\Windows\system32\ntdsai.dll</Data>
        <Data>85cfbe32-a367-11e3-80cc-00155d006724</Data>
        <Data>
        </Data>
        <Data>
        </Data>
      </EventData>
    </Event>
    In node2 we installed all available updates and hotfixes.

     Hi Azamat Hackimov,
    Regarding the error messages, it seems that the ntdsai.dll file caused the issue. Based on the current situation, please use the
    sfc /scannow command to scan protected system files and check whether it finds and repairs errors. Meanwhile, you can also navigate to the location of this DLL file and confirm its details.
    In addition, Windows Server 2012 R2 has rebooted unexpectedly. Please check whether you get a dump file and then analyze it. It may help us to find the root reason. Please refer
    to the following KB.
    How to read the small memory dump file that is created by Windows if a crash occurs.
    http://support.microsoft.com/kb/315263/en-us
    By the way, it is not effective for us to debug the crash dump file here in the forum. If this issue is a state of emergency for you, please contact Microsoft Customer Service
    and Support (CSS) via telephone so that a dedicated Support Professional can assist with your request.
    To obtain the phone numbers for specific technology request, please refer to the web site listed below:
    http://support.microsoft.com/default.aspx?scid=fh;EN-US;OfferProPhone#faq607
    Hope this helps.
    Best regards,
    Justin Gu

  • Active Directory error message "the following object is not from a domain listed in the Select location forestB\username

    Hello Community
        "forestA" is my forest it is a Windows 2008 Server Enterprise Edition
    domain controller using Active Directory and the UI.
        In my forest ("forestA") trust relationship I created a "One-Way, Out-going"
    forest trust with Forest-Wide authentication so that a different forest user(s) or
    group(s) with a different admin in a forest named “forestB” can access the resources in my “forestA”
        But also forestB needs to create a "One-way, Incoming" forest trust so that
    I can either add the user(s) or group(s) from “forestB” into a "Global Security - Group"
    in my "forestA" or I can
    add user(s) as "domain user(s)" from “forestB” into my "forestA".
        The problem is that when I right click  the global group in my forestA  and then
    properties, when I click "Members" and then the "Add" button when I type
    "forestB\username" I get an error message from Active Directory stating:
        "the following object is not from a domain listed in the Select location
    dialog box, and is therefore not valid: forestB\username".
        Am I doing something wrong when creating the one-way trust in my
    “forestA” or is the one-way trust being created wrong by the other domain admin in the other “forestB”?
        Or could I possibly need to select "Change Domain" or "Change Domain Controller"
    before adding the users or Groups to my forestA from forestB?
        That is why I am asking
     how do you add an Active Directory user from one forest into another forest?
        Thank you
        Shabeaut

    Hello Denis Cooper
        That is the end result.
        What I was trying  to do was that I was trying to
     bring in the user(s) and group(s) from “forestB”  into
    my “forestA”  Global group.
        Later on I was going to add the user(s) or Global groups(s) that I brought into my dc in my forestA
     into the domain local groups  on my member servers in my forestA.
        So since the error message is:
    "the following object is not from a domain listed in the Select location dialog box, and is therefore not valid: forestB\username".
    Does your response
     mean only Global group(s) from forestB, not domain user(s) from forestB, have
     to be added to domain local groups in forestA?
    Or is it also possible to add Global group(s) from “forestB” to Global group(s) in my “forestA” and if so
    how without getting the above error message?
    Thank you
        Shabeaut

  • SMS_AD_SECURITY_GROUP_DISCOVERY_AGENT - Active Directory Security Group Discovery Agent reported warnings for 524 object(s). DDRs were generated for 0 object(s) that had warning(s) while reading non-critical properties.

    Hi, can anyone help me troubleshoot the following please:
    Active Directory Security Group Discovery Agent reported warnings for 524 object(s). DDRs were generated for 0 object(s) that had warning(s) while reading non-critical properties. DDRs were not generated for 524 object(s) that had warnings while reading
    critical properties.
    Possible cause: OU name or Security Group name may contain at least a Unicode character which has conversion problem between Unicode and your system ANSI locale(e.g. Korean characters in English System Locale). The site server might not have access to
    some properties of this object. The container specified might not have the properties available.
    Solution: Please verify the Active Directory schema for properties that are not replicated or locked. Refer to the discovery logs for more information.
    Does the error relate to 524 security groups? There are several invalid search paths listed in adsgdis.log, are these related?
    Thanks,
    Dale

    You'll have to examine the log to determine exactly which objects it's referring to. Although this is in the context of group discovery, group discovery still creates DDRs for computer objects within those groups so it could be either groups or computers.
    This is not a search path issue though as it's clear that the discovery process found 524 different objects, but as stated, it could not properly read critical properties of those objects and thus did not create DDRs for them.
    As mentioned, reading the log in detail will list the objects individually and the reason it could not create a DDR for it.
    Jason | http://blog.configmgrftw.com

  • [Forum FAQ] Using PowerShell to assign permissions on Active Directory objects

    As we all know, the ActiveDirectoryAccessRule class is used to represent an access control entry (ACE) in the discretionary access control list (DACL) of an Active Directory Domain Services object.
    To set the permissions on Active Directory objects, the relevant classes and their enumerations are listed as below:
    System.DirectoryServices.ActiveDirectoryAccessRule class:
    http://msdn.microsoft.com/en-us/library/system.directoryservices.activedirectoryaccessrule(v=vs.110).aspx
    System.DirectoryServices.ActiveDirectoryRights class:
    http://msdn.microsoft.com/en-us/library/system.directoryservices.activedirectoryrights(v=vs.110).aspx
    System.Security.AccessControl.AccessControlType class:
    http://msdn.microsoft.com/en-us/library/w4ds5h86(v=vs.110).aspx
    System.DirectoryServices.ActiveDirectorySecurityInheritance class:
    http://msdn.microsoft.com/en-us/library/system.directoryservices.activedirectorysecurityinheritance(v=vs.110).aspx
    In this article, we introduce three ways to get and set the ACE on an Active Directory object. In general, we use Active Directory Service Interfaces (ADSI) or Active Directory module cmdlets with the Get-Acl and Set-Acl cmdlets to assign simple permissions on Active Directory objects. In addition, we can use the extended rights and GUID settings to execute more complex permission settings.
    Method 1: Using ADSI
      1. Get current permissions of an organizational unit (OU)
    We can use the PowerShell script below to get the current permissions of an organizational unit; you just need to define the name of the OU.
    $Name = "OU=xxx,DC=com"
    $ADObject = [ADSI]"LDAP://$Name"
    $aclObject = $ADObject.psbase.ObjectSecurity
    # Request every explicit and inherited ACE, with identities returned as SIDs
    $aclList = $aclObject.GetAccessRules($true,$true,[System.Security.Principal.SecurityIdentifier])
    $output=@()
    foreach($acl in $aclList){
        $objSID = New-Object System.Security.Principal.SecurityIdentifier($acl.IdentityReference)
        $info = @{
            'ActiveDirectoryRights' = $acl.ActiveDirectoryRights;
            'InheritanceType' = $acl.InheritanceType;
            'ObjectType' = $acl.ObjectType;
            'InheritedObjectType' = $acl.InheritedObjectType;
            'ObjectFlags' = $acl.ObjectFlags;
            'AccessControlType' = $acl.AccessControlType;
            'IdentityReference' = $acl.IdentityReference;
            # Translate the SID to DOMAIN\name (throws for SIDs that can no longer be resolved)
            'NTAccount' = $objSID.Translate( [System.Security.Principal.NTAccount] );
            'IsInherited' = $acl.IsInherited;
            'InheritanceFlags' = $acl.InheritanceFlags;
            'PropagationFlags' = $acl.PropagationFlags;
        }
        $obj = New-Object -TypeName PSObject -Property $info
        $output+=$obj
    }
    $output
    In the figure below, you can see the results of running the script above:
    Figure 1.
    2. Assign a computer object with Full Control permission on an OU
    We can use the script below to delegate Full Control permission to the computer objects within an OU:
    $SysManObj = [ADSI]("LDAP://OU=test….,DC=com") #get the OU object
    $computer = get-adcomputer "COMPUTERNAME" #get the computer object which will be assigned with Full Control permission within an OU
    $sid = [System.Security.Principal.SecurityIdentifier] $computer.SID
    $identity = [System.Security.Principal.IdentityReference] $SID
    $adRights = [System.DirectoryServices.ActiveDirectoryRights] "GenericAll"
    $type = [System.Security.AccessControl.AccessControlType] "Allow"
    $inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "All"
    $ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $identity,$adRights,$type,$inheritanceType #set permission
    $SysManObj.psbase.ObjectSecurity.AddAccessRule($ACE)
    $SysManObj.psbase.commitchanges()
    After running the script above, you can check the computer object in Active Directory Users and Computers (ADUC) and it is under the Security tab in OU Properties.
    Method 2: Using Active Directory module with the Get-Acl and Set-Acl cmdlets
    You can use the script below to get and assign Full Control permission to a computer object on an OU:
    $acl = get-acl "ad:OU=xxx,DC=com"
    $acl.access #to get access right of the OU
    $computer = get-adcomputer "COMPUTERNAME"
    $sid = [System.Security.Principal.SecurityIdentifier] $computer.SID
    # Create a new access control entry to allow access to the OU
    $identity = [System.Security.Principal.IdentityReference] $SID
    $adRights = [System.DirectoryServices.ActiveDirectoryRights] "GenericAll"
    $type = [System.Security.AccessControl.AccessControlType] "Allow"
    $inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "All"
    $ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $identity,$adRights,$type,$inheritanceType
    # Add the ACE to the ACL, then set the ACL to save the changes
    $acl.AddAccessRule($ace)
    Set-acl -aclobject $acl "ad:OU=xxx,DC=com"
    Method 3: Using GUID setting
    The scripts above can only help us to complete simple tasks, however, we may want to execute more complex permission settings. In this scenario, we can use GUID settings to achieve that.
    The specific ACEs allow an administrator to delegate Active Directory specific rights (i.e. extended rights) or read/write access to a property set (i.e. a named collection of attributes) by setting the ObjectType field in an object specific ACE to the rightsGuid of the extended right or property set. The delegation can also be created to target child objects of a specific class by setting the InheritedObjectType field to the schemaIDGuid of the class.
    We choose to use this pattern: ActiveDirectoryAccessRule(IdentityReference, ActiveDirectoryRights, AccessControlType, Guid, ActiveDirectorySecurityInheritance, Guid)
    You can use the script below to assign the group object the permission to change user passwords on all user objects within an OU.
    $acl = get-acl "ad:OU=xxx,DC=com"
    $group = Get-ADgroup xxx
    $sid = new-object System.Security.Principal.SecurityIdentifier $group.SID
    # The following object specific ACE is to grant Group permission to change user password on all user objects under OU
    $objectguid = new-object Guid 00299570-246d-11d0-a768-00aa006e0529 # the rightsGuid for the extended right User-Force-Change-Password (“Reset Password”)
    $inheritedobjectguid = new-object Guid bf967aba-0de6-11d0-a285-00aa003049e2 # the schemaIDGuid for the user class
    $identity = [System.Security.Principal.IdentityReference] $SID
    $adRights = [System.DirectoryServices.ActiveDirectoryRights] "ExtendedRight"
    $type = [System.Security.AccessControl.AccessControlType] "Allow"
    $inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "Descendents"
    $ace = new-object System.DirectoryServices.ActiveDirectoryAccessRule $identity,$adRights,$type,$objectGuid,$inheritanceType,$inheritedobjectguid
    $acl.AddAccessRule($ace)
    Set-acl -aclobject $acl "ad:OU=xxx,DC=com"
    The figure below shows the result of running the script above:
    Figure 2.
    In addition, if you want to assign other permissions, you can change the GUID values in the script above. The common GUID values are listed as below:
    $guidChangePassword      = new-object Guid ab721a53-1e2f-11d0-9819-00aa0040529b
    $guidLockoutTime         = new-object Guid 28630ebf-41d5-11d1-a9c1-0000f80367c1
    $guidPwdLastSet          = new-object Guid bf967a0a-0de6-11d0-a285-00aa003049e2
    $guidComputerObject      = new-object Guid bf967a86-0de6-11d0-a285-00aa003049e2
    $guidUserObject          = new-object Guid bf967aba-0de6-11d0-a285-00aa003049e2
    $guidLinkGroupPolicy     = new-object Guid f30e3bbe-9ff0-11d1-b603-0000f80367c1
    $guidGroupPolicyOptions  = new-object Guid f30e3bbf-9ff0-11d1-b603-0000f80367c1
    $guidResetPassword       = new-object Guid 00299570-246d-11d0-a768-00aa006e0529
    $guidGroupObject         = new-object Guid BF967A9C-0DE6-11D0-A285-00AA003049E2
    $guidContactObject       = new-object Guid 5CB41ED0-0E4C-11D0-A286-00AA003049E2
    $guidOUObject            = new-object Guid BF967AA5-0DE6-11D0-A285-00AA003049E2
    $guidPrinterObject       = new-object Guid BF967AA8-0DE6-11D0-A285-00AA003049E2
    $guidWriteMembers        = new-object Guid bf9679c0-0de6-11d0-a285-00aa003049e2
    $guidNull                = new-object Guid 00000000-0000-0000-0000-000000000000
    $guidPublicInformation   = new-object Guid e48d0154-bcf8-11d1-8702-00c04fb96050
    $guidGeneralInformation  = new-object Guid 59ba2f42-79a2-11d0-9020-00c04fc2d3cf
    $guidPersonalInformation = new-object Guid 77B5B886-944A-11d1-AEBD-0000F80367C1
    $guidGroupMembership     = new-object Guid bc0ac240-79a9-11d0-9020-00c04fc2d4cf
    More information:
    Add Object Specific ACEs using Active Directory Powershell
    http://blogs.msdn.com/b/adpowershell/archive/2009/10/13/add-object-specific-aces-using-active-directory-powershell.aspx
    Please click to vote if the post helps you. This can be beneficial to other community members reading the thread.

    The ActiveDirectoryAccessRule has more than one constructor, but yes, you've interpreted the one that takes six arguments correctly.
    Those GUIDs are different (check just before the first dash). Creating that ACE will create an empty GUID for InheritedObjectType, though, because you're telling it to apply to the Object only ([System.DirectoryServices.ActiveDirectorySecurityInheritance]::None).
    Since the ACE will only apply to the object, there's no need to worry about what types of objects will inherit it.
    If you've got time, check out
    this module. It will let you view the security descriptors in a much friendlier format. Try both version 3.0 and the version 4.0 preview:
    Sample version 3.0:
    # This is going to be kind of slow, and it will take a few seconds the first time
    # you run it because it has to build the list of GUID <--> Property/Class/etc objects
    Get-ADGroup GroupY |
    Get-AccessControlEntry -ObjectAceType member -InheritedObjectAceType group -ActiveDirectoryRights WriteProperty
    # Same as the previous command, except limit it to access granted to GroupX
    Get-ADGroup GroupY |
    Get-AccessControlEntry -ObjectAceType member -InheritedObjectAceType group -ActiveDirectoryRights WriteProperty -Principal GroupX
    Here's version 4.0. It's way faster than 3.0, but it's missing the -ObjectAceType and -InheritedObjectAceType parameters on Get-AccessControlEntry (don't worry, when they come back they'll be better than in 3.0):
    Get-ADGroup GroupY |
    Get-AccessControlEntry
    Get-ADGroup GroupY |
    Get-AccessControlEntry -ActiveDirectoryRights WriteProperty
    Get-ADGroup GroupY |
    Get-AccessControlEntry -ActiveDirectoryRights WriteProperty -Principal GroupX
    # You can do a Where-Object filter until the parameters are added back to Get-AccessControlEntry:
    Get-ADGroup GroupY |
    Get-AccessControlEntry -ActiveDirectoryRights WriteProperty |
    where { $_.AccessMask -match "All Prop|member Prop" }
    Get-ADGroup GroupY |
    Get-AccessControlEntry -ActiveDirectoryRights WriteProperty |
    where { $_.ObjectAceType -in ($null, [guid]::Empty, "bf9679c0-0de6-11d0-a285-00aa003049e2") }
    Get-ADGroup GroupY |
    Get-AccessControlEntry -ActiveDirectoryRights WriteProperty |
    where { $_.AccessMask -match "All Prop|member Prop" -and $_.AppliesTo -match "group"}
    That's just for viewing. Version 3.0 can add and remove access, or you can use New-AccessControlEntry to replace your call to New-Object, and you can still use Get-Acl and Set-Acl. The benefit to New-AccessControlEntry is that you can do something like this:
    New-AccessControlEntry -Principal GroupX -ActiveDirectoryRights WriteProperty -ObjectAceType member -InheritedObjectAceType group #-AppliesTo Object
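    An added example (not code from either reply above, nor from the linked module) that builds the same six-argument ActiveDirectoryAccessRule the script constructs and then audits a security descriptor for Reset Password grants, which is the kind of check the Get-AccessControlEntry filters above are doing by hand. It runs entirely in memory on Windows PowerShell with System.DirectoryServices, so no domain connection is needed; the group SID is a constructed value, and the two GUIDs are the ones quoted in the thread.

```powershell
# Added example: build the six-argument ActiveDirectoryAccessRule from the script above
# and audit a security descriptor for Reset Password grants. Runs in memory on Windows
# (System.DirectoryServices from the .NET Framework); no domain connection is needed.
# The group SID below is a constructed value, not a real principal.

Add-Type -AssemblyName System.DirectoryServices

# GUIDs quoted in the thread: extended right User-Force-Change-Password, and the user class
$ResetPasswordRight = [guid]'00299570-246d-11d0-a768-00aa006e0529'
$UserClass          = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'

function New-ResetPasswordAce {
    param(
        [Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$Sid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]$AppliesTo = 'Descendents'
    )
    # Constructor order: identity, rights, type, objectType, inheritanceType, inheritedObjectType.
    # With -AppliesTo None the InheritedObjectType is dropped (stored as an empty GUID), because
    # an ACE that applies only to the object itself has nothing to inherit to.
    New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $Sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $ResetPasswordRight,
        $AppliesTo,
        $UserClass
    )
}

function Get-ExtendedRightGrant {
    param(
        [Parameter(Mandatory)][System.DirectoryServices.ActiveDirectorySecurity]$Descriptor,
        [guid]$RightGuid = $ResetPasswordRight
    )
    # Enumerate explicit and inherited ACEs (identities as SIDs) and keep Allow ACEs that carry
    # ExtendedRight and either name the requested control access right or have an empty
    # ObjectType, which means "all extended rights" and therefore also covers it.
    $Descriptor.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow -and
            $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
            ($_.ObjectType -eq $RightGuid -or $_.ObjectType -eq [guid]::Empty)
        } |
        Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType
}

# Constructed descriptor: one ACE scoped to descendant user objects, one scoped to the object only
$groupSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-21-1111111111-2222222222-3333333333-1105'
$acl = New-Object System.DirectoryServices.ActiveDirectorySecurity
$acl.AddAccessRule((New-ResetPasswordAce -Sid $groupSid))
$acl.AddAccessRule((New-ResetPasswordAce -Sid $groupSid -AppliesTo None))

Get-ExtendedRightGrant -Descriptor $acl | Format-Table -AutoSize
```

    To run the audit against a real object, replace the in-memory descriptor with the result of Get-Acl on an AD: path, as in the script above; the filter keeps the empty-ObjectType case on purpose, since an ACE granting all extended rights delegates Reset Password just as effectively as one naming the GUID.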
     

  • Cannot find the object "CrossRef" in Active Directory

    I am trying to install Lync 2013. I'm getting the following error: Error:
    An error
    occurred: "Microsoft.Rtc.Management.Deployment.ActiveDirectoryException" "Cannot
    find the object "CrossRef" in Active Directory."
    WARNING: Enable-CSAdForest failed.
    This error is at "Step 3: Prepare Current Forest" of the install.

    I've tried to run the forest prep as a local domain and I get the following:
    Creating new log file "C:\Users\administrator.xxx\AppData\Local\Temp\2\Enable-CSAdForest-052cfe14-7f42-4969-88da-83279413ab8c.xml".
    Enable the Active Directory forest to host Lync Server 2013 deployments.
    Prepare Forest Active Directory settings execution failed on an unrecoverable error.
    Creating new log file "C:\Users\administrator.xxx\AppData\Local\Temp\2\Enable-CSAdForest-[2013_05_30][13_25_56].html".
    WARNING: Enable-CSAdForest failed.
    WARNING: Detailed results can be found at "C:\Users\administrator.xxx\AppData\Local\Temp\2\Enable-CSAdForest-[2013_05_30][13_25_56].html".
    Command execution failed: Container CN=Microsoft,CN=Program Data,DC=xxx,DC=local not found

  • Accessing active directory with javascript client object model

    Hello All,
    my requirement is to get user profile "picture" from
    active directory of my org. to my sharepoint 2013 intranet site via
    java script client object model programming.
    I am successful in retrieving user details (including pics) from user profile services using SP.UserProfile.js but it will show only user who are added in SharePoint groups. But, I need all company users (10,000+ user's) data like name, dept, photo etc.
    If the solution is not feasible with JSOM, please provide any alternative.
    Pls. assist.
    Thanks, Chintan

    You can import profile from AD directly to sharepoint and use it
    Check below:
    http://blogs.technet.com/b/harmeetw/archive/2011/09/10/importing-thumbnail-photos-from-ad-active-directory-into-sharepoint-2010.aspx
    Once imported you need to run below:
    Update-SPProfilePhotoStore -CreateThumbnailsForImportedPhotos 1 -MySiteHostLocation http://<YourServerName>/my
    The cmdlet was introduced in this fix:
    http://support.microsoft.com/kb/2394320  (14.0.5128.5000)
    http://blogs.technet.com/b/lukeb/archive/2013/01/04/sharepoint-import-a-picture-from-ad-for-the-user-profile.aspx

  • Cfldap and deleted objects container in Active Directory

    Hello,
    I am trying to use a CFLDAP query to bind and search in the
    Deleted Objects container of Active Directory. This would allow me
    to get the sAMAccountname values of the users who have been deleted
    within the last default 60 days (searching tombstone objects in
    Deleted Objects).
    I have tried various methods including <cfldap
    start="CN=Deleted Objects, DC=<domain>, DC=<com>> (I
    am omitting the rest of the CFLDAP attributes in the example
    above). I'm not sure if CFLDAP can even query the deleted objects
    container. Has anyone had any experience with this?
    Thanks,
    Ben

    Hi Michael,
    Thanks for your help! I have however already explored those
    solutions offered by Microsoft. Sadly, they only work in separate
    programs (i.e. ldap.exe which comes with Windows Server tools).
    After lots of research I have found a Java method that can bind
    with the container and return the results. CFLDAP, I'm afraid is
    just not capable of doing this - or at least I have had no luck
    with it (I was connecting as domain admin btw).
    The challenge now is to get the Java class to communicate
    with the rest of my cf code.
    Thanks again,
    Ben

  • Size limitation for all attributes in user objects in Active Directory????

    Hi geeks, I want to know the maximum size limit of a user object's attribute in Active Directory, like the maximum number of characters the first name attribute can hold. Thanks in advance.

    You can use ADSI Edit to view the properties of the attributes in the Schema container of your AD. In the Schema container you can select an attribute, like Company, right click, select properties, and find the rangeUpper property of the attribute. This
    is the maximum length in characters (or bytes). You can also use dsquery to retrieve rangeUpper for an attribute. For example:
    dsquery * "cn=Schema,cn=Configuration,dc=MyDomain,dc=com" -filter "(LDAPDisplayName=streetAddress)" -attr rangeUpper
    where your domain is MyDomain.com. This finds the maximum length for the "street address" attribute. A few values in my test domain (the values can be modified, so these are the defaults):
    company                      64
    streetAddress              1024
    physicalDeliveryOfficeName  128
    initials                      6
    st                          128
    postOfficeBox                40
    name                        255
    cn                           64
    You can use the first two spreadsheets on this page to help identify attributes in AD (with no Exchange):
    http://www.rlmueller.net/UserAttributes.htm
    The first spreadsheet documents the attributes corresponding to the fields on most of the tabs of ADUC. For example, "st" is the attribute for state, "physicalDeliveryOfficeName" for the field labeled "office". You need the
    LDAPDisplayNames of the attributes, like I used in the dsquery command above. The second spreadsheet documents all attributes in AD with more information, like the syntax and which class each applies to.
    Richard Mueller - MVP Directory Services
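    An added example, not from the answer above: the same rangeUpper lookup done with the ActiveDirectory module (Get-ADRootDSE and Get-ADObject, which need RSAT and a domain connection), plus a validation function that checks candidate attribute values against those limits before a provisioning script writes them. The default limits table is constructed from the values listed in the answer, so the validation part runs offline; the sample user values are constructed.

```powershell
# Added example (not from the thread): query rangeUpper from the schema and validate
# candidate attribute values against it before writing them to a user object.
# Get-SchemaRangeUpper needs the RSAT ActiveDirectory module and a domain connection;
# Test-AttributeLength runs offline against the defaults table below.

# Defaults quoted in the answer above; they can be modified in the schema, so treat them as defaults
$DefaultRangeUpper = @{
    company                    = 64
    streetAddress              = 1024
    physicalDeliveryOfficeName = 128
    initials                   = 6
    st                         = 128
    postOfficeBox              = 40
    name                       = 255
    cn                         = 64
}

function Get-SchemaRangeUpper {
    # Equivalent of the dsquery command above, returning a hashtable of attribute -> rangeUpper.
    # Attributes with no rangeUpper set in the schema are left out.
    param([Parameter(Mandatory)][string[]]$LdapDisplayName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $limits = @{}
    foreach ($attr in $LdapDisplayName) {
        $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$attr)" -Properties rangeUpper
        if ($obj -and $null -ne $obj.rangeUpper) { $limits[$attr] = [int]$obj.rangeUpper }
    }
    return $limits
}

function Test-AttributeLength {
    # Emits one record per attribute whose value is longer than its rangeUpper; no output means all fit.
    param(
        [Parameter(Mandatory)][hashtable]$Values,
        [hashtable]$Limits = $DefaultRangeUpper
    )
    foreach ($attr in $Values.Keys) {
        if (-not $Limits.ContainsKey($attr)) { continue }   # no known limit, nothing to check
        $length = ([string]$Values[$attr]).Length
        if ($length -gt $Limits[$attr]) {
            [pscustomobject]@{ Attribute = $attr; Length = $length; RangeUpper = $Limits[$attr] }
        }
    }
}

# Constructed sample input for a user about to be provisioned
$candidate = @{
    cn            = 'Jane Q. Example'
    initials      = 'JQEXAMPLE'
    company       = 'Example Holdings Ltd'
    postOfficeBox = 'PO Box 1234'
}

# Offline check against the defaults; swap in (Get-SchemaRangeUpper $candidate.Keys) when connected
Test-AttributeLength -Values $candidate | Format-Table -AutoSize
```

    With the constructed input only the initials value (9 characters against a default limit of 6) is reported; checking lengths up front avoids a constraint violation at write time and, when the limits come from Get-SchemaRangeUpper, reflects whatever a schema change has set rather than the defaults.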

  • Found DAG object in Active Directory

    Dear Friends,
    Today i have detected an Object called 'DAG' in Active Directory. I am not aware of these objects. Please some one could elaborate? It might be a silly question. But still i am feeling free to learn.
    Regards, Jay.

    Hi,
    This object is the Cluster Name Object(CNO) for a DAG.
    In Exchange 2010 when using the Database Availability Group (DAG), we leverage the cluster services in Windows 2008 and Windows 2008 R2. This requires that a machine account be created within the directory for association with this cluster name resource.
    This is known as the CNO or cluster name object.  
    For more information about CNO, you can refer to the following article.
    Exchange 2010 – Pre-staging the Cluster Name Object (CNO) to support a Database Availability Group (DAG)
    http://blogs.technet.com/b/timmcmic/archive/2010/01/05/exchange-2010-pre-staging-the-cluster-name-object-cno-to-support-a-database-availability-group-dag.aspx
    Best regards,
    Belinda
    Belinda Ma
    TechNet Community Support
