Active Directory Object Properties

Similar Messages

• [Forum FAQ] Using PowerShell to assign permissions on Active Directory objects

  As we all know, the
  ActiveDirectoryAccessRule class is used to represent an access control entry (ACE) in the discretionary access control list (DACL) of an Active Directory Domain Services object.
  To set the permissions on Active Directory objects, the relevant classes and their enumerations are listed as below:
  System.DirectoryServices.ActiveDirectoryAccessRule class:
  http://msdn.microsoft.com/en-us/library/system.directoryservices.activedirectoryaccessrule(v=vs.110).aspx
  System.DirectoryServices.ActiveDirectoryRights
  class:
  http://msdn.microsoft.com/en-us/library/system.directoryservices.activedirectoryrights(v=vs.110).aspx
  System.Security.AccessControl.AccessControlType class:
  http://msdn.microsoft.com/en-us/library/w4ds5h86(v=vs.110).aspx
  System.DirectoryServices.ActiveDirectorySecurityInheritance class:
  http://msdn.microsoft.com/en-us/library/system.directoryservices.activedirectorysecurityinheritance(v=vs.110).aspx
  In this article, we introduce three ways to get and set the ACE on an Active Directory object. In general,
  we use Active Directory Service Interfaces (ADSI) or
  Active Directory module cmdlets
  with the Get-Acl and Set-Acl cmdlets to assign simple permissions on Active Directory objects. In addition, we can use the extended rights and GUID settings to execute
  more complex permission settings.
  Method 1: Using ADSI
    1. Get current permissions of an organization unit (OU)
  We can use the PowerShell script below to get current permissions of an organization unit and you just need to define the name of the OU.
  $Name = "OU=xxx,DC=com"
  $ADObject = [ADSI]"LDAP://$Name"
  $aclObject = $ADObject.psbase.ObjectSecurity
  $aclList = $aclObject.GetAccessRules($true,$true,[System.Security.Principal.SecurityIdentifier])
  $output=@()
  foreach($acl in $aclList)
  $objSID = New-Object System.Security.Principal.SecurityIdentifier($acl.IdentityReference)
       $info = @{
  'ActiveDirectoryRights' = $acl.ActiveDirectoryRights;
  'InheritanceType' = $acl.InheritanceType;
  'ObjectType' = $acl.ObjectType;
  'InheritedObjectType' = $acl.InheritedObjectType;
  'ObjectFlags' = $acl.ObjectFlags;
  'AccessControlType' = $acl.AccessControlType;
  'IdentityReference' = $acl.IdentityReference;
  'NTAccount' = $objSID.Translate( [System.Security.Principal.NTAccount] );
  'IsInherited' = $acl.IsInherited;
  'InheritanceFlags' = $acl.InheritanceFlags;
  'PropagationFlags' = $acl.PropagationFlags;
  $obj = New-Object -TypeName PSObject -Property $info
  $output+=$obj}
  $output
  In the figure below, you can see the results of running the script above:
  Figure 1．
  2. Assign a computer object with Full Control permission on an OU
  We can use the script below to delegate Full Control permission to the computer objects within an OU:
  $SysManObj = [ADSI]("LDAP://OU=test….,DC=com") #get the OU object
  $computer = get-adcomputer "COMPUTERNAME" #get the computer object which will be assigned with Full Control permission within an OU
  $sid = [System.Security.Principal.SecurityIdentifier] $computer.SID
  $identity = [System.Security.Principal.IdentityReference] $SID
  $adRights = [System.DirectoryServices.ActiveDirectoryRights] "GenericAll"
  $type = [System.Security.AccessControl.AccessControlType] "Allow"
  $inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "All"
  $ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $identity,$adRights,$type,$inheritanceType #set permission
  $SysManObj.psbase.ObjectSecurity.AddAccessRule($ACE)
  $SysManObj.psbase.commitchanges()
  After running the script above, you can check the computer object in Active Directory Users and Computers (ADUC) and it is under the Security tab in OU Properties.
  Method 2: Using Active Directory module with the Get-Acl and Set-Acl cmdlets
  You can use the script below to get and assign Full Control permission to a computer object on an OU:
  $acl = get-acl "ad:OU=xxx,DC=com"
  $acl.access #to get access right of the OU
  $computer = get-adcomputer "COMPUTERNAME"
  $sid = [System.Security.Principal.SecurityIdentifier] $computer.SID
  # Create a new access control entry to allow access to the OU
  $identity = [System.Security.Principal.IdentityReference] $SID
  $adRights = [System.DirectoryServices.ActiveDirectoryRights] "GenericAll"
  $type = [System.Security.AccessControl.AccessControlType] "Allow"
  $inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "All"
  $ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $identity,$adRights,$type,$inheritanceType
  # Add the ACE to the ACL, then set the ACL to save the changes
  $acl.AddAccessRule($ace)
  Set-acl -aclobject $acl "ad:OU=xxx,DC=com"
  Method 3: Using GUID setting
  The scripts above can only help us to complete simple tasks, however, we may want to execute more complex permission settings. In this scenario, we can use GUID settings to achieve
  that.
  The specific ACEs allow an administrator to delegate Active Directory specific rights (i.e. extended rights) or read/write access to a property set (i.e. a named collection of attributes) by
  setting ObjectType field in an object specific ACE to the
  rightsGuid of the extended right or property set. The delegation can also be created to target child objects of a specific class by setting the
  InheritedObjectType field to the schemaIDGuid of the class.
  We choose to use this pattern: ActiveDirectoryAccessRule(IdentityReference, ActiveDirectoryRights, AccessControlType, Guid, ActiveDirectorySecurityInheritance, Guid)
  You can use the script below to
  assign the group object with the permission to change user password on all user objects within an OU.
  $acl = get-acl "ad:OU=xxx,DC=com"
  $group = Get-ADgroup xxx
  $sid = new-object System.Security.Principal.SecurityIdentifier $group.SID
  # The following object specific ACE is to grant Group permission to change user password on all user objects under OU
  $objectguid = new-object Guid 
  00299570-246d-11d0-a768-00aa006e0529 # is the rightsGuid for the extended right User-Force-Change-Password (“Reset Password”) 
  class
  $inheritedobjectguid = new-object Guid 
  bf967aba-0de6-11d0-a285-00aa003049e2 # is the schemaIDGuid for the user
  $identity = [System.Security.Principal.IdentityReference] $SID
  $adRights = [System.DirectoryServices.ActiveDirectoryRights] "ExtendedRight"
  $type = [System.Security.AccessControl.AccessControlType]
  "Allow"
  $inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "Descendents"
  $ace = new-object System.DirectoryServices.ActiveDirectoryAccessRule $identity,$adRights,$type,$objectGuid,$inheritanceType,$inheritedobjectguid
  $acl.AddAccessRule($ace)
  Set-acl -aclobject $acl "ad:OU=xxx,DC=com"
  The figure below shows the result of running the script above:
  Figure 2．
  In addition, if you want to assign other permissions, you can change the GUID values in the script above. The common GUID values are listed as below:
  $guidChangePassword     
  = new-object Guid ab721a53-1e2f-11d0-9819-00aa0040529b
  $guidLockoutTime        
  = new-object Guid 28630ebf-41d5-11d1-a9c1-0000f80367c1
  $guidPwdLastSet         
  = new-object Guid bf967a0a-0de6-11d0-a285-00aa003049e2
  $guidComputerObject     
  = new-object Guid bf967a86-0de6-11d0-a285-00aa003049e2
  $guidUserObject         
  = new-object Guid bf967aba-0de6-11d0-a285-00aa003049e2
  $guidLinkGroupPolicy    
  = new-object Guid f30e3bbe-9ff0-11d1-b603-0000f80367c1
  $guidGroupPolicyOptions 
  = new-object Guid f30e3bbf-9ff0-11d1-b603-0000f80367c1
  $guidResetPassword      
  = new-object Guid 00299570-246d-11d0-a768-00aa006e0529
  $guidGroupObject        
  = new-object Guid BF967A9C-0DE6-11D0-A285-00AA003049E2                                          
  $guidContactObject      
  = new-object Guid 5CB41ED0-0E4C-11D0-A286-00AA003049E2
  $guidOUObject           
  = new-object Guid BF967AA5-0DE6-11D0-A285-00AA003049E2
  $guidPrinterObject      
  = new-object Guid BF967AA8-0DE6-11D0-A285-00AA003049E2
  $guidWriteMembers   
      = new-object Guid bf9679c0-0de6-11d0-a285-00aa003049e2
  $guidNull               
  = new-object Guid 00000000-0000-0000-0000-000000000000
  $guidPublicInformation  
  = new-object Guid e48d0154-bcf8-11d1-8702-00c04fb96050
  $guidGeneralInformation 
  = new-object Guid 59ba2f42-79a2-11d0-9020-00c04fc2d3cf
  $guidPersonalInformation = new-object Guid 77B5B886-944A-11d1-AEBD-0000F80367C1
  $guidGroupMembership    
  = new-object Guid bc0ac240-79a9-11d0-9020-00c04fc2d4cf
  More information:
  Add Object Specific ACEs using Active Directory Powershell
  http://blogs.msdn.com/b/adpowershell/archive/2009/10/13/add-object-specific-aces-using-active-directory-powershell.aspx
  Please click to vote if the post helps you. This can be beneficial to other community members reading the thread.

  The ActiveDirectoryAccessRule has more than one constructor, but yes, you've interpreted the one that takes six arguments correctly.
  Those GUIDs are different (check just before the first dash). Creating that ACE will create an empty GUID for InheritedObjectType, though, because you're telling it to apply to the Object only ([System.DirectoryServices.ActiveDirectorySecurityInheritance]::None).
  Since the ACE will only apply to the object, there's no need to worry about what types of objects will inherit it.
  If you've got time, check out
  this module. It will let you view the security descriptors in a much friendlier format. Try both version 3.0 and the version 4.0 preview:
  Sample version 3.0:
  # This is going to be kind of slow, and it will take a few seconds the first time
  # you run it because it has to build the list of GUID <--> Property/Class/etc objects
  Get-ADGroup GroupY |
  Get-AccessControlEntry -ObjectAceType member -InheritedObjectAceType group -ActiveDirectoryRights WriteProperty
  # Same as the previous command, except limit it to access granted to GroupX
  Get-ADGroup GroupY |
  Get-AccessControlEntry -ObjectAceType member -InheritedObjectAceType group -ActiveDirectoryRights WriteProperty -Principal GroupX
  Here's version 4.0. It's way faster than 3.0, but it's missing the -ObjectAceType and -InheritedObjectAceType parameters on Get-AccessControlEntry (don't worry, when they come back they'll be better than in 3.0):
  Get-ADGroup GroupY |
  Get-AccessControlEntry
  Get-ADGroup GroupY |
  Get-AccessControlEntry -ActiveDirectoryRights WriteProperty
  Get-ADGroup GroupY |
  Get-AccessControlEntry -ActiveDirectoryRights WriteProperty -Principal GroupX
  # You can do a Where-Object filter until the parameters are added back to Get-AccessControlEntry:
  Get-ADGroup GroupY |
  Get-AccessControlEntry -ActiveDirectoryRights WriteProperty |
  where { $_.AccessMask -match "All Prop|member Prop" }
  Get-ADGroup GroupY |
  Get-AccessControlEntry -ActiveDirectoryRights WriteProperty |
  where { $_.ObjectAceType -in ($null, [guid]::Empty, "bf9679c0-0de6-11d0-a285-00aa003049e2") }
  Get-ADGroup GroupY |
  Get-AccessControlEntry -ActiveDirectoryRights WriteProperty |
  where { $_.AccessMask -match "All Prop|member Prop" -and $_.AppliesTo -match "group"}
  That's just for viewing. Version 3.0 can add and remove access, or you can use New-AccessControlEntry to replace your call to New-Object, and you can still use Get-Acl and Set-Acl. The benefit to New-AccessControlEntry is that you can do something like this:
  New-AccessControlEntry -Principal GroupX -ActiveDirectoryRights WriteProperty -ObjectAceType member -InheritedObjectAceType group #-AppliesTo Object
   

• How to list all the Fields for an Active Directory Object

  How do I list all the fields that an Active Directory object contains? I know the most common ones, but would like to enumerate through all the fields and obtain the type of fields and their values...

  Here is my complete code - I only put snippets so that the post was not too huge...
  Option Explicit
  Const ADS_SCOPE_SUBTREE = 2
  Const ForReading = 1, ForWriting = 2, ForAppending = 8
  Dim adoCommand, adoConnection, adoRecordSet
  Dim dtmDate, dtmValue
  Dim j
  Dim lngBias, lngBiasKey, lngHigh, lngLow, lngValue
  Dim objADObject, objClass, objDate, objFile, objFSO, objRootDSE, objShell
  Dim pathToScript
  Dim strAdsPath, strConfig, strDNSDomain, strHex, strItem, strProperty, strValue
  Dim strFilter, strQuery
  Set objFSO = CreateObject("Scripting.FileSystemObject")
  Set objShell = CreateObject("Wscript.Shell")
  pathToScript = objShell.CurrentDirectory
  Set objFile = objFSO.CreateTextFile(pathToScript & "\TestAD.csv")
  ' Determine Time Zone bias in local registry.
  ' This bias changes with Daylight Savings Time.
  lngBiasKey = objShell.RegRead("HKLM\System\CurrentControlSet\Control\TimeZoneInformation\ActiveTimeBias")
  If (UCase(TypeName(lngBiasKey)) = "LONG") Then
  lngBias = lngBiasKey
  ElseIf (UCase(TypeName(lngBiasKey)) = "VARIANT()") Then
  lngBias = 0
  For j = 0 To UBound(lngBiasKey)
  lngBias = lngBias + (lngBiasKey(j) * 256^j)
  Next
  End If
  ' Determine configuration context and DNS domain from RootDSE object.
  Set objRootDSE = GetObject("LDAP://RootDSE")
  strConfig = objRootDSE.Get("configurationNamingContext")
  strDNSDomain = objRootDSE.Get("defaultNamingContext")
  Set adoCommand = CreateObject("ADODB.Command")
  Set adoConnection = CreateObject("ADODB.Connection")
  adoConnection.Provider = "ADsDSOObject"
  adoConnection.Open "Active Directory Provider"
  adoCommand.ActiveConnection = adoConnection
  adoCommand.CommandText = "SELECT * FROM 'LDAP://" & strDNSDomain & "'WHERE objectClass=user'"
  adoCommand.Properties("Page Size") = 1000
  adoCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
  Set adoRecordSet = adoCommand.Execute
  Set adoRecordSet = adoCommand.Execute
  adoRecordSet.MoveFirst
  Do Until adoRecordSet.EOF
  strAdsPath = adoRecordSet.Fields("ADsPath").Value
  ' Bind to Active Directory object specified.
  Set objADObject = GetObject(strAdsPath)
  Set objClass = GetObject(objADObject.Schema)
  ' Write which object is grabbed from AD
  objFile.Write(Replace(strAdsPath, ",", ";;;"))
  ' Enumerate mandatory object properties.
  For Each strProperty In objClass.MandatoryProperties
  On Error Resume Next
  strValue = objADObject.Get(strProperty)
  If (Err.Number = 0) Then
  On Error GoTo 0
  If (TypeName(strValue) = "String") Or (TypeName(strValue) = "Long") Or (TypeName(strValue) = "Date") Then
  objFile.Write("," & strProperty & "|||" & Replace(CStr(strValue), ",", ";;;"))
  ElseIf (TypeName(strValue) = "Byte()") Then
  strHex = OctetToHexStr(strValue)
  objFile.Write("," & strProperty & "|||" & CStr(strHex))
  ElseIf (TypeName(strValue) = "Variant()") Then
  For Each strItem In strValue
  On Error Resume Next
  objFile.Write("," & strProperty & "|||" & Replace(CStr(strItem), ",", ";;;"))
  If (Err.Number <> 0) Then
  On Error GoTo 0
  objFile.Write("," & strProperty & "|||Value cannot be displayed")
  End If
  On Error GoTo 0
  Next
  ElseIf (TypeName(strValue) = "Boolean") Then
  objFile.Write("," & strProperty & "|||" & CBool(strValue))
  Else
  objFile.Write("," & strProperty & "|||Type:" & TypeName(strValue))
  End If
  Else
  Err.Clear
  sColl = objADObject.GetEx(strProperty)
  If (Err.Number = 0) Then
  For Each strItem In sColl
  objFile.Write("," & strProperty & "|||" & CStr(strItem))
  If (Err.Number <> 0) Then
  objFile.Write("," & strProperty & "|||Value cannot be displayed")
  End If
  Next
  On Error GoTo 0
  Else
  Err.Clear
  Set objDate = objADObject.Get(strProperty)
  If (Err.Number = 0) Then
  lngHigh = objDate.HighPart
  If (Err.Number = 0) Then
  lngLow = objDate.LowPart
  If (lngLow < 0) Then
  lngHigh = lngHigh + 1
  End If
  lngValue = (lngHigh * (2 ^ 32)) + lngLow
  If (lngValue > 120000000000000000) Then
  dtmValue = #1/1/1601# + (lngValue / 600000000 - lngBias) / 1440
  On Error Resume Next
  dtmDate = CDate(dtmValue)
  If (Err.Number <> 0) Then
  objFile.Write("," & strProperty & "|||<Never>")
  Else
  objFile.Write("," & strProperty & "|||" & CStr(dtmDate))
  End If
  Else
  objFile.Write("," & strProperty & "|||" & FormatNumber(lngValue, 0))
  End If
  Else
  objFile.Write("," & strProperty & "|||Value cannot be displayed")
  End If
  Else
  On Error GoTo 0
  objFile.Write("," & strProperty)
  End If
  On Error GoTo 0
  End If
  End If
  Next
  ' Enumerate optional object properties.
  For Each strProperty In objClass.OptionalProperties
  On Error Resume Next
  strValue = objADObject.Get(strProperty)
  If (Err.Number = 0) Then
  On Error GoTo 0
  If (TypeName(strValue) = "String") Then
  objFile.Write("," & strProperty & "|||" & Replace(CStr(strValue), ",", ";;;"))
  ElseIf (TypeName(strValue) = "Long") Then
  objFile.Write("," & strProperty & "|||" & Replace(CStr(strValue), ",", ";;;"))
  ElseIf (TypeName(strValue) = "Date") Then
  objFile.Write("," & strProperty & "|||" & Replace(CStr(strValue), ",", ";;;"))
  ElseIf (TypeName(strValue) = "Byte()") Then
  strHex = OctetToHexStr(strValue)
  objFile.Write("," & strProperty & "|||" & CStr(strHex))
  ElseIf (TypeName(strValue) = "Variant()") Then
  For Each strItem In strValue
  On Error Resume Next
  objFile.Write("," & strProperty & "|||" & Replace(CStr(strItem), ",", ";;;"))
  If (Err.Number <> 0) Then
  On Error GoTo 0
  objFile.Write("," & strProperty & "|||Value cannot be displayed")
  End If
  On Error GoTo 0
  Next
  ElseIf (TypeName(strValue) = "Boolean") Then
  objFile.Write("," & strProperty & "|||" & CBool(strValue))
  Else
  objFile.Write("," & strProperty & "|||Type:" & TypeName(strValue))
  End If
  Else
  Err.Clear
  sColl = objADObject.GetEx(strProperty)
  If (Err.Number = 0) Then
  For Each strItem In sColl
  objFile.Write("," & strProperty & "|||" & CStr(strItem))
  If (Err.Number <> 0) Then
  objFile.Write("," & strProperty & "|||Value cannot be displayed")
  End If
  Next
  On Error GoTo 0
  Else
  Err.Clear
  Set objDate = objADObject.Get(strProperty)
  If (Err.Number = 0) Then
  lngHigh = objDate.HighPart
  If (Err.Number = 0) Then
  lngLow = objDate.LowPart
  If (lngLow < 0) Then
  lngHigh = lngHigh + 1
  End If
  lngValue = (lngHigh * (2 ^ 32)) + lngLow
  If (lngValue > 120000000000000000) Then
  dtmValue = #1/1/1601# + (lngValue / 600000000 - lngBias) / 1440
  On Error Resume Next
  dtmDate = CDate(dtmValue)
  If (Err.Number <> 0) Then
  objFile.Write("," & strProperty & "|||<Never>")
  Else
  objFile.Write("," & strProperty & "|||" & CStr(dtmDate))
  End If
  Else
  objFile.Write("," & strProperty & "|||" & lngValue)
  End If
  Else
  objFile.Write("," & strProperty & "|||Value cannot be displayed")
  End If
  Else
  On Error GoTo 0
  objFile.Write("," & strProperty & "||| ")
  End If
  On Error GoTo 0
  End If
  End If
  Next
  objFile.WriteLine("")
  adoRecordSet.MoveNext
  Loop
  objFile.Close
  ' Function to convert OctetString (Byte Array) to a hex string.
  Function OctetToHexStr(arrbytOctet)
  Dim k
  OctetToHexStr = ""
  For k = 1 To Lenb(arrbytOctet)
  OctetToHexStr = OctetToHexStr _
  & Right("0" & Hex(Ascb(Midb(arrbytOctet, k, 1))), 2)
  Next
  End Function
  I have been able to obtain all the Computer, Contact, Group and OU objects without issue with this code...

• What is the default Win2000 Active Directory Object Attribute definition for adding users? I'm using the 4.1 Netscape Directory SDK

  The Netscape/NDS AddUser implements inetOrgPerson, and some other objects/Attributes not implemented in Active Directory Object Attributes, and I receive errors about the Attributes. Could you tell me the correct Attribute definition for the default DS, to add a user?

  Unsure what you mean. iDS 5 implements the inetOrgPerson as of the RFC. It is made of 4 objects top, person, organizationPerson and inetOrgPerson. The user object in MAD using many more MS specifi attributes in the top class. (53 extras)

• Renaming Active Directory object

  Hi guys,
  I have search all over the internet to find a solution for this, but I didn't find anything ... is there any way to rename an object in AD?
  For example:
  CN=my user name, CN=Users, DC=myCompany, DC=comneeds to be renamed to:
  CN=John Smith, CN=Users, DC=myCompany, DC=comSo I am trying to change the CN, but I can't figure this out!!!
  I know that this is possible because Microsoft has this functionality in C#
  try
      // Bind to the user object to modify.
      DirectoryEntry child = new DirectoryEntry("LDAP://CN=My User Name,OU=Marketing,DC=fabrikam,DC=com");
      // Rename the object to Jeff Smith.
      child.Rename("CN=New User Name");
  catch (Exception Exception1)
      // If a COMException is thrown, then the following code can capture the text of the error.
      // For more information about handling COM exceptions, see Handling Errors.
      System.Runtime.InteropServices.COMException COMEx =
      (System.Runtime.InteropServices.COMException) Exception1;
      Console.WriteLine(COMEx.ErrorCode);
  )Thanks in advance

  Of course there is a way to rename an Active Driectory object !
  You obviously didn't search very thoroughly, else you would have at least looked up the JNDI tutorial in which you would have found context.rename()
  Renaming an object is similar to a move operation as described in a previous post http://forum.java.sun.com/thread.jspa?threadID=628913&tstart=15
  Again assuming you have an initial context, the code would sort of look likeString oldUserName = "CN=Albert Einstein";
  String newUserName = "CN=Isaac Newton";
  String ouPath= "OU=Research,DC=antipodes,DC=com";
  LdapContext ouCtx = (LdapContext)ctx.lookup(ouPath);
  ouCtx.rename(oldUserName,newUserName);

• Logoncount Attribute on Computer objects in Active Directory

  Hello,
  I have one question about the logoncount Attribute on Active Directory objects. As I understood on user objects this attribute counts the number of logons per DC (because it is not replicating).
  My question is:
  What exactly is count here on computer objects?
  I can see that on a Domain Controller computer object the logoncount is high for the DC itself and low on the other DC objects.
  Thank you.
  Regards
  Dennis

  Here is an old thread.  You will see some of the explanation from our own Richard :)
  http://www.techtalkz.com/windows-server-2003/500367-attributes-update-during-computer-logon.html
  Santhosh Sivarajan | Houston, TX | www.sivarajan.com
  ITIL,MCITP,MCTS,MCSE (W2K3/W2K/NT4),MCSA(W2K3/W2K/MSG),Network+,CCNA
  Windows Server 2012 Book - Migrating from 2008 to Windows Server 2012
  Blogs: Blogs
  Twitter: Twitter
  LinkedIn: LinkedIn
  Facebook: Facebook
  Microsoft Virtual Academy:
  Microsoft Virtual Academy
  This posting is provided AS IS with no warranties, and confers no rights.

• SharePoint 2013 profile service account requirements when using "Use SharePoint Active Directory Import" option

  Hi All,
  I am trying to configure SharePoint Profile service. We would like a straightforward profile import from Active Directory.
  On the "Configure Synchronization Settings" page, we have chosen the option "Use SharePoint Active Directory Import" option.
  We have created a connection to the Active Directory using Configure Synchronization Connections page. We have specified the account that would be used for the import process.
  Question:
  I would like to confirm whether the account configured for the profile import need any special privileges when using "Use SharePoint Active Directory Import" option ?
  Thanks,
  Saurabh

  Grant Replicate Directory Changes permission on a domain
  To do this please follows below procedure
  On the domain controller, click Start, click Administrative Tools, and then click Active Directory Users and Computers.
  In Active Directory Users and Computers, right-click the domain, and then click Delegate Control.
  On the first page of the Delegation of Control Wizard, click Next.
  On the Users or Groups page, click Add.
  Type the name of the synchronization account, and then click OK.
  Click Next.
  On the Tasks to Delegate page, select Create a custom task to delegate, and then click Next.
  On the Active Directory Object Type page, select This folder, existing objects in this folder, and creation of new objects in this folder, and then clickNext.
  On the Permissions page, in the Permissions box, select Replicating Directory Changes (select Replicate Directory Changes on
  Windows Server 2003), and then click Next.
  Click Finish.
  Thanks & Regards
  ShivaPrasad Pola
  SharePoint Developer 

• How to update users to Active Directory using Hyena Active Task List?

  Kevin,
  thanks for your input. I was able to firgured it out. It need the full path. with the CN=John Doe
  Working like a charm!! thx!!

  http://www.systemtools.com/HyenaHelp/active_editor.htm"Each Active Directory object is identifiable by its directory path, called the ADsPath. A special symbol, %ADSPATH%, can be inserted in the field order list that can be associated with the directory path in the import file. The ADsPath doesNOThave to be one of the attributes for the directory objects in the Editor if the ADsPath is used as the Key Field in the import file.Using an ADsPath as a match field can be difficult, as it is a long and complex string, and if special characters are used in some directory fields, Active Directory will automatically insert additional special characters into the ADsPath. One method of getting the ADsPath into a file for directory objects is to use Hyena's Edit Copy dialog. A special symbol, %ADSPATH%, can be added to any Active Directory copied...

• Exchange trying to resolve external e-mail addresses in local Active Directory

  Hi
  On all of my Mailbox Database servers, i'm getting the following warning in my Application log: 
  Level: Warning
  Source: MSExchange Mid-Tier Storage
  EventID: 2009
  Message:
  [Process:w3wp PID:6032 Thread:89] Error occurred while resolving the Active Directory object for from email address field: '[email protected]'. Audit log will not be generated for this case. Exception details:
  Microsoft.Exchange.Data.Storage.ObjectNotFoundException: The Active Directory user wasn't found.
  at Microsoft.Exchange.Data.Storage.ExchangePrincipalFactory.FromProxyAddress(IRecipientSession session, String proxyAddress, RemotingOptions remotingOptions)
  at Microsoft.Exchange.Data.Storage.ExchangePrincipalFactory.FromProxyAddress(ADSessionSettings adSettings, String proxyAddress, RemotingOptions remotingOptions)
  at Microsoft.Exchange.Data.Storage.ExchangePrincipal.FromProxyAddress(ADSessionSettings adSettings, String proxyAddress)
  at Microsoft.Exchange.Data.Storage.COWAudit.GetSubmitEffectiveMailboxOwner(MailboxSession session, CallbackContext callbackContext)
  I have three Exchange Server 2013 MBX/CAS servers, and two Exchange Server 2013 Edge Transport servers in front of them.
  As mentioned earlier, this warning is on all three of the MBX/CAS servers. The external e-mail address vary.
  I've used the Get-MessageTrackingLog to debug, and I can see that this error comes when an internal user sends a "Meeting Forward Notification" to an external e-mail address. Exchange tries to resolve the external e-mail address in Active Directory
  and throws this warning, for some reason.
  Is there anyone that knows how to fix this?

  Hi Allen
  Sorry for the late reply.
  1. No it's not. It gets the EventID "HADISCARD" and SourceContext "ExplicitlyDiscarded". Here's an example:
  RunspaceId : a25e81b2-9f4a-49f2-895b-xxxxxxxxxxxx
  Timestamp : 09-02-2015 13:01:02
  ClientIp :
  ClientHostname :
  ServerIp :
  ServerHostname : MBX01
  SourceContext : ExplicitlyDiscarded
  ConnectorId :
  Source : SMTP
  EventId : HADISCARD
  InternalMessageId : 8907762172963
  MessageId : <[email protected]>
  Recipients : {[email protected]}
  RecipientStatus : {}
  TotalBytes : 17347
  RecipientCount : 1
  RelatedRecipientAddress :
  Reference :
  MessageSubject : Meeting Forward Notification: A subject
  Sender : [email protected]
  ReturnPath : [email protected]
  Directionality : Originating
  TenantId :
  OriginalClientIp :
  MessageInfo :
  MessageLatency :
  MessageLatencyType : None
  EventData : {[DeliveryPriority, None], [PrioritizationReason, ShadowRedundancy]}
  2. Yes, and other mails are routed to our Edge Transport Servers, and from there to Office 365 (Exchange Online Protection). It's only occurs when sending Meeting Forward Notifications, Accepting meetings, and so fourth - and it all comes from Outlook 2013
  clients (RPC over HTTPS).

• Active directory, SSGD and password change

  Hi everybody, we have some problems with SSGD, active directory and password change
  Scenario:
  We have 2 different perfectly working Active directory called "Gruppo" and "Eracle";
  We have 2 different tarantella installations called "Sgd" and "Tlv";
  Sgd servers are working servers and users authenticate against Eracle, used by our customer.
  We made 2 basic different test with Tlv:
  1. we configure Tlv to authenticate users against Gruppo (that is our real need)---> we can't change pasword using kpasswd or ttakpasswd
  2. we configure Tlv to authenticate users against Eracle ---> everything was ok
  There are NO DIFFERENCE beetween Sgd and Tlv, they have same configuration, same krb5.conf etc..
  There is ONE DIFFERENCE beetween Eracle and Gruppo:
  Eracle Active Directory's properties:
  Domain functional level: Windows 2000 mixed
  Forest functional level: Windows 2000
  Gruppo Active Directory's properties:
  Domain functional level: Windows 2000 native
  Forest functional level: Windows 2000
  SSGD documentation doesn't speak about different Active Directory properties. The SSGD documentation says that you can authenticate users against Active directory, so, IT HAS TO WORK even if the domain functional level of active directory is different.
  Can someone help us^Hi Simon
  I'll try again to explain you our problem, because it seems that I wasn't so clear.
  Scenario:
  We have 2 different perfectly working Active directory called "Gruppo" and "Eracle";
  We have 2 different tarantella installations called "Sgd" and "Tlv";
  Sgd servers are working servers and users authenticate against Eracle, used by our customer.
  We made 2 basic different test with Tlv:
  1. we configure Tlv to authenticate users against Gruppo (that is our real need)---> we can't change pasword using kpasswd or ttakpasswd
  2. we configure Tlv to authenticate users against Eracle ---> everything was ok
  There are NO DIFFERENCE beetween Sgd and Tlv, they have same configuration, same krb5.conf etc..
  There is ONE DIFFERENCE beetween Eracle and Gruppo:
  Eracle Active Directory's properties:
  Domain functional level: Windows 2000 mixed
  Forest functional level: Windows 2000
  Gruppo Active Directory's properties:
  Domain functional level: Windows 2000 native
  Forest functional level: Windows 2000
  SSGD documentation doesn't speak about different Active Directory properties. The SSGD documentation says that you can authenticate users against Active directory, so, IT HAS TO WORK even if the domain functional level of active directory is different.
  Can someone help us?
  Many thank
  Patrizia

  Added question.
  Do you guys know if changing the password will change the password on their Active directory access.
  Thanks,
  helmut

• Home Directory on Active Directory

  I am attempting to have the OS X users upon logging in, gain automatic access to their home directory in my W2K server. As an example, when I log in via the "Other" user, my home folder from the W2K server becomes my Home directory. All the necessary files from OS X seem to be resident in my W2K home directory so if I go to the Home item under the Go menu, that is the folder that appears. No local Home directory was/is created on the local machine. I am trying to have it so that all users work this way. If I try to log on as any other user including another Administrative user, the same does not occur, a local Home directory is always created and I must log onto the server through the Go menu to get the Home Directory. I cannot seem to find anything different with the settings on either the W2K server's Active Directory User Properties or in the Directory Access settings. So, in a nutshell, what do I need to do to make this work the way I'd like.
  Thank you in advance for any assistance.

  Sounds good but there are only two local users on the units I've played with and they do not match the AD username. I have attempted this with various users with varying levels of authority without finding the common thread yet. I've come to the conclusion that it has something more to do with permissions and/or settings on the AD or server volume rather than an OS X issue. Still working on it though so any assistance is welcome. Thanks.

• Show Active Directory Property Page

  Hello everybody,
  I hope this topic is published in the correct forum. I try to find the API which shows the native property page of Active Directory objects. If possible with an example (VB.Net)? There exists an similar function named "openquerywindow" which
  used by dsquery.dll. Is there a library function that would do this (e.g.
  activeds.dll or dsprop.dll)?
  Thanks in advance,
  Matthias

  Hello Matthias,
  >> I try to find the API which shows the native property page of Active Directory objects.
  I do not quite understand what the native property page of Active Directory objects is, if it means the native Active Directory Service Interfaces (ADSI) object, you then could get it by using
  DirectoryEntry class:
  DirectoryEntry.NativeObject Property
  If not, since it is not very clear what you are trying to query from the active directory, there is a list which you could query from .NET, you could check if there are features that you want:
  Search Active Directory
  Here is a blog which provides a detail description about how to: Querying Active Directory which I think could be helpful.
  Regards.
  We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place.
  Click
  HERE to participate the survey.

• SMS_AD_SECURITY_GROUP_DISCOVERY_AGENT - Active Directory Security Group Discovery Agent reported warnings for 524 object(s). DDRs were generated for 0 object(s) that had warning(s) while reading non-critical properties.

  Hi, can anyone help me troubleshoot the following please:
  Active Directory Security Group Discovery Agent reported warnings for 524 object(s). DDRs were generated for 0 object(s) that had warning(s) while reading non-critical properties. DDRs were not generated for 524 object(s) that had warnings while reading
  critical properties.
  Possible cause: OU name or Security Group name may contain at least a Unicode character which has conversion problem between Unicode and your system ANSI locale(e.g. Korean characters in English System Locale). The site server might not have access to
  some properties of this object. The container specified might not have the properties available.
  Solution: Please verify the Active Directory schema for properties that are not replicated or locked. Refer to the discovery logs for more information.
  Does the error relate to 524 security groups? There are several invalid search paths listed in adsgdis.log, are these related?
  Thanks,
  Dale

  You'll have to examine the log to determine exactly which objects its referring to. Although this is in the context of group discovery, group discovery still creates DDRs for computer objects within those groups so it could be either groups or computers.
  This is not a search path issue though as it's clear that the discovery process found 524 different objects, but as stated, it could not properly read criticial properties of those objects and thus did not create DDRs for them.
  As mentioned, reading the log in detail will list the objects individually and the reason it could not create a DDR for it.
  Jason | http://blog.configmgrftw.com

• Active Directory error message "the following object is not from a domain listed in the Select location forestB\username

  Hello Community
      "forestA" is my forest it is a Windows 2008 Server Enterprise Edition
  domain controller using Active Directory and the UI.
      In my forest ("forestA") trust relationship I created a "One-Way, Out-going"
  forest trust with Forest-Wide authentication so that a different forest user(s) or
  group(s) with a different admin in a forest named “forestB” can access the resources in my “forestA”
      But also forestB needs to create a "One-way, Incoming" forest trust so that
  I can either add the user(s) or group(s) from “forestB” into to a "Global Security - Group"
  in my "forestA" or I can
   add user(s)  as  "domain user(s)" from “forestB” into my "forestA".
      The problem is that when I right click  the global group in my forestA  and then
  properties, when I click "Members" and then the "Add" button when I type
  "forestB\username" I get an error message from Active Directory stating:
      "the following object is not from a domain listed in the Select location
  dialog box, and is therefore not valid: forestB\username".
      Am I doing something wrong when creating the one-way trust in my
  “forestA” or is the one-way trust being created wrong by the other domain admin in the other “forestB”?
      Or could I possibly need to select "Change Domain" or "Change Domain Controller"
  before adding the users or Groups to my forestA from forestB?
      That is why I am asking
   how do you add an Active Directory user from one forest into another forest?
      Thank you
      Shabeaut

  Hello Denis Cooper
      That is the end result.
      What I was trying  to do was that I was trying to
   bring in the user(s) and group(s) from “forestB”  into
  my “forestA”  Global group.
      Later on I was going to add the user(s) or Global groups(s) that I brought into my dc in my forestA
   into the domain local groups  on my member servers in my forestA.
      So since the error message is:
  "the following object is not from a domain listed in the Select location dialog box, and is therefore not valid: forestB\username".
  Does your response
   mean only Global group(s) from forestB not domain user(s) from forestB have
   to been added to domain local groups in forestA?
  Or is it also possible to add Global group(s) from “forestB” to Global group(s) in my “forestA” and if so
  how without getting the above error message?
  Thank you
      Shabeaut

• Size limitation for all attributes in user objects in Active Directory????

  hi geeks , i wanna know maximum size limit of an user objects attribute in   active directory ... like max amount of character first name attribute can hold ... Thank in advance..

  You can use ADSI Edit to view the properties of the attributes in the Schema container of your AD. In the Schema container you can select an attribute, like Company, right click, select properties, and find the rangeUpper property of the attribute. This
  is the maximum length in characters (or bytes). You can also use dsquery to retrieve rangeUpper for an attribute. For example:
  dsquery * "cn=Schema,cn=Configuration,dc=MyDomain,dc=com" -filter "(LDAPDisplayName=streetAddress)" -attr rangeUpper
  where your domain is MyDomain.com. This finds the maximum length for the "street address" attribute. A few values in my test domain (the values can be modified, so these are the defaults):
  company                      64
  streetAddress              1024
  physicalDeliveryOfficeName  128
  initials                      6
  st                          128
  postOfficeBox                40
  name                        255
  cn                           64
  You can use the first two spreadsheets on this page to help identify attributes in AD (with no Exchange):
  http://www.rlmueller.net/UserAttributes.htm
  The first spreadsheet documents the attributes corresponding to the fields on most of the tabs of ADUC. For example, "st" is the attribute for state, "physicalDeliveryOfficeName" for the field labeled "office". You need the
  LDAPDisplayName's of the attributes, like I used in the dsquery command above. The second spreadsheet documents all attributes in AD with more information, like the syntax and which class each applies to.
  Richard Mueller - MVP Directory Services