Active directory Schema - Multiple password policies
Hi All,
I am new to AD and would need some suggestions on configuring AD. I want to set up AD (2008 R2) for three categories of users: individuals, dealers and organisations. Each dealer and each organisation will have further sub-categories based on their location. I want to set up separate password policies for the above three categories using AD. I wanted to create them as separate OUs, so I would have multiple OUs for each dealer per location (e.g. individual, dealer1loc1, dealer1loc2, dealer2loc3 and so on).
I know the concept of the PSO (Password Settings Object) and that it can only be applied to an OU using shadow groups and a batch file (to copy users from the OU to the shadow groups). The issue is that OUs would keep getting added as required (I would be creating new OUs using C#), and then the management of the PSOs, shadow groups or batch file would be very complicated; I am not sure if it can be automated.
Also, I have budget constraints for adding new servers for each domain and separate password policies.
What could be the possible solution to separate password policies and set up this user structure in Active Directory? I am using W2k8 R2.
Thanks.
Thanks Mahdi. In this case, the OUs would get created at run time, so the script needs to get updated at run time as well. I guess this will not be easy to automate.
Also, can you confirm whether I can set up separate password policies by creating sub-domains (e.g. example.com would be divided into sales.example.com and admin.example.com, and these would further be divided into melbourne.sales.example.com and sydney.sales.example.com), and I can set separate password policies for sales.example.com and admin.example.com?
By adding child domains, it is like you are killing a mosquito with a rocket launcher, if you know what I mean. Adding child domains increases the cost and administration and also adds complexity to your environment.
From a technical perspective it is OK to have child domains, but if I were you I would not add that much complexity to my environment because of a script. I would spend enough time, or get help from a skilled script writer, to edit the script. I am also saying that editing your script into a fully automated script is not impossible; it just needs enough time and skills.
Mahdi Tehrani | www.mahditehrani.ir
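One way to keep the shadow groups in step with OUs that are created at run time, as an added PowerShell example that is not part of the thread. It maps each parent OU to a PSO, enumerates the OUs under that parent every time it runs, keeps one global security group per OU in sync with the users directly in that OU (users moved out are removed), and applies the PSO to the group once. The OU paths, group prefix, PSO names and the ShadowGroups container are assumptions; the PSOs are assumed to exist already (New-ADFineGrainedPasswordPolicy creates them).

```powershell
# Added example, not code from the thread. Assumed names throughout (example.com,
# OU=dealers, PSO-Dealers, ...). Requires the ActiveDirectory module (RSAT or a 2008 R2 DC).
Import-Module ActiveDirectory

# Parent OU -> PSO. Every OU created under a parent inherits the parent's mapping,
# so a new dealer/location OU needs no change to this script.
$ParentOuPolicyMap = @{
    'OU=individual,DC=example,DC=com'    = 'PSO-Individuals'
    'OU=dealers,DC=example,DC=com'       = 'PSO-Dealers'
    'OU=organisations,DC=example,DC=com' = 'PSO-Organisations'
}
$ShadowGroupContainer = 'OU=ShadowGroups,DC=example,DC=com'   # assumed; must exist

function Sync-ShadowGroup {
    param(
        [Parameter(Mandatory = $true)][string]$OuDn,
        [Parameter(Mandatory = $true)][string]$PsoName
    )
    $ouName    = (Get-ADOrganizationalUnit -Identity $OuDn).Name
    $groupName = "SG-$ouName"

    # PSOs can only be applied to users and to global security groups.
    $group = Get-ADGroup -Filter "Name -eq '$groupName'" -SearchBase $ShadowGroupContainer
    if (-not $group) {
        $group = New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
                             -Path $ShadowGroupContainer -Description "Shadow group for $OuDn" -PassThru
    }

    # Apply the PSO once. If a user lands in several groups, the PSO with the lowest
    # precedence value wins, so give each policy a distinct precedence.
    $pso = Get-ADFineGrainedPasswordPolicy -Identity $PsoName
    if ($pso.AppliesTo -notcontains $group.DistinguishedName) {
        Add-ADFineGrainedPasswordPolicySubject -Identity $PsoName -Subjects $group
    }

    # Desired membership is exactly the users directly under the OU (OneLevel, so a
    # nested location OU gets its own group). Anyone no longer in the OU is removed.
    $wanted  = @(Get-ADUser -Filter * -SearchBase $OuDn -SearchScope OneLevel |
                 ForEach-Object { $_.DistinguishedName })
    $current = @(Get-ADGroupMember -Identity $group | ForEach-Object { $_.DistinguishedName })

    $toAdd    = @($wanted  | Where-Object { $current -notcontains $_ })
    $toRemove = @($current | Where-Object { $wanted  -notcontains $_ })
    if ($toAdd.Count)    { Add-ADGroupMember    -Identity $group -Members $toAdd }
    if ($toRemove.Count) { Remove-ADGroupMember -Identity $group -Members $toRemove -Confirm:$false }

    New-Object PSObject -Property @{ OU = $OuDn; Group = $groupName; Added = $toAdd.Count; Removed = $toRemove.Count }
}

foreach ($parentOu in $ParentOuPolicyMap.Keys) {
    $psoName = $ParentOuPolicyMap[$parentOu]
    # Subtree returns the parent itself plus every child OU (dealer1loc1, dealer1loc2, ...)
    $ous = Get-ADOrganizationalUnit -Filter * -SearchBase $parentOu -SearchScope Subtree |
           ForEach-Object { $_.DistinguishedName }
    foreach ($ou in $ous) { Sync-ShadowGroup -OuDn $ou -PsoName $psoName }
}
```

Run it as a scheduled task, or from the same process that creates the OUs, under an account that is only delegated group management on the ShadowGroups container plus read access to the user OUs, not Domain Admins. Check the effective policy for any user afterwards with Get-ADUserResultantPasswordPolicy -Identity <user>.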
Similar Messages
-
Active Directory Schema Extension for Directory Synchronization - ADFS 3.0, Office 365
Hi Team,
We are in a situation with extending the schema for one customer so that these additional Exchange attributes may be utilized. They have a single data center where the Primary Domain Controller resides and have multiple remote sites, each of which has Additional Domain Controllers installed.
As recommended by Microsoft, I am going to extend the Active Directory Schema with Exchange Setup so that I can leverage targetaddress attribute from Local AD to set primary email address when directory synchronization happens.
My Query: Do I have to extend the AD Schema with Exchange from each of these ADCs? Or will the changes I make on any of them replicate to the others?
Note: The customer will be using ADFS 3.0 'Single Sign On' with Office 365 and does NOT have any on-premise Exchange deployment.
Schema extension is done against the Schema Master. Once done, it gets replicated to the other DCs within the AD forest.
For more details about Schema Extension by Exchange, you can refer to that: http://www.resdevops.com/2013/02/13/extend-ad-schema-to-allow-greater-office-365-management/
Ahmed MALEK
Error when extending Active Directory schema
Hi there,
I am trying to extend my Active Directory schema in order to store my managed preferences in AD.
I am following this white paper: http://images.apple.com/business/solutions/it/docs/Modifyingthe_Active_DirectorySchema.pdf
When I try to apply the changes on my test domain controller (running W2k3 R2 SP2), I get the following error:
Entry DN: cn=apple-mount,cn=Schema,cn=Configuration,DC=TOTO,DC=CHIPS
Add error on line 674: No Such Attribute
The server side error is "The parameter is incorrect."
An error has occurred in the program
The corresponding section in the ldf file is :
# Class: mount
dn: cn=apple-mount,cn=Schema,cn=Configuration,dc=X
changetype: ntdsschemaadd
objectClass: classSchema
governsID: 1.3.6.1.4.1.63.1000.1.1.2.8
ldapDisplayName: mount
objectClassCategory: 1
# subclassOf: top
subclassOf: 2.5.6.0
# rdnAttId: cn
rdnAttId: 2.5.4.3
# mayContain: apple-mountDirectory
mayContain: 1.3.6.1.4.1.63.1000.1.1.1.8.1
# mayContain: apple-mountDumpFrequency
mayContain: 1.3.6.1.4.1.63.1000.1.1.1.8.4
# mayContain: apple-mountOption
mayContain: 1.3.6.1.4.1.63.1000.1.1.1.8.3
# mayContain: apple-mountPassNo
mayContain: 1.3.6.1.4.1.63.1000.1.1.1.8.5
# mayContain: apple-mountType
mayContain: 1.3.6.1.4.1.63.1000.1.1.1.8.2
possSuperiors: 2.5.6.5
possSuperiors: container
The attributes specified in "mayContain" appear to be correctly created (see log below):
31: cn=apple-mountDirectory,cn=Schema,cn=Configuration,DC=TOTO,DC=CHIPS
Entry DN: cn=apple-mountDirectory,cn=Schema,cn=Configuration,DC=TOTO,DC=CHIPS
Entry modified successfully.
32: cn=apple-mountDumpFrequency,cn=Schema,cn=Configuration,DC=TOTO,DC=CHIPS
Entry DN: cn=apple-mountDumpFrequency,cn=Schema,cn=Configuration,DC=TOTO,DC=CHIPS
Entry modified successfully.
33: cn=apple-mountOption,cn=Schema,cn=Configuration,DC=TOTO,DC=CHIPS
Entry DN: cn=apple-mountOption,cn=Schema,cn=Configuration,DC=TOTO,DC=CHIPS
Entry modified successfully.
34: cn=apple-mountPassNo,cn=Schema,cn=Configuration,DC=TOTO,DC=CHIPS
Entry DN: cn=apple-mountPassNo,cn=Schema,cn=Configuration,DC=TOTO,DC=CHIPS
Entry modified successfully.
35: cn=apple-mountType,cn=Schema,cn=Configuration,DC=TOTO,DC=CHIPS
Entry DN: cn=apple-mountType,cn=Schema,cn=Configuration,DC=TOTO,DC=CHIPS
Entry modified successfully.
Has anyone encountered the same issue? Any ideas?
Thanks in advance,
Florent
Which is line #674? Looking over your listing, the only thing that stands out to me is that I think possSuperiors takes object class names, not IDs (i.e. "possSuperiors: 2.5.6.5" should be "possSuperiors: organizationalUnit"). Also, if you copy and paste sections from the PDF, you're likely to get leading and trailing spaces on the pasted lines, which all need to be removed for it to function properly. The trailing spaces are especially nasty, since they're invisible in most text editors.
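A pre-import check for an .ldf like the one above, as an added PowerShell example that is not part of the thread. It flags trailing whitespace on every line (the invisible problem the reply mentions) and, for each subclassOf, mayContain, mustContain, possSuperiors or auxiliaryClass value, looks the reference up in the target forest's schema by OID or by lDAPDisplayName, so a "No Such Attribute" is caught before ldifde runs. The path C:\schema\apple.ldf is an assumption.

```powershell
# Added example, not code from the thread. Assumed path C:\schema\apple.ldf; run it on a
# domain-joined machine with the ActiveDirectory module, against the forest you will import into.
Import-Module ActiveDirectory

function Test-SchemaLdif {
    param([Parameter(Mandatory = $true)][string]$Path)

    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    # LDIF attributes whose values must name an existing schema class or attribute
    $refAttrs = 'subclassof', 'maycontain', 'mustcontain', 'posssuperiors', 'auxiliaryclass', 'systemmaycontain'
    $problems = @()
    $lineNo   = 0

    foreach ($line in Get-Content -Path $Path) {
        $lineNo++
        if ($line -match '\s+$') {
            $problems += "line ${lineNo}: trailing whitespace (invisible in most editors, becomes part of the value)"
        }
        # Skip comments, blank lines and anything that is not 'name: value'
        if ($line -match '^\s*#' -or $line -notmatch '^([A-Za-z]+):\s*(.+?)\s*$') { continue }
        $name  = $Matches[1].ToLower()
        $value = $Matches[2]
        if ($refAttrs -notcontains $name) { continue }

        # A reference may be written as the numeric OID or as the lDAPDisplayName
        $filter = "(|(lDAPDisplayName=$value)(attributeID=$value)(governsID=$value))"
        $hit = Get-ADObject -SearchBase $schemaNc -LDAPFilter $filter -ResultSetSize 1
        if (-not $hit) {
            $problems += "line ${lineNo}: $name refers to '$value', which is not in $schemaNc"
        }
    }
    $problems
}

Test-SchemaLdif -Path 'C:\schema\apple.ldf'
```

The check resolves references against the live schema, so run it after the attribute section has been imported (as the log above shows it was). If the attributes and the class are in one file, the class add still fails with "No Such Attribute" unless the file refreshes the schema cache between them (an entry with an empty dn, changetype: modify, add: schemaUpdateNow, schemaUpdateNow: 1). Import with the placeholder rewritten: ldifde -i -f C:\schema\apple.ldf -c "dc=X" "DC=TOTO,DC=CHIPS" -k -j C:\schema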
-
SCCM 2012: extend the Active Directory schema error
Hello
I am experiencing an issue when attempting to extend my AD schema for SCCM 2012
<12-10-2014 20:04:33> Modifying Active Directory Schema - with SMS extensions.
<12-10-2014 20:04:33> DS Root:CN=Schema,CN=Configuration,DC=,DC=com
<12-10-2014 20:04:33> Failed to create attribute cn=MS-SMS-Site-Code. Error code = 8224.
<12-10-2014 20:04:33> Failed to create attribute cn=mS-SMS-Assignment-Site-Code. Error code = 8224.
<12-10-2014 20:04:33> Failed to create attribute cn=MS-SMS-Site-Boundaries. Error code = 8224.
<12-10-2014 20:04:33> Failed to create attribute cn=MS-SMS-Roaming-Boundaries. Error code = 8224.
<12-10-2014 20:04:33> Failed to create attribute cn=MS-SMS-Default-MP. Error code = 8224.
<12-10-2014 20:04:33> Failed to create attribute cn=mS-SMS-Device-Management-Point. Error code = 8224.
<12-10-2014 20:04:33> Failed to create attribute cn=MS-SMS-MP-Name. Error code = 8224.
<12-10-2014 20:04:33> Failed to create attribute cn=MS-SMS-MP-Address. Error code = 8224.
<12-10-2014 20:04:33> Failed to create attribute cn=mS-SMS-Health-State. Error code = 8224.
<12-10-2014 20:04:33> Failed to create attribute cn=mS-SMS-Source-Forest. Error code = 8224.
<12-10-2014 20:04:33> Failed to create attribute cn=MS-SMS-Ranged-IP-Low. Error code = 8224.
<12-10-2014 20:04:33> Failed to create attribute cn=MS-SMS-Ranged-IP-High. Error code = 8224.
<12-10-2014 20:04:33> Failed to create attribute cn=mS-SMS-Version. Error code = 8224.
<12-10-2014 20:04:33> Failed to create attribute cn=mS-SMS-Capabilities. Error code = 8224.
<12-10-2014 20:04:33> Failed to create class cn=MS-SMS-Management-Point. Error code = 8202.
<12-10-2014 20:04:33> Failed to create class cn=MS-SMS-Server-Locator-Point. Error code = 8202.
<12-10-2014 20:04:33> Failed to create class cn=MS-SMS-Site. Error code = 8202.
<12-10-2014 20:04:33> Failed to create class cn=MS-SMS-Roaming-Boundary-Range. Error code = 8202.
<12-10-2014 20:04:33> Failed to extend the Active Directory schema, please find details in "C:\ExtADSch.log".
Can anyone help me to fix this issue?
Hi,
It is most likely due to a replication issue in your AD; check the previous thread on the topic: https://social.technet.microsoft.com/Forums/systemcenter/en-US/1d377109-4fa9-4608-8a3a-cefd436e82ee/error-8224-when-extending-active-directory-schema
Make sure that all replication issues are solved and try again.
Regards,
Jörgen
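A pre-flight and post-check for any schema extension, as an added PowerShell example that is not part of either thread (it serves the "which DC do I extend from" question above as well as this 8224 case). It prints the Schema Master, which is the only DC that accepts schema writes, runs repadmin against it so replication failures are visible before retrying, and then asks every DC in the forest whether the new attribute has arrived. The attribute name targetAddress is an assumption; substitute the object your extension adds (for ConfigMgr, for example, mS-SMS-Site-Code).

```powershell
# Added example, not code from the threads. Assumed attribute name: targetAddress.
Import-Module ActiveDirectory

function Get-SchemaReplicationStatus {
    param([Parameter(Mandatory = $true)][string]$AttributeName)

    $forest = Get-ADForest
    $master = $forest.SchemaMaster
    Write-Host "Schema master (the only DC that accepts schema writes): $master"

    # Replication failures are what surface as error 8224 during the extension; a clean
    # /showrepl on the schema master is the precondition for retrying ExtADSch.exe.
    repadmin /showrepl $master /errorsonly
    repadmin /replsummary

    $schemaNc = (Get-ADRootDSE -Server $master).schemaNamingContext
    # Every DC in every domain of the forest holds a copy of the schema partition.
    foreach ($domain in $forest.Domains) {
        foreach ($dc in Get-ADDomainController -Filter * -Server $domain) {
            $obj = Get-ADObject -Server $dc.HostName -SearchBase $schemaNc `
                       -LDAPFilter "(lDAPDisplayName=$AttributeName)" -ErrorAction SilentlyContinue
            New-Object PSObject -Property @{
                DC = $dc.HostName; Domain = $domain; Site = $dc.Site; HasAttribute = [bool]$obj
            }
        }
    }
}

Get-SchemaReplicationStatus -AttributeName 'targetAddress' |
    Format-Table DC, Domain, Site, HasAttribute -AutoSize
```

A DC that still reports HasAttribute False after the others have it is the one whose inbound replication needs fixing; extending the schema again on that DC is never the answer, because it is not the Schema Master.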
Questions about Extending Active Directory Schema
We have about 24 Macs at the moment in the environment and we are starting to look at Extending the Active Directory Schema. I have been doing a lot of reading over the past few weeks and I think that I am more confused the more I research it. The Windows Servers here are running Server 2008_R2. So here are my questions:
1. If we extend the schema does that mean that we do not need an OS X Server?
2. Is this really the easiest option to go with?
3. We are looking to be able to apply GPOs to the Macs through Active Directory so will this accomplish it?
4. Will this also allow Group Policy Preferences to map printers to the Macs automatically too?
5. Is this the least expensive option?
6. What is the best way to convince the Windows Administrators that this is how we should proceed?
Thanks
Pads
Hi
1. Yes. However OSX Server offers far more than MCX or Mac-Style GPOs. NetBoot, SUS, Wiki are some you should be looking at IMO.
2. Again IMO not really. It takes a lot of work and you really don't want to be doing this on a 'live' server. Set up a lab environment first, thoroughly test it and then go with it when you're happy. The other possible 'gotcha' is you will have no way of knowing if Microsoft decide to change/amend or extend their own proprietary schema in a Revision update sometime in the future. If that does happen then you may be looking at doing it all over again?
3. Yes, but you will still need WorkGroup Manager installed on a mac client. The documentation is clear about what to do once the Schema has been extended.
4. Not done this myself but I would think so.
5. Yes, but is it the 'best' option? Not in my opinion.
6. Offer them the 'easier' but more expensive alternatives (some of them very expensive) and see which way they jump.
HTH?
Tony -
Active Directory User and Password Sync
Hi,
We have virtualised development labs that are direct clones of our production environment, including names, IP addresses and Active Directory. These labs are ring fenced using virtual network appliances with firewall rules that allow access to specific ports.
The issue we have is that when passwords expire either in the labs or in production AD, it causes issues for our developers. Also, when new users are created in production, the process has to be repeated in multiple labs, which is a bit of a time sink, even with scripts.
Currently we sporadically do system state restores to AD controllers in the labs to get them in sync with prod, but this also requires us to re-add all the servers back onto the domain and again is a tedious process. Is there any way to sync from production AD to the labs' AD?
Thanks in advance.
Mark
If it is an isolated environment, you won't be able to synchronize the data.
Export/Import, Backup/restore, P2V, D2VHD etc are the only option.
Santhosh Sivarajan | Houston, TX | www.sivarajan.com
Dear all,
We have an issue regarding the Active Directory user registry. Our application wants to retrieve the user registry from Active Directory, so after we type the domain name, username and password for the domain admin, the app adds a schema to the AD; usually we directly get the response from the Active Directory server.
Below is the log from the configuration
< 3/17/2013 - 8:26:43 PM
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
<<<<<<<<
3/17/2013-8:27:03 PM: Configuring Access Manager Policy Server....
C:\PROGRA~2\Tivoli\POLICY~1\sbin\ivmgrd_setup.exe -y no -m "********" -
r 7135 -l 1460 -t 7200 -D no -f no
OpenConfFile: "C:\PROGRA~2\Tivoli\POLICY~1\etc\pd.conf"
getentry: C:\PROGRA~2\Tivoli\POLICY~1\etc\pd.conf pdrte user-reg-type
CloseConfFile: C:\PROGRA~2\Tivoli\POLICY~1\etc\pd.conf
OpenConfFile: "C:\PROGRA~2\Tivoli\POLICY~1\etc\activedir.conf"
getentry: C:\PROGRA~2\Tivoli\POLICY~1\etc\activedir.conf uraf-registry
hostname
getentry: C:\PROGRA~2\Tivoli\POLICY~1\etc\activedir.conf uraf-registry
useEncryption
getentry: C:\PROGRA~2\Tivoli\POLICY~1\etc\activedir.conf uraf-registry
domain
getentry: C:\PROGRA~2\Tivoli\POLICY~1\etc\activedir.conf uraf-registry
dnforpd
getentry: C:\PROGRA~2\Tivoli\POLICY~1\etc\activedir.conf uraf-registry
Multi-domain
getentry: C:\PROGRA~2\Tivoli\POLICY~1\etc\activedir.conf uraf-registry
bind-id
getentry: C:\PROGRA~2\Tivoli\POLICY~1\etc\activedir.conf uraf-registry
bind-pwd
CloseConfFile: C:\PROGRA~2\Tivoli\POLICY~1\etc\activedir.conf
OpenConfFile: "C:\PROGRA~2\Tivoli\POLICY~1\etc\pd.conf"
getentry: C:\PROGRA~2\Tivoli\POLICY~1\etc\pd.conf pdrte user-reg-type
CloseConfFile: C:\PROGRA~2\Tivoli\POLICY~1\etc\pd.conf
OpenConfFile: "C:\PROGRA~2\Tivoli\POLICY~1\etc\pd.conf"
getentry: C:\PROGRA~2\Tivoli\POLICY~1\etc\pd.conf pdrte user-reg-type
CloseConfFile: C:\PROGRA~2\Tivoli\POLICY~1\etc\pd.conf
C:\PROGRA~2\Tivoli\POLICY~1\sbin\mgrsslcfg.exe -config -f no -t 7200 -l
1460 -D no
Creating the SSL certificate. This might take several minutes.
The SSL configuration of the Tivoli Access Manager policy server
has completed successfully.
The policy server's signed SSL certificate is base-64 encoded and
saved in text file "C:\PROGRA~2\Tivoli\POLICY~1\keytab\pdcacert.b64."
This file is required by the configuration program on each machine
in your secure domain.
C:\PROGRA~2\Tivoli\POLICY~1\sbin\bassslcfg.exe -config -f no -c "C:
\PROGRA~2\Tivoli\POLICY~1\keytab\pdcacert.b64" -p 7135 -h TAMEB1
The SSL configuration of Access Control Runtime has completed
successfully.
Tivoli Access Manager policy server domain name: Default
Tivoli Access Manager policy server host name: TAMEB1
Tivoli Access Manager policy server listening port: 7135
2013-03-17-20:27:13.770-07:00I----- 0x16B48064 PID#2848 ERROR rgy ad E:
\build\am611\src\uraf\ad\schema\adschema_update.cpp 550 0x00000ad0
HPDRG0100E The operation in the Active Directory registry for
adschema_update.exe: ADSCHEMA_CHECK_SCHEMA_RIGHTS failed with return
error 8000500d.
adschema_update: result 1, retcode -2147463155
HPDBG0938E Configuration failed.
3/17/2013-8:29:13 PM: HPDBG0938E Configuration failed.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>
> 3/17/2013 - 8:29:15 PM
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>
Please your advice,
Thanks,
Best Regards,
Achmad
Hi, your log states:
adschema_update.exe: ADSCHEMA_CHECK_SCHEMA_RIGHTS failed with return error 8000500d.
The error code is documented in this KB. In short, I think the running user does not have the required privileges to edit the AD schema. You need to be a member of 'Schema Admins' in the forest root domain to edit the AD schema.
Search Active Directory Entries without password authentication
JNDI, Active Directory
I am newbie to JDNI and Active Directory.
I am trying to create a Web Application
which provides domain users with the information
of the Active Directory group user are belonging.
I know how to access Active Directory and search Entries
with JNDI like below codes.
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

Hashtable env = new Hashtable();
env.put(Context.PROVIDER_URL, "LDAP://URL:389");
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.SECURITY_AUTHENTICATION, "none");
env.put(Context.REFERRAL, "follow");
env.put("java.naming.ldap.version", "3");
env.put(Context.SECURITY_PRINCIPAL, "uid=admin,ou=system");
env.put(Context.SECURITY_CREDENTIALS, "secret");
// bind with the environment above, then search from the context
DirContext ctx = new InitialDirContext(env);
// ...
But I want to know how to search entries without an Active Directory password,
because I don't tell users their Active Directory password.
I don't have any idea. Could you give me good idea?
Sorry for my English. Thank you.
Danno
It means to allow "Anonymous LOGON" and "Everyone" users to search entries in AD, I think.
Sorry, can't help. In OpenLDAP it means
allow * search
or possibly
allow * auth
You mean that if I do it, will the codes below be unnecessary in Java?That's not only what I meant, it is what I said, concerning the principal and credentials lines.
You don't need the SECURITY_AUTHENTICATION line, I never use it with LDAP whether I'm providing credentials or not (and in the cases where you are supplying the principal and credentials, it certainly doesn't make any sense to specify 'none'.) -
Active Directory schema extensions
Hi
We are in a process of implementing SAP LDAP sync to manage users from MS Active Directory. SAP requires schema extension generated by RSLDAPSCHEMAEXT program to be applied to Active Directory so that report RSLDAPSYNC_USER can be identify SAP users in MS AD.
The MS AD team says that any non-Microsoft schema extensions are not supported, as OIDs of the schema might conflict with other applications / patches.
Are the MS AD schema extensions generated by SAP program RSLDAPSCHEMAEXT supported / certified by Microsoft.
Harsh
Hi Harsh,
I would like to point you also to SAP Note 888848 - Notes on schema enhancement with RSLDAPSCHEMAEXT.
It especially states that:
..."The text document generated by RSLDAPSCHEMAEXT was supplied and validate as part of a certification process by the directory vendor."...
that means in this case by Microsoft.
If you decide not to use the schema extension that has been supplied by Microsoft you can use attributes that are already existing in your Active Directory as Juergen already pointed out.
As an example Microsoft Exchange Server creates several additional attributes such as extensionattribute1, ... , extensionattribute15 as part of the installation process. These attributes might be an option for you if you do not want to use the schema extension suggested by RSLDAPSCHEMAEXT.
Please have in mind that the filter attribute that you will use to determine the SAP username should be indexed since this will reduce the synchronization time.
Best Regards,
André -
Active directory, SSGD and password change
Hi everybody, we have some problems with SSGD, active directory and password change
Scenario:
We have 2 different perfectly working Active directory called "Gruppo" and "Eracle";
We have 2 different tarantella installations called "Sgd" and "Tlv";
Sgd servers are working servers and users authenticate against Eracle, used by our customer.
We made 2 basic different test with Tlv:
1. we configure Tlv to authenticate users against Gruppo (that is our real need) ---> we can't change password using kpasswd or ttakpasswd
2. we configure Tlv to authenticate users against Eracle ---> everything was ok
There is NO DIFFERENCE between Sgd and Tlv; they have the same configuration, same krb5.conf etc.
There is ONE DIFFERENCE between Eracle and Gruppo:
Eracle Active Directory's properties:
Domain functional level: Windows 2000 mixed
Forest functional level: Windows 2000
Gruppo Active Directory's properties:
Domain functional level: Windows 2000 native
Forest functional level: Windows 2000
SSGD documentation doesn't speak about different Active Directory properties. The SSGD documentation says that you can authenticate users against Active directory, so, IT HAS TO WORK even if the domain functional level of active directory is different.
Can someone help us?
Hi Simon
I'll try again to explain you our problem, because it seems that I wasn't so clear.
Scenario:
We have 2 different perfectly working Active directory called "Gruppo" and "Eracle";
We have 2 different tarantella installations called "Sgd" and "Tlv";
Sgd servers are working servers and users authenticate against Eracle, used by our customer.
We made 2 basic different test with Tlv:
1. we configure Tlv to authenticate users against Gruppo (that is our real need) ---> we can't change password using kpasswd or ttakpasswd
2. we configure Tlv to authenticate users against Eracle ---> everything was ok
There is NO DIFFERENCE between Sgd and Tlv; they have the same configuration, same krb5.conf etc.
There is ONE DIFFERENCE between Eracle and Gruppo:
Eracle Active Directory's properties:
Domain functional level: Windows 2000 mixed
Forest functional level: Windows 2000
Gruppo Active Directory's properties:
Domain functional level: Windows 2000 native
Forest functional level: Windows 2000
SSGD documentation doesn't speak about different Active Directory properties. The SSGD documentation says that you can authenticate users against Active directory, so, IT HAS TO WORK even if the domain functional level of active directory is different.
Can someone help us?
Many thank
Patrizia
Added question.
Do you guys know if changing the password will change the password on their Active directory access.
Thanks,
helmut -
Active sync with Active Directory. activeSync.password
AD - OS - Win2k3
IDM -6.0SP1
I am using Active Sync with Active Directory.
The form for Active Sync was made with the Active Sync wizard.
I create a user in AD with the correct password and execute StartActiveSync.
The user is not created in Lighthouse.
In log file appears the following:
<WavesetResult>
<ResultItem type='error' status='error'>
<ResultError throwable='com.waveset.exception.PolicyViolation'>
<Message id='PL_POLICY_VIOLATION_HEADER'>
<String>password</String>
<String>Lighthouse User</String>
</Message>
<Message id='PL_STRING_MIN_CHARACTERS'>
<String>4</String>
</Message>
<StackTrace>com.waveset.exception.PolicyViolation: Policy Violation (password on Lighthouse User):
Must contain at least 4 valid characters.
at com.waveset.policy.StringQualityPolicy.check(StringQualityPolicy.java:1090)
at com.waveset.provision.PolicyProcessor.checkPolicy(PolicyProcessor.java:716)
at com.waveset.provision.PolicyProcessor.checkLighthousePasswordPolicy(PolicyProcessor.java:651)
at com.waveset.provision.PolicyProcessor.checkPasswordPolicies(PolicyProcessor.java:574)
at com.waveset.provision.PolicyProcessor.checkAccountPolicies(PolicyProcessor.java:232)
at com.waveset.provision.Provisioner.checkPolicies(Provisioner.java:1102)
at com.waveset.view.UserViewer.checkPolicies(UserViewer.java:1559)
at com.waveset.view.UserViewer.checkPoliciesAndConstraints(UserViewer.java:1415)
at com.waveset.view.UserViewer.checkinView(UserViewer.java:1159)
at com.waveset.object.ViewMaster.checkinView(ViewMaster.java:725)
at com.waveset.sync.IAPIUserImpl.submitCreate(IAPIUserImpl.java:559)
at com.waveset.sync.IAPIUserImpl.submit(IAPIUserImpl.java:657)
at com.waveset.adapter.ADSIResourceAdapter.processUpdates(ADSIResourceAdapter.java:1419)
at com.waveset.adapter.ADSIResourceAdapter.getAndProcessChanges(ADSIResourceAdapter.java:1456)
at com.waveset.adapter.ADSIResourceAdapter.poll(ADSIResourceAdapter.java:1546)
at com.waveset.adapter.SARunner.doRealWork(SARunner.java:268)
at com.waveset.task.Executor.execute(Executor.java:159)
at com.waveset.task.TaskThread.run(TaskThread.java:119)
</StackTrace>
</ResultError>
</ResultItem>
</WavesetResult>
2006-11-09T13:19:07.904+0500: lastname: Bogdanov9, accountId: Bogdanov9, objectGUID: <GUID=fb4016ebb4851b43af59763d6094932d>, isDisabled: false, identity: cn=Alexey L. Bogdanov9,ou=Users,ou=Test,dc=aut,dc=tst, uSNChanged: 78587, firstname: Alexey, AccountLocked: false, fullname: Alexey L. Bogdanov9, Initials: L
Policy Violation (password on Lighthouse User):
Must contain at least 4 valid characters.
But when I use the sample Active Sync form from ...sample/forms/ActiveDirectoryActiveSyncForm, the user is created in Lighthouse with the password change12345.
Logically, from this code:
<Field name='waveset.password'>
<Comments>
Make up a password for accounts that are being
created. This makes it a constant
</Comments>
<Disable>
<neq>
<ref>feedOp</ref>
<s>create</s>
</neq>
</Disable>
<Expansion>
<cond>
<notnull>
<ref>activeSync.password</ref>
</notnull>
<ref>activeSync.password</ref>
<s>change12345</s>
</cond>
</Expansion>
</Field>
I think the password from AD is not put into activeSync.
Why?
With MBR
Bogdanov Alexey.
-- I think the password from AD is not put into activeSync.
-- Why?
You cannot change the user's password from the activeSync RA. The password is encrypted in Active Directory and you can't decrypt it.
You can read the Idm Resources Reference - Active Directory. There's a table with all the supported fields; the userPassword field is write-only.
If you want to take the AD password and send it to IDM, you want to use Password Sync.
Good luck -
Best way to implement active directory in multiple locations
Hi,
Currently we don't have an active directory domain and looking in to configuring a test setup for it.
We have 6 countries and in some countries we have 2 to 3 sites. There is a constant VPN connection between all the locations.
Our users are travelling between the sites. IT is managed from a central location and have one IT responsible on each site which also have to create / modify users.
Should we go for one domain with a domain controller in each site? Or should we go for a parent DC at central location with child DC (sub domains) at the other sites?
What are the pro's and cons of each scenario?
Kr,
Joeri
Hi jfeyen,
I think you have some misunderstanding about OUs and sites in AD.
An OU is a general-purpose container that can be used to group most other object classes together for administrative purposes. An organizational unit in Active Directory is analogous to a directory in the file system; it is a container that can hold other objects. It represents the logical structure of your organization, as the domain does.
Sites in Active Directory represent the physical structure, or topology, of your network. Active Directory uses topology information, stored as site and site link objects in the directory, to build the most efficient replication topology. A site is a set of well-connected subnets. Sites differ from domains.
For your information, please refer to the following articles:
Organizational Units
http://technet.microsoft.com/en-us/library/cc978003.aspx
Sites overview
http://technet.microsoft.com/en-us/library/cc782048(v=ws.10).aspx
So when a user or computer joins the domain, it is placed in the OU that was configured, and that does not change unless the configuration changes.
As for the question "If we use Sites & Services, will our workstations automatically find the right DC?", please refer to the following article:
Finding a Domain Controller in the Closest Site
http://technet.microsoft.com/en-us/library/cc978016.aspx
Regards,
Lany Zhang -
Add new attribute in active directory schema
Hi
I need to add two new attributes to the schema in my forest for the user class.
The attribute names are jobclasscode and jobclass.
How can I achieve it? And where can I get an X.500 OID?
We are running the AD forest below:
DFL and FFL: Windows Server 2003
DCs: AD 2008 R2.
Hi,
You can use the LDIFDE command to export the schema attributes to <filename>.ldf (which can be edited using Notepad), as given below:
ldifde -f c:\<filename>.ldf -d "cn=schema,cn=configuration,dc=<mydomain>,dc=<com>"
Checkout the below thread on similar discussion,
http://social.technet.microsoft.com/Forums/windowsserver/en-US/6789d4c2-1027-4a64-9f04-eaf7996893c5/ldifde-command-to-export-everything
Regards,
Gopi
JiJi Technologies
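The rest of the procedure the question asks about, as an added PowerShell example that is not part of the thread (it also covers the Schema Admins requirement raised in the Tivoli 8000500d thread above). It generates an OID arc under Microsoft's GUID-based prefix 1.2.840.113556.1.8000.2554 using the same digit layout as Microsoft's oidgen.vbs, writes an .ldf that adds the two attributes as indexed single-valued Unicode strings and links them to the user class, confirms the caller is in Schema Admins in the forest root, and imports the file against the Schema Master. The attribute names come from the question; the forest, file path and the choice of syntax are assumptions.

```powershell
# Added example, not code from the thread. Assumed: forest example.com, attributes
# jobClassCode and jobClass (from the question), output file C:\schema\job.ldf.
Import-Module ActiveDirectory

function New-GuidOid {
    # Same layout as Microsoft's oidgen.vbs: the GUID's 32 hex digits are split into
    # 4,4,4,4,4,6,6-digit groups and appended in decimal to Microsoft's GUID-OID arc.
    $hex   = [Guid]::NewGuid().ToString('N')
    $parts = foreach ($span in @(@(0,4), @(4,4), @(8,4), @(12,4), @(16,4), @(20,6), @(26,6))) {
        [Convert]::ToInt64($hex.Substring($span[0], $span[1]), 16)
    }
    '1.2.840.113556.1.8000.2554.' + ($parts -join '.')
}

function Test-SchemaAdmin {
    # Schema writes need Schema Admins membership in the forest root domain (the token is
    # only refreshed at logon) and are accepted only by the Schema Master.
    $root = (Get-ADForest).RootDomain
    $me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
    $members = Get-ADGroupMember -Identity 'Schema Admins' -Server $root -Recursive
    @($members | Where-Object { $_.SID -eq $me }).Count -gt 0
}

function New-AttributeLdif {
    param([string[]]$Names, [string]$Path)
    $base = New-GuidOid            # one arc for this application; attributes get .1, .2, ...
    $sb   = New-Object System.Text.StringBuilder
    $i    = 0
    foreach ($name in $Names) {
        $i++
        # attributeSyntax 2.5.5.12 / oMSyntax 64 = Unicode string; searchFlags 1 = indexed
        [void]$sb.AppendLine(@"
dn: CN=$name,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
attributeID: $base.$i
lDAPDisplayName: $name
adminDisplayName: $name
attributeSyntax: 2.5.5.12
oMSyntax: 64
isSingleValued: TRUE
searchFlags: 1
"@)
    }
    # Reload the schema cache so the class modification below can see the new attributes
    [void]$sb.AppendLine("dn:`nchangetype: modify`nadd: schemaUpdateNow`nschemaUpdateNow: 1`n-`n")
    [void]$sb.AppendLine("dn: CN=User,CN=Schema,CN=Configuration,DC=X`nchangetype: modify`nadd: mayContain")
    foreach ($name in $Names) { [void]$sb.AppendLine("mayContain: $name") }
    [void]$sb.AppendLine("-")
    [System.IO.File]::WriteAllText($Path, $sb.ToString())
    $base
}

if (-not (Test-SchemaAdmin)) {
    throw 'Add the account to Schema Admins in the forest root domain and log on again first.'
}
$master  = (Get-ADForest).SchemaMaster
$rootDn  = (Get-ADRootDSE -Server $master).rootDomainNamingContext
$oidBase = New-AttributeLdif -Names 'jobClassCode', 'jobClass' -Path 'C:\schema\job.ldf'
"Record this OID arc with the attribute definitions: $oidBase"

# -c rewrites the DC=X placeholder; -k continues past 'already exists'; -j writes ldif.log next to the file
ldifde -i -f C:\schema\job.ldf -s $master -c "DC=X" $rootDn -k -j C:\schema
```

A GUID-derived arc avoids collisions with other products, which is the AD team's concern in the SAP thread above, but it is not a registered enterprise OID; a product that ships a schema extension should use one obtained from Microsoft or an IANA private enterprise number. Remove the account from Schema Admins again once the import has replicated; the group should be empty between changes.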
Changing user password in Active Directory using the JNDI GSS-API/Kerberos5
Hello,
I am trying to use the JNDI GSS-API to change a user password on an Active Directory Server 2003. I have seen a variation of this using SSL on the thread http://forums.sun.com/thread.jspa?threadID=592611&start=0&tstart=0
but I can't seem to make this work using the GSS-API. I can successfully create a javax.security.auth.login.LoginContext and then call the login method on it to log in as a user. I then call the javax.security.auth.Subject.doAs() method, which calls the run method in a class implementing java.security.PrivilegedAction. But when I actually try to change the password using InitialDirContext.modifyAttributes(), I get the exception:
javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 00002077: SvcErr: DSID-03190DC9, problem 5003 (WILL_NOT_PERFORM), data 0
If anyone can help me figure out why it doesn't work, that would be great!
P.S: I know the error seems to suggest that there might be some Active Directory setting that is preventing this from working, but I've checked all the relevant settings on the Windows 2003 Server Active Directory that I can think of: in User properties->Account->Account options, I've made sure the user can change password. Also, in Group Policy->Computer Configuration->Windows Settings->Security Settings->Account Policies->Password Policy, Maximum password age is zero and so is Minimum password age.
Here's my java code:
{code}
import javax.naming.*;
import javax.security.auth.*;
import javax.security.auth.login.*;
import java.io.UnsupportedEncodingException;

// uid: Kerberos principal used for the login; userDn: distinguished name of the user entry
public void changeSecret(String uid, String userDn, String oldPassword, String newPassword)
        throws NamingException, LoginException {
    LoginContext lc = null;
    try {
        // Obtain a Kerberos TGT as the user whose password is being changed
        K5CallbackHandler cb = new K5CallbackHandler(uid, oldPassword);
        lc = new LoginContext("marker", cb);
        lc.login();
        // Run the LDAP modify with that user's credentials (GSSAPI bind inside run())
        Subject.doAs(lc.getSubject(), new ChangePasswordAction(userDn, oldPassword, newPassword));
    } finally {
        if (lc != null) {
            lc.logout();
        }
    }
}
{code}
ChangePasswordAction.java is:
{code}
import javax.naming.*;
import javax.naming.directory.*;
import java.io.UnsupportedEncodingException;
import java.security.PrivilegedAction;
import java.util.Hashtable;

class ChangePasswordAction implements PrivilegedAction {
    private final String userDn;
    private final String quotedOldPassword;
    private final String quotedNewPassword;

    public ChangePasswordAction(String userDn, String oldPassword, String newPassword) {
        this.userDn = userDn;
        // AD expects each unicodePwd value as the password wrapped in double quotes
        quotedOldPassword = "\"" + oldPassword + "\"";
        quotedNewPassword = "\"" + newPassword + "\"";
    }

    public Object run() {
        Hashtable env = new Hashtable(11);
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://ad2k3:389");
        env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI"); // uses the Subject from doAs()
        try {
            DirContext ctx = new InitialDirContext(env);
            ModificationItem[] mods = new ModificationItem[2];
            // ... and encoded as UTF-16LE
            byte[] oldPasswordUnicode = quotedOldPassword.getBytes("UTF-16LE");
            byte[] newPasswordUnicode = quotedNewPassword.getBytes("UTF-16LE");
            // Self-service change: remove the old value and add the new one in a single modify
            mods[0] = new ModificationItem(DirContext.REMOVE_ATTRIBUTE, new BasicAttribute("unicodePwd", oldPasswordUnicode));
            mods[1] = new ModificationItem(DirContext.ADD_ATTRIBUTE, new BasicAttribute("unicodePwd", newPasswordUnicode));
            ctx.modifyAttributes(userDn, mods);
            ctx.close();
        } catch (NamingException e) {
            e.printStackTrace();
        } catch (UnsupportedEncodingException e) {
            e.printStackTrace();
        }
        return null;
    }
}
{code}
K5CallbackHandler is:
{code}
import javax.security.auth.callback.*;

final class K5CallbackHandler implements CallbackHandler {
    private final String name;
    private final char[] passwd;

    public K5CallbackHandler(String nm, String pw) {
        name = nm;
        if (pw == null) {
            passwd = new char[0];
        } else {
            passwd = pw.toCharArray();
        }
    }

    // Supplies the principal name and password to Krb5LoginModule
    public void handle(Callback[] callbacks) throws java.io.IOException, UnsupportedCallbackException {
        for (int i = 0; i < callbacks.length; i++) {
            if (callbacks[i] instanceof NameCallback) {
                NameCallback cb = (NameCallback) callbacks[i];
                cb.setName(name);
            } else if (callbacks[i] instanceof PasswordCallback) {
                PasswordCallback cb = (PasswordCallback) callbacks[i];
                cb.setPassword(passwd);
            } else {
                throw new UnsupportedCallbackException(callbacks[i]);
            }
        }
    }
}
{code}
The relevant entry in the JAAS.conf file that is referred to as "marker" in the LoginContext constructor is:
{code}
marker {
    com.sun.security.auth.module.Krb5LoginModule required client=TRUE;
};
{code}
This is one of the two Active Directory operations I have never solved using Java/JNDI. (FYI the other one is Cross Domain Move).
My gut feel is that the underlying problem (which happens to be common to both Change Password & X-Domain Move) is that Java/JNDI/GSSAPI does not negotiate a sufficiently strong key length that allows Active Directory to change passwords or perform cross domain moves when using Kerberos & GSSAPI.
Active Directory requires at a minimum, 128 bit key lengths for these security related operations.
In more recent Kerberos suites and Java versions, support for RC4-HMAC & AES has been introduced, so it may be possible that you can negotiate a suitably strong key length.
Make sure that your Kerberos configuration is using either RC4-HMAC or AES and that Java is requesting a strong level of protection. You can do this by adding the following in your ChangePasswordAction class:
{code}
// Specify the quality of protection
// Eg. auth-conf: confidentiality, auth-int: integrity
// confidentiality is required to set a password
env.put("javax.security.sasl.qop", "auth-conf");
// require high strength 128 bit crypto
env.put("javax.security.sasl.strength", "high");
{code}
You may also want to enable SASL logging in your app to see what exactly is going on, and you may also want to check on the Java Security forum how to configure/enforce/check that either RC4-HMAC or AES is used as the Kerberos cipher suite and that a strong key length is being used.
Good luck. -
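Putting the reply's two SASL settings together with the unicodePwd modify, as an added example that is neither the poster's nor the replier's code; the hypothetical class name, the LDAP URL and the user DN are placeholders, and the modify must run inside Subject.doAs after the Krb5 JAAS login shown above:

```java
import java.nio.charset.StandardCharsets;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.ModificationItem;

/** Added example: self-service AD password change over GSSAPI with confidentiality. */
public class UnicodePwdChange {

    /** AD stores unicodePwd as the password wrapped in double quotes, encoded UTF-16LE. */
    static byte[] encodeUnicodePwd(String password) {
        return ("\"" + password + "\"").getBytes(StandardCharsets.UTF_16LE);
    }

    /** JNDI environment for a GSSAPI (Kerberos) bind. Without the two SASL properties
     *  the bind negotiates authentication only, and AD refuses the unicodePwd write
     *  because that attribute may only be written over an encrypted channel. */
    static Hashtable<String, String> gssapiEnv(String ldapUrl, boolean confidentiality) {
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapUrl);                  // placeholder host in caller
        env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
        if (confidentiality) {
            env.put("javax.security.sasl.qop", "auth-conf");     // encrypt the LDAP session
            env.put("javax.security.sasl.strength", "high");     // ask for 128-bit keys
        }
        return env;
    }

    /** Remove old + add new in one modify: the form AD accepts from the user themselves
     *  (no "reset password" right needed), run under the user's own Kerberos ticket. */
    static void changeOwnPassword(Hashtable<String, String> env, String userDn,
                                  String oldPw, String newPw) throws NamingException {
        ModificationItem[] mods = {
            new ModificationItem(DirContext.REMOVE_ATTRIBUTE,
                    new BasicAttribute("unicodePwd", encodeUnicodePwd(oldPw))),
            new ModificationItem(DirContext.ADD_ATTRIBUTE,
                    new BasicAttribute("unicodePwd", encodeUnicodePwd(newPw)))
        };
        DirContext ctx = new InitialDirContext(env);
        try {
            ctx.modifyAttributes(userDn, mods);   // e.g. "CN=jdoe,OU=Users,DC=example,DC=com"
        } finally {
            ctx.close();
        }
    }
}
```

Calling gssapiEnv(url, false) reproduces the failing configuration from the question; gssapiEnv(url, true) is the corrected one.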
Hello everyone
I have a network infrastructure consisting of 3 sites, site A, site B, and site C. I have 2 domain controllers on every site, and the AD roles are on the primary domain controller on site A. On site A I have an Exchange 2013 SP1 CU6.
I want to create a second Exchange on Site B, with the roles of Mailbox (the Exchange on Site A will be the first DAG member and the Exchange on Site B will be the second member of the DAG) and CAS.
First question: Is my thought correct about installing the Mailbox and CAS roles on the same server?
Second question: How many DAG witnesses do I need for the DAG? One per site, or one in general (for example located on site A)?
Third question: When I try to perform “Setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms” I receive the error
“Setup encountered a problem while validating the state of Active Directory:
The Active Directory schema version (15303) is higher than Setup's version (15292). Therefore, PrepareSchema can't be executed. See the Exchange setup log for more information on this error. For more information, visit:
http://technet.microsoft.com/library(EXCHG.150)/ms.exch.setupreadiness.AdInitErrorRule.aspx”
I tried to run the PrepareSchema from the ISO of Exchange 2013 SP1 and from the extracted content of the Exchange 2013 SP1 CU6 archive, but still receive the same error. Any ideas?
Thanks in advance.

Thank you for your answer,
I have tried to run "Setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms" from
Exchange 2013 CU6 media, but I still receive the error:
The Active Directory schema version (15303) is higher than Setup's version (15292). Therefore, PrepareSchema
can't be executed. See the Exchange setup log for more information on this error. For more information, visit: http://technet.microsoft.com/library(EXCHG.150)/ms.exch.setupreadiness.AdInitErrorRule.aspx
Any ideas?