Active directory Schema - Multiple password policies

Hi All,
I am new to AD and would need some suggestion to configure AD. I want to set up AD (2008 R2) for three categories of users: individual, dealers and organisations. Each dealer and each organisation will have further sub-categories based on their location. I want to set up separate password policies for the above three categories using AD. I wanted to create them as separate OUs. So I would have multiple OUs for each dealer per location (e.g. individual, dealer1loc1, dealer1loc2, dealer2loc3 and so on).
I know the concept of PSO (Password Settings Object) and that it can only be applied to an OU using shadow groups and a batch file (to copy users from the OU to the shadow groups). The issue is that the OUs would keep getting added as per requirement (we would be creating new OUs using C#) and then the management of PSOs or shadow groups or the batch file would be very complicated; not sure if it can be automated.
Also, I have budget constraints to add new servers for each domain and separate password policies.
What could be the possible solution to separate password policies and set up this user structure in Active Directory? I am using W2k8 R2.
Thanks.

Thanks Mahdi. In this case, the OUs would get created at run time, so the script needs to get updated at run time as well. I guess this will not be easy to automate.
Also, can you confirm if I can set up separate password policies by creating sub domains (e.g. example.com will be divided into sales.example.com and admin.example.com and this would further be divided as melbourne.sales.example.com and sydney.sales.example.com) and I can set separate password policies for sales.example.com and admin.example.com.
By adding child domains, it is like you are killing a mosquito with a rocket launcher, if you know what I mean. Adding child domains increases the cost and administration and also adds complexity to your environment.
From a technical perspective it is OK to have child domains, but if I were you I would not add that much complexity to my environment because of a script. I would spend enough time or get help from a skilled script writer to edit the script. Also I am saying that editing your script into a fully automated script is not impossible, it just needs enough time and skills.
Mahdi Tehrani
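The automation the thread argues over, as an added example (not code from the original post or from Mahdi): one shadow group per OU, kept in sync with the OU's direct user members and bound once to the PSO for the OU's category, so OUs the C# code creates at run time get a policy on the next run. It assumes the AD PowerShell module on 2008 R2, a domain functional level of 2008 or higher (PSOs need it), OU names that start with "individual", "dealer" or "org", three pre-created PSOs named PSO-Individual, PSO-Dealer and PSO-Organisation, and the two container DNs below; all of these are assumptions, not values from the thread.

```powershell
# Added example, not from the thread. Keeps one shadow group per OU in sync with
# the users in that OU and binds it to the PSO for the OU's category.
# Assumptions: AD module, DFL 2008+, OU naming by category prefix, PSOs already
# created, and the two DNs below adjusted to your forest.
Import-Module ActiveDirectory

$BaseOU        = 'OU=Customers,DC=example,DC=com'     # assumed parent of the runtime OUs
$ShadowGroupOU = 'OU=ShadowGroups,DC=example,DC=com'  # assumed home for the shadow groups

# Map an OU name to the PSO that should govern its users. PSOs bind only to
# users and global security groups, never to OUs, hence the shadow groups.
function Get-CategoryPso {
    param([string]$OuName)
    switch -Regex ($OuName.ToLower()) {
        '^individual' { return 'PSO-Individual' }
        '^dealer'     { return 'PSO-Dealer' }
        '^org'        { return 'PSO-Organisation' }
        default       { return $null }
    }
}

# Create the shadow group for an OU if needed and make its membership equal to
# the users directly in that OU (OneLevel: each sub-OU gets its own group).
function Sync-ShadowGroup {
    param($Ou)
    $groupName = "SG-$($Ou.Name)"
    $group = Get-ADGroup -Filter "Name -eq '$groupName'" -SearchBase $ShadowGroupOU
    if (-not $group) {
        # Global scope is mandatory: a PSO cannot be applied to a domain local group.
        $group = New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
            -Path $ShadowGroupOU -Description "Shadow group for $($Ou.DistinguishedName)" -PassThru
    }
    $wanted  = @(Get-ADUser -Filter * -SearchBase $Ou.DistinguishedName -SearchScope OneLevel)
    $current = @(Get-ADGroupMember -Identity $group | Where-Object { $_.objectClass -eq 'user' })
    # ForEach-Object instead of $array.Property so this also works on PowerShell 2.0.
    $wantedDns  = @($wanted  | ForEach-Object { $_.DistinguishedName })
    $currentDns = @($current | ForEach-Object { $_.DistinguishedName })

    $toAdd    = $wanted  | Where-Object { $currentDns -notcontains $_.DistinguishedName }
    $toRemove = $current | Where-Object { $wantedDns  -notcontains $_.DistinguishedName }
    if ($toAdd)    { Add-ADGroupMember    -Identity $group -Members $toAdd }
    if ($toRemove) { Remove-ADGroupMember -Identity $group -Members $toRemove -Confirm:$false }
    return $group
}

# Walk every OU below the base (the base itself is skipped). Re-adding a subject
# that is already bound fails, so the PSO's current subjects are checked first.
$ous = Get-ADOrganizationalUnit -Filter * -SearchBase $BaseOU -SearchScope Subtree |
       Where-Object { $_.DistinguishedName -ne $BaseOU }
foreach ($ou in $ous) {
    $pso = Get-CategoryPso -OuName $ou.Name
    if (-not $pso) { Write-Warning "No PSO mapping for $($ou.DistinguishedName); skipped"; continue }
    $group       = Sync-ShadowGroup -Ou $ou
    $subjectDns  = @(Get-ADFineGrainedPasswordPolicySubject -Identity $pso |
                     ForEach-Object { $_.DistinguishedName })
    if ($subjectDns -notcontains $group.DistinguishedName) {
        Add-ADFineGrainedPasswordPolicySubject -Identity $pso -Subjects $group
    }
    # Resultant check: a user in several shadow groups gets the PSO with the lowest
    # precedence value, and a user with no PSO falls back to the domain policy.
    foreach ($u in Get-ADUser -Filter * -SearchBase $ou.DistinguishedName -SearchScope OneLevel) {
        $effective = Get-ADUserResultantPasswordPolicy -Identity $u
        $name = if ($effective) { $effective.Name } else { '(default domain policy)' }
        if ($name -ne $pso) {
            Write-Warning "$($u.SamAccountName): effective PSO is '$name', expected '$pso'"
        }
    }
}
```

Run it from a scheduled task, or call it from the C# code right after it creates an OU, so a new OU never sits without a policy for longer than one run.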

Similar Messages

  • Active Directory Schema Extension for Directory Synchronization - ADFS 3.0, Office 365

    Hi Team,
    We are in a situation with extending the schema for one customer so that these additional exchange attributes may be utilized. They have a single data center where the Primary Domain Controller resides and have multiple remote sites each of which have Additional Domain Controllers installed.
    As recommended by Microsoft, I am going to extend the Active Directory Schema with Exchange Setup so that I can leverage targetaddress attribute from Local AD to set primary email address when directory synchronization happens.
    My Query: Do I have to extend the AD Schema with Exchange from each of these ADC's? Or the changes I make on any of them will replicate over the others also?
    Note: The customer will be using ADFS 3.0 'Single Sign On' with Office 365 and does NOT have any On-Premise Exchange deployment.

    My Query: Do I have to extend the AD Schema with Exchange from each of these ADC's? Or the changes I make on any of them will replicate over the others also?
    Schema extension is done against the Schema Master. Once done, it gets replicated to other DCs with the AD forest.
    For more details about Schema Extension by Exchange, you can refer to that: http://www.resdevops.com/2013/02/13/extend-ad-schema-to-allow-greater-office-365-management/
    Ahmed MALEK

  • Error when extending Active Directory schema

    Hi there,
    I am trying to extend my active directory schema in order to store my managed preferences in AD.
    I am following this white paper : http://images.apple.com/business/solutions/it/docs/Modifyingthe_Active_DirectorySchema.pdf
    When I try to apply the changes on my test domain controller (running W2k3 R2 SP2), I get the following error :
    Entry DN: cn=apple-mount,cn=Schema,cn=Configuration,DC=TOTO,DC=CHIPS
    Add error on line 674: No Such Attribute
    The server side error is "The parameter is incorrect."
    An error has occurred in the program
    The corresponding section in the ldf file is :
    # Class: mount
    dn: cn=apple-mount,cn=Schema,cn=Configuration,dc=X
    changetype: ntdsschemaadd
    objectClass: classSchema
    governsID: 1.3.6.1.4.1.63.1000.1.1.2.8
    ldapDisplayName: mount
    objectClassCategory: 1
    # subclassOf: top
    subclassOf: 2.5.6.0
    # rdnAttId: cn
    rdnAttId: 2.5.4.3
    # mayContain: apple-mountDirectory
    mayContain: 1.3.6.1.4.1.63.1000.1.1.1.8.1
    # mayContain: apple-mountDumpFrequency
    mayContain: 1.3.6.1.4.1.63.1000.1.1.1.8.4
    # mayContain: apple-mountOption
    mayContain: 1.3.6.1.4.1.63.1000.1.1.1.8.3
    # mayContain: apple-mountPassNo
    mayContain: 1.3.6.1.4.1.63.1000.1.1.1.8.5
    # mayContain: apple-mountType
    mayContain: 1.3.6.1.4.1.63.1000.1.1.1.8.2
    possSuperiors: 2.5.6.5
    possSuperiors: container
    The attributes specified in "mayContain" appear to be correctly created (see log below)
    31: cn=apple-mountDirectory,cn=Schema,cn=Configuration,DC=TOTO,DC=CHIPS
    Entry DN: cn=apple-mountDirectory,cn=Schema,cn=Configuration,DC=TOTO,DC=CHIPS
    Entry modified successfully.
    32: cn=apple-mountDumpFrequency,cn=Schema,cn=Configuration,DC=TOTO,DC=CHIPS
    Entry DN: cn=apple-mountDumpFrequency,cn=Schema,cn=Configuration,DC=TOTO,DC=CHIPS
    Entry modified successfully.
    33: cn=apple-mountOption,cn=Schema,cn=Configuration,DC=TOTO,DC=CHIPS
    Entry DN: cn=apple-mountOption,cn=Schema,cn=Configuration,DC=TOTO,DC=CHIPS
    Entry modified successfully.
    34: cn=apple-mountPassNo,cn=Schema,cn=Configuration,DC=TOTO,DC=CHIPS
    Entry DN: cn=apple-mountPassNo,cn=Schema,cn=Configuration,DC=TOTO,DC=CHIPS
    Entry modified successfully.
    35: cn=apple-mountType,cn=Schema,cn=Configuration,DC=TOTO,DC=CHIPS
    Entry DN: cn=apple-mountType,cn=Schema,cn=Configuration,DC=TOTO,DC=CHIPS
    Entry modified successfully.
    Has anyone encountered the same issue? Any idea?
    Thanks in advance,
    Florent

    Which is line #674? Looking over your listing, the only thing that stands out to me is that I think possSuperiors takes object class names, not IDs (i.e. "possSuperiors: 2.5.6.5" should be "possSuperiors: organizationalUnit"). Also, if you copy and paste sections from the PDF, you're likely to get leading and trailing spaces on the pasted lines, which all need to be removed for it to function properly. The trailing spaces are especially nasty, since they're invisible in most text editors.

  • Sccm 2012 extent the active directory schema error

    Hello
    I am experiencing an issue when attempting to extend my AD Schema for SCCM 2012
    <12-10-2014 20:04:33> Modifying Active Directory Schema - with SMS extensions.
    <12-10-2014 20:04:33> DS Root:CN=Schema,CN=Configuration,DC=,DC=com
    <12-10-2014 20:04:33> Failed to create attribute cn=MS-SMS-Site-Code.  Error code = 8224.
    <12-10-2014 20:04:33> Failed to create attribute cn=mS-SMS-Assignment-Site-Code.  Error code = 8224.
    <12-10-2014 20:04:33> Failed to create attribute cn=MS-SMS-Site-Boundaries.  Error code = 8224.
    <12-10-2014 20:04:33> Failed to create attribute cn=MS-SMS-Roaming-Boundaries.  Error code = 8224.
    <12-10-2014 20:04:33> Failed to create attribute cn=MS-SMS-Default-MP.  Error code = 8224.
    <12-10-2014 20:04:33> Failed to create attribute cn=mS-SMS-Device-Management-Point.  Error code = 8224.
    <12-10-2014 20:04:33> Failed to create attribute cn=MS-SMS-MP-Name.  Error code = 8224.
    <12-10-2014 20:04:33> Failed to create attribute cn=MS-SMS-MP-Address.  Error code = 8224.
    <12-10-2014 20:04:33> Failed to create attribute cn=mS-SMS-Health-State.  Error code = 8224.
    <12-10-2014 20:04:33> Failed to create attribute cn=mS-SMS-Source-Forest.  Error code = 8224.
    <12-10-2014 20:04:33> Failed to create attribute cn=MS-SMS-Ranged-IP-Low.  Error code = 8224.
    <12-10-2014 20:04:33> Failed to create attribute cn=MS-SMS-Ranged-IP-High.  Error code = 8224.
    <12-10-2014 20:04:33> Failed to create attribute cn=mS-SMS-Version.  Error code = 8224.
    <12-10-2014 20:04:33> Failed to create attribute cn=mS-SMS-Capabilities.  Error code = 8224.
    <12-10-2014 20:04:33> Failed to create class cn=MS-SMS-Management-Point.  Error code = 8202.
    <12-10-2014 20:04:33> Failed to create class cn=MS-SMS-Server-Locator-Point.  Error code = 8202.
    <12-10-2014 20:04:33> Failed to create class cn=MS-SMS-Site.  Error code = 8202.
    <12-10-2014 20:04:33> Failed to create class cn=MS-SMS-Roaming-Boundary-Range.  Error code = 8202.
    <12-10-2014 20:04:33> Failed to extend the Active Directory schema, please find details in "C:\ExtADSch.log".
    Can anyone help me to fix this issue?

    Hi,
    It is most likely due to a replication issue in your AD, check the previous thread on the topic: https://social.technet.microsoft.com/Forums/systemcenter/en-US/1d377109-4fa9-4608-8a3a-cefd436e82ee/error-8224-when-extending-active-directory-schema
    Make sure that all replication issues are solved and try again.
    Regards,
    Jörgen

  • Questions about Extending Active Directory Schema

    We have about 24 Macs at the moment in the environment and we are starting to look at Extending the Active Directory Schema.  I have been doing a lot of reading over the past few weeks and I think that I am more confused the more I research it.  The Windows Servers here are running Server 2008_R2.  So here are my questions:
    1. If we extend the schema does that mean that we do not need an OS X Server?
    2. Is this really the easiest option to go with?
    3. We are looking to be able to apply GPOs to the Macs through Active Directory so will this accomplish it?
    4. Will this also allow Group Policy Preferences to map printers to the Macs automatically too?
    5. Is this the least expensive option?
    6. What is the best way to convince the Windows Administrators that this is how we should proceed?
    Thanks
    Pads

    Hi
    1. Yes. However OSX Server offers far more than MCX or Mac-Style GPOs. NetBoot, SUS, Wiki are some you should be looking at IMO.
    2. Again IMO not really. It takes a lot of work and you really don't want to be doing this on a 'live' server. Set up a lab environment first, thoroughly test it and then go with it when you're happy. The other possible 'gotcha' is you will have no way of knowing if Microsoft decide to change/amend or extend their own proprietary schema in a Revision update sometime in the future. If that does happen then you may be looking at doing it all over again?
    3. Yes, but you will still need WorkGroup Manager installed on a mac client. The documentation is clear about what to do once the Schema has been extended.
    4. Not done this myself but I would think so.
    5. Yes, but is it the 'best' option? Not in my opinion.
    6. Offer them the 'easier' but more expensive alternatives (some of them very expensive) and see which way they jump.
    HTH?
    Tony

  • Active Directory User and Password Sync

    Hi,
    We have virtualised development labs that are direct clones of our production environment, including names, IP addresses and Active Directory. These labs are ring fenced using virtual network appliances with firewall rules that allow access to specific ports.
    The issue we have is that when passwords expire either in the labs or in production AD, it causes issues for our developers. Also, when new users are created in production, the process has to be repeated in multiple labs which is a bit of a time sink, even with scripts.
    Currently we sporadically do system state restores to AD controllers in the labs to get them in sync with prod but this also requires us re-adding all the servers back onto the domain and again is a tedious process. Is there any way to sync from production AD to the labs AD?
    Thanks in advance.
    Mark

    If it is an isolated environment, you won't be able to synchronize the data.  
    Export/Import, Backup/restore, P2V, D2VHD etc are the only option. 
    Santhosh Sivarajan | Houston, TX | www.sivarajan.com

  • Active directory schema error

    Dear all,
    We have an issue regarding the active directory user registry. Our application wants to retrieve the user registry from active directory, so after we type the domain name, username and password for the domain admin, the app adds a schema in the AD; usually we can directly get the response from the active directory server.
    Below is the log from the configuration
    < 3/17/2013 - 8:26:43 PM
    <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
    3/17/2013-8:27:03 PM: Configuring Access Manager Policy Server....
    C:\PROGRA~2\Tivoli\POLICY~1\sbin\ivmgrd_setup.exe -y no -m "********" -r 7135 -l 1460 -t 7200 -D no -f no
    OpenConfFile: "C:\PROGRA~2\Tivoli\POLICY~1\etc\pd.conf"
    getentry: C:\PROGRA~2\Tivoli\POLICY~1\etc\pd.conf pdrte user-reg-type
    CloseConfFile: C:\PROGRA~2\Tivoli\POLICY~1\etc\pd.conf
    OpenConfFile: "C:\PROGRA~2\Tivoli\POLICY~1\etc\activedir.conf"
    getentry: C:\PROGRA~2\Tivoli\POLICY~1\etc\activedir.conf uraf-registry hostname
    getentry: C:\PROGRA~2\Tivoli\POLICY~1\etc\activedir.conf uraf-registry useEncryption
    getentry: C:\PROGRA~2\Tivoli\POLICY~1\etc\activedir.conf uraf-registry domain
    getentry: C:\PROGRA~2\Tivoli\POLICY~1\etc\activedir.conf uraf-registry dnforpd
    getentry: C:\PROGRA~2\Tivoli\POLICY~1\etc\activedir.conf uraf-registry Multi-domain
    getentry: C:\PROGRA~2\Tivoli\POLICY~1\etc\activedir.conf uraf-registry bind-id
    getentry: C:\PROGRA~2\Tivoli\POLICY~1\etc\activedir.conf uraf-registry bind-pwd
    CloseConfFile: C:\PROGRA~2\Tivoli\POLICY~1\etc\activedir.conf
    OpenConfFile: "C:\PROGRA~2\Tivoli\POLICY~1\etc\pd.conf"
    getentry: C:\PROGRA~2\Tivoli\POLICY~1\etc\pd.conf pdrte user-reg-type
    CloseConfFile: C:\PROGRA~2\Tivoli\POLICY~1\etc\pd.conf
    OpenConfFile: "C:\PROGRA~2\Tivoli\POLICY~1\etc\pd.conf"
    getentry: C:\PROGRA~2\Tivoli\POLICY~1\etc\pd.conf pdrte user-reg-type
    CloseConfFile: C:\PROGRA~2\Tivoli\POLICY~1\etc\pd.conf
    C:\PROGRA~2\Tivoli\POLICY~1\sbin\mgrsslcfg.exe -config -f no -t 7200 -l 1460 -D no
    Creating the SSL certificate. This might take several minutes.
    The SSL configuration of the Tivoli Access Manager policy server has completed successfully.
    The policy server's signed SSL certificate is base-64 encoded and saved in text file "C:\PROGRA~2\Tivoli\POLICY~1\keytab\pdcacert.b64." This file is required by the configuration program on each machine in your secure domain.
    C:\PROGRA~2\Tivoli\POLICY~1\sbin\bassslcfg.exe -config -f no -c "C:\PROGRA~2\Tivoli\POLICY~1\keytab\pdcacert.b64" -p 7135 -h TAMEB1
    The SSL configuration of Access Control Runtime has completed successfully.
    Tivoli Access Manager policy server domain name: Default
    Tivoli Access Manager policy server host name: TAMEB1
    Tivoli Access Manager policy server listening port: 7135
    2013-03-17-20:27:13.770-07:00I----- 0x16B48064 PID#2848 ERROR rgy ad E:\build\am611\src\uraf\ad\schema\adschema_update.cpp 550 0x00000ad0
    HPDRG0100E The operation in the Active Directory registry for adschema_update.exe: ADSCHEMA_CHECK_SCHEMA_RIGHTS failed with return error 8000500d.
    adschema_update: result 1, retcode -2147463155
    HPDBG0938E Configuration failed.
    3/17/2013-8:29:13 PM: HPDBG0938E Configuration failed.
    >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
    > 3/17/2013 - 8:29:15 PM
    >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
    Please your advice,
    Thanks,
    Best Regards,
    Achmad

    Hi, your log states:
    adschema_update.exe: ADSCHEMA_CHECK_SCHEMA_RIGHTS failed with return error 8000500d.
    The error code is documented in this kb. To go short, I think the running user does not have the required privileges to edit the AD schema. You need to be a member of 'Schema Admins' in the forest root domain to edit the AD schema.

  • Search Active Directory Entries without password authentication

    JNDI, Active Directory
    I am a newbie to JNDI and Active Directory.
    I am trying to create a Web Application
    which provides domain users with the information
    of the Active Directory group user are belonging.
    I know how to access Active Directory and search Entries
    with JNDI like below codes.
    import java.util.Hashtable;
    import javax.naming.Context;
    // Environment for the initial LDAP context, as posted.
    Hashtable<String, String> env = new Hashtable<String, String>();
    env.put(Context.PROVIDER_URL, "LDAP://URL:389");
    env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
    env.put(Context.SECURITY_AUTHENTICATION, "none");
    env.put(Context.REFERRAL, "follow");
    env.put("java.naming.ldap.version", "3");
    env.put(Context.SECURITY_PRINCIPAL, "uid=admin,ou=system");
    env.put(Context.SECURITY_CREDENTIALS, "secret");
    ...
    But I want to know how to search Entries without the Active Directory password
    because I don't tell users their Active Directory password.
    I don't have any idea. Could you give me good idea?
    Sorry for my English. Thank you.
    Danno

    It means to allow "Anonymous LOGON" and "Everyone" users to search entries in AD, I think. Sorry, can't help. In OpenLDAP it means "allow * search" or possibly "allow * auth".
    You mean that if I do it, will the codes below be unnecessary in Java?
    That's not only what I meant, it is what I said, concerning the principal and credentials lines.
    You don't need the SECURITY_AUTHENTICATION line, I never use it with LDAP whether I'm providing credentials or not (and in the cases where you are supplying the principal and credentials, it certainly doesn't make any sense to specify 'none'.)

  • Active Directory schema extensions

    Hi
    We are in a process of implementing SAP LDAP sync to manage users from MS Active Directory. SAP requires a schema extension generated by the RSLDAPSCHEMAEXT program to be applied to Active Directory so that report RSLDAPSYNC_USER can identify SAP users in MS AD.
    The MS AD team says that any non-Microsoft schema extensions are not supported as OIDs of the schema might conflict with other applications / patches.
    Are the MS AD schema extensions generated by SAP program RSLDAPSCHEMAEXT supported / certified by Microsoft?
    Harsh

    Hi Harsh,
    I would like to point you also to SAP Note 888848 - Notes on schema enhancement with RSLDAPSCHEMAEXT.
    It especially states that:
    ..."The text document generated by RSLDAPSCHEMAEXT was supplied and validated as part of a certification process by the directory vendor."...
    that means in this case by Microsoft.
    If you decide not to use the schema extension that has been supplied by Microsoft you can use attributes that are already existing in your Active Directory as Juergen already pointed out.
    As an example Microsoft Exchange Server creates several additional attributes such as extensionattribute1, ... , extensionattribute15 as part of the installation process. These attributes might be an option for you if you do not want to use the schema extension suggested by RSLDAPSCHEMAEXT.
    Please have in mind that the filter attribute that you will use to determine the SAP username should be indexed since this will reduce the synchronization time.
    Best Regards,
    André

  • Active directory, SSGD and password change

    Hi everybody, we have some problems with SSGD, active directory and password change
    Scenario:
    We have 2 different perfectly working Active directory called "Gruppo" and "Eracle";
    We have 2 different tarantella installations called "Sgd" and "Tlv";
    Sgd servers are working servers and users authenticate against Eracle, used by our customer.
    We made 2 basic different tests with Tlv:
    1. we configure Tlv to authenticate users against Gruppo (that is our real need) ---> we can't change password using kpasswd or ttakpasswd
    2. we configure Tlv to authenticate users against Eracle ---> everything was ok
    There is NO DIFFERENCE between Sgd and Tlv, they have same configuration, same krb5.conf etc.
    There is ONE DIFFERENCE between Eracle and Gruppo:
    Eracle Active Directory's properties:
    Domain functional level: Windows 2000 mixed
    Forest functional level: Windows 2000
    Gruppo Active Directory's properties:
    Domain functional level: Windows 2000 native
    Forest functional level: Windows 2000
    SSGD documentation doesn't speak about different Active Directory properties. The SSGD documentation says that you can authenticate users against Active directory, so, IT HAS TO WORK even if the domain functional level of active directory is different.
    Can someone help us?

    Hi Simon
    I'll try again to explain our problem to you, because it seems that I wasn't so clear.
    Scenario:
    We have 2 different perfectly working Active directory called "Gruppo" and "Eracle";
    We have 2 different tarantella installations called "Sgd" and "Tlv";
    Sgd servers are working servers and users authenticate against Eracle, used by our customer.
    We made 2 basic different tests with Tlv:
    1. we configure Tlv to authenticate users against Gruppo (that is our real need) ---> we can't change password using kpasswd or ttakpasswd
    2. we configure Tlv to authenticate users against Eracle ---> everything was ok
    There is NO DIFFERENCE between Sgd and Tlv, they have same configuration, same krb5.conf etc.
    There is ONE DIFFERENCE between Eracle and Gruppo:
    Eracle Active Directory's properties:
    Domain functional level: Windows 2000 mixed
    Forest functional level: Windows 2000
    Gruppo Active Directory's properties:
    Domain functional level: Windows 2000 native
    Forest functional level: Windows 2000
    SSGD documentation doesn't speak about different Active Directory properties. The SSGD documentation says that you can authenticate users against Active directory, so, IT HAS TO WORK even if the domain functional level of active directory is different.
    Can someone help us?
    Many thanks
    Patrizia

    Added question.
    Do you guys know if changing the password will change the password on their Active directory access.
    Thanks,
    helmut

  • Active sync with Active Directory.  activeSync.password

    AD - OS - Win2k3
    IDM -6.0SP1
    I am using active sync with Active Directory.
    Form for Active Sync make with Wizard Active Sync.
    Make user in AD with correct password. Execute StartActiveSync.
    User is not made in Lighthouse.
    In log file appears the following:
    <WavesetResult>
    <ResultItem type='error' status='error'>
    <ResultError throwable='com.waveset.exception.PolicyViolation'>
    <Message id='PL_POLICY_VIOLATION_HEADER'>
    <String>password</String>
    <String>Lighthouse User</String>
    </Message>
    <Message id='PL_STRING_MIN_CHARACTERS'>
    <String>4</String>
    </Message>
    <StackTrace>com.waveset.exception.PolicyViolation: Policy Violation (password on Lighthouse User):
    Must contain at least 4 valid characters.
         at com.waveset.policy.StringQualityPolicy.check(StringQualityPolicy.java:1090)
         at com.waveset.provision.PolicyProcessor.checkPolicy(PolicyProcessor.java:716)
         at com.waveset.provision.PolicyProcessor.checkLighthousePasswordPolicy(PolicyProcessor.java:651)
         at com.waveset.provision.PolicyProcessor.checkPasswordPolicies(PolicyProcessor.java:574)
         at com.waveset.provision.PolicyProcessor.checkAccountPolicies(PolicyProcessor.java:232)
         at com.waveset.provision.Provisioner.checkPolicies(Provisioner.java:1102)
         at com.waveset.view.UserViewer.checkPolicies(UserViewer.java:1559)
         at com.waveset.view.UserViewer.checkPoliciesAndConstraints(UserViewer.java:1415)
         at com.waveset.view.UserViewer.checkinView(UserViewer.java:1159)
         at com.waveset.object.ViewMaster.checkinView(ViewMaster.java:725)
         at com.waveset.sync.IAPIUserImpl.submitCreate(IAPIUserImpl.java:559)
         at com.waveset.sync.IAPIUserImpl.submit(IAPIUserImpl.java:657)
         at com.waveset.adapter.ADSIResourceAdapter.processUpdates(ADSIResourceAdapter.java:1419)
         at com.waveset.adapter.ADSIResourceAdapter.getAndProcessChanges(ADSIResourceAdapter.java:1456)
         at com.waveset.adapter.ADSIResourceAdapter.poll(ADSIResourceAdapter.java:1546)
         at com.waveset.adapter.SARunner.doRealWork(SARunner.java:268)
         at com.waveset.task.Executor.execute(Executor.java:159)
         at com.waveset.task.TaskThread.run(TaskThread.java:119)
    </StackTrace>
    </ResultError>
    </ResultItem>
    </WavesetResult>
    2006-11-09T13:19:07.904+0500: lastname: Bogdanov9, accountId: Bogdanov9, objectGUID: <GUID=fb4016ebb4851b43af59763d6094932d>, isDisabled: false, identity: cn=Alexey L. Bogdanov9,ou=Users,ou=Test,dc=aut,dc=tst, uSNChanged: 78587, firstname: Alexey, AccountLocked: false, fullname: Alexey L. Bogdanov9, Initials: L
    Policy Violation (password on Lighthouse User):
    Must contain at least 4 valid characters.
    But, when I use the sample active sync form from ...sample/forms/ActiveDirectoryActiveSyncForm the user is made in Lighthouse with password change12345.
    Logically, from this code:
    <Field name='waveset.password'>
      <Comments>
        Make up a password for accounts that are being
        created. This makes it a constant
      </Comments>
      <Disable>
        <neq>
          <ref>feedOp</ref>
          <s>create</s>
        </neq>
      </Disable>
      <Expansion>
        <cond>
          <notnull>
            <ref>activeSync.password</ref>
          </notnull>
          <ref>activeSync.password</ref>
          <s>change12345</s>
        </cond>
      </Expansion>
    </Field>
    I think password from AD not put in to activeSync.
    Why?
    With MBR
    Bogdanov Alexey.

    --I think password from AD not put in to activeSync.
    --Why?
    You cannot change the user's password from the activeSync RA. The password is encrypted in Active Directory and you can't decrypt it.
    You can read the Idm Resources Reference - Active Directory. There's a table with all the supported fields; the userPassword field is write-only.
    If you want to take the AD password and send it to IDM, you want to use Password Sync.
    Good luck

  • Best way to implement active directory in multiple locations

    Hi,
    Currently we don't have an active directory domain and looking in to configuring a test setup for it.
    We have 6 countries and in some countries we have 2 to 3 sites. There is a constant VPN connection between all the locations.
    Our users are travelling between the sites. IT is managed from a central location and have one IT responsible on each site which also have to create / modify users. 
    Should we go for one domain with a domain controller in each site? Or should we go for a parent DC at central location with child DC (sub domains) at the other sites?
    What are the pros and cons of each scenario?
    Kr,
    Joeri

    Hi jfeyen,
    I think you have some misunderstanding about OU and site in AD.
    OU is the purpose container that can be used to group most other object classes together for administrative purposes. An organizational unit in Active Directory is analogous to a directory in the file system; it is a container that can hold other objects.
    And it represent the logical structure of your organization as domain.
    Sites in Active Directory represent the physical structure, or topology, of your network. Active Directory uses topology information, stored as site and site link objects in the directory, to build the most efficient replication topology. A site is a set of well-connected subnets. Sites differ from domains.
    For your information, please refer to the following articles:
    Organizational Units
    http://technet.microsoft.com/en-us/library/cc978003.aspx
    Sites overview
    http://technet.microsoft.com/en-us/library/cc782048(v=ws.10).aspx
    So if a user or a computer is connected to the domain, it will be located in the OU which is configured. And this will not change unless the configuration changes.
    As for the question If we use site & services our workstations will automatically find the right DC?, please refer to the following article:
    Finding a Domain Controller in the Closest Site
    http://technet.microsoft.com/en-us/library/cc978016.aspx
    Regards,
    Lany Zhang

  • Add new attribute in active directory schema

    Hi
    I need to add two new attributes to the schema in my forest for the user class.
    The attribute names are jobclasscode and jobclass.
    How can I achieve it? And where can I get an X.500 OID?
    we are running on below AD forest:
    DFL and FFL : windows server 2003
    DCs: AD 2008 R2.

    Hi,
    You can use the LDIFDE command to export the schema attributes to <filename>.ldf (can be edited using notepad) as given below,
    ldifde -f c:\<filename>.ldf -d "cn=schema,cn=configuration,dc=<mydomain>,dc=<com>"
    Checkout the below thread on similar discussion,
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/6789d4c2-1027-4a64-9f04-eaf7996893c5/ldifde-command-to-export-everything
    Regards,
    Gopi
    JiJi
    Technologies

  • Changing user password in Active Directory using the JNDI GSS-API/Kerberos5

    Hello,
    I am trying to use the JNDI GSS-API to change a user password on an Active Directory Server 2003. I have seen a variation of this using SSL in the thread http://forums.sun.com/thread.jspa?threadID=592611&start=0&tstart=0
    but I can't seem to make this work using the GSS-API. I can successfully create a javax.security.auth.login.LoginContext and then call the login method on it to log in as a user. I then call the javax.security.auth.Subject.doAs() method, which calls the run method in a class implementing java.security.PrivilegedAction. But when I actually try to change the password using InitialDirContext.modifyAttributes(), I get the exception:
    javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 00002077: SvcErr: DSID-03190DC9, problem 5003 (WILL_NOT_PERFORM), data 0
    If anyone can help me figure out why it doesn't work, that would be great!
    P.S.: I know the error seems to suggest that there might be some Active Directory setting that is preventing this from working, but I've checked all relevant settings on the Windows 2003 Server Active Directory that I can think of: in the User properties -> Account -> Account options, I've made sure the user can change the password. Also, in Group Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Password Policy, Maximum password age is zero and so is minimum password age.
    Here's my Java code:
    {code}
    import java.security.PrivilegedActionException;
    import javax.naming.NamingException;
    import javax.security.auth.Subject;
    import javax.security.auth.login.LoginContext;
    import javax.security.auth.login.LoginException;

    // userDn is the distinguished name of the user being modified. The posted
    // code obtained it as rz.getName(); rz is not shown in the post, so it is
    // taken as a parameter here. The posted throws clause also named an
    // ACException that is not defined in the post and was never thrown.
    public void changeSecret(String uid, String userDn, String oldPassword, String newPassword)
            throws NamingException {
        LoginContext lc = null;
        try {
            // Authenticate to the KDC as the user whose password is being changed
            K5CallbackHandler cb = new K5CallbackHandler(uid, oldPassword);
            lc = new LoginContext("marker", cb);
            lc.login();
            // Run the LDAP modify with the user's Kerberos credentials
            Subject.doAs(lc.getSubject(), new ChangePasswordAction(userDn, oldPassword, newPassword));
        } catch (LoginException e) {
            throw new NamingException("Kerberos login failed: " + e.getMessage());
        } catch (PrivilegedActionException e) {
            // run() only declares NamingException, so this is the LDAP error
            throw (NamingException) e.getException();
        } finally {
            if (lc != null) {
                try {
                    lc.logout();
                } catch (LoginException e) {
                    // nothing more to do once the change has been attempted
                }
            }
        }
    }
    {code}
    ChangePasswordAction.java is:
    {code}
    import java.nio.charset.StandardCharsets;
    import java.security.PrivilegedExceptionAction;
    import java.util.Hashtable;
    import javax.naming.Context;
    import javax.naming.NamingException;
    import javax.naming.directory.*;

    class ChangePasswordAction implements PrivilegedExceptionAction<Void> {
        private final String userDn;
        private final String quotedOldPassword;
        private final String quotedNewPassword;

        public ChangePasswordAction(String userDn, String oldPassword, String newPassword) {
            this.userDn = userDn;
            // AD expects each unicodePwd value as the password wrapped in double quotes
            quotedOldPassword = "\"" + oldPassword + "\"";
            quotedNewPassword = "\"" + newPassword + "\"";
        }

        public Void run() throws NamingException {
            Hashtable<String, String> env = new Hashtable<>();
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, "ldap://ad2k3:389");
            env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
            DirContext ctx = new InitialDirContext(env);
            try {
                // ... encoded as UTF-16LE without a byte-order mark
                byte[] oldPasswordUnicode = quotedOldPassword.getBytes(StandardCharsets.UTF_16LE);
                byte[] newPasswordUnicode = quotedNewPassword.getBytes(StandardCharsets.UTF_16LE);
                // A self-service change removes the old value and adds the new one in a single modify
                ModificationItem[] mods = new ModificationItem[2];
                mods[0] = new ModificationItem(DirContext.REMOVE_ATTRIBUTE, new BasicAttribute("unicodePwd", oldPasswordUnicode));
                mods[1] = new ModificationItem(DirContext.ADD_ATTRIBUTE, new BasicAttribute("unicodePwd", newPasswordUnicode));
                ctx.modifyAttributes(userDn, mods);
            } finally {
                ctx.close();
            }
            return null;
        }
    }
    {code}
    K5CallbackHandler is:
    {code}
    import javax.security.auth.callback.*;

    final class K5CallbackHandler implements CallbackHandler {
        private final String name;
        private final char[] passwd;

        public K5CallbackHandler(String nm, String pw) {
            name = nm;
            if (pw == null) {
                passwd = new char[0];
            } else {
                passwd = pw.toCharArray();
            }
        }

        public void handle(Callback[] callbacks)
                throws java.io.IOException, UnsupportedCallbackException {
            for (int i = 0; i < callbacks.length; i++) {
                if (callbacks[i] instanceof NameCallback) {
                    // Supply the Kerberos principal name (the posted code cast the whole array here)
                    NameCallback cb = (NameCallback) callbacks[i];
                    cb.setName(name);
                } else if (callbacks[i] instanceof PasswordCallback) {
                    PasswordCallback cb = (PasswordCallback) callbacks[i];
                    cb.setPassword(passwd);
                } else {
                    throw new UnsupportedCallbackException(callbacks[i]);
                }
            }
        }
    }
    {code}
    The relevant entry in the JAAS.conf file that is referred to as "marker" in the LoginContext constructor is:
    {code}
    marker {
        com.sun.security.auth.module.Krb5LoginModule required client=TRUE;
    };
    {code}

    This is one of the two Active Directory operations I have never solved using Java/JNDI. (FYI the other one is Cross Domain Move).
    My gut feel is that the underlying problem (which happens to be common to both Change Password & X-Domain Move) is that Java/JNDI/GSSAPI does not negotiate a sufficiently strong key length that allows Active Directory to change passwords or perform cross domain moves when using Kerberos & GSSAPI.
    Active Directory requires at a minimum, 128 bit key lengths for these security related operations.
    In more recent Kerberos suites and Java versions, support for RC4-HMAC & AES has been introduced, so it may be possible that you can negotiate a suitably strong key length.
    Make sure that your Kerberos configuration is using either RC4-HMAC or AES and that Java is requesting a strong level of protection. You can do this by adding the following to the environment in your ChangePasswordAction class:
    {code}
    // Specify the quality of protection
    // e.g. auth-conf: confidentiality; auth-int: integrity
    // confidentiality is required to set a password
    env.put("javax.security.sasl.qop", "auth-conf");
    // require high-strength 128-bit crypto
    env.put("javax.security.sasl.strength", "high");
    {code}
    You may also want to enable SASL logging in your app to see what exactly is going on, and you may also want to check on the Java Security forum how to configure/enforce/check that either RC4-HMAC or AES is used as the Kerberos cipher suite and that a strong key length is being used.
    Good luck.
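    An added example, not code from either poster: it builds the unicodePwd modification that Active Directory expects (quoted, UTF-16LE) and models the transport rule behind the 00002077 / WILL_NOT_PERFORM error, in Python rather than the thread's Java so it runs offline without a directory. Operation codes follow RFC 4511; no LDAP library is assumed.

```python
# Added example (not from the forum thread): the unicodePwd encoding AD requires
# and the session-confidentiality rule that turns a plain GSSAPI bind into
# "error code 53 - 00002077 ... problem 5003 (WILL_NOT_PERFORM)".

# ModifyRequest operation codes from RFC 4511 (no LDAP library needed offline)
MOD_ADD, MOD_DELETE = 0, 1


def encode_unicode_pwd(password: str) -> bytes:
    """unicodePwd value: the password wrapped in double quotes, encoded as
    UTF-16LE with no byte-order mark and no terminating NUL."""
    return ('"' + password + '"').encode("utf-16-le")


def decode_unicode_pwd(value: bytes) -> str:
    """Reverse of encode_unicode_pwd; rejects values missing the quotes."""
    text = value.decode("utf-16-le")
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        raise ValueError("unicodePwd value must be enclosed in double quotes")
    return text[1:-1]


def self_service_change(old_password: str, new_password: str) -> list:
    """A user changing their own password sends DELETE old + ADD new in one
    ModifyRequest (what the thread's ChangePasswordAction does); AD verifies
    the old value and applies the password policy to the new one."""
    return [
        (MOD_DELETE, "unicodePwd", [encode_unicode_pwd(old_password)]),
        (MOD_ADD, "unicodePwd", [encode_unicode_pwd(new_password)]),
    ]


def transport_allows_unicode_pwd(scheme: str, sasl_qop: str = "auth") -> bool:
    """AD only writes unicodePwd on a confidential session: LDAPS, or a
    GSSAPI bind negotiated with qop=auth-conf (sealing). JNDI's default qop
    is "auth" (no sealing), so ldap://host:389 with GSSAPI and the default
    qop, as in the thread, is refused with WILL_NOT_PERFORM."""
    if scheme == "ldaps":
        return True
    return scheme == "ldap" and sasl_qop == "auth-conf"


if __name__ == "__main__":
    for op, attr, values in self_service_change("OldPass1", "NewPass2"):
        print(op, attr, values[0].hex())
    print(transport_allows_unicode_pwd("ldap"))               # the thread's setup
    print(transport_allows_unicode_pwd("ldap", "auth-conf"))  # the reply's fix
```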

  • Creation of a second Exchange 2013 server on a different site (with the roles of MBX and CAS) fails on prepare active directory and prepare schema.

    Hello everyone
    I have a network infrastructure consisting of 3 sites: site A, site B, and site C. I have 2 domain controllers on every site, and the AD roles are on the primary domain controller on site A. On site A I have an Exchange 2013 SP1 CU6 server.
    I want to create a second Exchange server on site B, with the mailbox role (the Exchange server on site A will be the first DAG member and the Exchange server on site B will be the second member of the DAG) and the CAS role.
    First question: Is my thinking correct about installing the mailbox and CAS roles on the same server?
    Second question: How many DAG witnesses do I need for the DAG? One per site, or one in general (for example located on site A)?
    Third question: When I try to perform "Setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms", I receive the error:
    "Setup encountered a problem while validating the state of Active Directory:
    The Active Directory schema version (15303) is higher than Setup's version (15292). Therefore, PrepareSchema can't be executed. See the Exchange setup log for more information on this error. For more information, visit:
    http://technet.microsoft.com/library(EXCHG.150)/ms.exch.setupreadiness.AdInitErrorRule.aspx"
    I tried to run PrepareSchema from the ISO of Exchange 2013 SP1 and from the extracted content of the Exchange 2013 SP1 CU6 archive, but I still receive the same error. Any ideas?
    Thanks in advance.

    Thank you for your answer,
    I have tried to run "Setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms" from the
    Exchange 2013 CU6 media, but I still receive the error:
    "The Active Directory schema version (15303) is higher than Setup's version (15292). Therefore, PrepareSchema
    can't be executed. See the Exchange setup log for more information on this error. For more information, visit: http://technet.microsoft.com/library(EXCHG.150)/ms.exch.setupreadiness.AdInitErrorRule.aspx"
    Any ideas?
