AD user object ntSecurityDescriptor changed

We have a single user object that was created with the same values under ntSecurityDescriptor as all other user objects in the same OU. Yesterday the user had
issues, no email, unable to access shared drives, unable to print etc. When we investigated we found over half of the settings under ntSecurityDescriptor
had been lost. There is nothing in the event logs/audit to show what, if anything, was done to his account.
I ran Get-ADUser -Filter * -Properties ntSecurityDescriptor | select -ExpandProperty ntSecurityDescriptor and found many inconsistencies despite user accounts being created to a standard format, apart from domain admins/IT staff.
Is there a default set of values for ntSecurityDescriptor? If so, what is it?
Also, does anyone have any idea how a user object can suddenly lose some of these settings?

ntSecurityDescriptor == The Security Tab. This attribute holds the security defined on the object, aka the ACL (Access Control List) and a set of ACEs (Access Control Entries). Those can either be defined explicitly on the object or inherited from parent objects
in the tree. Each objectClass (type) gets a set of default ACEs from its schema definition - those are stored in defaultNtSecurityDescriptor.
ntSecurityDescriptor is changed when the security is changed on the object, or on any other object above the particular object in the tree. Is the particular user a member of any built-in group such as Domain Admins, Server Operators, Account Operators, Backup
Operators or Print Operators? If yes, AdminSDHolder might be what is causing what you're experiencing:
http://technet.microsoft.com/sv-se/magazine/2009.09.sdadminholder(en-us).aspx
However, changes to ntSecurityDescriptor / ACL would not result in the issues you describe, such as the particular user who had its ntSecurityDescriptor changed losing access to resources.
Enfo Zipper
Christoffer Andersson – Principal Advisor
http://blogs.chrisse.se - Directory Services Blog
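
The comparison discussed in this thread, as an added example that is not part of the original posts: it parses two security descriptors in SDDL form, reports whether inheritance is blocked on the target (what AdminSDHolder does to protected accounts), and lists the ACEs a reference user has that the target lacks. The function names, the SIDs, the SDDL strings and the OU path are constructed for illustration.

```powershell
# Added example: diff the DACL of one user object against a reference user.
# Works on SDDL strings, so it can be tried without a domain (Windows only).

function Get-DaclSummary {
    param([Parameter(Mandatory)][string]$Sddl)

    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $Sddl
    $protectedFlag = [System.Security.AccessControl.ControlFlags]::DiscretionaryAclProtected

    $aces = foreach ($ace in $sd.DiscretionaryAcl) {
        # Object ACEs carry the GUID of the attribute or extended right they apply to.
        $objectType = ''
        if ($ace -is [System.Security.AccessControl.ObjectAce]) {
            $objectType = $ace.ObjectAceType.ToString()
        }
        [pscustomobject]@{
            Inherited = $ace.IsInherited
            Key       = '{0}|{1}|0x{2:X8}|{3}' -f $ace.AceType,
                            $ace.SecurityIdentifier.Value, $ace.AccessMask, $objectType
        }
    }

    [pscustomobject]@{
        # True when the "P" flag is set on the DACL (inheritance from parents is blocked).
        InheritanceBlocked = $sd.ControlFlags.HasFlag($protectedFlag)
        Explicit           = @($aces | Where-Object { -not $_.Inherited } | ForEach-Object Key)
        Inherited          = @($aces | Where-Object { $_.Inherited } | ForEach-Object Key)
    }
}

function Compare-Dacl {
    param(
        [Parameter(Mandatory)][string]$ReferenceSddl,
        [Parameter(Mandatory)][string]$TargetSddl
    )

    $ref = Get-DaclSummary -Sddl $ReferenceSddl
    $tgt = Get-DaclSummary -Sddl $TargetSddl
    $refAll = $ref.Explicit + $ref.Inherited
    $tgtAll = $tgt.Explicit + $tgt.Inherited

    [pscustomobject]@{
        InheritanceBlocked = $tgt.InheritanceBlocked
        InheritedAceCount  = $tgt.Inherited.Count
        MissingAces        = @($refAll | Where-Object { $tgtAll -notcontains $_ })
        ExtraAces          = @($tgtAll | Where-Object { $refAll -notcontains $_ })
    }
}

# Constructed sample data. The reference user has explicit ACEs plus two
# inherited ones (flag ID); the affected user has a protected DACL (D:PAI)
# and only two explicit ACEs left.
$referenceSddl = 'D:AI' +
    '(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)' +
    '(A;;RPLCLORC;;;PS)' +
    '(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)' +
    '(A;CIID;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1111111111-2222222222-3333333333-519)' +
    '(A;CIID;RPLCLORC;;;AU)'

$affectedSddl = 'D:PAI' +
    '(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)' +
    '(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)'

Compare-Dacl -ReferenceSddl $referenceSddl -TargetSddl $affectedSddl | Format-List

# Against a live domain (ActiveDirectory module; the OU path is a placeholder).
# adminCount = 1 together with a blocked DACL points at AdminSDHolder.
# Get-ADUser -SearchBase 'OU=Staff,DC=example,DC=com' -Filter * `
#         -Properties nTSecurityDescriptor, adminCount |
#     Select-Object SamAccountName, adminCount,
#         @{ n = 'Sddl'; e = { $_.nTSecurityDescriptor.GetSecurityDescriptorSddlForm('Access') } }
#
# The per-class default asked about in the question is stored on the class's
# schema object (the User classSchema object in the schema naming context).
```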

Similar Messages

  • AD User object - cannot change Terminal Server Profile Path

    Hello
    When I try to change the "Profile Path:" on the "Remote Desktop Services Profile" Tab on a User's AD Properties, I receive an Error Message:
    "Operation failed: The operation completed successfully."
    After closing and reopen the users properties, the old path is shown as Profile Path...
    The problem seems to be on only 1 user account.
    Any ideas how I can fix this error?
    Thanks very much for any help
    pAscii

    Hi,   
    Could you tell us how many users have this problem?
    Did you change the path to remote domain?
    Is there any other error information?
    Does the user have permission to access the new location?
    More detailed information about this setting is appropriate.
    Best Regards,
    Erin

  • How one user can change other user objects- urgent

    My user id is changed from userxx to useryy,
    I have some objects which userxx developed and activated, so now I want to work/access the objects logging with useryy.
    I get the message saying userxx has the object locked, you can transfer objects to your change list but,
    when I am trying I see the transfer option on those change list is disabled.
    Please reply
    thanks
    KK

    KK,
    First unlock the object as krishna said and then reassign ie., transfer his changed list under your name. Then you activate it.
    Whenever one user is working on the object and another tries to edit then you will have this message.
    Hope this helps......
    ---Satish

  • How do I get the value of a resource property stored in the user object?

    I need a way to get to the myflag property on the resources in an object
    I have been trying to get to it by first getting the user object...
    but how can I get to the properties themselves?
    If the following is the user object and I need to refer to the different myflag properties in a form?
    What I want to do is to make the system NOT change password on accounts where the myflag is set to true
    Anyone that could point me right here?
    I use the following code to get the userObj in the form...
          <Field name='userObj'>
            <Derivation>
              <invoke name='getObject'>
                <ref>:display.session</ref>
                <s>User</s>
                <ref>resourceAccounts.id</ref>
              </invoke>
            </Derivation>
            <Disable>
              <isnull>
                <ref>resourceAccounts.id</ref>
              </isnull>
            </Disable>
          </Field>
    And the resulting userObj looks like this
    <!--  MemberObjectGroups="#ID#Top" hasCapabilities="true" id="#ID#BAF7-:882E9B73531:87D587F7-:726EA99B2E0A89CD" name="43725"-->
    <User id='#ID#BAF7-:882E9B73531:87D587F7-:726EA99B2E0A89CD' name='43725' creator='Nnnnn' createDate='1328101309098' lastModifier='Nnnnn' lastModDate='1352128262380' lastMod='71' repoMod='1352128262383' primaryObjectClass='User' password='xxx' lastPasswordUpdate='1352128195038'>
      <Services>
        <ObjectRef type='Resource' id='#ID#DC98A0E2B99AE627:1A6684F:10F96310B9F:-7FE1' name='Xolid'/>
      </Services>
      <PasswordExpiration>2012-11-04T15:09:55.038Z</PasswordExpiration>
      <ResourceInfoList>
        <ResourceInfo accountId='cn=S43725,ou=Xolid Users,ou=User Accounts,dc=adxx,dc=xxx,dc=net' accountGUID='&lt;GUID=3c020b6e1c253d45808fc47889201c4a&gt;' tempId='dc98a0e2b99ae627:-3984a159:139b34ea14f:-4c10' created='true' lastPasswordUpdate='1352128262115'>
          <ObjectRef type='Resource' id='#ID#DC98A0E2B99AE627:1A6684F:10F96310B9F:-7FE1' name='Xolid'/>
          <ResourcePropertyValues>
            <Map>
              <MapEntry key='myflag' value='false'/>
            </Map>
          </ResourcePropertyValues>
        </ResourceInfo>
        <ResourceInfo accountId='cn=S43725A,ou=Administrative Users,ou=User Accounts,dc=adxx,dc=xxx,dc=net' accountGUID='&lt;GUID=fc4ca613bf40b644948cf216e1ec50bd&gt;' tempId='dc98a0e2b99ae627:-4ce08fd6:13a5c68dd38:4fc4' created='true' lastPasswordUpdate='1352128262285'>
          <ObjectRef type='Resource' id='#ID#DC98A0E2B99AE627:1A6684F:10F96310B9F:-7FE1' name='Xolid'/>
          <ResourcePropertyValues>
            <Map>
              <MapEntry key='myflag' value='true'/>
            </Map>
          </ResourcePropertyValues>
        </ResourceInfo>
      </ResourceInfoList>
      <Attribute name='closest_manager' type='string' value='77774'/>
      <Attribute name='firstname' type='string' value='Test'/>
      <Attribute name='fullname' type='string' value='Testersson, Test'/>
      <Attribute name='xr_attr_flag' type='string' value='N -------- MA20120201 MB20120201 MC20120201 MD20120201 ME20120201 MF20120201 MG20120201 MH20120201 MI20120201 MJ20120201 MK20120201'/>
      <Attribute name='xr_date_flag' type='string' value='N 20120914 MS20120201 MT20120914'/>
      <Attribute name='lastname' type='string' value='Testersson'/>
      <Attribute name='local_id' type='string' value='S43725'/>
      <Attribute name='position_end_date' type='string' value='2012-08-10 01:08:18.0'/>
      <AdminRoles>
        <ObjectRef type='AdminRole' id='#ID#DC98A0E2B99AE627:1A6684F:10F96310B9F:-7FF7' name='XXX - Manager'/>
      </AdminRoles>
      <MemberObjectGroups>
        <ObjectRef type='ObjectGroup' id='#ID#Top' name='Top'/>
      </MemberObjectGroups>
      <Properties>
        <Property name='AD_HomeDir_Xolid_S43725' value='\\XXX5014A\UserFolders$\S43725'/>
        <Property name='AD_ProfileDir_Xolid_S43725' value='\\XXX5014A\UserProfiles$\S43725'/>
        <Property name='idm_lastLoginLocale' value='sv'/>
        <Property name='myflag' value='false'/>
      </Properties>
    </User>

    Thanks Praveen.
    I was missing the default namespace of "http://sapportals.com/xmlns/cm" - I thought I could just pass an empty string for the namespace, but it looks like I must always specifiy, even if it is default.
    Tom

  • Request: compare and propagate user objects

    After making changes to table definitions, views, program units, and so on, it may be useful to propagate these changes to another database user. This may be another development environment, or a testing environment in same or another database. Like "Compare user objects" option in PLSQL/Developer.
    /* BEGIN: cut and paste from PLSQL Developer Help */
    Compare User Objects
    After making changes to table definitions, views, program units, and so on, it may be useful to propagate these changes to another database user. This may be another development environment, or a testing environment. To compare the objects of your development user with another user, you can use the Compare User Objects function in the Tools menu. This will bring up the following dialog:
    On the Selection tab page you can select the objects you wish to compare. After making this selection, you can press the Target Session button, to select the user and database that you want to compare. This will enable the Compare button, which you can press to start the compare operation. You can select the Include storage... option to include the storage information such as tablespace names and initial sizes for new objects. These may differ across databases, so this may not always be appropriate.
    When the compare operation is finished, the dialog will switch to the Differences tab page, which will show a list of all objects that are different:
    This list is sorted in order of dependency. Below the list of different objects of the target user, you see the SQL that needs to be executed to make these objects equal to the corresponding objects of the current user. If no object is selected, the SQL of all objects is displayed. If one or more objects are selected, only the SQL for the selected object(s) is displayed. In the example above, a missing EMP_MGR_EMPNO check constraint was added to the EMP table.
    The Show Differences button will show a visual line-by-line difference of the old and new source file of an object. This can be useful to view the changes made in Program Units, or can help you determine why a specific DDL statement was generated for other object types. The Configure External Difference Tool allows you to configure the difference tool should be used. By default the ExamDiff utility will be used, for which a Pro version is available (See the About item of ExamDiff’s Info menu). See also Tools - Differences.
    You can now press the Apply SQL button to execute this SQL in the target session. You can alternatively save the SQL in a file by pressing the Save SQL button, or you can copy it to the clipboard by pressing the Copy SQL button.
    When objects are compared, the following properties are ignored:
    ·     Storage – Properties such as the next extent and pct free of tables and indexes are not considered relevant for comparison.
    ·     Constraints with system generated names – These constraints will have different names for the 2 users, so they cannot be compared. If a table is new in the target session, these constraints will be generated though.
    ·     Table creation properties – Properties that would require the recreation of the table are ignored.
    ·     Table data – To export table data, use the Export Table function (see Export Tables).
    ·     Sequence values – The current value of a sequence is considered data.
    /* END: cut and paste from PLSQL Developer Help */

    This is on the list but not for 1.0.
    -kris

  • OM11g: Dynamic notifications on different user objects.

    Hello
    On the User object, I have 3 custom attributes. These attributes are of type "Checkbox". I'd like to notify an administrator when any one of these attributes change value.
    For example:
    Attribute1: Head Office Access
    Attribute2: Remote Office Access
    Attribute3: Foreign Office Access
    I have implemented a postprocess event handler on the "USER" object, for changetype "MODIFY".
    My orchestration event has the details of the attribute that changed, and I can tell if it's been checked, or unchecked, based on the value that is passed to my postprocess handler.
    My question though, is how do I call my notifier with this attribute, so i can have one notification template called "Physical Access Changed", and have the system differentiate between head office, remote office, and foreign office.
    Do I need 3 different notification templates? Can I do it with one? If so, how can I pass information from the postprocess handler, to the notification handler, to the resolver, and ultimately to the template?
    My current approach has a notification template for each access, and the same message in each of them. My post process handler then determines based on the orchestration event which attribute was changed, and then calls the NotificationEvent with the appropriate template name. However, I'd like to collapse it to one NotificationEvent, and pass the orchestration attribute to it...
    Any ideas?
    Thank you.

    Thank you.
    I have a resolver class that implements NotificationEventResolver
    public class AccessNotificationResolver implements NotificationEventResolver {
        @Override
        public HashMap<String, Object> getReplacedData(String eventType, Map<String, Object> map) {
            HashMap<String, Object> resolvedNotificationData = new HashMap<String, Object>();
            String userLogin = (String) map.get("user_login");
            // find the user
            // iterate the attributes
            return resolvedNotificationData;
        }
    }
    This works, and lets me return any of the X2-Entity attributes that are listed in the Notification plugin. But, it does not allow me to return arbitrary data. For example, the checkboxes that are checked or not checked for physical site access, in the notification show up as 1 or 0. So when someone gets added to the Head Office location my email reads:
    This is to inform you that $First_Name $Last_Name has had their access modified for the following location: Head Office: 1
    I would prefer that it say:
    This is to inform you that $First_Name $Last_Name has had their access modified for the following location: Head Office: Added
    I, however, don't seem to have a way to say "Added" and pass that up to the Notification template. Or am I missing something?
    Thank you.

  • Database SID contains user objects belonging to system user dbo

    Hi,
    I started a Java AddIn installation for NetWeaver 2004.
    ABAP stack is on SP12.
    Win2003 Server SP2
    MS SQL 2005
    SAPInst is stopping with error: Database <SID> contains user objects belonging to system user dbo.
    I can't find anything in the log files or in SMP that is guiding me into the right direction...
    Any hints??
    Thx,
    Michael

    Hi Michael,
    You can use the stored procedure sp_check_sap_login to check and verify your db-logins as per note # 610640.
    Afterwards you can use the script "user_change.sql" which is included in the attachment of note # 551915 to change the objects from 'dbo' to 'sid'.
    This may help narrow down the cause at least hopefully.
    Regards, Mark

  • Toplink 9.0.4 not generating an update statement, if the object was changed.

    I have 2 tables T_Objects and T_Categories.
    T_Objects stores images as a BLOB field. T_Categories stores the details of an article category and references the pictogram in T_Objects via a FK.
    I have 2 webpages. One which is used to load the pictogram in T_Objects and the other which is used to maintain details of the category in T_Categories. As soon as the image is uploaded and is displayed on the screen, user fills in the category details and saves them.
    Each of these operations is performed in a separate HTTP Request (and consequently separate UOW). The idea is that the user first uploads an image, checks the image on the screen and then decides to associate it with a category.
    The database is Oracle 9i. Driver used is OCI 8. Binary Stream Binding is enabled for BLOB fields. DatabasePlatform is Oracle9Platform.
    The descriptors of both the tables use SoftCacheWeakIdentity and the cache size is 100. Both tables use Optimistic Locking based on a version field using TimestampLockingPolicy.
    Coming to the problem, if the delay between the upload of the image and saving of the category details is large (say 20 seconds or so) Toplink generates a Update query to update the details in T_Categories. If the delay is smaller than that then Toplink fails to generate an update query even if the object was changed. Upon debugging I find that just before the commit, the BO being committed has all the correct details including the new PK of the uploaded image.
    Assuming that the BO pointing to T_Objects may not be in Cache (owing to images of size 200+ KB) I did an explicit read of this object before attempting to save details to T_Categories. Even that does not seem to help.
    Any ideas on what is happening here?

    Chris. Thanks for your reply. I did not get your point. However these are the steps being done.
    Can you please go through the code and check what could be wrong?
    Steps
    1) createContent(VmTObjectsVO vo) is called to insert into VM_T_OBJECTS.
    This internally calls create ( Object obj, UnitOfWork uow, boolean commitChanges )
    2) update( VmSubcategoriesVO vo ) is called to update a sub-category details to VM_T_SUBCATEGORIES.
    This internally calls save( Object bo, UnitOfWork uow, boolean commitChanges )
    In the save method at the time of uow.commitAndResume() no update statement is getting generated.
    These core methods are used for almost all tables in the application and all of them work.
    It is only in this use case I have a problem.
    /**
     * Creates a new entry for storing the image/document in VM_T_OBJECTS.
     * @param vo the content to be stored.
     * @return the sequence assigned to this object.
     */
    public Long createContent(VmTObjectsVO vo) {
        VmTObjectsVO voSaved = null;
        Long lnContentId = null;
        if (vo != null) {
            VmTObjectsBO bo = new VmTObjectsBO();
            /* copy the properties from the VO to the BO. */
            ObjectAssembler.vo2bo((BaseVO) vo, bo);
            /* Create the content */
            lnContentId = create(bo);
        }
        return lnContentId;
    }

    /**
     * updates a subcategory to VM_T_SUBCATEGORIES
     * @param vo VmSubcategoriesVO to update.
     * @return updated VmSubcategoriesVO
     */
    public VmSubcategoriesVO update(VmSubcategoriesVO vo) {
        VmSubcategoriesBO boSaved = null;
        VmSubcategoriesVO voSaved = null;
        VmSubcategoriesBO bo = new VmSubcategoriesBO();
        /* Copy the properties in the VO to the BO */
        ObjectAssembler.vo2bo(vo, bo);
        /* Save the changed object */
        save(bo);
        return voSaved;
    }

    /**
     * Stores the new object in the database and
     * returns the primary key identifier with which it was created.
     * @param obj The object to be created.
     * @param uow Use this unit of work for performing the insert.
     * @param commitChanges Should commit changes upon insertion?
     * If the client wants to perform the commit operation across several other
     * operations, then the value should be set to false.
     * @return Primary key of the object created.
     */
    public Long create(Object obj, UnitOfWork uow, boolean commitChanges) {
        Object cacheObj = null;
        Long lnSequenceAssigned = null;
        if (obj == null) {
            throw new ObjectNotFoundException(null, null, null, null);
        }
        try {
            if (uow == null) {
                /* create a new unit of work if necessary */
                uow = getUnitOfWork(dbSession);
            }
            /* Assign a sequence number */
            uow.assignSequenceNumber(obj);
            /* Get the descriptor associated with this object */
            Descriptor descriptor = uow.getDescriptor(obj);
            /* Get the sequence assigned */
            lnSequenceAssigned = (Long) descriptor.getObjectBuilder().getBaseValueForField(descriptor.getSequenceNumberField(), obj);
            /* Register the object */
            uow.registerObject(obj);
            if (commitChanges) {
                /* Commit the changes */
                uow.commitAndResume();
            }
        } finally {
            return lnSequenceAssigned;
        }
    }

    /**
     * Saves changes to an existing object to the data store.
     * Has only been tested for flat-objects. Objects that reference other
     * persistent objects have not been tested.
     * @param bo The object to be saved.
     * @param uow The UnitOfWork to use for saving the object.
     * @param commitChanges whether the changes should be committed.
     * If the client wants to perform the commit operation across several other
     * operations, then the value should be set to false.
     */
    public void save(Object bo, UnitOfWork uow, boolean commitChanges) {
        if (bo == null) {
            throw new IllegalArgumentException(
                "Object is invalid");
        }
        try {
            /* Register the object supposed to be existing */
            Object clone = uow.registerExistingObject(bo);
            /* This object does not exist */
            if (clone == null) {
                throw new ObjectNotFoundException("object not found", "dao", bo.getClass().getName(), bo.toString());
            }
            /* Copy the properties from the object to the clone, to ensure that
             * the intended properties have not been overwritten in the object from
             * the cache
             */
            ObjectAssembler.copy(bo, clone);
            /* Commit the changes. */
            if (commitChanges) {
                uow.commitAndResume();
            }
        } finally {
            dbSession.release();
        }
    }

  • Links in User Object in aspx

    I have a user object that I use on my aspx page. If I use the
    same style sheet on my page inside my user object the object
    displays fine. But if I take the link out of the object, the page
    doesn't display correctly in the design view. Even though the link
    style sheet is in the page itself.
    When I load the page into the browser it displays fine.
    The only way to handle the problem is to put the link or
    style elements in the User Object itself. But that defeats the
    purpose of being able to move the object from page to page and use
    the styles of each sheet.
    Anyway to solve this?
    Thanks,
    Tom

    Nevermind.
    It was displaying fine but the relative address was giving it
    a problem.
    When I changed that it worked fine.
    Tom

  • RE: (forte-users) Object Request Brokers.....

    Hi Rajeev,
    I just happen to have the following two technotes on hand that helped me
    answer the very same questions..
    <<forte.zip>>
    Hope it helps... if you need more help... feel free to give me a shout!
    Ciao
    Kim
    -----Original Message-----
    From: Rajeev Talwar [SMTP:rtalshotmail.com]
    Sent: Monday, February 21, 2000 6:34 PM
    To: kamranaminyahoo.com
    Subject: (forte-users) Object Request Brokers.....
    Hi All,
    We are writing a cold fusion application which needs to use some
    services from a Forte application. We also have a Cold Fusion Visi
    Broker(ORB)to communicate with Forte. I was wondering what all we need
    in order to get a handle to all the service objects used by Forte
    application in our Cold Fusion application.
    Also do we need to change our deployment scheme for the Forte
    application. I
    believe we have to make a special deployment
    for Forte application to be available to ORB's. By default,
    Forte uses Unix internal communication mechanism like sockets
    etc. for service objects to be available across different
    partitions.
    Also do we need to run both applications and ORB on the same box
    or can we put them in some kind of network.
    I hope I made myself quite clear what we are looking for. I will be
    more than happy to put some more details in case someone needs
    further clarification.
    Are there any technotes out there which we can refer to.
    I will appreciate any thoughts.
    -Rajeev Talwar
    For the archives, go to: http://lists.xpedior.com/forte-users and use
    the login: forte and the password: archive. To unsubscribe, send in a
    new
    email the word: 'Unsubscribe' to:
    forte-users-requestlists.xpedior.com

    You can also use the HTTP-DC project.... You don't
    need Web Enterprise for this. From what I can tell,
    this is available in L.x on....
    There is api documentation in M.2 (with scant
    examples.)
    There's a special process to put the project in your
    repository (it isn't installed in the repository in
    the standard install,) the documentation in M.2
    (probably in M.0 too, AFAIK) that tells you how to do
    this (look for HTTP-DC in the online help.)
    I haven't done much with it yet, I've just installed
    it. If anybody out there has examples, that'd be
    great. I'll try to contribute more the moment I get a
    chance to explore it....
    Christopher Fury
    BellSouth Communications Systems
    --- Daniel Nguyen <dnguyenclub-internet.fr> wrote:
    Hi,
    If you have Web Enterprise, you can use
    HttpAccess.SendRequest().
    Hope this helps,
    Daniel Nguyen
    Freelance Forte Consultant
    Amin, Kamran wrote:
    Is there any way to make a HTTP request from TOOL to another HTTP Service?
    thanks in advance.

  • Java.lang.OutOfMemoryError when trying to refresh all User objects

    Hello - I am running IdM version 7.1. Currently, I am attempting to refresh all user objects in the IdM database as directed in this article:
    http://docs.sun.com/source/820-2961/A_edit_configObjects.html
    In order to interface with the Database, I am using NetBeans on a Windows 2003 SP2 server with 3.5G of memory. Through NetBeans, I select the "Run lh command" option, provide the Configurator password when prompted, and then enter the command: "refreshType User". This is supposed to go through and "touch" each user record.
    The command runs for about 5 minutes and then bombs out with an error message:
    Exception in thread "Object Change Dispatcher" java.lang.OutOfMemoryError: Java heap space
    I'm assuming that the JRE on the Windows server I'm running NetBeans on is running out of memory. My questions are 1) Is my assumption correct and 2) If so, is there a way to allocate more memory to the Java process which is running the lh command? This Windows server is running JRE 1.5
    Thanks in advance!

    I ran into same issue, ran the deferred task scanner instead.. Took a long time to run, but didn't hang.. :)

  • Background User BWREMOTE got changed to Dialog user

    Hello,
    Recently we had a refresh in our system and after the refresh I found that a background user BWREMOTE got changed to dialog user and more strange the change documents is showing that the BWREMOTE has itself changed the user type. anybody can comment to this scenario?

    Looks like an amateur job (using dialog type user).
    You need to restrict the access of bwremote itself.
    The first step is S_USER* objects to display only.
    Contact your BW developer team. For sure they did it.
    Cheers,
    Julius

  • Moving distribution list memberships from contact to user object with sync engine

    We only have the FIM sync engine and when replacing an AD contact object with a user object I am being asked to move the distribution lists that the contact is a member of over to the new user object. I've done the contact to user replacement provisioning
    many times before but never had to migrate the group memberships over.
    Does anyone have any advice for the best approach to do this?

    This is what I suspected.  You are not doing conversions.  You are simply Deprovisioning contact and provisioning user. For all intents and purposes, the 2 objects are not related in any shape or form.  So how do you know that this contact
    is related to that user?? 
    What you need is, to have both objects connected at the same time in MV before contact is deprovisioned.  Only this way you know that user 'U' is the same as contact 'C'.  FIM needs to know this.
    For this, you need to have one MV object with 2 AD connectors, one for user and one for contact. You can use two MAs, or you can use code to have one object with 2 connectors.  (Usually this is not allowed, but with code you can pass this)
    Before deprovisioning contact, you do the group membership changes, then you deprovision contact. 
    Nosh Mernacaj, Identity Management Specialist

  • Entity object track changes "Modified by"

    Hi Experts,
    I have a question about entity object track changes. I change enabled one entity object attribute to track change "Modified by".
    However, whenever the DB changes occur then the Modified column is updated, however the name is the database connection user name. How can I override that value during the record update? Do I need to set any DbTransaction.session environment variable to save that in the db?
    - t

    Sorry for the late reply,
    I tried this but no luck. Can anyone let me know how to change the entity history columns values like modified by user name. etc....
    - t

  • Exchange 2003 - bulk create smtp contacts from user objects, bulk forward to smtp contacts, bulk turn off forwarding

    Exchange 2003 running on Windows server 2003.  ~50 Users all in same OU on same domain with primary email address [email protected]  objective is to create smtp contacts from each of the user objects imported back into the same domain in
    a different OU with mail, targetAddress, proxyAddresses/SMTP on the contacts being [email protected] and the options 'automatically update email addresses based on recipient policy' disabled and hidden from GAL for all.   At a later time will require
    a method to bulk forward all of the user objects to their corresponding  [email protected] contact object and a way to bulk disable the forwarding at a later time.   
    ldifde created the contacts via export/import but Exchange seems to like rewriting the mail & proxyaddresses  or replacing domain2.com with one of the internal recipient policy domains requiring manual change in AD.
    ldifde -f export-01.ldf -s dc1.domain1.com -d "OU=Users,OU=people,DC=domain1,DC=com" -r "(&(objectCategory=person)(objectClass=user)(givenname=*))" -l "cn,givenName,objectclass,samAccountName,mail,physicalDeliveryOfficeName,displayName,name,description,sn,targetAddress"
    ldifde -i -f import-test-01.ldf -s dc1.domain1.com
    I'm then using ADModify.net to bulk modify hide from address lists attribute and correct the mail, targetaddress, proxyaddress attributes, possibly forwarding as well.  The process is clunky compared to something like powershell on Exchange 2010. 
    Am I going about this the wrong way?

    users will remain on the domain.  decommissioning or altering access to the old mailboxes until some point post-migration would be unwanted so there's a fallback method in case anything goes wrong.  until testing reveals a better method, the strategy
    for Exchange 2003 / Server 2003 environment will remain as is for now using ldifde export of select user object attributes followed by ldifde import of select attributes to contact objects, followed by admodify.net / admodcmd updating of the necessary mail/exchange
    attributes via %’mailNickName’% similar to what's described below to forward internal mail to the external host.
    Using ADModify to Change Exchange Specific AD User Attributes in Bulk
    Using ADModify – A real world example
