Add new attribute in active directory schema

Hi,
I need to add two new attributes to the schema in my forest for the user class.
The attribute names are jobclasscode and jobclass.
How can I achieve this, and where can I get an X.500 OID?
We are running the following AD forest:
DFL and FFL: Windows Server 2003
DCs: AD 2008 R2.

Hi,
You can use the LDIFDE command to export the schema attributes to <filename>.ldf (which can be edited using Notepad), as given below:
ldifde -f c:\<filename>.ldf -d "cn=schema,cn=configuration,dc=<mydomain>,dc=<com>"
Check out the thread below for a similar discussion:
http://social.technet.microsoft.com/Forums/windowsserver/en-US/6789d4c2-1027-4a64-9f04-eaf7996893c5/ldifde-command-to-export-everything
Regards,
Gopi
JiJi
Technologies
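The reply above covers exporting the existing schema with ldifde. The import side, the LDIF that actually creates the two attributes asked for and attaches them to the user class, is shown by the following added example; it is not code from the thread. It writes the attributeSchema stanzas (attributeID, lDAPDisplayName, the attributeSyntax/oMSyntax pair, isSingleValued, searchFlags), a schemaUpdateNow so the DC reloads its schema cache before the class is modified, and a modify that adds the new names to the User class's mayContain. The OID arc used is a constructed placeholder: a real attributeID must come from an OID arc your organisation controls, either one registered for you (an IANA private enterprise number) or one issued by Microsoft's oidgen.vbs, which hands out values under 1.2.840.113556.1.8000.2554. The DC=X in the DNs is the documented ldifde convention, replaced at import time with `-c "DC=X" "DC=yourdomain,DC=com"`.

```python
"""Build an AD schema-extension LDIF for new user attributes (added example)."""
import re

# attributeSyntax / oMSyntax pairs that AD requires to agree (subset).
SYNTAXES = {
    "string":  ("2.5.5.12", 64),  # Unicode (DirectoryString)
    "integer": ("2.5.5.9", 2),    # 32-bit integer
    "boolean": ("2.5.5.8", 1),
}

# searchFlags bits used below.
SF_INDEXED = 1
SF_CONFIDENTIAL = 128   # value readable only by principals granted CONTROL_ACCESS on it

# Constructed placeholder arc. Replace with an OID from an arc you control
# (Microsoft's oidgen.vbs issues arcs under 1.2.840.113556.1.8000.2554).
PLACEHOLDER_ARC = "1.2.840.113556.1.8000.2554.12345.67890"

SCHEMA_DN = "CN=Schema,CN=Configuration,DC=X"   # DC=X is substituted by ldifde -c

_OID_RE = re.compile(r"^[0-2](\.(0|[1-9][0-9]*))+$")


def valid_oid(oid):
    """True for a dotted-decimal OID: first arc 0-2, no empty or zero-padded arcs."""
    return bool(_OID_RE.match(oid))


def attribute_entry(name, oid, syntax, single_valued=True,
                    indexed=False, confidential=False):
    """LDIF 'add' stanza for one attributeSchema object."""
    if not valid_oid(oid):
        raise ValueError("malformed attributeID: %r" % oid)
    attr_syntax, om_syntax = SYNTAXES[syntax]
    flags = (SF_INDEXED if indexed else 0) | (SF_CONFIDENTIAL if confidential else 0)
    return "\n".join([
        "dn: CN=%s,%s" % (name, SCHEMA_DN),
        "changetype: add",
        "objectClass: attributeSchema",
        "attributeID: %s" % oid,
        "lDAPDisplayName: %s" % name,
        "adminDisplayName: %s" % name,
        "attributeSyntax: %s" % attr_syntax,
        "oMSyntax: %d" % om_syntax,
        "isSingleValued: %s" % ("TRUE" if single_valued else "FALSE"),
        "searchFlags: %d" % flags,
        "systemOnly: FALSE",
    ]) + "\n"


def schema_update_now():
    """Modify on the RootDSE that makes the DC reload its schema cache immediately."""
    return "dn:\nchangetype: modify\nadd: schemaUpdateNow\nschemaUpdateNow: 1\n-\n"


def add_may_contain(class_name, attr_names):
    """LDIF 'modify' that lets the class optionally carry the new attributes."""
    lines = ["dn: CN=%s,%s" % (class_name, SCHEMA_DN), "changetype: modify", "add: mayContain"]
    lines += ["mayContain: %s" % a for a in attr_names]
    lines.append("-")
    return "\n".join(lines) + "\n"


def build_ldif(attributes, class_name="User"):
    """attributes: list of keyword dicts for attribute_entry(); returns the whole LDIF.
    Attributes come first, then a cache refresh, then the class change that references them."""
    oids = [a["oid"] for a in attributes]
    if len(set(oids)) != len(oids):
        raise ValueError("attributeID values must be unique")
    parts = [attribute_entry(**a) for a in attributes]
    parts.append(schema_update_now())
    parts.append(add_may_contain(class_name, [a["name"] for a in attributes]))
    parts.append(schema_update_now())
    return "\n".join(parts)


# The two attributes from the question; OIDs are placeholders under the constructed arc.
JOB_ATTRIBUTES = [
    {"name": "jobClassCode", "oid": PLACEHOLDER_ARC + ".1", "syntax": "string", "indexed": True},
    {"name": "jobClass", "oid": PLACEHOLDER_ARC + ".2", "syntax": "string"},
]

if __name__ == "__main__":
    print(build_ldif(JOB_ATTRIBUTES))
```

Save the output as jobclass.ldf and import it with `ldifde -i -f jobclass.ldf -c "DC=X" "DC=yourdomain,DC=com"` while logged on as a member of Schema Admins and connected to the schema master; the change replicates to every DC in the forest. Test in a lab forest first: a schema attribute can later be defuncted but never deleted, and anything attached to the user class exists on every user object. If the job data is sensitive, set `confidential=True` so only principals granted CONTROL_ACCESS on the attribute can read it.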

Similar Messages

  • Need Help creating new user in Active Directory

    I am trying to create a new user in Active Directory via a Java application. I have included the code that I am using. I am able to successfully bind to Active Directory. I have been able to change passwords and delete users, but I have not been able to create a user.
    ldapHost : "mta101.DOM101.CEL.ACC.AF.MIL"
    domainName: "dc=dom101,dc=cel,dc=acc,dc=af,dc=mil"
    existing account: CN=Brett K. Humpherys,OU=Users,OU=CEL
    I get the following error on the createSubcontext statement:
    javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 21 - 00000057: LdapErr: DSID-0C09098B, comment: Error in attribute conversion operation, data 0, v893 ; remaining name 'CN=test1,OU=Users,OU=CEL'
    I have commented out the password portion and change the ObjectCategory to a 32 and get the same error.
    public GblStatus createAccount7(DbaDb dbConn,
                                    String jsrcName,
                                    String personName,
                                    String username,
                                    String password) {
        Hashtable ldapEnv = new Hashtable(11);
        ldapEnv.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        ldapEnv.put(Context.PROVIDER_URL, "ldap://" + this.ldapHost + ":636");
        ldapEnv.put(Context.SECURITY_AUTHENTICATION, "simple");
        ldapEnv.put(Context.SECURITY_PROTOCOL, "ssl");
        ldapEnv.put(Context.REFERRAL, "ignore");
        ldapEnv.put(Context.SECURITY_PRINCIPAL, "cn=" + this.adminAcct + ",cn=users," + this.domainName);
        ldapEnv.put(Context.SECURITY_CREDENTIALS, this.adminPwd);
        try {
            // Create the initial context
            DirContext ctx = new InitialDirContext(ldapEnv);
            BasicAttributes attrs = new BasicAttributes();
            BasicAttribute ocs = new BasicAttribute("objectclass");
            ocs.add("top");
            ocs.add("person");
            ocs.add("organizationalPerson");
            ocs.add("user");
            attrs.put(ocs);
            BasicAttribute gn = new BasicAttribute("givenName", "test1");
            attrs.put(gn);
            BasicAttribute sn = new BasicAttribute("sn", "");
            attrs.put(sn);
            BasicAttribute cn = new BasicAttribute("cn", "test1");
            attrs.put(cn);
            BasicAttribute uac = new BasicAttribute("userAccountControl", "66048");
            attrs.put(uac);
            BasicAttribute sam = new BasicAttribute("sAMAccountName", "test1");
            attrs.put(sam);
            BasicAttribute disName = new BasicAttribute("displayName", "test1");
            attrs.put(disName);
            BasicAttribute userPrincipalName = new BasicAttribute
                                          ("userPrincipalName", "[email protected]");
            attrs.put(userPrincipalName);
            BasicAttribute instanceType = new BasicAttribute("instanceType", "4");
            attrs.put(instanceType);
            BasicAttribute objectCategory = new BasicAttribute
                      ("objectCategory", "CN=User,CN=Schema,CN=Configuration," + domainName);
            attrs.put(objectCategory);
            String newVal = new String("\"password\"");
            byte _bytes[] = newVal.getBytes("Unicode");
            byte bytes[] = new byte[_bytes.length - 2];
            System.arraycopy(_bytes, 2, bytes, 0, _bytes.length - 2);
            BasicAttribute attribute = new BasicAttribute("unicodePwd");
            attribute.add((byte[]) bytes);
            attrs.put(attribute);
            ctx.createSubcontext("CN=test1,OU=Users,OU=CEL", attrs);
            ctx.close();
        } catch (NameAlreadyBoundException nex) {
            System.out.println("User ID is already in use, please select a different user ID ...");
        } catch (Exception ex) {
            System.out.println("Failed to create user account... Please verify the user information...");
            ex.printStackTrace();
        }
        return new GblStatus();
    }
    Any help would be much appreciated.
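The error in the post, 00000057 (ERROR_INVALID_PARAMETER) with "Error in attribute conversion operation", is what AD returns when a value cannot be converted to its attribute's syntax. Two frequent causes in an add shaped like the one above are a zero-length value (the empty `sn` here) and a unicodePwd that is not the password in double quotes encoded as UTF-16LE. Java's `"Unicode"` charset writes a byte-order mark followed by big-endian code units, so stripping the first two bytes, as the posted code does, still leaves the wrong byte order. The following is an added example in Python, not the poster's code and not part of the thread: it encodes unicodePwd the way AD expects and runs pre-flight checks over an attribute set built to mirror the posted add (the sample values are constructed).

```python
# Added example: AD unicodePwd encoding plus pre-flight checks for a user 'add'.

NUMERIC_ATTRS = {"userAccountControl", "instanceType"}


def encode_unicode_pwd(password):
    """AD's unicodePwd format: the password in double quotes, UTF-16LE, no byte-order mark."""
    return ('"%s"' % password).encode("utf-16-le")


def decode_unicode_pwd(blob):
    """Inverse of encode_unicode_pwd(); raises ValueError if the blob is not in AD's format."""
    if len(blob) % 2:
        raise ValueError("odd length; not UTF-16")
    if blob[:2] in (b"\xff\xfe", b"\xfe\xff"):
        raise ValueError("byte-order mark present; AD expects bare UTF-16LE")
    if blob[:2] == b'\x00"':
        raise ValueError("byte order is big-endian; AD expects UTF-16LE")
    text = blob.decode("utf-16-le")
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        raise ValueError("value must be wrapped in double quotes")
    return text[1:-1]


def java_unicode_charset_bytes(password):
    """Constructed stand-in for Java's getBytes("Unicode"): a FE FF mark followed by
    big-endian code units. Dropping the first two bytes, as the post does, leaves UTF-16BE."""
    return b"\xfe\xff" + ('"%s"' % password).encode("utf-16-be")


def check_add_attributes(attrs, encrypted):
    """Return the problems AD would refuse in an 'add' built from attrs.
    attrs maps attribute name -> str, bytes, or list of str. encrypted says whether the
    connection is LDAPS or signed/sealed LDAP, which AD requires before it accepts unicodePwd."""
    problems = []
    for name, value in attrs.items():
        for v in (value if isinstance(value, list) else [value]):
            if len(v) == 0:
                problems.append("%s: zero-length value is rejected by AD" % name)
            elif name in NUMERIC_ATTRS and not str(v).isdigit():
                problems.append("%s: must be a decimal integer" % name)
    if "unicodePwd" in attrs:
        if not encrypted:
            problems.append("unicodePwd: requires an encrypted (LDAPS or signed/sealed) connection")
        try:
            decode_unicode_pwd(attrs["unicodePwd"])
        except (ValueError, UnicodeDecodeError) as exc:
            problems.append("unicodePwd: %s" % exc)
    return problems


# Constructed to mirror the posted add: same object classes, the empty sn, and the
# password bytes the posted BOM-stripping code produces.
POSTED_LIKE = {
    "objectClass": ["top", "person", "organizationalPerson", "user"],
    "cn": "test1",
    "sn": "",
    "sAMAccountName": "test1",
    "userAccountControl": "66048",   # NORMAL_ACCOUNT (512) + DONT_EXPIRE_PASSWORD (65536)
    "instanceType": "4",
    "unicodePwd": java_unicode_charset_bytes("password")[2:],
}

# The same set with both defects corrected.
FIXED = dict(POSTED_LIKE, sn="Test", unicodePwd=encode_unicode_pwd("password"))

if __name__ == "__main__":
    for problem in check_add_attributes(POSTED_LIKE, encrypted=True):
        print(problem)
    print("fixed:", check_add_attributes(FIXED, encrypted=True))
```

The Java equivalent of `encode_unicode_pwd` is `("\"" + password + "\"").getBytes("UTF-16LE")` with no bytes removed. The poster's environment already uses SSL on port 636, which is the `encrypted=True` case; over plain LDAP the server refuses the unicodePwd value outright.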

    Hi,
    I have run into the same problem. Can anyone help me?
    Can someone help me create attributes in AD using LDAP?
    package LDAPpack;
    import javax.naming.*;
    import javax.naming.directory.*;
    import javax.naming.ldap.InitialLdapContext;
    import javax.naming.ldap.LdapContext;
    import java.util.Hashtable;
    class CreateAttrs {
        public static void main(String[] args) {
            Hashtable env = new Hashtable();
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, "ldap://10.242.6.166:389/");
            env.put(Context.SECURITY_AUTHENTICATION, "simple");
            env.put(Context.SECURITY_PRINCIPAL, "CN=cname,OU=Users,OU=Dealer,OU=Community,DC=test2,DC=org");
            env.put(Context.SECURITY_CREDENTIALS, "password-1");
            LdapContext ctx = null;
            try {
                //ctx = new InitialLdapContext(env,null);
                try {
                    ctx = new InitialLdapContext(env, null);
                } catch (NamingException e) {
                    System.out.println("Login failed");
                    System.exit(0);
                }
                if (ctx != null) {
                    System.out.println("Login Successful");
                    byte[] buf = new byte[] {0, 1, 2, 3, 4, 5, 6, 7}; // same data
                    // Create a multivalued attribute with 4 String values
                    BasicAttribute oc = new BasicAttribute("objectClassNew", "topNew");
                    oc.add("personNew");
                    oc.add("organizationalPersonNew");
                    // Create an attribute with a byte array
                    BasicAttribute photo = new BasicAttribute("jpegPhotoNew", buf);
                    // Create attribute set
                    BasicAttributes attrs = new BasicAttributes(true);
                    attrs.put(oc);
                    attrs.put(photo);
                    Attributes attrs1 = ctx.getAttributes("CN=cname,OU=Users,OU=Dealer,OU=Community,DC=test2,DC=org");
                    System.out.println(attrs1);
                    Context result = ctx.createSubcontext("CN=cname,OU=Users,OU=Dealer,OU=Community,DC=test2,DC=org", attrs);
                    //i got error here; i attach the error below.
                    ctx.close();
                    System.out.println("close");
                }
            } catch (NamingException e) {
                e.printStackTrace();
            }
        }
    }
    ERROR:
    Login Successful
    javax.naming.directory.NoSuchAttributeException: [LDAP: error code 16 - 00000057: LdapErr: DSID-0C090B38, comment: Error in attribute conversion operation, data 0, vece
    Can anyone help me, please?
    Edited by: vencer on Jun 19, 2008 12:38 AM

  • Adding Custom Attributes in Active Directory

    Hi,
    I have a requirement to get a few user properties from Active Directory into the user profile; for example, I need the following properties:
    user image
    user birthday
    user employee number
    These properties are not available in Active Directory, so how can I add them to Active Directory, and secondly, how can I insert the user's image into the Active Directory property for the image?

    There are two ways here.
    First:
    You can ask your AD administrator to create an attribute for you so that you can use it.
    Second:
    You can use the thumbnailPhoto attribute for images.
    You can use Employee ID for the employee number.
    You can use roomNumber for the birthday. A birthday attribute is not present in AD, so we would have to use some other attribute that matches. So I would personally request you to create a new attribute inside AD for the same. For this, please follow
    this URL.
    Thank You, Pallav S. Srivastav ----- If this helped you resolve your issue, please mark it Answered.

  • Error when extending Active Directory schema

    Hi there,
    I am trying to extend my active directory schema in order to store my managed preferences in AD.
    I am following this white paper : http://images.apple.com/business/solutions/it/docs/Modifyingthe_Active_DirectorySchema.pdf
    When I try to apply the changes on my test domain controller (running W2k3 R2 SP2), I get the following error :
    Entry DN: cn=apple-mount,cn=Schema,cn=Configuration,DC=TOTO,DC=CHIPS
    Add error on line 674: No Such Attribute
    The server side error is "The parameter is incorrect."
    An error has occurred in the program
    The corresponding section in the ldf file is :
    # Class: mount
    dn: cn=apple-mount,cn=Schema,cn=Configuration,dc=X
    changetype: ntdsschemaadd
    objectClass: classSchema
    governsID: 1.3.6.1.4.1.63.1000.1.1.2.8
    ldapDisplayName: mount
    objectClassCategory: 1
    # subclassOf: top
    subclassOf: 2.5.6.0
    # rdnAttId: cn
    rdnAttId: 2.5.4.3
    # mayContain: apple-mountDirectory
    mayContain: 1.3.6.1.4.1.63.1000.1.1.1.8.1
    # mayContain: apple-mountDumpFrequency
    mayContain: 1.3.6.1.4.1.63.1000.1.1.1.8.4
    # mayContain: apple-mountOption
    mayContain: 1.3.6.1.4.1.63.1000.1.1.1.8.3
    # mayContain: apple-mountPassNo
    mayContain: 1.3.6.1.4.1.63.1000.1.1.1.8.5
    # mayContain: apple-mountType
    mayContain: 1.3.6.1.4.1.63.1000.1.1.1.8.2
    possSuperiors: 2.5.6.5
    possSuperiors: container
    The attributes specified in "mayContain" appear to be correctly created (see log below):
    31: cn=apple-mountDirectory,cn=Schema,cn=Configuration,DC=TOTO,DC=CHIPS
    Entry DN: cn=apple-mountDirectory,cn=Schema,cn=Configuration,DC=TOTO,DC=CHIPS
    Entry modified successfully.
    32: cn=apple-mountDumpFrequency,cn=Schema,cn=Configuration,DC=TOTO,DC=CHIPS
    Entry DN: cn=apple-mountDumpFrequency,cn=Schema,cn=Configuration,DC=TOTO,DC=CHIPS
    Entry modified successfully.
    33: cn=apple-mountOption,cn=Schema,cn=Configuration,DC=TOTO,DC=CHIPS
    Entry DN: cn=apple-mountOption,cn=Schema,cn=Configuration,DC=TOTO,DC=CHIPS
    Entry modified successfully.
    34: cn=apple-mountPassNo,cn=Schema,cn=Configuration,DC=TOTO,DC=CHIPS
    Entry DN: cn=apple-mountPassNo,cn=Schema,cn=Configuration,DC=TOTO,DC=CHIPS
    Entry modified successfully.
    35: cn=apple-mountType,cn=Schema,cn=Configuration,DC=TOTO,DC=CHIPS
    Entry DN: cn=apple-mountType,cn=Schema,cn=Configuration,DC=TOTO,DC=CHIPS
    Entry modified successfully.
    Has anyone encountered the same issue? Any idea?
    Thanks in advance,
    Florent

    Which is line #674? Looking over your listing, the only thing that stands out to me is that I think possSuperiors takes object class names, not IDs (i.e. "possSuperiors: 2.5.6.5" should be "possSuperiors: organizationalUnit"). Also, if you copy and paste sections from the PDF, you're likely to get leading and trailing spaces on the pasted lines, which all need to be removed for it to function properly. The trailing spaces are especially nasty, since they're invisible in most text editors.
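The two things the reply points at, pasted whitespace and values that the server cannot resolve, can both be checked before the file is handed to ldifde. In LDIF a line that starts with a single space is a continuation of the previous line, a trailing space becomes part of the value, and a whitespace-only line is not a record separator, so all three are invisible in an editor but change what the server receives. The following is an added example, not from the thread or from Apple's white paper: a small LDIF linter that reports those whitespace problems with the same line numbering ldifde uses ("Add error on line N"), and flags any subclassOf, possSuperiors, mayContain or similar reference that is neither defined earlier in the file nor in an assumed set of base-schema names. It does not decide whether possSuperiors accepts OIDs; an OID it cannot resolve is reported for verification against the target schema. The sample input is the class stanza from the question with two constructed copy-paste defects.

```python
"""Lint an AD schema LDIF for pasted whitespace and unresolved references (added example)."""
import re

# Schema attributes whose values refer to other schema objects, by lDAPDisplayName or OID.
REFERENCING = {"subclassof", "posssuperiors", "systemposssuperiors", "maycontain",
               "mustcontain", "auxiliaryclass", "rdnattid"}
# Attributes whose values define a name or OID that later stanzas may refer to.
DEFINING = {"ldapdisplayname", "attributeid", "governsid"}

# Assumption for this example: base-schema names (plus the two OIDs the stanza's own
# comments resolve) taken as present in the target forest. Extend it to match your
# schema; anything not here must be defined earlier in the same file.
ASSUMED_BASE = {"top", "2.5.6.0", "cn", "2.5.4.3", "container", "organizationalUnit",
                "person", "user"}

_DN_CN = re.compile(r"^cn=([^,]+),", re.IGNORECASE)


def lint_ldif(text, known=ASSUMED_BASE):
    """Return [(line_no, message)] with line numbers matching ldifde's."""
    issues = []
    defined = set(known)
    for n, raw in enumerate(text.split("\n"), 1):
        if raw and not raw.strip():
            issues.append((n, "whitespace-only line is not a blank record separator"))
            continue
        if raw != raw.rstrip():
            issues.append((n, "trailing whitespace becomes part of the value"))
        if raw.startswith(" "):
            issues.append((n, "leading space: LDIF folds this line onto the previous one"))
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key = key.strip()
        value = value.lstrip(":<").strip()   # tolerate base64 (::) and URL (:<) value forms
        if key.lower() == "dn":
            m = _DN_CN.match(value)
            if m:
                defined.add(m.group(1))       # the object's cn, e.g. apple-mount
        elif key.lower() in DEFINING:
            defined.add(value)
        elif key.lower() in REFERENCING and value not in defined:
            issues.append((n, "%s: %r is neither defined earlier in this file nor in the "
                              "assumed base set; verify it exists in the target schema"
                           % (key, value)))
    return issues


# Constructed sample: the class stanza from the question, shortened, with the kind of
# copy-paste damage the reply describes (a trailing space on line 7, an indented line 8).
SAMPLE = "\n".join([
    "# Class: mount",
    "dn: cn=apple-mount,cn=Schema,cn=Configuration,dc=X",
    "changetype: ntdsschemaadd",
    "objectClass: classSchema",
    "governsID: 1.3.6.1.4.1.63.1000.1.1.2.8",
    "ldapDisplayName: mount",
    "objectClassCategory: 1 ",
    " subclassOf: 2.5.6.0",
    "rdnAttId: cn",
    "mayContain: 1.3.6.1.4.1.63.1000.1.1.1.8.1",
    "possSuperiors: 2.5.6.5",
    "possSuperiors: container",
    "",
])

if __name__ == "__main__":
    for line_no, message in lint_ldif(SAMPLE):
        print("line %d: %s" % (line_no, message))
```

Run over the complete .ldf rather than a snippet: the attribute stanzas that precede the class define the lDAPDisplayName and attributeID values, so a mayContain reference only stays flagged when the file really does not define it (or defines it later, after the class that uses it).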

  • How to add new Attribute in exits Entity at RunTime

    Hi,
    I have tried to add a new attribute to my entity object at run time using the following code:
    EntityDefImpl lnewEntity = EntityDefImpl.findDefObject("model.entity.Applicant");
    aNewEntity.addAttribute("FirstName", "FIRST_NAME", String.class, false,
    false, false);
    but it gives me a NullPointerException:
    Caused by: java.lang.NullPointerException
         at oracle.jbo.server.EntityDefImpl.getSuperAttrDef(EntityDefImpl.java:4709)
         at oracle.jbo.server.EntityDefImpl.addAttributeOfKind(EntityDefImpl.java:4774)
         at oracle.jbo.server.EntityDefImpl.addAttribute(EntityDefImpl.java:4764)
         at dk.decorateWithAttributes(UC1315ServiceImpl.java:1120)
         at dk.ServiceImpl.setNewQuestionsRowSet(UC1315ServiceImpl.java:858)
         at dk.bean.HelperBean.setQuestionsFrameLayout(UC1315HelperBean.java:314)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:597)
         ... 57 more
    <RegistrationConfigurator> <handleError> ADF_FACES-60096:Serverundtagelse under PPR, nr. 1
    javax.el.ELException: java.lang.NullPointerException
         at com.sun.el.parser.AstValue.invoke(Unknown Source)
         at com.sun.el.MethodExpressionImpl.invoke(Unknown Source)
         at oracle.adf.controller.internal.util.ELInterfaceImpl.invokeMethod(ELInterfaceImpl.java:168)
         at oracle.adfinternal.controller.activity.MethodCallActivityLogic.execute(MethodCallActivityLogic.java:160)
         at oracle.adfinternal.controller.engine.ControlFlowEngine.executeActivity(ControlFlowEngine.java:989)
         at oracle.adfinternal.controller.engine.ControlFlowEngine.doRouting(ControlFlowEngine.java:878)
         at oracle.adfinternal.controller.engine.ControlFlowEngine.doRouting(ControlFlowEngine.java:777)
         at oracle.adfinternal.controller.engine.ControlFlowEngine.routeFromActivity(ControlFlowEngine.java:551)
         at oracle.adfinternal.controller.engine.ControlFlowEngine.performControlFlow(ControlFlowEngine.java:147)
         at oracle.adfinternal.controller.application.NavigationHandlerImpl.handleAdfcNavigation(NavigationHandlerImpl.java:109)
         at oracle.adfinternal.controller.application.NavigationHandlerImpl.handleNavigation(NavigationHandlerImpl.java:78)
         at org.apache.myfaces.trinidadinternal.application.NavigationHandlerImpl.handleNavigation(NavigationHandlerImpl.java:43)
         at com.sun.faces.application.ActionListenerImpl.processAction(ActionListenerImpl.java:130)
         at org.apache.myfaces.trinidad.component.UIXCommand.broadcast(UIXCommand.java:190)
         at oracle.adf.view.rich.component.fragment.UIXRegion.broadcast(UIXRegion.java:148)
         at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl.broadcastEvents(LifecycleImpl.java:879)
         at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl._executePhase(LifecycleImpl.java:312)
         at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:185)
         at javax.faces.webapp.FacesServlet.service(FacesServlet.java:265)
         at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
         at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
         at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:300)
         at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26)
         at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
         at oracle.adf.model.servlet.ADFBindingFilter.doFilter(ADFBindingFilter.java:205)
         at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
         at oracle.adfinternal.view.faces.webapp.rich.RegistrationFilter.doFilter(RegistrationFilter.java:106)
         at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl$FilterListChain.doFilter(TrinidadFilterImpl.java:446)
         at oracle.adfinternal.view.faces.activedata.AdsFilter.doFilter(AdsFilter.java:60)
         at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl$FilterListChain.doFilter(TrinidadFilterImpl.java:446)
         at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl._doFilterImpl(TrinidadFilterImpl.java:271)
         at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl.doFilter(TrinidadFilterImpl.java:177)
         at org.apache.myfaces.trinidad.webapp.TrinidadFilter.doFilter(TrinidadFilter.java:92)
         at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
         at oracle.adf.library.webapp.LibraryFilter.doFilter(LibraryFilter.java:175)
         at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
         at oracle.security.jps.ee.http.JpsAbsFilter$1.run(JpsAbsFilter.java:111)
         at java.security.AccessController.doPrivileged(Native Method)
         at oracle.security.jps.util.JpsSubject.doAsPrivileged(JpsSubject.java:313)
         at oracle.security.jps.ee.util.JpsPlatformUtil.runJaasMode(JpsPlatformUtil.java:413)
         at oracle.security.jps.ee.http.JpsAbsFilter.runJaasMode(JpsAbsFilter.java:94)
         at oracle.security.jps.ee.http.JpsAbsFilter.doFilter(JpsAbsFilter.java:161)
         at oracle.security.jps.ee.http.JpsFilter.doFilter(JpsFilter.java:71)
         at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
         at oracle.dms.servlet.DMSServletFilter.doFilter(DMSServletFilter.java:136)
         at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
         at weblogic.servlet.internal.RequestEventsFilter.doFilter(RequestEventsFilter.java:27)
         at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
         at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3715)
         at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3681)
         at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
         at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
         at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2277)
         at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2183)
         at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1454)
         at weblogic.work.ExecuteThread.execute(ExecuteThread.java:207)
         at weblogic.work.ExecuteThread.run(ExecuteThread.java:176)
    Thanks,
    Ashwani

    Can you provide the correct code snippet?
    The provided code snippet:
    EntityDefImpl lnewEntity = EntityDefImpl.findDefObject("model.entity.Applicant");
    aNewEntity.addAttribute("FirstName", "FIRST_NAME", String.class, false, false, false);
    The variable references are different: lnewEntity / aNewEntity.
    Can you do a null check when you add the attribute?
    if (aNewEntity != null) {
        aNewEntity.addAttribute("FirstName", "FIRST_NAME", String.class, false, false, false);
    }
    Thanks,
    Navaneeth

  • Sccm 2012 extent the active directory schema error

    Hello
    I am experiencing an issue when attempting to extend my AD schema for SCCM 2012:
    <12-10-2014 20:04:33> Modifying Active Directory Schema - with SMS extensions.
    <12-10-2014 20:04:33> DS Root:CN=Schema,CN=Configuration,DC=,DC=com
    <12-10-2014 20:04:33> Failed to create attribute cn=MS-SMS-Site-Code.  Error code = 8224.
    <12-10-2014 20:04:33> Failed to create attribute cn=mS-SMS-Assignment-Site-Code.  Error code = 8224.
    <12-10-2014 20:04:33> Failed to create attribute cn=MS-SMS-Site-Boundaries.  Error code = 8224.
    <12-10-2014 20:04:33> Failed to create attribute cn=MS-SMS-Roaming-Boundaries.  Error code = 8224.
    <12-10-2014 20:04:33> Failed to create attribute cn=MS-SMS-Default-MP.  Error code = 8224.
    <12-10-2014 20:04:33> Failed to create attribute cn=mS-SMS-Device-Management-Point.  Error code = 8224.
    <12-10-2014 20:04:33> Failed to create attribute cn=MS-SMS-MP-Name.  Error code = 8224.
    <12-10-2014 20:04:33> Failed to create attribute cn=MS-SMS-MP-Address.  Error code = 8224.
    <12-10-2014 20:04:33> Failed to create attribute cn=mS-SMS-Health-State.  Error code = 8224.
    <12-10-2014 20:04:33> Failed to create attribute cn=mS-SMS-Source-Forest.  Error code = 8224.
    <12-10-2014 20:04:33> Failed to create attribute cn=MS-SMS-Ranged-IP-Low.  Error code = 8224.
    <12-10-2014 20:04:33> Failed to create attribute cn=MS-SMS-Ranged-IP-High.  Error code = 8224.
    <12-10-2014 20:04:33> Failed to create attribute cn=mS-SMS-Version.  Error code = 8224.
    <12-10-2014 20:04:33> Failed to create attribute cn=mS-SMS-Capabilities.  Error code = 8224.
    <12-10-2014 20:04:33> Failed to create class cn=MS-SMS-Management-Point.  Error code = 8202.
    <12-10-2014 20:04:33> Failed to create class cn=MS-SMS-Server-Locator-Point.  Error code = 8202.
    <12-10-2014 20:04:33> Failed to create class cn=MS-SMS-Site.  Error code = 8202.
    <12-10-2014 20:04:33> Failed to create class cn=MS-SMS-Roaming-Boundary-Range.  Error code = 8202.
    <12-10-2014 20:04:33> Failed to extend the Active Directory schema, please find details in "C:\ExtADSch.log".
    Can anyone help me fix this issue?

    Hi,
    It is most likely due to a replication issue in your AD; check the previous thread on the topic: https://social.technet.microsoft.com/Forums/systemcenter/en-US/1d377109-4fa9-4608-8a3a-cefd436e82ee/error-8224-when-extending-active-directory-schema
    Make sure that all replication issues are solved and try again.
    Regards,
    Jörgen
    -- My System Center blog ccmexec.com -- Twitter
    @ccmexec

  • Active Directory Schema Extension for Directory Synchronization - ADFS 3.0, Office 365

    Hi Team,
    We are in a situation with extending the schema for one customer so that these additional Exchange attributes may be utilized. They have a single data center where the Primary Domain Controller resides and multiple remote sites, each of which has Additional Domain Controllers installed.
    As recommended by Microsoft, I am going to extend the Active Directory Schema with Exchange Setup so that I can leverage targetaddress attribute from Local AD to set primary email address when directory synchronization happens.
    My Query: Do I have to extend the AD Schema with Exchange from each of these ADC's? Or the changes I make on any of them will replicate over the others also?
    Note: The customer will be using ADFS 3.0 'Single Sign On' with Office 365 and does NOT have any On-Premise Exchange deployment.

    My Query: Do I have to extend the AD Schema with Exchange from each of these ADC's? Or the changes I make on any of them will replicate over the others also?
    Schema extension is done against the Schema Master. Once done, it gets replicated to the other DCs within the AD forest.
    For more details about Schema Extension by Exchange, you can refer to that: http://www.resdevops.com/2013/02/13/extend-ad-schema-to-allow-greater-office-365-management/
    This posting is provided AS IS with no warranties or guarantees , and confers no rights.
    Ahmed MALEK
    My Website Link
    My Linkedin Profile
    My MVP Profile

  • Create a new group in Active Directory ?

    Hello,
    I'd like to create a new group in Active Directory. Can somebody show me a sample code please ?
    Thanks.

    Someone should show you how to perform a search. There's a sample in this forum.
    http://forums.sun.com/thread.jspa?threadID=623860

  • Questions about Extending Active Directory Schema

    We have about 24 Macs at the moment in the environment and we are starting to look at Extending the Active Directory Schema.  I have been doing a lot of reading over the past few weeks and I think that I am more confused the more I research it.  The Windows Servers here are running Server 2008_R2.  So here are my questions:
    1. If we extend the schema does that mean that we do not need an OS X Server?
    2. Is this really the easiest option to go with?
    3. We are looking to be able to apply GPOs to the Macs through Active Directory so will this accomplish it?
    4. Will this also allow Group Policy Preferences to map printers to the Macs automatically too?
    5. Is this the least expensive option?
    6. What is the best way to convince the Windows Administrators that this is how we should proceed?
    Thanks
    Pads

    Hi
    1. Yes. However OSX Server offers far more than MCX or Mac-Style GPOs. NetBoot, SUS, Wiki are some you should be looking at IMO.
    2. Again IMO not really. It takes a lot of work and you really don't want to be doing this on a 'live' server. Set up a lab environment first, thoroughly test it and then go with it when you're happy. The other possible 'gotcha' is you will have no way of knowing if Microsoft decide to change/amend or extend their own proprietary schema in a Revision update sometime in the future. If that does happen then you may be looking at doing it all over again?
    3. Yes, but you will still need WorkGroup Manager installed on a mac client. The documentation is clear about what to do once the Schema has been extended.
    4. Not done this myself but I would think so.
    5. Yes, but is it the 'best' option? Not in my opinion.
    6. Offer them the 'easier' but more expensive alternatives (some of them very expensive) and see which way they jump.
    HTH?
    Tony

  • Unable to add objectclass:nismap to active directory

    I'm trying to move some autofs maps from Linux to Active Directory but am having some problems:
    using this ldif file;
    dn: nisMapName=auto.dal,ou=automount,ou=nfs,ou=generic-test,dc=test,dc=com
    objectClass: top
    objectClass: nisMap
    nisMapName: auto.dal
    dn: cn=/home,nisMapName=auto.dal,ou=automount,ou=nfs,ou=generic-test,dc=test,dc=com
    nisMapName: auto.dal
    objectClass: nisObject
    nisMapEntry: ldap:vm1:nismapname=auto.home,ou=autofs,dc=test,dc =com
    cn: /home
    I get an error when using ldapadd:
    test01 /test/LDAP# ldapadd -h adserver01 -p 50006  -D "CN=autofs_admin,OU=Users,Ou=generic-test,DC=test,DC=com" -w xxxxxx -f example_2.ldif
    adding new entry "nisMapName=auto.dal,ou=automount,ou=nfs,ou=generic-test,dc=test,dc=com"
    ldap_add: Naming violation (64)
            additional info: 00002073: NameErr: DSID-03050C0D, problem 2005 (NAMING_VIOLATION), data 0, best match of:
            'nisMapName=auto.dal,ou=automount,ou=nfs,ou=generic-test,dc=test,dc=com'
    Error 0x2073 An attempt was made to add an object using an RDN that is not the RDN defined in the schema.
    Not sure why it doesn't like the nisMapName=auto.dal bit.
    Does anyone see why, or can anyone suggest where to look?
    Thanks

    Hi,
    >>Error 0x2073 An attempt was made to add an object using an RDN that is not the RDN defined in the schema.
    Based on the error description, the RDN attribute of the object doesn't match the RDN attribute defined in the AD schema.
    Regarding the RDN attribute in the AD schema, the following article can be referred to for more information:
    RDN attribute
    https://msdn.microsoft.com/en-us/library/ms678697(v=vs.85).aspx
    In addition, since this involves a third-party product, it's recommended that you also contact the vendor's support for suggestions.
    Best regards,
    Frank Shen 
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]
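
    The check behind that answer, as an added example that is not part of the post or the reply: a small Python pre-flight that parses an LDIF file, looks up the naming attribute (rDNAttID) of each entry's most-derived objectClass, reports the entries a DC would refuse with 0x2073 NAMING_VIOLATION, and rewrites the offending DNs (and their children's parent paths) to the schema's RDN attribute. The rDNAttID table is an assumption about the forest's schema (the RFC 2307 classes in the Windows Server 2003 R2 / IdMU schema are declared with cn, not nisMapName, but verify with an ldapsearch against cn=schema,cn=configuration before relying on it); the sample LDIF is the one from the post, reused as constructed input.

```python
"""Pre-flight check for an LDIF import into Active Directory: does each entry's RDN
use the attribute the schema names in rDNAttID for the entry's class? AD rejects any
other naming attribute with LDAP error 64 / 0x2073 NAMING_VIOLATION. Added example,
stdlib only, runs offline against the LDIF text below."""
import re
from typing import Dict, List, Optional, Tuple

Entry = Dict[str, List[str]]

# ASSUMED rDNAttID values, keyed by lower-cased lDAPDisplayName. The RFC 2307 classes
# shipped with the Windows Server 2003 R2 / IdMU schema are declared with cn as their
# RDN, whereas the RFC 2307 convention names map entries nisMapName=... . Confirm with:
#   ldapsearch -b cn=schema,cn=configuration,dc=test,dc=com "(lDAPDisplayName=nisMap)" rDNAttID
RDN_ATT_ID: Dict[str, str] = {
    "organizationalunit": "ou",
    "domaindns": "dc",
    "user": "cn",
    "nismap": "cn",
    "nisobject": "cn",
}

# The LDIF from the post, reused as constructed sample input.
SAMPLE_LDIF = """\
dn: nisMapName=auto.dal,ou=automount,ou=nfs,ou=generic-test,dc=test,dc=com
objectClass: top
objectClass: nisMap
nisMapName: auto.dal

dn: cn=/home,nisMapName=auto.dal,ou=automount,ou=nfs,ou=generic-test,dc=test,dc=com
nisMapName: auto.dal
objectClass: nisObject
nisMapEntry: ldap:vm1:nismapname=auto.home,ou=autofs,dc=test,dc=com
cn: /home
"""


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF parser: blank-line separated entries, 'attr: value' lines, folded
    continuation lines starting with one space. Attribute names are lower-cased
    (LDAP treats them case-insensitively); base64 ('::') values are kept verbatim."""
    entries: List[Entry] = []
    current: Entry = {}
    last_attr: Optional[str] = None
    for raw in text.splitlines():
        if raw.startswith(" ") and last_attr:
            current[last_attr][-1] += raw[1:]          # folded continuation
            continue
        if not raw.strip():
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        if raw.startswith("#"):
            continue
        attr, _, value = raw.partition(":")
        attr = attr.strip().lower()
        current.setdefault(attr, []).append(value.lstrip(":").strip())
        last_attr = attr
    if current:
        entries.append(current)
    return entries


def split_dn(dn: str) -> List[str]:
    """Split a DN into its RDN strings on unescaped commas."""
    return [p.strip() for p in re.split(r"(?<!\\),", dn)]


def rdn_attribute(dn: str) -> str:
    """Attribute type of the leftmost RDN, e.g. 'nismapname' for 'nisMapName=auto.dal,...'."""
    return split_dn(dn)[0].split("=", 1)[0].strip().lower()


def expected_rdn(entry: Entry) -> Optional[str]:
    """rDNAttID of the most-derived objectClass in the table (LDIF lists top first)."""
    for cls in reversed(entry.get("objectclass", [])):
        if cls.lower() in RDN_ATT_ID:
            return RDN_ATT_ID[cls.lower()]
    return None


def check_ldif(text: str) -> List[Tuple[str, str, str]]:
    """(dn, actual RDN attribute, attribute the schema wants) for every entry AD would reject."""
    problems = []
    for e in parse_ldif(text):
        dn, exp = e["dn"][0], expected_rdn(e)
        if exp and rdn_attribute(dn) != exp:
            problems.append((dn, rdn_attribute(dn), exp))
    return problems


def fix_entries(entries: List[Entry]) -> List[Entry]:
    """Rename offending DNs to the schema's RDN attribute, propagate each rename to the
    children below it, and keep the RDN value as an attribute value too (AD requires
    the naming attribute to be present on the object); the original attribute stays."""
    renames: Dict[str, str] = {}           # original DN (lower-cased) -> corrected DN
    for e in entries:
        original = e["dn"][0]
        dn = original
        for old, new in sorted(renames.items(), key=lambda kv: -len(kv[0])):
            if dn.lower().endswith("," + old):   # parent was renamed: rewrite our suffix
                dn = dn[: -len(old)] + new
                break
        exp = expected_rdn(e)
        parts = split_dn(dn)
        attr, _, value = parts[0].partition("=")
        if exp and attr.strip().lower() != exp:
            parts[0] = f"{exp}={value}"
            dn = ",".join(parts)
            if value not in e.setdefault(exp, []):
                e[exp].append(value)
        renames[original.lower()] = dn
        e["dn"] = [dn]
    return entries


def to_ldif(entries: List[Entry]) -> str:
    """Serialize entries back to LDIF, dn first, ready for ldapadd -f."""
    blocks = []
    for e in entries:
        lines = [f"dn: {e['dn'][0]}"]
        lines += [f"{a}: {v}" for a, vals in e.items() if a != "dn" for v in vals]
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks) + "\n"


if __name__ == "__main__":
    for dn, got, want in check_ldif(SAMPLE_LDIF):
        print(f"would fail with 0x2073: {dn}\n  RDN attribute is {got}, schema wants {want}")
    print(to_ldif(fix_entries(parse_ldif(SAMPLE_LDIF))))
```

    Run it and the first entry is flagged (nisMapName as RDN, schema wants cn) while the child passes its own check but is moved under the corrected parent, so the rewritten file names the map cn=auto.dal and keeps nisMapName: auto.dal as an ordinary attribute, which is what autofs clients querying by nisMapName still need.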

  • Change (or add) a password to Active Directory with Java and JNDI

    I've created a new account in LDAP with attributes; that's OK. But I can't initialize the password; I've tried some samples without result.
    Maybe it's an SSL problem (I don't know why, I read it somewhere).
    My code:
    import java.io.UnsupportedEncodingException;
    import java.util.Hashtable;
    import javax.naming.Context;
    import javax.naming.NameAlreadyBoundException;
    import javax.naming.NameNotFoundException;
    import javax.naming.NamingException;
    import javax.naming.directory.BasicAttribute;
    import javax.naming.directory.BasicAttributes;
    import javax.naming.directory.DirContext;
    import javax.naming.directory.InitialDirContext;
    import javax.naming.directory.ModificationItem;

    public class addUser {
        // unicodePwd holds the password wrapped in double quotes, UTF-16LE, no byte-order mark.
        private static final String PASSWORD_ENCODING = "UTF-16LE";
        private static final String UNICODE_PASSWORD = "unicodePwd";
        private static final String USER_DN = "cn=FBXX,cn=users,DC=gedeon,DC=fr";

        private Hashtable<String, String> env;
        private DirContext ctx;

        public addUser() {}

        private void _initialize() {
            // AD refuses to read or write unicodePwd on an unencrypted connection and answers
            // WILL_NOT_PERFORM (error 53 / 0x2077), which is the failure shown below. The
            // modify must go over ldaps:// (port 636, the DC needs a server certificate) or a
            // SASL bind with signing and sealing; a plain simple bind on 389 is not enough.
            String jndiURL = "ldap://DOMAINSRV:389/";
            String initialContextFactory = "com.sun.jndi.ldap.LdapCtxFactory";
            String authenticationMode = "simple";
            String contextReferral = "ignore";
            String principal = "[email protected]";
            String credentials = "oce";
            env = new Hashtable<String, String>();
            env.put(Context.INITIAL_CONTEXT_FACTORY, initialContextFactory);
            env.put(Context.PROVIDER_URL, jndiURL);
            env.put(Context.SECURITY_AUTHENTICATION, authenticationMode);
            env.put(Context.SECURITY_PRINCIPAL, principal);
            env.put(Context.SECURITY_CREDENTIALS, credentials);
            env.put(Context.REFERRAL, contextReferral);
        }

        public boolean createUser() {
            try {
                ctx = new InitialDirContext(env);
                try {
                    ctx.destroySubcontext(USER_DN);   // drop a leftover from an earlier run
                } catch (NameNotFoundException notThere) {
                    // nothing to clean up
                }
                BasicAttributes attrs = new BasicAttributes();
                BasicAttribute ocs = new BasicAttribute("objectclass");
                ocs.add("user");
                attrs.put(ocs);
                attrs.put(new BasicAttribute("sAMAccountName", "FBXX"));
                attrs.put(new BasicAttribute("name", "FRANCOIS BERTOUX"));
                attrs.put(new BasicAttribute("sn", "BERT"));
                attrs.put(new BasicAttribute("userPrincipalName", "[email protected]"));
                // 512 = NORMAL_ACCOUNT, enabled. A domain whose policy requires a non-empty
                // password refuses an enabled account created without one; the usual sequence
                // is create disabled (514), set unicodePwd, then set userAccountControl to 512.
                attrs.put(new BasicAttribute("userAccountControl", "512"));
                attrs.put(new BasicAttribute("displayName", "FRA BERT"));
                attrs.put(new BasicAttribute("givenName", "FRA"));
                attrs.put(new BasicAttribute("description", "CECI EST MON TEST"));
                attrs.put(new BasicAttribute("codePage", "0"));
                attrs.put(new BasicAttribute("countryCode", "0"));
                attrs.put(new BasicAttribute("instanceType", "4"));
                ctx.createSubcontext(USER_DN, attrs);
                // Initial password: an administrative reset, i.e. one REPLACE with the new
                // value. The delete-old/add-new form in changePassword() is the self-service
                // change and needs the current password, which a freshly created account lacks.
                setPassword(USER_DN, "FBX");
                ctx.close();
            } catch (NameAlreadyBoundException nex) {
                System.out.println("User ID is already in use, please select a different user ID ...");
                return false;
            } catch (Exception ex) {
                System.out.println("Failed to create user account... Please verify the user information...");
                ex.printStackTrace();
                return false;
            }
            return true;
        }

        /** Administrative reset: replaces unicodePwd; no old password is required. */
        public final void setPassword(String argDN, String argNewPassword) throws NamingException {
            ModificationItem[] mods = new ModificationItem[1];
            try {
                mods[0] = new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
                        new BasicAttribute(UNICODE_PASSWORD, encodePassword(argNewPassword)));
            } catch (UnsupportedEncodingException e1) {
                throw new RuntimeException(e1.toString());
            }
            ctx.modifyAttributes(argDN, mods);
        }

        /** Self-service change: delete the old value and add the new one in a single modify. */
        public final void changePassword(String argRDN, String argOldPassword, String argNewPassword)
                throws NamingException {
            ModificationItem modificationItem[] = new ModificationItem[2];
            try {
                modificationItem[0] = new ModificationItem(DirContext.REMOVE_ATTRIBUTE,
                        new BasicAttribute(UNICODE_PASSWORD, encodePassword(argOldPassword)));
                modificationItem[1] = new ModificationItem(DirContext.ADD_ATTRIBUTE,
                        new BasicAttribute(UNICODE_PASSWORD, encodePassword(argNewPassword)));
            } catch (UnsupportedEncodingException e1) {
                System.out.println("changePassword(String argOldPassword, String argNewPassword)"
                        + "Passwordchange failed: " + e1.toString());
                throw new RuntimeException(e1.toString());
            }
            try {
                ctx.modifyAttributes(argRDN, modificationItem);
            } catch (NamingException e1) {
                System.out.println("changePassword(String argOldPassword, String argNewPassword)"
                        + "Passwordchange failed : " + e1.toString());
                throw e1;
            }
        }

        private byte[] encodePassword(String pass) throws UnsupportedEncodingException {
            // Java's "Unicode" charset is an alias of UTF-16: a byte-order mark followed by
            // big-endian data, so chopping two bytes off it still leaves big-endian bytes,
            // which AD rejects. Encode the quoted password as UTF-16LE directly; no marker
            // is emitted and nothing has to be stripped.
            String pwd = "\"" + pass + "\"";
            return pwd.getBytes(PASSWORD_ENCODING);
        }

        public static void main(String[] args) {
            addUser testUser = new addUser();
            testUser._initialize();
            testUser.createUser();
        }
    }
    And the result is :
    changePassword(String argOldPassword, String argNewPassword)Passwordchange failed : javax.naming.OperationNotSupportedException: [LDAP: erro
    r code 53 - 00002077: SvcErr: DSID-03190ADF, problem 5003 (WILL_NOT_PERFORM), data 0
    ]; remaining name 'cn=FBXX,cn=users,DC=gedeon,DC=fr'
    Failed to create user account... Please verify the user information...
    javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 00002077: SvcErr: DSID-03190ADF, problem 5003 (WILL_NOT_PERFORM), data 0
    ]; remaining name 'cn=FBXX,cn=users,DC=gedeon,DC=fr'
    at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:2804)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2677)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2483)
    at com.sun.jndi.ldap.LdapCtx.c_modifyAttributes(LdapCtx.java:1285)
    at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_modifyAttributes(ComponentDirContext.java:253)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:170)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:159)
    at javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:144)
    at addUser.changePassword(addUser.java:129)
    at addUser.createUser(addUser.java:92)
    at addUser.main(addUser.java:167)
    And with "userPassword" no error but no change.
    Please, help.
    Thanks

    Hello!
    I have a new variant of the set password problem, and as I did not get any further with a big running application I wrote a small standalone program to connect to an Active Directory server, and, hm, it works! I can log in with an account which has administrator privileges, I can set passwords, works fine, unless, and now it gets a little bit curious, unless I change the VM.
    Everything works fine with a JDK 1.5.0_07, but if I switch over to the fine new 1.6.0_16, the login still works but the change of a password leads to a not so fine javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 0000001F: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0.
    As I use the same cacerts file, I do not really understand what is failing here, anyone who has an idea?
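
    What a unicodePwd write has to look like, and the two checks worth running before blaming the JDK: an added example in Python, not code from either poster. It builds the value AD expects (the password in double quotes, UTF-16LE, no byte-order mark), models the bytes the first post's encodePassword() produces from Java's "Unicode" charset (an alias of UTF-16, i.e. a BOM followed by big-endian data; that modelling is an assumption stated in the code), flags a clear-text ldap:// URL as the transport the DC answers with WILL_NOT_PERFORM, and emits the two LDIF modify forms (administrative reset with REPLACE, self-service change with DELETE + ADD) that ldapmodify can apply over ldaps://. The DN and URL are the ones from the first post, reused as constructed input; no directory is contacted.

```python
"""Why an Active Directory password write is refused, checked offline.

Two things must both hold for a unicodePwd modify to succeed:
  1. the value is '"' + password + '"' encoded as UTF-16LE with no byte-order mark;
  2. the transport is encrypted: ldaps:// (636, the DC needs a server certificate),
     StartTLS on 389, or a SASL bind with signing and sealing. On a clear-text simple
     bind the DC returns WILL_NOT_PERFORM (LDAP 53, 0x2077), the exception in the post.
Added example, stdlib only."""
import base64
from typing import List


def encode_unicode_pwd(password: str) -> bytes:
    """Quoted password as UTF-16LE. Python's 'utf-16-le' codec never writes a BOM."""
    return f'"{password}"'.encode("utf-16-le")


def java_unicode_charset(text: str) -> bytes:
    """Model (assumption) of Java's "Unicode" charset, an alias of UTF-16: BOM FE FF
    followed by big-endian code units. The post's encodePassword() strips the first two
    bytes of this, which still leaves big-endian data that AD does not accept."""
    return b"\xfe\xff" + text.encode("utf-16-be")


def check_unicode_pwd(value: bytes) -> List[str]:
    """Reasons AD would reject this unicodePwd value; an empty list means well-formed."""
    problems = []
    if len(value) % 2:
        problems.append("odd number of bytes, not UTF-16")
    if value[:2] in (b"\xff\xfe", b"\xfe\xff"):
        problems.append("byte-order mark present")
    text = value.decode("utf-16-le", errors="replace")
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        problems.append("does not decode as a double-quoted UTF-16LE string (big-endian or unquoted?)")
    return problems


def check_transport(url: str) -> List[str]:
    """Flag a provider URL that is clear text as written. StartTLS on ldap:// and SASL
    sign/seal would also do, but they are negotiated after connecting and are not
    visible in the URL, so anything but ldaps:// is reported."""
    scheme = url.split("://", 1)[0].lower()
    if scheme == "ldaps":
        return []
    return [f"{url}: {scheme}:// is clear text unless StartTLS or SASL sign/seal is negotiated; "
            "AD answers unicodePwd writes on it with WILL_NOT_PERFORM (0x2077)"]


def _b64(value: bytes) -> str:
    return base64.b64encode(value).decode("ascii")


def reset_password_ldif(dn: str, new_password: str) -> str:
    """Administrative reset: one REPLACE with the new value, no old password needed.
    Apply with: ldapmodify -H ldaps://DOMAINSRV:636/ -D <admin> -W -f reset.ldif"""
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "replace: unicodePwd",
        f"unicodePwd:: {_b64(encode_unicode_pwd(new_password))}",
        "-",
        "",
    ])


def change_password_ldif(dn: str, old_password: str, new_password: str) -> str:
    """Self-service change: DELETE the old value and ADD the new one in a single modify,
    which is what the post's changePassword() does. AD verifies the old value and
    applies the password policy to the new one; it fails on an account that has no
    current password, so it is the wrong form for initializing a new user."""
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "delete: unicodePwd",
        f"unicodePwd:: {_b64(encode_unicode_pwd(old_password))}",
        "-",
        "add: unicodePwd",
        f"unicodePwd:: {_b64(encode_unicode_pwd(new_password))}",
        "-",
        "",
    ])


# Values from the post, reused as constructed sample input.
USER_DN = "cn=FBXX,cn=users,DC=gedeon,DC=fr"
POSTED_URL = "ldap://DOMAINSRV:389/"
POSTED_BYTES = java_unicode_charset('"FBX"')[2:]   # what the post's encodePassword() yields

if __name__ == "__main__":
    print("post's value    :", POSTED_BYTES.hex(), check_unicode_pwd(POSTED_BYTES))
    print("post's transport:", check_transport(POSTED_URL))
    good = encode_unicode_pwd("FBX")
    print("correct value   :", good.hex(), check_unicode_pwd(good))
    print(reset_password_ldif(USER_DN, "FBX"))
```

    Both checks fail for the first post's setup: the bytes are big-endian after the BOM is cut off, and the URL is a clear-text simple bind on 389. Fixing only the encoding still leaves WILL_NOT_PERFORM until the modify goes over ldaps:// or a sealed SASL bind; the follow-up's JDK switch with the same cacerts does not change either condition, so the value and the transport are the first two things to verify there as well.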

  • Active Directory schema extensions

    Hi
    We are in the process of implementing SAP LDAP sync to manage users from MS Active Directory. SAP requires the schema extension generated by the RSLDAPSCHEMAEXT program to be applied to Active Directory so that report RSLDAPSYNC_USER can identify SAP users in MS AD.
    The MS AD team says that any non-Microsoft schema extensions are not supported, as OIDs of the schema might conflict with other applications / patches.
    Are the MS AD schema extensions generated by the SAP program RSLDAPSCHEMAEXT supported / certified by Microsoft?
    Harsh

    Hi Harsh,
    I would like to point you also to SAP Note 888848 - Notes on schema enhancement with RSLDAPSCHEMAEXT.
    It especially states that:
    ..."The text document generated by RSLDAPSCHEMAEXT was supplied and validate as part of a certification process by the directory vendor."...
    that means in this case by Microsoft.
    If you decide not to use the schema extension that has been supplied by Microsoft you can use attributes that are already existing in your Active Directory as Juergen already pointed out.
    As an example Microsoft Exchange Server creates several additional attributes such as extensionattribute1, ... , extensionattribute15 as part of the installation process. These attributes might be an option for you if you do not want to use the schema extension suggested by RSLDAPSCHEMAEXT.
    Please bear in mind that the filter attribute you use to determine the SAP username should be indexed, since this reduces the synchronization time.
    Best Regards,
    André

  • Active directory schema error

    Dear all,
    We have an issue regarding the Active Directory user registry. Our application wants to retrieve the user registry from Active Directory,
    so after we type the domain name, username and password for the domain admin, the app adds a schema to the AD; usually we get the response from the Active Directory server directly.
    Below is the log from the configuration                                 
    < 3/17/2013 - 8:26:43 PM                                                
    <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
    <<<<<<<<                                                                
    3/17/2013-8:27:03 PM: Configuring Access Manager Policy Server....      
    C:\PROGRA~2\Tivoli\POLICY~1\sbin\ivmgrd_setup.exe -y no -m "********" - 
    r 7135 -l 1460 -t 7200 -D no -f no                                      
    OpenConfFile: "C:\PROGRA~2\Tivoli\POLICY~1\etc\pd.conf"                 
    getentry: C:\PROGRA~2\Tivoli\POLICY~1\etc\pd.conf pdrte user-reg-type   
    CloseConfFile: C:\PROGRA~2\Tivoli\POLICY~1\etc\pd.conf                  
    OpenConfFile: "C:\PROGRA~2\Tivoli\POLICY~1\etc\activedir.conf"          
    getentry: C:\PROGRA~2\Tivoli\POLICY~1\etc\activedir.conf uraf-registry  
    hostname                                                                
    getentry: C:\PROGRA~2\Tivoli\POLICY~1\etc\activedir.conf uraf-registry  
    useEncryption                                                           
    getentry: C:\PROGRA~2\Tivoli\POLICY~1\etc\activedir.conf uraf-registry  
    domain                                                                  
    getentry: C:\PROGRA~2\Tivoli\POLICY~1\etc\activedir.conf uraf-registry  
    dnforpd                                                                 
    getentry: C:\PROGRA~2\Tivoli\POLICY~1\etc\activedir.conf uraf-registry  
    Multi-domain                                                            
    getentry: C:\PROGRA~2\Tivoli\POLICY~1\etc\activedir.conf uraf-registry  
    bind-id                                                                 
    getentry: C:\PROGRA~2\Tivoli\POLICY~1\etc\activedir.conf uraf-registry  
    bind-pwd                                                                
    CloseConfFile: C:\PROGRA~2\Tivoli\POLICY~1\etc\activedir.conf           
    OpenConfFile: "C:\PROGRA~2\Tivoli\POLICY~1\etc\pd.conf"                 
    getentry: C:\PROGRA~2\Tivoli\POLICY~1\etc\pd.conf pdrte user-reg-type   
    CloseConfFile: C:\PROGRA~2\Tivoli\POLICY~1\etc\pd.conf                  
    OpenConfFile: "C:\PROGRA~2\Tivoli\POLICY~1\etc\pd.conf"                 
    getentry: C:\PROGRA~2\Tivoli\POLICY~1\etc\pd.conf pdrte user-reg-type   
    CloseConfFile: C:\PROGRA~2\Tivoli\POLICY~1\etc\pd.conf                  
    C:\PROGRA~2\Tivoli\POLICY~1\sbin\mgrsslcfg.exe -config -f no -t 7200 -l 
    1460 -D no                                                              
    Creating the SSL certificate. This might take several minutes.          
    The SSL configuration of the Tivoli Access Manager policy server        
    has completed successfully.                                             
    The policy server's signed SSL certificate is base-64 encoded and       
    saved in text file "C:\PROGRA~2\Tivoli\POLICY~1\keytab\pdcacert.b64."   
    This file is required by the configuration program on each machine      
    in your secure domain.                                                  
    C:\PROGRA~2\Tivoli\POLICY~1\sbin\bassslcfg.exe -config -f no -c "C:     
    \PROGRA~2\Tivoli\POLICY~1\keytab\pdcacert.b64" -p 7135 -h TAMEB1        
    The SSL configuration of Access Control Runtime has completed           
    successfully.                                                           
    Tivoli Access Manager policy server domain name: Default                
    Tivoli Access Manager policy server host name: TAMEB1                   
    Tivoli Access Manager policy server listening port: 7135                
    2013-03-17-20:27:13.770-07:00I----- 0x16B48064 PID#2848 ERROR rgy ad E: 
    \build\am611\src\uraf\ad\schema\adschema_update.cpp 550 0x00000ad0      
    HPDRG0100E The operation in the Active Directory registry for           
    adschema_update.exe: ADSCHEMA_CHECK_SCHEMA_RIGHTS failed with return    
    error 8000500d.                                                         
    adschema_update: result 1, retcode -2147463155                          
    HPDBG0938E Configuration failed.                                        
    3/17/2013-8:29:13 PM: HPDBG0938E Configuration failed.                  
    >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
    >>>>>>>>                                                                
    > 3/17/2013 - 8:29:15 PM                                                
    >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
    >>>>>>>>                                         
    Please your advice,
    Thanks,
    Best Regards,
    Achmad

    Hi, your log states:
    adschema_update.exe: ADSCHEMA_CHECK_SCHEMA_RIGHTS failed
    with return
    error 8000500d.
    The error code is documented in this KB.
    In short, I think the running user does not have the required privileges to edit the AD schema. You need to be a member of 'Schema Admins' in the forest root domain to edit the AD schema.
    MCP/MCSA/MCTS/MCITP

  • Active directory Schema - Multiple password policies

    Hi All,
    I am new to AD and would need some suggestion to configure AD. I want to set up AD(2008 R2) for three categories of users: individual, dealers and organisations. Each dealer and each organisation will have further sub-categories based
    on their location. I want to set up separate password policies for the above three categories using AD. I wanted to create them as separate OUs. So I would have multiple OUs for each dealer per location (e.g. individual, dealer1loc1, dealer1loc2,
    dealer2loc3 and so on)
    I know the concept of PSO(Password Settings Object) and that it can only be applied to OU using shadow groups and batch file (to copy users from OU to Shadow Groups). The issue is that the OUs would keep getting added as per requirement (would
    be  creating new OUs using C#) and then the management of PSO or shadow groups or batch file would be very complicated, not sure if it can be automated.
    Also, I have budget constraints on adding new servers for each domain and separate password policies.
    What could be the possible solution to separate password policies and set up this user structure in Active Directory. I am using W2k8 R2.
    Thanks.

    Thanks Mahdi. In this case, the OUs would get created at run time, so the script needs to get updated at run time as well. I guess this will not be easy to automate.
    Also, can you confirm if I can set up separate password policies by creating sub-domains (e.g. example.com will be divided into sales.example.com and admin.example.com, and this would further be divided as melbourne.sales.example.com and sydney.sales.example.com)
    and I can set separate password policies for sales.example.com and admin.example.com?

    By adding child domains, it is like you are killing a mosquito with a rocket launcher, if you know what I mean. Adding child domains increases the cost and administration and also adds complexity to your environment.
    From a technical perspective it is OK to have child domains, but if I were you I would not add that much complexity to my environment because of a script. I would spend enough time or get help from a skilled script writer to edit the script. Also I am saying
    that editing your script into a fully automated script is not impossible, it just needs enough time and skills.
    Mahdi Tehrani | www.mahditehrani.ir
    This posting is provided AS-IS with no warranties, and confers no rights.

  • Bulk Uploading of New Users without Active Directory Sync. Possible?

    Hello,
    WithOUT Active Directory synchronization, is it possible to do a bulk upload of 100+ users onto Project Server 2013 (Online)?  If so, how?
    In addition, can these new users be setup to default with “User can be assigned as a resource"? 
    Thanks in advance,
    \Spiro Theopoulos PMP, MCITP. Montreal, QC (Canada)

    Hi,
    it is possible, but not completely.
    If you select at least one resource in Resource Center and click "Open", this resource is opened for editing in client. At this place, you can add your new resources with all fields (and Default Booking Type), e.g. with copy/paste from some other
    source. They are added as resources. However, editing column "User Logon Account" is disabled, so you can't add this information in client. You need to do this afterwards from Resource Center for each single resource.
    And yes - I agree: this is very inconvenient!
    Regards
    Barbara
    To increase the value of this forum, please mark the replies that helped to solve your issue as answer. If you find answers to questions from other forum participants to be helpful, please mark them as helpful. Your participation will help others to find
    an appropriate solution faster. Thanks for your support!
