Add OU(Organizational Unit)  to active directory plugin

Similar Messages

• Add a mac to an active directory group using a script?

  I am managing a bunch of Macs and we are using Active Directory groups to assign certificates for 802.11x. I am binding the device to AD using JAMF software and was wondering if I could use a script to then add the deive to an active directory group.
  Thanks in advance...

  I think I misunderstood your question.  If you are trying to add the computer record to a location other than the Computers container, then just change your binding script to target the folder you want.  Remember that the user account you are using to bind must have access rights to this folder.
  For example, the sample command from the man page shows you how.  Say you have a subfolder inside Computers called Macs.  You would do this in your binding script.  Note the notation of an organizational unit within the Computers container.
  dsconfigad -a ThisComputer -u "administrator"
  - ou "CN=Computers,OU=Macs,DC=ads,DC=demo,DC=com" -domain domain.ads.apple.com
  Is that what you are looking to do?

• Active Directory plugin not correctly creating users home directories

  Is there a trick to getting the Active Directory plugin in 10.4.7 to correctly create home directories for AD users? It is creating them with the root owning everything in it, and this is unacceptable.
  Our setup: We have a Active Directory network (Windows Server 2003 SP1 as DCs), and are trying to integrate some of our Mac clients to user AD single-sign logins. We are not using OS X Server at all.
  We do not user any sort of network home directories, as our users always use the same computers.
  We just want a user to have a local home directory created when they log on for the first time. Unfortunately, the directories are being created with the wrong permissions.
  One thing that may be the problem: the UID that are assigned to the AD users on the Mac clients are very high (> 60000000000). There is an error in the log that a UID that high cannot be added to the lastlog db, so that may be another symptom of the problem.
  Is there a way to fix this wihout changing anything on the domain?

  Is there a trick to getting the Active Directory plugin in 10.4.7 to correctly create home directories for AD users? It is creating them with the root owning everything in it, and this is unacceptable.
  Our setup: We have a Active Directory network (Windows Server 2003 SP1 as DCs), and are trying to integrate some of our Mac clients to user AD single-sign logins. We are not using OS X Server at all.
  We do not user any sort of network home directories, as our users always use the same computers.
  We just want a user to have a local home directory created when they log on for the first time. Unfortunately, the directories are being created with the wrong permissions.
  One thing that may be the problem: the UID that are assigned to the AD users on the Mac clients are very high (> 60000000000). There is an error in the log that a UID that high cannot be added to the lastlog db, so that may be another symptom of the problem.
  Is there a way to fix this wihout changing anything on the domain?

• Active Directory plugin: Preferred credentials not recognized

  I have installed the Active Directory Plugin 2.0.2.1.0 in my Grid Control (10) and I am getting the following error:
  Version 2.0.2.1.0
  Description Microsoft Active Directory monitoring including reports
  Deployment Requirements: Requires network access and credentials of the host where Microsoft 'Active Directory' is installed and running
  I set the preferred credentials for the agent. They are a user/password for someone that has "installation" and "admistration" privileges on the Active Directory server.
  Is there a specific format the userid and password should be entered? (i.e. cn=xxxx)

  If entering username only is having an error, enter the username as DOMAIN_NAME\username. Where domain_name is the domain of the AD host

• How to add a new schema in active directory by jndi?

  I can add new objectclass schema and new attribute into eDirectory from JNDI. But I failed doing the same to active directory. I search all topic in this forums and seems like there is no such answer. So for active directory, the only way to add new schema is by using MS MMC + AD schema snap-in?

  You can update the schema via LDAP. Any tool that uses LDAP, such as Active Directory Services Interface (ADSI), Java/JNDI, LDAP Data Interchange Format (LDIF) can be used. You are not restricted to the Active Directory Schema Management snap-in.
  I strongly recomend that you read the following article http://windowssdk.msdn.microsoft.com/en-us/library/ms677995.aspx as schema extensions are not to be undertaken lightly.
  Also, if you are extending the schema, DO NOT use other organization's schema OID's. Imagine how directories would become inoperable because you defined hat size as an integer value with an OID of 1.2.3 and someone else defined Social Security Number as a string with an OID of 1.2.3 ! You can obtain your own OID branch from either Microsoft (http://msdn.microsoft.com/certification/ad-registration.asp) or from a standards organization such as ANSI.
  I'm kind of hoping that seeing as though you have mentioned that you have extended the schema for e-Directory, that you understand LDAP schemas and that you have your own valid OID. Do not use my shoe size OID !
  The following snippet illustrates how to extend the schema using JNDI.....
  String attrName = "cn=ms-ShoeSize,cn=Schema,cn=Configuration,dc=antipodes,dc=com";
  LdapContext ctx = new InitialLdapContext(env,null);
  Attributes attr = new BasicAttributes(true);
  attr.put("cn","ms-ShoeSize");
  attr.put("objectClass","attributeSchema");
  attr.put("ldapDisplayName","msShoeSize");
  attr.put("isSingleValued","TRUE");
  attr.put("attributeID","1.2.840.113556.1.4.7000.141");
  attr.put("attributeSyntax","2.5.5.9");
  Context newattr = ctx.createSubcontext(attrName,attr);Having created a new attribute, you could then either add it to an existing class, or create another abstract class, add it to the new abstract class, and add the the new abstract class as an auxilliary class to an existing structural class. For example create a new auxilliary class called "clothes Sizes", add the attribute "Shoe Size" as a mayContain attribute, and then add "Clothes Sizes" as an auxilliary class to inetOrgPerson.
  Note that you need to wait for the schema cache to refresh, before adding attribute or class definitions to one another, and before instantianting new objects with the new classes & attribute definitions. You can either wait for teh schema cache to refresh itself, or you can force a refresh by writing the value of 1, to the attribute "schemaUpdateNow" on the RootDSE.
  As I mentioned at the start of this response, I personally prefer to use LDIF, simply because it enables end-users/customers to review the schema extensions and understand their potential impact before applying them. A sample that accomplishes the above would look something like:dn: CN=ms-ShoeSize,CN=Schema,CN=Configuration,DC=Antipodes,dc=com
  changetype: add
  objectClass: attributeSchema
  cn: ms-ShoeSize
  ldapDisplayName: msShoeSize
  attributeID: 1.2.840.113556.1.4.7000.141
  attributeSyntax: 2.5.5.9
  isSingleValued: TRUE
  dn:
  changetype: modify
  replace: schemaupdatenow
  schemaupdatenow: 1
  dn: CN=inetOrgPerson,CN=Schema,CN=Configuration,DC=Antipodes,dc=com
  changetype: modify
  add: mayContain
  mayContain: mSShoeSize
  dn:
  changetype: modify
  replace: schemaupdatenow
  schemaupdatenow: 1
  -

• Organizational Unit in DC directory

  If you are maintaining the Organizational Unit (OU) information in DC directory, does this information replicate over with CCM database? If so, does it map to "department" field in CCM or any other field? CCM version in this case is 4.1.3.

  getUser (as well as addUser/updateUser) actually accesses the DC directory.
  Direct ldap access is also possible though. There's just one consideration when choosing the technology: with CCM 5.0 and above there's no DC directory anymore so (although then you can send a sql request via AXL which is more efficient than getting users via AXL though).
  So I guess unless you need seamless upgrade (only changing the URL and http to https) when upgrading CCMs, you're better off using ldap.
  Keep in mind though, you will need a link between phones and users to make this work.. or if you use extension mobility, you need to look up the user device profiles associated with each user then look up the lines on those profiles (using an sql query via axl.. this translates almost 1:1 to versions 5.0+) to get the line numbers.

• Add User wiht CFLDAP to Active Directory

  Hi,
  I have read all the topics that "Internet" have about this
  issue.
  I would like to know if it is necessary to complete all
  Mandatory attributes that I have in my AD Schema to add a user onto
  AD.
  I have this Mandatory Attributes:
  Name Type System Description Source Class
  cn Mandatory Yes Common-Name mailRecipient
  cn Mandatory No Common-Name fw1person
  cn Mandatory Yes Common-Name person
  instanceType Mandatory Yes Instance-Type top
  nTSecurityDescriptor Mandatory Yes NT-Security-Descriptor top
  objectCategory Mandatory Yes Object-Category top
  objectClass Mandatory Yes Object-Class top
  objectSid Mandatory Yes Object-Sid securityPrincipal
  sAMAccountName Mandatory Yes SAM-Account-Name
  securityPrincipal
  I don't know how can I complete all these attributes.
  Could someone help me?
  Thanks in advance.
  Dario

  Hello,
  please see the following articles about adding the employee ID:
  http://adisfun.blogspot.com/2009/05/add-employee-id-field-aduc.html
  http://pberblog.com/post/2009/06/21/Add-extra-columns-to-Active-Directory-Users-and-Computers-display.aspx
  http://msexchangegeek.com/2010/05/06/how-to-add-employee-numbers-in-aduc-and-exchange-gal/
  Moreover
  there is been a thread been discussed over at the forum before also please have a look in to this also
  http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/85f5cf1f-387b-48e2-b392-bc0042719ea0/
  Hope it helps you.

• Active Directory Plugin for Crystal Reports Server XI

  Post Author: pkhot
  CA Forum: Deployment
  Hello,
  I Installed Crystal Reports Server XI on a test W2K3 R2 machine. When I try to logon using the Business View Manager or the Administrator LaunchPad, selecting the Active Directory Authentication I get an error saying secWinAd plugin is not available. How do i fix this?
  Is there a plugin available and if yes where can i download it from?
  Any help will be greatly appreciated.
  thanks

  Did you lon on to the console and go to authentication-> windows ad and enter in your domain info ?

• Active directory plugin

  hallo, i am trying to connect my os x server to 2000 server active directory through ad plug in but it does'nt work it always tells me unknow error!!!!
  i also tried trought LDAPv3 i made a new connection i put the IP adresse and continue he knew that is an active directory and he shows me the name of the active directory but i cant continue!!
  anybody has an idea to help me????
  Message was edited by: x-x-x

  Hi
  To bind to Active Directory you don’t use the LDAPv3 plug-in in Directory Access, you only use the AD plug-in. Would the Realm be based around .local DNS? If it is then that is more than likely the root of the problem.
  You could try this: Make sure the OSX Server has a fixed IP address then create a DNS entry on the Forward lookup zone for the OSX Server using the DNS snap in tool on the AD Server, make sure after you do this you create a reverse pointer. Thoroughly test DNS using nslookup and host/dig commands. Add the AD Server's IP address in the DNS Server's field in the Network Preferences Pane on the OSX Server. If DNS Services are based around .local then add .local in the Search Domains field. Delete the Directory/Service folder from /Library/Preferences and restart the OSX Server. Now try to bind again. When configuring the Active Directory plug-in the only thing you have to key in is the Active Directory Domain name (ideally this should resemble an FQDN), the Computer ID should be filled in with an administrator name that has authorative control over the Active Directory.
  Tony

• Organization chart with Active directory AD in Sharepoint 2013

  Dear All, 
  I need to create organizational chart with sharepoint 2013 through the Active directory. Is there any opensource webpart for 2013 please confirm me 
  Regards 
  RB

  Any one know about it? 
  RB

• How to determine the organizational unit using activity category  ????????

  Hello All
  We are working on CRM 7.0 , we need to have the organizational determination based on the activity category , I have put the activity category in the attribute list then I created a determination rule type responsibility and it is working fine in the simulation but after I assigned the determination rule to the transaction type the organizational unity could not be determined. I tried the BADI CRM_ORGMAN_BADI but it was not help.
  Any clues regarding this issue ?
  Regards
  Jacopo

  No answers

• Delegate permissions in Active Directory

  Hello All,
  I have a temporary technician that comes once in a while to do work for us.I want to delegate the following permissions to do the day to day support tasks:-
  1)Reset Users password
  2)Unlock the User Accounts
  3)join computers into our domain and remove the computers
  from our domain
  All our User are kept under a "OU=Staff" and All our Computer accounts are kept under "OU=Computers" 
  I don't want to give any other unnecessary permissions to this
  technician on other OU's, My Domain Controller is windows 2008.
  Can you please help me how to do this task.
  Regards,

  You see the Wiki I started here for the permissions delegation in AD: http://social.technet.microsoft.com/wiki/contents/articles/20292.delegation-of-administration-in-active-directory.aspx
  To delegate unlocking user accounts: http://windowsitpro.com/security/q-how-can-i-delegate-right-unlock-locked-active-directory-ad-user-accounts
  To delegate the reset of users password: http://community.spiceworks.com/how_to/1464-how-to-delegate-password-reset-permissions-for-your-it-staff
  To delegate joining computers to a domain: https://robiulislam.wordpress.com/2012/02/07/delegate-non-admin-account-to-add-workstations-to-domain/
  To delegate removing computers from a domain: http://sigkillit.com/2013/06/12/delegate-adddelete-computer-objects-in-ad/
  In case you would like also delegating moving AD objects then here you go: http://social.technet.microsoft.com/wiki/contents/articles/20747.delegate-moving-user-group-and-computer-accounts-between-organizational-units-in-active-directory.aspx
  This posting is provided AS IS with no warranties or guarantees , and confers no rights.
  Ahmed MALEK
  My Website Link
  My Linkedin Profile
  My MVP Profile

• Best way to implement active directory in multiple locations

  Hi,
  Currently we don't have an active directory domain and looking in to configuring a test setup for it.
  We have 6 countries and in some countries we have 2 to 3 sites. There is a constant VPN connection between all the locations.
  Our users are travelling between the sites. IT is managed from a central location and have one IT responsible on each site which also have to create / modify users. 
  Should we go for one domain with a domain controller in each site? Or should we go for a parent DC at central location with child DC (sub domains) at the other sites?
  What are the pro's and cons of each scenario?
  Kr,
  Joeri

  Hi jfeyen,
  I think you have some misunderstanding about OU and site in AD.
  OU is the purpose container that can be used to group most other object classes together for administrative purposes. An organizational unit in Active Directory is analogous to a directory in the file system; it is a container that can hold other objects.
  And it represent the logical structure of your organization as domain.
  Sites in Active Directory represent the physical structure, or topology, of your network. Active Directory uses topology information, stored as site and site link objects in the directory, to build the most efficient replication topology. A site is a set
  of well-connected subnets. Sites differ from domains.
  For your information, please refer to the following articles:
  Organizational Units
  http://technet.microsoft.com/en-us/library/cc978003.aspx
  Sites overview
  http://technet.microsoft.com/en-us/library/cc782048(v=ws.10).aspx
  So if a user or a computer connected to the domain, he will be located in the OU which is configured. And this will not change except the configuration changes.
  As for the question If we use site & services our workstations will automatically find the right DC?, please refer to the following article:
  Finding a Domain Controller in the Closest Site
  http://technet.microsoft.com/en-us/library/cc978016.aspx
  Regards,
  Lany Zhang

• [Forum FAQ] Using PowerShell to assign permissions on Active Directory objects

  As we all know, the
  ActiveDirectoryAccessRule class is used to represent an access control entry (ACE) in the discretionary access control list (DACL) of an Active Directory Domain Services object.
  To set the permissions on Active Directory objects, the relevant classes and their enumerations are listed as below:
  System.DirectoryServices.ActiveDirectoryAccessRule class:
  http://msdn.microsoft.com/en-us/library/system.directoryservices.activedirectoryaccessrule(v=vs.110).aspx
  System.DirectoryServices.ActiveDirectoryRights
  class:
  http://msdn.microsoft.com/en-us/library/system.directoryservices.activedirectoryrights(v=vs.110).aspx
  System.Security.AccessControl.AccessControlType class:
  http://msdn.microsoft.com/en-us/library/w4ds5h86(v=vs.110).aspx
  System.DirectoryServices.ActiveDirectorySecurityInheritance class:
  http://msdn.microsoft.com/en-us/library/system.directoryservices.activedirectorysecurityinheritance(v=vs.110).aspx
  In this article, we introduce three ways to get and set the ACE on an Active Directory object. In general,
  we use Active Directory Service Interfaces (ADSI) or
  Active Directory module cmdlets
  with the Get-Acl and Set-Acl cmdlets to assign simple permissions on Active Directory objects. In addition, we can use the extended rights and GUID settings to execute
  more complex permission settings.
  Method 1: Using ADSI
    1. Get current permissions of an organization unit (OU)
  We can use the PowerShell script below to get current permissions of an organization unit and you just need to define the name of the OU.
  $Name = "OU=xxx,DC=com"
  $ADObject = [ADSI]"LDAP://$Name"
  $aclObject = $ADObject.psbase.ObjectSecurity
  $aclList = $aclObject.GetAccessRules($true,$true,[System.Security.Principal.SecurityIdentifier])
  $output=@()
  foreach($acl in $aclList)
  $objSID = New-Object System.Security.Principal.SecurityIdentifier($acl.IdentityReference)
       $info = @{
  'ActiveDirectoryRights' = $acl.ActiveDirectoryRights;
  'InheritanceType' = $acl.InheritanceType;
  'ObjectType' = $acl.ObjectType;
  'InheritedObjectType' = $acl.InheritedObjectType;
  'ObjectFlags' = $acl.ObjectFlags;
  'AccessControlType' = $acl.AccessControlType;
  'IdentityReference' = $acl.IdentityReference;
  'NTAccount' = $objSID.Translate( [System.Security.Principal.NTAccount] );
  'IsInherited' = $acl.IsInherited;
  'InheritanceFlags' = $acl.InheritanceFlags;
  'PropagationFlags' = $acl.PropagationFlags;
  $obj = New-Object -TypeName PSObject -Property $info
  $output+=$obj}
  $output
  In the figure below, you can see the results of running the script above:
  Figure 1．
  2. Assign a computer object with Full Control permission on an OU
  We can use the script below to delegate Full Control permission to the computer objects within an OU:
  $SysManObj = [ADSI]("LDAP://OU=test….,DC=com") #get the OU object
  $computer = get-adcomputer "COMPUTERNAME" #get the computer object which will be assigned with Full Control permission within an OU
  $sid = [System.Security.Principal.SecurityIdentifier] $computer.SID
  $identity = [System.Security.Principal.IdentityReference] $SID
  $adRights = [System.DirectoryServices.ActiveDirectoryRights] "GenericAll"
  $type = [System.Security.AccessControl.AccessControlType] "Allow"
  $inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "All"
  $ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $identity,$adRights,$type,$inheritanceType #set permission
  $SysManObj.psbase.ObjectSecurity.AddAccessRule($ACE)
  $SysManObj.psbase.commitchanges()
  After running the script above, you can check the computer object in Active Directory Users and Computers (ADUC) and it is under the Security tab in OU Properties.
  Method 2: Using Active Directory module with the Get-Acl and Set-Acl cmdlets
  You can use the script below to get and assign Full Control permission to a computer object on an OU:
  $acl = get-acl "ad:OU=xxx,DC=com"
  $acl.access #to get access right of the OU
  $computer = get-adcomputer "COMPUTERNAME"
  $sid = [System.Security.Principal.SecurityIdentifier] $computer.SID
  # Create a new access control entry to allow access to the OU
  $identity = [System.Security.Principal.IdentityReference] $SID
  $adRights = [System.DirectoryServices.ActiveDirectoryRights] "GenericAll"
  $type = [System.Security.AccessControl.AccessControlType] "Allow"
  $inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "All"
  $ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $identity,$adRights,$type,$inheritanceType
  # Add the ACE to the ACL, then set the ACL to save the changes
  $acl.AddAccessRule($ace)
  Set-acl -aclobject $acl "ad:OU=xxx,DC=com"
  Method 3: Using GUID setting
  The scripts above can only help us to complete simple tasks, however, we may want to execute more complex permission settings. In this scenario, we can use GUID settings to achieve
  that.
  The specific ACEs allow an administrator to delegate Active Directory specific rights (i.e. extended rights) or read/write access to a property set (i.e. a named collection of attributes) by
  setting ObjectType field in an object specific ACE to the
  rightsGuid of the extended right or property set. The delegation can also be created to target child objects of a specific class by setting the
  InheritedObjectType field to the schemaIDGuid of the class.
  We choose to use this pattern: ActiveDirectoryAccessRule(IdentityReference, ActiveDirectoryRights, AccessControlType, Guid, ActiveDirectorySecurityInheritance, Guid)
  You can use the script below to
  assign the group object with the permission to change user password on all user objects within an OU.
  $acl = get-acl "ad:OU=xxx,DC=com"
  $group = Get-ADgroup xxx
  $sid = new-object System.Security.Principal.SecurityIdentifier $group.SID
  # The following object specific ACE is to grant Group permission to change user password on all user objects under OU
  $objectguid = new-object Guid 
  00299570-246d-11d0-a768-00aa006e0529 # is the rightsGuid for the extended right User-Force-Change-Password (“Reset Password”) 
  class
  $inheritedobjectguid = new-object Guid 
  bf967aba-0de6-11d0-a285-00aa003049e2 # is the schemaIDGuid for the user
  $identity = [System.Security.Principal.IdentityReference] $SID
  $adRights = [System.DirectoryServices.ActiveDirectoryRights] "ExtendedRight"
  $type = [System.Security.AccessControl.AccessControlType]
  "Allow"
  $inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "Descendents"
  $ace = new-object System.DirectoryServices.ActiveDirectoryAccessRule $identity,$adRights,$type,$objectGuid,$inheritanceType,$inheritedobjectguid
  $acl.AddAccessRule($ace)
  Set-acl -aclobject $acl "ad:OU=xxx,DC=com"
  The figure below shows the result of running the script above:
  Figure 2．
  In addition, if you want to assign other permissions, you can change the GUID values in the script above. The common GUID values are listed as below:
  $guidChangePassword     
  = new-object Guid ab721a53-1e2f-11d0-9819-00aa0040529b
  $guidLockoutTime        
  = new-object Guid 28630ebf-41d5-11d1-a9c1-0000f80367c1
  $guidPwdLastSet         
  = new-object Guid bf967a0a-0de6-11d0-a285-00aa003049e2
  $guidComputerObject     
  = new-object Guid bf967a86-0de6-11d0-a285-00aa003049e2
  $guidUserObject         
  = new-object Guid bf967aba-0de6-11d0-a285-00aa003049e2
  $guidLinkGroupPolicy    
  = new-object Guid f30e3bbe-9ff0-11d1-b603-0000f80367c1
  $guidGroupPolicyOptions 
  = new-object Guid f30e3bbf-9ff0-11d1-b603-0000f80367c1
  $guidResetPassword      
  = new-object Guid 00299570-246d-11d0-a768-00aa006e0529
  $guidGroupObject        
  = new-object Guid BF967A9C-0DE6-11D0-A285-00AA003049E2                                          
  $guidContactObject      
  = new-object Guid 5CB41ED0-0E4C-11D0-A286-00AA003049E2
  $guidOUObject           
  = new-object Guid BF967AA5-0DE6-11D0-A285-00AA003049E2
  $guidPrinterObject      
  = new-object Guid BF967AA8-0DE6-11D0-A285-00AA003049E2
  $guidWriteMembers   
      = new-object Guid bf9679c0-0de6-11d0-a285-00aa003049e2
  $guidNull               
  = new-object Guid 00000000-0000-0000-0000-000000000000
  $guidPublicInformation  
  = new-object Guid e48d0154-bcf8-11d1-8702-00c04fb96050
  $guidGeneralInformation 
  = new-object Guid 59ba2f42-79a2-11d0-9020-00c04fc2d3cf
  $guidPersonalInformation = new-object Guid 77B5B886-944A-11d1-AEBD-0000F80367C1
  $guidGroupMembership    
  = new-object Guid bc0ac240-79a9-11d0-9020-00c04fc2d4cf
  More information:
  Add Object Specific ACEs using Active Directory Powershell
  http://blogs.msdn.com/b/adpowershell/archive/2009/10/13/add-object-specific-aces-using-active-directory-powershell.aspx
  Please click to vote if the post helps you. This can be beneficial to other community members reading the thread.

  The ActiveDirectoryAccessRule has more than one constructor, but yes, you've interpreted the one that takes six arguments correctly.
  Those GUIDs are different (check just before the first dash). Creating that ACE will create an empty GUID for InheritedObjectType, though, because you're telling it to apply to the Object only ([System.DirectoryServices.ActiveDirectorySecurityInheritance]::None).
  Since the ACE will only apply to the object, there's no need to worry about what types of objects will inherit it.
  If you've got time, check out
  this module. It will let you view the security descriptors in a much friendlier format. Try both version 3.0 and the version 4.0 preview:
  Sample version 3.0:
  # This is going to be kind of slow, and it will take a few seconds the first time
  # you run it because it has to build the list of GUID <--> Property/Class/etc objects
  Get-ADGroup GroupY |
  Get-AccessControlEntry -ObjectAceType member -InheritedObjectAceType group -ActiveDirectoryRights WriteProperty
  # Same as the previous command, except limit it to access granted to GroupX
  Get-ADGroup GroupY |
  Get-AccessControlEntry -ObjectAceType member -InheritedObjectAceType group -ActiveDirectoryRights WriteProperty -Principal GroupX
  Here's version 4.0. It's way faster than 3.0, but it's missing the -ObjectAceType and -InheritedObjectAceType parameters on Get-AccessControlEntry (don't worry, when they come back they'll be better than in 3.0):
  Get-ADGroup GroupY |
  Get-AccessControlEntry
  Get-ADGroup GroupY |
  Get-AccessControlEntry -ActiveDirectoryRights WriteProperty
  Get-ADGroup GroupY |
  Get-AccessControlEntry -ActiveDirectoryRights WriteProperty -Principal GroupX
  # You can do a Where-Object filter until the parameters are added back to Get-AccessControlEntry:
  Get-ADGroup GroupY |
  Get-AccessControlEntry -ActiveDirectoryRights WriteProperty |
  where { $_.AccessMask -match "All Prop|member Prop" }
  Get-ADGroup GroupY |
  Get-AccessControlEntry -ActiveDirectoryRights WriteProperty |
  where { $_.ObjectAceType -in ($null, [guid]::Empty, "bf9679c0-0de6-11d0-a285-00aa003049e2") }
  Get-ADGroup GroupY |
  Get-AccessControlEntry -ActiveDirectoryRights WriteProperty |
  where { $_.AccessMask -match "All Prop|member Prop" -and $_.AppliesTo -match "group"}
  That's just for viewing. Version 3.0 can add and remove access, or you can use New-AccessControlEntry to replace your call to New-Object, and you can still use Get-Acl and Set-Acl. The benefit to New-AccessControlEntry is that you can do something like this:
  New-AccessControlEntry -Principal GroupX -ActiveDirectoryRights WriteProperty -ObjectAceType member -InheritedObjectAceType group #-AppliesTo Object
   

• Authenticating Workgroup Manager to Active Directory.

  Dear all,
  I've searched the forums and Internet and tried various things that could help my situation but I'm still having issues.
  I am running 10.4.11 server 10.4.11 client machines. All machines and server are connected to Active Directory via the built in AD plugin.
  Logging on to a client machine with an AD login works fine, no issues.
  System image deployment over the network from the Xserve work fine.
  The I have is implementing managed preferences from Workgroup Manager. When I open it, it will show me all of the users and groups. It says:
  *Viewing directory: /Active Directory/All domains. Not authenticated*
  When I click the padlock to authenticate, and enter my domain admin username and password, it says:
  *The login information is not valid for this server.*
  My login works as it allows me  to add machines to the domain.
  More info available as needed. If anyone can assist, thanks in advance.
  Regards,
  M.

  Hi
  Viewing directory: /Active Directory/All domains. Not authenticated
  When you bound the server to the Active Directory Realm what user name and password did you use? It will be this name and password that you will need to authenticate to the Active Directory node. This name and password should be the one that already exists on the AD that has authority for that server. Its also the name and password that should be used when binding mac clients to the AD node using the Active Directory plugin in Directory Access.
  This name and password can be the same as the one created for promoting your server to OD Master (diradmin). Its a good idea to create this account on the AD first (make it authoratative for the AD) before promotion and client binding.
  If you want to augment the AD with OSX Server managed preferences (MCX) then create a group within the /LDAPv3/127.0.0.1 node (assuming you have promoted the server to OD Master and disabled sso). Have two windows open in WGM (better done from a client). One window will show you the AD node and the other the OD node. Drag users or groups from the AD node into the newly created group in the OD node.
  Apologies if you already know this, Tony