Adding Custom Attributes in Active Directory

Hi,
I have a requirement to get a few user properties from Active Directory into the user profile. For example, I need the following properties:
user image
user birthday
user employee number
These properties are not available in Active Directory, so how can I add them to Active Directory? Secondly, how can I insert the image of the user into the Active Directory property for the image?

There are two ways here.
First:
You can ask your AD administrator to create an attribute for you so that you can use it.
Second:
You can use the thumbnailPhoto attribute for Images
You can use Employee ID for employee number
You can use roomnumber for Birthday. Birthday attribute is not present in AD. So, we would have to use some other attribute which matches. So, I would personally request you to create a new attribute inside AD for the same. For this please follow this URL.
Thank You, Pallav S. Srivastav
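One way to write the two built-in attributes suggested in this answer (thumbnailPhoto and employeeID) from Java over JNDI. This is an added example, not code from the thread; the class and method names, the JPEG and size checks and the employee-ID pattern are assumptions, and the byte arrays in `main` are constructed samples.

```java
import java.nio.charset.StandardCharsets;
import javax.naming.NamingException;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.ModificationItem;

public class ProfileAttributeWriter {
    // Assumed cap: 100 KB, the upper range of thumbnailPhoto in the default AD schema.
    static final int MAX_PHOTO_BYTES = 100 * 1024;

    // JPEG data starts with the bytes FF D8 FF.
    static boolean looksLikeJpeg(byte[] b) {
        return b != null && b.length > 3
                && (b[0] & 0xFF) == 0xFF && (b[1] & 0xFF) == 0xD8 && (b[2] & 0xFF) == 0xFF;
    }

    // Validates the inputs before anything is sent to the directory,
    // then builds one modify request that replaces both attributes.
    static ModificationItem[] buildMods(byte[] photo, String employeeId) {
        if (!looksLikeJpeg(photo)) {
            throw new IllegalArgumentException("photo is not a JPEG");
        }
        if (photo.length > MAX_PHOTO_BYTES) {
            throw new IllegalArgumentException("photo is larger than 100 KB");
        }
        // Assumed site policy: short alphanumeric IDs only.
        if (employeeId == null || !employeeId.matches("[A-Za-z0-9-]{1,16}")) {
            throw new IllegalArgumentException("unexpected employee ID format");
        }
        return new ModificationItem[] {
            // A byte[] value is sent as binary, which is what thumbnailPhoto stores.
            new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
                    new BasicAttribute("thumbnailPhoto", photo)),
            new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
                    new BasicAttribute("employeeID", employeeId))
        };
    }

    // ctx must already be bound with an account allowed to write these attributes.
    static void apply(DirContext ctx, String userDn, byte[] photo, String employeeId)
            throws NamingException {
        ctx.modifyAttributes(userDn, buildMods(photo, employeeId));
    }

    public static void main(String[] args) {
        // Constructed sample: only the first bytes of a JPEG header, not a real image.
        byte[] sample = {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF, (byte) 0xE0, 0x00, 0x10};
        for (ModificationItem m : buildMods(sample, "E-10042")) {
            System.out.println("would replace " + m.getAttribute().getID());
        }
        try {
            buildMods("GIF89a".getBytes(StandardCharsets.US_ASCII), "E-10042");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```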

Similar Messages

  • Updating custom boolean attribute in Active Directory via OIM

    The adapters delivered with the AD connector support updating standard attributes (string) and multi-value attributes, but I can't seem to figure out how to update a custom Boolean attribute in AD via OIM. The delivered Boolean fields all appear to have custom adapters (ie Account Locked, Password Never Expires, etc.)
    I've tried using the delivered adpADCSCHANGEATTRIBUTE adapter, but it fails (as expected) with:
    +com.thortech.xl.integration.ActiveDirectory.tcUtilADTasks : updateDetails : Attributes cannot update:[LDAP: error code 21 - 00000057: LdapErr: DSID-0C090B73, comment: Error in attribute conversion operation, data 0, v1772 ]+
    Suggestions?

    No I don't have custom boolean attributes in AD. But I added custom attributes of other types.
    When you say custom, do you mean it did not come with the out of the box AD connector, but exists in the Active Directory of your organization?
    There are a few attributes in AD which look like they are boolean when you see the AD console but are actually different. Look at the link for details.
    [http://support.microsoft.com/kb/305144]
    Look at this post for context.
    AD Provisioning - Password never expires & User must chg pwd at next logon
    Thanks,
    M

  • ADDING CUSTOM ATTRIBUTES TO PORTAL USER

    Hi,
    We are using ldap server as the EP 6.0 user database.
    We have to add a few custom attributes like comanycode etc. to the user.
    As I understand, the first activity will be to add these custom attributes in the ldap followed by mapping of portal logical attributes and the custom attributes in dataSourceConfiguration_xxx.xml file.
    Now what about showing these attributes in the all relevant user management screens (like Create User, Modify User etc).
    Can anyone please tell the configuration for the same.
    Any input is highly appreciated.
    regards,
    Chandra

    Hi
    Additional custom attributes can be added by editing the dataSourceConfig....xml. In this case logical to physical mapping has to be performed for each attribute. The attributes created without any mapping may be using the default namespace.
    The getAttribute() method can be used for getting the attribute values of the specified logical attribute.
        IUser user;
        String[] attrs = user.getAttribute("<nameSpace>", "<logicalname>");
    Editing the dataSourceConfig....xml for Logical to Physical mapping
    Inside the nameSpace add the attribute inside the attributes tag as below.
        <nameSpace name =.........>
            <attributes>
                <attribute name="<logicalnameyouwant>">
                </attribute>
            </attributes>
        </nameSpace>
    Inside the attributeMapping specify the attribute name given above and the physicalAttribute as below
        <attributeMapping>
            <nameSpace name =.........>
                <attributes>
                    <attribute name="<logicalnameyouwant>">
                        <physicalAttribute name="<physicalnameyouwant>"/>
                    </attribute>
                </attributes>
            </nameSpace>
        </attributeMapping>
    Regards
    Geogi

  • Adding a user in Active Directory

    Hi fellows,
    I am having a serious problem in creating a new user in Active Directory. I am using LDAP JNDI code. I can delete and update users' attributes, but fail to create users.
    ctx.createSubcontext("newuser,full domain", attributes);
    When I specify a new user in "newuser" it gives the exception InvalidNameException. I don't understand how to create a new entry within the directory structure of the predefined tree. By the way, I can create users with Active Directory Explorer, but the Java application is giving exceptions.
    Any help will be highly appreciated.

    A DistinguishedName is of the form e.g. "cn=username, ou=Users,dc=hostname,dc=com". In other words it contains attribute names and values for each name component. Evidently your DN doesn't do that.
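The DN form described in this reply, built with JNDI's own name classes so that special characters in the user's name are escaped rather than concatenated into the string. This is an added example, not code from the thread; the class and method names, the `example.com` container and the attribute set for a disabled new account are assumptions.

```java
import javax.naming.InvalidNameException;
import javax.naming.NamingException;
import javax.naming.directory.Attributes;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.BasicAttributes;
import javax.naming.directory.DirContext;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class NewUserDn {
    // Builds "CN=<cn>,<parentDn>". LdapName validates the container DN and
    // Rdn escapes characters such as ',' or '+' in the value when rendered.
    static LdapName userDn(String cn, String parentDn) throws InvalidNameException {
        LdapName dn = new LdapName(parentDn);
        dn.add(new Rdn("CN", cn)); // appended as the left-most component
        return dn;
    }

    // Minimal attribute set for an AD user object (assumed for illustration).
    static Attributes userAttributes(String cn, String samAccountName) {
        Attributes attrs = new BasicAttributes(true); // attribute IDs are case-insensitive
        BasicAttribute objectClass = new BasicAttribute("objectClass");
        objectClass.add("top");
        objectClass.add("person");
        objectClass.add("organizationalPerson");
        objectClass.add("user");
        attrs.put(objectClass);
        attrs.put("cn", cn);
        attrs.put("sAMAccountName", samAccountName);
        // 514 = normal account (512) + disabled (2): no password has been set yet.
        attrs.put("userAccountControl", "514");
        return attrs;
    }

    // ctx must already be bound with an account allowed to create users.
    static void create(DirContext ctx, String cn, String sam, String parentDn)
            throws NamingException {
        ctx.createSubcontext(userDn(cn, parentDn), userAttributes(cn, sam)).close();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values; runs without a directory connection.
        System.out.println(userDn("Smith, John", "CN=Users,DC=example,DC=com"));
        try {
            // Same shape as the name in the question: first component has no "attr=".
            new LdapName("newuser,DC=example,DC=com");
        } catch (InvalidNameException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```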

  • How to get the value for attribute for terminal services attribute in Active Directory from userParameters attribute

    I am using dirsync to get  the attributes value that have changed in Active Directory(changelog).
    The following link explains how the dirsync is used to get attribute values :
    'http://blogs.technet.com/b/isrpfeplat/archive/2010/09/20/using-the-dirsync-control.aspx'
    I am changing the attribute Local path under Remote Desktop Services Profile of a user. I have run a client which uses dirsync to get the changed objects in AD.
    In the client the attribute that is changed is `userParameters` and the value is in encrypted form. 
        CtxCfgPresent                                   P☺CtxCfgPresent???? ☻☺CtxWFProfi
        lePath?↑→☺CtxWFHomeDir?????????????"☻☺CtxWFHomeDirDrive?☺CtxShadow????☺CtxMaxDis
        connectionTime????☺CtxMaxConnectionTime????☺CtxMaxIdleTime???? ☻☺CtxWorkDirector
        y?☺CtxCfgFlags1????"☻☺CtxInitialProgram?
    Is there a way to get the actual value from the userParameters?

    Hi,
    What about other changed attributes? Do other attributes retrieved by the DirSync control also turn out to be in encrypted form?
    Best Regards,
    Amy

  • Adding custom attributes in iPlanet User resource

    I have a custom attribute in LDAP called "CustomAttr1" created. I would like to add this attribute to the iPlanet User RO so that I can update that attribute via OIM. What is the process of adding that attribute to the iPlanet User process and forms?

    Have you checked the Connector Document and specifically the section where it says "Extending the Connector"?
    This: http://docs.oracle.com/cd/E11223_01/doc.904/e10446/custom.htm#CDEGCCEB
    -Bikash

  • Adding a field of Active Directory

    Hello,
    In Active Directory we have a field called Office that is populated.
    We are using Portal 6.0 SP1 - which syncs with AD via a Remote Authentication Source called Domain and a Profile Source called AD Profile. SSO is enabled.
    In the AD Profile I added a property called Section and mapped it to Office - but nothing shows up, it is blank.
    How do I get the office field from AD to show up in my sync to the Portal?
    Hope this is enough info to get started!
    Thanks,
    V
    Computers are like Old Testament gods; lots of rules and no mercy. ~Joseph Campbell

    Got it figured out.
    The field Office in AD goes by the name physicalDeliveryOfficeName not office....
    Check this out: http://www.computerperformance.co.uk/Logon/LDAP_attributes_active_directory.htm#LDAP_Attribute_
    It loaded fine.
    Thanks!
    V
    Computers are like Old Testament gods; lots of rules and no mercy. ~Joseph Campbell

  • Adding a listener to Active directory for user creation using Java

    Hi,
    I would like to add a listener to active directory such that when a user is created to the "Users" container, I should be notified or informed. I would like to do this with Java. What should I do ?
    Regards,
    Anand Kumar D

    You should add a NamingListener or a NamespaceChangedListener.

  • Cannot bind when using "pwdLastSet" attribute in Active Directory

    The admin resets the password and enables "user has to change password at next logon". When I try to change the user password, I am not able to bind the user, and it shows errors such as:
    Since Authentication fails, he could able to modify the attribute[pwdLastSet].
    please suggest me any solution
    Error occured
    xyz is not authenticated javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 773, vece
    javax.naming.NamingException: [LDAP: error code 1 - 00000000: LdapErr: DSID-0C090A1A, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece
    Since I couldn't bind the user, I am not able to change the user password. Here is my program:
    {code}
    import java.io.IOException;
    import java.io.UnsupportedEncodingException;
    import java.util.Hashtable;
    import javax.naming.AuthenticationException;
    import javax.naming.Context;
    import javax.naming.NamingException;
    import javax.naming.directory.BasicAttribute;
    import javax.naming.directory.DirContext;
    import javax.naming.directory.ModificationItem;
    import javax.naming.ldap.Control;
    import javax.naming.ldap.InitialLdapContext;
    import javax.naming.ldap.LdapContext;
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServlet;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import netscape.ldap.LDAPException;

    public class Fastbindclient_changePwd extends HttpServlet {

        class ldapfastbind {
            Hashtable env;
            LdapContext ctx;
            Control[] connCtls;

            // Connection control requested on every bind made through this class.
            class FastBindConnectionControl implements Control {
                public byte[] getEncodedValue() {
                    return null;
                }
                public String getID() {
                    // Note: this OID is the ManageDsaIT control; Active Directory's
                    // fast bind control is 1.2.840.113556.1.4.1781.
                    return "2.16.840.1.113730.3.4.2";
                }
                public boolean isCritical() {
                    return Control.CRITICAL;
                }
            }

            public ldapfastbind(String ldapurl) {
                env = new Hashtable();
                env.put(Context.INITIAL_CONTEXT_FACTORY,
                        "com.sun.jndi.ldap.LdapCtxFactory");
                env.put(Context.SECURITY_AUTHENTICATION, "simple");
                env.put(Context.SECURITY_PROTOCOL, "ssl");
                env.put(Context.PROVIDER_URL, ldapurl);
                connCtls = new Control[] { new FastBindConnectionControl() };
                try {
                    ctx = new InitialLdapContext(env, connCtls);
                }
                catch (NamingException e) {
                    // no handling shown in the original post
                }
            }

            public int Authenticate(String username, String password, HttpServletRequest request, HttpServletResponse response) throws LDAPException {
                try {
                    ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, username);
                    ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, password);
                    ctx.reconnect(connCtls);
                    System.out.println(username + " is authenticated");
                    return 0;
                }
                catch (AuthenticationException e) {
                    // "data 773" in the message: user must change password at next logon
                    String errMsg = e.getMessage();
                    int index5 = errMsg.indexOf("data 773");
                    if (index5 != -1) {
                        try {
                            pwdLastSet = 1;
                            System.out.println("Password Last Set " + pwdLastSet);
                            String j_username = request.getParameter("j_username");
                            String j_password = request.getParameter("j_password");
                            String new_password = request.getParameter("new_password");
                            String change_password = request.getParameter("change_password");
                            boolean isChanged = ctxFast.ChangePassword(j_username, j_password, new_password, request, response);
                        } catch (IOException e1) {
                        }
                    }
                }
                catch (NamingException e) {
                }
                return 0;
            }

            public boolean ChangePassword(String sUserName, String sOldPassword, String sNewPassword, HttpServletRequest request, HttpServletResponse response) throws UnsupportedEncodingException {
                try {
                    ModificationItem[] mods = new ModificationItem[1];
                    ModificationItem[] mods1 = new ModificationItem[1];
                    // unicodePwd takes the password in double quotes, encoded as UTF-16LE
                    String oldQuotedPassword = "\"" + sOldPassword + "\"";
                    byte[] oldUnicodePassword = oldQuotedPassword.getBytes("UTF-16LE");
                    String newQuotedPassword = "\"" + sNewPassword + "\"";
                    byte[] newUnicodePassword = newQuotedPassword.getBytes("UTF-16LE");
                    System.out.println("newUnicodePassword" + newUnicodePassword);
                    System.out.println("printed before modify");
                    mods[0] = new ModificationItem(LdapContext.REPLACE_ATTRIBUTE, new BasicAttribute("unicodePwd", newUnicodePassword));
                    ctx.modifyAttributes("cn=" + sUserName + ",cn=Users,dc=tc,dc=com", mods);
                    mods1[0] = new ModificationItem(LdapContext.REPLACE_ATTRIBUTE, new BasicAttribute("pwdLastSet", "-1"));
                    System.out.println("pwdLastSet Replaced");
                    /* mods[0] = new ModificationItem(DirContext.REMOVE_ATTRIBUTE, new BasicAttribute("unicodePwd", oldUnicodePassword));
                    mods[1] = new ModificationItem(DirContext.ADD_ATTRIBUTE, new BasicAttribute("unicodePwd", newUnicodePassword)); */
                    ctx.modifyAttributes("cn=" + sUserName + ",cn=Users,dc=tc,dc=com", mods1);
                    ctx.close();
                    return true;
                }
                catch (AuthenticationException e) {
                    String errMsg = e.getMessage();
                    int index5 = errMsg.indexOf("data 773");
                    if (index5 != -1) {
                        try {
                            pwdLastSet = 1;
                            System.out.println("Password Last Set " + pwdLastSet);
                            String j_username = request.getParameter("j_username");
                            String j_password = request.getParameter("j_password");
                            String new_password = request.getParameter("new_password");
                            String change_password = request.getParameter("change_password");
                            boolean isChanged = ctxFast.ChangePassword(j_username, j_password, new_password, request, response);
                        } catch (IOException e1) {
                            // TODO Auto-generated catch block
                            e1.printStackTrace();
                        }
                    }
                    return false;
                }
                catch (NamingException e) {
                    return false;
                }
            }

            public void finito() {
                try {
                    ctx.close();
                    System.out.println("Context is closed");
                }
                catch (NamingException e) {
                    System.out.println("Context close failure " + e);
                }
            }
        }

        public void bindClient(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
            String ldapurl = "ldaps://172.22.0.99:636";
            String keystore = "D:/j2sdk1.4.2_04/jre/lib/security/CACert.ks";
            System.setProperty("javax.net.ssl.trustStore", keystore);
            String j_username = request.getParameter("j_username");
            String j_password = request.getParameter("j_password");
            String new_password = request.getParameter("new_password");
            ctxFast = new ldapfastbind(ldapurl);
            try {
                int IsAuthenticated = ctxFast.Authenticate(request.getParameter("j_username"), request.getParameter("j_password"), request, response);
                boolean isChangedNrml;
                if (pwdLastSet == 0)
                    isChangedNrml = ctxFast.ChangePassword(j_username, j_password, new_password, request, response);
                System.out.println("b4 change");
                System.out.println("After change 1");
            } catch (LDAPException e) {
                System.out.println("LDAP Exception : " + e.getLDAPResultCode() + "LDAPMessage : " + e.getLDAPErrorMessage() + "message : " + e.getMessage());
                e.printStackTrace();
                String errMsg = e.getMessage();
                System.out.println("error msa" + errMsg);
            }
            ctxFast.finito();
        }

        public ldapfastbind ctxFast = null;
        public int pwdLastSet = 0;
    }
    {code}
    Please suggest a solution.
    Thanks in Advance..

    See my other reply concerning "user must change password" and the chicken & egg problem.
    In addition when using the LDAP Fast Bind control, it is only used to authenticate a user (verify credentials).
    If the user has the "user must change password" setting enabled, then the LDAP Fast Bind Connection Control will always fail the authentication attempt.
    Furthermore, the LDAP Fast Bind control does not create a Windows token, and even if the user had successfully authenticated, it does not permit the user to perform other operations against the directory such as modify attribute values or change passwords.
    You must perform a full LDAP bind in order to allow a user to change their password or to modify other attribute values.
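A sketch of the full-bind approach this reply describes: an ordinary simple bind over LDAPS with no connection controls, followed by the password change on that same connection. This is an added example, not code from the thread; the class and method names and the returned status strings are assumptions, and the sample password in `main` is constructed. It goes slightly beyond the reply by showing both request shapes for `unicodePwd`: remove-old plus add-new when the user changes their own password, and a replace when a privileged account resets it (the only option once the user's own bind fails with sub-code 773).

```java
import java.nio.charset.StandardCharsets;
import java.util.Hashtable;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.ModificationItem;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

public class FullBindPasswordChange {
    private static final Pattern SUB_CODE = Pattern.compile("data ([0-9a-fA-F]+)");

    // Extracts the AD sub-code ("773", "52e", ...) from an LDAP error 49 message.
    static String bindSubCode(String message) {
        Matcher m = SUB_CODE.matcher(message == null ? "" : message);
        return m.find() ? m.group(1).toLowerCase() : "";
    }

    // Ordinary simple bind over LDAPS; null means no connection controls (no fast bind).
    static LdapContext fullBind(String ldapsUrl, String dn, String password) throws NamingException {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapsUrl);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, dn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialLdapContext(env, null);
    }

    // unicodePwd takes the password wrapped in double quotes, encoded as UTF-16LE.
    static byte[] unicodePwd(String password) {
        return ("\"" + password + "\"").getBytes(StandardCharsets.UTF_16LE);
    }

    // Change by the user: old value removed and new value added in one modify request.
    static ModificationItem[] changeByUser(String oldPw, String newPw) {
        return new ModificationItem[] {
            new ModificationItem(DirContext.REMOVE_ATTRIBUTE, new BasicAttribute("unicodePwd", unicodePwd(oldPw))),
            new ModificationItem(DirContext.ADD_ATTRIBUTE, new BasicAttribute("unicodePwd", unicodePwd(newPw)))
        };
    }

    // Reset by an account holding the reset-password right: a single replace.
    static ModificationItem[] resetByAdmin(String newPw) {
        return new ModificationItem[] {
            new ModificationItem(DirContext.REPLACE_ATTRIBUTE, new BasicAttribute("unicodePwd", unicodePwd(newPw)))
        };
    }

    // Returns "changed", "must-reset" (sub-code 773) or "bind-failed:<sub-code>".
    static String changeOwnPassword(String url, String userDn, String oldPw, String newPw) throws NamingException {
        LdapContext ctx;
        try {
            ctx = fullBind(url, userDn, oldPw);
        } catch (AuthenticationException e) {
            String code = bindSubCode(e.getMessage());
            return "773".equals(code) ? "must-reset" : "bind-failed:" + code;
        }
        try {
            ctx.modifyAttributes(userDn, changeByUser(oldPw, newPw));
            return "changed";
        } finally {
            ctx.close();
        }
    }

    public static void main(String[] args) {
        // Error text as quoted in the question; runs without a directory connection.
        String msg = "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, "
                + "comment: AcceptSecurityContext error, data 773, vece";
        System.out.println("sub-code: " + bindSubCode(msg));
        System.out.println("encoded length: " + unicodePwd("N3w-Sample!").length);
        System.out.println("reset ops: " + resetByAdmin("N3w-Sample!").length);
    }
}
```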

  • Adding Custom Attributes in Search/Create iView

    Hi,
      I am able to create "Customized Information" in Search/Create user iView which is under User Administration Role. For example "CustomerCode" attribute I created in Search/Create iView. Also able to retrieve the "CustomerCode" value in the iViews.
      But the iView which I am using must have Role "super_admin_role", which is not the requirement.
      Can someone tell me how I can use the iView without having "super_admin_role" Role.
    Regards
    Deep Nain Kundra

    Hi,
       You can go: Content Administration-Portal Content-Portal Content folder-choose your iview-by mean context menu-choose permission and add your role.
       Also, you could System Administration-Permission.
    Patricio.

  • Problem adding some user or active directory group to sharepoint 2010 group

    Hi All
    I have a problem in a specific site collection in a web Application (but not on other site collection in that webApp).
    whenever I add a user like some system account to a sharepoint group or create a new sharepoint group or add an ActiveDirectory group to a sharepoint group I get an error and the user / group are not added :
    System.Runtime.InteropServices.COMException: [Work Email Address] - [Wrong Email Format]    at Microsoft.SharePoint.Library.SPRequestInternalClass.EnsureUserExists(String bstrUrl, String bstrLogin, String bstrEmail, String bstrName, String
    bstrNotes, String bstrMobilePhone, Int32 lFlags, Boolean bIsRole, Boolean bSendEmail, Boolean bForceAdd, Byte[]& ppsaSystemId, Boolean bImportDeleted, Int32& plUserId)     at Microsoft.SharePoint.Library.SPRequest.EnsureUserExists(String
    bstrUrl, String bstrLogin, String bstrEmail, String bstrName, String bstrNotes, String bstrMobilePhone, Int32 lFlags, Boolean bIsRole, Boolean bSendEmail, Boolean bForceAdd, Byte[]& ppsaSystemId, Boolean bImportDeleted, Int32& plUserId)
    when I add a regular user - all goes well.
    10x for any help
    Shlomy

    Hi Shlomy,
    I was thinking, perhaps there is an application that uses this checking method on your specific site collection, and perhaps it is using a hard-coded command to request it, but it seems it has some issue.
    As the other site collections may not have the issue, perhaps other site collections don't have this application, and you may check that as a lead in the investigation process.
    You may try to capture with the Fiddler tool; it may come in handy for tracing the HTTP requests.
    http://fiddler2.com/
    Usually when I trace the application, I like to create a new site and add the web parts or applications one by one; then I know which application/web part has the issue.
    As other regular users may not have the issue, perhaps it is because the system account is by design without an email address property, so when the application/web part requests it, it fails.
    Regards,
    Aries

  • Accessing Terminal Services Attributes from Active Directory LDAP property userParameters

    After many years of complaints, Microsoft has done little to address the overwhelming outcry for information on accessing the Terminal Services properties through LDAP.
    I found this document that fully describes the Encode/Decode mechanism for the userParameters attribute.
    https://msdn.microsoft.com/en-us/library/ff635189.aspx
    The property is used for more than terminal services, but even Microsoft is confused about its use, it would seem. I won't go into details, but for all those trying to access the terminal services attributes, this document should help.
    I have not yet converted the mapping into a Java module, so please don't ask for help. I just need a more public place to put this than the currently buried location at Microsoft, to make for easier retrieval from the web community of Java developers.

    Hi,
    What about other changed attributes? Do other attributes retrieved by the DirSync control also turn out to be in encrypted form?
    Best Regards,
    Amy

  • Add new attribute in active directory schema

    Hi
    I need to add two new attribute in Schema in my forest for the user class.
    Attribute name is jobclasscode and jobclass.
    How can I achieve it ? and where can I get X.500 OID.
    we are running on below AD forest:
    DFL and FFL : windows server 2003
    DCs: AD 2008 R2.

    Hi,
    You can use the LDIFDE command to export the schema attributes to <filename>.ldf (can be edited using Notepad) as given below,
    ldifde -f c:\<filename>.ldf -d "cn=schema,cn=configuration,dc=<mydomain>,dc=<com>"
    Checkout the below thread on similar discussion,
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/6789d4c2-1027-4a64-9f04-eaf7996893c5/ldifde-command-to-export-everything
    Regards,
    Gopi
    JiJi Technologies

  • Clear date attribute in Active Directory

    Hello!
    I've created attribute "birthdate" with syntax "Generalized Time" and fill up some user's info.
    Now I want to change it to string but I can't.
    I can't delete or modify the attribute because it is already set for some users.
    But I can't clean it because $null can't be a value of this attribute.
    What should I do?
    This topic first appeared in the Spiceworks Community

    Try it like this:
    if ($manager -ne $null) { # if manager is not null
        Try {
            $manager = (Get-ADUser -Filter 'displayname -like $manager').samAccountName
            Set-ADUser $samaccountname -Manager $manager # set manager
        } Catch { $managerErrorList += "name: $name manager: $manager" }
    } Else {
        $managerErrorList += "name: $name manager: $manager"
    }
    It won't be very efficient if you have a large organization, but it will be more efficient than the multiple Get-ADUser commands you have in your script now.
    Not sure what you're doing with your errors, you might change the Catch statement to more accurately reflect what that type of error means to you.
    I hope this post has helped!

  • Extracting custom attributes for individual objects

    The CRM service maintains those custom attributes and set types. By checking the 'BW relevant', it generates all the custom data sources for BW. The data sources are in $tmp, but can be viewed in RSO2.
    Those custom attributes can be added to 0crmp_prod and updated via flexible update from those generated datasource. My concern is that it creates a lot of maintenance depending on the number of set types maintained in CRM. Currently there are about 50 set types being maintained in CRM, which means additional 50 transfer rules for 0crm_prod.
    My question is whether there is more efficient way to handle this situation.
    Thanks for any suggestion.
    Jennifer

    It sounds as if your custom attributes may not have been created properly which is leading to your current problem. When creating a new attribute, one of the final steps is adding it to a specific 'Class'. This is where you choose Computer or User or any other specific need you have. It sounds very much like this is the piece that has been missed.
    To fix it you'll first need to clean out the User specific pieces that have gotten into the system. Easier said than done, I understand, but it will be crucial going forward. Once cleaned, add the attributes to the Computer class one at a time using the Active Directory Schema admin tool. You will need to be a member of the Enterprise Admins to add yourself into the Schema Admins and please remember to remove yourself after you are done (Best Practice).
    Refer to this for additional info:
    http://social.technet.microsoft.com/wiki/contents/articles/20319.how-to-create-a-custom-attribute-in-active-directory.aspx
    and: 
    http://blogs.technet.com/b/isingh/archive/2007/02/18/adding-custom-attributes-in-active-directory.aspx
    Hope that helps
    Gary
    Gary G. Gray
     MCP, MCTS, MCITP, MCT Alumni
