Business Objects XI R2 Active Directory
Currently we are implementing AD single sign-on but have an issue in that the Active Directory "Please enter your Active Directory credentials" prompt will not update with the Active Directory user.
It appears that the BO XI is not even communicating with the Active Directory server. Has anyone else struck this problem?
There is a fairly detailed section in the Admin guide for setting up AD (p250).
Make sure you have set up the IIS server as detailed in that section
Thanks
Kevin
Similar Messages
-
Can't connect to Small Business Server 2003 via Active Directory
I have done lots of searching, both in these forums and the wider internet, and cannot find a solution to my specific problem.
I am trying to connect my G5 (10.3.9) to a Windows network. We have a Microsoft Small Business Server 2003 with Active Directory. The PCs have no problem using this, and I can connect to shares setup on the server via AFP.
But I am having problems when I try to configure the AD plug-in in Directory Access on the Mac. When I click 'Bind', I enter the Server's Administrator username & password and when I click 'OK', it gets to Step 3 of 5 "Verifying Credentials". It ticks away at this step for about 30 seconds, then comes up with error message saying "Invalid user name and password combination."
I have tried other users with admin privileges, but they don't work either. I know the usernames and passwords aren't invalid, because I created them. I have tried fiddling around with other settings in the AD setup, but nothing gets any further.
Without any other 3rd party software (that's my final option), is there something I need to check/change, either on the Mac or the server, to make this Mac authenticate via AD? Please help!
Hi Andbrowny, thanks for your response.
Your advice didn't really help my Active Directory problem (AD doesn't require SMB does it?), but it gave me some progress on my SMB problem. I can connect via AFP, but previously when I tried to connect via SMB, it kept coming up with the error "Could not connect to the server because the name or password is not correct".
Now, after changing the policies on the server, I get an error -43 message saying "The operation could not be completed because one or more required items cannot be found."
So now I have two problems! SMB is not finding something it needs, and Active Directory is not "verifying credentials".
Actually, I have three problems: When I am connected via AFP, filenames over 31 characters long are truncated on the server, and I can't copy long filenames onto the server without renaming them. I have read that SMB would fix this to a degree (256 characters for the complete file path), but is there anything (a protocol or software) that allows long filenames to be read/written with ease?
Side note: The server is not 100% configured, the bloke installing it still has some work to do, but Active Directory works for all the XP machines, and I can connect to each XP workstation with SMB. -
Cannot find the object "CrossRef" in Active Directory
I am trying to install Lync 2013. I'm getting the following error:
Error: An error occurred: "Microsoft.Rtc.Management.Deployment.ActiveDirectoryException" "Cannot find the object "CrossRef" in Active Directory."
WARNING: Enable-CSAdForest failed.
This error is at "Step 3: Prepare Current Forest" of the install.
I've tried to run the forest prep as a local domain and I get the following:
Creating new log file "C:\Users\administrator.xxx\AppData\Local\Temp\2\Enable-CSAdForest-052cfe14-7f42-4969-88da-83279413ab8c.xml".
Enable the Active Directory forest to host Lync Server 2013 deployments.
Prepare Forest Active Directory settings execution failed on an unrecoverable error.
Creating new log file "C:\Users\administrator.xxx\AppData\Local\Temp\2\Enable-CSAdForest-[2013_05_30][13_25_56].html".
WARNING: Enable-CSAdForest failed.
WARNING: Detailed results can be found at "C:\Users\administrator.xxx\AppData\Local\Temp\2\Enable-CSAdForest-[2013_05_30][13_25_56].html".
Command execution failed: Container CN=Microsoft,CN=Program Data,DC=xxx,DC=local not found -
Cfldap and deleted objects container in Active Directory
Hello,
I am trying to use a CFLDAP query to bind and search in the Deleted Objects container of Active Directory. This would allow me to get the sAMAccountName values of the users who have been deleted within the last default 60 days (searching tombstone objects in Deleted Objects).
I have tried various methods including <cfldap start="CN=Deleted Objects,DC=<domain>,DC=<com>" ...> (I am omitting the rest of the CFLDAP attributes in the example above). I'm not sure if CFLDAP can even query the deleted objects container. Has anyone had any experience with this?
Thanks,
Ben
Hi Michael,
Thanks for your help! I have however already explored those solutions offered by Microsoft. Sadly, they only work in separate programs (i.e. ldap.exe which comes with Windows Server tools).
After lots of research I have found a Java method that can bind with the container and return the results. CFLDAP, I'm afraid, is just not capable of doing this - or at least I have had no luck with it (I was connecting as domain admin btw).
The challenge now is to get the Java class to communicate with the rest of my cf code.
Thanks again,
Ben -
Recon and provisioning of user-defined object class ICF Active Directory
I have followed the documentation instructions for reconciliation of a user-defined object class in the ICF Active Directory connector. I am using OIM 11gR2 with the ICF Active Directory 11.1.1.5 connector patched to 11.1.1.5.0A. The procedure states to create the new object class in AD and then change the objectClass value in the Lookup.Configuration.ActiveDirectory lookup. In my case I am using the existing ObjectClass of contact, rather than a new object class. Just for completeness I am using a clone of the AD User Resource Object which I call AD User Contact and so my lookup name is Lookup.Configuration.ActiveDirCon.
When I changed the ObjectClass from User to Contact, and ran the Active DirCon User Target Recon scheduled job, with Object Type also = contact. The first issue I noticed was that the connector wanted a different set of lookups, which is not in the documentation. It is looking for a lookup in my Configuration lookup where code key=contact Configuration Lookup (which I should have expected since there are code keys for User, Group, and organizationalUnit). I added a line to the lookup where code key=contact Configuration Lookup and the Decode=Lookup.ActiveDirCon.CM.Configuration and then I created a new lookup by that name, assigning the 5 values to be the Lookup.ActiveDirCon.UM.xxx lookups. I did not see any need to create a new set of Lookup.ActiveDirCon.CM.xxx lookups with the exact same values.
I re-ran the scheduled job and it ran successfully, but did not generate any Recon Events, even though I had objects in the OU and I have that same OU in the Lookup.ActiveDirCon.OrganizationalUnits lookup (from the Org Lookup Recon). Everything looks good but getting no results. Looked at the log file from the ConnectorServer and it is building the query properly and executing it properly with the correct syntax, getting no errors, but the SearchAndReturnObjects method is returning zero results.
Looking to see if anyone has successfully reconciled in user-defined or other non-User objectClass objects from Active Directory, and if so, can you provide Lookup configuration and Connector Server information so I can troubleshoot.
I resolved this issue by changing the recon lookups to a blank lookup called Lookup.ActiveDirCon.CM.ReconAttrMap and only added in the parameters that are used by a Contact object. Only populate the ReconAttrMap with parameters that exist for the custom object.
Edited by: Keith Smith AptecLLC on Mar 27, 2013 6:31 AM
Oracle Support answered this question via SR
-
Querying deleted objects container in Active Directory using JNDI
Hi,
I am trying to query the deleted objects container using JNDI, which fails with error 64.
Has anyone seen this or knows how to query AD using binary data in JNDI?
Seems to me there is some problem with the search base.
search base: <GUID=18E2EA80684F11D2B9AA00C04F79F805,dc=engserver,dc=com>.
filter: objectclass=*
search scope: subtree
This is the error:
Search example failed.
javax.naming.InvalidNameException: <GUID=18E2EA80684F11D2B9AA00C04F79F805,dc=engserver,dc=com>: [LDAP: error code 64 - 00000057: LdapErr: DSID-0C090563, comment: Error processing name, data 0, v893 ]; remaining name '<GUID=18E2EA80684F11D2B9AA00C04F79F805,dc=engserver,dc=com>'
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2802)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2616)
at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1744)
at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1667)
at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:368)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:328)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:313)
at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:245)
at jSearch.main(jSearch.java, Compiled Code)
Thanks,
Chetan
I thought I had posted one of these. How remiss of me!
/**
 * deleted.java
 * 5 July 2001
 * Sample JNDI application to search for deleted objects
 * Modified December 2004 to add Win2K3 lastKnownParent
 */
import java.util.Hashtable;
import javax.naming.*;
import javax.naming.ldap.*;
import javax.naming.directory.*;

// LDAP_SERVER_SHOW_DELETED_OID: without this request control a domain controller
// leaves tombstones (isDeleted=TRUE objects) out of every search result
class DeletedControl implements Control {
    public byte[] getEncodedValue() {
        return new byte[] {};
    }
    public String getID() {
        return "1.2.840.113556.1.4.417";
    }
    public boolean isCritical() {
        return true;
    }
}

public class deleted {
    public static void main(String[] args) {
        Hashtable env = new Hashtable();
        String adminName = "CN=Administrator,CN=Users,DC=ANTIPODES,DC=COM";
        String adminPassword = "XXXXXX";
        String ldapURL = "ldap://mydc.antipodes.com:389";
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        //set security credentials, note using simple cleartext authentication:
        //over plain ldap:// on 389 the password crosses the wire unencrypted,
        //so use ldaps:// or a SASL mechanism outside of a lab
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, adminName);
        env.put(Context.SECURITY_CREDENTIALS, adminPassword);
        //connect to my domain controller
        env.put(Context.PROVIDER_URL, ldapURL);
        try {
            //Create the initial directory context
            LdapContext ctx = new InitialLdapContext(env, null);
            //Create the search controls
            SearchControls searchCtls = new SearchControls();
            //Specify the attributes to return
            String returnedAtts[] = {"distinguishedName", "lastKnownParent"};
            searchCtls.setReturningAttributes(returnedAtts);
            //Specify the search scope
            searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);
            //specify the LDAP search filter
            String searchFilter = "(&(objectClass=user)(isDeleted=TRUE))";
            //Specify the Base for the search
            String searchBase = "DC=antipodes,DC=com";
            //initialize counter to total the results
            int totalResults = 0;
            //specify the Deleted control
            Control[] rqstCtls = new Control[] {new DeletedControl()};
            ctx.setRequestControls(rqstCtls);
            //Search for objects using the filter
            NamingEnumeration answer = ctx.search(searchBase, searchFilter, searchCtls);
            //Loop through the search results
            while (answer.hasMoreElements()) {
                SearchResult sr = (SearchResult) answer.next();
                totalResults++;
                System.out.println(totalResults + ". " + sr.getName().toString());
                // Print out some of the attributes, catch the exception if the attributes have no values
                Attributes attrs = sr.getAttributes();
                if (attrs != null) {
                    try {
                        for (NamingEnumeration ae = attrs.getAll(); ae.hasMore();) {
                            Attribute attr = (Attribute) ae.next();
                            System.out.println("Attribute: " + attr.getID());
                            for (NamingEnumeration e = attr.getAll(); e.hasMore(); System.out.println(" " + e.next().toString()));
                        }
                    } catch (NullPointerException e) {
                        System.err.println("Problem listing attributes: " + e);
                    }
                }
            }
            System.out.println("Deleted objects: " + totalResults);
            ctx.close();
        } catch (NamingException e) {
            System.err.println("Problem searching directory: " + e);
        }
    }
}
-
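The two threads above (CFLDAP and JNDI) both want the same thing: tombstones from the Deleted Objects container. As an added example that is not part of either thread, here is the same search done with the ActiveDirectory PowerShell module, whose -IncludeDeletedObjects switch sends the LDAP_SERVER_SHOW_DELETED_OID control (1.2.840.113556.1.4.417) that the Java class builds by hand. It assumes the ActiveDirectory module is installed and that the caller can read the Deleted Objects container; by default only Administrators and SYSTEM have list rights on it, which is why an ordinary bind returns nothing rather than an error. The 60-day window and the -Server parameter are illustrative.

```powershell
# Added example: list tombstoned user accounts (not code from the original posts)
Import-Module ActiveDirectory

function Get-TombstonedUser {
    param(
        [int]$WithinDays = 60,   # 60 days is the old default tombstone lifetime
        [string]$Server          # optional DC; tombstones replicate to every DC
    )
    $cutoff = (Get-Date).AddDays(-$WithinDays)
    $params = @{
        # computer inherits from user, so exclude it explicitly
        LDAPFilter            = '(&(objectClass=user)(!(objectClass=computer))(isDeleted=TRUE))'
        # adds the Show Deleted control; without it the DC silently returns 0 rows
        IncludeDeletedObjects = $true
        # these survive tombstoning; most other attributes are stripped on deletion
        Properties            = 'sAMAccountName', 'lastKnownParent', 'whenChanged', 'objectSid', 'isRecycled'
    }
    if ($Server) { $params.Server = $Server }
    # whenChanged is rewritten when isDeleted is set, so it approximates deletion time
    Get-ADObject @params |
        Where-Object { $_.whenChanged -ge $cutoff } |
        Select-Object sAMAccountName, lastKnownParent, whenChanged, objectSid, isRecycled
}

Get-TombstonedUser -WithinDays 60 | Sort-Object whenChanged -Descending | Format-Table -AutoSize
```

With the AD Recycle Bin enabled the same query returns "deleted" objects (all attributes kept, restorable with Restore-ADObject) as well as "recycled" ones (isRecycled=TRUE, stripped like a classic tombstone), so keep isRecycled in the output if the goal is recovery rather than an audit trail. Note that objectSid is retained on every tombstone, which is what makes deleted-account forensics possible: a SID seen in old security logs can still be mapped to its sAMAccountName here.
-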
Size limitation for all attributes in user objects in Active Directory????
Hi geeks, I want to know the maximum size limit of a user object's attributes in Active Directory, like the maximum number of characters the first name attribute can hold. Thanks in advance.
You can use ADSI Edit to view the properties of the attributes in the Schema container of your AD. In the Schema container you can select an attribute, like Company, right click, select properties, and find the rangeUpper property of the attribute. This
is the maximum length in characters (or bytes). You can also use dsquery to retrieve rangeUpper for an attribute. For example:
dsquery * "cn=Schema,cn=Configuration,dc=MyDomain,dc=com" -filter "(LDAPDisplayName=streetAddress)" -attr rangeUpper
where your domain is MyDomain.com. This finds the maximum length for the "street address" attribute. A few values in my test domain (the values can be modified, so these are the defaults):
company 64
streetAddress 1024
physicalDeliveryOfficeName 128
initials 6
st 128
postOfficeBox 40
name 255
cn 64
You can use the first two spreadsheets on this page to help identify attributes in AD (with no Exchange):
http://www.rlmueller.net/UserAttributes.htm
The first spreadsheet documents the attributes corresponding to the fields on most of the tabs of ADUC. For example, "st" is the attribute for state, "physicalDeliveryOfficeName" for the field labeled "office". You need the
LDAPDisplayName's of the attributes, like I used in the dsquery command above. The second spreadsheet documents all attributes in AD with more information, like the syntax and which class each applies to.
Richard Mueller - MVP Directory Services -
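As an added example, not from Richard's reply, the same schema lookup he does with dsquery, wrapped in a function and paired with the check a practitioner actually wants: validate a value against rangeUpper before writing it, so the script refuses the write instead of the domain controller rejecting it with a constraint violation. It assumes the ActiveDirectory module; the attribute, user name and office string at the bottom are placeholders.

```powershell
# Added example: read rangeUpper from the schema and enforce it client-side
Import-Module ActiveDirectory

$SchemaNC = (Get-ADRootDSE).schemaNamingContext   # CN=Schema,CN=Configuration,...

function Get-AttributeRangeUpper {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    # attributeSchema objects are direct children of the schema NC
    $attr = Get-ADObject -SearchBase $SchemaNC -SearchScope OneLevel `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))" `
        -Properties rangeUpper, attributeSyntax
    if (-not $attr) { throw "No attributeSchema object named '$LdapDisplayName'" }
    # rangeUpper is absent when the schema imposes no upper bound
    $limit = if ($null -ne $attr.rangeUpper) { [int]$attr.rangeUpper } else { $null }
    [pscustomobject]@{
        Attribute  = $LdapDisplayName
        RangeUpper = $limit
        # 2.5.5.12 = Unicode string (limit counts characters); 2.5.5.10 = octet string (bytes)
        Syntax     = $attr.attributeSyntax
    }
}

function Test-AttributeValue {
    param(
        [Parameter(Mandatory)][string]$LdapDisplayName,
        [Parameter(Mandatory)][string]$Value
    )
    $limit = (Get-AttributeRangeUpper $LdapDisplayName).RangeUpper
    if ($null -eq $limit -or $Value.Length -le $limit) { return $true }
    Write-Warning ("value is {0} chars; rangeUpper for {1} is {2}" -f $Value.Length, $LdapDisplayName, $limit)
    return $false
}

# Usage (placeholder user and value): refuse the write instead of letting the DC reject it
$office = 'Building 7, Floor 3, Room 318, North Wing'
if (Test-AttributeValue -LdapDisplayName physicalDeliveryOfficeName -Value $office) {
    Set-ADUser -Identity jdoe -Office $office
}
```

Because rangeUpper is itself a writable schema attribute, a script that caches the defaults listed above will drift from a forest where someone has changed them; reading the live value as done here is the safer choice.
-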
Oracle context and MS Active Directory
Hello,
I have one pc with Windows Server 2003 and Oracle 10g r2
When I add a user from my Active Directory in the External OS Users of the Oracle Managed Object (via mmc), I get this error:
ORA-30041: Cannot grant quota on the tablespace
And when I try to connect with this user (Active Directory user) to isqlplus, I get another error:
ORA-28030: Server encountered problems accessing LDAP directory service
Someone know how to resolve these errors ?
Server's Configs
Active directory name: cyclops.home.com
Host name: server.cyclops.home.com
My database name in the Oracle context object of my Active directory: oracle_db
My Oracle context: "CN=OracleContext,DC=home,DC=com"
#Ldap.ora
DEFAULT_ADMIN_CONTEXT = "DC=cyclops,DC=home,DC=com"
DIRECTORY_SERVER_TYPE = AD
#Listener.ora
SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC =
      (SID_NAME = PLSExtProc)
      (ORACLE_HOME = C:\oracle\product\10.2.0\db_1)
      (PROGRAM = extproc)
    )
  )
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = server.cyclops.home.com)(PORT = 1521))
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC0))
    )
  )
#Sqlnet.ora
SQLNET.AUTHENTICATION_SERVICES= (NTS)
NAMES.DIRECTORY_PATH= (LDAP)
#Tnsnames.ora
PROJET =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = server.cyclops.home.com)(PORT = 1521))
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = oracle_db)
    )
  )
EXTPROC_CONNECTION_DATA =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC0))
    )
    (CONNECT_DATA =
      (SID = PLSExtProc)
      (PRESENTATION = RO)
    )
  )
When I use this cmd ldapbind -h cyclops.home.com that works.
If I log to isqlplus with the system user and do select username from all_users; I can see my Active Directory user.
I also changed the LDAP_DIRECTORY_ACCESS parameter to PASSWORD (default was SSL) but that changed nothing.
Maybe the problem is from the Oracle wallet, I did one when I have created the database but I don't know well about it and the use. I think I should have something in my sqlnet.ora file related to the wallet but I don't know how to set.
I search on internet, some homepages said I should use Oracle Net Manager to set the wallet location but I found nothing in Oracle Net manager for it. -
How to install Small Business Server 2008 in an existing Active Directory domain
It is shown on this page:
http://support.microsoft.com/kb/884453, "How to install Small Business Server 2003 in an existing Active Directory domain".
Is it possible to do this with SBS2008 ?
If "YES", is there any published information about the procedure?
Yes, it is. Thank you very much.
But there is something that confuses me - I want to migrate from Win2003Std to SBS2008. And also, I want to keep the existing Win2003Std as a second DC for a long time.
But it is written in the shown article:
... After the migration is finished, you must remove the Source Server from the network within 21 days. ...
Is this rule mandatory for the scenarios where the Source Server is Std, not SBS ? As I know, I can have more than one DC(Win2003Std/Win2008Std) together with SBS2003. But what about SBS2008 ? -
Hi, I'm using VS2012.
I want to use this ExtensionAttributes9 field to store date value for each user object. I use UserPrincipal class, a collection of these objects are then bind to a gridview control. Is ExtensionAttributes9 a field in AD user object?
How can I access it and bind to the gridview?
If this field isn't available then what other field can use?
Thank you.
Thank you
UserPrincipal is basically a wrapper around DirectoryEntry (http://msdn.microsoft.com/en-us/library/system.directoryservices.directoryentry.aspx) and only provides a subset of the Active Directory attributes, although the most common ones, that are available for the user object. The attribute that you seek is not one of them.
By utilizing the method that I provided you a link to, it will return the underlying DirectoryEntry that was used to build the UserPrincipal object and should allow you to access the attribute that you seek.
It would be greatly appreciated if you would mark any helpful entries as helpful and if the entry answers your question, please mark it with the Answer link. -
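The answer above says to go through the DirectoryEntry that UserPrincipal wraps. As an added example that is not part of that thread, here is that path taken from PowerShell against the same .NET classes the asker uses in VS2012: UserPrincipal has no ExtensionAttribute9 property, GetUnderlyingObject() returns the DirectoryEntry, and its Properties collection exposes any attribute the schema defines. It assumes a domain-joined machine, that the schema carries extensionAttribute9 (it is an Exchange schema extension, not part of base AD) and that the caller may read and write it; the user name 'jdoe' is a placeholder.

```powershell
# Added example: store and read a date in extensionAttribute9 via UserPrincipal.GetUnderlyingObject()
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

function Find-UserPrincipal {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $ctx  = New-Object System.DirectoryServices.AccountManagement.PrincipalContext 'Domain'
    $user = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity($ctx, 'SamAccountName', $SamAccountName)
    if (-not $user) { throw "User '$SamAccountName' not found" }
    return $user
}

function Get-UserExtensionDate {
    param([Parameter(Mandatory)][string]$SamAccountName, [int]$Index = 9)
    $de  = (Find-UserPrincipal $SamAccountName).GetUnderlyingObject()   # System.DirectoryServices.DirectoryEntry
    $raw = $de.Properties["extensionAttribute$Index"].Value
    if ([string]::IsNullOrEmpty($raw)) { return $null }
    # The attribute is a plain string; parse strictly (ISO 8601 round-trip format)
    # and fail loudly rather than return a DateTime built from arbitrary text
    [datetime]::ParseExact($raw, 'o', [cultureinfo]::InvariantCulture, 'RoundtripKind')
}

function Set-UserExtensionDate {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][datetime]$Date,
        [int]$Index = 9
    )
    $de = (Find-UserPrincipal $SamAccountName).GetUnderlyingObject()
    # Write UTC in round-trip format so the value sorts and parses the same on every client
    $de.Properties["extensionAttribute$Index"].Value = $Date.ToUniversalTime().ToString('o')
    $de.CommitChanges()   # nothing reaches the directory until this call
}

# Usage (placeholder account)
Set-UserExtensionDate -SamAccountName jdoe -Date (Get-Date)
Get-UserExtensionDate -SamAccountName jdoe
```

For the gridview, bind to objects produced by Get-UserExtensionDate (or the C# equivalent) rather than to the raw string, so the column sorts as a date and a malformed value surfaces as an exception at load time instead of as a wrong sort order.
-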
Team,
I am trying to install Exchange in my lab and am getting the error message below.
The Schema Role is installed on the root domain and I am trying to install Exchange in the child domain.
1 root domain - 1 child domain, both located in a single site.
"Setup encountered a problem while validating the state of Active Directory: Exchange organization-level objects have not been created, and setup cannot create them because the local computer is not in the same domain and site as the schema master. Run setup with the /prepareAD parameter and wait for replication to complete."
Followed below articles:
http://support.risualblogs.com/blog/2012/02/21/exchange-2010-sp2-upgrade-issue-exchange-organization-level-objects-have-not-been-created-and-setup-cannot-create-them-because-the-local-computer-is-not-in-the-same-domain-and-site-as-the-sche/
http://www.petenetlive.com/KB/Article/0000793.htm
transferred the schema roles to different server on root domain, still no luck.
can someone please help me.
regards
Srinivasa k
Srinivasa K
Hi Srinivasa,
I guess you didn't complete the initial setup (schema prep and AD prep) before starting the installation. You can do it as follows:
1. Open command Prompt as administrator and browse to the root of installation cd and run Setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms
After finishing this,
2. Setup.exe /PrepareAD /OrganizationName:"<organization name>" /IAcceptExchangeServerLicenseTerms
3. To prepare all domains within the forest run Setup.exe /PrepareAllDomains /IAcceptExchangeServerLicenseTerms. If you want to prepare a specific domain run Setup.exe /PrepareDomain:<FQDN of the domain you want to prepare> /IAcceptExchangeServerLicenseTerms
4. Once you complete all of the 3 steps, install the prerequisites for Exchange 2013
5. Finally, run the setup program
Hope this will help you
Regards from Visit ExchangeOnline |
Visit WindowsAdmin -
Hello.
We have two domain controllers - node1 (Windows 2008 R2) and node2 (Windows 2012 R2). When an administrator connects to node2 and tries to rename some object in AD (for example, a user), AD Domain Services crashes and the server reboots after 60 seconds.
In Events I can see these messages:
Log Name: Directory Service
Source: Microsoft-Windows-ActiveDirectory_DomainService
Date: 04.03.2014 12:37:58
Event ID: 1173
Task Category: Internal Processing
Level: Warning
Keywords: Classic
User: domain\admin
Computer: NODE2.domain.example
Description:
Internal event: Active Directory Domain Services has encountered the following exception and associated parameters.
Exception:
c0000005
Parameter:
0
Additional Data
Error value:
7ffc7c38e45d
Internal ID:
0
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-ActiveDirectory_DomainService" Guid="{0e8478c5-3605-4e8c-8497-1e730c959516}" EventSourceName="NTDS General" />
<EventID Qualifiers="32768">1173</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>9</Task>
<Opcode>0</Opcode>
<Keywords>0x8080000000000000</Keywords>
<TimeCreated SystemTime="2014-03-04T06:37:58.116264800Z" />
<EventRecordID>881</EventRecordID>
<Correlation />
<Execution ProcessID="572" ThreadID="2580" />
<Channel>Directory Service</Channel>
<Computer>NODE2.domain.example</Computer>
<Security UserID="S-1-5-21-3794920928-4165619442-305938157-2047" />
</System>
<EventData>
<Data>c0000005</Data>
<Data>7ffc7c38e45d</Data>
<Data>0</Data>
<Data>0</Data>
</EventData>
</Event>
Log Name: Application
Source: Microsoft-Windows-Wininit
Date: 04.03.2014 12:37:58
Event ID: 1015
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: NODE2.domain.example
Description:
A critical system process, C:\Windows\system32\lsass.exe, failed with status code c0000005. The machine must now be restarted.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Wininit" Guid="{206f6dea-d3c5-4d10-bc72-989f03c8b84b}" EventSourceName="Wininit" />
<EventID Qualifiers="49152">1015</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2014-03-04T06:37:58.000000000Z" />
<EventRecordID>189578</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>Application</Channel>
<Computer>NODE2.domain.example</Computer>
<Security />
</System>
<EventData>
<Data>C:\Windows\system32\lsass.exe</Data>
<Data>c0000005</Data>
</EventData>
</Event>
Log Name: Application
Source: Application Error
Date: 04.03.2014 12:37:58
Event ID: 1000
Task Category: (100)
Level: Error
Keywords: Classic
User: N/A
Computer: NODE2.domain.example
Description:
Faulting application name: lsass.exe, version: 6.3.9600.16384, time stamp: 0x5215e25f
Faulting module name: ntdsai.dll, version: 6.3.9600.16421, time stamp: 0x524fcaed
Exception code: 0xc0000005
Fault offset: 0x000000000019e45d
Faulting process id: 0x23c
Faulting application start time: 0x01cf3773fe973e1b
Faulting application path: C:\Windows\system32\lsass.exe
Faulting module path: C:\Windows\system32\ntdsai.dll
Report Id: 85cfbe32-a367-11e3-80cc-00155d006724
Faulting package full name:
Faulting package-relative application ID:
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Application Error" />
<EventID Qualifiers="0">1000</EventID>
<Level>2</Level>
<Task>100</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2014-03-04T06:37:58.000000000Z" />
<EventRecordID>189576</EventRecordID>
<Channel>Application</Channel>
<Computer>NODE2.domain.example</Computer>
<Security />
</System>
<EventData>
<Data>lsass.exe</Data>
<Data>6.3.9600.16384</Data>
<Data>5215e25f</Data>
<Data>ntdsai.dll</Data>
<Data>6.3.9600.16421</Data>
<Data>524fcaed</Data>
<Data>c0000005</Data>
<Data>000000000019e45d</Data>
<Data>23c</Data>
<Data>01cf3773fe973e1b</Data>
<Data>C:\Windows\system32\lsass.exe</Data>
<Data>C:\Windows\system32\ntdsai.dll</Data>
<Data>85cfbe32-a367-11e3-80cc-00155d006724</Data>
<Data>
</Data>
<Data>
</Data>
</EventData>
</Event>
In node2 we installed all available updates and hotfixes.
Hi Azamat Hackimov,
Regarding the error messages, it seems that the ntdsai.dll file caused the issue. Based on the current situation, please use the sfc /scannow command to scan protected system files and check whether it finds and repairs errors. Meanwhile, you can also navigate to the location of this DLL file and confirm its details.
In addition, Windows Server 2012 R2 has rebooted unexpectedly. Please check whether you get a dump file and then analyze it. It may help us to find the root cause. Please refer to the following KB.
How to read the small dump memory dump file that is created by Windows if a crash occurs.
http://support.microsoft.com/kb/315263/en-us
By the way, it is not effective for us to debug the crash dump file here in the forum. If this issue is an emergency for you, please contact Microsoft Customer Service and Support (CSS) via telephone so that a dedicated Support Professional can assist with your request.
To obtain the phone numbers for specific technology request, please refer to the web site listed below:
http://support.microsoft.com/default.aspx?scid=fh;EN-US;OfferProPhone#faq607
Hope this helps.
Best regards,
Justin Gu -
Hello Community
"forestA" is my forest it is a Windows 2008 Server Enterprise Edition
domain controller using Active Directory and the UI.
In my forest ("forestA") trust relationship I created a "One-Way, Out-going"
forest trust with Forest-Wide authentication so that a different forest user(s) or
group(s) with a different admin in a forest named “forestB” can access the resources in my “forestA”
But also forestB needs to create a "One-way, Incoming" forest trust so that
I can either add the user(s) or group(s) from “forestB” into to a "Global Security - Group"
in my "forestA" or I can
add user(s) as "domain user(s)" from “forestB” into my "forestA".
The problem is that when I right click the global group in my forestA and then
properties, when I click "Members" and then the "Add" button when I type
"forestB\username" I get an error message from Active Directory stating:
"the following object is not from a domain listed in the Select location
dialog box, and is therefore not valid: forestB\username".
Am I doing something wrong when creating the one-way trust in my
“forestA” or is the one-way trust being created wrong by the other domain admin in the other “forestB”?
Or could I possibly need to select "Change Domain" or "Change Domain Controller"
before adding the users or Groups to my forestA from forestB?
That is why I am asking
how do you add an Active Directory user from one forest into another forest?
Thank you
Shabeaut
Hello Denis Cooper
That is the end result.
What I was trying to do was that I was trying to
bring in the user(s) and group(s) from “forestB” into
my “forestA” Global group.
Later on I was going to add the user(s) or Global groups(s) that I brought into my dc in my forestA
into the domain local groups on my member servers in my forestA.
So since the error message is:
"the following object is not from a domain listed in the Select location dialog box, and is therefore not valid: forestB\username".
Does your response mean only Global group(s) from forestB, not domain user(s) from forestB, have to be added to domain local groups in forestA?
Or is it also possible to add Global group(s) from “forestB” to Global group(s) in my “forestA” and if so
how without getting the above error message?
Thank you
Shabeaut -
Hi, can anyone help me troubleshoot the following please:
Active Directory Security Group Discovery Agent reported warnings for 524 object(s). DDRs were generated for 0 object(s) that had warning(s) while reading non-critical properties. DDRs were not generated for 524 object(s) that had warnings while reading critical properties.
Possible cause: OU name or Security Group name may contain at least a Unicode character which has conversion problem between Unicode and your system ANSI locale (e.g. Korean characters in English System Locale). The site server might not have access to some properties of this object. The container specified might not have the properties available.
Solution: Please verify the Active Directory schema for properties that are not replicated or locked. Refer to the discovery logs for more information.
Does the error relate to 524 security groups? There are several invalid search paths listed in adsgdis.log, are these related?
Thanks,
Dale
You'll have to examine the log to determine exactly which objects it's referring to. Although this is in the context of group discovery, group discovery still creates DDRs for computer objects within those groups, so it could be either groups or computers.
This is not a search path issue though, as it's clear that the discovery process found 524 different objects, but as stated, it could not properly read critical properties of those objects and thus did not create DDRs for them.
As mentioned, reading the log in detail will list the objects individually and the reason it could not create a DDR for it.
Jason | http://blog.configmgrftw.com -
[Forum FAQ] Using PowerShell to assign permissions on Active Directory objects
As we all know, the ActiveDirectoryAccessRule class is used to represent an access control entry (ACE) in the discretionary access control list (DACL) of an Active Directory Domain Services object.
To set the permissions on Active Directory objects, the relevant class and its enumerations are listed below:
System.DirectoryServices.ActiveDirectoryAccessRule class:
http://msdn.microsoft.com/en-us/library/system.directoryservices.activedirectoryaccessrule(v=vs.110).aspx
System.DirectoryServices.ActiveDirectoryRights enumeration:
http://msdn.microsoft.com/en-us/library/system.directoryservices.activedirectoryrights(v=vs.110).aspx
System.Security.AccessControl.AccessControlType enumeration:
http://msdn.microsoft.com/en-us/library/w4ds5h86(v=vs.110).aspx
System.DirectoryServices.ActiveDirectorySecurityInheritance enumeration:
http://msdn.microsoft.com/en-us/library/system.directoryservices.activedirectorysecurityinheritance(v=vs.110).aspx
In this article, we introduce three ways to get and set the ACE on an Active Directory object. In general, we use Active Directory Service Interfaces (ADSI) or the Active Directory module cmdlets together with the Get-Acl and Set-Acl cmdlets to assign simple permissions on Active Directory objects. In addition, we can use extended rights and GUID settings to execute more complex permission settings.
Method 1: Using ADSI
1. Get current permissions of an organizational unit (OU)
We can use the PowerShell script below to get the current permissions of an organizational unit; you just need to define the distinguished name of the OU.
$Name = "OU=xxx,DC=com"
$ADObject = [ADSI]"LDAP://$Name"
$aclObject = $ADObject.psbase.ObjectSecurity
# Return every ACE (explicit and inherited) with the trustee expressed as a SID
$aclList = $aclObject.GetAccessRules($true,$true,[System.Security.Principal.SecurityIdentifier])
$output=@()
foreach($acl in $aclList) {
    $objSID = [System.Security.Principal.SecurityIdentifier]$acl.IdentityReference
    # Translate() throws for orphaned SIDs (trustee deleted); keep the raw SID in that case
    try { $ntAccount = $objSID.Translate( [System.Security.Principal.NTAccount] ) }
    catch { $ntAccount = $objSID.Value }
    $info = @{
        'ActiveDirectoryRights' = $acl.ActiveDirectoryRights;
        'InheritanceType' = $acl.InheritanceType;
        'ObjectType' = $acl.ObjectType;
        'InheritedObjectType' = $acl.InheritedObjectType;
        'ObjectFlags' = $acl.ObjectFlags;
        'AccessControlType' = $acl.AccessControlType;
        'IdentityReference' = $acl.IdentityReference;
        'NTAccount' = $ntAccount;
        'IsInherited' = $acl.IsInherited;
        'InheritanceFlags' = $acl.InheritanceFlags;
        'PropagationFlags' = $acl.PropagationFlags;
    }
    $obj = New-Object -TypeName PSObject -Property $info
    $output+=$obj
}
$output
In the figure below, you can see the results of running the script above:
Figure 1.
2. Assign a computer object with Full Control permission on an OU
We can use the script below to delegate Full Control permission to the computer objects within an OU:
Import-Module ActiveDirectory                          # needed for Get-ADComputer
$SysManObj = [ADSI]("LDAP://OU=test….,DC=com")        # get the OU object
$computer = Get-ADComputer "COMPUTERNAME"             # get the computer object that will be granted Full Control on the OU
$sid = [System.Security.Principal.SecurityIdentifier] $computer.SID
$identity = [System.Security.Principal.IdentityReference] $sid
$adRights = [System.DirectoryServices.ActiveDirectoryRights] "GenericAll"                 # Full Control
$type = [System.Security.AccessControl.AccessControlType] "Allow"
$inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "All"   # the OU and all its descendants
$ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $identity,$adRights,$type,$inheritanceType   # build the ACE
$SysManObj.psbase.ObjectSecurity.AddAccessRule($ACE)   # add the ACE to the DACL in memory
$SysManObj.psbase.CommitChanges()                      # write the DACL back to the directory
After running the script above, you can open the OU's Properties in Active Directory Users and Computers (ADUC) and see the computer object listed under the Security tab.
Method 2: Using Active Directory module with the Get-Acl and Set-Acl cmdlets
You can use the script below to get and assign Full Control permission to a computer object on an OU:
Import-Module ActiveDirectory                  # provides Get-ADComputer and the AD: drive
$acl = Get-Acl "ad:OU=xxx,DC=com"
$acl.Access                                    # list the current access rights of the OU
$computer = Get-ADComputer "COMPUTERNAME"
$sid = [System.Security.Principal.SecurityIdentifier] $computer.SID
# Create a new access control entry to allow access to the OU
$identity = [System.Security.Principal.IdentityReference] $sid
$adRights = [System.DirectoryServices.ActiveDirectoryRights] "GenericAll"
$type = [System.Security.AccessControl.AccessControlType] "Allow"
$inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "All"
$ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $identity,$adRights,$type,$inheritanceType
# Add the ACE to the ACL, then set the ACL to save the changes
$acl.AddAccessRule($ACE)
Set-Acl -AclObject $acl "ad:OU=xxx,DC=com"
Method 3: Using GUID setting
The scripts above can only help us to complete simple tasks; however, we may want to execute more complex permission settings. In this scenario, we can use GUID settings to achieve that.
The specific ACEs allow an administrator to delegate Active Directory specific rights (i.e. extended rights) or read/write access to a property set (i.e. a named collection of attributes) by setting the ObjectType field in an object-specific ACE to the rightsGuid of the extended right or property set. The delegation can also be created to target child objects of a specific class by setting the InheritedObjectType field to the schemaIDGuid of the class.
We choose to use this pattern: ActiveDirectoryAccessRule(IdentityReference, ActiveDirectoryRights, AccessControlType, Guid, ActiveDirectorySecurityInheritance, Guid)
You can use the script below to assign the group object the permission to change user passwords on all user objects within an OU.
Import-Module ActiveDirectory
$acl = Get-Acl "ad:OU=xxx,DC=com"
$group = Get-ADGroup xxx
$sid = New-Object System.Security.Principal.SecurityIdentifier $group.SID
# The following object-specific ACE grants the group permission to change user passwords on all user objects under the OU
$objectguid = New-Object Guid 00299570-246d-11d0-a768-00aa006e0529            # rightsGuid of the extended right User-Force-Change-Password ("Reset Password")
$inheritedobjectguid = New-Object Guid bf967aba-0de6-11d0-a285-00aa003049e2   # schemaIDGuid of the user class
$identity = [System.Security.Principal.IdentityReference] $sid
$adRights = [System.DirectoryServices.ActiveDirectoryRights] "ExtendedRight"
$type = [System.Security.AccessControl.AccessControlType] "Allow"
$inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "Descendents"   # child objects only, not the OU itself
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $identity,$adRights,$type,$objectguid,$inheritanceType,$inheritedobjectguid
$acl.AddAccessRule($ace)
Set-Acl -AclObject $acl "ad:OU=xxx,DC=com"
The figure below shows the result of running the script above:
Figure 2.
In addition, if you want to assign other permissions, you can change the GUID values in the script above. The common GUID values are listed below:
$guidChangePassword      = New-Object Guid ab721a53-1e2f-11d0-9819-00aa0040529b
$guidLockoutTime         = New-Object Guid 28630ebf-41d5-11d1-a9c1-0000f80367c1
$guidPwdLastSet          = New-Object Guid bf967a0a-0de6-11d0-a285-00aa003049e2
$guidComputerObject      = New-Object Guid bf967a86-0de6-11d0-a285-00aa003049e2
$guidUserObject          = New-Object Guid bf967aba-0de6-11d0-a285-00aa003049e2
$guidLinkGroupPolicy     = New-Object Guid f30e3bbe-9ff0-11d1-b603-0000f80367c1
$guidGroupPolicyOptions  = New-Object Guid f30e3bbf-9ff0-11d1-b603-0000f80367c1
$guidResetPassword       = New-Object Guid 00299570-246d-11d0-a768-00aa006e0529
$guidGroupObject         = New-Object Guid BF967A9C-0DE6-11D0-A285-00AA003049E2
$guidContactObject       = New-Object Guid 5CB41ED0-0E4C-11D0-A286-00AA003049E2
$guidOUObject            = New-Object Guid BF967AA5-0DE6-11D0-A285-00AA003049E2
$guidPrinterObject       = New-Object Guid BF967AA8-0DE6-11D0-A285-00AA003049E2
$guidWriteMembers        = New-Object Guid bf9679c0-0de6-11d0-a285-00aa003049e2
$guidNull                = New-Object Guid 00000000-0000-0000-0000-000000000000
$guidPublicInformation   = New-Object Guid e48d0154-bcf8-11d1-8702-00c04fb96050
$guidGeneralInformation  = New-Object Guid 59ba2f42-79a2-11d0-9020-00c04fc2d3cf
$guidPersonalInformation = New-Object Guid 77B5B886-944A-11d1-AEBD-0000F80367C1
$guidGroupMembership     = New-Object Guid bc0ac240-79a9-11d0-9020-00c04fc2d4cf
More information:
Add Object Specific ACEs using Active Directory Powershell
http://blogs.msdn.com/b/adpowershell/archive/2009/10/13/add-object-specific-aces-using-active-directory-powershell.aspx
Please click to vote if the post helps you. This can be beneficial to other community members reading the thread.

The ActiveDirectoryAccessRule has more than one constructor, but yes, you've interpreted the one that takes six arguments correctly.
Those GUIDs are different (check just before the first dash). Creating that ACE will create an empty GUID for InheritedObjectType, though, because you're telling it to apply to the Object only ([System.DirectoryServices.ActiveDirectorySecurityInheritance]::None).
Since the ACE will only apply to the object, there's no need to worry about what types of objects will inherit it.
If you've got time, check out this module. It will let you view the security descriptors in a much friendlier format. Try both version 3.0 and the version 4.0 preview:
Sample version 3.0:
# This is going to be kind of slow, and it will take a few seconds the first time
# you run it because it has to build the list of GUID <--> Property/Class/etc objects
Get-ADGroup GroupY |
Get-AccessControlEntry -ObjectAceType member -InheritedObjectAceType group -ActiveDirectoryRights WriteProperty
# Same as the previous command, except limit it to access granted to GroupX
Get-ADGroup GroupY |
Get-AccessControlEntry -ObjectAceType member -InheritedObjectAceType group -ActiveDirectoryRights WriteProperty -Principal GroupX
Here's version 4.0. It's way faster than 3.0, but it's missing the -ObjectAceType and -InheritedObjectAceType parameters on Get-AccessControlEntry (don't worry, when they come back they'll be better than in 3.0):
Get-ADGroup GroupY |
Get-AccessControlEntry
Get-ADGroup GroupY |
Get-AccessControlEntry -ActiveDirectoryRights WriteProperty
Get-ADGroup GroupY |
Get-AccessControlEntry -ActiveDirectoryRights WriteProperty -Principal GroupX
# You can do a Where-Object filter until the parameters are added back to Get-AccessControlEntry:
Get-ADGroup GroupY |
Get-AccessControlEntry -ActiveDirectoryRights WriteProperty |
where { $_.AccessMask -match "All Prop|member Prop" }
Get-ADGroup GroupY |
Get-AccessControlEntry -ActiveDirectoryRights WriteProperty |
where { $_.ObjectAceType -in ($null, [guid]::Empty, "bf9679c0-0de6-11d0-a285-00aa003049e2") }
Get-ADGroup GroupY |
Get-AccessControlEntry -ActiveDirectoryRights WriteProperty |
where { $_.AccessMask -match "All Prop|member Prop" -and $_.AppliesTo -match "group"}
That's just for viewing. Version 3.0 can add and remove access, or you can use New-AccessControlEntry to replace your call to New-Object, and you can still use Get-Acl and Set-Acl. The benefit to New-AccessControlEntry is that you can do something like this:
New-AccessControlEntry -Principal GroupX -ActiveDirectoryRights WriteProperty -ObjectAceType member -InheritedObjectAceType group #-AppliesTo Object
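The audit side of all three methods above, as an added example that is not part of the thread, of the article's scripts, or of the access-control module mentioned in the reply: it reads the DACL of one OU the same way Method 2 does, builds the GUID-to-name lookup from the schema (schemaIDGUID) and the Extended-Rights container (rightsGuid) that Method 3's hard-coded GUID list and the reply's "GUID <--> Property/Class" table both stand in for, and flags explicit (non-inherited) Allow ACEs that grant takeover-class rights to principals outside an allow list. Assumptions: the ActiveDirectory module (RSAT) is installed, the caller can read the schema and configuration partitions, the OU distinguished name and the list of trusted principals are placeholders to edit, and Resolve-AceGuid is a helper named here, not a module cmdlet.

```powershell
# Added example (not from the original thread): audit the ACL of one OU,
# resolve ObjectType/InheritedObjectType GUIDs to names, and flag explicit
# Allow ACEs that grant sensitive rights to principals outside an allow list.
# Assumes the ActiveDirectory module and read access to the schema and
# configuration partitions; $OU and $trusted are placeholders to adjust.
Import-Module ActiveDirectory

$OU = "OU=xxx,DC=contoso,DC=com"    # placeholder DN, same shape as the thread's "OU=xxx,DC=com"

# --- GUID -> name map from the schema (schemaIDGUID) and Extended-Rights (rightsGuid) ---
$rootDse = Get-ADRootDSE
$guidMap = @{}
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter "(schemaIDGUID=*)" `
             -Properties name, schemaIDGUID |
    ForEach-Object { $guidMap[([guid]$_.schemaIDGUID).ToString()] = $_.name }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
             -LDAPFilter "(objectClass=controlAccessRight)" -Properties name, rightsGuid |
    ForEach-Object { $guidMap[([guid]$_.rightsGuid).ToString()] = $_.name }

function Resolve-AceGuid {
    # Hypothetical helper: map an ACE GUID to the attribute, class, property set or extended right it names
    param([guid]$Guid)
    if ($Guid -eq [guid]::Empty) { return "(all)" }   # empty GUID = whole object / every class
    $key = $Guid.ToString()
    if ($guidMap.ContainsKey($key)) { return $guidMap[$key] }
    return $key                                       # unknown GUID: show it raw for manual lookup
}

# Rights that let the holder take over the OU or the objects under it
$sensitiveRights = "GenericAll", "GenericWrite", "WriteDacl", "WriteOwner", "ExtendedRight"
$netbios = (Get-ADDomain).NetBIOSName
$trusted = @("NT AUTHORITY\SYSTEM", "BUILTIN\Administrators",      # placeholder allow list
             "$netbios\Domain Admins", "$netbios\Enterprise Admins")

$acl = Get-Acl -Path "AD:$OU"
$report = foreach ($ace in $acl.Access) {
    # Get-Acl resolves identities to NTAccount names where it can; orphaned SIDs stay SIDs
    $who = $ace.IdentityReference
    if ($who -is [System.Security.Principal.SecurityIdentifier]) {
        try { $who = $who.Translate([System.Security.Principal.NTAccount]) } catch { }
    }
    $grantsSensitive = $false
    foreach ($r in $sensitiveRights) {
        if ($ace.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]$r)) {
            $grantsSensitive = $true
        }
    }
    [pscustomobject]@{
        Identity            = $who.Value
        Type                = $ace.AccessControlType
        Rights              = $ace.ActiveDirectoryRights
        ObjectType          = Resolve-AceGuid $ace.ObjectType            # e.g. User-Force-Change-Password
        InheritedObjectType = Resolve-AceGuid $ace.InheritedObjectType   # e.g. user, or (all)
        AppliesTo           = $ace.InheritanceType
        IsInherited         = $ace.IsInherited
        ReviewNeeded        = (-not $ace.IsInherited) -and
                              ($ace.AccessControlType -eq 'Allow') -and
                              ($trusted -notcontains $who.Value) -and
                              $grantsSensitive
    }
}

$report | Sort-Object ReviewNeeded -Descending | Format-Table -AutoSize
$report | Where-Object ReviewNeeded | Export-Csv -NoTypeInformation -Path ".\ou-acl-review.csv"
```

Run it as an account that can read the OU's security descriptor; it makes no changes. Explicit ACEs for built-in delegation groups such as Account Operators will show up as ReviewNeeded, which is the point: compare each flagged row against the delegation record for that OU rather than removing it on sight, and note that an ExtendedRight ACE whose ObjectType resolves to "(all)" covers every extended right, not just Reset Password.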