Cfldap and deleted objects container in Active Directory

Hello,
I am trying to use a CFLDAP query to bind and search in the
Deleted Objects container of Active Directory. This would allow me
to get the sAMAccountname values of the users who have been deleted
within the last default 60 days (searching tombstone objects in
Deleted Objects).
I have tried various methods including <cfldap
start="CN=Deleted Objects,DC=<domain>,DC=<com>" (I
am omitting the rest of the CFLDAP attributes in the example
above). I'm not sure if CFLDAP can even query the Deleted Objects
container. Has anyone had any experience with this?
Thanks,
Ben

Hi Michael,
Thanks for your help! I have however already explored those
solutions offered by Microsoft. Sadly, they only work in separate
programs (i.e. ldap.exe which comes with Windows Server tools).
After lots of research I have found a Java method that can bind
with the container and return the results. CFLDAP, I'm afraid, is
just not capable of doing this, or at least I have had no luck
with it (I was connecting as domain admin, btw).
The challenge now is to get the Java class to communicate
with the rest of my cf code.
Thanks again,
Ben
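
The question the thread leaves open, answered here as an added example (not code from the original posts) with the ActiveDirectory PowerShell module instead of CFLDAP: tombstones keep sAMAccountName, objectSid and lastKnownParent, so those can still be reported for users deleted within the look-back window. It assumes the module is installed and the account running it can read the Deleted Objects container.

```powershell
# Added example: list user objects tombstoned within the last N days and return
# their sAMAccountName. -IncludeDeletedObjects sends the same "show deleted"
# request control (OID 1.2.840.113556.1.4.417) that a raw LDAP client needs.
Import-Module ActiveDirectory

function Get-RecentlyDeletedUser {
    [CmdletBinding()]
    param(
        # Look-back window in days; the forest's tombstone lifetime caps how far
        # back a domain controller can still answer.
        [ValidateRange(1, 365)]
        [int]$Days = 60,

        # Domain controller to query; omitted means the module's default discovery.
        [string]$Server
    )

    # whenChanged is rewritten when an object is tombstoned, so it approximates
    # the deletion time.
    $cutoff = (Get-Date).AddDays(-$Days)

    $query = @{
        Filter                = { (isDeleted -eq $true) -and (objectClass -eq 'user') -and (whenChanged -ge $cutoff) }
        IncludeDeletedObjects = $true
        Properties            = 'sAMAccountName', 'objectSid', 'lastKnownParent', 'whenChanged'
    }
    if ($Server) { $query['Server'] = $Server }

    Get-ADObject @query |
        # objectClass=user also matches computer accounts, whose sAMAccountName ends in '$'
        Where-Object { $_.sAMAccountName -and -not $_.sAMAccountName.EndsWith('$') } |
        Select-Object sAMAccountName, objectSid, lastKnownParent,
                      @{ Name = 'DeletedOn'; Expression = { $_.whenChanged } } |
        Sort-Object DeletedOn -Descending
}

# The default 60-day window the poster mentions:
Get-RecentlyDeletedUser -Days 60 | Format-Table -AutoSize
```

Most other attributes (group membership, mail, description) are stripped at deletion, so anything beyond the preserved set has to come from a backup or, on forests with the Recycle Bin enabled, from the recycled object.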

Similar Messages

  • Querying deleted objects container in Active Directory using JNDI

    Hi,
    I am trying to query the deleted objects container using JNDI, which fails with error 64.
    Has anyone seen this or knows how to query AD using binary data in JNDI?
    Seems to me there is some problem with the search base.
    search base: <GUID=18E2EA80684F11D2B9AA00C04F79F805,dc=engserver,dc=com>.
    filter: objectclass=*
    search scope: subtree
    This is the error:
    Search example failed.
    javax.naming.InvalidNameException: <GUID=18E2EA80684F11D2B9AA00C04F79F805,dc=engserver,dc=com>: [LDAP: error code 64 - 00000057: LdapErr: DSID-0C090563, comment: Error processing name, data 0, v893 ]; remaining name '<GUID=18E2EA80684F11D2B9AA00C04F79F805,dc=engserver,dc=com>'
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2802)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2616)
        at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1744)
        at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1667)
        at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:368)
        at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:328)
        at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:313)
        at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:245)
        at jSearch.main(jSearch.java, Compiled Code)
    Thanks,
    Chetan

    I thought I had posted one of these. How remiss of me!

    /**
     * deleted.java
     * 5 July 2001
     * Sample JNDI application to search for deleted objects
     * Modified December 2004 to add Win2K3 lastKnownParent
     */
    import java.util.Hashtable;
    import javax.naming.*;
    import javax.naming.ldap.*;
    import javax.naming.directory.*;

    // Request control LDAP_SERVER_SHOW_DELETED_OID: without it the DC hides tombstones
    class DeletedControl implements Control {
        public byte[] getEncodedValue() {
            return new byte[] {};   // the control carries no value
        }
        public String getID() {
            return "1.2.840.113556.1.4.417";
        }
        public boolean isCritical() {
            return true;   // fail the search rather than silently omit deleted objects
        }
    }

    public class deleted {
        public static void main(String[] args) {
            Hashtable<String, String> env = new Hashtable<String, String>();
            String adminName = "CN=Administrator,CN=Users,DC=ANTIPODES,DC=COM";
            String adminPassword = "XXXXXX";
            String ldapURL = "ldap://mydc.antipodes.com:389";
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            // set security credentials, note using simple cleartext authentication
            env.put(Context.SECURITY_AUTHENTICATION, "simple");
            env.put(Context.SECURITY_PRINCIPAL, adminName);
            env.put(Context.SECURITY_CREDENTIALS, adminPassword);
            // connect to my domain controller
            env.put(Context.PROVIDER_URL, ldapURL);
            try {
                // Create the initial directory context
                LdapContext ctx = new InitialLdapContext(env, null);
                // Create the search controls
                SearchControls searchCtls = new SearchControls();
                // Specify the attributes to return
                String returnedAtts[] = {"distinguishedName", "lastKnownParent"};
                searchCtls.setReturningAttributes(returnedAtts);
                // Specify the search scope
                searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);
                // specify the LDAP search filter
                String searchFilter = "(&(objectClass=user)(isDeleted=TRUE))";
                // Specify the Base for the search
                String searchBase = "DC=antipodes,DC=com";
                // initialize counter to total the results
                int totalResults = 0;
                // specify the Deleted control
                Control[] rqstCtls = new Control[] {new DeletedControl()};
                ctx.setRequestControls(rqstCtls);
                // Search for objects using the filter
                NamingEnumeration<SearchResult> answer = ctx.search(searchBase, searchFilter, searchCtls);
                // Loop through the search results
                while (answer.hasMoreElements()) {
                    SearchResult sr = answer.next();
                    totalResults++;
                    System.out.println(totalResults + ". " + sr.getName());
                    // Print out some of the attributes, catch the exception if the attributes have no values
                    Attributes attrs = sr.getAttributes();
                    if (attrs != null) {
                        try {
                            for (NamingEnumeration<? extends Attribute> ae = attrs.getAll(); ae.hasMore();) {
                                Attribute attr = ae.next();
                                System.out.println("Attribute: " + attr.getID());
                                for (NamingEnumeration<?> e = attr.getAll(); e.hasMore();) {
                                    System.out.println("   " + e.next());
                                }
                            }
                        } catch (NullPointerException e) {
                            System.err.println("Problem listing attributes: " + e);
                        }
                    }
                }
                System.out.println("Deleted objects: " + totalResults);
                ctx.close();
            } catch (NamingException e) {
                System.err.println("Problem searching directory: " + e);
            }
        }
    }

  • Arbitration Mailbox is pointing to the Deleted Objects container

    Recently completed a migration from Exchange 2010 to 2013. We are occasionally receiving the following message. Could someone point me in the right direction? Thanks!
    Process w3wp.exe (EWS) (PID=10092). Object [CN=_mailgroup,OU=Groups,DC=localdomain,DC=local]. Property [ArbitrationMailbox] is set to value [localdomain.local/Deleted Objects/SystemMailbox{1f05a927-b82d-41fe-b690-eb9b4350207a} DEL:e43a17d1-7c97-4ae9-9bfb-17c730878662], it is pointing to the Deleted Objects container in Active Directory. This property should be fixed as soon as possible.

    Hi,
    Please run the Get-Mailbox -Arbitration cmdlet to check the result. Make sure these system mailboxes are on an existing Exchange server.
    And please check if you can find the object "CN=_mailgroup,OU=Groups,DC=localdomain,DC=local"; you can compare this object with another normal object to see if there is any difference in property settings.
    Best regards,
    If you have feedback for TechNet Subscriber Support, contact
    [email protected]
    Belinda Ma
    TechNet Community Support

  • Cannot find the object "CrossRef" in Active Directory

    I am trying to install Lync 2013. I'm getting the following error:
    Error: An error occurred: "Microsoft.Rtc.Management.Deployment.ActiveDirectoryException" "Cannot find the object "CrossRef" in Active Directory."
    WARNING: Enable-CSAdForest failed.
    This error is at "Step 3: Prepare Current Forest" of the install.

    I've tried to run the forest prep as a local domain and I get the following:
    Creating new log file "C:\Users\administrator.xxx\AppData\Local\Temp\2\Enable-CSAdForest-052cfe14-7f42-4969-88da-83279413ab8c.xml".
    Enable the Active Directory forest to host Lync Server 2013 deployments.
    Prepare Forest Active Directory settings execution failed on an unrecoverable error.
    Creating new log file "C:\Users\administrator.xxx\AppData\Local\Temp\2\Enable-CSAdForest-[2013_05_30][13_25_56].html".
    WARNING: Enable-CSAdForest failed.
    WARNING: Detailed results can be found at "C:\Users\administrator.xxx\AppData\Local\Temp\2\Enable-CSAdForest-[2013_05_30][13_25_56].html".
    Command execution failed: Container CN=Microsoft,CN=Program Data,DC=xxx,DC=local not found

  • IDOC : Message Function 003: Delete Object contains message to be deleted.

    Hi,
    I am trying to process a Customer master creation IDOC (OILDEB06) which has a Message function 003, with the description "Delete Object contains message to be deleted".
    I am testing my IDOC; when should I be using this message function?
    If you can, detail it with an example.
    It does not mark the customer for deletion, for sure. When is it recommended to use this message function?
    Thanks
    Regards

    Yes, your object was locked in another session. Please close all the remaining sessions,
    and to cross-check, in the SM12 tcode see the lock list and delete all the entries in the list.
    Now you can delete the object from the list.
    It happens sometimes for everyone when you work with multiple sessions.
    Reward points if it is useful.
    Girish

  • Best way to restore "deleted objects" container's ACLs?

    Hi,
    I have noticed, when using LDP to read the security descriptor of the "Deleted Objects" container, that LDP returns "Error: Security: No Such Attribute <16>". Should it be readable or not? At least in all other environments
    I can read it.
    And if it should be readable, then what is the best way to fix it? Take ownership, etc.? If I take ownership, then I assume some ACLs are reset, and installations like Exchange and Lync require domain preparations, right?
    Petri

    > description of "Deleted Objects" container that LDP returns to me
    > "Error: Security: No Such Attribute <16>". Should it be readable or not?
    AFAIK, deleted objects lose their ACL.
    Martin
    Read a GOOD book about GPOs for once?
    NO THEY ARE NOT EVIL, if you know what you are doing:
    Good or bad GPOs?
    And if IT bothers me: coke bottle design refreshment :))

  • Recon and provisioning of user-defined object class ICF Active Directory

    I have followed the documentation instructions for reconciliation of a user-defined object class in the ICF Active Directory connector. I am using OIM 11gR2 with the ICF Active Directory 11.1.1.5 connector patched to 11.1.1.5.0A. The procedure states to create the new object class in AD and then change the objectClass value in the Lookup.Configuration.ActiveDirectory lookup. In my case I am using the existing ObjectClass of contact, rather than a new object class. Just for completeness I am using a clone of the AD User Resource Object which I call AD User Contact and so my lookup name is Lookup.Configuration.ActiveDirCon.
    When I changed the ObjectClass from User to Contact, and ran the Active DirCon User Target Recon scheduled job, with Object Type also = contact. The first issue I noticed was that the connector wanted a different set of lookups, which is not in the documentation. It is looking for a lookup in my Configuration lookup where code key=contact Configuration Lookup (which I should have expected since there are code keys for User, Group, and organizationalUnit). I added a line to the lookup where code key=contact Configuration Lookup and the Decode=Lookup.ActiveDirCon.CM.Configuration and then I created a new lookup by that name, assigning the 5 values to be the Lookup.ActiveDirCon.UM.xxx lookups. I did not see any need to create a new set of Lookup.ActiveDirCon.CM.xxx lookups with the exact same values.
    I re-ran the scheduled job and it ran successfully, but did not generate any Recon Events, even though I had objects in the OU and I have that same OU in the Lookup.ActiveDirCon.OrganizationalUnits lookup (from the Org Lookup Recon). Everything looks good but getting no results. Looked at the log file from the ConnectorServer and it is building the query properly and executing it properly with the correct syntax, getting no errors, but the SearchAndReturnObjects method is returning zero results.
    Looking to see if anyone has successfully reconciled in user-defined or other non-User objectClass objects from Active Directory, and if so, can you provide Lookup configuration and Connector Server information so I can troubleshoot.
    I resolved this issue by changing the recon lookups to a blank lookup called Lookup.ActiveDirCon.CM.ReconAttrMap and only added in the parameters that are used by a Contact object. Only populate the ReconAttrMap with parameters that exist for the custom object.
    Edited by: Keith Smith AptecLLC on Mar 27, 2013 6:31 AM

    Oracle Support answered this question via SR

  • UnitOfWorkChangeSet and deleted objects

    I would like to use the UnitOfWorkChangeSet for auditing changes made to the objects. It seems that the UnitOfWorkChangeSet contains new objects and updated objects, but I cannot find deleted objects. The function UnitOfWorkChangeSet.getDeletedObjects always returns an empty set.
    1) How to get deleted objects?
    2) Where can I find the best information about usage of the change sets?
    3) Can I process the change set after calling the method commit or is it better do it in any SessionEvent method (if so - which method should I use?)?
    Thank you in advance for any help
    Jan Kostrhun

    Hello Jan,
    For efficiency reasons the deleted objects are only placed in the UnitOfWorkChangeSet in the case of Cache Coordination (Cache Synchronization). If your application is not configured to use Cache Coordination, the deleted objects can be found in unitOfWork.getObjectsDeletedDuringCommit(). Please note that this is an internal method in TopLink that may change in future releases.
    Accessing the UnitOfWorkChangeSet after you have called commit is fine.
    --Gordon

  • Turn "Delete Resource Account" for Active Directory into rename/move/unlink

    My Windows sysad would like me to stop deleting Active Directory users; he's tired of cleaning up from dangling SIDs, and I don't particularly blame him. Instead, he would like the process of "deleting" an AD account to be more like:
    1. disable
    2. rename from cn=user to cn=user_999, where 999 is replaced with an incrementing number (jsmith_001, jsmith_002, etc.). (Or maybe he'd be OK with jsmith_yyyymmddhhmmss...)
    3. move (probably in the same "rename" above) from ou=Employees to ou=4Delete.
    4. unlink account from user.
    We are assigning AD accounts through roles, and so the Delete Resource User (or Delete Resource Person?) task is invoked. Does anyone have a customized version of this task that differentiates between resource account types and handles the "disable/rename/move/unlink" AD account paradigm my sysad would like? -Les

    Hi,
    did you ever resolve this? If so, how did you work it out as we would like to do the same.
    Thanks.
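
The Active Directory half of the disable / rename / move retirement described above, as an added example (not code from either poster or from the identity manager in question), using the ActiveDirectory PowerShell module. The OU name and the timestamp suffix follow the thread; the final "unlink from user" step belongs to the identity manager and is not shown.

```powershell
# Added example: retire an AD user instead of deleting it, so the SID survives and
# file-server ACLs never end up with unresolvable entries. 'OU=4Delete' is the
# name the thread uses; the DC suffix below is an assumed placeholder.
Import-Module ActiveDirectory

function Invoke-ADUserRetirement {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        # Where retired accounts are parked, e.g. 'OU=4Delete,DC=example,DC=com'
        [Parameter(Mandatory)][string]$RetiredOU
    )

    $user = Get-ADUser -Identity $SamAccountName -Properties Description

    # cn=jsmith -> cn=jsmith_20130101120000. Every later step addresses the object
    # by GUID because its DN changes after the rename and again after the move.
    $newName = '{0}_{1}' -f $user.Name, (Get-Date -Format 'yyyyMMddHHmmss')
    $id = $user.ObjectGUID

    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, "disable, rename to '$newName', move to '$RetiredOU'")) {
        # 1. disable: logons stop immediately; the SID stays valid so ACLs do not dangle
        Disable-ADAccount -Identity $id
        Set-ADUser -Identity $id -Description ('Retired {0:u}; was {1}' -f (Get-Date), $user.DistinguishedName)
        # 2. rename the RDN so the original cn can be reused
        Rename-ADObject -Identity $id -NewName $newName
        # 3. move out of the live OU
        Move-ADObject -Identity $id -TargetPath $RetiredOU
    }

    Get-ADUser -Identity $id -Properties Description |
        Select-Object Name, Enabled, DistinguishedName, Description
}

# Preview first, then run again without -WhatIf
Invoke-ADUserRetirement -SamAccountName 'jsmith' -RetiredOU 'OU=4Delete,DC=example,DC=com' -WhatIf
```

Rename-ADObject changes only the RDN: sAMAccountName and userPrincipalName keep their old values, so if the login name must become free for a new hire, step 2 also needs Set-ADUser -SamAccountName / -UserPrincipalName.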

  • How open and see Log File in Active Directory

    Hello Friends.. ^-^
    How can I open the Active Directory log files and see these data files?
    Can I export these logs?
    Thanks for the help.

    And here is a definition of edbxxxxx.log for completeness:
    These are auxiliary transaction logs used to store changes if the main Edb.log file gets full before it can be flushed to Ntds.dit. The xxxxx stands for a sequential number in hex. When the Edb.log file fills up, an Edbtemp.log file is opened. The original Edb.log file is renamed to Edb00001.log, and Edbtemp.log is renamed to Edb.log, and the process starts over again. Excess log files are deleted after they have been committed. You may see more than one Edbxxxxx.log file if a busy domain controller has many updates pending.
    Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable. This helps the community, keeps the forums tidy, and recognises useful contributions. Thank you!

  • How can I capture delete user event in Active Directory 2008 using Powershell command

    Hi,
    In my Active Directory every user has their own home drive on the file server. When I delete a user I also need to delete the folder from the server.
    My target is to make the process automated, so that when I delete a user account from AD, the folder associated with the user is also deleted.
    Can I write a PowerShell script to grep the delete event and remove the folder from the file server?
    Thanks
    Tamim Khan

    You can set up Event Viewer to provide alerts (email alerts) for event ID 630.
    Find an existing Event ID 630 entry, right click on it and "Attach Task To This Event...."
    Follow the wizard.
    ** Event ID Sample **
    Event ID: 630
    Type: Success Audit
    Description: User Account Deleted:
    Target Account Name: %1 Target Domain: %2
    Target Account ID: %3 Caller User Name: %4
    Caller Domain: %5 Caller Logon ID: %6
    Privileges: %7
    - Chris Ream -
    **Remember, if you find a post that is helpful, or is the answer, please mark it appropriately.**
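
The task the answer above attaches to the event still has to turn the audit record into a folder path safely. The following is an added example (not code from either poster): it parses a user-deletion event and derives the home folder, refusing any account name that could resolve to a path outside the home root. The event XML is constructed; on a real server it would come from (Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4726} -MaxEvents 1).ToXml(). Event ID 630 is the pre-2008 number; Windows Server 2008 logs the same deletion as 4726, so both are accepted. The share name is an assumption.

```powershell
# Added example: deletion audit event -> home folder to remove, with a path guard.
function Get-DeletedUserFromEvent {
    param([Parameter(Mandatory)][xml]$EventXml)

    $ns = New-Object System.Xml.XmlNamespaceManager($EventXml.NameTable)
    $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')

    # EventData is a list of named values; TargetUserName is the deleted account
    $data = @{}
    foreach ($d in $EventXml.SelectNodes('/e:Event/e:EventData/e:Data', $ns)) {
        $data[$d.GetAttribute('Name')] = $d.InnerText
    }

    [pscustomobject]@{
        EventId = [int]$EventXml.SelectSingleNode('/e:Event/e:System/e:EventID', $ns).InnerText
        Target  = $data['TargetUserName']
        Domain  = $data['TargetDomainName']
        Caller  = $data['SubjectUserName']
    }
}

function Get-HomeFolderToRemove {
    param(
        [Parameter(Mandatory)]$Deletion,
        [Parameter(Mandatory)][string]$HomeRoot
    )
    if (@(630, 4726) -notcontains $Deletion.EventId) {
        throw "Not a user-deletion event: $($Deletion.EventId)"
    }
    $name = $Deletion.Target
    # Separators, traversal names and machine accounts (trailing '$') never map to a home folder
    if (-not $name -or $name -match '[\\/:*?"<>|]' -or $name -eq '.' -or $name -eq '..' -or $name.EndsWith('$')) {
        throw "Refusing to derive a path from account name '$name'"
    }
    $root = [System.IO.Path]::GetFullPath($HomeRoot).TrimEnd('\') + '\'
    $full = [System.IO.Path]::GetFullPath((Join-Path $HomeRoot $name))
    # The resolved path must sit directly under the home root, nowhere else
    if (-not $full.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase) -or
        $full.Substring($root.Length).Contains('\')) {
        throw "Resolved path '$full' is outside '$HomeRoot'"
    }
    $full
}

# Constructed sample event; the field names follow the Security log's 4726 schema
$sampleEvent = [xml]@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" />
    <EventID>4726</EventID>
  </System>
  <EventData>
    <Data Name="TargetUserName">jsmith</Data>
    <Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="TargetSid">S-1-5-21-1111111111-2222222222-3333333333-1105</Data>
    <Data Name="SubjectUserName">helpdesk1</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
  </EventData>
</Event>
'@

$deleted = Get-DeletedUserFromEvent -EventXml $sampleEvent
$folder  = Get-HomeFolderToRemove -Deletion $deleted -HomeRoot '\\fileserver\home'
Write-Host "Event $($deleted.EventId): $($deleted.Domain)\$($deleted.Target) deleted by $($deleted.Caller); home folder $folder"
# Remove-Item -LiteralPath $folder -Recurse -WhatIf   # drop -WhatIf only after reviewing the output
```

Keeping the Caller field in the log line gives the file-server side an audit trail of who triggered the removal, which the event's own description (fields %4 to %6 above) already carries.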

  • Creation of a second Exchange 2013 server on a different site (with the roles of MBX and CAS) fails on prepare active directory and prepare schema.

    Hello everyone
    I have a network infrastructure consisting of 3 sites, site A, site B, and site C. I have 2 domain controllers on every site, and the AD roles are on the primary domain controller on site A. On site A I have an Exchange 2013 SP1 CU6.
    I want to create a second Exchange on site B, with the roles of mailbox (the Exchange on site A will be the first DAG member and the Exchange on site B will be the second member of the DAG) and CAS.
    First question: Is my thought correct about installing the mailbox and CAS roles on the same server?
    Second question: How many DAG witnesses do I need for the DAG? One per site, or one in general (for example located on site A)?
    Third question: When I am trying to perform "Setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms" I receive the error
    "Setup encountered a problem while validating the state of Active Directory:
    The Active Directory schema version (15303) is higher than Setup's version (15292). Therefore, PrepareSchema can't be executed. See the Exchange setup log for more information on this error. For more information, visit:
    http://technet.microsoft.com/library(EXCHG.150)/ms.exch.setupreadiness.AdInitErrorRule.aspx"
    I tried to run the PrepareSchema from the ISO of Exchange 2013 SP1 and from the extracted content of the Exchange 2013 SP1 CU6 archive, but still receive the same error. Any ideas?
    Thanks in advance.

    Thank you for your answer,
    I have tried to run "Setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms" from the
    Exchange 2013 CU6 media, but I still receive the error:
    The Active Directory schema version (15303) is higher than Setup's version (15292). Therefore, PrepareSchema
    can't be executed. See the Exchange setup log for more information on this error. For more information, visit: http://technet.microsoft.com/library(EXCHG.150)/ms.exch.setupreadiness.AdInitErrorRule.aspx
    any ideas?

  • Getting list of all users and their group memberships from Active Directory

    Hi,
    I want to retrieve a list of all the users and their group memberships through JNDI from Active Directory. I am using the following code to achieve this:
    ==================
    import javax.naming.*;
    import java.util.Hashtable;
    import javax.naming.directory.*;

    public class GetUsersGroups {
        public static void main(String[] args) {
            String[] attributeNames = {"memberOf"};
            // create an initial directory context
            Hashtable<String, String> env = new Hashtable<String, String>();
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, "ldap://172.19.1.32:389/");
            env.put(Context.SECURITY_AUTHENTICATION, "simple");
            env.put(Context.SECURITY_PRINCIPAL, "[email protected]");
            env.put(Context.SECURITY_CREDENTIALS, "p8admin");
            try {
                // Create the initial directory context
                DirContext ctx = new InitialDirContext(env);
                // get all the users list and their group memberships
                NamingEnumeration<NameClassPair> contentsEnum = ctx.list("CN=Users,DC=filenetp8,DC=com");
                while (contentsEnum.hasMore()) {
                    NameClassPair ncp = contentsEnum.next();
                    String userName = ncp.getName();   // relative to the listed container, not a full DN
                    System.out.println("User: " + userName);
                    try {
                        System.out.println("am here....1");
                        Attributes attrs = ctx.getAttributes(userName, attributeNames); // only asked for one attribute so only one should be returned
                        System.out.println("am here....2");
                        Attribute groupsAttribute = attrs.get(attributeNames[0]); // memberOf
                        if (groupsAttribute != null) {   // users in no groups have no memberOf at all
                            System.out.println("-----" + groupsAttribute.size());
                            // memberOf is a multi valued attribute
                            for (int i = 0; i < groupsAttribute.size(); i++) {
                                // print out each group that user belongs to
                                System.out.println("MemberOf: " + groupsAttribute.get(i));
                            }
                        }
                    } catch (NamingException ne) {
                        // ignore for now
                        System.err.println("Problem encountered....0000:" + ne);
                    }
                }
                // get all the groups list
            } catch (NamingException e) {
                System.err.println("Problem encountered 1111:" + e);
            }
        }
    }
    =================
    The following exception gets thrown at every user entry:
    User: CN=Administrator
    am here....1
    Problem encountered....0000:javax.naming.NamingException: [LDAP: error code 1 -
    000020D6: SvcErr: DSID-03100690, problem 5012 (DIR_ERROR), data 0
    ]; remaining name 'CN=Administrator'
    I think it gets thrown at this line in the code:
    Attributes attrs = ctx.getAttributes(userName, attributeNames);
    Any idea how to overcome this and where am I wrong?
    Thanks in advance,
    Regards.

    In this sentence:
    Attributes attrs = ctx.getAttributes(userName, attributeNames); // only asked for one attribute so only one should
    It seems Ok when I add "CN=Users,DC=filenetp8,DC=com" after userName, just as
    userName + ",CN=Users,DC=filenetp8,DC=com"
    But I still have some problem with it.
    Hope it will be useful for you.

  • How to identify and delete objects after failure of registering XML schema

    Hi,
    I have tried to register an XML schema with many global elements but failed.
    I have checked the view DBA_XML_SCHEMA and found that there is an entry for this failed XML schema, and the disk space was not freed after the failure of registration either.
    I have tried DBMS_XMLSCHEMA.deleteSchema() with DELETE_CASCADE_FORCE but failed with ORA-31000: Resource is not XDB document.
    How can I identify and delete the objects for this failed XML schema and free up the disk space ?
    I would not prefer to use 'DROP USER ... CASCADE' since there are other objects owned by this user.
    Thanks in advance.

    You can get them from user_objects.
    But you have to identify them manually if your schema has other objects than those created by the XML schema creation process.
    Note these objects will be case sensitive, so you should enclose them in double quotes during deletion.

  • Business Objects XI R2 Active Directory

    Currently we are implementing AD single server sign on but have an issue in that the Active Directory "Please enter your Active Directory credentials" will not update with the Active Directory user.
    It appears that the BO XI is not even communicating with the Active Directory server. Has anyone else struck this problem?

    There is a fairly detailed section in the Admin guide for setting up AD (p250).
    Make sure you have set up the IIS server as detailed in that section
    Thanks
    Kevin
