Excluding some computers from Active Directory System Discovery

Hi,
I am trying to exclude some computers from Active Directory System Discovery. I created a new Organizational Unit for those excluded computers and that OU is NOT under the OU that I am discovering in the OU hierarchy. I specified the location to be discovered under the Active Directory System Discovery properties. However, it is still discovering the computers that I wanna exclude from the discovery. I deleted those computers from the console manually and ran the discovery again, and it still discovers them.
What might I be doing wrong?
Thanks
Yavuz Selim Atmaca

Hi,
If you check under properties on the object, you can see which discovery agent is discovering the resource; it could be the Group Discovery as well. That is where I would start to troubleshoot it.
Regards,
Jörgen
-- My System Center blog ccmexec.com -- Twitter
@ccmexec

Similar Messages

  • Exclude servers from Active Directory System Discovery

    We would like to exclude all servers from being discovered by Active Directory System Discovery. Is there any way to achieve this, i.e. with a custom LDAP query? Or does SCCM always detect all systems in the configured OUs? (Moving all servers to a separate OU is not an option.)

    Well, good question ;) ... We don't use SCCM on servers, and the basic reason was excluding them from statistics. Of course we want to prevent accidental client installation, but that can be done in other ways (like mentioned by Eswar).
    Still, we always get tons of "computers without client", low success rates etc. Of course all that can be adjusted, excluding servers from "All Systems" etc., but excluding the servers directly from discovery would be the easiest way. If it can't be done,
    it can't be done, and we will be able to live with that. I just wanted to know IF it can be done.

    Well, if that is the issue with reporting, then you may have to edit the report to avoid displaying servers in reports, so you will be on the right track with the results.
    Or, while creating collections to exclude a certain number of computers or maybe more, create an AD sec group and add all the computers to it. Create a collection to exclude computers which are members of this AD group to avoid accidental installation...
    Eswar Koneti | Configmgr blog:
    www.eskonr.com | Linkedin: Eswar Koneti

  • After Active Directory System Discovery, some computers have Operating_System_Name_and0 as only the version number

    Good morning,
    We've been experiencing some odd behavior with discovery.  After Active Directory System Discovery, some computers have Operating_System_Name_and0 as only the version number; for example, " 6.1" (note the space before the 6) vs.
    "Microsoft Windows NT Workstation 6.1" (although, not limited to Windows 7 workstations).
    Here are two seemingly identical machine records in Active Directory WCBWIN7VDI10 and WCBWIN7VDI11.
    After discovery
    select Name0, Operating_System_Name_and0 from v_r_system where Name0 LIKE 'WCBWIN7VDI1[0,1]'
    yields
    Name0 Operating_System_Name_and0
    WCBWIN7VDI10  6.1
    WCBWIN7VDI11 Microsoft Windows NT Workstation 6.1
    For discovery on a new domain yesterday we have the following distribution:
    select count (*) as [count], convert (nvarchar, Creation_Date0, 110) as [creation date], Operating_System_Name_and0
    from v_r_system where Full_Domain_Name0 like 'aaa.bbb.ccc'
    group by Operating_System_Name_and0, convert (nvarchar, Creation_Date0, 110)
    order by Operating_System_Name_and0
    count | creation date | Operating_System_Name_and0
    274 | 12-01-2014 |
    3 | 12-01-2014 |  5.0
    23 | 12-01-2014 |  5.1
    124 | 12-01-2014 |  5.2
    20 | 12-01-2014 |  6.0
    5109 | 12-01-2014 |  6.1
    6 | 12-01-2014 |  6.2
    4 | 12-01-2014 |  6.3
    1 | 12-01-2014 | CentOS 6.0
    13 | 12-01-2014 | Microsoft   Windows NT Server
    54 | 12-01-2014 | Microsoft   Windows NT Server 5.2
    9 | 12-01-2014 | Microsoft   Windows NT Server 6.0
    120 | 12-01-2014 | Microsoft   Windows NT Server 6.1
    2 | 12-01-2014 | Microsoft   Windows NT Server 6.2
    7 | 12-01-2014 | Microsoft   Windows NT Server 6.3
    6 | 12-01-2014 | Microsoft   Windows NT Workstation 5.1
    3501 | 12-01-2014 | Microsoft   Windows NT Workstation 6.1
    1 | 12-02-2014 | Microsoft   Windows NT Workstation 6.1
    5 | 12-01-2014 | Microsoft   Windows NT Workstation 6.2
    1 | 12-01-2014 | Microsoft   Windows NT Workstation 6.3
    2 | 12-01-2014 | SLES 11
    6 | 12-01-2014 | Windows   Embedded Standard 6.1
    Anybody know why this occurs?  We typically build our server vs. workstation collections with this.
    Thanks,
    Terence Durning

    Hi Terence,
    What is the value in Active Directory for the computer account?
    Do you have the same behavior if you run this query? 
    SELECT DISTINCT Operating_System_Name_and0 FROM v_R_System ORDER BY 1
    You are talking about a space before 6.1. Do I see also a space for all Microsoft Windows like "Microsoft   Windows NT Workstation 6.3" ? 
    Nick Pilon - Blog: System Center Dudes

  • Error in Active Directory System Discovery (0x80005010)

    Hi,
    I've configured Active Directory System Discovery in a SCCM 2007 R2 SP2 configuration. I see several SCCM clients being populated with OU information, but others do not. I've taken a look in the adsysdis.log. There it states for a very large number of computer accounts:
    INFO: discovered object with ADsPath = 'LDAP://<domain controller>/<DN computerobject>'
    WARN: Could not get property (domain) for system (0x80005010)
    Afterwards there is no entry that states a ddr is written for this computer object and the SCCM client object is not populated with information.
    Can someone explain what exactly is the issue, and how to solve it?

    I got exactly the same issue - SCCM 2007 SP2, two primary sites (one central). AD structure got one forest and two domains.
    Has anyone solved this issue?
    adsysdis.log :
    Starting the data discovery. SMS_AD_SYSTEM_DISCOVERY_AGENT 19.11.2009 17:11:15 5360 (0x14F0)
    INFO: Processing search path: 'LDAP://CN=COMPUTERS,DC=MY,DC=DOMAIN'. SMS_AD_SYSTEM_DISCOVERY_AGENT 19.11.2009 17:11:15 5360 (0x14F0)
    INFO: Full synchronization requested SMS_AD_SYSTEM_DISCOVERY_AGENT 19.11.2009 17:11:15 5360 (0x14F0)
    INFO: DC DNS name = 'dc01.my.domain' SMS_AD_SYSTEM_DISCOVERY_AGENT 19.11.2009 17:11:15 5360 (0x14F0)
    INFO: search filter = '(&(objectClass=user)(objectCategory=computer))' SMS_AD_SYSTEM_DISCOVERY_AGENT 19.11.2009 17:11:15 5360 (0x14F0)
    INFO: ads path = 'LDAP://dc01.my.domain/CN=COMPUTERS,DC=MY,DC=DOMAIN' SMS_AD_SYSTEM_DISCOVERY_AGENT 19.11.2009 17:11:15 5360 (0x14F0)
    INFO: Bound to 'LDAP://dc01.my.domain/CN=COMPUTERS,DC=MY,DC=DOMAIN' SMS_AD_SYSTEM_DISCOVERY_AGENT 19.11.2009 17:11:15 5360 (0x14F0)
    INFO: discovered object with ADsPath = 'LDAP://dc01.my.domain/CN=TEST1,CN=Computers,DC=MY,DC=DOMAIN' SMS_AD_SYSTEM_DISCOVERY_AGENT 19.11.2009 17:11:15 5360 (0x14F0)
    WARN: Could not get property (domain) for system (0x80005010) SMS_AD_SYSTEM_DISCOVERY_AGENT 19.11.2009 17:11:15 5360 (0x14F0)
    INFO: discovered object with ADsPath = 'LDAP://dc01.my.domain/CN=COMP2,CN=Computers,DC=MY,DC=DOMAIN' SMS_AD_SYSTEM_DISCOVERY_AGENT 19.11.2009 17:11:15 5360 (0x14F0)
    WARN: Could not get property (domain) for system (0x80005010) SMS_AD_SYSTEM_DISCOVERY_AGENT 19.11.2009 17:11:15 5360 (0x14F0)
    INFO: discovered object with ADsPath = 'LDAP://dc01.my.domain/CN=SRV2,CN=Computers,DC=MY,DC=DOMAIN' SMS_AD_SYSTEM_DISCOVERY_AGENT 19.11.2009 17:11:15 5360 (0x14F0)
    WARN: Could not get property (domain) for system (0x80005010) SMS_AD_SYSTEM_DISCOVERY_AGENT 19.11.2009 17:11:15 5360 (0x14F0)
    INFO: discovered object with ADsPath = 'LDAP://dc01.my.domain/CN=SRV3,CN=Computers,DC=MY,DC=DOMAIN' SMS_AD_SYSTEM_DISCOVERY_AGENT 19.11.2009 17:11:15 5360 (0x14F0)
    WARN: Could not get property (operatingSystem) for system (0x80005010) SMS_AD_SYSTEM_DISCOVERY_AGENT 19.11.2009 17:11:15 5360 (0x14F0)
    WARN: Could not get property (operatingSystemVersion) for system (0x80005010) SMS_AD_SYSTEM_DISCOVERY_AGENT 19.11.2009 17:11:15 5360 (0x14F0)
    WARN: Could not get property (domain) for system (0x80005010) SMS_AD_SYSTEM_DISCOVERY_AGENT 19.11.2009 17:11:15 5360 (0x14F0)
    WARN: Could not get property (dNSHostName) for system (0x80005010) SMS_AD_SYSTEM_DISCOVERY_AGENT 19.11.2009 17:11:15 5360 (0x14F0)
    ERROR: System SRV3 is a unsupported operating system, unsupported version, or malformed AD entry. Reported system type is:  (). SMS_AD_SYSTEM_DISCOVERY_AGENT 19.11.2009 17:11:15 5360 (0x14F0)
    WARN: CADSource::ProcessSystemInfo: Failed to get IP Address for the system. SMS_AD_SYSTEM_DISCOVERY_AGENT 19.11.2009 17:11:15 5360 (0x14F0)

  • Doing Active Directory System Discovery security roles

    Hi Experts
    I am assigning users who have specific roles in SCCM2012 (Reporting, application management etc) , they are not assigned with permissions which is the same as Full Administrator or Operation Manager. 
    The team would like to run Active Directory System Discovery on the Primary Site server to detect the computer objects found in the AD once they have joined the new computers to the domain, they are unable to perform RUN on the Active Directory System Discovery
    as the option is not available to them. Possible to advise, which additional security roles should I assign to them so that the RUN command can appear?? They are unable to do this with the current permission as listed below, RUN is not listed when they right
    click on Active Directory System Discovery, unlike the Full Administrator:
    Application Administrator
    Application Author
    Application Deployment Manager
    Operating System Deployment Manager
    Read-only Analyst
    Remote Tools Operator
    Software Update Manager

    Hi,
    You could create a Custom role and modify the rights.
    Administration workspace >Security >Security Roles >Select a Built-in role >Click Copy on the ribbon.
    Otherwise, Role-based Administration Modeling and Auditing Tool helps administrators to model and audit RBA configurations.
    http://www.microsoft.com/en-us/download/details.aspx?id=36213

  • SCCM 2012R2 Active Directory System Discovery

    I just set up SCCM and was kind of going back and forth on how I wanted to run the computer discovery portion. I deleted some computers from the devices section and now I want them back, but when I run a rescan they are not populating. I didn't push the client or anything, just ran the system discovery. How do I get those machines back? Thanks.

    Correct, the AD System Discovery needs to be able to resolve the computer name to an ip address. See also:
    http://technet.microsoft.com/en-us/library/gg712308.aspx#BKMK_ADSystemDisc
    My Blog: http://www.petervanderwoude.nl/
    Follow me on twitter: pvanderwoude

  • SCCM 2012 Active Directory System Discovery - How does it find systems?

    I have setup System Discovery for the forest and have not limited the view of the forest in any way.  Also I have it to setup to discover everything, no limits on the number of days since last check-in. But I have some objects that haven't checked
    into the domain in years that are enabled (yes i want to delete them) and others are disabled that don't show up.  If there is a discovered object that I disable in AD, I run a full discovery and it still found.
    My question is for this discovery, what criteria does SCCM look for?  I assume that it authenticates to the domain with the supplied user account and reads Active Directory and pulls objects.  From there, does it pull Disabled objects or leave
    them be?  If a client hasn't checked in in over 90 (or any number) days, does it discard that automatically? I'm just trying to understand the discovery process.
    Jason Apt, Microsoft Certified Master | Exchange 2010
    My Blog

    It should look for objects that are in AD and also in DNS. When you use the 90 days rules, those objects will not be deleted from the ConfigMgr database (that's a site maintenance rule), the discovery process will just not discover the object.
    Kent Agerlund | My blogs: blog.coretech.dk/kea and
    SCUG.dk/ | Twitter:
    @Agerlund | Linkedin: Kent Agerlund

  • Active Directory System Discovery - extensionAttribute1

    Hello,
    My apologies if this should be in the SQL forum but wanted to start here in case someone was familiar with what I'm seeing.
    At this time I have system discovery polling on extensionattribute1 which works fine. When I go into SQL the v_R_System view lists extensionAttribute10 with the data from 1. I looked at the same computer object in question in powershell and see the 10 has
    no data and 1 truly has the data, so it looks like SQL is showing 10 when it should be 1? It's not really breaking anything, just something I noticed. Has anyone ever come across this or perhaps know of a better place I should pull data from AD other than
    v_R_System that might not show this conflict?
    Joshua

    Are you saying in SQL it's v_R_System.extensionAttribute10? That seems logical. That "0" is appended to the end of almost all columns in the SQL views for CM inventory. I can't explain why but that's just how it is. If you added extensionAttribute10 it would probably show up as extensionAttribute100
    John Marcum | Microsoft MVP - Enterprise Client Management
    My blog: System Center Admin | Twitter:
    @SCCM_Marcum | Linkedin:
    John Marcum

  • Active Directory System Discovery Properties Error

    Hi,
    I'm getting a strange error within SCCM 2012 System Discovery Properties. The error occurs every time I open the properties for the discover method. I can close it OK, and Systems still seem to be getting discovered. It appears even when the discovery properties
    is completely empty.
    Does anyone know what could be the problem? The error message is below. Thanks in advance
    System.DirectoryServices.ActiveDirectory.ActiveDirectoryObjectNotFoundException
    The Specified directory object cannot be found.
    Stack Trace:
    at System.DirectoryServices.ActiveDirectory.ActiveDirectorySchemaProperty.GetPropertiesFromSchemaContainer(DirectoryContext context, DirectoryEntry schemaEntry, String name, Boolean isDefunctOnServer)
    at System.DirectoryServices.ActiveDirectory.ActiveDirectorySchemaProperty.InitializePropertiesFromSchemaContainer()
    at System.DirectoryServices.ActiveDirectory.ActiveDirectorySchemaProperty.GetValueFromCache(String propertyName, Boolean mustExist)
    at System.DirectoryServices.ActiveDirectory.ActiveDirectorySchemaProperty.get_Syntax()
    at Microsoft.ConfigurationManagement.AdminConsole.ActiveDirectory.AttibutesPageControl.IsAttributeAvailabe(ActiveDirectorySchemaProperty schemaProperty)
    at Microsoft.ConfigurationManagement.AdminConsole.ActiveDirectory.AttibutesPageControl.AddAvailableAttributes(ActiveDirectorySchemaPropertyCollection properties)
    at Microsoft.ConfigurationManagement.AdminConsole.ActiveDirectory.AttibutesPageControl.worker_DoWork(Object sender, DoWorkEventArgs e)
    at System.ComponentModel.BackgroundWorker.OnDoWork(DoWorkEventArgs e)
    at System.ComponentModel.BackgroundWorker.WorkerThreadStart(Object argument)

    Hi Mike,
    Not exactly, however when the console is logged into as a user who is a domain admin - the error doesn't appear. To make things more complex - the way AD is set up here is quite/very messed up and domain admins is actually nested in schema admins (yep..you read that correctly). This nesting is due to be removed, but until then I can only assume the following:
    Not being a schema admin or domain admin restricts the attributes that you are able to read in the SCCM console system and user discovery properties. I know it shouldn't be like this. It's also interesting that when you open these discovery properties - it appears it must read based on the user operating the console, rather than the site server, which I assumed it would be read based on the rights that has.
    Why this is happening, I don't know yet. It's been parked because it isn't actually having a detrimental effect that I can see. I know this probably doesn't help you much, but maybe it will point you in a direction to start looking in..

  • Active Directory System Discovery not discover 'correctly'

    Hi,
    I am having a very strange problem with some devices in my environment.
    The operating system of these is discovered as 'Windows 7 Entreprise 6.1' which causes a lot of my queries to fail.
    Normal from my point of view would be 'Microsoft Windows NT Workstation 6.1' (which is correct at 90% of devices in the same OU)
    Where is the difference to others?
    I already deleted those devices fully from SCCM and I checked the AD for 'Operating System' attribute (which is the same for both types of devices).

    I checked my console and I see all the entries for operating system start with ' Microsoft windows NT'. The value that you are referring to in the screen is a custom attribute called 'operatingSystem', and that value cannot be seen in the console, and it is not added to the discovery method by default. Maybe you can try deleting the computer object from SCCM and let the discovery happen again.
    Eswar Koneti | Configmgr Blog: www.eskonr.com | Linkedin: Eswar Koneti
    | Twitter: eskonr

  • SCCM Active Directory System Discovery

    Hi,
    We have enabled most of the Discovery Methods in SCCM 2012 R2 - and now we are looking at cleaning the clients that are set as inactive for a set of amount of time not sure yet how long (recommendations would be great).
    If I enable "Only discover computers that logged on to a domain in a given period of time" will this remove any inactive clients (Workstations) from the device collections if they have not logged on to the domain for 90 days?
    Thanks Tom

    Hi,
    Also, I recommend you create a collection to query all computers without a CM client installed. The Rotten Objects that still exist in AD will automatically be detected by the collection.

  • Active Directory System Group discovery has been removed

    Hello,
    I noticed that in SCCM 2012 Active Directory System Group discovery has been removed. Which discovery provides the information previously collected through this discovery?
    Thanks,
    Dom
    System Center Operations Manager 2007 / System Center Configuration Manager 2007 R2 / Forefront Client Security / Forefront Identity Manager

    Hi,
    Yes Active Directory System Group Discovery has been removed (not Active Directory System Discovery)
    It is written in http://technet.microsoft.com/en-us/library/gg712308.aspx#BKMK_DiscoveryMethods
    What's new in SCCM 2012
    and confirmed in
    http://blogs.technet.com/b/elie/archive/2012/05/10/system-center-2012-configuration-manager-part2-discovery-methods.aspx
    Thanks,
    DOm
    System Center Operations Manager 2007 / System Center Configuration Manager 2007 R2 / Forefront Client Security / Forefront Identity Manager

  • Creating custom fields for manual entry and fields that gather data from Active Directory

    So I am no SQL developer but I am being asked to do this.. I've spent the last few days researching but cannot find anything related to my particular situation.
    I have made a copy of the following report to add or modify a few columns:
     Hardware 01A - Summary of computers in a specific collection
    So I have 2 questions:
    How do I create a field that will search the "Managed By" tab in the Computer Properties window in Active Directory.
    How do I create a field that can be manually updated for example: "Date Deployed" or "Deployed By: Analyst"
    I understand I need to edit this in SQL report builder and think I know how to create the columns. I believe all I am really asking is.. What are the SQL statements I need to write in order to get this to work?
    I'm sure it's not as cut and dry as I hope it to be so I will be standing by to try to answer any further information that you will want to know.
    thanks!

    Before you can accomplish this you need:
    "Managed by" -attribute has to be added to your Active Directory System Discovery, more on this here: http://technet.microsoft.com/en-us/library/bb693618.aspx
    For "Date Deployed", I'd use a custom Tattoo script in your task sequence to "Tattoo" the installation info in the registry, after that I'd configure the Hardware Inventory to pick that from the registry, more on this here: http://ccmexec.com/2012/08/script-to-tattoo-the-client-registry-during-osd/
    and here: http://www.petervanderwoude.nl/post/reporting-about-the-all-the-different-os-deployment-versions-with-configmgr-2012/
    After those prerequisites, you can start working with SQL reports. More info here: http://myitforum.com/myitforumwp/2012/10/29/sccm-2012-reporting-for-dummies-creating-your-own-ssrs-reports/

  • How do I get info from Active Directory and use it in my web-applications?

    I borrowed a nice piece of code for JNDI hits against Active Directory from this website: http://www.sbfsbo.com/mike/JndiTutorial/
    I have altered it and am trying to use it to retrieve info from our Active Directory Server.
    I altered it to point to my domain, and I want to retrieve a person's full name(CN), e-mail address and their work location.
    I've looked at lots of examples, I've tried lots of things, but I'm really missing something. I'm new to Java, new to JNDI, new to LDAP, new to AD and new to Tomcat. Any help would be so appreciated.
    Thanks,
    To show you the code, and the error message, I've changed the actual names I used for connection.
    What am I not coding right? I get an error message like this:
    javax.naming.NameNotFoundException[LDAP error code 32 - 0000208D: nameErr DSID:03101c9 problem 2001 (no Object), data 0,best match of DC=mycomp, DC=isd, remaining name dc=mycomp, dc=isd
    [code]
    import java.util.Hashtable;
    import java.util.Enumeration;
    import javax.naming.*;
    import javax.naming.directory.*;

    public class JNDISearch2 {
        // initial context implementation
        public static String INITCTX = "com.sun.jndi.ldap.LdapCtxFactory";
        public static String MY_HOST = "ldap://99.999.9.9:389/dc=mycomp,dc=isd";
        public static String MGR_DN = "CN=connectionID,OU=CO,dc=mycomp,dc=isd";
        public static String MGR_PW = "connectionPassword";
        public static String MY_SEARCHBASE = "dc=mycomp,dc=isd";
        public static String MY_FILTER =
            "(&(objectClass=user)(sAMAccountName=usersignonname))";
        // Specify which attributes we are looking for
        public static String MY_ATTRS[] =
            { "cn", "telephoneNumber", "postalAddress", "mail" };

        public static void main(String args[]) {
            try {
                // Binding
                // Hashtable for environmental information
                Hashtable env = new Hashtable();
                // Specify which class to use for our JNDI Provider
                env.put(Context.INITIAL_CONTEXT_FACTORY, INITCTX);
                // Specify the host and port to use for directory service
                env.put(Context.PROVIDER_URL, MY_HOST);
                // Security Information
                env.put(Context.SECURITY_AUTHENTICATION, "simple");
                env.put(Context.SECURITY_PRINCIPAL, MGR_DN);
                env.put(Context.SECURITY_CREDENTIALS, MGR_PW);
                // Get a reference to a directory context
                DirContext ctx = new InitialDirContext(env);
                // Begin search
                // Specify the scope of the search
                SearchControls constraints = new SearchControls();
                constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
                // Perform the actual search
                // We give it a searchbase, a filter and the constraints
                // containing the scope of the search
                NamingEnumeration results = ctx.search(MY_SEARCHBASE, MY_FILTER, constraints);
                // Now step through the search results
                while (results != null && results.hasMore()) {
                    SearchResult sr = (SearchResult) results.next();
                    String dn = sr.getName() + ", " + MY_SEARCHBASE;
                    System.out.println("Distinguished Name is " + dn);
                    // Code for displaying attribute list
                    Attributes ar = ctx.getAttributes(dn, MY_ATTRS);
                    if (ar == null) {
                        // Has no attributes
                        System.out.println("Entry " + dn);
                        System.out.println(" has none of the specified attributes\n");
                    } else {
                        // Has some attributes
                        // Determine the attributes in this record.
                        for (int i = 0; i < MY_ATTRS.length; i++) {
                            Attribute attr = ar.get(MY_ATTRS[i]);
                            if (attr != null) {
                                System.out.println(MY_ATTRS[i] + ":");
                                // Gather all values for the specified attribute.
                                for (Enumeration vals = attr.getAll(); vals.hasMoreElements();) {
                                    System.out.println("\t" + vals.nextElement());
                                }
                                // System.out.println ("\n");
                            }
                        }
                    }
                }
                // End search
            } // end try
            catch (Exception e) {
                e.printStackTrace();
                System.exit(1);
            }
        }
    }
    [/code]
    My JNDIRealm in Tomcat which actually does the initial authentication looks like this: (again, for security purposes, I've changed the access names and passwords, etc.)
    <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
           connectionURL="ldap://99.999.9.9:389"
           connectionName="CN=connectionId,OU=CO,dc=mycomp,dc=isd"
           connectionPassword="connectionPassword"
           referrals="follow"
           userBase="dc=mycomp,dc=isd"
           userSearch="(&amp;(sAMAccountName={0})(objectClass=user))"
           userSubtree="true"
           roleBase="dc=mycomp, dc=isd"
           roleSearch="(uniqueMember={0})"
           roleName="cn"
    />
    I'd be so grateful for any help.
    Any suggestions about using the data from Active directory in web-application.
    Thanks.
    R.Vaughn

    By this time you probably have already solved this, but I think the problem is that the Search Base is relative to the attachment point specified with the PROVIDER_URL. Since you already specified "DC=mycomp,DC=isd" in that location, you merely want to set the search base to "". The error message is trying to tell you that it could only find half of the "DC=mycomp, DC=isd, DC=mycomp, DC=isd" that you specified for the search base.
    Hope that helps someone.
    Ken Gartner
    Quadrasis, Inc (We Unify Security, www -dot- quadrasis -dot- com)

  • Getting list of all users and their group memberships from Active Directory

    Hi,
    I want to retrieve a list of all the users and their group memberships through JNDI from Active Directory. I am using the following code to achieve this:
    ==================
    import javax.naming.*;
    import java.util.Hashtable;
    import javax.naming.directory.*;

    public class GetUsersGroups {
        public static void main(String[] args) {
            String[] attributeNames = {"memberOf"};
            // create an initial directory context
            Hashtable env = new Hashtable();
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, "ldap://172.19.1.32:389/");
            env.put(Context.SECURITY_AUTHENTICATION, "simple");
            env.put(Context.SECURITY_PRINCIPAL, "[email protected]");
            env.put(Context.SECURITY_CREDENTIALS, "p8admin");
            try {
                // Create the initial directory context
                DirContext ctx = new InitialDirContext(env);
                // get all the users list and their group memberships
                NamingEnumeration contentsEnum = ctx.list("CN=Users,DC=filenetp8,DC=com");
                while (contentsEnum.hasMore()) {
                    NameClassPair ncp = (NameClassPair) contentsEnum.next();
                    String userName = ncp.getName();
                    System.out.println("User: " + userName);
                    try {
                        System.out.println("am here....1");
                        Attributes attrs = ctx.getAttributes(userName, attributeNames); // only asked for one attribute so only one should be returned
                        System.out.println("am here....2");
                        Attribute groupsAttribute = attrs.get(attributeNames[0]); // memberOf
                        if (groupsAttribute != null) {
                            // size() is only safe once the attribute is known to exist
                            System.out.println("-----" + groupsAttribute.size());
                            // memberOf is a multi valued attribute
                            for (int i = 0; i < groupsAttribute.size(); i++) {
                                // print out each group that user belongs to
                                System.out.println("MemberOf: " + groupsAttribute.get(i));
                            }
                        }
                    } catch (NamingException ne) {
                        // ignore for now
                        System.err.println("Problem encountered....0000:" + ne);
                    }
                }
                // get all the groups list
            } catch (NamingException e) {
                System.err.println("Problem encountered 1111:" + e);
            }
        }
    }
    =================
    The following exception gets thrown at every user entry:
    User: CN=Administrator
    am here....1
    Problem encountered....0000:javax.naming.NamingException: [LDAP: error code 1 -
    000020D6: SvcErr: DSID-03100690, problem 5012 (DIR_ERROR), data 0
    ]; remaining name 'CN=Administrator'
    I think it gets thrown at this line in the code:
    Attributes attrs = ctx.getAttributes(userName, attributeNames);
    Any idea how to overcome this and where am I wrong?
    Thanks in advance,
    Regards.

    In this sentence:
    Attributes attrs = ctx.getAttributes(userName, attributeNames); // only asked for one attribute so only one should
    It seems Ok when I add "CN=Users,DC=filenetp8,DC=com" after userName, just as
    userName + ",CN=Users,DC=filenetp8,DC=com"
    But I still have some problem with it.
    Hope it will be useful for you.
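
Both JNDI threads above come down to the same rule: every name passed to a context is resolved relative to that context's own base. The following is an added example, not code from either poster. It prints the DN the server is actually asked for in each case, and `printUser` does the lookup with the base taken from the URL. The class and method names and the environment variables LDAP_URL, LDAP_BIND_DN and LDAP_BIND_PW are assumptions.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.PartialResultException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.LdapName;

// Added illustration; class, method and environment variable names are hypothetical.
public class RelativeNameDemo {

    // DN the server receives when `name` is resolved in a context rooted at `contextBase`.
    static String effectiveDn(String contextBase, String name) throws NamingException {
        LdapName full = new LdapName(contextBase); // component 0 is the rightmost RDN
        full.addAll(new LdapName(name));           // appended RDNs land on the left of the string
        return full.toString();
    }

    // Live lookup against a directory; the base DN is carried by providerUrl.
    static void printUser(String providerUrl, String bindDn, String password, String account)
            throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        // A simple bind sends the password as-is, so this URL should be ldaps://.
        env.put(Context.PROVIDER_URL, providerUrl);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        DirContext ctx = new InitialDirContext(env);
        try {
            SearchControls controls = new SearchControls();
            controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
            // Ask for the attributes in the search itself: no second getAttributes()
            // call and no DN string to rebuild by hand.
            controls.setReturningAttributes(new String[] {"cn", "mail", "memberOf"});
            // "" means the context's own base. {0} is filled from the argument array
            // with filter metacharacters escaped, so the account name stays a value.
            NamingEnumeration<SearchResult> results = ctx.search(
                    "", "(&(objectClass=user)(sAMAccountName={0}))",
                    new Object[] {account}, controls);
            try {
                while (results.hasMore()) {
                    SearchResult sr = results.next();
                    System.out.println(sr.getNameInNamespace()); // full DN, not relative
                    System.out.println("  " + sr.getAttributes());
                }
            } catch (PartialResultException e) {
                // Active Directory returns referrals for a subtree search from the
                // domain root; with referrals not followed JNDI reports them here,
                // after the real entries have been returned.
                System.err.println("referrals not followed: " + e.getMessage());
            } finally {
                results.close();
            }
        } finally {
            ctx.close();
        }
    }

    public static void main(String[] args) throws NamingException {
        // First thread: PROVIDER_URL already roots the context at dc=mycomp,dc=isd.
        String base = "dc=mycomp,dc=isd";
        System.out.println("search base repeated -> " + effectiveDn(base, base));
        System.out.println("search base \"\"       -> " + effectiveDn(base, ""));

        // Second thread: the URL ends in "/", so the context is rooted at the server
        // root, while list() handed back names relative to the listed container.
        String container = "CN=Users,DC=filenetp8,DC=com";
        System.out.println("relative name alone  -> " + effectiveDn("", "CN=Administrator"));
        System.out.println("name plus container  -> " + effectiveDn(container, "CN=Administrator"));

        // Optional live run, only when all connection settings are supplied.
        String url = System.getenv("LDAP_URL");
        String dn = System.getenv("LDAP_BIND_DN");
        String pw = System.getenv("LDAP_BIND_PW");
        if (url != null && dn != null && pw != null && args.length == 1) {
            printUser(url, dn, pw, args[0]);
        }
    }
}
```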
