Found DAG object in Active Directory

Similar Messages

• OBIEE+ Problems trying to import objects from Active Directory

  Hi
  I'm trying to import my users from my Active Directory using the Administration Tool.
  If I give the Base DN to point to the Users entry and I get that It doesn't have any objects to import.
  If I give the Base DN to point to the parent folder of Users and Groups entry I get
  LDAP server referral not supported.
  Any configurations that I have to take in consideration?

  Henrik,
  I've found other problems where OWB adds a space between all characters returned from SQL*Server which is what is happening in your case, although it is being displayed as a square box.
  In one of these cases the problem was fixed by using the 11.2.0.2 OWB so would it be possible for you to try with that version ?
  Also, as the problem is not with the gateway itself as you can select successfully using a database link then it would be better to follow up in the OWB forum -
  Forum: Warehouse Builder
  Warehouse Builder
  as they will be able to help with the OWB side of the problem.
  Regards,
  Mike

• Active Directory Domain Services crash after Administrator renames object in Active Directory Users and Computers

  Hello.
  We have two domain controllers - node1 (Windows 2008 R2) and node2 (Windows 2012 R2). When administrator connects to node2 and tries to rename some object in AD (for example, user) AD Domain Services crashes and reboot server after 60 seconds.
  In Events I can see these messages:
  Log Name:      Directory Service
  Source:        Microsoft-Windows-ActiveDirectory_DomainService
  Date:          04.03.2014 12:37:58
  Event ID:      1173
  Task Category: Internal Processing
  Level:         Warning
  Keywords:      Classic
  User:          domain\admin
  Computer:      NODE2.domain.example
  Description:
  Internal event: Active Directory Domain Services has encountered the following exception and associated parameters.
  Exception:
  c0000005
  Parameter:
  0
  Additional Data
  Error value:
  7ffc7c38e45d
  Internal ID:
  0
  Event Xml:
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
      <Provider Name="Microsoft-Windows-ActiveDirectory_DomainService" Guid="{0e8478c5-3605-4e8c-8497-1e730c959516}" EventSourceName="NTDS General" />
      <EventID Qualifiers="32768">1173</EventID>
      <Version>0</Version>
      <Level>3</Level>
      <Task>9</Task>
      <Opcode>0</Opcode>
      <Keywords>0x8080000000000000</Keywords>
      <TimeCreated SystemTime="2014-03-04T06:37:58.116264800Z" />
      <EventRecordID>881</EventRecordID>
      <Correlation />
      <Execution ProcessID="572" ThreadID="2580" />
      <Channel>Directory Service</Channel>
      <Computer>NODE2.domain.example</Computer>
      <Security UserID="S-1-5-21-3794920928-4165619442-305938157-2047" />
    </System>
    <EventData>
      <Data>c0000005</Data>
      <Data>7ffc7c38e45d</Data>
      <Data>0</Data>
      <Data>0</Data>
    </EventData>
  </Event>
  Log Name:      Application
  Source:        Microsoft-Windows-Wininit
  Date:          04.03.2014 12:37:58
  Event ID:      1015
  Task Category: None
  Level:         Error
  Keywords:      Classic
  User:          N/A
  Computer:      NODE2.domain.example
  Description:
  A critical system process, C:\Windows\system32\lsass.exe, failed with status code c0000005.  The machine must now be restarted.
  Event Xml:
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
      <Provider Name="Microsoft-Windows-Wininit" Guid="{206f6dea-d3c5-4d10-bc72-989f03c8b84b}" EventSourceName="Wininit" />
      <EventID Qualifiers="49152">1015</EventID>
      <Version>0</Version>
      <Level>2</Level>
      <Task>0</Task>
      <Opcode>0</Opcode>
      <Keywords>0x80000000000000</Keywords>
      <TimeCreated SystemTime="2014-03-04T06:37:58.000000000Z" />
      <EventRecordID>189578</EventRecordID>
      <Correlation />
      <Execution ProcessID="0" ThreadID="0" />
      <Channel>Application</Channel>
      <Computer>NODE2.domain.example</Computer>
      <Security />
    </System>
    <EventData>
      <Data>C:\Windows\system32\lsass.exe</Data>
      <Data>c0000005</Data>
    </EventData>
  </Event>
  Log Name:      Application
  Source:        Application Error
  Date:          04.03.2014 12:37:58
  Event ID:      1000
  Task Category: (100)
  Level:         Error
  Keywords:      Classic
  User:          N/A
  Computer:      NODE2.domain.example
  Description:
  Faulting application name: lsass.exe, version: 6.3.9600.16384, time stamp: 0x5215e25f
  Faulting module name: ntdsai.dll, version: 6.3.9600.16421, time stamp: 0x524fcaed
  Exception code: 0xc0000005
  Fault offset: 0x000000000019e45d
  Faulting process id: 0x23c
  Faulting application start time: 0x01cf3773fe973e1b
  Faulting application path: C:\Windows\system32\lsass.exe
  Faulting module path: C:\Windows\system32\ntdsai.dll
  Report Id: 85cfbe32-a367-11e3-80cc-00155d006724
  Faulting package full name:
  Faulting package-relative application ID:
  Event Xml:
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
      <Provider Name="Application Error" />
      <EventID Qualifiers="0">1000</EventID>
      <Level>2</Level>
      <Task>100</Task>
      <Keywords>0x80000000000000</Keywords>
      <TimeCreated SystemTime="2014-03-04T06:37:58.000000000Z" />
      <EventRecordID>189576</EventRecordID>
      <Channel>Application</Channel>
      <Computer>NODE2.domain.example</Computer>
      <Security />
    </System>
    <EventData>
      <Data>lsass.exe</Data>
      <Data>6.3.9600.16384</Data>
      <Data>5215e25f</Data>
      <Data>ntdsai.dll</Data>
      <Data>6.3.9600.16421</Data>
      <Data>524fcaed</Data>
      <Data>c0000005</Data>
      <Data>000000000019e45d</Data>
      <Data>23c</Data>
      <Data>01cf3773fe973e1b</Data>
      <Data>C:\Windows\system32\lsass.exe</Data>
      <Data>C:\Windows\system32\ntdsai.dll</Data>
      <Data>85cfbe32-a367-11e3-80cc-00155d006724</Data>
      <Data>
      </Data>
      <Data>
      </Data>
    </EventData>
  </Event>
  In node2 we installed all available updates and hotfixes.

   Hi Azamat Hackimov,
  Regarding to error messages, it seems that the
  ntdsai.dll file caused the issue. Based on current situation, please use
  sfc /scannow command to scan protected system files and check if find error and repair. Meanwhile, you can also navigate to the location of this DLL file and confirm details.
  In addition, Windows Server 2012 R2 has reboot unexpectedly. Please check if you get some dump file and then analysis it. It may help us to find the root reason. Please refer
  to the following KB.
  How to read the small dump memory dump file that is created by Windows if a crash occurs.
  http://support.microsoft.com/kb/315263/en-us
  By the way, it is not effective for us to debug the crash dump file here in the forum. If this issues is a state of emergency for you. Please contact Microsoft Customer Service
  and Support (CSS) via telephone so that a dedicated Support Professional can assist with your request.
  To obtain the phone numbers for specific technology request, please refer to the web site listed below:
  http://support.microsoft.com/default.aspx?scid=fh;EN-US;OfferProPhone#faq607
  Hope this helps.
  Best regards,
  Justin Gu

• Size limitation for all attributes in user objects in Active Directory????

  hi geeks , i wanna know maximum size limit of an user objects attribute in   active directory ... like max amount of character first name attribute can hold ... Thank in advance..

  You can use ADSI Edit to view the properties of the attributes in the Schema container of your AD. In the Schema container you can select an attribute, like Company, right click, select properties, and find the rangeUpper property of the attribute. This
  is the maximum length in characters (or bytes). You can also use dsquery to retrieve rangeUpper for an attribute. For example:
  dsquery * "cn=Schema,cn=Configuration,dc=MyDomain,dc=com" -filter "(LDAPDisplayName=streetAddress)" -attr rangeUpper
  where your domain is MyDomain.com. This finds the maximum length for the "street address" attribute. A few values in my test domain (the values can be modified, so these are the defaults):
  company                      64
  streetAddress              1024
  physicalDeliveryOfficeName  128
  initials                      6
  st                          128
  postOfficeBox                40
  name                        255
  cn                           64
  You can use the first two spreadsheets on this page to help identify attributes in AD (with no Exchange):
  http://www.rlmueller.net/UserAttributes.htm
  The first spreadsheet documents the attributes corresponding to the fields on most of the tabs of ADUC. For example, "st" is the attribute for state, "physicalDeliveryOfficeName" for the field labeled "office". You need the
  LDAPDisplayName's of the attributes, like I used in the dsquery command above. The second spreadsheet documents all attributes in AD with more information, like the syntax and which class each applies to.
  Richard Mueller - MVP Directory Services

• Logoncount Attribute on Computer objects in Active Directory

  Hello,
  I have one question about the logoncount Attribute on Active Directory objects. As I understood on user objects this attribute counts the number of logons per DC (because it is not replicating).
  My question is:
  What exactly is count here on computer objects?
  I can see that on a Domain Controller computer object the logoncount is high for the DC itself and low on the other DC objects.
  Thank you.
  Regards
  Dennis

  Here is an old thread.  You will see some of the explanation from our own Richard :)
  http://www.techtalkz.com/windows-server-2003/500367-attributes-update-during-computer-logon.html
  Santhosh Sivarajan | Houston, TX | www.sivarajan.com
  ITIL,MCITP,MCTS,MCSE (W2K3/W2K/NT4),MCSA(W2K3/W2K/MSG),Network+,CCNA
  Windows Server 2012 Book - Migrating from 2008 to Windows Server 2012
  Blogs: Blogs
  Twitter: Twitter
  LinkedIn: LinkedIn
  Facebook: Facebook
  Microsoft Virtual Academy:
  Microsoft Virtual Academy
  This posting is provided AS IS with no warranties, and confers no rights.

• Hide all except one object in Active Directory Users and Computers.

  Hello,
  I have a question.. I need to allow to one group of "administrators" creating users in one OU and adding computers to the domain, nothing else. I allowed them to log on DC using the GPO "Allow log on locally", because I don't want to give
  them administrator rights, I allowed them to do these operations on one OU through delegation wizard and now I need to make all OUs, groups etc. invisible to them except this OU. What is the best way how to achieve this? Thank you...
  d.

  I would disable the ability to allow them to login. I suggest to create a Computers OU that you can delegate to the "admins" to add computers, and don't use the default Computers container.
  I assume the admins are using Windows 7 or newer. You can customize an RSAT installation to just provide the ADAC.
  Description of Remote Server Administration Tools for Windows 7:
  http://support.microsoft.com/default.aspx/kb/958830
  Remote Server Administration Tools for Windows 7:
  http://technet.microsoft.com/en-us/library/ee449475(WS.10).aspx
  Remote Server Administration Tools for Windows 7
  http://www.microsoft.com/downloads/details.aspx?FamilyID=7D2F6AD7-656B-4313-A005-4E344E43997D&displaylang=en
  Customizing - Installing Remote Server Administration Tools (RSAT) for Windows 7
  http://www.petri.co.il/remote-server-administration-tools-for-windows-7.htm
  Or if you want to chop it down and control it further, create a custom ADUC with just that OU you've delegated. I've done this in the past and worked fine for my customer:
  Delegate an Organizational Unit (OU) in Active Directory Users and Computers (ADUC), then create a custom MMC or customized RSAT
  http://blogs.msmvps.com/acefekay/2014/09/04/delegate-an-organizational-unit-ou-in-active-directory-users-and-computers-aduc-then-create-a-custom-mmc-or-customized-rsat/
  Ace Fekay
  MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
  Microsoft Certified Trainer
  Microsoft MVP - Directory Services
  Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
  This posting is provided AS-IS with no warranties or guarantees and confers no rights.

• Removing Exchange 2007 from SBS 2008 (In an Exchange 2010 Coexistance Scenario) - In order to remove 2007 Mailbox Objects from Active Directory and remove the SBS2008 server completely

  I'm trying to remove Exchange 2007 from an SBS 2008 server
  (Server 2008 Standard FE).  My ultimate goal is to completely remove the SBS 2008 Server from the network environment.
  We have an Exchange 2010 Coexistence Scenario and Mailboxes/Public Folders/etc have been moved over to the 2010 mail server, on Server 2008 R2.
  I have moved all Shares, FSMO roles, DHCP, DNS, etc over to their respective servers.  We have two full blown DC's in the environment.
  I'm ready to remove Exchange 2007 from SBS 2008 and DCPROMO the server.  I can NOT seem to find a TechNet article that shows me how
  to proceed in this kind of scenario.  I am trying to use the TechNet article:
  http://technet.microsoft.com/en-us/library/dd728003(v=ws.10).aspx
  This article references Disabling Mailboxes, Removing OAB, Removing Public Folder Databases, then uninstalling Exchange using the Setup Wizard. 
  When I go to Disable Mailboxes I get the following error:
  Microsoft Exchange Error
  Action 'Disable' could not be performed on object 'Username (edited)'.
  Username (edited)
  Failed
  Error:
  Object cannot be saved because its ExchangeVersion property is 0.10 (14.0.100.0), which is not supported by the current version 0.1 (8.0.535.0). You will need a later version of Exchange.
  OK
  I really don't see why I need to Disable Mailboxes, Remove OAB and Public Folder Databases since they have been moved to 2010.  I just want
  to remove Exchange 2007 and DCPROMO this server (actually I just want to remove any lingering Exchange AD Objects referring to the SBS 2008 Server, using the easiest and cleanest method possible).
  Can someone point me in the right direction?
  Thanks!

  Hi,
  Based on your description, it seems that you are in a migration process (migrate SBS 2008 to Windows Server
  2008 R2). Now, you want to remove Exchange Server and demote server. If anything I misunderstand, please don’t hesitate to let me know.
  On current situation, please refer to following articles and check if can help you.
  Transition
  from Small Business Server to Standard Windows Server
  Removing SBS 2008 –
  Step 1: Exchange 2007
  Removing SBS 2008 – Step 2:
  ADCS
  Removing
  SBS 2008 – Step 3: remove from domain / DCPROMO
  Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft
  does not guarantee the accuracy of this information.
  Hope this helps.
  Best regards,
  Justin Gu

• Action Object and Active Directory?

  Hi,
  As I understand the documentation, there is no way to use Action Object in Storage Manager for AD.
  Is that correct?
  Is it possible to work around that when having IDM implemented?
  Many of our customers uses provisioning and self-provisioning through the UA-portal, and it seems rather difficult to integrate this to the NTFS in AD using Storage Manager.
  When customers is running OES and NSS it is a lot easier to customize and maintain a useful dynamic file system.
  Does anyone has any ideas or experience that could help us out?
  Thank you in advance
  Martin

  Moldin,
  It appears that in the past few days you have not received a response to your
  posting. That concerns us, and has triggered this automated reply.
  Has your problem been resolved? If not, you might try one of the following options:
  - Visit http://support.novell.com and search the knowledgebase and/or check all
  the other self support options and support programs available.
  - You could also try posting your message again. Make sure it is posted in the
  correct newsgroup. (http://forums.novell.com)
  Be sure to read the forum FAQ about what to expect in the way of responses:
  http://forums.novell.com/faq.php
  If this is a reply to a duplicate posting, please ignore and accept our apologies
  and rest assured we will issue a stern reprimand to our posting bot.
  Good luck!
  Your Novell Product Support Forums Team
  http://forums.novell.com/

• Exchange 2010 - #554 5.2.0 The Active Directory user wasn't found

  We have migrated form Exchange 2003 to Exchange 2010 a year ago with no issues. All Exchange legacy servers uninstalled with no issues. We had an issue today were emails sent to mail-enabled public folder was returning NDRs. This happened on two or three
  and then trickled down thorugh several public folders. This client has several public folders and uses them for business processes. There have been 100s of incidents now. 
  Symtoms:
  E-mail messages that been sent to mail-enabled public folder in Exchange Server 2010 environment rejected with the following NDR:
  #554 5.2.0 STOREDRV.Deliver.Exception:ObjectNotFoundException; Failed to process message due to a permanent exception with message The Active Directory user wasn't found. ObjectNotFoundException: The Active Directory user wasn't found. ##
  We are getting the following Event log messages on Hub transport servers.
  Log Name:      Application
  Source:        MSExchange Store Driver
  Date:          5/29/2014 2:45:53 PM
  Event ID:      1020
  Task Category: MSExchangeStoreDriver
  Level:         Error
  Keywords:      Classic
  User:          N/A
  Computer:      xxxxxx
  Description:
  The store driver couldn't deliver the public folder replication message "Backfill Request (xxxxxxx)" because the following error occurred: The Active Directory user wasn't found..
  Event Xml:
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
      <Provider Name="MSExchange Store Driver" />
      <EventID Qualifiers="49156">1020</EventID>
      <Level>2</Level>
      <Task>1</Task>
      <Keywords>0x80000000000000</Keywords>
      <TimeCreated SystemTime="2014-05-29T18:45:53.000000000Z" />
      <EventRecordID>168407</EventRecordID>
      <Channel>Application</Channel>
      <Computer>xxxxxx</Computer>
      <Security />
    </System>
    <EventData>
      <Data>"Backfill Request (xxxxxxx)"</Data>
      <Data>The Active Directory user wasn't found.</Data>
    </EventData>
  </Event>
  Actions:
  We have executed the following steps.
  1. Start the ADSI Edit MMC Snap-in. Click Start, then Run, and type adsiedit.msc, and then click OK.
  2.       Connect & Expand the Configuration Container [YourServer.DNSDomainName.com], and then expand CN=Configuration,DC=DNSDomainName,DC=com.
  3.       Expand CN=Services, and then CN=Microsoft Exchange, and then expand CN=YourOrganizationName.
  4.       You will see an empty Administrative Group. Expand the  CN=YourAdministrativeGroupName.
  5.       Expand CN=Servers.
  6.       Verify there are no server objects listed under the  CN=Servers container.
  7.       Right click on the empty CN=Servers container and choose Delete.
  8.       Verify the modification, and try to send again the E-mail to the mail-enabled public folder.
  To no avail the issue still exists.
  We have not rebooted the servers and plan to in the early morning.
  We have dismounted/mounted public folder DBs
   Does anyone have any other suggestions?
  Danny Kennedy, MCSE, MCITP

  I have already uninstalled legacy servers a year ago.
  This was the solution:
  I moved the public folder hierarchy to exchange 2010 using ADSIEdit.
                                    If you don't know adsiedit tool that much check this
  http://h20565.www2.hp.com/portal/site/hpsc/template.PAGE/public/kb/docDisplay?javax.portlet.begCacheTok=com.vignette.cachetoken&javax.portlet.endCacheTok=com.vignette.cachetoken&javax.portlet.prp_ba847bafb2a2d782fcbb0710b053ce01=wsrp-navigationalState%3DdocId%253Demr_na-c03067450-1%257CdocLocale%253D%257CcalledBy%253D&javax.portlet.tpst=ba847bafb2a2d782fcbb0710b053ce01&sp4ts.oid=1840527&ac.admitted=1401455429281.876444892.492883150
  Danny Kennedy, MCSE, MCITP

• Active Directory - Lingering Objects

  Hello,
  I'm having an issue with replication and I'm hoping someone can point me in the right direction.
  I have the Strict Replication setting enabled on all of my DCs.  I am running into a problem with replication failures due to lingering objects.  I ran repldiag.exe /removelingeringobjects /advisorymode on one of the DCs and it found 52 objects.
   However, the lingering objects are shared printer objects that are still in use in my organization.  What would be the impact of deleting these printer objects?  Would my workstations loose the ability to print to these printers?
  Thank you.

  Have you reviewed the link below?
  Lingering objects prevent Active Directory replication from occurring
  http://support.microsoft.com/kb/317097

• [Forum FAQ] Using PowerShell to assign permissions on Active Directory objects

  As we all know, the
  ActiveDirectoryAccessRule class is used to represent an access control entry (ACE) in the discretionary access control list (DACL) of an Active Directory Domain Services object.
  To set the permissions on Active Directory objects, the relevant classes and their enumerations are listed as below:
  System.DirectoryServices.ActiveDirectoryAccessRule class:
  http://msdn.microsoft.com/en-us/library/system.directoryservices.activedirectoryaccessrule(v=vs.110).aspx
  System.DirectoryServices.ActiveDirectoryRights
  class:
  http://msdn.microsoft.com/en-us/library/system.directoryservices.activedirectoryrights(v=vs.110).aspx
  System.Security.AccessControl.AccessControlType class:
  http://msdn.microsoft.com/en-us/library/w4ds5h86(v=vs.110).aspx
  System.DirectoryServices.ActiveDirectorySecurityInheritance class:
  http://msdn.microsoft.com/en-us/library/system.directoryservices.activedirectorysecurityinheritance(v=vs.110).aspx
  In this article, we introduce three ways to get and set the ACE on an Active Directory object. In general,
  we use Active Directory Service Interfaces (ADSI) or
  Active Directory module cmdlets
  with the Get-Acl and Set-Acl cmdlets to assign simple permissions on Active Directory objects. In addition, we can use the extended rights and GUID settings to execute
  more complex permission settings.
  Method 1: Using ADSI
    1. Get current permissions of an organization unit (OU)
  We can use the PowerShell script below to get current permissions of an organization unit and you just need to define the name of the OU.
  $Name = "OU=xxx,DC=com"
  $ADObject = [ADSI]"LDAP://$Name"
  $aclObject = $ADObject.psbase.ObjectSecurity
  $aclList = $aclObject.GetAccessRules($true,$true,[System.Security.Principal.SecurityIdentifier])
  $output=@()
  foreach($acl in $aclList)
  $objSID = New-Object System.Security.Principal.SecurityIdentifier($acl.IdentityReference)
       $info = @{
  'ActiveDirectoryRights' = $acl.ActiveDirectoryRights;
  'InheritanceType' = $acl.InheritanceType;
  'ObjectType' = $acl.ObjectType;
  'InheritedObjectType' = $acl.InheritedObjectType;
  'ObjectFlags' = $acl.ObjectFlags;
  'AccessControlType' = $acl.AccessControlType;
  'IdentityReference' = $acl.IdentityReference;
  'NTAccount' = $objSID.Translate( [System.Security.Principal.NTAccount] );
  'IsInherited' = $acl.IsInherited;
  'InheritanceFlags' = $acl.InheritanceFlags;
  'PropagationFlags' = $acl.PropagationFlags;
  $obj = New-Object -TypeName PSObject -Property $info
  $output+=$obj}
  $output
  In the figure below, you can see the results of running the script above:
  Figure 1．
  2. Assign a computer object with Full Control permission on an OU
  We can use the script below to delegate Full Control permission to the computer objects within an OU:
  $SysManObj = [ADSI]("LDAP://OU=test….,DC=com") #get the OU object
  $computer = get-adcomputer "COMPUTERNAME" #get the computer object which will be assigned with Full Control permission within an OU
  $sid = [System.Security.Principal.SecurityIdentifier] $computer.SID
  $identity = [System.Security.Principal.IdentityReference] $SID
  $adRights = [System.DirectoryServices.ActiveDirectoryRights] "GenericAll"
  $type = [System.Security.AccessControl.AccessControlType] "Allow"
  $inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "All"
  $ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $identity,$adRights,$type,$inheritanceType #set permission
  $SysManObj.psbase.ObjectSecurity.AddAccessRule($ACE)
  $SysManObj.psbase.commitchanges()
  After running the script above, you can check the computer object in Active Directory Users and Computers (ADUC) and it is under the Security tab in OU Properties.
  Method 2: Using Active Directory module with the Get-Acl and Set-Acl cmdlets
  You can use the script below to get and assign Full Control permission to a computer object on an OU:
  $acl = get-acl "ad:OU=xxx,DC=com"
  $acl.access #to get access right of the OU
  $computer = get-adcomputer "COMPUTERNAME"
  $sid = [System.Security.Principal.SecurityIdentifier] $computer.SID
  # Create a new access control entry to allow access to the OU
  $identity = [System.Security.Principal.IdentityReference] $SID
  $adRights = [System.DirectoryServices.ActiveDirectoryRights] "GenericAll"
  $type = [System.Security.AccessControl.AccessControlType] "Allow"
  $inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "All"
  $ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $identity,$adRights,$type,$inheritanceType
  # Add the ACE to the ACL, then set the ACL to save the changes
  $acl.AddAccessRule($ace)
  Set-acl -aclobject $acl "ad:OU=xxx,DC=com"
  Method 3: Using GUID setting
  The scripts above can only help us to complete simple tasks, however, we may want to execute more complex permission settings. In this scenario, we can use GUID settings to achieve
  that.
  The specific ACEs allow an administrator to delegate Active Directory specific rights (i.e. extended rights) or read/write access to a property set (i.e. a named collection of attributes) by
  setting ObjectType field in an object specific ACE to the
  rightsGuid of the extended right or property set. The delegation can also be created to target child objects of a specific class by setting the
  InheritedObjectType field to the schemaIDGuid of the class.
  We choose to use this pattern: ActiveDirectoryAccessRule(IdentityReference, ActiveDirectoryRights, AccessControlType, Guid, ActiveDirectorySecurityInheritance, Guid)
  You can use the script below to
  assign the group object with the permission to change user password on all user objects within an OU.
  $acl = get-acl "ad:OU=xxx,DC=com"
  $group = Get-ADgroup xxx
  $sid = new-object System.Security.Principal.SecurityIdentifier $group.SID
  # The following object specific ACE is to grant Group permission to change user password on all user objects under OU
  $objectguid = new-object Guid 
  00299570-246d-11d0-a768-00aa006e0529 # is the rightsGuid for the extended right User-Force-Change-Password (“Reset Password”) 
  class
  $inheritedobjectguid = new-object Guid 
  bf967aba-0de6-11d0-a285-00aa003049e2 # is the schemaIDGuid for the user
  $identity = [System.Security.Principal.IdentityReference] $SID
  $adRights = [System.DirectoryServices.ActiveDirectoryRights] "ExtendedRight"
  $type = [System.Security.AccessControl.AccessControlType]
  "Allow"
  $inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "Descendents"
  $ace = new-object System.DirectoryServices.ActiveDirectoryAccessRule $identity,$adRights,$type,$objectGuid,$inheritanceType,$inheritedobjectguid
  $acl.AddAccessRule($ace)
  Set-acl -aclobject $acl "ad:OU=xxx,DC=com"
  The figure below shows the result of running the script above:
  Figure 2．
  In addition, if you want to assign other permissions, you can change the GUID values in the script above. The common GUID values are listed as below:
  $guidChangePassword     
  = new-object Guid ab721a53-1e2f-11d0-9819-00aa0040529b
  $guidLockoutTime        
  = new-object Guid 28630ebf-41d5-11d1-a9c1-0000f80367c1
  $guidPwdLastSet         
  = new-object Guid bf967a0a-0de6-11d0-a285-00aa003049e2
  $guidComputerObject     
  = new-object Guid bf967a86-0de6-11d0-a285-00aa003049e2
  $guidUserObject         
  = new-object Guid bf967aba-0de6-11d0-a285-00aa003049e2
  $guidLinkGroupPolicy    
  = new-object Guid f30e3bbe-9ff0-11d1-b603-0000f80367c1
  $guidGroupPolicyOptions 
  = new-object Guid f30e3bbf-9ff0-11d1-b603-0000f80367c1
  $guidResetPassword      
  = new-object Guid 00299570-246d-11d0-a768-00aa006e0529
  $guidGroupObject        
  = new-object Guid BF967A9C-0DE6-11D0-A285-00AA003049E2                                          
  $guidContactObject      
  = new-object Guid 5CB41ED0-0E4C-11D0-A286-00AA003049E2
  $guidOUObject           
  = new-object Guid BF967AA5-0DE6-11D0-A285-00AA003049E2
  $guidPrinterObject      
  = new-object Guid BF967AA8-0DE6-11D0-A285-00AA003049E2
  $guidWriteMembers   
      = new-object Guid bf9679c0-0de6-11d0-a285-00aa003049e2
  $guidNull               
  = new-object Guid 00000000-0000-0000-0000-000000000000
  $guidPublicInformation  
  = new-object Guid e48d0154-bcf8-11d1-8702-00c04fb96050
  $guidGeneralInformation 
  = new-object Guid 59ba2f42-79a2-11d0-9020-00c04fc2d3cf
  $guidPersonalInformation = new-object Guid 77B5B886-944A-11d1-AEBD-0000F80367C1
  $guidGroupMembership    
  = new-object Guid bc0ac240-79a9-11d0-9020-00c04fc2d4cf
  More information:
  Add Object Specific ACEs using Active Directory Powershell
  http://blogs.msdn.com/b/adpowershell/archive/2009/10/13/add-object-specific-aces-using-active-directory-powershell.aspx
  Please click to vote if the post helps you. This can be beneficial to other community members reading the thread.

  The ActiveDirectoryAccessRule has more than one constructor, but yes, you've interpreted the one that takes six arguments correctly.
  Those GUIDs are different (check just before the first dash). Creating that ACE will create an empty GUID for InheritedObjectType, though, because you're telling it to apply to the Object only ([System.DirectoryServices.ActiveDirectorySecurityInheritance]::None).
  Since the ACE will only apply to the object, there's no need to worry about what types of objects will inherit it.
  If you've got time, check out
  this module. It will let you view the security descriptors in a much friendlier format. Try both version 3.0 and the version 4.0 preview:
  Sample version 3.0:
  # This is going to be kind of slow, and it will take a few seconds the first time
  # you run it because it has to build the list of GUID <--> Property/Class/etc objects
  Get-ADGroup GroupY |
  Get-AccessControlEntry -ObjectAceType member -InheritedObjectAceType group -ActiveDirectoryRights WriteProperty
  # Same as the previous command, except limit it to access granted to GroupX
  Get-ADGroup GroupY |
  Get-AccessControlEntry -ObjectAceType member -InheritedObjectAceType group -ActiveDirectoryRights WriteProperty -Principal GroupX
  Here's version 4.0. It's way faster than 3.0, but it's missing the -ObjectAceType and -InheritedObjectAceType parameters on Get-AccessControlEntry (don't worry, when they come back they'll be better than in 3.0):
  Get-ADGroup GroupY |
  Get-AccessControlEntry
  Get-ADGroup GroupY |
  Get-AccessControlEntry -ActiveDirectoryRights WriteProperty
  Get-ADGroup GroupY |
  Get-AccessControlEntry -ActiveDirectoryRights WriteProperty -Principal GroupX
  # You can do a Where-Object filter until the parameters are added back to Get-AccessControlEntry:
  Get-ADGroup GroupY |
  Get-AccessControlEntry -ActiveDirectoryRights WriteProperty |
  where { $_.AccessMask -match "All Prop|member Prop" }
  Get-ADGroup GroupY |
  Get-AccessControlEntry -ActiveDirectoryRights WriteProperty |
  where { $_.ObjectAceType -in ($null, [guid]::Empty, "bf9679c0-0de6-11d0-a285-00aa003049e2") }
  Get-ADGroup GroupY |
  Get-AccessControlEntry -ActiveDirectoryRights WriteProperty |
  where { $_.AccessMask -match "All Prop|member Prop" -and $_.AppliesTo -match "group"}
  That's just for viewing. Version 3.0 can add and remove access, or you can use New-AccessControlEntry to replace your call to New-Object, and you can still use Get-Acl and Set-Acl. The benefit to New-AccessControlEntry is that you can do something like this:
  New-AccessControlEntry -Principal GroupX -ActiveDirectoryRights WriteProperty -ObjectAceType member -InheritedObjectAceType group #-AppliesTo Object
   

• Recon and provisioning of user-defined object class ICF Active Directory

  I have followed the documentation instructions for reconciliation of a user-defined object class in the ICF Active Directory connector. I am using OIM 11gR2 with the ICF Active Directory 11.1.1.5 connector patched to 11.1.1.5.0A. The procedure states to create the new object class in AD and then change the objectClass value in the Lookup.Configuration.ActiveDirectory lookup. In my case I am using the existing ObjectClass of contact, rather than a new object class. Just for completeness I am using a clone of the AD User Resource Object which I call AD User Contact and so my lookup name is Lookup.Configuration.ActiveDirCon.
  When I changed the ObjectClass from User to Contact, and ran the Active DirCon User Target Recon scheduled job, with Object Type also = contact. The first issue I noticed was that the connector wanted a different set of lookups, which is not in the documentation. It is looking for a lookup in my Configuration lookup where code key=contact Configuration Lookup (which I should have expected since there are code keys for User, Group, and organizationalUnit). I added a line to the lookup where code key=contact Configuration Lookup and the Decode=Lookup.ActiveDirCon.CM.Configuration and then I created a new lookup by that name, assigning the 5 values to be the Lookup.ActiveDirCon.UM.xxx lookups. I did not see any need to create a new set of Lookup.ActiveDirCon.CM.xxx lookups with the exact same values.
  I re-ran the scheduled job and it ran successfully, but did not generate any Recon Events, even though I had objects in the OU and I have that same OU in the Lookup.ActiveDirCon.OrganizationalUnits lookup (from the Org Lookup Recon). Everything looks good but getting no results. Looked at the log file from the ConnectorServer and it is building the query properly and executing it properly with the correct syntax, getting no errors, but the SearchAndReturnObjects method is returning zero results.
  Looking to see if anyone has successfully reconciled in user-defined or other non-User objectClass objects from Active Directory, and if so, can you provide Lookup configuration and Connector Server information so I can troubleshoot.
  I resolved this issue by changing the recon lookups to a blank lookup called Lookup.ActiveDirCon.CM.ReconAttrMap and only added in the parameters that are used by a Contact object. Only populate the ReconAttrMap with parameters that exist for the custom object.
  Edited by: Keith Smith AptecLLC on Mar 27, 2013 6:31 AM

  Oracle Support answered this question via SR

• Why do I get general access denied trying to update my own field in Active Directory?

  I am trying to update a field pertaining to my own user object in Active Directory using ADSI and C++ app. The operating system
  is Windows Server 2012 Standard.
  I am able to read, I am able to call Put without problems, but when I call SetInfo, it returns with "General access denied". I have
  confirmed that it's my own user object I'm trying to access.
  I obtain my own FQDN like this:
  GetUserNameEx(EXTENDED_NAME_FORMAT::NameFullyQualifiedDN, pszFullyQualifiedDN, &dwFullyQualifiedDN);
  Then I use it like this:
  LPTSTR pszObj = (LPTSTR)LocalAlloc(LPTR, dwMemToAlloc);
  wcscpy_s(pszObj, dwMemToAlloc / sizeof(TCHAR), L"LDAP://");
  wcscat_s(pszObj, dwMemToAlloc / sizeof(TCHAR), pszFullyQualifiedDN);
  I bind to an object like this:
  ADsGetObject(pszObj, IID_IADs, (LPVOID*)&pObject);
  This call succeeds:
  pObject->Get(CComBSTR("Description"), &var);
  This call also succeeds:
  VariantClear(&var);
  V_BSTR(&var) = SysAllocString(L"Some new value");
  V_VT(&var) = VT_BSTR;
  hr = pObject->Put(CComBSTR("Description"), var);
  Trying to commit the above change using the following:
  pObject->SetInfo();
  This is where it fails.
  It returns E_ACCESSDENIED General access denied error.
  As you can see, that is my own user object I am trying to update. To my understanding that is supposed to work provided I am a member of Domain
  Users group. Which I am.
  What could possibly be the problem?

  The problem is that in Windows Server 2012 Domain Controller, permission to write to public (and personal,
  for that matter) properties is not granted to "SELF". The field I am trying to write to belongs to public properties. The only property set a user is able to change for himself in Windows Server 2012, by default, seems to be "Private-Information",
  which consists of ms-PKI-Credential-Roaming-Tokens,ms-PKI-RoamingTimeStamp, ms-PKI-DPAPIMasterKeys, ms-PKI-AccountCredentials
  Why on earth a user doesn't have permission to write to his own personal fields in Windows Server 2012 AD, Microsoft??!?!?!

• Creating computer Names with small letters and they appear as capitals in Active Directory Domain

  Hello,
  When I try to create computer objects in Active Directory - namely when i change computer name with small letters, in active directory users and computers they appear as capital letters and in DNS console as well.
  I know that it's not a problematic issue and technically all goes fine but, i want to know the reason.
  Is it possible to change computer name with small letters while joining in the domain and than in AD it appear with small letters also ?
  Thanks in advance,

  If you are asking about during the client join process, I believe the machines do all caps and you have to accept that as default.  I'm guessing it is a legacy issue for older clients that has hung on such as possibly related to WINS.
  Paul Bergson
  MVP - Directory Services
  MCITP: Enterprise Administrator
  MCTS, MCT, MCSE, MCSA, Security, BS CSci
  2012, 2008, Vista, 2003, 2000 (Early Achiever), NT4
  Twitter @pbbergs http://blogs.dirteam.com/blogs/paulbergson
  Please no e-mails, any questions should be posted in the NewsGroup.
  This posting is provided AS IS with no warranties, and confers no rights.

• What is the Point of Active Directory/LDAP Specification?

  My college threw an interesting curve ball today and I couldn't give him a good enough answer. The question was simple 'What is the point of active directory'. Now I don't have a lot of exposure to active directory, but I thought I could easily answer. My argument was; If you have a group of objects its easy to look up attributes for those objects using active directory. For example, if you have a group in AD and you want to verify the users of that group you simply look up the member attribute of that group. However he argued, rightly so, that you can do that with a table in a database, why do that in AD. I couldn't give him a good enough answer and now I'm curious. Given the above example, why use AD over a database?
  To me AD is a way to manage a set of resources, whatever they are, by mapping them to objects that have however many attributes. But we could do that in a database, whats the point of AD? Why do you use AD?

  I come from a primarily database centric background. Just like life experience, it casts a certain perspective on problems. Database people solve things with databases. Directory people solve things with directories. Everyone has their perspective. It's not really about who's right and who's wrong. It's about perspective because people are most likely to go with what's familiar when given a problem. It's easy to have this conversation in a educational environment but when you're on the job it's about turf, schedules and careers. My latest job (in which this debate comes up a lot) has been about directories which has been a very enlightening experience because I've been given a gift of perspective. I can put on the directory hat and look at it from another angle.
  To get back to your professor's question. The answer is easy. LDAP (AD or other) is an application above a database. It has a data store behind it, in most cases we can just assume this is a database. So, in short, it's apples to oranges. But if we insist on comparing which makes the better juice, let's look at how we'd make a database like a directory. We could create a data model with an attributes table, an entries table and so on. We can deconstruct what LDAP data structures really are and implement each type as a table with FK/PK relationships and so on. It's sure to work because there are already so many products on the market doing this very thing. But think about the effort now. How are you going to add new users? A front-end? Stored procedures? Scripts? How are you going to keep someone from seeing things they shouldn't? You have to insert an object into all the right tables to ensure that your data is consistent and valid. In a pure database, you're trying to create ACLs on database rows. Now you're writing a full featured application with a lot of complexity. Given enough directory features, the database isn't going to be able to do everything without an external application.
  What is the point of LDAP? It's got hierarchy, ACLs, group of unique names functionality and things that are a layer of abstraction above the data store. I love databases but if you start designing out a directory server from scratch you'll realize it's far beyond comparing a user.ldif to a row in a user table. They are similar in appearance but different types of software.
  Edited by: milkfilk on Dec 16, 2008 11:48 AM
  Edited by: milkfilk on Dec 16, 2008 11:54 AM