Modify Active Directory attributes
I have a strange query here -
I am working with a small base of active directory users. Their account properties in active directory has all the information like phone, email, webpage etc. Only recently all of the users migrated to Gmail which means that their username remains same for
ex. firstname.lastname but their email part changed to Gmail.com.
So earlier it was [email protected] & now it
[email protected]
Is there a way I can change just the domain part of their email through Powershell? In otherwords, can I change AD attribute, in this case email without going through them manually.
Thanks in advance.
Assuming you need to modify the mail attribute, this PowerShell V1 script should work. However, I have not tested this:
$Searcher
= New-Object System.DirectoryServices.DirectorySearcher
$Searcher.SearchRoot
= "LDAP://dc=MyDomain,dc=com"
$Searcher.PageSize
= 200
$Searcher.SearchScope
= "subtree"
# Retrieve all objects with an email address using @xyz.com.
$Searcher.Filter =
"(mail=*xyz.com)"
$Searcher.PropertiesToLoad.Add("distinguishedName") >
$Null
$Searcher.PropertiesToLoad.Add("mail") >
$Null
$Results =
$Searcher.FindAll()
ForEach ($Result
In $Results)
$DN
= $Result.Properties.Item("distinguishedName")[0]
$Email
= $Result.Properties.Item("mail")[0]
# Modify email address.
$Email
= $Email.Replace("@xyz.com",
"gmail.com")
# Bind to the user object.
$User
= [ADSI]"LDAP://$DN"
# Assign new value.
$User.mail
= $Email.ToString()
$User.SetInfo()
Richard Mueller - MVP Directory Services
Richard,
I need a script which is almost identical to this in Powershell V2 format... are you able to help?
Similar Messages
-
Hey Scripting Guys,
I have been in and out of Powershell last few years, not that great at it tbh !!! I'm looking for advice on how I can as in Title, Create a Powershell script to Scan Active Directory Attributes for Country and Department ,Then add to Group then add to Distribution
list based on Region/Country
I was thinking along the lines of get-aduser -LDAPFilter "(department=SALES France) and adding a where clause for country.
Any help would be great.
DecSo I have tried a few variations but get errors on both
get-aduser -LDAPFilter "(&(department=SALES)(c=us))" | Add-ADPrincipalGroupMembership -MemberOf "testgroup"
get-aduser -LDAPFilter "(&(department=SALES)(c=fr))" | Add-ADGroupMember -identity "testgroup"
Add-ADPrincipalGroupMembership : Object reference not set to an instance of an
object.
At line:1 char:86
+ get-aduser -LDAPFilter "(&(department=SALES)(c=fr))" | Add-ADPrincipalGroupMe
mbership <<<< -MemberOf "testgroup"
+ CategoryInfo : NotSpecified: (:) [Add-ADPrincipalGroupMembershi
p], NullReferenceException
+ FullyQualifiedErrorId : Object reference not set to an instance of an ob
ject.,Microsoft.ActiveDirectory.Management.Commands.AddADPrincipalGroupMem
bership -
Making LDAP calls to update Active directory attributes
Hi,
I see a lot of postings about authenticating using LDAP, Ibut I am trying to make LDAP calls to update Active directory attributes
How can I do this from my BPEL process ? My input xml file will have a list of users whose attributes need to be updated.
I need to query by making LDAP calls and update as needed.
I am a novice to a step by step guidance will be very helpful.
Thanks much!This is really an AD question. Basically the easist way is to expose a web service to do this then BPEL calls that web service. I think later versions of AD do this out of the box.
Otherwise there are many examples on Google using differnt technology.
cheers
James -
Can the universe designer read in Active Directory attributes? I'm trying to apply row-level security to allow members of one group (by department ID, which is stored in an attribute in AD) permission to only view their department's information. Any help would be greatly appreciated. Thank you.
ChrisHi Chris,
You need to have configured AD authentication in the CMC. You can then import the AD group(s) with its users and use the group(s) in the Designer to apply row level restictions.
Hope this helps
Jacques -
Word 2013 and Active Directory attribut
Hi,
I'm working with WS2008R2 SP1 AD and Office standard 2013 and W7 SP1 x64. Our compagny wants to create .dotm/.dotx with automatic fields.
For example, we want that when a user opens a .dotx his name appears automatically. This one is easy it's the {AUTHOR \*MERGEFORMAT}.
But What we want to do is to do the same for the:
- street adress
- email adress
- the job title
All informations are in our Active Directory, but it seems that Word does not read directly the Active Directory info but some cached info on the computer.
So, is there a way or workaround to create some .dotx with the possibility to extrat some AD fields attribut attached with some user and at the end to build a semi automatic doc with the information of the user who has open this .dotx/.dotm?
So far, clues say that I have to write some vba script and 2 kind of solution/workaround:
The first lead is:
To retrieve the user account properties from Active Directory, we have to turn to some VBA scripts, no way to achieve this via any built-in features.
As far as I know, you can bind to the user account object by using the
GetObject function and the LDAP provider.
Then use the GetInfo method to initialize the local cache with attributes of the user account object. This step will ensure that the most up-to-date attribute values of the ADSI object are retrieved.
For example:
Set objUser = GetObject _
("LDAP://...")
objUser.GetInfo
If you want to get this attributes when you create a new document based on a template (.dotx/.dotm), you'll need to use the
AutoNew macro.
the second lead is:
http://heureuxoli.developpez.com/office/word/creermodele/#L2-G
Thank you in advance for any king od answer.
best regardsHello,
Have you tried these two methods? What is the result and what is your decision?
If you're familiar with Visual Studio IDE and .Net Framework, I would recommend that you create a application-level or document-level Add-In for word. Because it's easy to access the AD with managed code, and it's suitable in your case. You can check the
MSDN document here for the related objects you need to use in .Net Framework to access AD:
https://msdn.microsoft.com/en-us/library/gg145037(v=vs.110).aspx
But if you just want to use VBA for Word, this kb article tells you how to do this via ADO connection:
https://support.microsoft.com/kb/187529/en-us?wa=wsignin1.0
If you want to know something about Active Directory itself, then it's not the correct forum, you can open up new thread in the AD forums for help.
Thanks for your understanding.
We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place.
Click
HERE to participate the survey. -
Windows 2003 Active Directory Attribute Editor Tab
My Active Directory does not have an Attribute Editor Tab....how do I add it?
My Active Directory does not have an Attribute Editor Tab....how do I add it?
Bradheld is correct, attribute editor tab was introduced in windows 2008. To view the attribute editor tab from vista/windows 2008 & above for 2000/2003 forest, refer below article.
http://social.technet.microsoft.com/Forums/windowsserver/en-US/6e6ef6bd-b5c9-4f16-b346-097832e3b93c/rsat-and-the-missing-attribute-editor-tab-solution?forum=winserverManagement
Awinish Vishwakarma - MVP
My Blog: awinish.wordpress.com
Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights. -
Portal Active directory attributes mapping
Hi All.
I am trying to map additional fields from the Active Directory to fields located within the Portal User Administration area.
I added the new fields within the XML file dataSourceConfiguration_ads_readonly_db.xml, and then uploaded this file using the config tool.I then configured SAP Portal to use the newly uploaded XML file. I then restarted the SAP Server.
Here is how I added new fields Zip and City to the XML file:
<?xml version="1.0" encoding="UTF-8"?>
<!-- $Id: //shared_tc/com.sapall.security/630_SP_COR/src/_deploy/dist/configuration/shared/dataSourceConfiguration_ads_readonly_db.xml#6 $ from $DateTime: 2004/08/20 09:55:24 $ ($Change: 17140 $) -->
<dataSources>
<dataSource id="PRIVATE_DATASOURCE"
className="com.sap.security.core.persistence.datasource.imp.DataBasePersistence"
isReadonly="false"
isPrimary="true">
<homeFor>
<principals>
<principal type="group"/>
<principal type="user"/>
<principal type="account"/>
<principal type="team"/>
<principal type="ROOT" />
<principal type="OOOO" />
</principals>
</homeFor>
<notHomeFor/>
<responsibleFor>
<principals>
<principal type="group"/>
<principal type="user"/>
<principal type="account"/>
<principal type="team"/>
<principal type="ROOT" />
<principal type="OOOO" />
</principals>
</responsibleFor>
<privateSection>
</privateSection>
</dataSource>
<dataSource id="CORP_LDAP"
className="com.sap.security.core.persistence.datasource.imp.LDAPPersistence"
isReadonly="true"
isPrimary="true">
<homeFor/>
<responsibleFor>
<principal type="account">
<nameSpace name="com.sap.security.core.usermanagement">
<attribute name="j_user"/>
<attribute name="logonalias"/>
<attribute name="j_password"/>
<attribute name="userid"/>
</nameSpace>
<nameSpace name="com.sap.security.core.authentication">
<attribute name="principal"/>
<attribute name="realm"/>
<attribute name="domain"/>
</nameSpace>
</principal>
<principal type="user">
<nameSpace name="com.sap.security.core.usermanagement">
<attribute name="firstname" populateInitially="true"/>
<attribute name="displayname" populateInitially="true"/>
<attribute name="lastname" populateInitially="true"/>
<attribute name="fax"/>
<attribute name="email"/>
<attribute name="title"/>
<attribute name="department"/>
<attribute name="description"/>
<attribute name="mobile"/>
<attribute name="telephone"/>
<attribute name="streetaddress"/>
<attribute name="uniquename" populateInitially="true"/>
<attribute name="Zip"/>
<attribute name="City"/>
</nameSpace>
<nameSpace name="com.sap.security.core.usermanagement.relation">
<attribute name="PRINCIPAL_RELATION_PARENT_ATTRIBUTE"/>
</nameSpace>
<nameSpace name="$usermapping$">
<attribute name="REFERENCE_SYSTEM_USER"/>
</nameSpace>
</principal>
<principal type="group">
<nameSpace name="com.sap.security.core.usermanagement">
<attribute name="displayname" populateInitially="true"/>
<attribute name="description" populateInitially="true"/>
<attribute name="uniquename"/>
</nameSpace>
<nameSpace name="com.sap.security.core.usermanagement.relation">
<attribute name="PRINCIPAL_RELATION_MEMBER_ATTRIBUTE"/>
<attribute name="PRINCIPAL_RELATION_PARENT_ATTRIBUTE"/>
</nameSpace>
<nameSpace name="com.sap.security.core.bridge">
<attribute name="dn"/>
</nameSpace>
</principal>
</responsibleFor>
<attributeMapping>
<principal type="account">
<nameSpace name="com.sap.security.core.usermanagement">
<attribute name="j_user">
<physicalAttribute name="samaccountname"/>
</attribute>
<attribute name="logonalias">
<physicalAttribute name="samaccountname"/>
</attribute>
<attribute name="j_password">
<physicalAttribute name="unicodepwd"/>
</attribute>
<attribute name="userid">
<physicalAttribute name="*null*"/>
</attribute>
</nameSpace>
<nameSpace name="com.sap.security.core.authentication">
<attribute name="principal">
<physicalAttribute name="samaccountname"/>
</attribute>
<attribute name="realm">
<physicalAttribute name="*null*"/>
</attribute>
<attribute name="domain">
<physicalAttribute name="*null*"/>
</attribute>
</nameSpace>
</principal>
<principal type="user">
<nameSpace name="com.sap.security.core.usermanagement">
<attribute name="firstname">
<physicalAttribute name="givenname"/>
</attribute>
<attribute name="displayname">
<physicalAttribute name="displayname"/>
</attribute>
<attribute name="lastname">
<physicalAttribute name="sn"/>
</attribute>
<attribute name="fax">
<physicalAttribute name="facsimiletelephonenumber"/>
</attribute>
<attribute name="uniquename">
<physicalAttribute name="samaccountname"/>
</attribute>
<attribute name="loginid">
<physicalAttribute name="*null*"/>
</attribute>
<attribute name="email">
<physicalAttribute name="mail"/>
</attribute>
<attribute name="mobile">
<physicalAttribute name="mobile"/>
</attribute>
<attribute name="telephone">
<physicalAttribute name="telephonenumber"/>
</attribute>
<attribute name="department">
<physicalAttribute name="ou"/>
</attribute>
<attribute name="description">
<physicalAttribute name="description"/>
</attribute>
<attribute name="streetaddress">
<physicalAttribute name="postalAddress"/>
</attribute>
<attribute name="pobox">
<physicalAttribute name="postofficebox"/>
</attribute>
<attribute name="Zip">
<physicalAttribute name="postalCode"/>
</attribute>
<attribute name="City">
<physicalAttribute name="l"/>
</nameSpace>
<nameSpace name="com.sap.security.core.usermanagement.relation">
<attribute name="PRINCIPAL_RELATION_PARENT_ATTRIBUTE">
<physicalAttribute name="memberof"/>
</attribute>
</nameSpace>
<nameSpace name="$usermapping$">
<attribute name="REFERENCE_SYSTEM_USER">
<physicalAttribute name="sapusername"/>
</attribute>
</nameSpace>
</principal>
<principal type="group">
<nameSpace name="com.sap.security.core.usermanagement">
<attribute name="displayname">
<physicalAttribute name="displayname"/>
</attribute>
<attribute name="description">
<physicalAttribute name="description"/>
</attribute>
<attribute name="uniquename" populateInitially="true">
<physicalAttribute name="cn"/>
</attribute>
</nameSpace>
<nameSpace name="com.sap.security.core.usermanagement.relation">
<attribute name="PRINCIPAL_RELATION_MEMBER_ATTRIBUTE">
<physicalAttribute name="member"/>
</attribute>
<attribute name="PRINCIPAL_RELATION_PARENT_ATTRIBUTE">
<physicalAttribute name="memberof"/>
</attribute>
</nameSpace>
<nameSpace name="com.sap.security.core.bridge">
<attribute name="dn">
<physicalAttribute name="*null*"/>
</attribute>
</nameSpace>
</principal>
</attributeMapping>
<privateSection>
<ume.ldap.access.server_type>MSADS</ume.ldap.access.server_type>
<ume.ldap.access.context_factory>com.sun.jndi.ldap.LdapCtxFactory</ume.ldap.access.context_factory>
<ume.ldap.access.authentication>simple</ume.ldap.access.authentication>
<ume.ldap.access.flat_group_hierachy>true</ume.ldap.access.flat_group_hierachy>
<ume.ldap.access.user_as_account>true</ume.ldap.access.user_as_account>
<ume.ldap.access.dynamic_groups>false</ume.ldap.access.dynamic_groups>
<ume.ldap.access.ssl_socket_factory>com.sap.security.core.server.https.SecureConnectionFactory</ume.ldap.access.ssl_socket_factory>
<ume.ldap.access.objectclass.user>User</ume.ldap.access.objectclass.user>
<ume.ldap.access.objectclass.uacc>User</ume.ldap.access.objectclass.uacc>
<ume.ldap.access.objectclass.grup>Group</ume.ldap.access.objectclass.grup>
<ume.ldap.access.naming_attribute.user>cn</ume.ldap.access.naming_attribute.user>
<ume.ldap.access.auxiliary_naming_attribute.user>samaccountname</ume.ldap.access.auxiliary_naming_attribute.user>
<ume.ldap.access.naming_attribute.uacc>cn</ume.ldap.access.naming_attribute.uacc>
<ume.ldap.access.auxiliary_naming_attribute.uacc>samaccountname</ume.ldap.access.auxiliary_naming_attribute.uacc>
<ume.ldap.access.naming_attribute.grup>cn</ume.ldap.access.naming_attribute.grup>
</privateSection>
</dataSource>
</dataSources>
I am not able to see the values for Zip and City inside the User Administration section of the Portal.
Please advise,
Thanks in advanceHi,
Apart from doing the XML file configuration, you would need to add the custom attributes to the UME.
Kindly read the following link for the same:
http://help.sap.com/saphelp_nw70/helpdata/EN/44/0316d50bbe025ce10000000a1553f7/frameset.htm
Thanks,
GLM -
Handling Active Directory attributes and negativeFilter like !memberof
Hello,
I connected the portal-UME with an active directory. Because of two different pathes I configured two ADs.
The point I don't get is how AD works and how it is used normally.
How can I add an attribute to the user like "active employee"? Is it only possible to use the predefined attributnames or can I choose an own?
Is it possible configure the negativeUser-Filter in a way that I can say that I just want those users that are in group X?
like !memberof?
Thx, VanessaHello SG,
sorry, I don't get the point. I would like to maintain my users and groups via LDAP. When I have to maintain the blocked users in the UME-configuration too, this is to much work and there can be too much mistakes.
I would like to have a AD-group with my portalusers and everybody that is not in this group should be blocked (/not transfered).
Can I do this with the blocked users?
Thx, Vanessa -
Find Active Directory Attributes that are Not Set
I'm trying to generate a report that lists all accounts where the thumbnailPhoto attribute in Active Directory is not set. I've tried using WHERE thumbnailPhoto < 0, WHERE IsNULL({thumbnailPhoto}) and several others with no success. Can anyone point me in the right direction?
Hi,
1) What version of Crystal Reports are you using?
2) Are you using a SQL Query to report against the Active Directory?
3) What is the datatype of the 'thumbnailPhoto' field?
-Abhilash -
IDM / Active Directory : Attributes not geting updated
I am trying to update attributes in my Active Directory Resource, via IDM. But, they are not getting updated.
Before we installed the IDM system in our organization, the Active Directory's "*Department*" field contained previous (old) information.
Now, we want to use IDM to update this information for ALL our employees.
I used the "*Default*" syntax in the IDM User Form, as follows :
*<Field name = 'global.department'>*
*<Display class='Text'>*
*<Property name='Title' value='Department'/>*
*</Display>*
*<Default>*
*<s>Sales Department</s>*
*</Default>*
*</Field>*
Next, I mapped this attribute to the Active Directory "*Department*" field.
However, the new value "*Sales Department*" is not being sent to Active Directory. The old values still remain.
When I tried to do the update directly in AD...........I simply DELETED the old value. And then, I went to IDM to update the employee's account (thereby, I tried to PUSH the new value into AD). But, it did not work. Instead, IDM displayed the following info :
Old value : "empty space"
New value : "old data"
The new data........"*Sales Department*"..........was not being sent to AD.
Next, I simply repeated the update process in AD. But this time, I erased the old data, and wrote "*Sales Department*". Then it worked. AD accepted the new data, and also sent it BACK to idm.
I found this very strange
*(a) why does AD not get updated with the new value from IDM?*
*(b) why does AD reject the new value if the field itself (in AD) is left blank?*
*(c) how can I UPDATE all the employees in Active directory with the new DEFAULT data : "Sales Department"*MichaelSt wrote:
I want IDM to update AD (meaning, the data-flow is from IDM to AD), not the other way round.
Using "*accounts[AD].department*" means that IDM will take its data FROM active directory. I want AD to take info FROM idmSorry but that's incorrect. The global namespace simply maps an attribute to the equivalent accounts[...].attribute name. So global.department would translate to accounts[AD].department and accounts[LDAP].department and accounts[Some Resource].department. (Incidentally, global.department would get set by the first resource IDM reads with a department attribute so it is very possible to read the attribute from AD. AD may simply not be the first one that IDM comes across.)
Setting the individual resource value, as redindian suggested, is a perfectly valid way of pushing attributes to the resource. (Assuming of course you have the attribute marked as writable in the resource configuration.) So technically if you so desired, you could set different values for accounts[LDAP].department and accounts[AD].department and accounts[Some Resource].department which you cannot do if you use the global namespace.
I do this all the time for some of my attributes. For example, some of my resources (usually the really old legacy ones) require an upper case email address while others require lower case addresses. I set different values for accounts[Legacy Resource].email and accounts[Newer Resource].email when I want to push the attribute down to the resource. I also avoid the global namespace like the plague. I've had so many problems with it mapping data incorrectly that it's just easier to set the individual attributes directly.
The attributes set in the accounts[Resource] namespace is a perfectly valid way to both reference attributes on a resource as well as set them.
As has been suggested, don't use a default but rather use an expansion. -
Looking for list of standard Active Directory attributes
Hey all,
where can I find a standard list of active dir attributes? I'm not too familiar with AD, so I'd like to know my standard options which I can query.
I'm going to read all the adler_steven posts, so that should get me a little more aquatinted with JNDI, but I'll be back to ask some more questions!
Thanks,
ryanThanks all.
I got all the info I need.
A main point to keep in mind is that connecting & searching through a OpenLDAP server is much different than connecting to an AD server.
I couldn't find much info on the major differences, so it was tough for me to figure.
A good adsi browser helps more than the typical LDAP browsers that are available. Also, make sure you know of the out-of-the-box settings for AD win 2003 server.
thanks again all!
ryan. -
Need to Pass Active Directory Attributes into OBIEE for use in Report Query
Hi,
We're using OBIEE 11.1.1.5 and have integrated it with AD security. Users successfully log into OBIEE and BIP (which is integrated with OBIEE) using their network/AD accounts.
Next step for us is to be able to pass some AD attributes that are on the user accounts into OBIEE and BIP so we can restrict data queries for the person logged in.
I've searched the web and so far have only come up with specific steps for setting this up in BIP. Since BIP is integrated with OBIEE, we have not set any of the MSAD/LDAP security up there - it is all in OBIEE. I have been unable to find the equivalent for adding the attribute names for data query bind variables.
With our current setup, we are unable to filter the report data automatically based on who has logged into the application (analytics and BIP). We have security setup within the catalog so only certain AD groups can access objects, but beyond that we need to be able to secure the data using AD attribute information. For example, all of our users should be able to access an Open Purchase Order report, but they should only be able to see their own purchase orders - not everyone in the company.
Anyway, we're looking to be able to pass AD attributes into OBIEE so that we can use this data in our Analytics and BIP queries.
How can we get this setup?
Thank you in advance!
SuzanneA fairly common problem, see:
http://www.williamrobertson.net/documents/comma-separated.html
http://www.oracle-base.com/articles/misc/DynamicInLists.php
http://tkyte.blogspot.com/2006/06/varying-in-lists.html -
Sccm 2012 extent the active directory schema error
Hello
I am experiecing an issue when attempting to extend my AD Schema for SCCM 2012
<12-10-2014 20:04:33> Modifying Active Directory Schema - with SMS extensions.
<12-10-2014 20:04:33> DS Root:CN=Schema,CN=Configuration,DC=,DC=com
<12-10-2014 20:04:33> Failed to create attribute cn=MS-SMS-Site-Code. Error code = 8224.
<12-10-2014 20:04:33> Failed to create attribute cn=mS-SMS-Assignment-Site-Code. Error code = 8224.
<12-10-2014 20:04:33> Failed to create attribute cn=MS-SMS-Site-Boundaries. Error code = 8224.
<12-10-2014 20:04:33> Failed to create attribute cn=MS-SMS-Roaming-Boundaries. Error code = 8224.
<12-10-2014 20:04:33> Failed to create attribute cn=MS-SMS-Default-MP. Error code = 8224.
<12-10-2014 20:04:33> Failed to create attribute cn=mS-SMS-Device-Management-Point. Error code = 8224.
<12-10-2014 20:04:33> Failed to create attribute cn=MS-SMS-MP-Name. Error code = 8224.
<12-10-2014 20:04:33> Failed to create attribute cn=MS-SMS-MP-Address. Error code = 8224.
<12-10-2014 20:04:33> Failed to create attribute cn=mS-SMS-Health-State. Error code = 8224.
<12-10-2014 20:04:33> Failed to create attribute cn=mS-SMS-Source-Forest. Error code = 8224.
<12-10-2014 20:04:33> Failed to create attribute cn=MS-SMS-Ranged-IP-Low. Error code = 8224.
<12-10-2014 20:04:33> Failed to create attribute cn=MS-SMS-Ranged-IP-High. Error code = 8224.
<12-10-2014 20:04:33> Failed to create attribute cn=mS-SMS-Version. Error code = 8224.
<12-10-2014 20:04:33> Failed to create attribute cn=mS-SMS-Capabilities. Error code = 8224.
<12-10-2014 20:04:33> Failed to create class cn=MS-SMS-Management-Point. Error code = 8202.
<12-10-2014 20:04:33> Failed to create class cn=MS-SMS-Server-Locator-Point. Error code = 8202.
<12-10-2014 20:04:33> Failed to create class cn=MS-SMS-Site. Error code = 8202.
<12-10-2014 20:04:33> Failed to create class cn=MS-SMS-Roaming-Boundary-Range. Error code = 8202.
<12-10-2014 20:04:33> Failed to extend the Active Directory schema, please find details in "C:\ExtADSch.log".
any one help me to fix this issueHi,
It is most likley due to a replication Issue in your AD, check the previous thread on the topic:https://social.technet.microsoft.com/Forums/systemcenter/en-US/1d377109-4fa9-4608-8a3a-cefd436e82ee/error-8224-when-extending-active-directory-schema
Make sure that all replication issues are solved and try again.
Regards,
Jörgen
-- My System Center blog ccmexec.com -- Twitter
@ccmexec -
Active Directory cn field not updated from sap HR using ldap.
Hi,
Apologies if this is in the wrong forum area.
I am using the LDAP facility to create and modify Active Directory records from sap HR. Initially, the name field cn that was coming across into AD was in the format of the logical system and employee number, eg, RD4CLNT22000000711.
I then implemented the BADI HRLDAP_ATTRIBUTES which then changed this name field cn in the active directory listing to the format; surname, forename.
It works fine when I create a new user, however the problem comes when I update the persons name in the sap hr module. The data that comes across into Active Directory shows the change to the persons surname sn, forename and displayname fields is there but the cn field is still showing as the previous name.
In short, when a new user is created, the cn field in active directory is correct
(surname, forename) but when the employees name is modified, that change is not brought across to the cn field even though the surname, forename and displayname fields are updated correctlyon AD.
We are on release 4.70.
Anyway, if anyone could help I would be very grateful.
Thanks
DavidHi
The problem it is causing us is that the cn field is incorrect and does not mirror the change in sap HR, therefore the Active Directory entry for the employee is not totally accurate.
When an employee changes their name in SAP HR - usually their surname, we would then want to update the employees active directory account to show this change and this includes the cn field also. At the moment the firstname, lastname fields do get updated with the change so we would want the cn field to show this as well otherwise the cn field would be incorrect and not match up with the employee's AD firstname & lastname fields.
Dave -
Add more than one value in info attribute (Active Directory)
Hello Guys, good evening!
Please, maybe you can help us.
We have a co-worker and she is visually impaired. So we think use the power shell, because the software "Jaws" can read the command line without problems.
One of her responsabilities is disable users and add some information at the field "info" in Active Directory
If this field is empty the script below works fine
Set-ADUser -Identity john.silva -Enabled $False -add @{info="User disabled Ticket 12345"}
But when this field has another information (example: User created Ticket 00123, User modified Ticket 01234), we receive the message: "Set-ADUser : The specified directory service attribute or value already exists"
If we change the string "-add" to "-replace", works fine, but we lost the previous information
Are there some way to keep the previous information and add a new information?
Thanks in advance
Att,
Andersoninfo is not a multi-valued property, so the only way you would be able to keep multiple pieces of information in that attribute is by using a separator character (e.g., ";").
You can, however, read the existing value, append a string to the end of it, and then write it back. Example:
PS C:\> set-aduser kendyer -add @{"info" = "test info 0"}
PS C:\> $info = (get-aduser kendyer -properties info).info
PS C:\> $info
test info 0
PS C:\> $info += ";test info 1"
PS C:\> $info
test info 0;test info 1
PS C:\> set-aduser kendyer -replace @{"info" = $info}
PS C:\> (get-aduser kendyer -properties info).info
test info 0;test info 1
-- Bill Stewart [Bill_Stewart]
Maybe you are looking for
-
Problems after upgrading to v6
I've seen similar posts around and have followed the standard recomendations but no dice. Since i upgraded to 6, itunes will not detect my Ipod or my Moto SLVR w/ Itunes, even though windows detects both of them. I had no problems before the upgrade.
-
Hello Experts, I am using cl_salv_table=>factory to display ALV grid. Now I also want to attach f4 help in one of the field of ALV grid. I am unable to locate any event or method. Please help.
-
Working with WMV's (yes, I know about Flip)
Is it best to convert WMV's to .mov before placing into the timeline to edit? I am editing a video in FCP 5 and have the unfortunate luck of having been given all WMV's, DOZENS of them. I have gotten halfway through converting them to .mov (using Fli
-
Using Skype to call canada while traveling in asia
I am not sure if there is an appropriate skype service for me to use while I travel in Asia (Seoul, Hong Kong, Japan). I will be calling and receiving calls from Canada. Also, do all services require that I am conncected to wifi when making/receiving
-
Hi, I know we can trigger an alert which will send an email to a recipient on some condition, just want to know can we send an attachment with that, or if not possible then a link to URL to directly open the attachment in webui ? Rgds, Shobhit