Querying deleted objects container in Active Directory using JNDI
Hi,
I am trying to query deleted objects container using JNDI which fails with error 64.
Has anyone seen this or knows how to query AD using binary data in JNDI.
Seems to me there is some problem with the search base.
search base: <GUID=18E2EA80684F11D2B9AA00C04F79F805,dc=engserver,dc=com>.
filter: objectclass=*
search scope: subtree
This is the error:
Search example failed.
javax.naming.InvalidNameException: <GUID=18E2EA80684F11D2B9AA00C04F79F805,dc=engserver,dc=com>: [LDAP: error code 64 - 00000057: LdapErr: DSID-0C090563, comment: Error processing name, data 0, v893 ]; remaining name '<GUID=18E2EA80684F11D2B9AA00C04F79F805,dc=engserver,dc=com>'
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2802)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2616)
    at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1744)
    at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1667)
    at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:368)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:328)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:313)
    at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:245)
    at jSearch.main(jSearch.java, Compiled Code)
Thanks,
Chetan
I thought I had posted one of these. How remiss of me !

/**
 * deleted.java
 * 5 July 2001
 * Sample JNDI application to search for deleted objects
 * Modified December 2004 to add Win2K3 lastKnownParent
 */
import java.util.Hashtable;
import javax.naming.*;
import javax.naming.ldap.*;
import javax.naming.directory.*;

// Request control 1.2.840.113556.1.4.417 (Show Deleted): asks the DC to include
// tombstones in the results, which are otherwise hidden from ordinary searches.
class DeletedControl implements Control {
    public byte[] getEncodedValue() {
        // the control carries no value
        return new byte[] {};
    }
    public String getID() {
        return "1.2.840.113556.1.4.417";
    }
    public boolean isCritical() {
        return true;
    }
}

public class deleted {
    public static void main (String[] args) {
        Hashtable env = new Hashtable();
        String adminName = "CN=Administrator,CN=Users,DC=ANTIPODES,DC=COM";
        String adminPassword = "XXXXXX";
        String ldapURL = "ldap://mydc.antipodes.com:389";
        env.put(Context.INITIAL_CONTEXT_FACTORY,"com.sun.jndi.ldap.LdapCtxFactory");
        //set security credentials, note using simple cleartext authentication
        env.put(Context.SECURITY_AUTHENTICATION,"simple");
        env.put(Context.SECURITY_PRINCIPAL,adminName);
        env.put(Context.SECURITY_CREDENTIALS,adminPassword);
        //connect to my domain controller
        env.put(Context.PROVIDER_URL,ldapURL);
        try {
            //Create the initial directory context
            LdapContext ctx = new InitialLdapContext(env,null);
            //Create the search controls
            SearchControls searchCtls = new SearchControls();
            //Specify the attributes to return
            String returnedAtts[]={"distinguishedName","lastKnownParent"};
            searchCtls.setReturningAttributes(returnedAtts);
            //Specify the search scope
            searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);
            //specify the LDAP search filter
            String searchFilter = "(&(objectClass=user)(isDeleted=TRUE))";
            //Specify the Base for the search (the domain root, not the Deleted Objects container)
            String searchBase = "DC=antipodes,DC=com";
            //initialize counter to total the results
            int totalResults = 0;
            //specify the Deleted control
            Control[] rqstCtls = new Control[] {new DeletedControl()};
            ctx.setRequestControls(rqstCtls);
            //Search for objects using the filter
            NamingEnumeration answer = ctx.search(searchBase, searchFilter, searchCtls);
            //Loop through the search results
            while (answer.hasMoreElements()) {
                SearchResult sr = (SearchResult)answer.next();
                totalResults++;
                System.out.println(totalResults + ". " + sr.getName().toString());
                // Print out some of the attributes, catch the exception if the attributes have no values
                Attributes attrs = sr.getAttributes();
                if (attrs != null) {
                    try {
                        for (NamingEnumeration ae = attrs.getAll(); ae.hasMore();) {
                            Attribute attr = (Attribute)ae.next();
                            System.out.println("Attribute: " + attr.getID());
                            for (NamingEnumeration e = attr.getAll(); e.hasMore();) {
                                System.out.println(" " + e.next().toString());
                            }
                        }
                    }
                    catch (NullPointerException e) {
                        System.err.println("Problem listing attributes: " + e);
                    }
                }
            }
            System.out.println("Deleted objects: " + totalResults);
            ctx.close();
        }
        catch (NamingException e) {
            System.err.println("Problem searching directory: " + e);
        }
    }
}
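A tombstone returned by the search above is named CN=<original name>\0ADEL:<objectGUID> under CN=Deleted Objects, and the lastKnownParent attribute the sample requests holds the container it was deleted from. The following is an added example, not code from the post; it shows how to take such a DN apart and rebuild the object's pre-deletion DN. The sample DN and parent container are constructed (the GUID is the one quoted in the arbitration-mailbox thread on this page).

```java
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class TombstoneName {

    // Constructed sample tombstone DN, shaped as AD names deleted objects: the original RDN
    // value, a newline (escaped as \0A in the string form) and DEL:<objectGUID>, re-parented
    // under CN=Deleted Objects.
    static final String SAMPLE_TOMBSTONE_DN =
        "CN=Albert Einstein\\0ADEL:e43a17d1-7c97-4ae9-9bfb-17c730878662,"
        + "CN=Deleted Objects,DC=antipodes,DC=com";
    // Constructed value of the lastKnownParent attribute the sample above asks for.
    static final String SAMPLE_LAST_KNOWN_PARENT = "OU=Physics,DC=antipodes,DC=com";

    /** What a tombstone DN plus lastKnownParent tells us about the deleted object. */
    static final class Tombstone {
        final String originalName;   // RDN value before deletion
        final String objectGuid;     // GUID after DEL:, the object's objectGUID
        final String originalDn;     // DN the object had before it was deleted
        Tombstone(String originalName, String objectGuid, String originalDn) {
            this.originalName = originalName;
            this.objectGuid = objectGuid;
            this.originalDn = originalDn;
        }
    }

    /**
     * Takes the DN of a tombstone apart and rebuilds its pre-deletion DN.
     * Throws IllegalArgumentException for a DN that is not tombstone-shaped.
     */
    static Tombstone parse(String tombstoneDn, String lastKnownParent) throws InvalidNameException {
        LdapName name = new LdapName(tombstoneDn);
        // LdapName indexes right to left: index 0 is DC=com, the last index is the leaf RDN
        Rdn leaf = name.getRdn(name.size() - 1);
        // getValue() unescapes the RDN, so the \0A becomes a real newline character
        String value = leaf.getValue().toString();
        int marker = value.indexOf("\nDEL:");
        if (marker < 0) {
            throw new IllegalArgumentException("not a tombstone RDN: " + tombstoneDn);
        }
        String originalName = value.substring(0, marker);
        String guid = value.substring(marker + "\nDEL:".length());
        // Rdn.escapeValue re-applies DN escaping (commas, plus signs, quotes ...) to the name
        String originalDn = leaf.getType() + "=" + Rdn.escapeValue(originalName)
            + "," + lastKnownParent;
        return new Tombstone(originalName, guid, originalDn);
    }

    public static void main(String[] args) throws InvalidNameException {
        Tombstone t = parse(SAMPLE_TOMBSTONE_DN, SAMPLE_LAST_KNOWN_PARENT);
        System.out.println("original name: " + t.originalName);
        System.out.println("objectGUID:    " + t.objectGuid);
        System.out.println("original DN:   " + t.originalDn);
    }
}
```

For the sample input the rebuilt DN is CN=Albert Einstein,OU=Physics,DC=antipodes,DC=com; on real output, feed parse() the value of sr.getNameInNamespace() and the lastKnownParent attribute of each result.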
Similar Messages
-
Cfldap and deleted objects container in Active Directory
Hello,
I am trying to use a CFLDAP query to bind and search in the
Deleted Objects container of Active Directory. This would allow me
to get the sAMAccountname values of the users who have been deleted
within the last default 60 days (searching tombstone objects in
Deleted Objects).
I have tried various methods including <cfldap
start="CN=Deleted Objects, DC=<domain>, DC=<com>> (I
am omitting the rest of the CFLDAP attributes in the example
above). I'm not sure if CFLDAP can even query the deleted objects
container. Has anyone had any experience with this?
Thanks,
Ben

Hi Michael,
Thanks for your help! I have however already explored those
solutions offered by Microsoft. Sadly, they only work in separate
programs (i.e. ldap.exe which comes with Windows Server tools).
After lots of research I have found a Java method that can bind
with the container and return the results. CFLDAP, I'm afraid is
just not capable of doing this - or at least I have had no luck
with it (I was connecting as domain admin btw).
The challenge now is to get the Java class to communicate
with the rest of my cf code.
Thanks again,
Ben -
Creating MailBox-enabled Users In Active Directory Using JNDI
Thanks to the various code samples I have come across in this forum I have been able to use the JNDI API to add a new user to Microsoft Active Directory.
The user account that was added using a combination of the various code samples was already enabled, but the problem is that the user does not have an Exchange mailbox created/enabled as well.
When attempts were made to access the user's IMAP mailbox from an external webmail client, the following message was received:
"No Such Object On The Server"
I am wondering whether there is an attribute I am missing out, or something.
I would welcome any suggestions.
Please treat as urgent.
Thank you in anticipation.
Below is the list of attributes I set:
    import javax.naming.directory.BasicAttribute;
    import javax.naming.directory.BasicAttributes;

    // attributes for the new user entry (the entry itself is added with ctx.createSubcontext)
    BasicAttributes ba = new BasicAttributes();
    ba.put(new BasicAttribute("userPrincipalName","[email protected]"));
    ba.put(new BasicAttribute("sAMAccountName","fagu"));
    ba.put(new BasicAttribute("title","Anyhow"));
    ba.put(new BasicAttribute("mail","[email protected]"));
    ba.put(new BasicAttribute("mailNickname","fagu"));
    ba.put(new BasicAttribute("objectClass","user"));
    ba.put(new BasicAttribute("displayName","Festus Agu"));
    ba.put(new BasicAttribute("sn","Agu"));
    ba.put(new BasicAttribute("userAccountControl","66048"));
    //ba.put(new BasicAttribute("unicodePwd ","fagu"));
    ba.put(new BasicAttribute("mDBUseDefaults","TRUE"));
    ba.put(new BasicAttribute("homeMTA","CN=Microsoft MTA,CN=XSOCKET2,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=SocketWorks,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=socketworkscorp,DC=localdomain"));
    ba.put(new BasicAttribute("msExchHomeServerName", "/o=SocketWorks/ou=First Administrative Group/cn=Configuration/cn=Servers/cn=XSOCKET2"));
    ba.put(new BasicAttribute("distinguishedName","CN=Festus"));

I am trying to create a mailbox-enabled user in AD. I am setting all the attributes that are mentioned above.
Still I am unable to create a user. I guess I am messing up with the password and getting the error "javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 00002077: SvcErr: DSID-031D0AAB,
problem 5003 (WILL_NOT_PERFORM), data 0"
Is it that SSL is a must to create a user? I saw a certificate on the Exchange server, but I am using the simple protocol to create a user.
Please help me with the steps needed to create a user if I have to use SSL, or whether there are any settings to be turned on on the server.
Thanks!!
-
Authentication on Active Directory using JNDI (A Professional Approach)
I am using the following code for getting authenticated on Active Directory by user logon name.
Can anyone tell me a more professional and foolproof approach for authenticating a user on Active Directory through my web interface???
Thanks in advance.
/*
 * Created on Nov 10, 2004
 */
package auth;

import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/**
 * @author Tushar Agrawal
 * Created On Nov 10, 2004
 */
public class UserAuthentication {
    public UserAuthentication() {
        super();
    }

    // binds to AD as logonName@domain with the supplied password, then looks the user up
    public NamingEnumeration loginToActiveDirectory(
        String logonName,
        String password,
        String domain) {
        boolean success = false;
        NamingEnumeration attrs = null;
        Hashtable env = new Hashtable(11);
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.PROVIDER_URL, "ldap://domain:389/dc=SECLORE,dc=com");
        env.put(Context.SECURITY_PRINCIPAL, logonName + "@" + domain);
        env.put(Context.SECURITY_CREDENTIALS, password);
        //env.put(Context.SECURITY_PROTOCOL, "ssl");
        env.put("java.naming.ldap.version", "3");
        env.put(Context.REFERRAL, "follow");
        try {
            String base = "";
            DirContext ctx = new InitialDirContext(env);
            SearchControls controls = new SearchControls();
            controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
            controls.setReturningAttributes(
                new String[] {
                    "sAMAccountName",
                    "userPrincipalName",
                    "displayName",
                    "memberOf",
                    "objectSid",
                    "title" });
            // logonName is concatenated into the filter as-is, without escaping filter metacharacters
            NamingEnumeration e =
                ctx.search(base, "sAMAccountName=" + logonName, controls);
            if (e.hasMore()) {
                SearchResult r = (SearchResult) e.next();
                attrs = r.getAttributes().getAll();
                /*while (attrs.hasMore()) {
                    System.out.println(attrs.next());
                }*/
            }
            ctx.close();
        } catch (AuthenticationException e) {
            System.err.println("Problem getting attribute: " + e);
            success = false;
        } catch (NamingException e) {
            System.err.println("Problem getting attribute: " + e);
            success = false;
        }
        return attrs;
    }
}
tushar agrawal

You'll find more info at:
http://jakarta.apache.org/tomcat/tomcat-5.5-doc/catalina/funcspecs/fs-jndi-realm.html
http://jakarta.apache.org/tomcat/tomcat-4.0-doc/realm-howto.html
That's the right way to do it.
-
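Two things a reviewer would want changed in the routine posted in this thread: the logon name goes into the search filter unescaped, so a name containing filter metacharacters changes what the filter matches, and a simple bind with an empty password is treated by AD as an anonymous bind and succeeds. The following is an added example, not code from the poster; it escapes the assertion value per RFC 4515 and adds the pre-bind check. The sample names are constructed.

```java
import java.nio.charset.StandardCharsets;

public class SafeUserLookup {

    /**
     * Escapes one assertion value per RFC 4515 so that a user-supplied string can only
     * ever be matched as a value and cannot change the structure of the filter.
     */
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (byte b : value.getBytes(StandardCharsets.UTF_8)) {
            int c = b & 0xff;
            // '*', '(', ')', '\' and NUL are filter metacharacters; non-ASCII bytes are
            // written as \XX UTF-8 octets, as the RFC requires
            if (c == '*' || c == '(' || c == ')' || c == '\\' || c == 0 || c >= 0x80) {
                sb.append('\\').append(String.format("%02x", c));
            } else {
                sb.append((char) c);
            }
        }
        return sb.toString();
    }

    /** The lookup filter of the posted routine, with the logon name escaped. */
    static String userFilter(String logonName) {
        return "(&(objectClass=user)(sAMAccountName=" + escapeFilterValue(logonName) + "))";
    }

    /**
     * Precheck before the simple bind: AD treats a simple bind with an empty password as
     * an anonymous bind, which succeeds without proving anything about the user.
     */
    static boolean credentialsAreUsable(String logonName, String password) {
        return logonName != null && !logonName.trim().isEmpty()
            && password != null && !password.isEmpty();
    }

    public static void main(String[] args) {
        // constructed inputs: a plain name, a lone wildcard, a name with parentheses, a non-ASCII name
        String[] names = { "alberte", "*", "Smith (Temp)", "müller" };
        for (String n : names) {
            System.out.println("posted form:  sAMAccountName=" + n);
            System.out.println("escaped form: " + userFilter(n));
        }
        System.out.println("empty password usable: " + credentialsAreUsable("alberte", ""));
    }
}
```

Pass userFilter(logonName) to ctx.search() in place of the concatenated string, and only build the context when credentialsAreUsable() returns true.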
Arbitration Mailbox is pointing to the Deleted Objects container
Recently completed a migration from Exchange 2010 to 2013. We are occationally receiving the following message. Could someone point me in the right direction? Thanks!
Process w3wp.exe (EWS) (PID=10092). Object [CN=_mailgroup,OU=Groups,DC=localdomain,DC=local]. Property [ArbitrationMailbox] is set to value [localdomain.local/Deleted Objects/SystemMailbox{1f05a927-b82d-41fe-b690-eb9b4350207a}
DEL:e43a17d1-7c97-4ae9-9bfb-17c730878662], it is pointing to the Deleted Objects container in Active Directory. This property should be fixed as soon as possible.

Hi,
Please run the Get-Mailbox -Arbitration cmdlet to check result. Make sure these system mailboxes are in existing Exchange server.
And please check if you can find the object "CN=_mailgroup,OU=Groups,DC=localdomain,DC=local", you can compare this object with another normal object to see if there is any defference on property settings.
Best regards,
Belinda Ma
TechNet Community Support -
Problem in provisioning user from oim to active directory using ssl
hi,
problem in provisioning user from oim to active directory using ssl i am getting following error while provisioning user to AD.
15:18:12,984 ERROR [ADCS] Communication Errorsimple bind failed: 172.16.30.35:636
15:18:12,984 ERROR [ADCS] The error occured in tcADUtilLDAPController::connectToAvailableAD():simple bind failed: 172.16.30.35:636
15:18:13,015 ERROR [SERVER] Class/Method: tcProperties/tcProperties encounter some problems: Must set a query before executing
com.thortech.xl.dataaccess.tcDataSetException: Must set a query before executing
    at com.thortech.xl.dataaccess.tcDataSet.checkExecute(Unknown Source)
    at com.thortech.xl.dataaccess.tcDataSet.executeQuery(Unknown Source)
    at com.thortech.xl.dataobj.tcDataSet.executeQuery(Unknown Source)
    at com.thortech.xl.dataaccess.tcDataSet.executeQuery(Unknown Source)
    at com.thortech.xl.dataobj.tcDataSet.executeQuery(Unknown Source)
    at com.thortech.xl.dataobj.util.tcProperties.<init>(Unknown Source)
    at com.thortech.xl.dataobj.util.tcProperties.initialize(Unknown Source)
    at Thor.API.tcUtilityFactory.getLocalUtility(Unknown Source)
    at Thor.API.tcUtilityFactory.getUtility(Unknown Source)
    at com.thortech.xl.integration.ActiveDirectory.tcADUtilLDAPController.connectToAvailableNextAD(Unknown Source)
    at com.thortech.xl.integration.ActiveDirectory.tcADUtilLDAPController.searchResultPageEnum(Unknown Source)
    at com.thortech.xl.schedule.tasks.ADLookupRecon.performReconciliation(Unknown Source)
    at com.thortech.xl.schedule.tasks.ADLookupReconTask.execute(Unknown Source)
    at com.thortech.xl.scheduler.tasks.SchedulerBaseTask.run(Unknown Source)
    at com.thortech.xl.scheduler.core.quartz.QuartzWrapper$TaskExecutionAction.run(Unknown Source)
    at Thor.API.Security.LoginHandler.jbossLoginSession.runAs(Unknown Source)
    at com.thortech.xl.scheduler.core.quartz.QuartzWrapper.execute(Unknown Source)
    at org.quartz.core.JobRunShell.run(JobRunShell.java:203)
    at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:520)
can any one help.
Thanks and Regards,
praveen

Are you able to connect to AD over SSL through some LDAP browser?
Check the validity of Certificate ?
Does your certificate appear in the list ? -
Cannot find the object "CrossRef" in Active Directory
I am trying to install Lync 2013. I'm getting the following error:
An error occurred: "Microsoft.Rtc.Management.Deployment.ActiveDirectoryException" "Cannot find the object "CrossRef" in Active Directory."
WARNING: Enable-CSAdForest failed.
This error is at "Step 3: Prepare Current Forest" of the install.

I've tried to run the forest prep as a local domain and I get the following:
Creating new log file "C:\Users\administrator.xxx\AppData\Local\Temp\2\Enable-CSAdForest-052cfe14-7f42-4969-88da-83279413ab8c.xml".
Enable the Active Directory forest to host Lync Server 2013 deployments.
Prepare Forest Active Directory settings execution failed on an unrecoverable error.
Creating new log file "C:\Users\administrator.xxx\AppData\Local\Temp\2\Enable-CSAdForest-[2013_05_30][13_25_56].html".
WARNING: Enable-CSAdForest failed.
WARNING: Detailed results can be found at "C:\Users\administrator.xxx\AppData\Local\Temp\2\Enable-CSAdForest-[2013_05_30][13_25_56].html".
Command execution failed: Container CN=Microsoft,CN=Program Data,DC=xxx,DC=local not found
-
IDOC : Message Function 003: Delete Object contains message to be deleted.
Hi,
I am trying to process a Customer master Icreation DOC (OILDEB06) which has a Message function 003: with the description Delete Object contains message to be deleted.
I am testing my IDOC, when should I be using this message function.
If you can detail with the example,
it does not mark the customer for deletion for sure. when it is recommended to use this message function.
Thanks
Regards

Yes, your object was locked in another session ... please close all the remaining sessions ...
and for cross check in SM12 tcode ....see the lock list ...delete all the list ...
now you can delete the object from the list ..
it happens some times for all ... when you work with multiple sessions.
Reward points if it is useful.
Girish -
Best way to restore "deleted objects" container's ACLs?
Hi,
I have noticed, when using LDP to read the security descriptor of the "Deleted Objects" container, that LDP returns "Error: Security: No Such Attribute <16>". Should it be readable or not? At least in all other environments I can read it.
And if it should be readable, then what is the best way to fix it? Take the ownership, and etc... If I take the ownership, then I assume some ACLs are reseted and installations like Exchange and Lync requires domain preparations, right?
Petri

> description of "Deleted Objects" container that LDP returns to me
> "Error: Security: No Such Attribute <16>". Should it be readable or not?
AFAIK, deleted objects lose their ACL.
Martin
Want to read a GOOD book about GPOs?
NO THEY ARE NOT EVIL, if you know what you are doing:
Good or bad GPOs?
And if IT bothers me - coke bottle design refreshment :)) -
How to save HR data in Active Directory using ABAP i.e thru LDAP Connector
Hi All,
Can any one please help me out how
to save HR data in Active directory
using LDAP Connector ?
Please help ASAP as it is very urgent .
Thanks
Jitendra

There are hundreds of such scripts online.
here are few tips and codes. you will get more.
https://gallery.technet.microsoft.com/scriptcenter/Feeding-data-to-Active-0227d15c
http://blogs.technet.com/b/heyscriptingguy/archive/2012/10/31/use-powershell-to-modify-existing-user-accounts-in-active-directory.aspx
http://powershell.org/wp/forums/topic/ad-import-csv-update-attributes-script/
Please mark this as answer if it helps -
How to save hr data in Active directory using abap
Hi all
can any one please help me out how to save hr data in Active directory using LDAP connector
please help as this is very urgent requirement
thanks in advance
Thanks
Chanti

What form do you have the user's name in?
ANTIPODES\alberte
    String searchFilter = "(&(objectClass=user)(samAccountName=alberte))";
[email protected]
    String searchFilter = "(&(objectClass=user)(userPrincipalName=[email protected]))";
Albert Einstein
    String searchFilter = "(&(objectClass=user)(givenName=Albert)(sn=Einstein))";
or using Ambiguous Name Resolution (anr)
    String searchFilter = "(&(objectClass=user)(anr=Albert Einstein))";
or it's even clever enough to use
    String searchFilter = "(&(objectClass=user)(anr=Einstein Albert))";
-
Please Help. How can you monitor a directory using jndi connection to a ldap server?
How can you monitor a directory using jndi connection to a ldap server? I
want the ldap server to monitor the content change in a file system
directory on another computer on the network. Can someone please help.
Thanks
Fred

Hi,
Why do you want to use LDAP for Hard disk monitoring..???
U can do this by creating a MD5 checksum for all the files existing in some
perticular
directory and every hour or any configurable period u can recalculate the
checksum
to find out the change in the content.
I guess all u need is to get the code for "updatedb" utility of Linux and
instrument it for ur needs..
Hope it helps...
-aseem
-
How can I capture delete user event in Active Directory 2008 using Powershell command
Hi,
In my Active Directory every user have own home drive in the file server. When I delete user I also need to delete folder from the server.
My target is make the process automated, so that when I delete user account form AD, the folder associate with user also delete.
Can I write any power shell script to grep the delete event and remove folder from file server.
Thanks
Tamim Khan

You can set up Event Viewer to provide alerts (email alerts) for event ID 630.
Find an existing Event ID 630 entry, right click on it and "Attach Task To This Event...."
Follow the wizard.
** Event ID Sample **
Event ID: 630
Type: Success Audit
Description: User Account Deleted:
Target Account Name: %1 Target Domain: %2
Target Account ID: %3 Caller User Name: %4
Caller Domain: %5 Caller Logon ID: %6
Privileges: %7
- Chris Ream -
-
Add user to Active directory using SAP ABAP
Hi Experts,
I am currently working on a security refactor project where we are planning on automating the user creation process in Business Objects and Oracle Hyperion using GRC-BW.
Our Hyperion user management is based on Active Directory/LDAP groups.
So, for example, we have a new user, say ABC, and in GRC he selects the SAP-BW role 'HYP_FINANCE_USA'; then I want to write a program in BW which will see which users are assigned to the 'HYP_FINANCE_USA' role and will go and update the Active Directory distribution list group named 'HYP_FINANCE_USA'.
Has anyone written an ABAP program or used standard function modules/BADIs etc. to add/delete a user from an Active Directory/LDAP group?

Would you post your code? I have yet to see any working JNDI code to add a user to AD. Thanks.
-
A SharePoint Domain Account(farm admin account) was deleted and recreated with the same absolute credentials in AD due to this i cannot navigate to certain sites, not even able to edit web parts and cant view site actions menu.
The account has full permissions across the site and is a site admin.
I have tried to import the old login to the new login
stsadm -o migrateuser -oldlogin <domain\name> -newlogin <domain\name> [-ignoresidhistory]
But this did not help as it didn't resolve the SID issues.
I couldn't restore the deleted object (AD account) either.
Is there a way that I can use to get this account to work again?
The option of creating a new domain account and giving it full permissions is not recommended by the client.
So I must find a way to get this account to work again.
Thank you in Advance.
Calvin

Hi,
I would have a look in Active Directory first. Because a new account can't have the same IDs as an old one, your new account can't be used instead of the old one, even if login, password and group memberships seem to be set all the same.
If your forest functional level is 2008 R2 or higher, and if the Active Directory Recycle Bin has been enabled, you can probably restore the deleted account.
You can find the way to restore a deleted account here:
https://technet.microsoft.com/en-us/library/dd379509%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396
If your forest is set to a previous functional level or the Recycle Bin is not enabled, you could give authoritative restore a chance, as described here:
https://technet.microsoft.com/fr-fr/library/cc816878(v=ws.10).aspx
Hope it helps
Sébastien