Querying deleted objects container in Active Directory using JNDI

Similar Messages

• Cfldap and deleted objects container in Active Directory

  Hello,
  I am trying to use a CFLDAP query to bind and search in the
  Deleted Objects container of Active Directory. This would allow me
  to get the sAMAccountname values of the users who have been deleted
  within the last default 60 days (searching tombstone objects in
  Deleted Objects).
  I have tried various methods including <cfldap
  start="CN=Deleted Objects, DC=<domain>, DC=<com>> (I
  am omitting the rest of the CFLDAP attributes in the example
  above). I'm not sure if CFLDAP can even query the deleted objects
  container. Has anyone had any experience with this?
  Thanks,
  Ben

  Hi Michael,
  Thanks for your help! I have however already explored those
  solutions offered by Microsoft. Sadly, they only work in separate
  programs (i.e. ldap.exe which comes with Windows Server tools).
  After lots of research I have found a Java method that can bind
  with the container and return the results. CFLDAP, I'm afraid is
  just not capable of doing this - or at least I have had no luck
  with it (I was connecting as domain admin btw).
  The challenge now is to get the Java class to communicate
  with the rest of my cf code.
  Thanks again,
  Ben

• Creating MailBox-enabled Users In Active Directory Using JNDI

  Thanks to the Various code samples i have come across in this forum i have been able to use the JNDI API to add a new user to the Microsoft Active directory.
  The user account that was added using a combination of the various code samples was already enabled. but the problem is that the user does not have an Exchange MailBox created/enabled as well.
  When attempts were made to access the users IMAP mailbox from an external webmail client, the following message:
  "No Such Object On The Server"
  Was Recieved.
  I am wondering wether there is an attribute i am missing out. or something.
  i would welcome any suggestions.
  please treat as urgent.
  thank you in anticipation
  Below is the list of attributes i set:
  BasicAttributes ba=new BasicAttributes();
  ba.put(new BasicAttribute("userPrincipalName","[email protected]"));
  ba.put(new BasicAttribute("sAMAccountName","fagu"));
  ba.put(new BasicAttribute("title","Anyhow"));
  ba.put(new BasicAttribute("mail","[email protected]"));
  ba.put(new BasicAttribute("mailNickname","fagu"));
  ba.put(new BasicAttribute("objectClass","user"));
  ba.put(new BasicAttribute("displayName","Festus Agu"));
  ba.put(new BasicAttribute("sn","Agu"));
  ba.put(new BasicAttribute("userAccountControl","66048"));
  //ba.put(new BasicAttribute("unicodePwd ","fagu"));
  ba.put(new BasicAttribute("mDBUseDefaults","TRUE"));
  ba.put(new BasicAttribute("homeMTA","CN=Microsoft MTA,CN=XSOCKET2,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=SocketWorks,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=socketworkscorp,DC=localdomain"));
  ba.put(new BasicAttribute("msExchHomeServerName", "/o=SocketWorks/ou=First Administrative Group/cn=Configuration/cn=Servers/cn=XSOCKET2"));
  ba.put(new BasicAttribute("distinguishedName","CN=Festus"));

  I am trying to create a MailBox enabled user in AD.I am setting all the attributes that are mentioned above.
  Still i am unable to create a user.I guess i am messing up with password and getting error "javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 00002077: SvcErr: DSID-031D0AAB,
  problem 5003 (WILL_NOT_PERFORM), data 0"
  Is it that SSL is must to create a user.I saw a certificate on Exchange server.But i am using a simple protocal to create a user.
  Please help me with the steps needed to create a user if i have to use SSL or is there is any settings to be turned on the server.
  Thanks!!
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             

• Authentication on Active Directory using JNDI (A Proffessional Appraoch)

  I am using following code for getting authenticated on Active Directory by user logon name.
  Can any one tell me a more proffessional and fool proof appraoch for authenticating a user on Active Dir through my web interface ???
  thanks in advance
  * Created on Nov 10, 2004
  package auth;
  import java.util.Hashtable;
  import javax.naming.AuthenticationException;
  import javax.naming.Context;
  import javax.naming.NamingEnumeration;
  import javax.naming.NamingException;
  import javax.naming.directory.DirContext;
  import javax.naming.directory.InitialDirContext;
  import javax.naming.directory.SearchControls;
  import javax.naming.directory.SearchResult;
  * @author Tushar Agrawal
  * Created On Nov 10, 2004
  public class UserAuthentication {
       public UserAuthentication() {
            super();
       public NamingEnumeration loginToActiveDirectory(
            String logonName,
            String password,
            String domain) {
            boolean success = false;
            NamingEnumeration attrs = null;
            Hashtable env = new Hashtable(11);
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.SECURITY_AUTHENTICATION, "simple");
            env.put(Context.PROVIDER_URL, "ldap://domain:389/dc=SECLORE,dc=com");
            env.put(Context.SECURITY_PRINCIPAL, logonName + "@" + domain);
            env.put(Context.SECURITY_CREDENTIALS, password);
            //env.put(Context.SECURITY_PROTOCOL, "ssl");
            env.put("java.naming.ldap.version", "3");
            env.put(Context.REFERRAL, "follow");
            try {
                 String base = "";
                 DirContext ctx = new InitialDirContext(env);
                 SearchControls controls = new SearchControls();
                 controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
                 controls.setReturningAttributes(
                      new String[] {
                           "sAMAccountName",
                           "userPrincipalName",
                           "displayName",
                           "memberOf",
                           "objectSid",
                           "title" });
                 NamingEnumeration e =
                      ctx.search(base, "sAMAccountName=" + logonName, controls);
                 if (e.hasMore()) {
                      SearchResult r = (SearchResult) e.next();
                      attrs = r.getAttributes().getAll();
                      /*while (attrs.hasMore()) {
                           System.out.println(attrs.next());
                      ctx.close();
            } catch (AuthenticationException e) {
                 System.err.println("Problem getting attribute: " + e);
                 success = false;
            } catch (NamingException e) {
                 System.err.println("Problem getting attribute: " + e);
                 success = false;
            return attrs;
  tushar agrawal

  You''l find more info at :
  http://jakarta.apache.org/tomcat/tomcat-5.5-doc/catalina/funcspecs/fs-jndi-realm.html
  http://jakarta.apache.org/tomcat/tomcat-4.0-doc/realm-howto.html
  That's the right way to do it.

• Arbitration Mailbox is pointing to the Deleted Objects container

  Recently completed a migration from Exchange 2010 to 2013. We are occationally receiving the following message. Could someone point me in the right direction? Thanks!
  Process w3wp.exe (EWS) (PID=10092). Object [CN=_mailgroup,OU=Groups,DC=localdomain,DC=local]. Property [ArbitrationMailbox] is set to value [localdomain.local/Deleted Objects/SystemMailbox{1f05a927-b82d-41fe-b690-eb9b4350207a}
  DEL:e43a17d1-7c97-4ae9-9bfb-17c730878662], it is pointing to the Deleted Objects container in Active Directory. This property should be fixed as soon as possible.

  Hi,
  Please run the Get-Mailbox -Arbitration cmdlet to check result. Make sure these system mailboxes are in existing Exchange server.
  And please check if you can find the object "CN=_mailgroup,OU=Groups,DC=localdomain,DC=local", you can compare this object with another normal object to see if there is any defference on property settings.
  Best regards,
  If you have feedback for TechNet Subscriber Support, contact
  [email protected]
  Belinda Ma
  TechNet Community Support

• Problem in provisioning user from oim to active directory using ssl

  hi,
  problem in provisioning user from oim to active directory using ssl i am getting following error while provisioning user to AD.
  15:18:12,984 ERROR [ADCS] Communication Errorsimple bind failed: 172.16.30.35:636
  15:18:12,984 ERROR [ADCS] The error occured in tcADUtilLDAPController::connectTo
  AvailableAD():simple bind failed: 172.16.30.35:636
  15:18:13,015 ERROR [SERVER] Class/Method: tcProperties/tcProperties encounter so
  me problems: Must set a query before executing
  com.thortech.xl.dataaccess.tcDataSetException: Must set a query before executing
  at com.thortech.xl.dataaccess.tcDataSet.checkExecute(Unknown Source)
  at com.thortech.xl.dataaccess.tcDataSet.executeQuery(Unknown Source)
  at com.thortech.xl.dataobj.tcDataSet.executeQuery(Unknown Source)
  at com.thortech.xl.dataaccess.tcDataSet.executeQuery(Unknown Source)
  at com.thortech.xl.dataobj.tcDataSet.executeQuery(Unknown Source)
  at com.thortech.xl.dataobj.util.tcProperties.<init>(Unknown Source)
  at com.thortech.xl.dataobj.util.tcProperties.initialize(Unknown Source)
  at Thor.API.tcUtilityFactory.getLocalUtility(Unknown Source)
  at Thor.API.tcUtilityFactory.getUtility(Unknown Source)
  at com.thortech.xl.integration.ActiveDirectory.tcADUtilLDAPController.co
  nnectToAvailableNextAD(Unknown Source)
  at com.thortech.xl.integration.ActiveDirectory.tcADUtilLDAPController.se
  archResultPageEnum(Unknown Source)
  at com.thortech.xl.schedule.tasks.ADLookupRecon.performReconciliation(Un
  known Source)
  at com.thortech.xl.schedule.tasks.ADLookupReconTask.execute(Unknown Sour
  ce)
  at com.thortech.xl.scheduler.tasks.SchedulerBaseTask.run(Unknown Source)
  at com.thortech.xl.scheduler.core.quartz.QuartzWrapper$TaskExecutionActi
  on.run(Unknown Source)
  at Thor.API.Security.LoginHandler.jbossLoginSession.runAs(Unknown Source
  at com.thortech.xl.scheduler.core.quartz.QuartzWrapper.execute(Unknown S
  ource)
  at org.quartz.core.JobRunShell.run(JobRunShell.java:203)
  at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.j
  ava:520)
  can any one help.
  Thanks and Regards,
  praveen,

  Are you able to connect to AD over SSL through some LDAP Browser ?
  Check the validity of Certificate ?
  Does your certificate appear in the list ?

• Cannot find the object "CrossRef" in Active Directory

  I am trying to install Lync 2013. I'm getting the following error: Error:
  An error
  occurred: "Microsoft.Rtc.Management.Deployment.ActiveDirectoryException" "Cannot
  find the object "CrossRef" in Active Directory."
  WARNING: Enable-CSAdForest failed.
  This error is at "Step 3: Prepare Current Forest" of the install.

  I've tried to run the forest prep as a local domain and I get the following:
  Creating new log file "C:\Users\administrator.xxx\AppData\Local\Temp\2\Enable-CSAdForest-052cfe14-7f42-4969-88da-83279413ab8c.xml".Enable the Active Directory forest to host Lync Server 2013 deployments.
  Prepare Forest Active Directory settings execution failed on an unrecoverable error.Creating new log file "C:\Users\administrator.xxx\AppData\Local\Temp\2\Enable-CSAdForest-[2013_05_30][13_25_56].html".WARNING:
  Enable-CSAdForest failed.WARNING: Detailed results can be found at "C:\Users\administrator.xxx\AppData\Local\Temp\2\Enable-CSAdForest-[2013_05_30][13_25_56].html".Command
  execution failed: Container CN=Microsoft,CN=Program Data,DC=xxx,DC=local not found

• IDOC : Message Function 003: Delete Object contains message to be deleted.

  Hi,
  I am trying to process a Customer master Icreation DOC (OILDEB06) which has a Message function 003: with the description Delete Object contains message to be deleted.
  I am testing my IDOC, when should I be using this message function.
  If you can detail with the example,
  it does not mark the customer for deletion for sure. when it is recommended to use this message function.
  Thanks
  Regards

  yes   your object was  locked  in the  another session ... please  close  all the  remaining sessions  ...
  and for cross check  in  SM12   tcode   ....see the  lock list  ...delete  all the list  ...
  now you can  delete the object from the  list ..
  it happens  some  times  for all   ... when you work  with multiple sessions.
  reward points  if is is usefull .
  Girish

• Best way to restore "deleted objects" container's ACLs?

  Hi,
  I haven noticed, when using the the LDP for reading the security description of "Deleted Objects" container that LDP returns to me "Error: Security: No Such Attribute <16>". Should it be readable or not? At least all other environments
  I can read it.
  And if it should be readable, then what is the best way to fix it? Take the ownership, and etc... If I take the ownership, then I assume some ACLs are reseted and installations like Exchange and Lync requires domain preparations, right?
  Petri

  > description of "Deleted Objects" container that LDP returns to me
  > "Error: Security: No Such Attribute <16>". Should it be readable or not?
  AFAIK, deleted objects lose their ACL.
  Martin
  Mal ein
  GUTES Buch über GPOs lesen?
  NO THEY ARE NOT EVIL, if you know what you are doing:
  Good or bad GPOs?
  And if IT bothers me - coke bottle design refreshment :))

• How to save HR data in Active Directory using ABAP i.e thru LDAP Connector

  Hi All,
         Can any one please help me out how
         to save HR data in Active directory
         using LDAP Connector ?             
         Please help ASAP as it is very urgent .
  Thanks
  Jitendra

  There are 100 of such scripts are there online.
  here are few tips and codes. you will get more.  
  https://gallery.technet.microsoft.com/scriptcenter/Feeding-data-to-Active-0227d15c
  http://blogs.technet.com/b/heyscriptingguy/archive/2012/10/31/use-powershell-to-modify-existing-user-accounts-in-active-directory.aspx
  http://powershell.org/wp/forums/topic/ad-import-csv-update-attributes-script/
  Please mark this as answer if it helps

• How to save hr data in Active directory  using abap

  Hi all
  can any one please help me out how to save hr data in Active directory using LDAP connector
  please help as this is very urgent requirement
  thanks in advance
  Thanks
  Chanti

  What form do you have the user's name in ?
  ANTIPODES\alberteString searchFilter = "(&(objectClass=user)(samAccountName=alberte))";[email protected] searchFilter = "(&(objectClass=user)(userPrincipalName=[email protected]))";Albert EinsteinString searchFilter = (&(objectClass=user)(givenName=Albert)(sn=Einstein))";or using Ambiguous Name Resolution (anr)String searchFilter = "(&(objectClass=user)(anr=Albert Einstein))";or it's even clever enough to useString searchFilter = "(&(objectClass=user)(anr=Einstein Albert))";

• Please Help.  How can you monitor a directory using jndi connection to a ldap server?

  How can you monitor a directory using jndi connection to a ldap server? I
  want the ldap server to monitor the content change in a file system
  directory on another computer on the network. Can someone please help.
  Thanks
  Fred

  Hi,
  Why do you want to use LDAP for Hard disk monitoring..???
  U can do this by creating a MD5 checksum for all the files existing in some
  perticular
  directory and every hour or any configurable period u can recalculate the
  checksum
  to find out the change in the content.
  I guess all u need is to get the code for "updatedb" utility of Linux and
  instrument it for ur needs..
  Hope it helps...
  -aseem
  mr wrote:
  How can you monitor a directory using jndi connection to a ldap server? I
  want the ldap server to monitor the content change in a file system
  directory on another computer on the network. Can someone please help.
  Thanks
  Fred

• How can I capture delete user event in Active Directory 2008 using Powershell command

  Hi,
  In my Active Directory every user have own home drive in the file server. When I delete user I also need to delete folder from the server. 
  My target is make the process automated, so that when I delete user account form AD, the folder associate with user also delete.
  Can I write any power shell script to grep the delete event  and remove folder from file server.
  Thanks
  Tamim Khan

  You can setup event viewer to provide alerts (email alerts) for event id 630.
  Find an existing Event ID 630 entry, right click on it and "Attach Task To This Event...."
  Follow the wizard.
  ** Event ID Sample **
  Event ID: 630
  Type: Success Audit
  Description: User Account Deleted:
  Target Account Name: %1 Target Domain: %2
  Target Account ID: %3 Caller User Name: %4
  Caller Domain: %5 Caller Logon ID: %6
  Privileges: %7
  - Chris Ream -
  **Remember, if you find a post that is helpful, or is the answer, please mark it appropriately.**

• Add user to Active directory using SAP ABAP

  Hi Experts,
  I am currently working on a security refractor project where we are planning on automating the user creation process in business object and Oracle Hyperion using GRC-BW.
  Our Hyperion user management is based on active directory/LDAP groups.
  So say for example - we have a new user say ABC and in GRC he select the SAP-BW role 'HYP_FINANCE_USA' then I want to write a program in BW which will see who all users are assigned to 'HYP_FINANCE_USA' role and will go an update the active directory distribution list group named 'HYP_FINANCE_USA'.
  Has anyone written a ABAP program or used standard function modules/BADI's etc to add/delete user from active directory/LDAP group ?

  Would you post your code? I have yet to see any working jndi code to add a user to AD. Thanks.

• Farm Account gets Access Denied error when accessing SharePoint Subsites after Account was deleted and recreated in Active Directory .

  A SharePoint Domain Account(farm admin account) was deleted and recreated with the same absolute credentials in AD due to this i cannot navigate to certain sites, not even able to edit web parts and cant view site actions menu.
  The account has full permissions across the site and is a site admin.
  I have tried to import the old login to the new login 
  stsadm -o migrateuser-oldlogin <domain\name>-newlogin <domain\name> [-ignoresidhistory]
  But this did not help as it didnt resolve  the SID's issues.
  I couldn't restore the deleted object(AD acc) too.
  Is there a way that i can use to get this account to work again?
  There option of creating a new domain accout and give it full permissions is not recommened by the client.
  So i must find a to get this account to work again.
  Thank you in Advance.
  Calvin

  Hi,
  I would have a look in Active Directory first. Because a new account can't have same IDs that an old one, your new account can't be used instead of the old one, even if login, password and group memberships seems to be set all the same.
  If your forest functionnal level is 2008R2 or more, and if Active Directory Recycle bin has been enabled, you can probably restore the deleted account.
  you can find the way to restore a deleted account here :
  https://technet.microsoft.com/en-us/library/dd379509%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396
  If your forest is set to a previous functionnal level or the recycle bin is not enabled, you could give a chance to authoritative restore, as described here :
  https://technet.microsoft.com/fr-fr/library/cc816878(v=ws.10).aspx
  hope it helps
  Sébastien