Renaming Active Directory object

Hi guys,
I have search all over the internet to find a solution for this, but I didn't find anything ... is there any way to rename an object in AD?
For example:
CN=my user name, CN=Users, DC=myCompany, DC=comneeds to be renamed to:
CN=John Smith, CN=Users, DC=myCompany, DC=comSo I am trying to change the CN, but I can't figure this out!!!
I know that this is possible because Microsoft has this functionality in C#
try
    // Bind to the user object to modify.
    DirectoryEntry child = new DirectoryEntry("LDAP://CN=My User Name,OU=Marketing,DC=fabrikam,DC=com");
    // Rename the object to Jeff Smith.
    child.Rename("CN=New User Name");
catch (Exception Exception1)
    // If a COMException is thrown, then the following code can capture the text of the error.
    // For more information about handling COM exceptions, see Handling Errors.
    System.Runtime.InteropServices.COMException COMEx =
    (System.Runtime.InteropServices.COMException) Exception1;
    Console.WriteLine(COMEx.ErrorCode);
)Thanks in advance

Of course there is a way to rename an Active Driectory object !
You obviously didn't search very thoroughly, else you would have at least looked up the JNDI tutorial in which you would have found context.rename()
Renaming an object is similar to a move operation as described in a previous post http://forum.java.sun.com/thread.jspa?threadID=628913&tstart=15
Again assuming you have an initial context, the code would sort of look likeString oldUserName = "CN=Albert Einstein";
String newUserName = "CN=Isaac Newton";
String ouPath= "OU=Research,DC=antipodes,DC=com";
LdapContext ouCtx = (LdapContext)ctx.lookup(ouPath);
ouCtx.rename(oldUserName,newUserName);

Similar Messages

[Forum FAQ] Using PowerShell to assign permissions on Active Directory objects

As we all know, the
ActiveDirectoryAccessRule class is used to represent an access control entry (ACE) in the discretionary access control list (DACL) of an Active Directory Domain Services object.
To set the permissions on Active Directory objects, the relevant classes and their enumerations are listed as below:
System.DirectoryServices.ActiveDirectoryAccessRule class:
http://msdn.microsoft.com/en-us/library/system.directoryservices.activedirectoryaccessrule(v=vs.110).aspx
System.DirectoryServices.ActiveDirectoryRights
class:
http://msdn.microsoft.com/en-us/library/system.directoryservices.activedirectoryrights(v=vs.110).aspx
System.Security.AccessControl.AccessControlType class:
http://msdn.microsoft.com/en-us/library/w4ds5h86(v=vs.110).aspx
System.DirectoryServices.ActiveDirectorySecurityInheritance class:
http://msdn.microsoft.com/en-us/library/system.directoryservices.activedirectorysecurityinheritance(v=vs.110).aspx
In this article, we introduce three ways to get and set the ACE on an Active Directory object. In general,
we use Active Directory Service Interfaces (ADSI) or
Active Directory module cmdlets
with the Get-Acl and Set-Acl cmdlets to assign simple permissions on Active Directory objects. In addition, we can use the extended rights and GUID settings to execute
more complex permission settings.
Method 1: Using ADSI
1. Get current permissions of an organization unit (OU)
We can use the PowerShell script below to get current permissions of an organization unit and you just need to define the name of the OU.
$Name = "OU=xxx,DC=com"
$ADObject = [ADSI]"LDAP://$Name"
$aclObject = $ADObject.psbase.ObjectSecurity
$aclList = $aclObject.GetAccessRules($true,$true,[System.Security.Principal.SecurityIdentifier])
$output=@()
foreach($acl in $aclList)
$objSID = New-Object System.Security.Principal.SecurityIdentifier($acl.IdentityReference)
     $info = @{
'ActiveDirectoryRights' = $acl.ActiveDirectoryRights;
'InheritanceType' = $acl.InheritanceType;
'ObjectType' = $acl.ObjectType;
'InheritedObjectType' = $acl.InheritedObjectType;
'ObjectFlags' = $acl.ObjectFlags;
'AccessControlType' = $acl.AccessControlType;
'IdentityReference' = $acl.IdentityReference;
'NTAccount' = $objSID.Translate( [System.Security.Principal.NTAccount] );
'IsInherited' = $acl.IsInherited;
'InheritanceFlags' = $acl.InheritanceFlags;
'PropagationFlags' = $acl.PropagationFlags;
$obj = New-Object -TypeName PSObject -Property $info
$output+=$obj}
$output
In the figure below, you can see the results of running the script above:
Figure 1．
2. Assign a computer object with Full Control permission on an OU
We can use the script below to delegate Full Control permission to the computer objects within an OU:
$SysManObj = [ADSI]("LDAP://OU=test….,DC=com") #get the OU object
$computer = get-adcomputer "COMPUTERNAME" #get the computer object which will be assigned with Full Control permission within an OU
$sid = [System.Security.Principal.SecurityIdentifier] $computer.SID
$identity = [System.Security.Principal.IdentityReference] $SID
$adRights = [System.DirectoryServices.ActiveDirectoryRights] "GenericAll"
$type = [System.Security.AccessControl.AccessControlType] "Allow"
$inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "All"
$ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $identity,$adRights,$type,$inheritanceType #set permission
$SysManObj.psbase.ObjectSecurity.AddAccessRule($ACE)
$SysManObj.psbase.commitchanges()
After running the script above, you can check the computer object in Active Directory Users and Computers (ADUC) and it is under the Security tab in OU Properties.
Method 2: Using Active Directory module with the Get-Acl and Set-Acl cmdlets
You can use the script below to get and assign Full Control permission to a computer object on an OU:
$acl = get-acl "ad:OU=xxx,DC=com"
$acl.access #to get access right of the OU
$computer = get-adcomputer "COMPUTERNAME"
$sid = [System.Security.Principal.SecurityIdentifier] $computer.SID
# Create a new access control entry to allow access to the OU
$identity = [System.Security.Principal.IdentityReference] $SID
$adRights = [System.DirectoryServices.ActiveDirectoryRights] "GenericAll"
$type = [System.Security.AccessControl.AccessControlType] "Allow"
$inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "All"
$ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $identity,$adRights,$type,$inheritanceType
# Add the ACE to the ACL, then set the ACL to save the changes
$acl.AddAccessRule($ace)
Set-acl -aclobject $acl "ad:OU=xxx,DC=com"
Method 3: Using GUID setting
The scripts above can only help us to complete simple tasks, however, we may want to execute more complex permission settings. In this scenario, we can use GUID settings to achieve
that.
The specific ACEs allow an administrator to delegate Active Directory specific rights (i.e. extended rights) or read/write access to a property set (i.e. a named collection of attributes) by
setting ObjectType field in an object specific ACE to the
rightsGuid of the extended right or property set. The delegation can also be created to target child objects of a specific class by setting the
InheritedObjectType field to the schemaIDGuid of the class.
We choose to use this pattern: ActiveDirectoryAccessRule(IdentityReference, ActiveDirectoryRights, AccessControlType, Guid, ActiveDirectorySecurityInheritance, Guid)
You can use the script below to
assign the group object with the permission to change user password on all user objects within an OU.
$acl = get-acl "ad:OU=xxx,DC=com"
$group = Get-ADgroup xxx
$sid = new-object System.Security.Principal.SecurityIdentifier $group.SID
# The following object specific ACE is to grant Group permission to change user password on all user objects under OU
$objectguid = new-object Guid
00299570-246d-11d0-a768-00aa006e0529 # is the rightsGuid for the extended right User-Force-Change-Password (“Reset Password”)
class
$inheritedobjectguid = new-object Guid
bf967aba-0de6-11d0-a285-00aa003049e2 # is the schemaIDGuid for the user
$identity = [System.Security.Principal.IdentityReference] $SID
$adRights = [System.DirectoryServices.ActiveDirectoryRights] "ExtendedRight"
$type = [System.Security.AccessControl.AccessControlType]
"Allow"
$inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "Descendents"
$ace = new-object System.DirectoryServices.ActiveDirectoryAccessRule $identity,$adRights,$type,$objectGuid,$inheritanceType,$inheritedobjectguid
$acl.AddAccessRule($ace)
Set-acl -aclobject $acl "ad:OU=xxx,DC=com"
The figure below shows the result of running the script above:
Figure 2．
In addition, if you want to assign other permissions, you can change the GUID values in the script above. The common GUID values are listed as below:
$guidChangePassword
= new-object Guid ab721a53-1e2f-11d0-9819-00aa0040529b
$guidLockoutTime
= new-object Guid 28630ebf-41d5-11d1-a9c1-0000f80367c1
$guidPwdLastSet
= new-object Guid bf967a0a-0de6-11d0-a285-00aa003049e2
$guidComputerObject
= new-object Guid bf967a86-0de6-11d0-a285-00aa003049e2
$guidUserObject
= new-object Guid bf967aba-0de6-11d0-a285-00aa003049e2
$guidLinkGroupPolicy
= new-object Guid f30e3bbe-9ff0-11d1-b603-0000f80367c1
$guidGroupPolicyOptions
= new-object Guid f30e3bbf-9ff0-11d1-b603-0000f80367c1
$guidResetPassword
= new-object Guid 00299570-246d-11d0-a768-00aa006e0529
$guidGroupObject
= new-object Guid BF967A9C-0DE6-11D0-A285-00AA003049E2
$guidContactObject
= new-object Guid 5CB41ED0-0E4C-11D0-A286-00AA003049E2
$guidOUObject
= new-object Guid BF967AA5-0DE6-11D0-A285-00AA003049E2
$guidPrinterObject
= new-object Guid BF967AA8-0DE6-11D0-A285-00AA003049E2
$guidWriteMembers
    = new-object Guid bf9679c0-0de6-11d0-a285-00aa003049e2
$guidNull
= new-object Guid 00000000-0000-0000-0000-000000000000
$guidPublicInformation
= new-object Guid e48d0154-bcf8-11d1-8702-00c04fb96050
$guidGeneralInformation
= new-object Guid 59ba2f42-79a2-11d0-9020-00c04fc2d3cf
$guidPersonalInformation = new-object Guid 77B5B886-944A-11d1-AEBD-0000F80367C1
$guidGroupMembership
= new-object Guid bc0ac240-79a9-11d0-9020-00c04fc2d4cf
More information:
Add Object Specific ACEs using Active Directory Powershell
http://blogs.msdn.com/b/adpowershell/archive/2009/10/13/add-object-specific-aces-using-active-directory-powershell.aspx
Please click to vote if the post helps you. This can be beneficial to other community members reading the thread.

The ActiveDirectoryAccessRule has more than one constructor, but yes, you've interpreted the one that takes six arguments correctly.
Those GUIDs are different (check just before the first dash). Creating that ACE will create an empty GUID for InheritedObjectType, though, because you're telling it to apply to the Object only ([System.DirectoryServices.ActiveDirectorySecurityInheritance]::None).
Since the ACE will only apply to the object, there's no need to worry about what types of objects will inherit it.
If you've got time, check out
this module. It will let you view the security descriptors in a much friendlier format. Try both version 3.0 and the version 4.0 preview:
Sample version 3.0:
# This is going to be kind of slow, and it will take a few seconds the first time
# you run it because it has to build the list of GUID <--> Property/Class/etc objects
Get-ADGroup GroupY |
Get-AccessControlEntry -ObjectAceType member -InheritedObjectAceType group -ActiveDirectoryRights WriteProperty
# Same as the previous command, except limit it to access granted to GroupX
Get-ADGroup GroupY |
Get-AccessControlEntry -ObjectAceType member -InheritedObjectAceType group -ActiveDirectoryRights WriteProperty -Principal GroupX
Here's version 4.0. It's way faster than 3.0, but it's missing the -ObjectAceType and -InheritedObjectAceType parameters on Get-AccessControlEntry (don't worry, when they come back they'll be better than in 3.0):
Get-ADGroup GroupY |
Get-AccessControlEntry
Get-ADGroup GroupY |
Get-AccessControlEntry -ActiveDirectoryRights WriteProperty
Get-ADGroup GroupY |
Get-AccessControlEntry -ActiveDirectoryRights WriteProperty -Principal GroupX
# You can do a Where-Object filter until the parameters are added back to Get-AccessControlEntry:
Get-ADGroup GroupY |
Get-AccessControlEntry -ActiveDirectoryRights WriteProperty |
where { $_.AccessMask -match "All Prop|member Prop" }
Get-ADGroup GroupY |
Get-AccessControlEntry -ActiveDirectoryRights WriteProperty |
where { $_.ObjectAceType -in ($null, [guid]::Empty, "bf9679c0-0de6-11d0-a285-00aa003049e2") }
Get-ADGroup GroupY |
Get-AccessControlEntry -ActiveDirectoryRights WriteProperty |
where { $_.AccessMask -match "All Prop|member Prop" -and $_.AppliesTo -match "group"}
That's just for viewing. Version 3.0 can add and remove access, or you can use New-AccessControlEntry to replace your call to New-Object, and you can still use Get-Acl and Set-Acl. The benefit to New-AccessControlEntry is that you can do something like this:
New-AccessControlEntry -Principal GroupX -ActiveDirectoryRights WriteProperty -ObjectAceType member -InheritedObjectAceType group #-AppliesTo Object

How to list all the Fields for an Active Directory Object

How do I list all the fields that an Active Directory object contains? I know the most common ones, but would like to enumerate through all the fields and obtain the type of fields and their values...

Here is my complete code - I only put snippets so that the post was not too huge...
Option Explicit
Const ADS_SCOPE_SUBTREE = 2
Const ForReading = 1, ForWriting = 2, ForAppending = 8
Dim adoCommand, adoConnection, adoRecordSet
Dim dtmDate, dtmValue
Dim j
Dim lngBias, lngBiasKey, lngHigh, lngLow, lngValue
Dim objADObject, objClass, objDate, objFile, objFSO, objRootDSE, objShell
Dim pathToScript
Dim strAdsPath, strConfig, strDNSDomain, strHex, strItem, strProperty, strValue
Dim strFilter, strQuery
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objShell = CreateObject("Wscript.Shell")
pathToScript = objShell.CurrentDirectory
Set objFile = objFSO.CreateTextFile(pathToScript & "\TestAD.csv")
' Determine Time Zone bias in local registry.
' This bias changes with Daylight Savings Time.
lngBiasKey = objShell.RegRead("HKLM\System\CurrentControlSet\Control\TimeZoneInformation\ActiveTimeBias")
If (UCase(TypeName(lngBiasKey)) = "LONG") Then
lngBias = lngBiasKey
ElseIf (UCase(TypeName(lngBiasKey)) = "VARIANT()") Then
lngBias = 0
For j = 0 To UBound(lngBiasKey)
lngBias = lngBias + (lngBiasKey(j) * 256^j)
Next
End If
' Determine configuration context and DNS domain from RootDSE object.
Set objRootDSE = GetObject("LDAP://RootDSE")
strConfig = objRootDSE.Get("configurationNamingContext")
strDNSDomain = objRootDSE.Get("defaultNamingContext")
Set adoCommand = CreateObject("ADODB.Command")
Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Open "Active Directory Provider"
adoCommand.ActiveConnection = adoConnection
adoCommand.CommandText = "SELECT * FROM 'LDAP://" & strDNSDomain & "'WHERE objectClass=user'"
adoCommand.Properties("Page Size") = 1000
adoCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
Set adoRecordSet = adoCommand.Execute
Set adoRecordSet = adoCommand.Execute
adoRecordSet.MoveFirst
Do Until adoRecordSet.EOF
strAdsPath = adoRecordSet.Fields("ADsPath").Value
' Bind to Active Directory object specified.
Set objADObject = GetObject(strAdsPath)
Set objClass = GetObject(objADObject.Schema)
' Write which object is grabbed from AD
objFile.Write(Replace(strAdsPath, ",", ";;;"))
' Enumerate mandatory object properties.
For Each strProperty In objClass.MandatoryProperties
On Error Resume Next
strValue = objADObject.Get(strProperty)
If (Err.Number = 0) Then
On Error GoTo 0
If (TypeName(strValue) = "String") Or (TypeName(strValue) = "Long") Or (TypeName(strValue) = "Date") Then
objFile.Write("," & strProperty & "|||" & Replace(CStr(strValue), ",", ";;;"))
ElseIf (TypeName(strValue) = "Byte()") Then
strHex = OctetToHexStr(strValue)
objFile.Write("," & strProperty & "|||" & CStr(strHex))
ElseIf (TypeName(strValue) = "Variant()") Then
For Each strItem In strValue
On Error Resume Next
objFile.Write("," & strProperty & "|||" & Replace(CStr(strItem), ",", ";;;"))
If (Err.Number <> 0) Then
On Error GoTo 0
objFile.Write("," & strProperty & "|||Value cannot be displayed")
End If
On Error GoTo 0
Next
ElseIf (TypeName(strValue) = "Boolean") Then
objFile.Write("," & strProperty & "|||" & CBool(strValue))
Else
objFile.Write("," & strProperty & "|||Type:" & TypeName(strValue))
End If
Else
Err.Clear
sColl = objADObject.GetEx(strProperty)
If (Err.Number = 0) Then
For Each strItem In sColl
objFile.Write("," & strProperty & "|||" & CStr(strItem))
If (Err.Number <> 0) Then
objFile.Write("," & strProperty & "|||Value cannot be displayed")
End If
Next
On Error GoTo 0
Else
Err.Clear
Set objDate = objADObject.Get(strProperty)
If (Err.Number = 0) Then
lngHigh = objDate.HighPart
If (Err.Number = 0) Then
lngLow = objDate.LowPart
If (lngLow < 0) Then
lngHigh = lngHigh + 1
End If
lngValue = (lngHigh * (2 ^ 32)) + lngLow
If (lngValue > 120000000000000000) Then
dtmValue = #1/1/1601# + (lngValue / 600000000 - lngBias) / 1440
On Error Resume Next
dtmDate = CDate(dtmValue)
If (Err.Number <> 0) Then
objFile.Write("," & strProperty & "|||<Never>")
Else
objFile.Write("," & strProperty & "|||" & CStr(dtmDate))
End If
Else
objFile.Write("," & strProperty & "|||" & FormatNumber(lngValue, 0))
End If
Else
objFile.Write("," & strProperty & "|||Value cannot be displayed")
End If
Else
On Error GoTo 0
objFile.Write("," & strProperty)
End If
On Error GoTo 0
End If
End If
Next
' Enumerate optional object properties.
For Each strProperty In objClass.OptionalProperties
On Error Resume Next
strValue = objADObject.Get(strProperty)
If (Err.Number = 0) Then
On Error GoTo 0
If (TypeName(strValue) = "String") Then
objFile.Write("," & strProperty & "|||" & Replace(CStr(strValue), ",", ";;;"))
ElseIf (TypeName(strValue) = "Long") Then
objFile.Write("," & strProperty & "|||" & Replace(CStr(strValue), ",", ";;;"))
ElseIf (TypeName(strValue) = "Date") Then
objFile.Write("," & strProperty & "|||" & Replace(CStr(strValue), ",", ";;;"))
ElseIf (TypeName(strValue) = "Byte()") Then
strHex = OctetToHexStr(strValue)
objFile.Write("," & strProperty & "|||" & CStr(strHex))
ElseIf (TypeName(strValue) = "Variant()") Then
For Each strItem In strValue
On Error Resume Next
objFile.Write("," & strProperty & "|||" & Replace(CStr(strItem), ",", ";;;"))
If (Err.Number <> 0) Then
On Error GoTo 0
objFile.Write("," & strProperty & "|||Value cannot be displayed")
End If
On Error GoTo 0
Next
ElseIf (TypeName(strValue) = "Boolean") Then
objFile.Write("," & strProperty & "|||" & CBool(strValue))
Else
objFile.Write("," & strProperty & "|||Type:" & TypeName(strValue))
End If
Else
Err.Clear
sColl = objADObject.GetEx(strProperty)
If (Err.Number = 0) Then
For Each strItem In sColl
objFile.Write("," & strProperty & "|||" & CStr(strItem))
If (Err.Number <> 0) Then
objFile.Write("," & strProperty & "|||Value cannot be displayed")
End If
Next
On Error GoTo 0
Else
Err.Clear
Set objDate = objADObject.Get(strProperty)
If (Err.Number = 0) Then
lngHigh = objDate.HighPart
If (Err.Number = 0) Then
lngLow = objDate.LowPart
If (lngLow < 0) Then
lngHigh = lngHigh + 1
End If
lngValue = (lngHigh * (2 ^ 32)) + lngLow
If (lngValue > 120000000000000000) Then
dtmValue = #1/1/1601# + (lngValue / 600000000 - lngBias) / 1440
On Error Resume Next
dtmDate = CDate(dtmValue)
If (Err.Number <> 0) Then
objFile.Write("," & strProperty & "|||<Never>")
Else
objFile.Write("," & strProperty & "|||" & CStr(dtmDate))
End If
Else
objFile.Write("," & strProperty & "|||" & lngValue)
End If
Else
objFile.Write("," & strProperty & "|||Value cannot be displayed")
End If
Else
On Error GoTo 0
objFile.Write("," & strProperty & "||| ")
End If
On Error GoTo 0
End If
End If
Next
objFile.WriteLine("")
adoRecordSet.MoveNext
Loop
objFile.Close
' Function to convert OctetString (Byte Array) to a hex string.
Function OctetToHexStr(arrbytOctet)
Dim k
OctetToHexStr = ""
For k = 1 To Lenb(arrbytOctet)
OctetToHexStr = OctetToHexStr _
& Right("0" & Hex(Ascb(Midb(arrbytOctet, k, 1))), 2)
Next
End Function
I have been able to obtain all the Computer, Contact, Group and OU objects without issue with this code...

What is the default Win2000 Active Directory Object Attribute definition for adding users? I'm using the 4.1 Netscape Directory SDK

The Netscape/NDS AddUser implements inetOrgPerson, and some other objects/Attributes not implemented in Active Directory Object Attributes, and I receive errors about the Attributes. Could you tell me the correct Attribute definition for the default DS, to add a user?

Unsure what you mean. iDS 5 implements the inetOrgPerson as of the RFC. It is made of 4 objects top, person, organizationPerson and inetOrgPerson. The user object in MAD using many more MS specifi attributes in the top class. (53 extras)

Active Directory Object Properties

Maybe I am completely missing something, but is there no way to create an array of properties from get-aduser? I need to iterate through the user properties to find certain criteria. Even if I do:
$user = get-aduser $username -properties *
$user.count
The count returns 1. Now, I know it is only 1 user object, but is there a way to iterate through each property?
Thanks!
Tony

Sorry, I have not yet opened a topic and asked a question, I don't know how.
To answer the question "is there a way to iterate through each property?"
Here is one way. It iterates through the properties (of any object) and create the properties
to create a PS-Object
PS C:\>
Function Get-PSObjectFromObject
[CmdletBinding()]
[OutputType([string])]
param
[Parameter(Mandatory=$true,
ValueFromPipeline=$false,
ValueFromPipelineByPropertyName=$false,
ValueFromRemainingArguments=$false,
Position=0,
ParameterSetName='Object')]
[ValidateNotNull()]
[ValidateNotNullOrEmpty()]
[Object]$Object
Try
$Members=Get-Member -InputObject $Object
$ValidPropertyType = @{"{get;set;}"=$True;"{get;}"=$True;}
$ValidReturnType = @{"bool"=$True;"byte"=$True;"string"=$True;"string[]"=$True;
"int"=$True;"int16"=$True;"int32"=$True;"int64"=$True;
"uint"=$True;"uint16"=$True;"uint32"=$True;"uint64"=$True;
"datetime"=$True;"timespan"=$True;
"system.boolean"=$True;"system.byte"=$True;"system.string"=$True;"system.string[]"=$True;
"system.int"=$True;"system.int16"=$True;"system.int32"=$True;"system.int64"=$True;
"system.uint"=$True;"system.uint16"=$True;"system.uint32"=$True;"system.uint64"=$True;
"system.datetime"=$True;"system.timespan"=$True
[string]$String=""
$String=$String+"New-Object PSObject -Property ([Ordered]@{ `r`n"
ForEach ($Member in $Members)
IF ($Member.MemberType -EQ "Property")
[string]$Name=$Member.Name
IF ($Name.Substring(1,1) -NE "_")
IF (-NOT $Name.Contains("-"))
[String[]]$Definition=$Member.Definition.Split(" ")
[string]$PropertyType=$Definition[2]
IF ($ValidPropertyType[$PropertyType])
$ReturnType=$Definition[0]
If ($ValidReturnType[$ReturnType])
$String=$String+" $Name="+"$"+"Object.$Name `r`n"
$String=$String+"}) `r`n"
$String
Catch [System.Exception]
Write-Host $_.Exception.Message
$Object = Get-aduser "Administrator" -Properties *
$PSProperties = Get-PSObjectFromObject $Object
$PSObject = Invoke-Expression $PSProperties
"***********This is PSObject definition"
$PSProperties
"***********This is PSObject"
$PSObject
***********This is PSObject definition
New-Object PSObject -Property ([Ordered]@{
AccountExpirationDate=$Object.AccountExpirationDate
accountExpires=$Object.accountExpires
AccountLockoutTime=$Object.AccountLockoutTime
AccountNotDelegated=$Object.AccountNotDelegated
adminCount=$Object.adminCount
AllowReversiblePasswordEncryption=$Object.AllowReversiblePasswordEncryption
BadLogonCount=$Object.BadLogonCount
badPasswordTime=$Object.badPasswordTime
badPwdCount=$Object.badPwdCount
CannotChangePassword=$Object.CannotChangePassword
CanonicalName=$Object.CanonicalName
City=$Object.City
CN=$Object.CN
codePage=$Object.codePage
Company=$Object.Company
Country=$Object.Country
countryCode=$Object.countryCode
Created=$Object.Created
createTimeStamp=$Object.createTimeStamp
Deleted=$Object.Deleted
Department=$Object.Department
Description=$Object.Description
DisplayName=$Object.DisplayName
DistinguishedName=$Object.DistinguishedName
Division=$Object.Division
DoesNotRequirePreAuth=$Object.DoesNotRequirePreAuth
EmailAddress=$Object.EmailAddress
EmployeeID=$Object.EmployeeID
EmployeeNumber=$Object.EmployeeNumber
Enabled=$Object.Enabled
Fax=$Object.Fax
GivenName=$Object.GivenName
HomeDirectory=$Object.HomeDirectory
HomedirRequired=$Object.HomedirRequired
HomeDrive=$Object.HomeDrive
HomePage=$Object.HomePage
HomePhone=$Object.HomePhone
Initials=$Object.Initials
instanceType=$Object.instanceType
isCriticalSystemObject=$Object.isCriticalSystemObject
isDeleted=$Object.isDeleted
LastBadPasswordAttempt=$Object.LastBadPasswordAttempt
LastKnownParent=$Object.LastKnownParent
lastLogoff=$Object.lastLogoff
lastLogon=$Object.lastLogon
LastLogonDate=$Object.LastLogonDate
lastLogonTimestamp=$Object.lastLogonTimestamp
LockedOut=$Object.LockedOut
logonCount=$Object.logonCount
LogonWorkstations=$Object.LogonWorkstations
Manager=$Object.Manager
MNSLogonAccount=$Object.MNSLogonAccount
MobilePhone=$Object.MobilePhone
Modified=$Object.Modified
modifyTimeStamp=$Object.modifyTimeStamp
Name=$Object.Name
ObjectCategory=$Object.ObjectCategory
ObjectClass=$Object.ObjectClass
Office=$Object.Office
OfficePhone=$Object.OfficePhone
Organization=$Object.Organization
OtherName=$Object.OtherName
PasswordExpired=$Object.PasswordExpired
PasswordLastSet=$Object.PasswordLastSet
PasswordNeverExpires=$Object.PasswordNeverExpires
PasswordNotRequired=$Object.PasswordNotRequired
POBox=$Object.POBox
PostalCode=$Object.PostalCode
PrimaryGroup=$Object.PrimaryGroup
primaryGroupID=$Object.primaryGroupID
ProfilePath=$Object.ProfilePath
ProtectedFromAccidentalDeletion=$Object.ProtectedFromAccidentalDeletion
pwdLastSet=$Object.pwdLastSet
SamAccountName=$Object.SamAccountName
sAMAccountType=$Object.sAMAccountType
ScriptPath=$Object.ScriptPath
sDRightsEffective=$Object.sDRightsEffective
SmartcardLogonRequired=$Object.SmartcardLogonRequired
State=$Object.State
StreetAddress=$Object.StreetAddress
Surname=$Object.Surname
Title=$Object.Title
TrustedForDelegation=$Object.TrustedForDelegation
TrustedToAuthForDelegation=$Object.TrustedToAuthForDelegation
UseDESKeyOnly=$Object.UseDESKeyOnly
userAccountControl=$Object.userAccountControl
UserPrincipalName=$Object.UserPrincipalName
uSNChanged=$Object.uSNChanged
uSNCreated=$Object.uSNCreated
whenChanged=$Object.whenChanged
whenCreated=$Object.whenCreated
***********This is PSObject
AccountExpirationDate :
accountExpires : 9223372036854775807
AccountLockoutTime :
AccountNotDelegated : False
adminCount : 1
AllowReversiblePasswordEncryption : False
BadLogonCount : 0
badPasswordTime : 130524210883000074
badPwdCount : 0
CannotChangePassword : False
CanonicalName : Contoso.com/Users/Administrator
City :
CN : Administrator
codePage : 0
Company :
Country :
countryCode : 0
Created : 6/21/2014 12:48:03 AM
createTimeStamp : 6/21/2014 12:48:03 AM
Deleted :
Department :
Description : Built-in account for administering the computer/domain
DisplayName :
DistinguishedName : CN=Administrator,CN=Users,DC=Contoso,DC=com
Division :
DoesNotRequirePreAuth : False
EmailAddress :
EmployeeID :
EmployeeNumber :
Enabled : True
Fax :
GivenName :
HomeDirectory :
HomedirRequired : False
HomeDrive :
HomePage :
HomePhone :
Initials :
instanceType : 4
isCriticalSystemObject : True
isDeleted :
LastBadPasswordAttempt : 8/13/2014 9:31:28 AM
LastKnownParent :
lastLogoff : 0
lastLogon : 130530452556502145
LastLogonDate : 8/12/2014 2:27:39 AM
lastLogonTimestamp : 130523092594640653
LockedOut : False
logonCount : 714
LogonWorkstations :
Manager :
MNSLogonAccount : False
MobilePhone :
Modified : 8/12/2014 2:27:39 AM
modifyTimeStamp : 8/12/2014 2:27:39 AM
Name : Administrator
ObjectCategory : CN=Person,CN=Schema,CN=Configuration,DC=Contoso,DC=com
ObjectClass : user
Office :
OfficePhone :
Organization :
OtherName :
PasswordExpired : False
PasswordLastSet : 6/14/2014 4:55:33 AM
PasswordNeverExpires : True
PasswordNotRequired : False
POBox :
PostalCode :
PrimaryGroup : CN=Domain Users,CN=Users,DC=Contoso,DC=com
primaryGroupID : 513
ProfilePath :
ProtectedFromAccidentalDeletion : False
pwdLastSet : 130472205339962382
SamAccountName : Administrator
sAMAccountType : 805306368
ScriptPath :
sDRightsEffective : 15
SmartcardLogonRequired : False
State :
StreetAddress :
Surname :
Title :
TrustedForDelegation : False
TrustedToAuthForDelegation : False
UseDESKeyOnly : False
userAccountControl : 66048
UserPrincipalName :
uSNChanged : 113679
uSNCreated : 8196
whenChanged : 8/12/2014 2:27:39 AM
whenCreated : 6/21/2014 12:48:03 AM
PS C:\>
The GUI version of this will be uploaded within a day or two.

Logoncount Attribute on Computer objects in Active Directory

Hello,
I have one question about the logoncount Attribute on Active Directory objects. As I understood on user objects this attribute counts the number of logons per DC (because it is not replicating).
My question is:
What exactly is count here on computer objects?
I can see that on a Domain Controller computer object the logoncount is high for the DC itself and low on the other DC objects.
Thank you.
Regards
Dennis

Here is an old thread. You will see some of the explanation from our own Richard :)
http://www.techtalkz.com/windows-server-2003/500367-attributes-update-during-computer-logon.html
Santhosh Sivarajan | Houston, TX | www.sivarajan.com
ITIL,MCITP,MCTS,MCSE (W2K3/W2K/NT4),MCSA(W2K3/W2K/MSG),Network+,CCNA
Windows Server 2012 Book - Migrating from 2008 to Windows Server 2012
Blogs: Blogs
Twitter: Twitter
LinkedIn: LinkedIn
Facebook: Facebook
Microsoft Virtual Academy:
Microsoft Virtual Academy
This posting is provided AS IS with no warranties, and confers no rights.

SharePoint 2013 profile service account requirements when using "Use SharePoint Active Directory Import" option

Hi All,
I am trying to configure SharePoint Profile service. We would like a straightforward profile import from Active Directory.
On the "Configure Synchronization Settings" page, we have chosen the option "Use SharePoint Active Directory Import" option.
We have created a connection to the Active Directory using Configure Synchronization Connections page. We have specified the account that would be used for the import process.
Question:
I would like to confirm whether the account configured for the profile import need any special privileges when using "Use SharePoint Active Directory Import" option ?
Thanks,
Saurabh

Grant Replicate Directory Changes permission on a domain
To do this please follows below procedure
On the domain controller, click Start, click Administrative Tools, and then click Active Directory Users and Computers.
In Active Directory Users and Computers, right-click the domain, and then click Delegate Control.
On the first page of the Delegation of Control Wizard, click Next.
On the Users or Groups page, click Add.
Type the name of the synchronization account, and then click OK.
Click Next.
On the Tasks to Delegate page, select Create a custom task to delegate, and then click Next.
On the Active Directory Object Type page, select This folder, existing objects in this folder, and creation of new objects in this folder, and then clickNext.
On the Permissions page, in the Permissions box, select Replicating Directory Changes (select Replicate Directory Changes on
Windows Server 2003), and then click Next.
Click Finish.
Thanks & Regards
ShivaPrasad Pola
SharePoint Developer

How to update users to Active Directory using Hyena Active Task List?

Kevin,
thanks for your input. I was able to firgured it out. It need the full path. with the CN=John Doe
Working like a charm!! thx!!

http://www.systemtools.com/HyenaHelp/active_editor.htm"Each Active Directory object is identifiable by its directory path, called the ADsPath. A special symbol, %ADSPATH%, can be inserted in the field order list that can be associated with the directory path in the import file. The ADsPath doesNOThave to be one of the attributes for the directory objects in the Editor if the ADsPath is used as the Key Field in the import file.Using an ADsPath as a match field can be difficult, as it is a long and complex string, and if special characters are used in some directory fields, Active Directory will automatically insert additional special characters into the ADsPath. One method of getting the ADsPath into a file for directory objects is to use Hyena's Edit Copy dialog. A special symbol, %ADSPATH%, can be added to any Active Directory copied...

Exchange trying to resolve external e-mail addresses in local Active Directory

Hi
On all of my Mailbox Database servers, i'm getting the following warning in my Application log:
Level: Warning
Source: MSExchange Mid-Tier Storage
EventID: 2009
Message:
[Process:w3wp PID:6032 Thread:89] Error occurred while resolving the Active Directory object for from email address field: '[email protected]'. Audit log will not be generated for this case. Exception details:
Microsoft.Exchange.Data.Storage.ObjectNotFoundException: The Active Directory user wasn't found.
at Microsoft.Exchange.Data.Storage.ExchangePrincipalFactory.FromProxyAddress(IRecipientSession session, String proxyAddress, RemotingOptions remotingOptions)
at Microsoft.Exchange.Data.Storage.ExchangePrincipalFactory.FromProxyAddress(ADSessionSettings adSettings, String proxyAddress, RemotingOptions remotingOptions)
at Microsoft.Exchange.Data.Storage.ExchangePrincipal.FromProxyAddress(ADSessionSettings adSettings, String proxyAddress)
at Microsoft.Exchange.Data.Storage.COWAudit.GetSubmitEffectiveMailboxOwner(MailboxSession session, CallbackContext callbackContext)
I have three Exchange Server 2013 MBX/CAS servers, and two Exchange Server 2013 Edge Transport servers in front of them.
As mentioned earlier, this warning is on all three of the MBX/CAS servers. The external e-mail address vary.
I've used the Get-MessageTrackingLog to debug, and I can see that this error comes when an internal user sends a "Meeting Forward Notification" to an external e-mail address. Exchange tries to resolve the external e-mail address in Active Directory
and throws this warning, for some reason.
Is there anyone that knows how to fix this?

Hi Allen
Sorry for the late reply.
1. No it's not. It gets the EventID "HADISCARD" and SourceContext "ExplicitlyDiscarded". Here's an example:
RunspaceId : a25e81b2-9f4a-49f2-895b-xxxxxxxxxxxx
Timestamp : 09-02-2015 13:01:02
ClientIp :
ClientHostname :
ServerIp :
ServerHostname : MBX01
SourceContext : ExplicitlyDiscarded
ConnectorId :
Source : SMTP
EventId : HADISCARD
InternalMessageId : 8907762172963
MessageId : <[email protected]>
Recipients : {[email protected]}
RecipientStatus : {}
TotalBytes : 17347
RecipientCount : 1
RelatedRecipientAddress :
Reference :
MessageSubject : Meeting Forward Notification: A subject
Sender : [email protected]
ReturnPath : [email protected]
Directionality : Originating
TenantId :
OriginalClientIp :
MessageInfo :
MessageLatency :
MessageLatencyType : None
EventData : {[DeliveryPriority, None], [PrioritizationReason, ShadowRedundancy]}
2. Yes, and other mails are routed to our Edge Transport Servers, and from there to Office 365 (Exchange Online Protection). It's only occurs when sending Meeting Forward Notifications, Accepting meetings, and so fourth - and it all comes from Outlook 2013
clients (RPC over HTTPS).

Show Active Directory Property Page

Hello everybody,
I hope this topic is published in the correct forum. I try to find the API which shows the native property page of Active Directory objects. If possible with an example (VB.Net)? There exists an similar function named "openquerywindow" which
used by dsquery.dll. Is there a library function that would do this (e.g.
activeds.dll or dsprop.dll)?
Thanks in advance,
Matthias

Hello Matthias,
>> I try to find the API which shows the native property page of Active Directory objects.
I do not quite understand what the native property page of Active Directory objects is, if it means the native Active Directory Service Interfaces (ADSI) object, you then could get it by using
DirectoryEntry class:
DirectoryEntry.NativeObject Property
If not, since it is not very clear what you are trying to query from the active directory, there is a list which you could query from .NET, you could check if there are features that you want:
Search Active Directory
Here is a blog which provides a detail description about how to: Querying Active Directory which I think could be helpful.
Regards.
We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place.
Click
HERE to participate the survey.

Active Directory Domain Services crash after Administrator renames object in Active Directory Users and Computers

Hello.
We have two domain controllers - node1 (Windows 2008 R2) and node2 (Windows 2012 R2). When administrator connects to node2 and tries to rename some object in AD (for example, user) AD Domain Services crashes and reboot server after 60 seconds.
In Events I can see these messages:
Log Name:      Directory Service
Source:        Microsoft-Windows-ActiveDirectory_DomainService
Date:          04.03.2014 12:37:58
Event ID:      1173
Task Category: Internal Processing
Level:         Warning
Keywords:      Classic
User:          domain\admin
Computer:      NODE2.domain.example
Description:
Internal event: Active Directory Domain Services has encountered the following exception and associated parameters.
Exception:
c0000005
Parameter:
0
Additional Data
Error value:
7ffc7c38e45d
Internal ID:
0
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
    <Provider Name="Microsoft-Windows-ActiveDirectory_DomainService" Guid="{0e8478c5-3605-4e8c-8497-1e730c959516}" EventSourceName="NTDS General" />
    <EventID Qualifiers="32768">1173</EventID>
    <Version>0</Version>
    <Level>3</Level>
    <Task>9</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime="2014-03-04T06:37:58.116264800Z" />
    <EventRecordID>881</EventRecordID>
    <Correlation />
    <Execution ProcessID="572" ThreadID="2580" />
    <Channel>Directory Service</Channel>
    <Computer>NODE2.domain.example</Computer>
    <Security UserID="S-1-5-21-3794920928-4165619442-305938157-2047" />
</System>
<EventData>
    <Data>c0000005</Data>
    <Data>7ffc7c38e45d</Data>
    <Data>0</Data>
    <Data>0</Data>
</EventData>
</Event>
Log Name:      Application
Source:        Microsoft-Windows-Wininit
Date:          04.03.2014 12:37:58
Event ID:      1015
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      NODE2.domain.example
Description:
A critical system process, C:\Windows\system32\lsass.exe, failed with status code c0000005. The machine must now be restarted.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
    <Provider Name="Microsoft-Windows-Wininit" Guid="{206f6dea-d3c5-4d10-bc72-989f03c8b84b}" EventSourceName="Wininit" />
    <EventID Qualifiers="49152">1015</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2014-03-04T06:37:58.000000000Z" />
    <EventRecordID>189578</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>Application</Channel>
    <Computer>NODE2.domain.example</Computer>
    <Security />
</System>
<EventData>
    <Data>C:\Windows\system32\lsass.exe</Data>
    <Data>c0000005</Data>
</EventData>
</Event>
Log Name:      Application
Source:        Application Error
Date:          04.03.2014 12:37:58
Event ID:      1000
Task Category: (100)
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      NODE2.domain.example
Description:
Faulting application name: lsass.exe, version: 6.3.9600.16384, time stamp: 0x5215e25f
Faulting module name: ntdsai.dll, version: 6.3.9600.16421, time stamp: 0x524fcaed
Exception code: 0xc0000005
Fault offset: 0x000000000019e45d
Faulting process id: 0x23c
Faulting application start time: 0x01cf3773fe973e1b
Faulting application path: C:\Windows\system32\lsass.exe
Faulting module path: C:\Windows\system32\ntdsai.dll
Report Id: 85cfbe32-a367-11e3-80cc-00155d006724
Faulting package full name:
Faulting package-relative application ID:
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
    <Provider Name="Application Error" />
    <EventID Qualifiers="0">1000</EventID>
    <Level>2</Level>
    <Task>100</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2014-03-04T06:37:58.000000000Z" />
    <EventRecordID>189576</EventRecordID>
    <Channel>Application</Channel>
    <Computer>NODE2.domain.example</Computer>
    <Security />
</System>
<EventData>
    <Data>lsass.exe</Data>
    <Data>6.3.9600.16384</Data>
    <Data>5215e25f</Data>
    <Data>ntdsai.dll</Data>
    <Data>6.3.9600.16421</Data>
    <Data>524fcaed</Data>
    <Data>c0000005</Data>
    <Data>000000000019e45d</Data>
    <Data>23c</Data>
    <Data>01cf3773fe973e1b</Data>
    <Data>C:\Windows\system32\lsass.exe</Data>
    <Data>C:\Windows\system32\ntdsai.dll</Data>
    <Data>85cfbe32-a367-11e3-80cc-00155d006724</Data>
    <Data>
    </Data>
    <Data>
    </Data>
</EventData>
</Event>
In node2 we installed all available updates and hotfixes.

Hi Azamat Hackimov,
Regarding to error messages, it seems that the
ntdsai.dll file caused the issue. Based on current situation, please use
sfc /scannow command to scan protected system files and check if find error and repair. Meanwhile, you can also navigate to the location of this DLL file and confirm details.
In addition, Windows Server 2012 R2 has reboot unexpectedly. Please check if you get some dump file and then analysis it. It may help us to find the root reason. Please refer
to the following KB.
How to read the small dump memory dump file that is created by Windows if a crash occurs.
http://support.microsoft.com/kb/315263/en-us
By the way, it is not effective for us to debug the crash dump file here in the forum. If this issues is a state of emergency for you. Please contact Microsoft Customer Service
and Support (CSS) via telephone so that a dedicated Support Professional can assist with your request.
To obtain the phone numbers for specific technology request, please refer to the web site listed below:
http://support.microsoft.com/default.aspx?scid=fh;EN-US;OfferProPhone#faq607
Hope this helps.
Best regards,
Justin Gu

Is Active Directory's ExtensionAttributes9 a field in user object and how to retrieve it in the class type userprincipal?

Hi, I'm using VS2012.
I want to use this ExtensionAttributes9 field to store date value for each user object. I use UserPrincipal class, a collection of these objects are then bind to a gridview control. Is ExtensionAttributes9 a field in AD user object?
How can I access it and bind to the gridview?
If this field isn't available then what other field can use?
Thank you.
Thank you

UserPrincipal is basically a wrapper around DirectoryEntry:
http://msdn.microsoft.com/en-us/library/system.directoryservices.directoryentry.aspx and only provides a subset of the Active Directory, although the most common, attributes that are available for the user object. The attribute that you
seek is not one of them.
By utilizing the method that I provided you a link to, it will return the underlying DirectoryEntry that was used to build the UserPrincipal object and should allow you to access the attribute that you seek.
It would be greatly appreciated if you would mark any helpful entries as helpful and if the entry answers your question, please mark it with the Answer link.

"Setup encountered a problem while validating the state of Active Directory: Exchange organization-level objects have not been created, and setup cannot create them because the local computer is not in the same domain and site as the schema master. Run se

Team,
I am trying to Install Exchange on my Lab, getting below error
message.
The Schema Role is installed on Root Domain and trying to install
exchange on Child domain.
1 Root Domain - 1 Child domain. both are located on single site.
“Setup encountered a problem while validating
the state of Active Directory: Exchange organization-level objects have not been created, and setup cannot create them because the local computer is not in the same domain and site as the schema master. Run setup with the /prepareAD parameter and wait for
replication to complete.”
Followed below articles:
http://support.risualblogs.com/blog/2012/02/21/exchange-2010-sp2-upgrade-issue-exchange-organization-level-objects-have-not-been-created-and-setup-cannot-create-them-because-the-local-computer-is-not-in-the-same-domain-and-site-as-the-sche/
http://www.petenetlive.com/KB/Article/0000793.htm
transferred the schema roles to different server on root domain, still no luck.
can someone please help me.
regards
Srinivasa k
Srinivasa K

Hi Srinivasa,
I guess, you didn't completed the initial setup schemaprep and adprep before starting the installation. You can do it as follows:
1. Open command Prompt as administrator and browse to the root of installation cd and run Setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms
After finishing this,
2. Setup.exe /PrepareAD /OrganizationName:"<organization name>" /IAcceptExchangeServerLicenseTerms
3. To prepare all domains within the forest run Setup.exe /PrepareAllDomains /IAcceptExchangeServerLicenseTerms. If you want to prepare a specific domain run Setup.exe /PrepareDomain:<FQDN of the domain you want to prepare> /IAcceptExchangeServerLicenseTerms
4. Once you complete all of the 3 steps, install the pre-requisities for Exchange 2013
5. Finally, run the setup program
Hope this will help you
Regards from Visit ExchangeOnline |
Visit WindowsAdmin

Active Directory error message "the following object is not from a domain listed in the Select location forestB\username

Hello Community
    "forestA" is my forest it is a Windows 2008 Server Enterprise Edition
domain controller using Active Directory and the UI.
    In my forest ("forestA") trust relationship I created a "One-Way, Out-going"
forest trust with Forest-Wide authentication so that a different forest user(s) or
group(s) with a different admin in a forest named “forestB” can access the resources in my “forestA”
    But also forestB needs to create a "One-way, Incoming" forest trust so that
I can either add the user(s) or group(s) from “forestB” into to a "Global Security - Group"
in my "forestA" or I can
add user(s) as "domain user(s)" from “forestB” into my "forestA".
    The problem is that when I right click the global group in my forestA and then
properties, when I click "Members" and then the "Add" button when I type
"forestB\username" I get an error message from Active Directory stating:
    "the following object is not from a domain listed in the Select location
dialog box, and is therefore not valid: forestB\username".
    Am I doing something wrong when creating the one-way trust in my
“forestA” or is the one-way trust being created wrong by the other domain admin in the other “forestB”?
    Or could I possibly need to select "Change Domain" or "Change Domain Controller"
before adding the users or Groups to my forestA from forestB?
    That is why I am asking
how do you add an Active Directory user from one forest into another forest?
    Thank you
    Shabeaut

Hello Denis Cooper
    That is the end result.
    What I was trying to do was that I was trying to
bring in the user(s) and group(s) from “forestB” into
my “forestA” Global group.
    Later on I was going to add the user(s) or Global groups(s) that I brought into my dc in my forestA
into the domain local groups on my member servers in my forestA.
    So since the error message is:
"the following object is not from a domain listed in the Select location dialog box, and is therefore not valid: forestB\username".
Does your response
mean only Global group(s) from forestB not domain user(s) from forestB have
to been added to domain local groups in forestA?
Or is it also possible to add Global group(s) from “forestB” to Global group(s) in my “forestA” and if so
how without getting the above error message?
Thank you
    Shabeaut

Active Directory Rename

I am running into an issue with renames for Active Directory in SIM 8.1.12. I am using the standard RenameUser View and setting the identity and and accountId. The first time I run through the workflow everything works as expected. Any future rename requests, even from the standard Rename action on the Tabbed User Form, fails with a "Missing ResourceInfo" error. I have stood up a fresh installation of 8.1.12, with no customizations and I don't have any issues. So I know that it is something with my custom environment, but am at a loss as to what might be the problem. Any help would be appreciated.
Following is the test workflow that I am executing to rename the user.
<code>
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE TaskDefinition PUBLIC 'waveset.dtd' 'waveset.dtd'>

<TaskDefinition id='#ID#TaskDefinition:0 A Test Workflow' name='0 A Test Workflow' creator='Configurator' createDate='1292254355003' lastModifier='Configurator' lastModDate='1292261470208' lastMod='9' repoMod='1292261470000' primaryObjectClass='TaskDefinition' taskType='Workflow' executor='com.waveset.workflow.WorkflowExecutor' suspendable='true' syncControlAllowed='true' execMode='sync' execLimit='0' resultLimit='0' resultOption='delete' visibility='runschedule' progressInterval='0'>
<Extension>
<WFProcess name='0 A Test Workflow' maxSteps='0'>
<Activity id='0' name='start'>
<Transition to='Test'/>
<WorkflowEditor x='22' y='22'/>
</Activity>
<Activity id='1' name='end'>
<WorkflowEditor x='201' y='37'/>
</Activity>
<Activity id='2' name='Test'>
<Action id='0'>
<expression>
<block>
<set name='accountId'>
<s>00002</s>
</set>
</block>
</expression>
</Action>
<Action id='1' name='getRenameUser View' application='com.waveset.session.WorkflowServices'>
<Argument name='op' value='checkoutView'/>
<Argument name='type' value='RenameUser'/>
<Argument name='id'>
<ref>accountId</ref>
</Argument>
<Return from='view' to='renameView'/>
</Action>
<Action id='2'>
<expression>
<block>
<set name='renameView.resourceAccounts.selectAll'>
<s>false</s>
</set>
<set name='renameView.resourceAccounts.currentResourceAccounts[AD].selected'>
<s>true</s>
</set>
<set name='renameView.accounts[AD].identity'>
<s>CN=Test.User2,ou=DisabledUser,DC=hbcbs,DC=com</s>
</set>
<set name='renameView.accounts[AD].accountId'>
<s>CN=Test.User2,ou=DisabledUser,DC=hbcbs,DC=com</s>
</set>
</block>
</expression>
</Action>
<Action id='3' name='checkIn View' application='com.waveset.session.WorkflowServices'>
<Argument name='op' value='checkinView'/>
<Argument name='view' value='$(renameView)'/>
<Argument name='authorized' value='true'/>
</Action>
<Transition to='end'/>
<WorkflowEditor x='176' y='250'/>
</Activity>
</WFProcess>
</Extension>
<MemberObjectGroups>
<ObjectRef type='ObjectGroup' id='#ID#Top' name='Top'/>
</MemberObjectGroups>
</TaskDefinition>
</code>
Thanks,
Pete

This works for me:
<Variable name='accountId' input='true'>
<Variable name='newIdentityAd'/>
<Variable name='renameView'/>
<Activity id='1' name='Move AD user'>
<Variable name='WF_ACTION_ERROR'/>
<Variable name='view'/>
<Action id='0' application='com.waveset.session.WorkflowServices'>
<Argument name='op' value='checkoutView'/>
<Argument name='type' value='RenameUser'/>
<Argument name='id' value='$(accountId)'/>
<Argument name='name' value='$(accountId)'/>
<Variable name='view'/>
<Return from='view' to='renameView'/>
</Action>
<Transition to='Set Naming Attributes'>
<isnull>
<ref>WF_ACTION_ERROR</ref>
</isnull>
</Transition>
<Transition to='end'/>
</Activity>
<Activity id='2' name='Set Naming Attributes' audit='true'>
<Action id='0' name='Set Parameters for Identity Rename'>
<expression>
<block>
<set>
<s>renameView.resourceAccounts.currentResourceAccounts[AD].selected</s>
<s>true</s>
</set>
<set>
<s>renameView.accounts[AD].identity</s>
<ref>newIdentityAd</ref>
</set>
</block>
</expression>
</Action>
<Action id='1' name='Checkin Rename View' application='com.waveset.session.WorkflowServices'>
<Argument name='op' value='checkinView'/>
<Argument name='view' value='$(renameView)'/>
</Action>
<Transition to='end'/>
</Activity>
Greetings,
Marijke

Renaming Active Directory object

Similar Messages

Maybe you are looking for