Unlock AD user from all domain controllers

We have 13 domain controllers in 5 Active Directory sites. The unlock status is not updating on all DCs immediately. Please help me to unlock an AD user on all the domain controllers.
Below is the script to unlock an AD account on one domain controller:
Clear-Host
$luser = Read-Host "Input the name (Last name, First name) of the locked user"
# Read the lockout state from DC10
$lockstatus = Get-ADUser "$luser" -Properties LockedOut -Server DC10
if ($lockstatus.LockedOut -eq $true) {
    $nul = Get-ADUser "$luser" | Unlock-ADAccount
    # -NewPassword takes a SecureString; -Reset sets it without asking for the old password
    $nul = Get-ADUser "$luser" | Set-ADAccountPassword -Reset -NewPassword (ConvertTo-SecureString "password" -AsPlainText -Force)
    Write-Host "Account unlocked and password reset"
}
if ($lockstatus.LockedOut -eq $false) {
    Write-Host "Account is not locked"
}
Raj

We have remote site users who are facing problems.
Our L1 agents unlock the user ID in the primary site, and replication is taking time to reach the remote DC.
So we need a script to unlock the user ID on all DCs.
Raj
Replication of unlocks is faster than you can do it in script.  It is pushed immediately.  It does not wait for replication. If this is not happening then you need to find the problem and fix it.
You need to fix your problem.  A script will not fix it.
If you insist on doing it manually then just run the script one time for each DC.
If you still do not know what to do you must contact a consultant or your network vendor and have them assist you with this.   We are not a custom solution provider or a free script writing forum.  Doing this would keep you from fixing a problem which could lead to other bad things.  Please take the time to take the correct technical steps.
One thing that might help is to NOT select a DC for the reset.  The DC you are selecting is probably not replicating.  Let Windows choose a DC for you.
You must run diagnostics on your network to find out what is happening.  Contact your network administrator to do this.  If you do not have a trained network administrator then please contact a consultant or your vendor.
¯\_(ツ)_/¯
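
To find which DCs are not receiving the unlock, the lockout state can be read from every domain controller and compared. This is an added example, not code from either poster; the function name `Get-LockoutStateByDC` and the account `jdoe` are hypothetical.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the thread). Reads the lockout state of one account
# from every DC so that a DC which has not received the unlock stands out.
function Get-LockoutStateByDC {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [string]$Identity,   # sAMAccountName, DN, GUID or SID
        [switch]$Unlock      # also unlock on each DC that still reports the lockout
    )

    foreach ($dc in Get-ADDomainController -Filter *) {
        $row = [ordered]@{
            DC          = $dc.HostName
            Site        = $dc.Site
            LockedOut   = $null
            LockoutTime = $null   # UTC, converted from the lockoutTime FILETIME value
            BadPwdCount = $null   # not replicated: each DC keeps its own counter
            UnlockedNow = $false
            Error       = $null
        }
        try {
            $user = Get-ADUser -Identity $Identity -Server $dc.HostName `
                -Properties LockedOut, lockoutTime, badPwdCount -ErrorAction Stop

            $row.LockedOut   = $user.LockedOut
            $row.BadPwdCount = $user.badPwdCount
            if ($user.lockoutTime -gt 0) {
                $row.LockoutTime = [datetime]::FromFileTimeUtc($user.lockoutTime)
            }

            # Only touch DCs that still show the account as locked; honours -WhatIf / -Confirm.
            if ($Unlock -and $user.LockedOut -and
                $PSCmdlet.ShouldProcess("$Identity on $($dc.HostName)", 'Unlock-ADAccount')) {
                Unlock-ADAccount -Identity $user.DistinguishedName -Server $dc.HostName -ErrorAction Stop
                $row.UnlockedNow = $true
            }
        }
        catch {
            # An unreachable DC is itself a finding: record it instead of stopping.
            $row.Error = $_.Exception.Message
        }
        [pscustomobject]$row
    }
}

# Report only: which DCs still think the (hypothetical) account jdoe is locked?
Get-LockoutStateByDC -Identity 'jdoe' | Sort-Object Site, DC | Format-Table -AutoSize

# Preview what an unlock pass would change without changing anything.
Get-LockoutStateByDC -Identity 'jdoe' -Unlock -WhatIf
```

A DC that keeps reporting `LockedOut = True` after the others have cleared, or that only ever appears with an `Error`, is the place to start the replication diagnostics.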

Similar Messages

  • Help with Powershell script to gather eventlogs from all Domain Controllers

    I am trying to write a script to grab the last 5 days of application, security and system logs from all domain controllers. The script runs but only pulls the logs from the local server. The $Computer variable has all of my DC's so it is querying fine. I
    assume it is an issue with my ForEach-Object line but it doesn't error out. See the script below.
    $log = "Application"
    $date = get-date -format MM-dd-yyyy
    $now = get-date
    $subtractDays = New-Object System.TimeSpan 5,0,0,0,0
    $then = $Now.Subtract($subtractDays)
    $Computers = Get-ADDomainController -filter *
    ForEach-Object -InputObject $Computers  -Process {Get-EventLog -LogName $log -After $then -Before $now -EntryType Error | select EventID,MachineName,Message,Source,TimeGenerated | ConvertTo-html | Out-File $env:TEMP\Applicationlog.htm}
    Invoke-Expression $env:TEMP\Applicationlog.htm
    Thanks,
    Rich

    Also, you're missing the -ComputerName parameter in the Get-EventLog Cmdlet. 
    I would re-write the loop part of the script like this:
    $log = "Application"
    $date = get-date -format MM-dd-yyyy
    $now = get-date
    $subtractDays = New-Object System.TimeSpan 5,0,0,0,0
    $then = $Now.Subtract($subtractDays)
    $Computers = Get-ADDomainController -filter *
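    foreach ($Computer in $computers) {
        # Pass the DC's host name; $Computer is an ADDomainController object, not a string
        Get-EventLog -ComputerName $Computer.HostName -LogName $log -After $then -Before $now -EntryType Error |
        select EventID,MachineName,Message,Source,TimeGenerated | ConvertTo-html | Out-File .\Applicationlog.htm -append
    }
    # Open the report once, after all DCs have been queried
    Invoke-Expression .\Applicationlog.htm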
    Sam Boutros, Senior Consultant, Software Logic, KOP, PA http://superwidgets.wordpress.com (Please take a moment to Vote as Helpful and/or Mark as Answer, where applicable)

  • How to grant access to sharepoint for the user from different Domain

    Hi All
        I need to grant access to user from different domain. 
        Where I can able to view the users in people picker (different domain).
    Thanks in Advance.
    Raj

    Hi Trevor Seward,
    Sorry to disturb you again.
      I am trying to restrict user from search from other domain, say we have domain A and Domain B, where I am trying to restrict all the user from domain B (Search users)for a site collection. I have found couple of stsadmin command to do so. but none
    of them works. Below are the commands I have tried
    STSADM.exe -o setproperty -pn peoplepicker-searchadforests -pv "domain:<Name>.domain" -url "http://Site URL"
    stsadm -o setproperty -pn peoplepicker-searchadcustomquery -pv "(canonicalName=<Name>.domain*)" -url "Site URL"
    we have two way trust.
    Can you suggest any solution.
    Thanks 
    Raj

  • Grant access to users from different Domains

    Hi,
    Recently my company was merged with another. All users from my company are setup in our Domain (DomainA). Sharepoint is able to see the users in this domain and grant access to the users as well. When the merger happened, we created a Group (Test - Sharepoint)
    in our AD to add groups from the other company's domain: DomainB, totally different Forest. There is a two way trust setup between these domains. The group Test-Sharepoint is "domain local" and it is able to see the groups/users from other domain: DomainB.
    The other users are now able to access our sharepoint environment once access is granted to DomainA\Test-Sharepoint.
    Problem came when we applied Audience targetting around few web parts. The users from DomainB who are added as object in DomainA\Test-Sharepoint (group in DomainA) are not able to see the web parts that have audience targeting for this group. Someone
    suggested that AD groups should be Global or Universal but that is not our case. Most of the groups in our AD are domain local and SP is able to see the users within it.
    Please suggest how we can resolve audience targeting issue?
    Regards, Kapil ***Please mark answer as Helpful or Answered after consideration***

    My apologies, yes that is correct you'll have to use Domain Local in this case. http://technet.microsoft.com/en-us/library/cc755692(v=WS.10).aspx
    Actually what you'll need to do is not use Groups in your domain at all, as the users are Foreign Security Principals. Instead, use a group in the trusted domain, or attributes of the users you intend to target directly.
    Trevor Seward
    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

  • Remove users from all distribution groups in Microsoft 365

    Hello
    I would like to know if there is a way I can remove a user from all distribution groups in Microsoft 365. I have a rather large list of users that this would need to be applied to though.
    Any help would be greatly appreciated.
    John

    I would assume yes since there is a cmdlet called "Remove-DistributionGroupMember". You usually have to post some code of what you have
    tried or are working on to get further help from most other people here.

  • Fetch client IP addresses from the Netlogon.log file of all domain controllers in the domain

    Hi,
    The event ID 5807 is logged in the system logs of domain controllers as a result of which the IP addresses for the missing subnets are logged in Netlogon.log under %systemroot%/debug. The end goal is to fetch the IP addresses along with rest of the respective
    attributes from the Netlogon.log for all the domain controllers in the domain. I have the following script however, it gives me a 0KB file despite the fact that the Netlogon.log on the DC contains ample entries from last two months. 
    function GetDomainControllers {
        $DCs=[system.directoryservices.activedirectory.domain]::GetCurrentDomain() | ForEach-Object {$_.DomainControllers} | ForEach-Object {$_.Name}
        return $DCs
    }
    function GetNetLogonFile ($server) {
        $path= '\\' + $server + '\c$\windows\debug\netlogon.log'
        try {$netlogon=get-content -Path $path -ErrorAction stop}
        catch { "Can't open $path"}
        #reverse the array's order to the end of the file
        [array]::Reverse($netlogon)
        $IPs=@()
        foreach ($line in $netlogon) {
            #split the line into pieces using a space as the delimiter
            $splitline=$line.split(' ')
            #Get the date stamp which is in the mm/dd format
            $logdate=$splitline[0]
            #split the date
            $logdatesplit=($logdate.split('/'))
            [int]$logmonth=$logdatesplit[0]
            #last month and this month
            if (($logmonth -eq $thismonth) -or ($logmonth -eq $lastmonth)) {
                #only push it into an array if it matches an IP address format
                if ($splitline[5] -match '\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b'){
                    $objuser = new-object system.object
                    $objuser | add-member -type NoteProperty -name IPaddress -value $splitline[5]
                    $objuser | add-member -type NoteProperty -name Computername -value $splitline[4]
                    $objuser | add-member -type NoteProperty -name Server -value $server
                    $objuser | add-member -type NoteProperty -name Date -value $splitline[0]
                    $objuser | add-member -type NoteProperty -name Time -value $splitline[1]
                    $IPs+=$objuser
                }
            } else {
                #break out of loop if the date is not this month or last month
                break
            }
        }
        return $IPs
    }
    #Get last month's date
    $thismonth=(get-date).month
    $lastmonth=((get-date).addmonths(-1)).month
    #get all the domain controllers
    $DomainControllers=GetDomainControllers
    #Get the Netlogon.log from each DC
    Foreach ($DomainController in $DomainControllers) {
        $IPsFromDC=GetNetLogonFile($DomainController)
        $allIPs+=$IPsFromDC
    }
    $allIPs | Sort-Object -Property IPaddress -Unique | Export-Csv "E:\bin\NetlogonIPs.csv"
    PLEASE HELP!!

    Hi jrv,
    Thanks a lot for your help.
    I understand you cannot keep on iterating the code for me. However, I am stuck at this error :-
    ERROR : Exception calling "Parse" with "1" argument(s): "String was not recognized as a valid DateTime."
    After the following code finishes executing, I get the following output :-
    $csv=cat c:\windows\debug\netlogon.log |
    %{'{0}|{1}' -f $_.SubString(0,14),$_.SubString(15,$_.Length-15)}|
    ConvertFrom-Csv -Delimiter '|' -header time,message
    time            message
    04/14 01:18:45  NO_CLIENT_SITE: ServerX 10.x.x.x
    04/14 01:17:45  NO_CLIENT_SITE: ServerY 10.x.x.x
    04/14 01:17:44  NO_CLIENT_SITE: ServerY 10.x.x.x
    04/14 01:17:43  NO_CLIENT_SITE: ServerX 10.x.x.x
    However, I get the above mentioned error at the following line :-
    $csv|%{$_.time=[datetime]::Parse(($_.time -replace ' ','/2015 '))}
    I would later want to run the query just for logs from past day.
    Entire code is as follows :-
    function GetDomainControllers {
        $DCs=[system.directoryservices.activedirectory.domain]::GetCurrentDomain() | ForEach-Object {$_.DomainControllers} | ForEach-Object {$_.Name}
        return $DCs
    }
    function GetNetLogonFile ($server) {
        $path= 'C:\Test\netlogon.log'
        try {$netlogon=get-content -Path $path -ErrorAction stop}
        catch { "Can't open $path"}
        #reverse the array's order to the end of the file
        [array]::Reverse($netlogon)
        foreach ($line in $netlogon) {
       $csv=  $netlogon | %{'{0}|{1}' -f $_.SubString(0,14),$_.SubString(15,$_.Length-15)}| ConvertFrom-Csv -Delimiter '|' -header time,message | Out-Gridview
       $csv|%{$_.time=[datetime]::Parse(($_.time -replace ' ','/2015 '))}
        }
    }
    #get all the domain controllers
    $DomainControllers=GetDomainControllers
    #Get the Netlogon.log from each DC
    Foreach ($DomainController in $DomainControllers) {
        GetNetLogonFile($DomainController)
    }
    Please help!! Any help will be highly appreciated.
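
    An alternative to splitting on spaces and calling the culture-dependent [datetime]::Parse: match each NO_CLIENT_SITE line with one regular expression and build the timestamp with an explicit format. This is an added example, not code from the thread; the function name, the sample lines, and the optional "[tag] DOMAIN:" prefix layout are assumptions.

```powershell
# Added example (not from the thread). Netlogon.log timestamps carry no year,
# so the year is inferred as the most recent one that does not lie in the future.
function ConvertFrom-NetlogonNoClientSite {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [AllowEmptyString()]
        [string]$Line,
        [string]$Server = $env:COMPUTERNAME,   # DC the log was read from
        [datetime]$Now = (Get-Date)            # reference time for year inference
    )
    begin {
        # MM/dd HH:mm:ss, optional [tag] fields and "DOMAIN:" prefix (assumed layout),
        # then the NO_CLIENT_SITE token, the client name and its address.
        $pattern = '^(?<month>\d{2})/(?<day>\d{2})\s+(?<time>\d{2}:\d{2}:\d{2})\s+' +
                   '(?:\[[^\]]*\]\s+)*(?:\S+:\s+)?NO_CLIENT_SITE:\s+' +
                   '(?<computer>\S+)\s+(?<ip>\S+)\s*$'
        $culture = [System.Globalization.CultureInfo]::InvariantCulture
        $styles  = [System.Globalization.DateTimeStyles]::None
    }
    process {
        if ($Line -notmatch $pattern) { return }   # other entry types, blank lines
        # Copy the captures before anything else can overwrite $Matches.
        $month = $Matches['month']; $day = $Matches['day']; $time = $Matches['time']
        $computer = $Matches['computer']; $ipText = $Matches['ip']

        $ip = $null
        if (-not [System.Net.IPAddress]::TryParse($ipText, [ref]$ip)) { return }

        # Try this year first, then earlier years. Going back four years covers
        # a 02/29 entry read in a non-leap year, which would otherwise fail to parse.
        $stamp = [datetime]::MinValue
        $found = $false
        foreach ($year in $Now.Year..($Now.Year - 4)) {
            $text = '{0}/{1}/{2} {3}' -f $year, $month, $day, $time
            if ([datetime]::TryParseExact($text, 'yyyy/MM/dd HH:mm:ss', $culture, $styles, [ref]$stamp) -and
                $stamp -le $Now.AddDays(1)) {
                $found = $true
                break
            }
        }
        if (-not $found) { return }

        [pscustomobject]@{
            Time      = $stamp
            Computer  = $computer
            IPAddress = $ip.ToString()
            Server    = $Server
        }
    }
}

# Constructed sample lines (not real log data); DC01 is a placeholder name.
$sample = @(
    '04/14 01:18:45 NO_CLIENT_SITE: ServerX 10.0.0.15'
    '04/14 01:17:45 [MISC] [1234] CONTOSO: NO_CLIENT_SITE: ServerY 10.0.1.20'
    '04/13 23:59:01 [LOGON] [1234] some other entry'
    ''
    '12/30 08:00:00 NO_CLIENT_SITE: ServerZ 10.0.2.7'
)
$now  = [datetime]'2015-04-14T02:00:00'
$rows = $sample | ConvertFrom-NetlogonNoClientSite -Server 'DC01' -Now $now

# Entries from the past day only, one row per client address.
$rows | Where-Object { $_.Time -ge $now.AddDays(-1) } | Sort-Object -Property IPAddress -Unique
```

    With the constructed reference time, the 12/30 entry is dated to the previous year and drops out of the one-day filter, and the non-matching and blank lines are skipped rather than raising a parse error.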

  • Migrating users from one domain to another(Interforest)

    Scenario- Two Domains A & B in two different forests.
    A - holds exchange server in DMZ and 2 domain controllers in A used by exchange also in DMZ
    B holds all users and computers and 2 Domain controllers used for authentication .
    Now I want to migrate all users and computers  in B domain to A domain using ADMT
    My question here is
    1. Can I use the DCs used by exchange to authenticate if I migrate users and computers from B to A.
    2. If not what is the work around here. I want to build  an action plan on this.

    After the migration users will be in Domain A.  Authentication will happen locally in Domain A using Domain A DCs.   Make sure you have correct DNS server (DNS from domain A) for these workstations. 
    Santhosh Sivarajan | Houston, TX | www.sivarajan.com
    ITIL,MCITP,MCTS,MCSE (W2K3/W2K/NT4),MCSA(W2K3/W2K/MSG),Network+,CCNA
    Windows Server 2012 Book - Migrating from 2008 to Windows Server 2012
    This posting is provided AS IS with no warranties, and confers no rights.

  • Setting up Time Sync when all domain controllers are virtual machines?

    We have 2 existing server 2008 domain controllers on 2008 Hyper-V.  We plan to set up a third domain controller in a new AD site at a remote site that will be Server 2012 R2 on 2012R2 Hyper-V.
    PDC role DC is on one of the DCs in the original site.
    How should time syncing be set?
    From what I've read, all Hyper-V time synchronization between the virtual domain controllers and their Hyper-V host should be disabled.
    So, do we set up the PDC virtual machine to sync to an external site source and then expect the other 3 domain controllers to automatically sync with the time of the PDC?
    What happens with this process during a PDC reboot or if that PDC role domain controller becomes unavailable for any other reason? Does one of the other DCs then take over the role of domain time source even through they don't have access to the external
    time source?
    Should we also turn off Hyper-V time syncing for every Hyper-V guest that is a member of our domain (since they should also be getting their time from a domain controller) or only turn off the Hyper-V time sync for the domain controllers alone?

    We have 2 existing server 2008 domain controllers on 2008 Hyper-V.  We plan to set up a third domain controller in a new AD site at a remote site that will be Server 2012 R2 on 2012R2 Hyper-V.
    PDC role DC is on one of the DCs in the original site.
    How should time syncing be set?
    Simply make sure that time sync is disabled on your Hyper-V VM. For time configuration in AD domain, I have documented that here: http://social.technet.microsoft.com/wiki/contents/articles/18573.time-synchronization-in-active-directory-forests.aspx
    From what I've read, all Hyper-V time synchronization between the virtual domain controllers and their Hyper-V host should be disabled.
    So, do we set up the PDC virtual machine to sync to an external site source and then expect the other 3 domain controllers to automatically sync with the time of the PDC?
    They don't take over the role of PDC. The downtime of your PDC should not take a long time. That is why it is important to regularly monitor the health status of your DCs using SCOM or third party tools. The one I usually recommend is
    Lepide Auditor - Active Directory: http://www.lepide.com/lepideauditor/active-directory.html. The solution also allows you to track changes
    in your AD domain.
    Should we also turn off Hyper-V time syncing for every Hyper-V guest that is a member of our domain
    (since they should also be getting their time from a domain controller) or only turn off the Hyper-V time sync for the domain controllers alone?
    I would recommend turning off the Hyper-V time sync on all your Hyper-V VMs that are domain-joined.
    This posting is provided AS IS with no warranties or guarantees , and confers no rights.
    Ahmed MALEK

  • Read group membership for a user object and populate every group with matching user from another domain

    I have LON\JSmith in LON domain and DEL\JimSmith in DEL domain
    I would like to extract group memberships of LON\JSmith in LON domain and append matching by email (i.e. DEL\JimSmith) user object in every group in LON domain.
    for instance
    LON\JSmith and DEL\JimSmith is the same person and has same email address [email protected]
    LON\JSmith belongs to 3 groups - LON\localadmingroup;LON\univdesktop;LON\globalsurvey
    The outcome of the script should be
    LON\JSmith; DEL\JimSmith    should be in 3 groups - LON\localadmingroup;LON\univdesktop;LON\globalsurvey.
    How can i do it?
    Navgup

    Hi Navgup,
    Please refer to the script below, to query users in other domain by specifying the parameter "-Server" in the cmdlet "get-aduser", and also note I haven't tested the script below:
    import-module activedirectory
    get-adgroupmember "group"|foreach{
    $email=(get-aduser $_.samaccountname -properties *).EmailAddress # get the user email
    Get-ADUser -filter {EmailAddress -eq $email} -properties * -server DomainB.company.com|select samaccountname, memberof} # filter user name and group with the email in other domain
    To get users across domain, please also refer this blog:
    Adding/removing members from another forest or domain to groups in Active Directory:
    http://blogs.msdn.com/b/adpowershell/archive/2010/01/20/adding-removing-members-from-another-forest-or-domain-to-groups-in-active-directory.aspx?Redirected=true
    I hope this helps.

  • Issue using ADSI in powershell to load users from another domain into a group

    I am trying to load users into a domain local security group from another domain using ADSI and powershell. For users who have an existing foreign security principal I can load that without issue, but the users who do not have a foreign security principal
    I am unable to load.
    These work fine, assuming the group domain is fabrikam:
    $Group.psbase.invoke("Add",[ADSI]"LDAP://CN=$external_user_sid_who_has_a_FPN,CN=ForeignSecurityPrincipals,DC=fabrikam,DC=com")
    $Group.psbase.invoke("Add",[ADSI]"LDAP://$userDN,DC=fabrikam,DC=com")
    These does not:
    $Group.psbase.invoke("Add",[ADSI]"LDAP://CN=$externaluser_sid_who_does_not_have_a_FPN,CN=ForeignSecurityPrincipals,DC=fabrikam,DC=com")
    $Group.psbase.invoke("Add",[ADSI]"LDAP://<SID=$external_user_sid_who_does_not_have_a_FPN>")
    $Group.psbase.invoke("Add",[ADSI]"LDAP://<SID=$external_user_hex_sid_who_does_not_have_a_FPN>")
    Any help would be greatly appreciated.
    Thank you

    Thank you for your reply,
    I started with that thread and it ultimately recommends using the [ADSI]"LDAP://<SID=$hexsid>, this bind is not working for me. The page it points to for conversion of sid to hexsid is in VBS, but I have used the below powershell to duplicate its function.
    $sid = "S-1-5-21-2127521184-1604012920-1887927527-72713"
    $parts = $sid.Remove(0,6).Split("-")
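    foreach ($part in $parts)
    {
    # Convert each sub-authority to 8 hex digits, left-padded with zeros
    $hex = ([Convert]::ToString($part, 16)).ToUpper()
    While ($hex.length -lt 8)
    {
    $hex = "0" + $hex
    }
    # Append the four bytes in reverse (little-endian) order
    for ($i=1; $i -lt 5; $i++)
    {
    $reverseEndian = $reverseEndian + $hex.substring($hex.length -2, 2)
    $hex = $hex.Remove($hex.length -2, 2)
    }
    }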
    $hexSid = "0105000000000005" + $reverseEndian
    For example SID S-1-5-21-2127521184-1604012920-1887927527-72713 needs
    to be turned into raw hex sid 010500000000000515000000A065CF7E784B9B5FE77C8770091C0100 according to that article and
    then put in the ADSI bind like this: [ADSI ]"LDAP://<SID=010500000000000515000000A065CF7E784B9B5FE77C8770091C0100>". 
    When I put that bind in (with an actual sid and not an example sid) I get the following error:
    format-default : The following exception occurred while retrieving member "PSComputerName": "There is no such object on
    the server.
    + CategoryInfo : NotSpecified: (:) [format-default], ExtendedTypeSystemException
    + FullyQualifiedErrorId : CatchFromBaseGetMember,Microsoft.PowerShell.Commands.FormatDefaultCommand
    For users who are on another domain but already have a foreign principal name created, I can add them easily enough by converting their sid to the appropriate foreign principal name format. I haven't yet had any success adding someone who doesn't have a
    foreign principal name though, even after trying the solution referenced in the article.
    Thank you in advance for any help.

  • People Picker Showing Users From Both Domains

    We recently have begun setting up and laying out SharePoint 2010 Standard. It was brought to my attention that when using the search/browse function of the 'people picker' it is showing users from both the domains currently available on our network. Our
    current domain is a *.local domain and the old one which is no longer used for very much is a *.com domain. I have researched this issue and tried running the stsadm 'getproperty' and 'setproperty' commands. The 'getproperty' command for "peoplepicker-distributionlistsearchdomains",
    "peoplepicker-searchadforests", "searchadfilter", etc; always returns "<Property Exist="No" />" even after I have just run a set command and it reports that the command had run successfully. I read something
    about setting the stsadm -o setapppassword -password command, but I am unsure what this does to the current sharepoint configuration.
    Hopefully someone can help me fix this issue so that when people select browse/search only users from the *.local domain are shown.
    Thank you very much to anyone who can help me with this. I have been researching this issue for some time, but my knowledge regarding SharePoint is very limited, and I do not want to continue trying other more in-depth approaches I have found that may resolve
    this issue until I am better informed.

    This is normal when there is a trust between the domains. It is also normal if you previously added users from the .com domain to a SharePoint site as they'll be in the ULS logs.
    To resolve the first type of issue, where a trust does exist, run:
    stsadm -o setproperty -pn peoplepicker-searchadforests -pv "forest:domain.local" -url http://webAppUrl
    To resolve the second issue, run:
    $user = Get-SPUser -Identity "COMdomain\username" -Web http://webUrl
    Move-SPUser -Identity $user -NewAlias "LOCALdomain\username" -IgnoreSid
    Trevor Seward, MCC
    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

  • Migrate existing users from local domains to Open Directory.

    Here is the environment I'm working with:
    Small local environment (8-10) users. Everyone is on their own laptop, everyone is authenticating to their local directories. Network files are stored on a server, with everyone using a single shared user ID to authenticate and access the files.
    I have just installed a Xserve, and it is now serving DNS, DHCP, NTP, WWW. I want to setup Open Directory in Master mode, create user IDs for everyone, and then assign permissions to the shared files area.
    The one part that I'm not sure how to approach is the local laptops. If user "John Doe" has a local ID "jdoe" that he has been using on his local laptop, how does he migrate over to being "jdoe" in the OD domain, while retaining his "local" home directory and files? The problem I think I'll have is that when I create "jdoe" on the domain, he will have a UID of (say) 10001, but his local UID is 501 (as is the UID of all the other employees since they are all the first user on each of their respective laptops.) so when he logs back into his laptop after it has been attached to the OD domain, I assume that the laptop will see "jdoe" from the OD domain as a new user and create a new home for him (with the UID:10001), so now John cannot see any of his old files and such.
    Also, as a side question: I've worked with Windows ID before, and I know once you join a windows computer to a domain and then login to it, it creates a new user and caches the authentication info, so that when the laptop is not connected to the corporate network, the user can still login and work. Does Open Directory do the same on the laptops?
    Thanks for any help.

    Retaining password is a manual process of asking the user what his or her password is and then creating it in OD.
    As for migration of account, it is rather simple, provided the short name of the user remains consistent across directory systems. For example, if you have a user named Joe User and his short name is juser with a home folder in /Users/juser. And you create the same account in OD. You can do these few short actions.
    1: Bind system to the domain
    2: From the Admin account, and using Terminal from root, navigate to /var/db/dslocal/nodes/Default/users and find the plist file for the user (in our example, juser.plist).
    3: Delete the file using rm
    4: Restart the machine or restart Open Directory
    5: Log in as the admin user and change ownership of the user's home folder. Recall that when the user is in the local domain, the UID was likely 502, 503, etc (you do have a standard local admin at 501 right?) Now that the user is in OD, the UID will be 4 digits, something like 1027. So understanding that user attributes and user data are independent, you now have a folder in /Users titled juser and owned by uid 50x. You need to make it owned by juser from the OD domain. Use this:
    sudo chown -R juser /Users/juser
    6: Log out of the admin account
    7: Log in as the user after choosing Other at login window.
    Assuming you have your OD account set up properly, you will likely be asked to confirm the caching of the users credentials. This will path you right back into the user's home folder and all will be right with the world.
    This is simple and quick. If the shortnames are different, throw an mv into the mix to rename the home folder to match the domain shortname. If you have no local admin, then you will need to reset DSLocal and start again.

  • Error trying to import users from NT Domain Auth source

    Hi all, We cannot login to the portal using Auth source after NT administrator changed administrative password. We are trying to run NT Domain auth source in 5.0.3. Getting following error. It was working before. Any clue?? Thanks for any help.
    5/10/05 12:06:30- Starting to run operations (1 total) for job 'NT User Import Job - Run Once (2)'. Will stop on errors. (PID=3596) 5/10/05 12:06:48- *** Job Operation #1 of 1: Authentication source (for synching users and groups) 'BWSC' [Run as owner 'Administrator'] 5/10/05 12:06:48- Creating the Everyone In Auth Source group (if one doesn't already exist). 5/10/05 12:06:48- Need to create an Everyone Group for this auth source. 5/10/05 12:06:48- Error IDispatch error #16132 (0x80044104): SQL Execute Error (0x80004005): DELETE FROM PTOBJECTSECURITY WHERE OBJECTID=? AND CLASSID=?
    ADO Error: count = 1, return code = 0x80004005
    Unspecified error (SQL State (null)) 5/10/05 12:06:48- *** Job Operation #1 failed: Error IDispatch error #16132 (0x80044104): SQL Execute Error (0x80004005): DELETE FROM PTOBJECTSECURITY WHERE OBJECTID=? AND CLASSID=?
    ADO Error: count = 1, return code = 0x80004005
    Unspecified error (SQL State (null)) (0x4) 5/10/05 12:06:48- Done with job operations. 5/10/05 12:06:48- Error IDispatch error #16132 (0x80044104): SQL Execute Error (0x80004005): DELETE FROM PTOBJECTSECURITY WHERE OBJECTID=? AND CLASSID=?
    ADO Error: count = 1, return code = 0x80004005
    Unspecified error (SQL State (null))

    Yes. Other intrinsic jobs have failed too. Is this related to the Job Dispatcher service? Thank you for your help.

  • How to create user from one domain to remote domain

    Hi All,
    I want to create user in Security Realm from my own domain to a remote domain programatically. Can you suggest the entire process.
    Thanks in Advance.

    Not sure why but for me all the errors were resolved .
    import java.util.Hashtable;
    import javax.management.AttributeNotFoundException;
    import javax.management.InstanceNotFoundException;
    import javax.management.IntrospectionException;
    import javax.management.MBeanException;
    import javax.management.MBeanServer;
    import javax.management.MalformedObjectNameException;
    import javax.management.ObjectName;
    import javax.management.ReflectionException;
    import javax.management.modelmbean.ModelMBeanInfo;
    import javax.naming.Context;
    import javax.naming.InitialContext;
    import javax.naming.NamingException;
    public class Test {
         /**
          * @param args
          * @throws NamingException
          * @throws NullPointerException
          * @throws MalformedObjectNameException
          * @throws ReflectionException
          * @throws MBeanException
          * @throws InstanceNotFoundException
          * @throws AttributeNotFoundException
          * @throws IntrospectionException
          */
         public static void main(String[] args) throws NamingException, MalformedObjectNameException, NullPointerException, AttributeNotFoundException, InstanceNotFoundException, MBeanException, ReflectionException, IntrospectionException {
              // TODO Auto-generated method stub
              Hashtable env = new Hashtable();
              env.put(Context.INITIAL_CONTEXT_FACTORY,"weblogic.jndi.WLInitialContextFactory");
              env.put(Context.SECURITY_PRINCIPAL, "weblogic");
              env.put(Context.SECURITY_CREDENTIALS, "weblogic1");
              env.put(Context.PROVIDER_URL, "t3://localhost:7001");
              InitialContext ctx = new InitialContext(env);
              MBeanServer wls = (MBeanServer) ctx.lookup("java:comp/env/jmx/runtime");
              ObjectName userEditor = null;
              ObjectName MBTservice = new ObjectName("com.bea:Name=MBeanTypeService," + "Type=weblogic.management.mbeanservers.MBeanTypeService");
              ObjectName rs = new ObjectName("com.bea:Name=RuntimeService,"+"Type=weblogic.management.mbeanservers.runtime.RuntimeServiceMBean");
              ObjectName domainMBean = (ObjectName) wls.getAttribute(rs,"DomainConfiguration");
              ObjectName securityConfig = (ObjectName) wls.getAttribute(domainMBean,"SecurityConfiguration");
              ObjectName defaultRealm = (ObjectName) wls.getAttribute(securityConfig,"DefaultRealm");
              ObjectName[] atnProviders = (ObjectName[]) wls.getAttribute(defaultRealm,"AuthenticationProviders");
              // Find the first authentication provider that implements UserEditorMBean
              for (ObjectName providerName : atnProviders) {
              if (userEditor == null) {
              ModelMBeanInfo info = (ModelMBeanInfo) wls.getMBeanInfo(providerName);
              String className = (String) info.getMBeanDescriptor().getFieldValue("interfaceClassName");
              if (className != null) {
              String[] mba = (String[]) wls.invoke( MBTservice, "getSubtypes", new Object[] {"weblogic.management.security.authentication.UserEditorMBean" }, new String[] { "java.lang.String" });
              for (String mb : mba)
              if (className.equals(mb)) userEditor = providerName;
              }
              }
              }
              if (userEditor == null) throw new RuntimeException("Could not retrieve user editor");
              try{
              System.out.println("Creating User : testuser");
              wls.invoke(userEditor,"createUser",new Object[] {"testuser","password","test user"},new String[] {"java.lang.String", "java.lang.String","java.lang.String"});
              System.out.println("Created User : testuser");
              }
              catch(Exception e){
              e.printStackTrace();
              }
              ctx.close();
         }
    }

  • Why do we need a disabled AD object prior to migrating user from one domain to another.

    Say I am migrating a user 'Mr.A' mailbox from abc.com to xyz.com in an Exchange 2010 environment, why do I need a disabled AD object for Mr. A in xyz.com prior to migrating? Please suggest.
    Aditya Mediratta

    Hi ,
    To be frank i am not aware of quest but i can suggest you in ADMT and also in exchange cross forest migration.
    I hope you are doing the cross forest migration from exchange forest to exchange forest, so in such a case by using the prepare-moverequest.ps1 we can
    only have the disabled MEU on the target exchange forest until the remaining attributes of the user object are migrated from ADMT.
    While running the prepare-moverequest.ps1  it will not completely move all the active directory user attributes from the source forest to the target forest
    but it will move all the exchange attributes to the target forest and finally it will make the MEU object in the disabled state. Since
    all the exchange attributes are already migrated to the target forest ,so prior to use ADMT user account migration we need to exclude the exchange attributes
    by running the script on the ADMT server .After doing so exchange attributes will not be migrated but the required user attributes will be migrated to make the MEU to the enabled state.
    Reference Link for types of exchange migration between the forest :
    http://blogs.technet.com/b/exchange/archive/2010/08/10/3410619.aspx
    Thanks & Regards S.Nithyanandham
