We are using a product which integrates with Active Directory via LDAP.
Due the way the integration works we need 2 DNs for every user.
I have been researching and I think this may be possible via alias (objectClass:alias) however I can't find any information on how to actually create these in AD.
This is sort of what I want to do:
dn: cn=UsersAlias,dc=internal,dc=company,dc=com
changetype: add
objectClass: alias
objectClass: top
objectClass: extensibleObject
uid: UsersAlias
aliasedObjectName: cn=Users,dc=internal,dc=company,dc=com
This will mean user Joe Bloggs will end up with 2 DNs, e.g.
CN=Joe Bloggs,CN=Users,DC=internal,DC=company,DC=com
CN=Joe Bloggs,CN=UsersAlias,DC=internal,DC=company,DC=com
Related
I want to create a dynamic group based on the domain of the primary user assigned on the device.
I have managed to create a group with all the devices with the following dynamic membership rules:
(device.devicePhysicalIDs -any (_ -contains "[ZTDId]"))
I have users from two domains in my AAD, for example:
domain1.com
domain2.com
What I want is to create a group called "Devices - Domain1" and another called "Devices - Domain2".
In "Devices - Domain1" I want the devices to be linked to users who have domain1 in their username, for example pepe#domain1.com
And the same for domain2.
I don't know how to add the users part.
Any ideas?
• Users and devices cannot be in the same group according to the architecture and given provisions in Azure AD and Intune. Dynamic group can be either user based, or device based but you can't mix both users and devices in the same group.
• Though, according to your query, you can get a list of the devices and their associated primary users for those devices through a powershell script as below. Through the output of this script, you can manually create the groups according to your requirements.
#Get All Windows 10 Intune Managed Devices for the Tenant
$Devices = Get-Win10IntuneManagedDevice
Foreach ($Device in $Devices) {
Write-Host "Device name:" $device."deviceName" -ForegroundColor Cyan
$IntuneDevicePrimaryUser = Get-IntuneDevicePrimaryUser -deviceId $Device.id
#Check if there is a Primary user set on the device already
if($IntuneDevicePrimaryUser -eq $null){
Write-Host "No Intune Primary User Id set for Intune Managed Device" $Device."deviceName" -f Red
}
• Also, you can create a user group based on the user’s domain by classifying through the User Principal Name attribute in dynamic user group expression. You can do this by setting the property column as ‘userPrincipalName’ attribute, operator should be ‘contains’ and the value should be domain name in ‘#yourdomain.com’ format. This will create a user group with the specified domain containing all users of that domain.
Please refer to the below links for official documentation: -
https://learn.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-dynamic-membership
https://learn.microsoft.com/en-us/powershell/module/azuread/get-azureaddeviceregisteredowner?view=azureadps-2.0
Thanking you,
I need an LDAP query which returns the single OU in an Active Directory which in turn contains a given username (based on the samAccountName). Is that possible using a single LDAP query to an Active Directory?
Example: User with samAccountName abcd1234 is in OU=HR created under the main AD. I need a query returning the OU including its attributes, the only allowed parameter is the username.
This will require two LDAP queries. One to retrieve the DN of the user, then another that queries for the OU/container of the user based on a portion of the user's DN (minus their RDN). There is no way around it (That I'm familiar with anyway).
If I query the AD then for some users the attribute memberOf does not contains any builtin groups. The users with the problem are all moved in a separate OU.
The query is simple:
(&(objectClass=person)(uid=xyz))
But the "Active Directory Users and Computers" tool from Microsoft show this members. Where can be the problem? Is this an access right problem?
There is a notion of a Primary group in AD. The default is usually Domain Users.
This is represented on the user object as an attribute called PrimaryGroupID, and 513 is Domain Users.
There can and must be only one primary group, and to remove the current one, you need to first add another group as a member, to then swap with the primary group ID.
I have a situation whereby Active Directory groups are prefixed with a unique code. For instance
12345 Users
12345 Admins
67890 Users
67890 Admins
I'm currently using LDAP to get all groups but I would like to restrict this to only those prefixed with the id.
Effectively get groups beginning with 12345.
How can I achieve this with LDAP?
Using LDAP a filter like:
&(ObjectClass=Group)(cn=12345*))
Will retrieve groups beginning with 12345.
-jim
We have a JIRA in our company configured to connect to our Active Directory filtering users by the AD Group "JIRA Users".
This works perfectly fine, but our company has more than 1000 groups that would be imported if I don't set a filter for groups. So I set an additional filter for specific groups I want to import on a different subtree.
Not all users in group JIRA Users are in a group in this subtree I want to select for the group import.
Now the problem is, that users in a group in my import subtree are correctly importet into JIRA. But if the user only is in groups in another subtree. The user does not get importet to JIRA.
Base DN: OU=company-shortname,DC=companyname,DC=de
Additional Group DN: OU=Subgroup,OU=Groups
User filter is:
(&(objectCategory=Person)(sAMAccountName=*)(&(memberOf=CN=JIRA User,OU=Groups,OU=company-shortname,DC=companyname,DC=de)))
Groupobjectfilter is:
(&(objectCategory=Group)(cn=*))
I can't go up one level on the additional group DN because then I have all 1000 groups. Ho can I set this correct?
Can you solve it by 'tagging' the groups you need to import, say by adding JIRA to the description or info (Notes) field and then pointing the group search to the top level OU and using (&(objectCategory=group)(info=JIRA*)) or similar?