I need help for my AD Integration.
I’m using Spiceworks for the system and there is a portion there for AD Integration.
The problem is that I need to sync two different OU’s
Base DN for LDAP search:
DC=dc1,DC=dc2
LDAP user filter:
(&(objectCategory=person)(|(ou=OU1)(ou=OU2)))
And its not working.
My AD Structure is
dc1.dc2
— OU1
— OU2
— OU3
dc1.dc2 is the top level.
OU1, OU2, OU3 are on the same level.
The reason is I don’t want to include OU3 in the syncing
LDAP filters are generally only applicable to attributes that are in the user entries.
If you want to include attributes that are part of the DN (the path to entries), you need to use extensible filters such as:
(&(objectCategory=person)(|(ou:dn:=OU1)(ou:dn:=OU2)))
Note that while this is standard LDAP filters, not all servers support this.
Active Directory doesn't support filters based on OU. In this instance, it's an "extensible match filter" that some LDAP implementations support, but not all (including AD). More info here.
By the way, you can't do a wildcard search on the distinguishedName, if you're tempted to try.
To be honest, this is why it's best to have all your "person" user accounts in one OU (maybe subdivided further down), groups in another, etc. In your case, if you can, it might be a good idea to move your "synching" account OUs under a new OU. If you have a enterprise environment, you will want to be careful there are no dependencies on the OU structure before making such a change. Or that you can identify any such dependencies and fix them before or at the time of making the change.
Otherwise, you'll need to make your searchbase the root of the domain. If you have other user account attributes you can use to search, such as department names or similar, that will work. If it's employee accounts, do they all have a common field that's populated, such as "employeeID" or "streetAddress" or something? Or do the accounts you want to exclude have a specific name format (such as all the service accounts starting with "SVC")? By combining things like that, you can generally get it pretty good.
Finally, for searching normal user accounts, a more efficient basic query is:
(samAccountType=805306368)
Your query of (objectCategory=person) returns User and Contact objects. The usual way to scope it property is (&(objectClass=user)(objectCategory=person)), but the two clauses makes it less efficient than my recommendation (which is using an indexed attribute as well).
Related
Retrieve all the groups of a specific user in Active directory. May I use which one is the efficient filter?
Depending on the server version your AD environment is running on, it won't make a bit of difference.
Take a look at the documentation for objectClass, sAMAccountName and sAMAccountType. You will notice that one property it lists on those pages is "Is Indexed". That tells you if that attribute is indexed in each server version. sAMAccountName and sAMAccountType have always been indexed, and objectClass started being indexed in Windows Server 2008.
If you're trying to find a specific account, you only need the sAMAccountName in the query:
(sAMAccountName=userName)
That will perform very fast, since sAMAccountName is indexed. The only reason you might want to include sAMAccountType or objectClass is if you don't know the type of object it is, and you want to make sure you only get a user account.
You mention you want to retrieve all the groups for a user, so take a look at the article I wrote about that: Finding all of a user’s groups. The code examples are C#, but the principles apply to any language.
I am currently trying to find out AD users password expiry date.
Using the methods described on numerous pages for e.g. here work fine until a user or group in AD is using a fine grained password policy that does not follow the users domain password policy.
I found a property called msDS-UserPasswordExpiryTimeComputed that figures that all out without trying to do any calculations.
This works well, until we are using a global catalog since this property is not replicated by default. When I attempting to replicate the msDS-UserPasswordExpiryTimeComputed property in my global catalog, I get the following error:
Is there anyway to replicate this property or is something wrong with my setup that is not allowing me to replicate this property? Is there a better way to calculate user password expiry to take into account the fine grained password policy?
I suspect you can't. I can't find any authoritative documentation saying it is not possible, but here are the reasons I think it's not possible:
The attribute is constructed, meaning it's not stored, but it's calculated at the time you ask for it.
The date depends on the policy on the domain, thus the server returning the data needs to know the policy on the domain of the user.
Since a GC may not be on the domain of the user you find, it may not have the information needed to be able to calculate the value.
As a workaround, you can just rebind to a DC to get the value. You didn't say which language you're working with, but usually you can take the path of the object you found, which will start with "GC://", and just replace that with "LDAP://". Then grab the msDS-UserPasswordExpiryTimeComputed value.
I played a bit with AD and schema and was able to made some custom attributes for my users.
For some reason, adding attributes is not enough for me and I would like to know if it is possible to create a new AD object "clearance", with some attributes, and add a 0..* relation betwen user and clearance like this :
I'm a total noob in Active directory so I wasn't able to find some reliable information about the schema meta-model so ... is it even possible ? If yes, how can I do that ?
To get further I need to make a security claim on this relation and then use it in Dynamic Access Control rules ...
Thanks for your help
For example the below will give me a certain things such as Security Groups, and Distribute Groups etc.
OU=Domain Controllers,DC=abc,DC=local OU=Distribution
Groups,OU=MyBusiness,DC=abc,DC=local OU=Security
Groups,OU=MyBusiness,DC=abc,DC=local
OU=SBSComputers,OU=Computers,OU=MyBusiness,DC=abc,DC=local
OU=Microsoft Exchange Security Groups,DC=abc,DC=local
But I want specifically just users that are enabled and have a Job title.
I've tried looking for this type of information, but have some up with mostly other formats which I don't know how to translate to the above examples. I.e. this works as
(&(&(objectCategory=user)(objectClass=user)(title=*)(objectclass=user)(objectcategory=person))(!(userAccountControl=514)))
Well, in Microsoft Active Directory, you do not. At least not in a single LDAP Query.
There is an ExtensibleMatch search filter that can allow this, but at least the last time I checked, it is NOT supported by Microsoft Active Directory
You will need to perform a search to each OU and combine the results within "Code".
I use the following query to find the groups each user is a member of:
(&(objectClass=group)(|(member=cn=UID,OU=ServiceAccounts,OU=MC,DC=ads,DC=myCompany,DC=com,DC=au)(member=cn=UID,OU=BTLY,OU=Sites,OU=MC,DC=ads,DC=myCompany,DC=com,DC=au)))
This query works and runs using the following Base DN:
OU=MC,DC=ads,DC=myCompany,DC=com,DC=au
I have few problems with the query:
I don't like having to use the OR operator to find Service Account users and BTLY users.
I don't want to hard-code the BTLY site, there are others, too.
Ideally, I'd just like to have the query as:
(&(objectClass=group)(|(member=cn=UID,OU=MC,DC=ads,DC=myCompany,DC=com,DC=au))
This way, I don't care whether the user account is a service account nor which site the account belongs to. Unfortunately, that query doesn't work.
Can someone please help me generalise the LDAP query? I'm a bit of a newbie, so I'm most likely missing something completely obvious!
Thanks!
Thanks for the reply. What you've said makes sense, but it doesn't help me, unfortunately. We're using GlassFish (a Java app server), and have configured it to point to the local AD server. Normally, a person can tell GlassFish how to retrieve users, eg
(&(objectCategory=user)(CN=UID))
and GlassFish will pick up all the groups (perhaps by using the memberOf attribute).
This time round we're using a different AD server which hosts a different directory of users. GlassFish isn't able to retrieve the groups by itself. So, there is a field where we can give GlassFish a custom query to find groups. In this field, I've put the query I've posted which works, but is ugly and verbose.
What I'd love to be able to do is:
(&(objectClass=group)(member=cn=UID))
but this doesn't work.
Is there anyway to do this?
Thanks,
Muel.
My guess is that using this technique is not possible. You would need to use wildcard here:
(&(objectCategory=group)(member=CN=UID,*))
and this is not acceptable for DN attributes (like the one stored in 'member' property):
http://msdn.microsoft.com/en-us/library/ms676930(v=vs.85).aspx
My suggestion here would be: use some tool to generate 'ugly' query for you (using syntax mentioned above) and "feed" your tool with end result. Can't see any option, sorry...
I just try to reformulate your question, but it's to much text for a comment.
You are trying to find all the groups the user CN=UID belongs to begining from the nod OU=MC,DC=ads,DC=myCompany,DC=com,DC=au.
This can be done by retreiving the memberOf attribute of the user itself. The only problem (perhaps not in your case) is that the primary group is not in this list of DN, it's coded appart using primaryGroupId attribute.
so
(&(objectCategory=user)(CN=UID))
Will do the job test :
ldifde -f t.ldf -D "OU=MC,DC=ads,DC=myCompany,DC=com,DC=au" -r "(&(objectCategory=user)(CN=UID))" -l memberof
Remark : samAccountName or userPrincipalName are attributes you can rely on for uniqueness of the entry in Active-Directory, that is not the case of CN (an admin can change it)