Why can I see an AD container from ADExplorer and not from other browsers? - active-directory

Ok, so I need a real Active Directory expert for this one.
I am encountering a problem where I view different things from different LDAP browsers.
I want to view the deleted objects container.
When I access Active Directory through ADExplorer I can see this container. When I access the same Active Directory with the same user from JXplorer, I cannot see the deleted objects container.
Also, from Softerra LDAP Browser the same happens as with JXplorer.
Do you have any idea why this is happening?
Do you maybe have any other LDAP browser you can recommend?
Thanks

The ability to enumerate the deleted objects container in Active Directory will depend on the software in use (as you found out). To be able to view the deleted objects container (and any deleted objects in general), the software needs to use the LDAP control called LDAP_SERVER_SHOW_DELETED_OID. From the MSDN page:
LDAP_SERVER_SHOW_DELETED_OID control code
The LDAP_SERVER_SHOW_DELETED_OID control is used with an extended LDAP
search function to specify that the search results include any deleted
objects that match the search filter.
Unless the software lets you use a custom LDAP control when connecting to AD (or has built-in support for viewing deleted objects in AD), it won't be able to see them at all.
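The following is an added example, not part of the original answer: it performs the search the answer describes with the LDAP_SERVER_SHOW_DELETED_OID control (OID 1.2.840.113556.1.4.417) attached explicitly through System.DirectoryServices.Protocols, which is what ADExplorer does on your behalf. The DC name, the domain DN and the page size are placeholders, and the caller is assumed to hold the rights to list CN=Deleted Objects (by default only administrators do).

```powershell
# Added example (not from the original answer). Assumptions: $dc and $domainDn are placeholders,
# and the current user is allowed to list CN=Deleted Objects (by default only administrators are).
Add-Type -AssemblyName System.DirectoryServices.Protocols

$dc        = 'dc01.corp.example'
$domainDn  = 'DC=corp,DC=example'
$deletedDn = "CN=Deleted Objects,$domainDn"

$conn = [System.DirectoryServices.Protocols.LdapConnection]::new(
    [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new($dc, 389))
$conn.SessionOptions.ProtocolVersion = 3
$conn.SessionOptions.Signing = $true      # tombstones carry SIDs and account names, so sign and seal
$conn.SessionOptions.Sealing = $true
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
$conn.Bind()                               # current user's credentials

$request = [System.DirectoryServices.Protocols.SearchRequest]::new(
    $deletedDn,
    '(isDeleted=TRUE)',
    [System.DirectoryServices.Protocols.SearchScope]::Subtree,
    @('cn', 'objectClass', 'lastKnownParent', 'whenChanged', 'isRecycled'))

# The control that makes the difference: any OID, no value, non-critical.
# [System.DirectoryServices.Protocols.ShowDeletedControl]::new() is the typed equivalent.
$showDeleted = [System.DirectoryServices.Protocols.DirectoryControl]::new(
    '1.2.840.113556.1.4.417', $null, $false, $true)
$request.Controls.Add($showDeleted) | Out-Null

# Page the result; a DC hands back at most MaxPageSize (1000 by default) entries per page.
$page = [System.DirectoryServices.Protocols.PageResultRequestControl]::new(500)
$request.Controls.Add($page) | Out-Null

$deleted = [System.Collections.Generic.List[object]]::new()
do {
    $response = $conn.SendRequest($request)
    foreach ($entry in $response.Entries) {
        $deleted.Add([pscustomobject]@{
            DN              = $entry.DistinguishedName
            LastKnownParent = $entry.Attributes['lastKnownParent'][0]
            WhenChanged     = $entry.Attributes['whenChanged'][0]
            Recycled        = $entry.Attributes.Contains('isRecycled')   # only with the AD Recycle Bin on
        })
    }
    $cookie = ($response.Controls |
        Where-Object { $_ -is [System.DirectoryServices.Protocols.PageResultResponseControl] }).Cookie
    $page.Cookie = $cookie
} while ($cookie.Length -gt 0)

$deleted | Sort-Object WhenChanged -Descending | Format-Table -AutoSize

# Without the control the container itself is hidden, so the identical search fails outright,
# which is exactly what JXplorer and Softerra LDAP Browser run into.
$request.Controls.Remove($showDeleted) | Out-Null
try   { "Without control: $($conn.SendRequest($request).Entries.Count) entries" }
catch { "Without control: $($_.Exception.Message)" }

# The ActiveDirectory module attaches this control for you when you pass -IncludeDeletedObjects:
# Get-ADObject -Filter 'isDeleted -eq $true' -IncludeDeletedObjects -Properties lastKnownParent
```

The generic DirectoryControl constructor is used on purpose: it is the same mechanism you would need for any other AD-specific control a browser does not know about, and it shows that the control carries no value, only the OID. The paging control matters because a Deleted Objects container in a large domain easily exceeds the server's page size, and a search without it is silently truncated.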

Related

Microsoft Graph API - Azure AD Connect - extensionAttribute

When I try querying extensionAttribute with Graph API (Hybrid Exchange), I cannot get any value.
E.g., if I try: https://graph.microsoft.com/v1.0/users/<userid or upn>?$select=extensionAttribute2, I cannot see the value even though I know it's there.
Do you know how to get it properly (or a workaround)?
Thank you
Are these values synced to Azure Active Directory? All properties for the AAD User can be found in the Microsoft Graph API docs here : https://learn.microsoft.com/en-us/graph/api/resources/user?view=graph-rest-1.0
It sounds like these are being synced from an AAD Connect environment, so it's most likely you are trying to get the onPremisesExtensionAttributes.
Per the description:
Contains extensionAttributes 1-15 for the user. Note that the individual extension attributes are neither selectable nor filterable. For an onPremisesSyncEnabled user, this set of properties is mastered on-premises and is read-only. For a cloud-only user (where onPremisesSyncEnabled is false), these properties may be set during creation or update.
I suggest taking a look more thoroughly through the documentation in regards to this. In addition to that, as you mentioned Exchange, note that the custom attributes from Exchange are the same as the extension attributes. For more info on this see : https://github.com/microsoftgraph/microsoft-graph-docs/issues/5950
This is a separate sort of "Extension Attribute" but I figured I would include this in the answer as well. There is a different extensibility section for the Microsoft Graph, and the docs on this can be found here : https://learn.microsoft.com/en-us/graph/extensibility-overview
If you see information on these extensions, know that this is separate from the on-prem extensions.
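As an added example, not part of the original answer, here is the request the answer is pointing at, issued with plain REST so it works without the Graph SDK: select the onPremisesExtensionAttributes container instead of the individual attribute, read the value out of it, and, since the attributes are not filterable server-side, filter a page of users client-side. The bearer token, the UPN and the value being searched for are placeholders; the token is assumed to carry User.Read.All.

```powershell
# Added example (not from the original answer). Assumptions: $token is a valid Graph bearer
# token with User.Read.All, and the UPN / the 'Finance' value are placeholders.
$token   = $env:GRAPH_TOKEN              # obtained through your usual OAuth flow; not shown here
$user    = 'jdoe@corp.example'
$headers = @{ Authorization = "Bearer $token" }

# $select must name the container property; extensionAttributeN on its own is not selectable.
# Single quotes keep PowerShell from treating $select as a variable.
$uri = "https://graph.microsoft.com/v1.0/users/$user" +
       '?$select=id,userPrincipalName,onPremisesSyncEnabled,onPremisesExtensionAttributes'
$u = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers

[pscustomobject]@{
    User                = $u.userPrincipalName
    SyncedFromOnPrem    = $u.onPremisesSyncEnabled      # $true => read-only in Graph, mastered by AD Connect
    ExtensionAttribute2 = $u.onPremisesExtensionAttributes.extensionAttribute2
}

# All fifteen slots, showing only the ones that carry a value.
$u.onPremisesExtensionAttributes.PSObject.Properties |
    Where-Object { $_.Name -like 'extensionAttribute*' -and $_.Value } |
    Select-Object Name, Value

# Not filterable server-side: pull the property for all users (following paging) and filter locally.
$matches = [System.Collections.Generic.List[object]]::new()
$next = 'https://graph.microsoft.com/v1.0/users' +
        '?$select=userPrincipalName,onPremisesExtensionAttributes&$top=999'
while ($next) {
    $pageResult = Invoke-RestMethod -Method Get -Uri $next -Headers $headers
    $pageResult.value |
        Where-Object { $_.onPremisesExtensionAttributes.extensionAttribute2 -eq 'Finance' } |
        ForEach-Object { $matches.Add($_.userPrincipalName) }
    $next = $pageResult.'@odata.nextLink'
}
$matches

# Same value as seen from the Exchange side (CustomAttribute2 maps to extensionAttribute2):
#   Get-Mailbox -Identity $user | Select-Object CustomAttribute2
```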

Active Directory default + specific attributes in one LDAP call?

I'm retrieving info from an Active Directory setup via LDAP (using Python, although that's probably not important). I can retrieve a specific user account via a search command, and I get a few dozen attributes, presumably the ones that Active Directory is set to return by default. These do not include "msDS-UserPasswordExpiryTimeComputed" attribute, which is an AD computed attribute that doesn't come back by default.
I can request it by using the attrlist parameter in the Python search call (attrlist=["msDS-UserPasswordExpiryTimeComputed", "sAMAccountName"]), but I then have to know and enumerate all the attributes I'm interested in. I was wondering if there is any LDAP syntax for 'attrlist' that would indicate that I want all the default attributes that would have come back anyway, plus any others I might explicitly indicate? Perhaps some sort of wildcard like attrlist=['*', 'msDS-UserPasswordExpiryTimeComputed'], for instance. Or do I have to make one call to get all the default attributes, and a second to retrieve others?
Also, how does an AD installation determine what attributes are returned by default? Is it standard to AD, or customizable by admins?

Active Directory (LDAP) query or filter to get users with closed mailboxes?

I use Exchange 2003 and I have been searching a lot and found related queries like
(&(UserAccountControl:1.2.840.113556.1.4.803:=2)(msExchHomeServerName=*)(objectClass=User))
Which enumerates disabled user accounts with mailboxes, but what I want is quite the opposite, user accounts (enabled or disabled) with CLOSED mailboxes. Thanks beforehand for any help!
Exchange and Active Directory are separate; if a user is created in AD, that doesn't mean it will have a mailbox account too, but usually both are used together.
You can use any LDAP browser like JXplorer or LDAPadmin to check the settings for your users in Active Directory. You will find disabled users in AD moved to a different OU, or there should be some attribute which differentiates them from active users.
You can export an LDIF file (with an LDAP browser like LDAPadmin) for one active user and one disabled user and compare both to find the relevant attribute for the disabled entity and use it in your query filter. You can also consult the IT team who manage Active Directory for more details. HTH :)
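Added example, not part of the question or the answer: it runs the filter quoted in the question through the ActiveDirectory module, decodes the userAccountControl bit that filter tests, and then does the attribute comparison the answer recommends between one known-open and one known-closed mailbox user, so the distinguishing attribute can be found without exporting LDIF by hand. The two sAMAccountNames and the Exchange attribute names listed for the report are placeholders; RSAT's ActiveDirectory module is assumed (Exchange 2003 itself has no PowerShell, so only AD is queried).

```powershell
# Added example (not from the original thread). Assumptions: 'alice' / 'bob' are placeholder
# accounts (one open mailbox, one closed), and the RSAT ActiveDirectory module is installed.
Import-Module ActiveDirectory

# The filter from the question: disabled accounts that have an Exchange home server.
# 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND; 2 is the ACCOUNTDISABLE bit.
$disabledWithMailbox = '(&(userAccountControl:1.2.840.113556.1.4.803:=2)(msExchHomeServerName=*)(objectClass=user))'
# Enabled accounts with a mailbox: negate the bit test, not the whole expression.
$enabledWithMailbox  = '(&(!(userAccountControl:1.2.840.113556.1.4.803:=2))(msExchHomeServerName=*)(objectClass=user))'

$props = 'userAccountControl', 'msExchHomeServerName', 'homeMDB', 'mailNickname', 'legacyExchangeDN'
Get-ADUser -LDAPFilter $disabledWithMailbox -Properties $props |
    Select-Object sAMAccountName, Enabled, msExchHomeServerName, homeMDB

# Makes the bit test readable when you look at raw userAccountControl values.
function Test-AccountDisabled([int]$uac) { ($uac -band 0x2) -ne 0 }

# The answer's "export two LDIFs and compare" step, done in place: every attribute whose value
# differs between the open-mailbox user and the closed-mailbox user.
function Compare-AdUserAttributes([string]$openUser, [string]$closedUser) {
    $a = Get-ADUser -Identity $openUser   -Properties *
    $b = Get-ADUser -Identity $closedUser -Properties *
    $names = @($a.PropertyNames) + @($b.PropertyNames) | Sort-Object -Unique
    foreach ($n in $names) {
        $va = "$($a.$n)"; $vb = "$($b.$n)"
        if ($va -ne $vb) {
            [pscustomobject]@{ Attribute = $n; OpenMailbox = $va; ClosedMailbox = $vb }
        }
    }
}

# Narrow the diff to mail-related attributes; whenChanged, logonCount etc. always differ.
Compare-AdUserAttributes -openUser 'alice' -closedUser 'bob' |
    Where-Object { $_.Attribute -like 'msExch*' -or
                   $_.Attribute -in 'homeMDB', 'mail', 'mailNickname', 'proxyAddresses' } |
    Format-Table -AutoSize

# Once the distinguishing attribute is known, add it to the filter in place of <attr>=<value>:
#   (&(objectClass=user)(msExchHomeServerName=*)(<attr>=<value>))
```

Using `-Properties *` for the two reference accounts is deliberate: the default property set of Get-ADUser is a small subset, and the attribute that marks a closed mailbox may well be one that is never returned by default.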

How can I automate applying permissions for a JCR node?

For the CQ5 environment I work on we have a farm of publisher servers. Some of the content on these servers is restricted so only users who belong to certain groups can see the content. I'd like to script the setting of permissions for the folders (nodes) that are to be secured so I don't have to manually repeat the steps of applying security using the Access Control Editor of Content Explorer (This Adobe documentation has instructions for doing it manually via Access Control Editor). The scenario is that sometimes new folders are to be created to hold secure pages, and we want to apply permissions to the folders prior to activating any content into those folders.
Since the environment has several publishers, it is repetitive, manual, and error-prone work to open Content Explorer and set the permissions on each one. I'd like to be able to automate this so I could roll out permissions to all the servers via a script--perhaps via a curl command or some other mechanism (perhaps a package?) that can be automated.
I found the Sling jackrabbit-accessmanager bundle that seems like it will facilitate automation of this, but it seems like it opens a security hole. If I put this bundle on my publishers, it seems like I would be providing a REST interface to let anyone modify the permissions and grant access to folders/nodes that should be secured or to add security restrictions on nodes that should have none.
How can I automate the creation/modification of node permissions via a script--and do so in a way that only allows an administrator to apply the permissions changes?
This tool lets you manage permissions in a centralised way; they can also be installed automatically at deploy time:
https://github.com/Netcentric/accesscontroltool
Regarding permissions applied to new folders, the solution is setting permissions properly on their parent folder. CQ/AEM will automatically apply the same permissions to all children unless another rule breaks the inheritance.
I found one alternative I hadn't considered before: using the Day CQ ACL Setup Service. It is mentioned at http://dev.day.com/docs/en/cq/5-5/developing/security_model_changes.html.
AclSetupService allows one to add permissions to a single path for a given user/group. This will be applied on each restart of CQ to guarantee a certain permission state within CQ. For example, "allow;inherit;everyone;/" prevents everyone from accessing CQ (i.e. it forces all users to login first). As noted in the description of AclSetupService, you will need the following pattern per entry:
( "allow" | "deny" ) ";" ( privileges | "inherit" ) ";" principal ";" path
Choose either "allow" or "deny" for the first part.
Next enter one of the privilege below or set it to inherit permission from ancestor.
Then enter a single user/group.
Finally enter a single path to apply the permission to.
Using this will replace permission set within the repository when you restart CQ. These could be scripted by using the process outlined here and here.
Privileges can be:
jcr:read
rep:write
jcr:all
crx:replicate
imp:setComplete
jcr:addChildNodes
jcr:lifecycleManagement
jcr:lockManagement
jcr:modifyAccessControl
jcr:modifyProperties
jcr:namespaceManagement
jcr:nodeTypeDefinitionManagement
jcr:nodeTypeManagement
jcr:readAccessControl
jcr:removeChildNodes
jcr:removeNode
jcr:retentionManagement
jcr:versionManagement
jcr:workspaceManagement
jcr:write
rep:privilegeManagement
If you would like to use the Sling jackrabbit-accessmanager bundle on a publish instance it is possible. You would want to make sure your dispatcher which sits in front of the publish instance does not allow the permission requests (/.modifyAce., .deleteAce., etc) and the publish instances can only be accessed directly from inside your network. It's standard practice to deny all requests in the dispatcher and specify what is allowed.
Is there a reason you are not just replicating the permissions when the folder is activated? There should be a rep:policy node underneath the secure folder which gets replicated.
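Added example, not part of any of the answers above: it scripts the Sling jackrabbit-accessmanager servlets that the question and the last-but-one answer discuss, setting the same ACE on every publisher, reading the resulting ACL back through the `.acl.json` view, and then checking that the dispatcher in front refuses the `.modifyAce.` and `.deleteAce.` requests as that answer requires. Hostnames, the folder, the group and the admin credential are placeholders, and the accessmanager bundle is assumed to be installed on the publishers.

```powershell
# Added example (not from the original thread). Assumptions: hostnames, $path, $group and the
# credential are placeholders; the Sling jackrabbit-accessmanager bundle is installed on the publishers.
$publishers = 'http://publish01.internal:4503', 'http://publish02.internal:4503'
$dispatcher = 'https://www.example.com'
$path       = '/content/secure/partners'
$group      = 'partner-readers'
$cred       = Get-Credential -Message 'Admin account on the publish instances'

# Pre-emptive basic auth header; the servlets answer a challenge-less scripted client this way.
$pair = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(
            "$($cred.UserName):$($cred.GetNetworkCredential().Password)"))
$auth = @{ Authorization = "Basic $pair" }

foreach ($pub in $publishers) {          # not $host: that is a reserved PowerShell variable
    # One principal per modifyAce POST. privilege@<name> takes granted | denied | none (none removes it).
    # Deny read to everyone on the folder first, then grant it to the allowed group.
    Invoke-RestMethod -Method Post -Headers $auth -Uri "$pub$path.modifyAce.html" -Body @{
        principalId          = 'everyone'
        'privilege@jcr:read' = 'denied'
    } | Out-Null
    Invoke-RestMethod -Method Post -Headers $auth -Uri "$pub$path.modifyAce.html" -Body @{
        principalId          = $group
        'privilege@jcr:read' = 'granted'
    } | Out-Null

    # Read the ACL of the node back; the JSON is keyed by principal.
    "== $pub$path"
    Invoke-RestMethod -Method Get -Headers $auth -Uri "$pub$path.acl.json" | ConvertTo-Json -Depth 5
}

# The hardening check: the same selectors must be unreachable through the dispatcher.
# Anything other than an HTTP error here means the deny rule for these requests is missing.
foreach ($selector in 'modifyAce', 'deleteAce') {
    try {
        $r = Invoke-WebRequest -Method Post -Uri "$dispatcher$path.$selector.html" `
                               -Body @{ principalId = 'everyone' } -UseBasicParsing
        Write-Warning "$selector is reachable through the dispatcher (HTTP $($r.StatusCode))"
    } catch {
        $code = [int]$_.Exception.Response.StatusCode
        "$selector via dispatcher -> HTTP $code (blocked)"
    }
}
```

The script talks to each publisher directly (the answer's condition that publishers are only reachable from inside the network), so the dispatcher never has to expose the write endpoints; the final loop is the regression test for that condition and belongs in whatever pipeline deploys the dispatcher configuration.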

SSRS Revert to parent security

I have 50+ report parts which have specific AD Groups assigned to them as Browser.
This is so only certain people have access to the data.
To accomplish this, on the security settings I changed it by clicking 'Edit Item Security'
This resulted in SSRS not inheriting the security anymore (i.e. if I put an individual's AD name on the project folder they would be given access to everything).
So all my report parts have individual groups as it stands; the problem is I now need to give 1 individual access to everything.
With the current set up this would mean adding them 1 by 1 to all the report parts, however there is a button called 'Revert to parent security'.
My question is, if I click this will it remove all the individual group security settings I have applied, or will it allow me to add 1 person to all whilst leaving all the others the same?
According to Books Online ( http://msdn.microsoft.com/en-us/library/ms180265.aspx )
Revert to Parent Security will remove all the individual group security settings
Click to reset the security settings to that of the immediate parent
folder. If inheritance is unbroken throughout the report server folder
hierarchy, the security settings of the top-level folder, Home, are
used.
In your scenario, it seems that you have to add the user individually to every secured item. You could do it programmatically using the Reporting Services scripting host (see http://msftrsprodsamples.codeplex.com/wikipage?title=SS2008%21Script%20Samples%20%28Reporting%20Services%29 for some sample scripts) or PowerShell (see Using PowerShell to set user permissions in Reporting Services for a sample).
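Added example, not part of the original answer: the PowerShell route the answer mentions, done against the ReportService2010 SOAP endpoint. It walks a folder, touches only items whose inheritance has been broken (the ones that carry their own group list), and appends the one user as Browser without replacing the existing policies, which is the behaviour the question is after. The report server URL, the folder, the user name and the role are placeholders; it needs Windows PowerShell 5.1, because New-WebServiceProxy is not available in PowerShell 7.

```powershell
# Added example (not from the original answer). Assumptions: $reportServer, $rootFolder,
# $userToAdd and $roleToAdd are placeholders; run in Windows PowerShell 5.1.
$reportServer = 'http://ssrs01/ReportServer/ReportService2010.asmx?wsdl'
$rootFolder   = '/Finance'
$userToAdd    = 'CORP\jdoe'
$roleToAdd    = 'Browser'
$commit       = $false            # $false = report what would change; $true = write it

# -Namespace gives the generated proxy types stable names (SSRS.Policy, SSRS.Role).
$rs = New-WebServiceProxy -Uri $reportServer -UseDefaultCredential -Namespace 'SSRS'

foreach ($item in $rs.ListChildren($rootFolder, $true)) {
    $inherits = $false
    $policies = $rs.GetPolicies($item.Path, [ref]$inherits)

    # Items that still inherit are covered by their parent; touching them would break inheritance.
    if ($inherits) { continue }

    if ($policies | Where-Object { $_.GroupUserName -eq $userToAdd }) {
        "skip   $($item.TypeName) $($item.Path): already present"
        continue
    }

    $role = New-Object SSRS.Role
    $role.Name = $roleToAdd
    $policy = New-Object SSRS.Policy
    $policy.GroupUserName = $userToAdd
    $policy.Roles = @($role)

    # SetPolicies replaces the whole list, so append to what is there; the groups stay as they are.
    $newPolicies = [SSRS.Policy[]]($policies + $policy)
    if ($commit) {
        $rs.SetPolicies($item.Path, $newPolicies)
        "added  $($item.TypeName) $($item.Path)"
    } else {
        "would add $userToAdd as $roleToAdd to $($item.Path) (existing: $(($policies.GroupUserName) -join ', '))"
    }
}
```

Run it once with `$commit = $false` and read the list: every line shows the existing principals that will be kept, so an item that was secured to the wrong group stands out before anything is written.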
