I have an AD with 71 computers.
However, there are actually fewer than 50 physical computers, so I'm doing some cleanup. But, up until now, when renaming PCs I've only renamed them at the workstation through Control Panel->System.
So, the displayed name of computers in AD does not match the workstation's computer name. The displayed name, the "Canonical name of object" under Properties->Object, and the cn attribute in Attribute Editor are all the old name, while the "Computer name" and "DNS name" under Properties->General are the updated name also found at the workstation.
How do I reconcile the two different sets of names for each computer? I cannot edit the "Canonical name of object" in Properties, nor can I edit the cn attribute:
Operation failed. Error code: 0x2016; The directory service cannot
perform the requested operation on the RDN attribute of an object.
00002016: Modify of RDN 'CN' on CN=COMP,OU=TEST,DC=DOMAIN,DC=local not
permitted, must use 'rename' operation instead.
Going forward, what is the proper way to rename a PC so that it updates both at the workstation and throughout AD?
There is a command line available (reference here: https://technet.microsoft.com/en-us/library/cc788029.aspx) that people will use to automate the renaming of domain-joined workstations.
It's a two-step process: first you rename the computer, and then rename its OU/CN. netdom renamecomputer doesn't rename the AD object, and I assume that Rename-Computer doesn't either (please edit this answer if that's incorrect).
PowerShell
Rename-Computer
[ Get-ADComputer | ] Rename-ADObject
CMD
netdom renamecomputer
dsmove
How can I set the UID, GID & home directory values relatively in Active Directory under the Unix attributes tab?
For example, instead of writing:
/home/ann.white
/home/marie.jones
/home/Jessica.Cox
I want to format like this:
/home/%u
For all 300 users in Active Directory I tried %u, but it returns the user's relative identifier (RID), so what is the variable for the username & group relative identifier?
%<givenName>.%<sn>
http://www.kouti.com/tables/userattributes.htm <- sorry it's 3rd party, the table is huge and MS doesn't seem to have one available on their website.
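The answer's point is that the Unix-attributes home directory takes a template in which each %<attribute> token is replaced by a directory attribute of the user. As an added illustration (not the component's own code, and not from the answer), the following Python expands such a template against constructed user records named with AD lDAPDisplayNames, stopping on the first record that lacks one of the attributes instead of producing a half-filled path. Attribute values are inserted as stored; the question's examples mix cases (ann.white, Jessica.Cox), and the template does no case folding.

```python
import re

# Constructed sample directory records; the attribute names (givenName, sn,
# sAMAccountName) are the AD lDAPDisplayNames the answer's template refers to.
SAMPLE_USERS = [
    {"sAMAccountName": "awhite", "givenName": "Ann", "sn": "White"},
    {"sAMAccountName": "mjones", "givenName": "Marie", "sn": "Jones"},
    {"sAMAccountName": "jcox", "givenName": "Jessica", "sn": "Cox"},
]

# A token looks like %<attributeName>, as in the answer's %<givenName>.%<sn>.
TEMPLATE_TOKEN = re.compile(r"%<([A-Za-z][A-Za-z0-9-]*)>")


def expand_template(template, user):
    """Replace every %<attribute> token in template with the user's value.

    A missing or empty attribute raises KeyError rather than silently yielding
    a path such as /home/Ann. (surname absent), so a bulk run fails loudly on
    the first incomplete record."""
    def replace(match):
        attr = match.group(1)
        value = user.get(attr)
        if not value:
            raise KeyError("user %r has no %s" % (user.get("sAMAccountName"), attr))
        return value
    return TEMPLATE_TOKEN.sub(replace, template)


def home_directories(template, users):
    """Map each sAMAccountName to its expanded home directory path."""
    return {u["sAMAccountName"]: expand_template(template, u) for u in users}


if __name__ == "__main__":
    for account, path in home_directories("/home/%<givenName>.%<sn>", SAMPLE_USERS).items():
        print(account, path)
```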
How do I connect to a database in $DLC in Progress OpenEdge? For details, see the image below.
Thanks,
Purushottam
Databases in $DLC (the directory that Progress was installed in) are templates -- you must make a copy of the template db in some other directory in order to use it. You cannot run databases directly from $DLC.
Usually you use a command such as:
proenv> prodb sports sports
To make a local copy of the default "sports" db.
Or you can just type "prodb" and you will be prompted for the new db name and the template name. The new name can be different from the template name.
You have to create a copy of the sports database in another directory (not in the OpenEdge installation directory) using the procopy or prodb command.
For example, in proenv:
procopy Sports2000 D:\spdb
or
prodb D:\spdb Sports2000
Now, you can easily connect to the database...
Currently I'm using OpenDS and have to migrate to Active Directory (AD LDS).
I have a few custom attributes/objects that are defined in .ldif files in the OpenDS/config/schema directory like this:
attributeTypes: ( 1.3.6.1.4.1.99.1
NAME 'myNewAttribute'
DESC 'some text'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
)
objectClasses: ( 1.3.6.1.4.1.99.2
NAME 'myNewClass'
SUP top STRUCTURAL
MUST ( person $ myNewAttribute )
MAY someOtherAttribute
)
Unfortunately ldifde does not understand this format, so I used ADSI Edit to import my definitions manually one by one (cumbersome!) - but encountered some problems:
It seems AD supports only a handful of different SYNTAX definitions, like 2.5.5.12. How can I map something like 1.3.6.1.4.1.1466.115.121.1.15 to AD?
oMSyntax: Seems to be AD specific and not known to the rest of the LDAP world. oMSyntax in combination with attributeSyntax seems to define the data type in the AD world.
Things like EQUALITY seem to be missing completely in AD! How do I deal with this?
Question: Is there a tool to convert an LDIF file with attribute/object definitions to a format that is understood by MS / AD / ldifde?
Or a more general question: What is the best practice to migrate attribute/object definitions from OpenDS, OpenLDAP, etc. to the Microsoft world?
Welcome to the directories compatibility world. First of all, the following syntax:
attributeTypes: ( 1.3.6.1.4.1.99.1
NAME 'myNewAttribute'
DESC 'some text'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
)
is not LDIF syntax. It's the syntax used by Netscape-like directories to specify the schema (OpenLDAP, the ex-Sun directory service, etc.). As far as you want to introduce new attributes and classes in Active Directory, you can do it in one of these 3 ways:
Manually, using the common ADSIEDIT.MSC (I never do it like that).
Manually, using the specific Active Directory Schema Editor MMC (Microsoft Management Console).
This is the way I use in the development phase.
MMC.EXE -> File -> Open Component -> Active Directory Schema
If you are using an old server, this MMC is only available after registering an ActiveX component:
Regsvr32 c:\windows\system32\schmmgmt.dll
This way is much easier; it's the way I use on a development VM to create my attributes. I then export the LDIF description with the LDIFDE.EXE tool in order to clean it (remove system attributes) and import it on the production servers.
Programmatically, using LDIF.
Here is an example of the LDIF syntax of an attribute:
dn: CN=SlxChapitres,CN=Schema,CN=Configuration,DC=XXXX
changetype: add
objectClass: top
objectClass: attributeSchema
cn: SlxChapitres
distinguishedName: CN=SlxChapitres,CN=Schema,CN=Configuration,DC=XXXX
instanceType: 4
attributeID: 1.3.6.1.4.1.10558.2.1.6
attributeSyntax: 2.5.5.4
isSingleValued: FALSE
showInAdvancedViewOnly: TRUE
adminDisplayName: SlxChapitres
oMSyntax: 20
lDAPDisplayName: SlxChapitres
name: SlxChapitres
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=XXXX
This code is LDIF; I can inject it using the LDIFDE.EXE program. The DC=XXXX syntax allows me to use the -c DNSrc DNTarget option of LDIFDE.EXE to relocate it to the right DN.
As far as the syntax and the matching rules are concerned, in my opinion Active Directory is not so standard. Microsoft uses a kind of combination of these two concepts to give one thing they call Syntax. Whenever you create a new attribute, you must specify its syntax. To uniquely identify the syntax among the total set of 21 syntaxes, you must specify 2 pieces of information: the OID of the syntax and a so-called OM syntax. This pair of values must be set together and correctly correlate with Microsoft documentation.
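The answer says the migration amounts to rewriting each attributeTypes definition as an attributeSchema LDIF entry and choosing the (attributeSyntax, oMSyntax) pair that stands in for the standard SYNTAX OID, with EQUALITY having no counterpart. The following Python is an added example of that conversion, written for this page rather than taken from the answer or from any Microsoft tool. It parses the question's own attribute definition, emits an entry in the layout of the answer's LDIF with the schema naming context left as a DC=X placeholder for ldifde -c, and drops EQUALITY. The syntax table covers only the standard syntaxes listed in it; any other SYNTAX OID is refused so the pair can be looked up in Microsoft's schema documentation rather than guessed.

```python
import re

# Standard LDAP syntax OIDs (RFC 4517) mapped to the Active Directory
# (attributeSyntax, oMSyntax) pair. Only the pairs listed here are handled; AD
# defines more, and any other syntax must be checked against Microsoft's
# schema documentation before it is used.
LDAP_SYNTAX_TO_AD = {
    "1.3.6.1.4.1.1466.115.121.1.15": ("2.5.5.12", "64"),  # Directory String -> Unicode string
    "1.3.6.1.4.1.1466.115.121.1.26": ("2.5.5.5", "22"),   # IA5 String
    "1.3.6.1.4.1.1466.115.121.1.27": ("2.5.5.9", "2"),    # INTEGER
    "1.3.6.1.4.1.1466.115.121.1.7": ("2.5.5.8", "1"),     # Boolean
    "1.3.6.1.4.1.1466.115.121.1.40": ("2.5.5.10", "4"),   # Octet String
    "1.3.6.1.4.1.1466.115.121.1.24": ("2.5.5.11", "24"),  # Generalized Time
}

# The question's attribute definition, used here as the sample input.
SAMPLE_ATTRIBUTE = """attributeTypes: ( 1.3.6.1.4.1.99.1
NAME 'myNewAttribute'
DESC 'some text'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
)"""


def ad_syntax_pair(ldap_syntax_oid):
    """Return the AD (attributeSyntax, oMSyntax) pair for a standard OID, or None."""
    return LDAP_SYNTAX_TO_AD.get(ldap_syntax_oid)


def parse_attribute_type(text):
    """Parse a Netscape/OpenLDAP-style attributeTypes definition into a dict."""
    body = text.split("(", 1)[1].rsplit(")", 1)[0]
    body = " ".join(body.split())  # collapse line breaks and indentation
    tokens = body.split()
    spec = {"oid": tokens[0], "single_value": "SINGLE-VALUE" in tokens}
    for key in ("NAME", "DESC"):
        match = re.search(r"\b%s\s+'([^']*)'" % key, body)
        spec[key.lower()] = match.group(1) if match else None
    match = re.search(r"\bSYNTAX\s+([\d.]+)", body)
    spec["syntax"] = match.group(1) if match else None
    match = re.search(r"\bEQUALITY\s+(\S+)", body)
    spec["equality"] = match.group(1) if match else None
    return spec


def to_ad_ldif(spec, schema_dc="DC=X"):
    """Emit an attributeSchema entry in the layout of the answer's LDIF.

    schema_dc is a placeholder so the file can be relocated with ldifde -c,
    as the answer does with DC=XXXX. EQUALITY is dropped: AD has no matching
    rule attribute and derives comparison behaviour from the syntax pair."""
    pair = ad_syntax_pair(spec["syntax"])
    if pair is None:
        raise ValueError("no AD syntax pair known for SYNTAX %s" % spec["syntax"])
    attribute_syntax, om_syntax = pair
    name = spec["name"]
    dn = "CN=%s,CN=Schema,CN=Configuration,%s" % (name, schema_dc)
    pairs = [
        ("dn", dn),
        ("changetype", "add"),
        ("objectClass", "top"),
        ("objectClass", "attributeSchema"),
        ("cn", name),
        ("distinguishedName", dn),
        ("instanceType", "4"),
        ("attributeID", spec["oid"]),
        ("attributeSyntax", attribute_syntax),
        ("oMSyntax", om_syntax),
        ("isSingleValued", "TRUE" if spec["single_value"] else "FALSE"),
        ("showInAdvancedViewOnly", "TRUE"),
        ("adminDisplayName", name),
        ("lDAPDisplayName", name),
        ("name", name),
        ("objectCategory", "CN=Attribute-Schema,CN=Schema,CN=Configuration,%s" % schema_dc),
    ]
    if spec["desc"]:
        pairs.append(("adminDescription", spec["desc"]))  # DESC survives as adminDescription
    return "\n".join("%s: %s" % pair for pair in pairs) + "\n"


if __name__ == "__main__":
    print(to_ad_ldif(parse_attribute_type(SAMPLE_ATTRIBUTE)))
```

The objectClasses definition from the question needs the same treatment against classSchema (MUST and MAY become mustContain and mayContain), which the answer does not show and this example leaves out.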
I'm trying to retrieve user information in Active Directory, but am finding some things to be poorly documented. For example, the LDAP connection strings I have seen contain some keywords that I don't know the meaning of. Here's a sample:
LDAP://ofmdcoly302.ofm.wa.lcl/ou=employees,dc=ofm,dc=wa
What are the keywords "ou" and "dc" supposed to signify? In our case "ou=employees" seems to identify a particular AD node. However when I try to do a .FindAll() on the above directory entry, I get "A referral was returned from the server". I guess that means it couldn't find what I was looking for, but it might be available somewhere else? In one place I read "A referral is AD's way of saying, 'this object probably exists in another domain'".
What are "ou" and "dc" supposed to mean? And if I had this A/D structure, how would I code the LDAP connection string to retrieve information in the "AR" node:
ou and dc are not keywords, they are attributes, "organizational unit" and "domain component", respectively. Attributes are defined in the directory server schema. Attributes are gathered together into entries, of which the distinguished name is the primary key.
Taken in this context, ou and dc are "distinguished name components", together comprising a "distinguished name", which is the aforementioned primary key of an LDAP entry. ou=employees,dc=ofm,dc=wa is a distinguished name composed of the various relative distinguished name components.
This entry has two mistakes: it's not using the root (dc=lcl), and you also skipped one ou; it should be ou=employees,ou=Users - OFMGOV,dc=ofm,dc=wa,dc=lcl
TBH, if you really want to understand this notation I would suggest using ADSI Edit instead of ADUC, which you probably use ATM - it will show you the path the same way, so it will be easier to translate. It will also prevent you from shooting yourself in the foot with special containers like 'CN=Users' and 'CN=Computers':
For the OU you have highlighted it would most likely be:
ou=AR,ou=Citrix,ou=Users - OFMGOV,dc=ofm,dc=wa,dc=lcl
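Both answers come down to reading the distinguished name component by component: the first explains that ou and dc are RDN attributes, the second points out that the question's base left out the dc=lcl root and one ou level. The following Python is an added example (not code from either answer) that splits a DN into its RDN pairs while honouring RFC 4514 backslash escapes, joins the dc components into the DNS domain the DN names, and compares that domain with the DNS suffix of the server in the question's connection string. The comparison assumes the domain controller's FQDN ends in the domain's own DNS name, which holds for the common case but is a heuristic, not a rule.

```python
def split_dn(dn):
    """Split a distinguished name into (attribute, value) RDN pairs.

    A backslash-escaped comma or equals sign (RFC 4514) stays part of the
    value instead of acting as a separator; attribute names are lower-cased
    because LDAP treats them case-insensitively."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])  # keep the escape pair verbatim
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    rdns = []
    for part in parts:
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns


def domain_from_dn(dn):
    """Join the dc components into the DNS domain the DN claims to live in."""
    return ".".join(value for attr, value in split_dn(dn) if attr == "dc")


def adsi_path(dn):
    """Render the DN top-down, the way ADSI Edit shows the tree."""
    rdns = split_dn(dn)
    containers = [value for attr, value in rdns if attr != "dc"]
    return " / ".join([domain_from_dn(dn)] + list(reversed(containers)))


def dn_matches_server(server_fqdn, dn):
    """Heuristic check: do the DN's dc components name the server's own domain?

    The question's base dc=ofm,dc=wa against a server in ofm.wa.lcl fails this
    check because the dc path stops short of the root the second answer adds."""
    host = server_fqdn.lower()
    if "." not in host:
        return False
    suffix = host.split(".", 1)[1]
    return suffix == domain_from_dn(dn).lower()


if __name__ == "__main__":
    server = "ofmdcoly302.ofm.wa.lcl"  # server from the question's connection string
    for base in ("ou=employees,dc=ofm,dc=wa",
                 "ou=AR,ou=Citrix,ou=Users - OFMGOV,dc=ofm,dc=wa,dc=lcl"):
        print(adsi_path(base), "->", "ok" if dn_matches_server(server, base) else "domain mismatch")
```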
Is there any way to programmatically get the current user's email address?
I know the email is usually user@hostname, but is there any way I can get the email?
I know how to get the username and the hostname so I can build it myself, but I want to be sure that I get the email address even when the email is not user@hostname.
Code in C is appreciated.
Thanks
There is no such standard mapping of user account to email address - at least not for ordinary /etc/passwd derived accounts. Consider that a user might not even have an email address.
Nobody's mentioned the GECOS fields in the /etc/passwd file.
You'll notice that the fifth field in your entry in /etc/passwd is either blank, or a comma-separated list the first element of which is your full name. Originally in Bell Labs (before the days of email) the GECOS fields were:
User's full name (or application name, if the account is for a program)
Building and room number or contact person
Office telephone number
Any other contact information (pager number, fax, etc.)
Some Linux distributions store the user's default email address in the 4th GECOS field, and if your system doesn't do this by default, you can set it up yourself. Ordinary users without superuser privilege can edit their GECOS fields using the command line command chfn. To access this field, you can then do
grep "^${USER}:" /etc/passwd | awk -F: '{print $5}' | awk -F, '{print $4}'
or whatever floats your boat in your language of choice (No, I am NOT going to write C. This is the twenty-first century!).
There is no standard mapping of user accounts to RFC822 (i.e. user@domain) email addresses. Generally, a default setup of typical mail transfer agents will accept local mail to addresses without a domain and deliver it to the user account of the same name. But even that can't be relied on, as you may not even have an MTA.
The UNIX way of doing this is to send email through the local mail-transfer-agent - simply invoking /usr/bin/mail is enough. The system administrator is responsible for configuring the local MTA to make sure email works properly.
If you want to send email to the local user, just send it to their username - if they read their email somewhere other than locally, the MTA should be configured to forward it to them.
If you just want to use the right "from" email address when sending email on behalf of a local user, so they get replies in the right place - again, just use their username. The MTA should be configured to do the right translation.
This way of doing things is good, because it means that this configuration only has to be done in one place (the MTA), rather than having to manually configure every single application on the box that sends or receives email.
Just to complement Simon's answer, and given I don't have enough reputation to comment on it: GECOS stands for General Comprehensive Operating System, aka General Electric Comprehensive Operating Supervisor, and the most portable way I found to get the user's GECOS field (as it might not be defined in your /etc/passwd file directly, depending on your system's configuration) is the following:
getent passwd <USERNAME> | awk -F ':' '{print $5}'
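Simon's pipeline and the getent variant above both take the fifth passwd field and then its fourth comma-separated subfield, which is only an address if the distribution or the user put one there with chfn. As an added example (not code from either answer), the following Python does the same over constructed passwd records: the user name is matched exactly against the first field rather than searched anywhere in the line, the GECOS field is padded to its four classic positions so a short entry cannot raise an index error, and the result is None when the fourth subfield is empty or holds no address. The last function uses pwd.getpwnam, Python's NSS-aware lookup, which corresponds to getent passwd for the live account database.

```python
# Constructed sample passwd records; not taken from any real system.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
ann:x:1001:1001:Ann White,Bldg 4 Rm 12,555-0100,ann.white@example.test:/home/ann.white:/bin/bash
marie:x:1002:1002:Marie Jones:/home/marie.jones:/bin/zsh
annex:x:1003:1003:Annex Service,,,:/var/lib/annex:/usr/sbin/nologin
"""


def passwd_entry(username, passwd_text=SAMPLE_PASSWD):
    """Return the seven passwd fields for an exact first-field match, or None."""
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) == 7 and fields[0] == username:
            return fields
    return None


def gecos_fields(gecos):
    """Split a GECOS string into its four classic subfields.

    Order is full name, office (building/room), office phone, other contact
    info; missing trailing subfields come back as empty strings."""
    subfields = gecos.split(",")
    return (subfields + [""] * 4)[:4]


def email_from_gecos(gecos):
    """Return the fourth GECOS subfield when it holds an address, else None."""
    other = gecos_fields(gecos)[3].strip()
    return other if "@" in other else None


def gecos_email(username, passwd_text=SAMPLE_PASSWD):
    """Look a user up in passwd text and return the address stored in GECOS, if any."""
    entry = passwd_entry(username, passwd_text)
    return None if entry is None else email_from_gecos(entry[4])


def gecos_email_from_system(username):
    """Same lookup against the live account database through NSS (like getent)."""
    import pwd  # POSIX only; imported here so the rest of the module runs anywhere
    try:
        return email_from_gecos(pwd.getpwnam(username).pw_gecos)
    except KeyError:
        return None


if __name__ == "__main__":
    for user in ("ann", "marie", "annex", "nobody-here"):
        print(user, gecos_email(user))
```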
It depends how the user is stored. In a simple passwd file there's no email address, only a username. But you can have additional information with other authentication methods like LDAP or SQL.
Prompt the user for their email. If you have no guarantee that the email is user@hostname, then how else do you expect to determine what their email is other than asking them?
You can't get the actual email address in any standard way. I would try to send the mail to just the username. Chances that it will end up on the correct domain are actually not that bad ...
Check in the terminal you're using, that is:
root@peter-laptop#
For root users it is shown before the # sign, that is
root@peter-laptop, or peter@peter-laptop# for user peter.
Try to get to /var/mail/ and there you should have a file for each user that has (not all users have to have it) an email address. And you can indeed read the mail from those files.
Then you can redirect the mail to anywhere else with the sendmail tool.