ADAM, objectGUID, and userProxy

Discussion in 'Active Directory' started by Andrew Blyler, Dec 31, 2003.

  1. I have created userProxy objects in ADAM, and they work great! The only
    issue I have is the application we are trying to move from AD to ADAM
    relies heavily on the objectGUID property. Is there any way to set the
    objectGUID value after the userProxy object is created? I have tried to
    do this and get the following error:

    Error 0x20B1 The attribute cannot be modified because it is owned by the
    system.

    Thanks,
    Andy
     
    Andrew Blyler, Dec 31, 2003
    #1

  2. What are you trying to set it to?
    ObjectGUIDs are going to be automatically generated and as such can't be
    set by hand. This ensures uniqueness.

    What is your reason for trying to set this attribute?

    ~Eric
     
    Eric Fleischman [MSFT], Dec 31, 2003
    #2

  3. I am trying to sync the objectGUID of the userProxy object in ADAM with
    the objectGUID of the user object in AD.

    The reason for this is: An application we have written uses the
    objectGUID heavily for identification. The current LDAP directory is AD
    and we wish to migrate to the userProxy object in ADAM. In order for
    this migration to happen successfully we will have to find a way to set
    the objectGUIDs manually in ADAM so that they match the old objectGUID
    in AD.

    The last resort option would be to migrate the data from the old AD
    objectGUIDs to the new ADAM objectGUIDs

    - Andy
     
    Andrew Blyler, Dec 31, 2003
    #3
  4. There's a way to write objectGuid, although it is disabled by default and we
    discourage it, because you can easily shoot yourself in the foot and break
    the directory if you write a duplicate objectGuid.

    First, you need to enable objectGuid writing via a dsHeuristics bit. You
    need to set the 11th bit. So, the value should look like XXXXXXXXX11XXX (10th
    bit must always be set). This is on the DirectoryService object in config
    partition.

    Then, you need to grant AddGuid right on the partition head. Admins have it
    by default.



    --
    Dmitri Gavrilov
    SDE, Active Directory Core

    This posting is provided "AS IS" with no warranties, and confers no rights.
    Use of included script samples is subject to the terms specified at
    http://www.microsoft.com/info/cpyright.htm
     
    Dmitri Gavrilov [MSFT], Jan 2, 2004
    #4
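The dsHeuristics edit described in the post above, worked through as an added example (this is not code from the thread or from Microsoft). dsHeuristics is a string of single-character flags, counted from position 1, on the Directory Service object in the configuration partition. The post says the 10th character must always be set; MS-ADTS documents this as a check digit, every tenth character being its position divided by ten (10th = '1', 20th = '2'). A value with a wrong check digit is rejected as a whole, so the helper enforces it. Which flag position 11 controls is taken from the post, not verified here.

```python
"""Build and inspect a dsHeuristics string (added example, not from the thread)."""

# Position the post above names as the objectGuid-write switch (assumption from the thread).
ALLOW_WRITE_OBJECT_GUID_POS = 11


def _with_check_digits(flags: str) -> str:
    """Return flags with every tenth character forced to its check digit."""
    chars = list(flags)
    for pos in range(10, len(chars) + 1, 10):
        chars[pos - 1] = str(pos // 10)
    return "".join(chars)


def set_heuristic(current: str, position: int, value: str = "1") -> str:
    """Return a dsHeuristics string with the 1-based `position` set to `value`.

    Shorter strings are padded with '0'; all other positions keep their
    current value, so an existing setting is never clobbered by accident.
    """
    if position < 1 or position % 10 == 0:
        raise ValueError("position must be >= 1 and not a check-digit slot")
    if len(value) != 1:
        raise ValueError("each heuristic is a single character")
    chars = list(current.ljust(position, "0"))
    chars[position - 1] = value
    return _with_check_digits("".join(chars))


def get_heuristic(current: str, position: int) -> str:
    """Return the character at 1-based `position`, or '0' if the string is shorter."""
    return current[position - 1] if len(current) >= position else "0"


def validate(current: str) -> bool:
    """True if every tenth character carries the expected check digit."""
    return current == _with_check_digits(current)


if __name__ == "__main__":
    # Starting from an empty value, enable the 11th heuristic as the thread does.
    new_value = set_heuristic("", ALLOW_WRITE_OBJECT_GUID_POS)
    print(new_value)
    # The value posted later in the thread passes; one with the 10th slot unset does not.
    print(validate("00000000011000"), validate("00000000001"))
```

Reading the current value first and passing it as `current` is the point: the attribute holds every other heuristic the forest relies on, so the write should be a one-character change, not a fresh string.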
  5. I changed the value of dsHeuristics to a value of '00000000011000' and
    then stopped and started ADAM.

    After starting ADAM back up I tried to modify a user's objectGUID via
    LDP. The output was:

    ***Call Modify...
    ldap_modify_s(ld, 'CN=c-user,CN=Users,O=Domain,C=US',[1] attrs);
    Error: Modify: Constraint Violation. <19>
    Server error: 000020B1: AtrErr: DSID-030F0C58, #1:
    0: 000020B1: DSID-030F0C58, problem 1005 (CONSTRAINT_ATT_TYPE), data 0,
    Att 90002 (objectGUID)

    Error 0x20B1 The attribute cannot be modified because it is owned by the
    system.

    I am assuming that the objectGUID can only be modified when the object
    is created? Am I correct in this assumption?

    I then tried to create a user object with a specific objectGUID using
    LDP and got the following output:

    ***Calling Add...
    ldap_add_ext_s(ld, 'CN=ablyler2,CN=Users,O=Domain,C=US',[2] attrs,
    SvrCtrls, ClntCtrls);
    Error: Add: Constraint Violation. <19>
    Server error: 00002081: AtrErr: DSID-03151266, #1:
    0: 00002081: DSID-03151266, problem 1005 (CONSTRAINT_ATT_TYPE), data 0,
    Att 90002 (objectGUID)

    Error 0x2081 Multiple values were specified for an attribute that can
    have only one value.
     
    Andrew Blyler, Jan 5, 2004
    #5
  6. That is working great, thanks. Is there any similar bit to allow
    creation of a user object with a specific objectSID?

    Thanks again,
    Andy
     
    Andrew Blyler, Jan 5, 2004
    #6
  7. That's right. You can't change the guid once the object is created. But you
    can specify a guid at creation time. And you can only supply a single value.
    What did your add look like? I mean which attributes and values did you
    supply?

    BTW, you did not need a restart for dsHeuristics to take effect.

    --
    Dmitri Gavrilov
    SDE, Active Directory Core

     
    Dmitri Gavrilov [MSFT], Jan 5, 2004
    #7
  8. I tried to create a user object with the DN, objectClass, and
    objectGUID. I only had single values for each of the attributes.

    After LDP failed, I tried using ADSI and it worked just fine. :)
     
    Andrew Blyler, Jan 5, 2004
    #8
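The add described in the two posts above, as an added example (not code from the thread): objectGUID is a single 16-byte binary value, and AD/ADAM store it in the Windows GUID byte order (the first three fields little-endian, the rest as written). Python's `uuid.UUID` exposes exactly that layout as `bytes_le`. The GUID string is the one that appears later in the thread; the DN and object class are constructed sample values, and a real userProxy add would need its other mandatory attributes as well.

```python
"""Encode a GUID for a single-valued LDAP add of objectGUID (added example)."""
import base64
import uuid


def guid_to_bytes(guid_text: str) -> bytes:
    """Return the 16-byte objectGUID value for a textual GUID."""
    return uuid.UUID(guid_text).bytes_le


def bytes_to_guid(raw: bytes) -> str:
    """Inverse of guid_to_bytes; refuses anything that is not 16 bytes."""
    if len(raw) != 16:
        raise ValueError(f"objectGUID must be 16 bytes, got {len(raw)}")
    return str(uuid.UUID(bytes_le=raw))


def build_add_ldif(dn: str, object_class: str, guid_text: str) -> str:
    """Render an LDIF add entry carrying objectGUID as ONE binary value.

    The LDP attempt in the thread failed with 0x2081 (multiple values for a
    single-valued attribute); LDIF's '::' base64 form makes it explicit that
    exactly one 16-byte value is being sent.
    """
    guid_b64 = base64.b64encode(guid_to_bytes(guid_text)).decode("ascii")
    return "\n".join([
        f"dn: {dn}",
        "changetype: add",
        f"objectClass: {object_class}",
        f"objectGUID:: {guid_b64}",
        "",
    ])


def guid_from_ldif(ldif: str) -> str:
    """Pull the objectGUID back out of an LDIF entry and return its text form."""
    for line in ldif.splitlines():
        if line.startswith("objectGUID:: "):
            return bytes_to_guid(base64.b64decode(line[len("objectGUID:: "):]))
    raise ValueError("no base64 objectGUID in entry")


if __name__ == "__main__":
    # Constructed sample: the GUID string posted later in the thread, a made-up DN.
    sample_guid = "51077827-8da4-4e29-9214-6a51d9992f4e"
    entry = build_add_ldif("CN=ablyler2,CN=Users,O=Domain,C=US", "user", sample_guid)
    print(entry)
    print(guid_from_ldif(entry) == sample_guid)
```

Whatever client you use, the value that goes on the wire must be the 16 raw bytes, not the 36-character string and not a hex dump; the round trip through `guid_from_ldif` is the cheap check that the encoding you are about to send decodes to the GUID you meant.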
  9. No, not the SID. Why would you want that?
    Allowing to stamp a SID is a security risk. Say, you read the SID off your
    CEO user object, then create yourself a user with the same SID. Now you have
    the same rights as your CEO!

    --
    Dmitri Gavrilov
    SDE, Active Directory Core

     
    Dmitri Gavrilov [MSFT], Jan 5, 2004
    #9
  10. Well, there actually is a way, but it is very VERY dangerous. It is disabled
    by default. If you have replicating instances, assigning a guid on obj
    creation (especially a guid that has been in use previously), is probably
    the easiest way to cause replication meltdown.

    Why do you need this? Please describe your scenario, perhaps we will be able
    to suggest something more civilized. For example, you can "undelete" an
    object that has not yet been garbage-collected. It will retain the guid.

    --
    Dmitri Gavrilov
    SDE, Active Directory Core

     
    Dmitri Gavrilov [MSFT], Dec 7, 2004
    #10
  11. There is an application that was built in house that uses ObjectGUID as
    the unique identifier for Active Directory users. We are moving to
    using ADAM (single instance, no replication) with userProxy objects for
    AD users. Contractors will also be included into ADAM as user objects,
    since they may only be with the company for a week and management does
    not want them to have an account in AD.

    We are trying to decide whether to use the objectGUID field or try to
    use another field for identification of user objects. Maybe we should
    sync the objectGUID field from AD to a different field in ADAM?

    On the topic of undeleting objects from ADAM. I tried to follow
    http://support.microsoft.com/default.aspx?scid=kb;en-us;840001#5 But ldp
    is not allowing me to remove, or modify, the isDeleted attribute from
    the userProxy object that is in the Deleted Objects OU. Is there a
    trick to making this work in ADAM?

    Thanks,
    Andy
     
    Andrew Blyler, Dec 8, 2004
    #11
  12. Hi

    I have managed to reanimate deleted userProxy objects in ADAM
    using the recipe in KB840001.

    You do need to be an ADAM Administrator to do it.

    Lee Flight
     
    Lee Flight, Dec 8, 2004
    #12
  13. The user account I am binding with is an Administrator in ADAM.

    When I try to delete the "isDeleted" attribute from the deleted
    userProxy object the following error is returned in LDP:

    ***Call Modify...
    ldap_modify_s(ld,
    'CN=ablyler\0ADEL:51077827-8da4-4e29-9214-6a51d9992f4e,CN=Deleted
    Objects,DC=domain,DC=com',[0] attrs);
    Error: Modify: Unwilling To Perform. <53>
    Server error: 00000057: LdapErr: DSID-0C090A04, comment: Error in
    attribute conversion operation, data 0, vece
    Error 0x57 The parameter is incorrect.
     
    Andrew Blyler, Dec 8, 2004
    #13
  14. Hi

    you need to delete isDeleted and replace the distinguishedName
    in a single run as per the article, see the note to step 9b. Also
    you need to check the Extended box on the modify page, step
    9h in the article.

    Does that help?
    Lee Flight
     
    Lee Flight, Dec 8, 2004
    #14
  15. 9b is where I am getting that error, and I am hitting return on the
    keyboard not hitting the "run" button.

     
    Andrew Blyler, Dec 8, 2004
    #15
  16. No, no

    "Click the Delete option button, and then click Enter to make the first of
    two entries in the Entry List dialog."

    "Enter" there is the Enter button on the modify dialog pane...

    HTH
    Lee Flight
     
    Lee Flight, Dec 8, 2004
    #16
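The KB840001 reanimation step the last few posts walk through, as an added example (not code from the thread or from the KB article): the `isDeleted` delete and the `distinguishedName` replace have to travel in one modify operation, and the request has to carry the Show Deleted Objects control (OID 1.2.840.113556.1.4.417), which is what the "Extended" checkbox in LDP adds. The tombstone DN is the one posted in the thread; the target container `CN=Users,DC=domain,DC=com` is an assumption.

```python
"""Build the single modify that reanimates a tombstone (added example)."""
SHOW_DELETED_CONTROL = "1.2.840.113556.1.4.417"
DELETED_MARKER = "\\0ADEL:"  # escaped newline + 'DEL:' exactly as LDP prints the RDN


def parse_tombstone_dn(dn: str) -> tuple[str, str, str]:
    """Split 'CN=name\\0ADEL:<guid>,CN=Deleted Objects,...' into
    (original cn, objectGUID text, deleted-objects container DN)."""
    rdn, _, parent = dn.partition(",")
    if not rdn.startswith("CN=") or DELETED_MARKER not in rdn:
        raise ValueError("not a tombstone DN")
    name, guid = rdn[3:].split(DELETED_MARKER, 1)
    return name, guid, parent


def build_undelete(dn: str, target_parent: str) -> dict:
    """Return the request as a plain structure: both changes in ONE operation,
    plus the control that must accompany it. Splitting the two changes into
    separate modifies is what the server refuses."""
    name, _guid, _container = parse_tombstone_dn(dn)
    new_dn = f"CN={name},{target_parent}"
    return {
        "dn": dn,
        "controls": [SHOW_DELETED_CONTROL],
        "changes": [
            ("delete", "isDeleted", None),
            ("replace", "distinguishedName", new_dn),
        ],
    }


def undelete_ldif(dn: str, target_parent: str) -> str:
    """Render the same request as LDIF; the control line follows RFC 2849."""
    req = build_undelete(dn, target_parent)
    lines = [
        f"dn: {req['dn']}",
        f"control: {SHOW_DELETED_CONTROL} true",
        "changetype: modify",
    ]
    for op, attr, value in req["changes"]:
        lines.append(f"{op}: {attr}")
        if value is not None:
            lines.append(f"{attr}: {value}")
        lines.append("-")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    tombstone = ("CN=ablyler\\0ADEL:51077827-8da4-4e29-9214-6a51d9992f4e,"
                 "CN=Deleted Objects,DC=domain,DC=com")
    print(undelete_ldif(tombstone, "CN=Users,DC=domain,DC=com"))  # assumed target container
```

The structure returned by `build_undelete` is what you would hand to any LDAP client library's modify call (with the control attached); the LDIF rendering is the same request in a form you can diff against what LDP shows before clicking Run.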
  17. Ah, good call. Now I am getting a different error:

    ***Call Modify...
    ldap_modify_ext_s(ld,
    'CN=ablyler\0ADEL:51077827-8da4-4e29-9214-6a51d9992f4e,CN=Deleted
    Objects,DC=domain,DC=com',[2] attrs, SvrCtrls, ClntCtrls);
    Error: Modify: Unwilling To Perform. <53>
    Server error: 00002077: SvcErr: DSID-030F1606, problem 5003
    (WILL_NOT_PERFORM), data 0

    Error 0x2077 Illegal modify operation. Some aspect of the modification
    is not permitted.

     
    Andrew Blyler, Dec 8, 2004
    #17
  18. You are hitting a rare codepath. It is disallowed to undelete yourself.
    Undelete is blocked when the SID of the object being undeleted matches the
    user sid in your token. This is a security measure. If an admin has deleted
    your user account, you should not be able to undelete yourself. This
    especially applies to fired admins.

    --
    Dmitri Gavrilov
    SDE, Active Directory Core


     
    Dmitri Gavrilov [MSFT], Dec 8, 2004
    #18
  19. Regarding your objectGUID question. You have two options:
    1) sync AD's objectGuid into some other (indexed!) attribute in ADAM
    or
    2) use objectSid as the reference. These are writable on proxies on
    creation.

    --
    Dmitri Gavrilov
    SDE, Active Directory Core

     
    Dmitri Gavrilov [MSFT], Dec 8, 2004
    #19
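Option 2 above keys on objectSid, and the post before it explains that an undelete is refused when the tombstone's SID equals the caller's. Both need the SID in its `S-1-5-...` text form and in the raw binary form the directory stores, so this added example (not code from the thread) shows the conversion in both directions and a client-side pre-check written the way the server rule is described. The sample SIDs are constructed; the layout (revision byte, sub-authority count, 6-byte big-endian identifier authority, little-endian 32-bit sub-authorities) is the standard Windows SID encoding.

```python
"""objectSid text <-> binary, and the self-undelete check (added example)."""
import struct


def sid_to_bytes(sid_text: str) -> bytes:
    """Encode 'S-R-IA-SA1-SA2...' into the binary SID layout."""
    parts = sid_text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("malformed SID string")
    revision = int(parts[1])
    authority = int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:
        raise ValueError("at most 15 sub-authorities")
    raw = struct.pack("BB", revision, len(subs))
    raw += authority.to_bytes(6, "big")
    raw += b"".join(struct.pack("<I", s) for s in subs)
    return raw


def bytes_to_sid(raw: bytes) -> str:
    """Decode the binary layout back to text, validating the declared length."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = struct.unpack("BB", raw[:2])
    if len(raw) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match length")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack(f"<{count}I", raw[8:])
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


def rid(sid_text: str) -> int:
    """The relative identifier: the last sub-authority."""
    return int(sid_text.rsplit("-", 1)[1])


def undelete_permitted(tombstone_sid: bytes, caller_sid: bytes) -> bool:
    """Mirror of the server-side rule quoted in the thread: refuse when the
    object being reanimated carries the caller's own SID. Comparing the
    canonical text forms avoids false mismatches on padding or case."""
    return bytes_to_sid(tombstone_sid) != bytes_to_sid(caller_sid)


if __name__ == "__main__":
    # Constructed sample SIDs: a deleted user and the admin attempting the undelete.
    deleted_user = sid_to_bytes("S-1-5-21-1111111111-2222222222-3333333333-1105")
    admin = sid_to_bytes("S-1-5-21-1111111111-2222222222-3333333333-500")
    print(deleted_user.hex())
    print(undelete_permitted(deleted_user, admin), undelete_permitted(deleted_user, deleted_user))
```

If the application keys users on objectSid, index the attribute and store the text form alongside it for readability; the binary form is what the directory compares, and the text form is what shows up in logs when a lookup fails.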
  20. Thank you Dmitri and Lee, after binding as a different Administrative
    account I was able to undelete the object. :)

     
    Andrew Blyler, Dec 8, 2004
    #20