Active Directory Cookbook for windows server 2003- P14 pps

Fill in the information for the naming context, container, or OU that contains the object you want to rename.. 4.19.3.1 Using a graphical user interface If the parent container of the o

Trang 1

4.19.2 Solution

4.19.2.1 Using a graphical user interface

1 Open ADSI Edit

2 If an entry for the naming context you want to browse is not already displayed, do the following:

3 Right-click on ADSI Edit in the right pane and click Connect to

4 Fill in the information for the naming context, container, or OU that contains the object you want to rename Click on the Advanced button if you need to enter alternate

credentials

5 In the left pane, browse to the container or OU that contains the object you want to modify Once you've found the object, right-click on it and select Rename

6 Enter the new name and click OK

4.19.2.2 Using a command-line interface

> dsmove "<ObjectDN>" -newname "<NewName>"

4.19.2.3 Using VBScript

' This code renames an object and leaves it in the same location

' - SCRIPT CONFIGURATION -

strCurrentParentDN = "<CurrentParentDN>"

strObjectOldName = "cn=<OldName>"

strObjectNewName = "cn=<NewName>"

' - END CONFIGURATION -

set objCont = GetObject("LDAP://" & strCurrentParentDN)

objCont.MoveHere "LDAP://" & strObjectOldName & "," & _

strCurrentParentDN, strObjectNewName

4.19.3 Discussion

Before you rename an object, ensure no applications reference it by name You can make objects rename-safe by requiring all applications that must store a reference to objects to use the GUID

of the object, not the name The GUID (stored in the objectGUID attribute) is guaranteed to be unique and does not change when an object is renamed

If the parent container of the object you want to rename has a lot of objects in it, you may want

to add a new connection entry for the DN of the object you want to rename This may save you time searching through the list of objects in the container You can do this by right-clicking ADSI Edit and selecting Connect to Under Connection Point, select Distinguished Name and enter the DN of the object you want to rename

Trang 2

The two parameters that are needed to rename an object are the original DN of the object and the new RDN (-newname) The -s option can also be used to specify a server name to work against

The MoveHere method can be tricky to use, so an explanation of how to use it to rename objects

is in order First, you need to call GetObject on the parent container of the object you want to rename Then call MoveHere on the parent container object and specify the ADsPath of the object

to rename as the first parameter The new RDN including prefix (e.g., cn=) of the object should

be the second parameter

4.19.4 See Also

MSDN: IADsContainer::MoveHere

Recipe 4.20 Deleting an Object

4.20.1 Problem

You want to delete an object

4.20.2 Solution

1 Open ADSI Edit

2 If an entry for the naming context you want to browse is not already displayed, do the following:

a Right-click on ADSI Edit in the right pane and click Connect to

b Fill in the information for the naming context, container, or OU that contains the object you want to delete Click on the Advanced button if you need to enter alternate credentials

3 In the left pane, browse to the object you want to delete

4 Right-click on the object and select Delete

5 Click Yes to confirm

> dsrm "<ObjectDN>"

strObjectDN = "<ObjectDN>"

set objUser = GetObject("LDAP://" & strObjectDN)

objUser.DeleteObject(0)

Trang 3

This recipe covers deleting individual objects If you want to delete a container or OU and all the objects in it, take a look at Recipe 4.21

If the parent container of the object you want to delete has a lot of objects in it, you may want to add a new connection entry for the DN of the object you want to delete This may save you time searching through the list of objects in the container and could help avoid accidental deletions You can do this by right-clicking ADSI Edit and selecting Connect to Under Connection Point, select Distinguished Name and enter the DN of the object you want to delete

The dsrm utility can be used to delete any type of object (no limitations based on object type as with dsadd and dsmod) The only required parameter is the DN of the object to delete You can also specify -noprompt to keep it from asking for confirmation before deleting The -s parameter can be used as well to specify a specific server to target

Using the DeleteObject method is straightforward Passing 0 as a parameter is required, but does not have any significance at present

An alternate and perhaps safer way to delete objects is to use the IADsContainer::Delete method To use this method, you must first bind to the parent container of the object You can then call Delete by passing the object class and RDN of the object you want to delete Here is an example for deleting a user object:

set objCont = GetObject("LDAP://ou=Sales,dc=rallencorp,dc=com")

objCont.Delete "user", "cn=rallen"

Delete is safer than DeleteObject because you have to be more explicit about what you are deleting With DeleteObject you only need to specify a distinguished name and it will delete it

If you happen to type the DN or the user input to a web page that uses this method is mis-typed, the result could be disastrous

4.20.4 See Also

Recipe 4.21 for deleting a container, MS KB 258310 (Viewing Deleted Objects in Active

Directory), MSDN: IADsContainer::Delete, and MSDN: IADsDeleteOps::DeleteObject

Trang 4

Recipe 4.21 Deleting a Container That Has Child

Objects

4.21.1 Problem

You want to delete a container or organizational unit and all child objects contained within

4.21.2 Solution

Open ADSI Edit and follow the same steps as in Recipe 4.20 The only difference is that you'll

be prompted to confirm twice instead of once before the deletion occurs

> dsrm "<ObjectDN>" -subtree

The same code from Recipe 4.20 will also delete containers and objects contained within them

As you can see from the solutions, there is not much difference between deleting a leaf node versus deleting a container that has child objects However, there is a distinction in what is happening in the background

Deleting an object that has no children can be done with a simple LDAP delete operation On the other hand, to delete a container and its children, the tree-delete LDAP control has to be used If you were to do the deletion from an LDAP-based tool like LDP, you would first need to enable the "Subtree Delete" control, which has an OID of 1.2.840.113556.1.4.805 LDP provides

another option to do a "Recursive Delete" from the client side That will essentially iterate through all the objects in the container, deleting them one by one The Subtree Delete is much more efficient, especially when dealing with large containers

4.21.4 See Also

Recipe 4.20 for deleting objects and MSDN: IADsDeleteOps::DeleteObject

Trang 5

Recipe 4.22 Viewing the Created and Last Modified Timestamp of an Object

4.22.1 Problem

You want to determine when an object was either created or last updated

4.22.2 Solution

1 Follow the steps in Recipe 4.2

2 Ensure that createTimestamp and modifyTimestamp are included in the list of attributes

to be returned by looking at Attributes under Options Search

> dsquery * "<ObjectDN>" -attr name createTimestamp modifyTimestamp

' This code prints the created and last modified timestamp

' for the specified object

strObjectDN = "<ObjectDN>"

' - END CONFIGURATION -

set objEntry = GetObject("LDAP://" & strObjectDN)

Wscript.Echo "Object Name: " & objEntry.Get("name")

Wscript.Echo " Created: " & objEntry.Get("createTimestamp")

Wscript.Echo " Changed: " & objEntry.Get("modifyTimestamp")

When an object is created or modified in Active Directory, the createTimestamp and

modifyTimestamp attributes get set with the current time Those two attributes are replicated, so assuming the latest modification of the object in question has replicated to all domain controllers, they will contain the absolute create and last modified timestamps

You may have also run across the whenCreated and whenChanged attributes They also contain create and modify timestamps, but these values are local to the domain controller and are not replicated

4.22.4 See Also

Recipe 4.2 for viewing the attributes of an object

Trang 6

Recipe 4.23 Modifying the Default LDAP Query Policy

4.23.1 Problem

You want to view or modify the default LDAP query policy of a forest The query policy

contains settings that restrict search behavior, such as the maximum number of entries that can

be returned from a search

4.23.2 Solution

1 Open ADSI Edit

2 In the Configuration partition, browse to Services Windows NT Directory Service

Query Policies

3 In the left pane, click on the Query Policies container, then right-click on the Default Query Policy object in the right pane, and select Properties

4 Double-click on the lDAPAdminLimits attribute

5 Click on the attribute you want to modify and click Remove

6 Modify the value in the Value to add box and click Add

7 Click OK twice

To view the current settings, use the following command:

> ntdsutil "ldap pol" conn "con to server <DomainControllerName>" q "show

values"

To change the MaxPageSize value to 2000, you can do the following:

> ntdsutil "ldap pol" conn "con to server <DomainControllerName>" q

ldap policy: set MaxPageSize to 2000

ldap policy: Commit Changes

' This code modifies a setting of the default query policy for a forest

pol_attr = "MaxPageSize" ' Set to the name of the setting you want to modify new_value = 1000 ' Set to the value of the setting you want modify ' - END CONFIGURATION -

Const ADS_PROPERTY_APPEND = 3

Const ADS_PROPERTY_DELETE = 4

Trang 7

rootDSE.Get("configurationNamingContext") )

set regex = new regexp

regex.IgnoreCase = true

regex.Pattern = pol_attr & "="

for Each prop In ldapPol.GetEx("ldapAdminLimits")

if regex.Test(prop) then

if prop = pol_attr & "=" & new_value then

WScript.Echo pol_attr & " already equal to " & new_value

else

ldapPol.PutEx ADS_PROPERTY_APPEND, "lDAPAdminLimits", _

Array( pol_attr & "=" & new_value )

ldapPol.SetInfo

ldapPol.PutEx ADS_PROPERTY_DELETE, "lDAPAdminLimits", Array(prop) ldapPol.SetInfo

WScript.Echo "Set " & pol_attr & " to " & new_value

end if

Exit For

end if

The LDAP query policy contains several settings that control how domain controllers handle searches By default, one query policy is defined for all domain controllers in a forest, but you can create additional ones and apply them to a specific domain controller or even at the site level (so that all domain controllers in the site use that policy)

Query policies are stored in the Configuration NC as queryPolicy objects The default query policy is located at: cn=Default Query Policy, cn=Query-Policies, cn=Directory Service, cn=Windows NT, cn=Services, <ConfigurationPartitionDN> The lDAPAdminLimits

attribute of a queryPolicy object is multivalued and contains each setting for the policy in name-value pairs Table 4-4 contains the available settings

Table 4-4 LDAP query policy settings

MaxPoolThreads 4 per proc Maximum number of threads that are created by the DC

for query execution

MaxDatagramRecv 4096 Maximum number of datagrams that can be

simultaneously processed by the DC

MaxReceiveBuffer 10485760

Maximum size in bytes for an LDAP request that the server will attempt to process If the server receives a request that is larger then this value, it will close the connection

Trang 8

Table 4-4 LDAP query policy settings

MaxConnections 5000 Maximum number of open connections

MaxConnIdleTime 900 secs Maximum amount of time a connection can be idle MaxActiveQueries 20 Maximum number of queries that can be active at one

time

MaxPageSize 1000 Maximum page size that is supported for LDAP

responses

MaxQueryDuration 120 secs Maximum length of time the domain controller can

execute a query

MaxTempTableSize 10000 Maximum size of temporary storage that is allocated to

execute queries

MaxResultSetSize 262144 Maximum size of the LDAP Result Set

MaxNotificationPerConn 5 Maximum number of notifications that a client can

request for a given connection

Since the settings are stored as name/value pairs inside a single attribute, also referred to as AVAs, the VBScript solution has to iterate over each value and use a regular expression to determine when the target setting has been found It does this by matching <SettingName>= at the beginning of the string See Recipe 4.16 for more on AVAs

You should not change the default query policy in production unless you've done plenty of testing Changing some of the settings may result in

unexpected application or domain controller behavior

Instead of modifying the default LDAP query policy, you can create a new one In the Query Policies container (where the default query policy object is located), create a new

queryPolicy object and set the lDAPAdminLimits attribute as just described based on the

settings you want configured Then modify the queryPolicyObject attribute on the nTDSDSA object of a domain controller you want to apply the new policy to This can be done via the Active Directory Sites and Services snap-in by browsing to the nTDSDSA object of a domain controller (cn=NTDS Settings), right-clicking on it, and selecting Properties You can then select the new policy from a drop-down menu beside Query Policy Click OK to apply the new policy

4.23.4 See Also

Trang 9

Recipe 4.24 Exporting Objects to an LDIF File

4.24.1 Problem

You want to export objects to an LDAP Data Interchange Format (LDIF) file

4.24.2 Solution

None of the standard Microsoft tools support exporting LDIF from a GUI

> ldifde -f output.ldf -l <AttrList> -p <Scope> -r "<Filter>" -d "<BaseDN>"

There are no COM or VBScript-based interfaces to LDIF With Perl you can use the

Net::LDAP::LDIF module, which supports reading and writing LDIF files

The LDIF specification defined in RFC 2849 describes a well-defined file-based format for representing directory entries The format is intended to be both human and machine parseable, which adds to its usefulness LDIF is the de facto standard for importing and exporting a large number of objects in a directory and is supported by virtually every directory vendor including Microsoft

The -f switch specifies the name of the file to use to save the entries to, -s is the DC to query, -l

is the comma-separated list of attributes to include, -p is the search scope, -r is the search filter, and -d is the base DN If you encounter any problems using ldifde, the -v switch enables verbose mode and can help identify problems

4.24.4 See Also

Recipe 4.25 for importing objects using LDIF, RFC 2849 (The LDAP Data Interchange Format (LDIF)—Technical Specification), and MS KB 237677 (Using LDIFDE to Import and Export Directory Objects to Active Directory)

Trang 10

Recipe 4.25 Importing Objects Using an LDIF File

4.25.1 Problem

You want to import objects into Active Directory using an LDIF file The file could contain object additions, modifications, and/or deletions

4.25.2 Solution

To import objects using the ldifde utility, you must first create an LDIF file with the objects to add, modify, or delete Here is an example LDIF file that adds a user, modifies the user twice, and then deletes the user:

dn: cn=jsmith,cn=users,dc=rallencorp,dc=com

changetype: add

objectClass: user

samaccountname: jsmith

sn: JSmith

useraccountcontrol: 512

changetype: modify

add: givenName

givenName: Jim

-

replace: sn

sn: Smith

-

changetype: delete

Once you've created the LDIF file, you just need to run the ldifde command to import the new objects

> ldifde -i -f input.ldf

For more information on the LDIF format, check RFC 2849

To import with ldifde, simply specify the -i switch to turn on import mode and -f<filename>

Tiêu đề	Active Directory Cookbook for Windows Server 2003
Trường học	University of Information Technology
Chuyên ngành	Computer Science
Thể loại	cookbook
Năm xuất bản	2003
Thành phố	Ho Chi Minh City

Định dạng
Số trang	10
Dung lượng	36,82 KB