Active Directory Attributes

Considering Active Directory Migration?

2009-02-06T10:26:00.001-08:00

Whether migrating or restructuring to meet specific economic challenges, undergoing acquisition, mergers or divestitures, Winzero Active Directory Migrator provides the features necessary to meet your evolving needs and budget.

Winzero has released the next solution in Active Directory Migration Challenges - Winzero Active Directory Migrator, ensuring coexistence between migrated and un-migrated users, simplifing the migration processes with automated resource updating and continued support during and after the migration process.

Exchange Server 2007 New Property Sets

2008-10-26T09:43:00.000-07:00

Property sets in Exchange Server 2007 for attribute grouping enables access control for specific object properties. Property sets use one single Access Control Entry (ACE) instead of an ACE for each individual property.

Exchange Server 2007 creates two new property sets exclusively for itself and doesn’t use existing Active Directory property sets.

Exchange Server 2007 SP1 Schema Extensions
Exchange Server 2007 SP1 comes with a lot of additional Schema extensions:

ms-Exch-Foreign-Forest-Public-Folder-Admin-USG-Sid,

ms-Exch-Internal-NLB-Bypass-Host-Name,

ms-Exch-Mobile-Additional-Flags,

ms-Exch-Mobile-Allow-Bluetooth,

ms-Exch-Mobile-Allow-SMIME-Encryption-Algorithm-Negotiation,

ms-Exch-Mobile-Approved-Application-List,

ms-Exch-Mobile-Max-Calendar-Age-Filter,

ms-Exch-Mobile-Max-Email-Age-Filter,

ms-Exch-Mobile-Max-Email-Body-Truncation-Size,

ms-Exch-Mobile-Max-Email-HTML-Body-Truncation-Size,

ms-Exch-Mobile-Min-Device-Password-Complex-Characters,

ms-Exch-Mobile-Require-Encryption-SMIME-Algorithm,

ms-Exch-Mobile-Require-Signed-SMIME-Algorithm,

ms-Exch-Mobile-Unapproved-In-ROM-Application-List,

ms-Exch-Standby-Copy-Machines,

Completely Removing a Mailbox Enabled User's Mailbox

2008-09-02T13:25:00.000-07:00

If an object is a mailbox enabled user with a valid mailbox, the "Delete Mailbox" option will be available only if there is a mailbox (so a distribution list would have a "Remove email address" option instead).

The "Remove Exchange Attributes" option is available for ANY type of recipient object, mail enabled or not. This option is extremely useful when there is a need to "clear" the attributes in case that some of them were damaged or not valid for some reason. Let's say there is a mailbox enabled user that had some of his attributes changed by some process, and because of that, you cannot use the "Delete Mailbox" option. You can always run AdSearch and "clear out" the values so you can start fresh with mailbox enabling that user again.

Remove Exchange Attributes removes the following attributes as long as they actually exist as available attributes of that schema object:

You can use ADSearch to report the status of each attribute by copying the list below and adding it to the objects attribute properties.

adminDisplayName
altRecipient
authOrig
autoReplyMessage (ILS Settings)
deletedItemFlags
delivContLength
deliverAndRedirect
displayNamePrintable
dLMemDefault
dLMemRejectPerms
dLMemSubmitPerms
extensionAttribute1
extensionAttribute10
extensionAttribute11
extensionAttribute12
extensionAttribute13
extensionAttribute14
extensionAttribute15
extensionAttribute2
extensionAttribute3
extensionAttribute4
extensionAttribute5
extensionAttribute6
extensionAttribute7
extensionAttribute8
extensionAttribute9
folderPathname (Outlook Web Access Server)
garbageCollPeriod
homeMDB (Exchange Mailbox Store)
homeMTA
internetEncoding
legacyExchangeDN
mail (E-Mail Address)
mailNickname (Alias)
mAPIRecipient
mDBOverHardQuotaLimit
mDBOverQuotaLimit
mDBStorageQuota
mDBUseDefaults
msExchADCGlobalNames
msExchControllingZone
msExchExpansionServerName
msExchFBURL
msExchHideFromAddressLists
msExchHomeServerName (Exchange Home Server)
msExchMailboxGuid
msExchMailboxSecurityDescriptor
msExchPoliciesExcluded
msExchPoliciesIncluded
msExchRecipLimit
msExchResourceGUID
protocolSettings
proxyAddresses (Proxy Addresses)
publicDelegates
securityProtocol
showInAddressBook
submissionContLength
targetAddress
textEncodedORAddress
unauthOrig

In addition to removing the attributes above, the Delete Mailbox option also removes the mailbox information from the dsaccess cache. Note that this actually leaves the mailbox in place with the expectation that the mailbox cleanup task will take care of it at the appropriate time. So the mailbox is actually NOT deleted (purged) from the Information Store as part of this process. Although it will be purged by the mailbox cleanup task later, or as specified by the "Deletion settings" for mailboxes on the database's Limits tab in ESM.

Windows Groups

2008-04-16T14:54:00.000-07:00

Account Operators
SID: S-1-5-32-548
TYPE: BUILTIN
Exists only on domain controllers. By default, the group has no members. By default, Account Operators have permission to create, modify, and delete accounts for users, groups, and computers in all containers and organizational units (OUs) of Active Directory except the Builtin container and the Domain Controllers OU. Account Operators do not have permission to modify the Administrators and Domain Admins groups, nor do they have permission to modify the accounts for members of those groups.

Administrators
SID: S-1-5-32-544
TYPE: BUILTIN
After the initial installation of the operating system, the only member of the group is the Administrator account. When a computer joins a domain, the Domain Admins group is added to the Administrators group. When a server becomes a domain controller, the Enterprise Admins group also is added to the Administrators group. The Administrators group has built-in capabilities that give its members full control over the system. The group is the default owner of any object that is created by a member of the group.

Authenticated Users
SID: S-1-5-11
A group that includes all users whose identities were authenticated when they logged on. Membership is controlled by the operating system.

Backup Operators
SID: S-1-5-32-551
TYPE: BUILTIN
By default, the group has no members. Backup Operators can back up and restore all files on a computer, regardless of the permissions that protect those files. Backup Operators also can log on to the computer and shut it down.

Batch
SID: S-1-5-3
A group that implicitly includes all users who have logged on through a batch queue facility such as task scheduler jobs. Membership is controlled by the operating system.

Cert Publishers
SID: S-1-5-domain-517
TYPE: Global Group
Includes all computers that are running an enterprise certificate authority. Cert Publishers are authorized to publish certificates for User objects in Active Directory.

Cert Requesters
SID: S-1-5-domain-517
TYPE: Domain Local Group
Members can request certificates

Creator Group
SID: S-1-3-1
A placeholder in an inheritable ACE. When the ACE is inherited, the system replaces this SID with the SID for the primary group of the object's current owner. The primary group is used only by the POSIX subsystem.

Dialup
SID: S-1-5-1
A group that implicitly includes all users who are logged on to the system through a dial-up connection. Membership is controlled by the operating system.

Distributed COM Users
SID: S-1-5-32-562
TYPE: BUILTIN
An alias. A group for COM to provide computerwide access controls that govern access to all call, activation, or launch requests on the computer.

Domain Admins
SID: S-1-5-domain-512
TYPE: Global Group
Members are authorized to administer the domain. By default, the Domain Admins group is a member of the Administrators group on all computers that have joined a domain, including the domain controllers. Domain Admins is the default owner of any object that is created in the domain's Active Directory by any member of the group. If members of the group create other objects, such as files, the default owner is the Administrators group.

Domain Computers
SID: S-1-5-domain-515
TYPE: Global Group
Includes all computers that have joined the domain, excluding domain controllers.

Domain Controllers
SID: S-1-5-domain-516
TYPE: Global Group
Includes all domain controllers in the domain. New domain controllers are added to this group automatically.

Domain Guests
SID: S-1-5-domain-514
TYPE: Global Group
By default, has only one member, the domain's built-in Guest account.

Domain Users
SID: S-1-5-domain-513
TYPE: Global Group
By default, includes all user accounts in a domain. When you create a user account in a domain, it is added to this group automatically.

Enterprise Admins
SID: S-1-5-root domain-519
TYPE: Universal Group
A group that exists only in the root domain of an Active Directory forest of domains. It is a universal group if the domain is in native mode, a global group if the domain is in mixed mode. The group is authorized to make forest-wide changes in Active Directory, such as adding child domains. By default, the only member of the group is the Administrator account for the forest root domain.

Enterprise Controllers
SID: S-1-5-9
A group that includes all domain controllers an Active Directory directory service forest of domains. Membership is controlled by the operating system.

Everyone
SID: S-1-1-0
A group that includes all users, even anonymous users and guests. Membership is controlled by the operating system.

Group Policy Creators Owners
SID: S-1-5-domain-520
TYPE: Global Group
Authorized to create new Group Policy objects in Active Directory. By default, the only member of the group is Administrator. The default owner of a new Group Policy object is usually the user who created it. If the user is a member of Administrators or Domain Admins, all objects that are created by the user are owned by the group. Owners have full control of the objects they own.

Guests
SID: S-1-5-32-546
TYPE BUILTIN
By default, the only member is the Guest account. The Guests group allows occasional or one-time users to log on with limited privileges to a computer's built-in Guest account.

HelpServicesGroup
Group for the Help and Support Center

Incoming Forest Trust Builders
SID: S-1-5-32-557
TYPE: BUILTIN
An alias. Members of this group can create incoming, one-way trusts to this forest.

Interactive
SID: S-1-5-4
A group that includes all users who have logged on interactively. Membership is controlled by the operating system.

Network
SID: S-1-5-2
A group that implicitly includes all users who are logged on through a network connection. Membership is controlled by the operating system.

Network Configuration Operators
SID: S-1-5-32-556
TYPE: BUILTIN
An alias. Members in this group can have some administrative privileges to manage configuration of networking features.

Performance Monitor Users
SID: S-1-5-32-558
TYPE: BUILTIN
An alias. Members of this group have remote access to monitor this computer.

Performance Log Users
SID: S-1-5-32-559
TYPE: BUILTIN
An alias. Members of this group have remote access to schedule logging of performance counters on this computer.

Power Users
SID: S-1-5-32-548
TYPE: BUILTIN
By default, the group has no members. This group does not exist on domain controllers. Power Users can create local users and groups; modify and delete accounts that they have created; and remove users from the Power Users, Users, and Guests groups. Power Users also can install most applications; create, manage, and delete local printers; and create and delete file shares.

Pre-Windows 2000 Compatible Access
SID: S-1-5-32-554
A backward compatibility group which allows read access on all users and groups in the domain

Principal Self or Self
SID: S-1-5-10
A placeholder in an ACE on a user, group, or computer object in Active Directory. When you grant permissions to Principal Self, you grant them to the security principal represented by the object. During an access check, the operating system replaces the SID for Principal Self with the SID for the security principal represented by the object.

Print Operators
SID: S-1-5-32-550
TYPE: BUILTIN
Exists only on domain controllers. By default, the only member is the Domain Users group. Print Operators can manage printers and document queues.

RAS and IAS Servers
SID: S-1-5-domain-533
TYPE: Domain Local Group
By default, this group has no members. Computers that are running the Routing and Remote Access service are added to the group automatically. Members of this group have access to certain properties of User objects, such as Read Account Restrictions, Read Logon Information, and Read Remote Access Information.

Remote Desktop Users
SID: S-1-5-32-555
Members in this group are granted the right to logon remotely

Replicators
SID: S-1-5-32-552
Windows NT domains, this group is called Replicators and is used by the directory replication service. In 2K/XP the group is present but is not used.

Schema Admins
SID: S-1-5-root domain-518
TYPE: Universal Group
A group that exists only in the root domain of an Active Directory forest of domains. It is a universal group if the domain is in native mode , a global group if the domain is in mixed mode . The group is authorized to make schema changes in Active Directory. By default, the only member of the group is the Administrator account for the forest root domain.

Server Operators
SID: S-1-5-32-549
TYPE: BUILTIN
Exists only on domain controllers. By default, the group has no members. Server Operators can log on to a server interactively; create and delete network shares; start and stop services; back up and restore files; format the hard disk of the computer; and shut down the computer.

Service
SID: S-1-5-6
A group that includes all security principals that have logged on as a service. Membership is controlled by the operating system.

Terminal Server License Servers
SID: S-1-5-32-561
TYPE: BUILTIN
An alias. A group for Terminal Server License Servers. When Windows Server 2003 Service Pack 1 is installed, a new local group is created.

Terminal Server Users
SID: S-1-5-13
TYPE: BUILTIN
A group that includes all users who have logged on to a Terminal Services server. Membership is controlled by the operating system.

Users
SID: S-1-5-32-545
TYPE: BUILTIN
After the initial installation of the operating system, the only member is the Authenticated Users group. When a computer joins a domain, the Domain Users group is added to the Users group on the computer. Users can perform tasks such as running applications, using local and network printers, shutting down the computer, and locking the computer. Users can install applications that only they are allowed to use if the installation program of the application supports per-user installation.

Windows Authorization Access Group
SID: S-1-5-32-560
TYPE: BUILTIN
An alias. Members of this group have access to the computed tokenGroupsGlobalAndUniversal attribute on User objects.

To better understand, report or manage Windows groups see: Winzero GroupManagerPlus

New Attributes in Windows 2008

2008-02-25T16:23:00.000-08:00

ms-DS-AuthenticatedAt-DC
Forward link for ms-DS-AuthenticatedTo-Accountlist; for a User, identifies which DC a user has authenticated to

ms-DS-AuthenticatedTo-Accountlist
Back link for ms-DS-AuthenticatedAt-DC; for a Computer, identifies which users have authenticated to this Computer

ms-DS-Az-Object-Guid
The unique and portable identifier of AzMan objects

ms-DS-Az-Generic-Data
AzMan specific generic data

ms-DS-isGC
For a Directory instance (DSA), Identifies the state of the Global Catalogue on the DSA

ms-DS-isRODC
For a Directory instance (DSA), Identifies whether the DSA is a Read-Only DSA

ms-DS-Maximum-Password-Age
Maximum password age for user accounts.

ms-DS-Minimum-Password-Age
Minimum password age for user accounts.

ms-DS-Minimum-Password-Length
Minimum password length for user accounts.

ms-DS-Password-History-Length
Password history length for user accounts.

ms-DS-Password-Complexity-Enabled
Password complexity status for user accounts.

ms-DS-Password-Reversible-Encryption-Enabled
Password reversible encryption status for user accounts.

ms-DS-Lockout-Observation-Window
Observation window for lockout of user accounts.

ms-DS-Lockout-Duration
Duration of lockout for locked out user accounts.

ms-DS-Lockout-Threshold
Lockout threshold for user accounts

ms-DS-PSO-Applies-To
Links to objects that this password settings object applies to.

ms-DS-PSO-Applied
Password settings object applied to this object.

ms-DS-Resultant-PSO
Resultant password settings object applied to this object.

ms-DS-Password-Settings-Precedence
Password settings precedence.

ms-DS-NC-Type
A bit field that maintains information about aspects of a NC replica that is relevant to replication.

ms-DS-Phonetic-First-Name
Contains the phonetic given name or first name of the person.

ms-DS-Phonetic-Last-Name
Contains the phonetic last name of the person.

ms-DS-Phonetic-Department
Contains the phonetic department name where the person works.

ms-DS-Phonetic-Company-Name
Contains the phonetic company name where the person works.

ms-DS-Phonetic-Display-Name
The phonetic display name of an object. In the absence of a phonetic display name the existing display name is used.

ms-DS-HAB-Seniority-Index
Contains the seniority index as applied by the organization where the person works.

ms-DS-Promotion-Settings
For a Computer, contains a XML string to be used for delegated DSA promotion

ms-DS-SiteName
For a Directory instance (DSA), Identifies the site name that contains the DSA

ms-DS-Supported-Encryption-Types
The encryption algorithms supported by user, computer or trust accounts. The KDC uses this information while generating a service ticket for this account. Services/Computers may automatically update this attribute on their respective accounts in Active Directory, and therefore need write access to this attribute.

ms-DS-Principal-Name
Account name for the security principal (constructed).

ms-DS-NC-RO-Replica-Locations
A linked attribute on a cross ref object for a partition. This attribute lists the DSA instances which should host the partition in a read-only manner.

ms-DS-NC-RO-Replica-Locations-BL
Back link attribute for ms-DS-NC-RO-Replica-Locations

ms-DS-User-Password-Expiry-Time-Computed
Contains the expiry time for the user's current password

ms-DS-KrbTgt-Link
For a computer, Identifies the user object (krbtgt), acting as the domain or secondary domain master secret. Depends on which domain or secondary domain the computer resides in.

ms-DS-Revealed-Users
For a Directory instance (DSA), Identifies the user objects whose secrets have been disclosed to that instance

ms-DS-Has-Full-Replica-NCs
For a Directory instance (DSA), identifies the partitions held as full replicas

ms-DS-Never-Reveal-Group
For a Directory instance (DSA), identifies the security group whose users will never have their secrets disclosed to that instance

ms-DS-Reveal-OnDemand-Group
For a Directory instance (DSA), identifies the security group whose users may have their secrets disclosed to that instance

ms-DS-Secondary-KrbTgt-Number
For a user object (krbtgt), acting as a secondary domain master secret, identifies the protocol identification number associated with the secondary domain.

ms-DS-Revealed-DSAs
Back link for ms-DS-Revealed-Users; for a user, identifies which Directory instances (DSA) hold that user's secret

ms-DS-KrbTgt-Link-BL
Back link for ms-DS-KrbTgt-Link; for a user object (krbtgt) acting as a domain or secondary domain master secret, identifies which computers are in that domain or secondary domain

ms-DS-Is-Full-Replica-For
Back link for ms-Ds-Has-Full-Replica-NCs; for a partition root object, identifies which Directory instances (DSA) hold that partition as a full replica

ms-DS-Is-Domain-For
Back link for ms-DS-Has-Domain-NCs; for a partition root object, identifies which Directory instances (DSA) hold that partition as their primary domain

ms-DS-Is-Partial-Replica-For
Back link for has-Partial-Replica-NCs; for a partition root object, identifies which Directory instances (DSA) hold that partition as a partial replica

ms-DS-Is-User-Cachable-At-Rodc
For a Read-only (RO) directory Instance (DSA) identifies whether the specified user's secrets are cacheable

ms-DS-Revealed-List
For a Directory instance (DSA), Identifies the user objects whose secrets have been disclosed to that instance

ms-DS-Revealed-List-BL
Back link attribute for ms-DS-Revealed-List.

ms-DS-Last-Successful-Interactive-Logon-Time
The time that the correct password was presented during a C-A-D logon.

ms-DS-Last-Failed-Interactive-Logon-Time
The time that an incorrect password was presented during a C-A-D logon.

ms-DS-Failed-Interactive-Logon-Count
The total number of failed interactive logons since this feature was turned on.

ms-DS-Failed-Interactive-Logon-Count-At-Last-Successful-Logon
The total number of failed interactive logons up until the last successful C-A-D logon.

ms-DFSR-Priority
Priority level

ms-DFSR-DeletedPath
Full path of the Deleted directory

ms-DFSR-DeletedSizeInMb
Size of the Deleted directory in MB

ms-DFSR-ReadOnly
Specify whether the content is read-only or read-write

ms-DFSR-CachePolicy
On-demand cache policy options

ms-DFSR-MinDurationCacheInMin
Minimum time in minutes before truncating files

ms-DFSR-MaxAgeInCacheInMin
Maximum time in minutes to keep files in full form

ms-FVE-RecoveryPassword
This attribute contains the password required to recover a Full Volume

ms-FVE-VolumeGuid
This attribute contains the GUID that is associated with the Bit locker-supported volume

ms-FVE-KeyPackage
This attribute contains a volume's Bit locker encryption key, secured by the corresponding password.

ms-FVE-RecoveryGuid
This attribute contains the GUID associated with a Full Volume Encryption (FVE) recovery password.

ms-TPM-OwnerInformation
This attribute contains the owner information for a particular TPM.

ms-net-ieee-80211-GP-PolicyGUID
This attribute contains a GUID which identifies a specific 802.11 group policy object on the domain.

ms-net-ieee-80211-GP-PolicyData
This attribute contains all of the settings and data which comprise a group policy configuration for 802.11 wireless networks.

ms-net-ieee-80211-GP-PolicyReserved
Reserved for future use

ms-net-ieee-8023-GP-PolicyGUID
This attribute contains a GUID which identifies a specific 802.3 group policy object on the domain.

ms-net-ieee-8023-GP-PolicyData
This attribute contains all of the settings and data which comprise a group policy configuration for 802.3 wired networks.

ms-net-ieee-8023-GP-PolicyReserved
Reserved for future use

ms-PKI-RoamingTimeStamp
Time stamp for last change to roaming tokens

ms-PKI-DPAPIMasterKeys
Storage of encrypted DPAPI Master Keys for user

ms-PKI-AccountCredentials
Storage of encrypted user credential token blobs for roaming

ms-RADIUS-FramedInterfaceId
This Attribute indicates the IPv6 interface identifier to be configured for the user.

ms-RADIUS-SavedFramedInterfaceId
This Attribute indicates the IPv6 interface identifier to be configured for the user.

ms-RADIUS-FramedIpv6Prefix
This Attribute indicates an IPv6 prefix (and corresponding route) to be configured for the user.

ms-RADIUS-SavedFramedIpv6Prefix
This Attribute indicates an IPv6 prefix (and corresponding route) to be configured for the user.

ms-RADIUS-FramedIpv6Route
This Attribute provides routing information to be configured for the user on the NAS.

ms-RADIUS-SavedFramedIpv6Route
This Attribute provides routing information to be configured for the user on the NAS.

SAM-Domain-Updates
Contains a bitmask of performed SAM operations on active directory

ms-TS-Profile-Path
Terminal Services Profile Path specifies a roaming or mandatory profile path to use when the user logs on to the Terminal Server. The profile path is in the following network path format: \\servername\profiles folder name\username

ms-TS-Home-Directory
Terminal Services Home Directory specifies the Home directory for the user. Each user on a Terminal Server has a unique home directory. This ensures that application information is stored separately for each user in a multi-user environment. To set a home directory on the local computer, specify a local path; for example, C:\Path. To set a home directory in a network environment, you must first set the TerminalServicesHomeDrive property, and then set this property to a UNC path.

ms-TS-Home-Drive
Terminal Services Home Drive specifies a Home drive for the user. In a network environment, this property is a string containing a drive specification (a drive letter followed by a colon) to which the UNC path specified in the TerminalServicesHomeDirectory property is mapped. To set a home directory in a network environment, you must first set this property and then set the TerminalServicesHomeDirectory property.

ms-TS-Allow-Logon
Terminal Services Allow Logon specifies whether the user is allowed to log on to the Terminal Server. The value is 1 if logon is allowed and 0 if logon is not allowed.

ms-TS-Remote-Control
Terminal Services Remote Control specifies the whether to allow remote observation or remote control of the user's Terminal Services session. For a description of these values, see the RemoteControl method of the Win32_TSRemoteControlSetting WMI class.
0 – Disable
1 – EnableInputNotify
2 – EnableInputNoNotify
3 - EnableNoInputNotify
4 - EnableNoInputNoNotify

ms-TS-Max-Disconnection-Time
Terminal Services Session Maximum Disconnection Time is maximum amount of time, in minutes, that a disconnected Terminal Services session remains active on the Terminal Server. After the specified number of minutes has elapsed, the session is terminated.

ms-TS-Max-Connection-Time
Terminal Services Session maximum Connection Time is Maximum duration, in minutes, of the Terminal Services session. After the specified number of minutes has elapsed, the session can be disconnected or terminated.

ms-TS-Max-Idle-Time
Terminal Services Session Maximum Idle Time is maximum amount of time, in minutes, that the Terminal Services session can remain idle. After the specified number of minutes has elapsed, the session can be disconnected or terminated.

ms-TS-Reconnection-Action
Terminal Services Session Reconnection Action specifies whether to allow reconnection to a disconnected Terminal Services session from any client computer. The value is 1 if reconnection is allowed from the original client computer only and 0 if reconnection from any client computer is allowed.

ms-TS-Broken-Connection-Action
Terminal Services Session Broken Connection Action specifies the action to take when a Terminal Services session limit is reached. The value is 1 if the client session should be terminated and 0 if the client session should be disconnected.

ms-TS-Connect-Client-Drives
Terminal Services Session Connect Client Drives At Logon specifies whether to reconnect to mapped client drives at logon. The value is 1 if reconnection is enabled and 0 if reconnection is disabled.

ms-TS-Connect-Printer-Drives
Terminal Services Session Connect Printer Drives At Logon specifies whether to reconnect to mapped client printers at logon. The value is 1 if reconnection is enabled and 0 if reconnection is disabled.

ms-TS-Default-To-Main-Printer
Terminal Services Default To Main Printer specifies whether to print automatically to the client's default printer. The value is 1 if printing to the client's default printer is enabled and 0 if it is disabled.

ms-TS-Work-Directory
Terminal Services Session Work Directory specifies the working directory path for the user. To set an initial application to start when the user logs on to the Terminal Server, you must first set the TerminalServicesInitialProgram property, and then set this property.

ms-TS-Initial-Program
Terminal Services Session Initial Program specifies the Path and file name of the application that the user wants to start automatically when the user logs on to the Terminal Server. To set an initial application to start when the user logs on, you must first set this property and then set the TerminalServicesWorkDirectory property. If you set only the TerminalServicesInitialProgram property, the application starts in the user's session in the default user directory.

MS-TS-Property01
Placeholder Terminal Server Property

MS-TS-Property02
Placeholder Terminal Server Property

MS-TS-ExpireDate
TS Expiration Date

MS-TS-ExpireDate2
Expiration date of the second TS per user CAL.

MS-TS-ExpireDate3
Expiration date of the third TS per user CAL.

MS-TS-ExpireDate4
Expiration date of the third TS per user CAL.

MS-TS-LicenseVersion
TS License Version

MS-TS-LicenseVersion2
Version of the second TS per user CAL.

MS-TS-LicenseVersion3
Version of the third TS per user CAL

MS-TS-LicenseVersion4
Version of the fourth TS per user CAL.

MS-TS-ManagingLS
TS Managing License Server

MS-TS-ManagingLS2
Issuer name of the second TS per user CAL.

MS-TS-ManagingLS3
Issuer name of the third TS per user CAL.

MS-TS-ManagingLS4
Issuer name of the fourth TS per user CAL.

MS-TSLS-Property01
Placeholder Terminal Server Property 01

MS-TSLS-Property02
Placeholder Terminal Server Property 01

ms-DFSR-DisablePacketPrivacy
Disable packet privacy on a connection

ms-DFSR-DefaultCompressionExclusionFilter
Filter string containing extensions of file types not to be compressed

ms-DFSR-OnDemandExclusionFileFilter
Filter string applied to on demand replication files

ms-DFSR-OnDemandExclusionDirectoryFilter
Filter string applied to on demand replication directories

ms-DFSR-Options2
Object Options2

ms-DFSR-CommonStagingPath
Full path of the common staging directory

ms-DFSR-CommonStagingSizeInMb
Size of the common staging directory in MB

ms-DFSR-StagingCleanupTriggerInPercent
Staging cleanup trigger in percent of free disk space

New Classes in Windows 2008

2008-02-23T09:51:00.000-08:00

New Classes in Windows 2008

ms-DS-Password-Settings
ms-DS-Password-Settings-Container
NTDS-DSA-RO
ms-net-ieee-80211-GroupPolicy
ms-net-ieee-8023-GroupPolicy
ms-FVE-RecoveryInformation

New Inclusions in the GC for Windows 2008

Last-Logon-Timestamp
This is the time that the user last logged into the domain. Whenever a user logs on, the value of this attribute is read from the DC. If the value is older [current_time - msDS-LogonTimeSyncInterval], the value is updated. The initial update after the raise of the domain functional level is calculated as 14 days minus random percentage of 5 days

MS-DRM-Identity-Certificate
The XrML digital rights management certificates for this user.

ms-DS-Phonetic-First-Name
Contains the phonetic given name or first name of the person

ms-DS-Phonetic-Last-Name
Contains the phonetic last name of the person.

ms-DS-Phonetic-Department
Contains the phonetic department name where the person works

ms-DS-Phonetic-Company-Name
Contains the phonetic company name where the person works.

ms-DS-Phonetic-Display-Name
The phonetic display name of an object. In the absence of a phonetic display name the existing display name is used.

ms-DS-HAB-Seniority-Index
Contains the seniority index as applied by the organization where the person works.

ms-FVE-VolumeGuid
This attribute contains the GUID that is associated with the Bit locker-supported volume.

ms-FVE-RecoveryGuid
This attribute contains the GUID associated with a Full Volume Encryption (FVE) recovery password.

Windows tips

2007-11-30T13:15:00.001-08:00

Watch the latest videos on YouTube.com

How to Change System Only Attributes

2007-11-13T18:31:00.000-08:00

Using ADSearch allows you to extract object properties, however, not all properties of an object are changable. If you need to change Active Directory object properties that are set as system only there is a registry key setting that will allow you to set these properties.

I strongly recommend caution when changing system only properties.

By adding a registry key to the PDC Emulator or FSMO DC the registry key will allow you to change system-only attributes.

Key: HKEY_LOCAL_MACHINE
Path: System\CurrentControlSet\Services\NTDS\Parameters
Value name: Allow System Only Change
Data type: REG_DWORD
Value data: 1

AD Group Scope Basics

2007-11-06T10:33:00.000-08:00

Security groups or a distribution groups, are characterized by a scope that identifies how they are applied in the domain tree or forest.

There are three group scopes: universal, global, and domain local.

Universal Groups (type - 2147483640)
Universal groups can include other groups and accounts from any domain in the domain tree or forest and can be assigned permissions in any domain in the domain tree or forest.

Global Groups (type - 2147483646)
Global groups can include other groups and accounts only from the domain in which the group is defined and can be assigned permissions in any domain in the forest.

Domain Local Groups (type - 2147483644)
Domain local groups can include other groups and can be assigned permissions only within a domain.

Functionality Scope
When the domain is set to Windows 2000 native or Windows Server 2003, members of universal groups can include accounts, global groups, and universal groups from any domain.
Global groups can include accounts and global groups from the same domain. Domain local scope can include accounts, global groups, and universal groups from any domain, as well as domain local groups from the same domain.

Groups can be added to other groups and assigned permissions in any domain. Groups can be added to other domain local groups and assigned permissions only in the same domain.

Groups can be converted to domain local scope, to global scope, as long as no other universal groups exist as members. Groups can be converted to universal scope, as long as the group is not a member of any other group with global scope. Groups can be converted to universal scope, as long as the group does not have as its member another group with domain local scope.

When the domain level is set to Windows mixed, security universal groups cannot be created. Global groups can include accounts from the same domain. Domain local groups can include accounts and global groups from any domain.

Domain Local Scope Use
Groups with domain local scope help you define and manage access to resources within a single domain.

Global Scope Use
Use groups with global scope to manage directory objects that require daily maintenance, such as user and computer accounts because groups with global scope are not replicated outside of their own domain.

Universal Scope Use
Use groups with universal scope to consolidate groups that span domains. Add the accounts to groups with global scope and nest these groups within groups having universal scope. Any membership changes in the groups having global scope do not affect the groups with universal scope.
Groups with universal scope should not be changed frequently, since any changes to these group memberships cause the entire membership of the group to be replicated to every global catalog in the forest.

Changing Group Scope
Global to universal. This is only allowed if the group you want to change is not a member of another global scope group.
Domain local to universal. This is only allowed if the group you want to change does not have another domain local group as a member.
Universal to global. This is only allowed if the group you want to change does not have another universal group as a member.
Universal to domain local. No restrictions for this operation.

Clean up Active Directory

2007-11-02T09:43:00.000-07:00

Over time, user and computer accounts become obsolete and need elimination. ADSearch helps identify all inactive or disabled users and computers in Active Directory. Based on your company policy you can delete, disable, enable or move these accounts.

Enhance Active Directory Safety and Performance.

You can run Adsearch to search logonCount for users and computers and report only accounts that never logged on to locate inactive user or computer accounts and then disable, delete or move these accounts.

For detailed reports using Active Directory lastLogon feature, download and use Winzero Computer2User to evaluate every DC in your domain for the true last logon time of any user.

A reliable Active Directory infrastructure should always ensure that the existing accounts are enabled and obsolete accounts are disabled or deleted, for optimum productivity and security.

Deleting Mailbox-Enabled Users

2007-10-25T20:56:00.000-07:00

If you choose to delete a mailbox-enabled user or group, the mailbox in the message store of the Exhange 200x server will not be disabled. To disable the mailbox, you should clear the following attributes in Active Directory before deleting the account:

Attributes to Clear

homeMDB,
mail,
mailNickname,
homeMTA,
legacyExchangeDN,
msExchHomeServerName,
msExchMailboxGuid,
msExchPoliciesIncluded,
proxyAddresses,
textEncodedORAddress

By clearing these 9 attributes from the user properties before deleting the user account, Active Directory will notify the Exchange 200x server that mailbox attached to this account should be disabled.

userPrincipalName (User-Principal-Name)

2007-10-17T23:28:00.000-07:00

The userPrincipalName is a single-valued and indexed property that specifies the user principal name (UPN). The UPN is an Internet-style login name for the user. The UPN is shorter than the distinguished name and easier to remember. The point of the UPN is to consolidate the e-mail and logon namespaces so that the user need only remember a single name.

The UPN as the Preferred Logon Name

Users should use their UPNs to log on to the domain. At logon time, a UPN is validated first by searching the local domain, then the global catalog.
By convention, the UPN should map to the user's e-mail name.

The UPN can be assigned, but is not required. Once assigned, the UPN is unaffected by changes to other properties of the user object. If a parent domain was renamed or a domain was moved the user can keep the same login name, even if the directory is radically restructured.

The UPN Name Structure

The UPN must be unique among all security principal objects within the directory forest.
The user principal name has two parts: the UPN prefix (the user account name) and the UPN suffix (a DNS domain name). The parts are joined together by the @ (at sign) to complete the UPN.

The UPN can consist of any name for the user (such as the sAMAccountName) and the domain tree name or an email domain name

Sample User Principal Name:

name@domain.com, Email.Name@emailAddress.com

Common Active Directory Attributes, Syntaxes, and Meanings

2007-10-17T10:43:00.000-07:00

The following contains a number of commonly used Active Directory attributes, their meanings, their syntax, and what objects contain them in the default Active Directory schema:

accountExpires (user)
The date which a user account will expire. This attribute takes the form of a long (64 bit) integer. To convert this value into a textual date use the ADSearch Convert function.

canonicalName (all objects)
A type of name for an object which takes the form of "domain.com/container/container/object". This style of name is very human readable. This attribute takes the form of a string.

cn (user, group, computer, contact)
The uplevel name of an object. It is the leaf part of a distinguishedName (for example, the "cn=joe" of "cn=joe,ou=someou,dc=domain,dc=com".)

dc (domainDNS)
The uplevel name of a domain. It is the leaf part of the distinguished name of the domain (for example, the "dc=domain" of "dc=domain,dc=com".)

distinguishedName (all objects)
This is the distinguished name of the object. It represents the full path to an object (without the server and provider) in the directory. This attribute takes the form of a single valued string. If you are searching the active directory, this attribute cannot be used as a key to search on. This is because it is a generated attribute (that is, it is generated everytime it is asked for).

isCriticalSystemObject (all objects)
This attribute specifies whether an object is critical for the operation of Active Directory. This attribute takes the form of a Boolean value. If its value is true, the object is critical to Active Directory and is not deletable.

logonHours (user)
The times which a user is allowed to log on. This attribute takes the form of an octet string (a sequence of hexadecimal characters with each set of two characters representing one byte.) To convert this binary data into a more meaningful set of data, use the ADSearch Convert function.

member (group)
The objects which are members of the group. This attribute takes the form of a multi-valued string, with each element being the distinguished name of a member. If the member is a Foreign Security Principal, the distinguished name will be in the form "CN=sid", where sid is the SID of the member.

objectCategory (all objects)
Represents the path to the schema class of which an object is an instance. This attribute takes the form of a single valued string. If searching for objects, it is recommended that this be used instead of the objectClass, as it is an indexed attribute and replicated to the Global Catalog. Note that the whole path need not be used to search on this attribute, rather only the cn of the class (for example, person for user and contact, and organizational-unit for OUs.)

objectClass (all objects)
Represents the inheritance hierarchy of an objects class. This attribute takes the form of a multi-valued string.

objectGUID (all objects)
A GUID which uniquely identifies an object within the directory. This attribute takes the form of a raw binary string, with each set of two characters representing one byte of binary data. To convert the raw binary data that is retrieved from this attribute to a more readable or useful form, use the ADSearch Convert function.

objectSid (all security principals)
Contains the security identifier of an object. This SID can be used to represent an object in various places on the network (Active Directory, File System ACLs, or anywhere else users are added to ACLs.) This attribute takes the form of a raw binary string, with each set of two characters representing one byte of binary data. To convert this binary value into a more useful textual value use the ADSearch Convert function.

ou (organizationalUnit)
The uplevel name of an organizational unit. It is the leaf part of the distinguished name of an organizational unit (for example, the "ou=someou" of "ou=someou,dc=domain,dc=com").

sAMAccountName (user, computer, group)
The downlevel name of the object. This is the name that will be seen by downlevel administrative tools and other pre-windows 200x tools. This attribute takes the form of a single valued string.

userAccountControl (user)
A set of bit flags defining certain properties of a user. This attribute takes the form of a 32-bit integer. This attribute is a combination of the following bit values:
Value Description
1 The logon script will be executed.
2 The user account is disabled.
8 A home directory is required.
16 The account is locked out.
32 The account does not require a password.
64 Account is not allowed to change password.
512 The account is a typical user account.
65536 The account password never expires.

Convert Raw AD Properties

2007-10-15T15:03:00.000-07:00

Adsearch v3.0x features a conversion tool to convert from raw unreadable active Directory properties to readable properties.

GUIDRaw
Convert the raw form of a GUID to The textual form of a GUID.

SIDRaw
Convert the raw form of a SID to The textual form of a SID.

LHRaw
Convert the raw form of hours representation such as the attribute logonHours to the textual form of hours representation such as logonHours. Example: "1-24<-><->8-17<->...."

IRawDate
Convert the raw form of a date in integer format such as accountExpires to the textual form of a date.

Quick How To

Adsearch 3.0x and up allows you to quickly copy and paste the raw information into the conversion tool and convert it to a readable form.

Example:
To get the last password reset date and time in a readable format.

From the menu select Search Active Directory; select the domain and the bindserver to logon to.
Select ObjectType: user
Select SearchBy: name
Select SearchResults: pwdLastSet
Enter ALL for Refine Search

Once the results for all users are returned and the last password set looks like: 128153342196114592, double click an account name. In the popup Copy to Clipboard Window, select 128153342196114592.

Once this is done, select ADSearch Tools from the menu and choose Convert Raw Active Directory Data.

Select the domain to convert the information and choose Convert Raw Date to Textual Date
In the Enter Raw Date popup, right click the textbox and paste the raw date from the clipboard.

The raw date will convert to: 02/07/07@11:03:39

With ADsearch, you can use this method to convert raw Dates, SIDs, GUIDs and compound Times

lastLogon

2007-07-09T15:24:00.000-07:00

Because the lastLogon attribute is not replicated in Active Directory, a different value can be stored in the copy of Active Directory on each Domain Controller. The largest value that is retrieved is the true last logon time for that user.

The lastLogon attribute is stored in Active Directory as Integer8 (8 bytes). This means it is a 64-bit number. This value represents the number of 100 nanosecond intervals since 12:00 AM January 1, 1601. The date represented by this number is in Coordinated Universal Time (UTC). It must be adjusted by the time zone bias in the local machine registry to convert to local time.

lastLogonTimestamp

Ok, here is how it works in Windows 2003 for the new last logon attribute.
One of the new attributes in Windows 2003 is lastLogonTimestamp which can be used to retrieve the last logon time for users, good so we have a new attribute to use! Sounds easy, right?

But the lastLogonTimestamp is not always showing the truth since it is only replicated every 14 days...

Simplifying Matters

So instead of writing VBScripts and performing calculation hurdles, why not download Winzero's Computer2User v3.00 or Winzero Domain Monitor solutions at:

http://www.winzero.ca/downloads.htm

and just use these solutions:

Computer2User version 3.0x will report the last domain logon for all users* from any selected DC, or the last local computer logon for all users by server or workstation.

DomainMonitor version 2.0x will report the last domain logon for all users* from all DCs by collection date.

*note "users" in Active Directory will return both users accounts and computer accounts because AD sees both as accounts.

User Properties and Return Values

2006-08-18T16:21:00.000-07:00

Adsearch User properties and return values that can be returned for a user. The first indicates the names that are indicated on the MMC GUI Users and Computers and the name associated to Active Directory attribute.

The value returned may be a string (textual), multistring (list of textual entries), boolean (True or false, 0 or 1) , binary, or a date.

First name - givenName Single value string
Initials - initials Single value string
Last name - sn Single value string
Display name - displayName Single value string
Description - description Single value string
Office - physicalDeliveryOfficeName Single value string
Telephone number - telephoneNumber Single value string
Other telephone number - otherTelephone Multi value string
Email - mail Single value string
Web page - wWWHomePage Single value string
Other web page url Multi value string

Address:
Street - streetAddress Single value string
P.O. Box - postOfficeBox Single value string
City - l (letter 'L') Single value string
State/province - st Single value string
Zip/Postal Code - postalCode Single value string
Country/region - co Single value string

Account:
User logon name - userPrincipalName Single value string
User logon name (pre W2K) - samAccountName Single value string
Logon Hours - logonHours (see Note 1 below this table) Single value string
Log On To - userWorkstations Multi value string
Account locked out ACT-LockedOut (see Note 2 below this table) "true" or "false"
User must change password at next logon ACT-PassMustChange (see Note 2 below this table) "true" or "false"
User cannot change password ACT-PassNoChange (see Note 2 below this table) "true" or "false"
Password never expires ACT-PassNoExpire (see Note 2 below this table) "true" or "false"
Store password using reversible encryption ACT-ReverseEncrypt (see Note 2 below this table) "true" or "false"
Account is Disabled ACT-AccountDisabled (see Note 2 below this table) "true" or "false"
Smart card is required for interactive logon ACT-SmartCardReq (see Note 2 below this table) "true" or "false"
Account is trusted for delegation ACT-AccountTrusted (see Note 2 below this table) "true" or "false"
Account is sensitive and cannot be delegated ACT-AccountSensitive (see Note 2 below this table) "true" or "false"
Use DES encryption types for this account ACT-UseDES (see Note 2 below this table) "true" or "false"
Do not require Kerberos pre-authentication ACT-KerberosNotReq (see Note 2 below this table) "true" or "false"

Account expires accountExpires date string

1. Output for logonHours is in the textual form of hours representing a 7-day period. The string is divided into 7 slots, each slot representing a day and indicating a mix of hour ranges and/or single hours. Example of allowing logon 9am to 6pm, Monday through Friday, and between 1pm and 2pm Saturday: "<->10-18<->10-18<->10-18<->10-18<->10-18<->14", where "<->" is the delimiter.

2. Most of the 'ACT' attribute names are stored as bit flags in the Active Directory integer attribute userAccountControl. They are uniquely identified here with artificial names to make it easier to get their values.

Profile:
Profile path - profilePath Single value string
Logon script - scriptPath Single value string
Local path - homeDirectory Single value string
Connect - homeDrive Single value string home
Directory (The Connect and To fields created the remote path when applied in MMC Users and Computers) Single value string

Telephones:
Home - homePhone Single value string
Other Home - otherhomePhone Multi value string
Pager - pager Single value string
Other Pager - otherPager Multi value string
Mobile - mobile Single value string
Other Mobile - otherMobile Multi value string
Fax - facsimileTelephoneNumber Single value string
Other Fax - otherfacsimileTelephoneNumber Multi value string
IP Phone - ipPhone Single value string
Other IP Phone - otheripPhone Multi value string Notes info Single value string

Organizations:
Title - title Single value string
Company - company Single value string
Department - department Single value string
Manager - manager Single value string
Direct Reports - directReports Multi value string

Member Of:
Member Of - memberOf Multi value string

Dial-in:
Remote Access Permission msNPAllowDialin "true" or "false"
Callback Options:No Callback/ Set by caller/Always callback to ACT-Callback (see note below this table) "false" means callback is disabled."true" means callback is enabled and the callback number is set by the user."true555-1234" means callback is enabled and the callback number is pre-set.

The 'ACT-Callback' attribute name above is uniquely identified here with an artificial name to make it easier to retrieve the value.

Object:
Fully qualified domain name of object - canonicalName Single value string
Created - whenCreated date string Modified whenChanged date string
Original USN - uSNCreated Single value string
Current USN - uSNChanged Single value string

Other:
SID - objectSID binary (Requies conversion from raw format)
GUID - objectGUID- binary (Requires conversion from raw format)

Object: user ~ MS Exchange Attributes

2006-04-07T13:05:00.000-07:00

Once the Active Directory schema is extended by Microsoft Exchange 2000 or 2003, the user attribute will contain the following additional properties:

homeMDB
Here is where you set the MailStore

legacyExchangeDN
Legacy distinguished name for creating Contacts. In the following example, Guy Thomas is a Contact in the first administrative group of GUYDOMAIN: /o=GUYDOMAIN/ou=first administrative group/cn=Recipients/cn=Guy Thomas

mail
An easy, but important attribute. A simple SMTP address is all that is required billyn@ourdom.com

mAPIRecipient
- FALSE Indicates that a contact is not a domain user.

mailNickname
Normally this is the same value as the sAMAccountName, but could be different if you wished. Needed for mail enabled contacts.

mDBUseDefaults
Another straightforward field, just the value to:True

msExchHomeServer
NameExchange needs to know which server to deliver the mail. Example: /o=YourOrg/ou=First Administrative Group/cn=Configuration/cn=Servers/cn=MailSrv

proxyAddresses
As the name 'proxy' suggests, it is possible for one recipient to have more than one email address. Note the plural spelling of proxyAddresses.

targetAddress
SMTP:@ e-mail address. Note that SMTP is case sensitive. All capitals means the default address.

showInAddressBook
Displays the contact in the Global Address List.

Object: group ~ Attribute: groupType

2006-04-03T21:21:00.000-07:00

The groupType attribute returns the type of group. However the returned value is in RAW format. AdSearch conversion tool will convert the groupType result or for further refernence see the possible return values below:

-2147483646 ~ Global Security Group
-2147483644 ~ Local Security Group
-2147483643 ~ BuiltIn Group
-2147483640 ~ Universal Security Group

2 ~ Global Distribution Group
4 ~ Local Distribution Group
8 ~ Universal Distribution Group

ADSearch Objects

2006-04-03T20:04:00.000-07:00

Winzero ADSearch for Active Dirctory enables IT Professionals using Microsoft Windows 200 and Wndows 2003 to search object property attributes in the Schema for the following objects:

- Users (user)
- Groups (group)
- Domains (domain)
- Organizational Units, OUs (organizationalUnit)
- Computers (computer)
- Published Printers (printQueue)
- Published Shares (volume)

Search queries and search results are based on ADSI LDAP property names