global catalog and searching for AD objects

Post by Dun Kar » Tue, 05 Nov 2002 22:59:02



Hello,

I am doing a search for users on the GC.

From what I understood, the GC contains a copy of all the directory objects
in all forests connected to the GC, however, it only contains a subset of
the attributes for each object.

My question is, how could I get a list of this subset of attributes so that
I could know what to search on? Is this subset configurable by the admin?
Could it be set programmatically?

Thanks,
Jeremy.


global catalog and searching for AD objects

Post by Jeff Jones [MS] » Wed, 06 Nov 2002 01:51:24


The attributes that are copied to the GC have the
isMemberOfPartialAttributeSet attribute set to TRUE in the schema definition
for that attribute. You can search for all these attributes using a search
filter similar to
(&(objectClass=attributeSchema)(isMemberOfPartialAttributeSet=TRUE))
You can also change which attributes are replicated by changing the value of
this attribute.

One small correction to your statement below. The GC contains a copy of all
objects in a particular forest, but not objects of trusted/trusting forests.

--
Jeff Jones [MS]
Active Directory Administration Tools Development
Microsoft Corporation
This posting is provided "AS IS" with no warranties, and confers no rights.


> Hello,
>
> I am doing a search for users on the GC.
>
> From what I understood, the GC contains a copy of all the directory objects
> in all forests connected to the GC, however, it only contains a subset of
> the attributes for each object.
>
> My question is, how could I get a list of this subset of attributes so that
> I could know what to search on? Is this subset configurable by the admin?
> Could it be set programmatically?
>
> Thanks,
> Jeremy.



global catalog and searching for AD objects

Post by Richard Mueller » Wed, 06 Nov 2002 02:02:57



> Hello,
>
> I am doing a search for users on the GC.
>
> From what I understood, the GC contains a copy of all the directory objects
> in all forests connected to the GC, however, it only contains a subset of
> the attributes for each object.
>
> My question is, how could I get a list of this subset of attributes so that
> I could know what to search on? Is this subset configurable by the admin?
> Could it be set programmatically?
>
> Thanks,
> Jeremy.

Hi,

To list the attributes that are replicated to the GC, use
ADO to search the schema container for objects with the
attribute "isMemberOfPartialAttributeSet" equal to True.
The code below is designed to be run at a command prompt
with cscript. The output can be redirected to a text file.
It lists the "cn" of all replicated attributes.

' Bind to the schema naming context of the forest via RootDSE
Set oRoot = GetObject("LDAP://RootDSE")
sSchema = oRoot.Get("SchemaNamingContext")
Set oSchema = GetObject("LDAP://" & sSchema)

' ADO connection through the ADSI OLE DB provider
Set oCommand = CreateObject("ADODB.Command")
Set oConnection = CreateObject("ADODB.Connection")
oConnection.Provider = "ADsDSOObject"
oConnection.Open "Active Directory Provider"
oCommand.ActiveConnection = oConnection

' SQL-dialect query: attributeSchema objects flagged for GC replication
sQuery = "SELECT cn FROM '" & oSchema.AdsPath _
  & "' WHERE isMemberOfPartialAttributeSet = TRUE " _
  & "AND objectCategory = 'attributeSchema'"
oCommand.CommandText = sQuery
oCommand.Properties("Page Size") = 100       ' paged, so the server's result limit does not truncate
oCommand.Properties("Timeout") = 30
oCommand.Properties("Searchscope") = 2       ' ADS_SCOPE_SUBTREE
oCommand.Properties("Cache Results") = False
Set oResults = oCommand.Execute
If oResults.EOF Then
  Wscript.Echo "No attributes found"
  Wscript.Quit
End If

' One line per attribute replicated to the GC
Do Until oResults.EOF
  Wscript.Echo oResults.Fields("cn").Value
  oResults.MoveNext
Loop

oResults.Close
oConnection.Close

Richard

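Both the filter Jeff Jones gives and Richard Mueller's ADO script above enumerate the partial attribute set by reading the schema. The check a practitioner usually wants next is whether the attributes they plan to filter on or read through the GC are actually in that set, because a search on port 3268 silently returns no match for an attribute the GC does not hold. The PowerShell below is an added example for this thread, not code from any of the posters: it builds the set with the same filter, flags the attributes in a candidate list that are missing from it, and runs the forest-wide GC search with only the usable ones. It assumes the RSAT ActiveDirectory module on a domain-joined host; the server name dc01.corp.example and the candidate attribute list are placeholders.

```powershell
# Added example for this thread, not code from any of the posters.
# Assumes the RSAT ActiveDirectory module on a domain-joined Windows host.
# $GcServer and $WantedAttributes are placeholders: substitute your own.
param(
    [string]   $GcServer         = "dc01.corp.example",
    [string[]] $WantedAttributes = @("sAMAccountName", "userPrincipalName", "mail",
                                     "sIDHistory", "employeeID", "unixHomeDirectory")
)
Import-Module ActiveDirectory -ErrorAction Stop

$rootDse  = Get-ADRootDSE -Server $GcServer
$schemaNc = $rootDse.schemaNamingContext

# Step 1: the partial attribute set is every attributeSchema object in the
# schema NC whose isMemberOfPartialAttributeSet is TRUE (the filter from the thread).
$pasFilter = "(&(objectCategory=attributeSchema)(isMemberOfPartialAttributeSet=TRUE))"
$pasSet = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
Get-ADObject -Server $GcServer -SearchBase $schemaNc -SearchScope OneLevel `
             -LDAPFilter $pasFilter -Properties lDAPDisplayName |
    ForEach-Object { [void]$pasSet.Add($_.lDAPDisplayName) }
"{0} attributes are replicated to every GC in this forest" -f $pasSet.Count

# Step 2: split the attributes you intend to filter on or read through
# port 3268 into those the GC holds and those it does not.
$usable  = @($WantedAttributes | Where-Object {      $pasSet.Contains($_) })
$missing = @($WantedAttributes | Where-Object { -not $pasSet.Contains($_) })
foreach ($a in $missing) {
    Write-Warning "$a is not in the partial attribute set: a GC search will neither match on it nor return it"
}

# Step 3: the forest-wide search itself. -Server host:3268 plus an empty
# SearchBase makes the module search all partitions the GC carries.
if ($usable.Count -gt 0) {
    Get-ADObject -Server "$($GcServer):3268" -SearchBase "" -SearchScope Subtree `
                 -LDAPFilter "(&(objectCategory=person)(objectClass=user))" `
                 -ResultSetSize 5 -Properties $usable |
        Select-Object -Property (@("DistinguishedName") + $usable)
}
```

Moving an attribute into the set is a write to its attributeSchema object, for example `Set-ADObject "CN=Employee-ID,$schemaNc" -Replace @{isMemberOfPartialAttributeSet=$true} -Server (Get-ADForest).SchemaMaster` (the same thing the Schema snap-in's "Replicate this attribute to the Global Catalog" checkbox does). Treat it as the schema change it is: it needs Schema Admins, must be made on the schema master, and every GC in the forest then replicates that attribute for every object carrying it, so anything sensitive you add becomes readable through any GC wherever the attribute's own ACL allows (an attribute marked confidential, searchFlags bit 0x80, keeps that protection). On Windows 2000 GCs, adding an attribute to the set also triggers a full resynchronization of the global catalog.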

global catalog and searching for AD objects

Post by Joe Richards [MVP] » Wed, 06 Nov 2002 08:42:11


Get adfind from www.joeware.net free win32 tools...

then run the following:

adfind -b "cn=schema,cn=configuration,dc=domain,dc=com" -f "&(objectCategory=attributeSchema)(isMemberOfPartialAttributeSet=TRUE)" lDAPDisplayName

and if you just want to see the lDAPDisplayNames you can do a

adfind -b "cn=schema,cn=configuration,dc=domain,dc=com" -f "&(objectCategory=attributeSchema)(isMemberOfPartialAttributeSet=TRUE)" lDAPDisplayName |grep -i ldapdisplayname:

Ex:

[Mon 11/04/2002 18:40:45.16]
G:\Dev\cpp\SecData>adfind -b "cn=schema,cn=configuration,dc=joehome,dc=com" -f "&(objectCategory=attributeSchema)(isMemberOfPartialAttributeSet=TRUE)" lDAPDisplayName |grep -i ldapdisplayname:


File STDIN:

lDAPDisplayName: altSecurityIdentities
lDAPDisplayName: cACertificate
lDAPDisplayName: cACertificateDN
lDAPDisplayName: certificateTemplates
lDAPDisplayName: cn
lDAPDisplayName: c
lDAPDisplayName: description
lDAPDisplayName: displayName
lDAPDisplayName: dNSHostName
lDAPDisplayName: dc
lDAPDisplayName: driverName
lDAPDisplayName: dSCorePropagationData
lDAPDisplayName: mail
lDAPDisplayName: flags
lDAPDisplayName: frsComputerReference
lDAPDisplayName: fRSMemberReference
lDAPDisplayName: givenName
lDAPDisplayName: gPLink
lDAPDisplayName: groupType
lDAPDisplayName: instanceType
lDAPDisplayName: isDeleted
lDAPDisplayName: keywords
lDAPDisplayName: lDAPDisplayName
lDAPDisplayName: legacyExchangeDN
lDAPDisplayName: l
lDAPDisplayName: location
lDAPDisplayName: manager
lDAPDisplayName: meetingBlob
lDAPDisplayName: meetingDescription
lDAPDisplayName: meetingName
lDAPDisplayName: meetingProtocol
lDAPDisplayName: member
lDAPDisplayName: msRRASAttribute
lDAPDisplayName: mS-SQL-Name
lDAPDisplayName: mS-SQL-Version
lDAPDisplayName: mS-SQL-Database
lDAPDisplayName: mS-SQL-Alias
lDAPDisplayName: mSMQAuthenticate
lDAPDisplayName: mSMQBasePriority
lDAPDisplayName: mSMQDependentClientServices
lDAPDisplayName: mSMQDigests
lDAPDisplayName: mSMQDigestsMig
lDAPDisplayName: mSMQDsServices
lDAPDisplayName: mSMQEncryptKey
lDAPDisplayName: mSMQForeign
lDAPDisplayName: mSMQInRoutingServers
lDAPDisplayName: mSMQJournal
lDAPDisplayName: mSMQLabel
lDAPDisplayName: mSMQLabelEx
lDAPDisplayName: mSMQOSType
lDAPDisplayName: mSMQOutRoutingServers
lDAPDisplayName: mSMQOwnerID
lDAPDisplayName: mSMQPrivacyLevel
lDAPDisplayName: mSMQQueueJournalQuota
lDAPDisplayName: mSMQQueueNameExt
lDAPDisplayName: mSMQQueueQuota
lDAPDisplayName: mSMQQueueType
lDAPDisplayName: mSMQRoutingServices
lDAPDisplayName: mSMQServiceType
lDAPDisplayName: mSMQSignCertificates
lDAPDisplayName: mSMQSignCertificatesMig
lDAPDisplayName: mSMQSignKey
lDAPDisplayName: mSMQSites
lDAPDisplayName: mSMQTransactional
lDAPDisplayName: mSMQUserSid
lDAPDisplayName: netbootGUID
lDAPDisplayName: netbootMachineFilePath
lDAPDisplayName: nTSecurityDescriptor
lDAPDisplayName: distinguishedName
lDAPDisplayName: objectCategory
lDAPDisplayName: objectClass
lDAPDisplayName: objectGUID
lDAPDisplayName: objectSid
lDAPDisplayName: o
lDAPDisplayName: ou
lDAPDisplayName: partialAttributeDeletionList
lDAPDisplayName: partialAttributeSet
lDAPDisplayName: homePhone
lDAPDisplayName: otherIpPhone
lDAPDisplayName: ipPhone
lDAPDisplayName: pKICriticalExtensions
lDAPDisplayName: pKIDefaultCSPs
lDAPDisplayName: pKIDefaultKeySpec
lDAPDisplayName: pKIEnrollmentAccess
lDAPDisplayName: pKIExpirationPeriod
lDAPDisplayName: pKIExtendedKeyUsage
lDAPDisplayName: pKIKeyUsage
lDAPDisplayName: pKIMaxIssuingDepth
lDAPDisplayName: pKIOverlapPeriod
lDAPDisplayName: possSuperiors
lDAPDisplayName: primaryGroupID
lDAPDisplayName: printColor
lDAPDisplayName: printDuplexSupported
lDAPDisplayName: printMaxResolutionSupported
lDAPDisplayName: printMediaReady
lDAPDisplayName: printPagesPerMinute
lDAPDisplayName: printShareName
lDAPDisplayName: printStaplingSupported
lDAPDisplayName: printerName
lDAPDisplayName: proxiedObjectName
lDAPDisplayName: rangeLower
lDAPDisplayName: rangeUpper
lDAPDisplayName: name
lDAPDisplayName: replPropertyMetaData
lDAPDisplayName: replUpToDateVector
lDAPDisplayName: repsFrom
lDAPDisplayName: repsTo
lDAPDisplayName: sAMAccountName
lDAPDisplayName: sAMAccountType
lDAPDisplayName: serverName
lDAPDisplayName: serviceBindingInformation
lDAPDisplayName: serviceClassID
lDAPDisplayName: serviceClassInfo
lDAPDisplayName: serviceInstanceVersion
lDAPDisplayName: servicePrincipalName
lDAPDisplayName: shortServerName
lDAPDisplayName: sIDHistory
lDAPDisplayName: signatureAlgorithms
lDAPDisplayName: st
lDAPDisplayName: street
lDAPDisplayName: subRefs
lDAPDisplayName: sn
lDAPDisplayName: systemPossSuperiors
lDAPDisplayName: telephoneNumber
lDAPDisplayName: uNCName
lDAPDisplayName: userAccountControl
lDAPDisplayName: userCert
lDAPDisplayName: userPrincipalName
lDAPDisplayName: userSMIMECertificate
lDAPDisplayName: uSNChanged
lDAPDisplayName: uSNCreated
lDAPDisplayName: uSNLastObjRem
lDAPDisplayName: versionNumber
lDAPDisplayName: wellKnownObjects
lDAPDisplayName: whenChanged
lDAPDisplayName: whenCreated
lDAPDisplayName: winsockAddresses
lDAPDisplayName: userCertificate

[Mon 11/04/2002 18:41:38.36]
G:\Dev\cpp\SecData>

--
Joe Richards
www.joeware.net
---



> Hello,
>
> I am doing a search for users on the GC.
>
> From what I understood, the GC contains a copy of all the directory objects
> in all forests connected to the GC, however, it only contains a subset of
> the attributes for each object.
>
> My question is, how could I get a list of this subset of attributes so that
> I could know what to search on? Is this subset configurable by the admin?
> Could it be set programmatically?
>
> Thanks,
> Jeremy.
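Jeremy's underlying question is what a GC search will and will not give him for a user, and all three answers say the same thing: every object in the forest, but only the attributes flagged in the schema. The PowerShell below is an added example, not code from the thread, that makes this visible for one object by reading it twice from the same server, once through LDAP:// (port 389, the full replica) and once through GC:// (port 3268), and listing the populated attributes the GC does not return. It uses System.DirectoryServices only, so it needs no RSAT; the server name and the DN are placeholders. An attribute that is in the partial attribute set but empty on the object appears on neither side, and in a multi-domain forest an object from a domain the chosen GC does not also hold as a full replica gives the clearest picture.

```powershell
# Added example for this thread, not code from any of the posters.
# Uses System.DirectoryServices only. $Server is any GC in the forest and
# $ObjectDn the DN of an object you can read; both are placeholders.
param(
    [string] $Server   = "dc01.corp.example",
    [string] $ObjectDn = "CN=Jane Doe,OU=Staff,DC=corp,DC=example"
)

function Get-AttributeNames {
    # Base-scope search for one object. With PropertiesToLoad left empty the
    # server returns every populated attribute the caller has read access to.
    param([string] $AdsPath)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI] $AdsPath
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Base
    $searcher.Filter      = "(objectClass=*)"
    $hit = $searcher.FindOne()
    if ($null -eq $hit) { throw "No readable object at $AdsPath" }
    @($hit.Properties.PropertyNames) | Sort-Object
}

# Same object, two providers: LDAP:// talks to port 389 and sees the full
# replica; GC:// talks to port 3268 and sees only what the GC carries.
$viaLdap = Get-AttributeNames "LDAP://$Server/$ObjectDn"
$viaGc   = Get-AttributeNames "GC://$Server/$ObjectDn"

"{0} attributes returned on 389, {1} on 3268" -f $viaLdap.Count, $viaGc.Count
"Populated on this object but not returned through the GC:"
$viaLdap | Where-Object { $viaGc -notcontains $_ }
"Returned through the GC but not on 389 (expected to be empty; anything here is worth a look):"
$viaGc   | Where-Object { $viaLdap -notcontains $_ }
```

Run it as the account that will actually perform the GC searches: the second list is driven by the partial attribute set, but both lists are also trimmed by the ACLs on the object, so a lower-privileged caller sees fewer attributes on both ports and should not read that as a GC limitation.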