Sun Identity Manager 8.1 Resources Reference

Chapter 6 Active Directory

The Windows 2000/Active Directory resource adapter is defined in the com.waveset.adapter.ADSIResourceAdapter class.

Adapter Details

Resource Configuration Notes

This section provides instructions for configuring Active Directory resources for use with Identity Manager, including the following:

Sun Identity Manager Gateway Location

Unless the LDAP Hostname resource attribute is set, the Gateway will perform a serverless bind to the directory. In order for the serverless bind to work, the Gateway needs to be installed on a system that is in a domain and that “knows” about the domain/directory to be managed. All Windows domains managed by a gateway must be part of the same forest. Managing domains across forest boundaries is unsupported. If you have multiple forests, install at least one gateway in each forest.

The LDAP Hostname resource attribute tells the Gateway to bind to a particular DNS hostname or IP address. This is the opposite of a serverless bind. However, the LDAP Hostname does not necessarily have to specify a specific domain controller. The DNS name of an AD domain can be used. If the Gateway system’s DNS server is configured to return multiple IP addresses for that DNS name, then one of them will be used for the directory bind. This avoids having to rely on a single domain controller.

Some operations, including pass-through authentication and before and after actions, require that the Gateway system be a member of a domain.

Sun Identity Manager Gateway Service Account

By default, the Gateway service runs as the local System account. This is configurable through the Services MMC Snap-in.

If the gateway is used by an Active Directory adapter that has Exchange Server 2007 support turned on, the account used to run the gateway must have special privileges.

The account must be a domain account from the domain in which Exchange Server 2007 is installed, and it must be a member of the standard Exchange Server 2007 group Exchange Recipient Administrators. The gateway performs all Exchange Server 2007-specific actions as this account; it does not use the administrative account specified in the resource.

This limitation in the allowed gateway account is caused by limitations in the Exchange Server 2007 API.

When this is not configured correctly, a PowerShell error message similar to "PowerShell exception: Access to the address list service on all Exchange 2007 servers has been denied." will be displayed, followed by a stack trace.

If you run the Gateway as an account other than Local System, the Gateway service account requires the “Act As Operating System” and “Bypass Traverse Checking” user rights. It uses these rights for pass-through authentication and for changing and resetting passwords in certain situations.

Most of the management of AD is done using the administrative account specified in the resource. However, some operations are done as the Gateway service account. This means that the Gateway service account must have the appropriate permissions to perform these operations. Currently, these operations are:

The Authentication Timeout resource attribute (provided for pass-through authentication only) prevents the adapter from hanging if a problem occurs on the Gateway side.

When performing before and after action scripts, the gateway may need the Replace a process level token right. This right is required if the gateway attempts to run the script subprocess as another user, such as the resource administrative user. In this case, the gateway process needs the right to replace the default token associated with that subprocess.

If this right is missing, the following error may be returned during subprocess creation:

"Error creating process: A required privilege is not held by the client"

The Replace a process level token right is defined in the Default Domain Controller Group Policy object and in the local security policy of workstations and servers. To set this right on a system, open the Local Security Policies application within the Administrative Tools folder, then navigate to Local Policies > User Rights Assignment > Replace a process level token.
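As an added example that is not part of the Sun documentation, the following PowerShell script reads the effective user rights on the gateway host with secedit and reports whether the Gateway service account holds the three rights named above (Act As Operating System, Bypass Traverse Checking, Replace a process level token). The Windows service name is an assumption; check the Services snap-in for the real one.

```powershell
# Added example, not part of the Sun Identity Manager documentation.
# Reports whether the account the Gateway service runs as holds the user
# rights described above. Run in an elevated PowerShell on the gateway host.
# ASSUMPTION: the Windows service name; check the Services snap-in for yours.
$ServiceName = "SunIdentityManagerGateway"   # placeholder service name

# Local Security Policy display names -> privilege constants as written by
# secedit under [Privilege Rights].
$RequiredRights = @{
    "Act as part of the operating system" = "SeTcbPrivilege"
    "Bypass traverse checking"            = "SeChangeNotifyPrivilege"
    "Replace a process level token"       = "SeAssignPrimaryTokenPrivilege"
}

function Get-ServiceAccount([string]$Name) {
    $svc = Get-WmiObject Win32_Service -Filter "Name='$Name'"
    if (-not $svc) { throw "Service '$Name' not found" }
    return $svc.StartName       # e.g. LocalSystem or CONTOSO\gateway-svc
}

function Get-AccountSid([string]$Account) {
    $nt = New-Object System.Security.Principal.NTAccount($Account)
    return $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

# secedit exports the local security database, which already reflects user
# rights applied through Group Policy (for example the Default Domain
# Controllers policy on a DC), so this is what the host actually enforces.
function Get-PrivilegeHolders {
    $cfg = Join-Path $env:TEMP "gateway-user-rights.inf"
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $holders = @{}
    foreach ($line in (Get-Content $cfg)) {
        # Lines look like: SeTcbPrivilege = *S-1-5-21-...-1105,*S-1-5-32-544
        if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
            $holders[$Matches[1]] = @($Matches[2].Split(',') |
                ForEach-Object { $_.Trim().TrimStart('*') })
        }
    }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    return $holders
}

$account = Get-ServiceAccount $ServiceName
if ($account -eq "LocalSystem") {
    "Gateway runs as Local System; the extra user rights are not required."
    return
}
$sid     = Get-AccountSid $account
$granted = Get-PrivilegeHolders
foreach ($entry in $RequiredRights.GetEnumerator()) {
    $who = $granted[$entry.Value]
    # Direct grants only: a right held through a group (SeChangeNotifyPrivilege
    # is granted to Everyone by default) will show as MISSING here.
    $ok = ($who -contains $sid) -or ($who -contains $account)
    $status = if ($ok) { "OK" } else { "MISSING" }
    "{0,-8} {1} ({2})" -f $status, $entry.Key, $entry.Value
}
```

A right reported MISSING that is actually held through a group is a false positive of this direct-grant check; after any change to user rights, remember the propagation delay and the Gateway restart described under Pass-Through Authentication.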

Out of Office Messages

The outOfOfficeEnabled and outofOfficeMessage account attributes can be used to enable the out-of-office autoreply function and set the out-of-office message, respectively. These can be used for Exchange 2000 or 2003 accounts. These attributes are only set on account updates and not on account creates.

The adapter requires that the Messaging Application Programming Interface (MAPI) be installed on the gateway machine. There are at least two ways to install the MAPI subsystem. The simplest way is to install the Microsoft Outlook client on the gateway machine. No other configuration is necessary.

Another way is to install the Exchange System Management Tools, which are located on the Exchange Server CD. The management tools are installed as a component of the normal Exchange Server install. This installs the MAPI subsystem files but does not complete the configuration.

The mapisvc.inf file (typically located in c:\winnt\system32) contains the available MAPI services, and it must be updated to include the Exchange message service entries. The msems.inf file, which is contained in the gateway zip file, contains the entries that need to be merged into the mapisvc.inf file to configure the Exchange message server. The msems.inf file can be merged into the mapisvc.inf file manually using a text file editor such as notepad. Alternatively, a tool named MergeIni.exe is available on the Microsoft Platform SDK and can be found in the Windows Core SDK in the Microsoft SDK\Bin directory.

Use the following command to run MergeIni:

MergeIni msems.inf -m

Out of Office attributes cannot be retrieved when the msExchHideFromAddressLists attribute is enabled. If a user form attempts to display the Out of Office attributes when msExchHideFromAddressLists is true, the values will be undefined. The sample Active Directory user form contains logic that prevents Identity Manager from displaying Out of Office attributes when msExchHideFromAddressLists is enabled.

Exchange Server 2007 does not support setting the Out Of Office message for a user. The messages are no longer stored as part of the user entry and form a part of the user’s mailbox. Outlook or Outlook Web Access should be used by the end user to manage the Out of Office replies.

Requirements for Exchange Server 2007

Exchange Server 2007 provides a supported provisioning API using the Exchange Management Shell only. The shell provides a command line interface to manage and provision users and servers. It is built on top of Microsoft Windows PowerShell.

The gateway must be run on a Microsoft Windows 32-bit operating system. In addition, the following items must be installed on the gateway machine:

These requirements are discussed in more detail in the following sections.

Microsoft Exchange Server 2007 "Management Tools", 32-Bit

The Exchange management shell is a part of the management tools for Exchange. Microsoft does not support running Exchange Server 2007 on a 32-bit version of Windows in a production environment. An exception is made for the Management Tools, as documented in the "Exchange Server 2007 System Requirements".

Install only the 32-bit version of the Management Tools on the gateway machine. Installing the 32-bit version of the tools on a 64-bit version of the operating system, or installing both versions of the tools can lead to unpredictable behavior.

The 32-bit version of the management tools can be downloaded from the Microsoft website:

http://go.microsoft.com/fwlink/?LinkID=82335

The version of the tools you download and install should correspond to the Exchange Server 2007 version installed in the rest of the Exchange environment.

Before starting the installation of the management tools, make sure that the two required packages, Microsoft Windows PowerShell 1.0 and the Microsoft .NET 2.0 Framework, have been installed:

Microsoft Windows PowerShell 1.0

The Exchange management tools are implemented as an extension, or snap-in, of Microsoft PowerShell. Currently only PowerShell version 1.0 is supported, and it needs to be installed on the server:

http://go.microsoft.com/fwlink/?LinkID=75790&clcid=0x09

The PowerShell environment logs messages to the event viewer. A standard installation creates two event logs for PowerShell: the “PowerShell” and “Windows PowerShell” event logs. The “PowerShell” event log is used when the gateway creates a PowerShell runtime environment. If a write to this event log fails, the PowerShell environment will not start up, and all PowerShell-related actions of the gateway will fail. To prevent this failure, monitor and clean up the event log regularly or configure it to overwrite messages.

Microsoft .NET 2.0

To use PowerShell, you must install the Microsoft .NET 2.0 Framework. This Framework is not installed by default and can be downloaded from the Microsoft Download Center at:

http://www.microsoft.com/downloads/details.aspx?familyid=0856EACB-4362-4B0D-8EDD-AAB15C5E04F5

Identity Manager Installation Notes

No additional installation procedures are required on this resource.

Usage Notes

This section lists dependencies and limitations related to using the Active Directory resource adapter, including:

Checking Password History

To check the password history for an Active Directory account when an end user changes his or her password, the user must provide an AD password. This functionality is enabled on an AD resource by setting the User Provides Password On Change resource attribute to 1 and adding the WS_USER_PASSWORD attribute to the account attributes with type encrypted. WS_USER_PASSWORD must be added as an Identity Manager User Attribute and as a Resource User Attribute.

The sources.ResourceName.hosts property in the waveset.properties file can be used to control which host or hosts in a cluster will be used to execute the synchronization portion of a resource adapter using Active Sync. ResourceName must be replaced with the name of the Resource object.

Supporting Microsoft Exchange Server 2000 and 2003

To support Microsoft Exchange Server 2000 and 2003, the following account attributes must be enabled:

The following account attributes are displayed in the schema map by default and are also used for managing Exchange accounts:

If your Active Directory resource is not being used to manage Exchange Server attributes, then you must remove these attributes from the schema map for these adapters to successfully provision Active Directory accounts with Identity Manager.

Managing a mixed Microsoft Exchange environment with Exchange Server 2000/2003 and 2007 installed is possible. If this Active Directory resource is not used to manage a mixed environment and only Exchange Server 2007 is present, then follow the directions above and remove the Exchange attributes from the schema.

The Active Directory adapter can be modified to support printer, computer, or other Active Directory objects. The following example illustrates how to modify the XML code in the appropriate Java class to support printer objects.

<ObjectType name='Printer' icon='group'>
    <ObjectClasses operator='AND'>
       <ObjectClass name='printQueue'/>
    </ObjectClasses>
    <ObjectFeatures>
       <ObjectFeature name='create'/>
       <ObjectFeature name='update'/>
       <ObjectFeature name='delete'/>
    </ObjectFeatures>
    <ObjectAttributes idAttr='distinguishedName' displayNameAttr='cn'
        descriptionAttr='description'>
       <ObjectAttribute name='cn' type='string'/>
       <ObjectAttribute name='description' type='string'/>
       <ObjectAttribute name='managedby' type='string'/>
       <ObjectAttribute name='distinguishedName' type='string'/>
    </ObjectAttributes>
</ObjectType>

In addition, you must create at least one new form to support printer objects.

The Windows Active Directory resource can manage Exchange 2000 contacts by changing the object class to contact and removing the password, accountId, and expirePassword resource attributes.

Supporting Exchange 2007

Microsoft Exchange Server 2007 is only supported on Windows Server 2003 R2 or Windows Server 2003 Service Pack 1 or newer.

The Active Directory adapter does not manage Exchange 2007 email accounts by default. To enable support for these accounts:

Attribute Name | Description
RecipientType (String) | The user type on the resource. It is required during creation of the account on an Exchange 2007-enabled resource. Allowed values are User (Active Directory-only user), UserMailbox (Active Directory and Exchange user with local mail storage), and MailUser (Active Directory and Exchange user without local mail storage). This attribute is read-only during later actions, except when changing from an Active Directory-only user (RecipientType equals User) to an Exchange user type (RecipientType UserMailbox or MailUser). You cannot change the RecipientType back to User, or between MailUser and UserMailbox in either direction.
Database (String) | The database in which the user's mailbox is stored. This value must be of the form Server\StorageGroup\MailboxDatabase. This attribute must have a value when the RecipientType is set to UserMailbox. The attribute is ignored for other values of RecipientType.
ExternalEmailAddress (String) | An e-mail address outside of the Exchange organization. This attribute must be set to a unique value in the Exchange organization for the RecipientType MailUser. The attribute is ignored for other values of RecipientType.

Configuring Active Sync

If the Search Child Domains resource parameter is NOT selected, the LDAP Hostname must be configured to specify the hostname of a specific Domain Controller, because Active Sync must always connect to the same Domain Controller. If the Search Child Domains option is selected, then the Global Catalog Hostname must be set to a specific Global Catalog server.

See Chapter 52, Active Directory Synchronization Failover for information about limiting the number of repeated events that occur when you switch to a new domain controller.

Specifying a Domain for Pass-Through Authentication

In a default configuration, pass-through authentication is accomplished by sending the user ID and password only. These two attributes are configured in the AuthnProperties element in the resource object’s XML as w2k_user and w2k_password. Without a domain specification, the gateway searches all known domains and tries to authenticate the user in the domain that contains the user.

In a trusted multi-domain environment, there can be two possible situations:

When the user/password combination is synchronized, configure your Active Directory resources so that they are common resources. See Business Administrator's Guide for more information about setting up common resources.

If the user/password combination is domain-dependent, and if users can be expected to know the domain information, you can allow users to enter the domain information on the login screen. This option can be used in combination with common resources.

To allow the user to enter the domain on the login page, add the following property to the <AuthnProperties> element in the resource object’s XML:

<AuthnProperty name='w2k_domain' displayName='Domain:' formFieldType='text'
    dataSource='user' doNotMap='true'/>

In an environment with multiple trusted domains and Active Directory forests, the authentication can fail using any of these configurations because the Global Catalog does not contain cross-forest information. If a user supplies a wrong password, it could also lead to account lockout in the user’s domain if the number of domains is greater than the lockout threshold.

User management across forests is only possible when multiple gateways, one for each forest, are deployed. In this case, you can configure the adapters to use a predefined domain for authentication per adapter without requiring the user to specify a domain. To accomplish this, add the following authentication property to the <AuthnProperties> element in the resource object’s XML:

<AuthnProperty name='w2k_domain' dataSource='resource attribute'
    value='MyDomainName'/>

Replace MyDomainName with the domain that will authenticate users.

Login failures will occur in domains if the user exists in the domain and the password is not synchronized.

It is not possible to use multiple data sources for the domain information in one Login Module Group.

Gateway Timeouts

The Active Directory adapter allows you to use the RA_HANGTIMEOUT resource attribute to specify a timeout value, in seconds. This attribute controls how long before a request to the gateway times out and is considered hung.

You must manually add this attribute to the Resource object as follows:

<ResourceAttribute name='Hang Timeout'
    displayName='com.waveset.adapter.RAMessages:RESATTR_HANGTIMEOUT'
    type='int'
    description='com.waveset.adapter.RAMessages:RESATTR_HANGTIMEOUT_HELP'
    value='NewValue'>
</ResourceAttribute>

The default value for this attribute is 0, indicating that Identity Manager will not check for a hung connection.

Security Notes

This section provides information about supported connections and privilege requirements.

Supported Connections

The Encryption Type resource parameter allows you to enter the encryption type that the Identity Manager gateway will use to communicate with the Active Directory server. Valid values for this field are None (the default value), Kerberos, and SSL.

To use SSL, a certificate authority must be set up in the domain. In addition, the username used to access Active Directory must be in UPN format (for example, DomainName\UserName).

Required Administrative Privileges

This section describes Active Directory permission and reset password permission requirements.

Active Directory Permissions

The administrative account configured in the Active Directory resource must have the appropriate permissions in Active Directory.

Identity Manager Functionality | Active Directory Permissions

Create Active Directory User accounts
    Create User Objects. To create the account enabled, you must have the ability to Read/Write the userAccountControl property. To create with the password expired, you must be able to Read/Write the Account Restrictions property set (includes the userAccountControl property).

Delete Active Directory User accounts
    Delete User Objects.

Update Active Directory User accounts
      • Read All Properties
      • Write All Properties
    Note: If only a subset of the properties are to be managed from Identity Manager, then Read/Write access can be given to just those properties.

Change/Reset AD User account passwords; Unlock AD User accounts; Expire AD User accounts
    User Object permissions:
      • List Contents
      • Read All Properties
      • Read Permissions
      • Change Password
      • Reset Password
    User Property permissions:
      • Read/Write lockoutTime Property
      • Read/Write Account Restrictions Property set
      • Read accountExpires Property
    To set permissions for the lockoutTime property, you should use the cacls.exe program available in the Windows 2000 Server resource kit.
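As an added example that is not part of the Sun documentation, the following PowerShell script audits the Allow ACEs held by the resource's administrative account on one user object against the password change/reset, unlock and expire permissions listed above, resolving the attribute and extended-right GUIDs from the forest schema and the Extended-Rights container rather than hard-coding them. The administrative account name and the sample user DN are placeholders to replace.

```powershell
# Added example, not part of the Sun Identity Manager documentation.
# Audits the Allow ACEs held by the resource's administrative account on one
# user object against the permissions listed above for password change/reset,
# unlock and expire. Attribute and extended-right GUIDs are resolved from the
# forest schema and the Extended-Rights container instead of being hard-coded.
# ASSUMPTIONS: the account name and the sample user DN below are placeholders.
$AdminAccount = "CONTOSO\idm-admin"
$TargetUserDN = "CN=Sample User,OU=Staff,DC=contoso,DC=com"

$rootDse  = [ADSI]"LDAP://RootDSE"
$schemaNC = [string]$rootDse.schemaNamingContext
$configNC = [string]$rootDse.configurationNamingContext

# Return one property of the first object matching an LDAP filter under BaseDN
function Find-One([string]$BaseDN, [string]$Filter, [string]$Property) {
    $s = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$BaseDN")
    $s.Filter = $Filter
    [void]$s.PropertiesToLoad.Add($Property)
    $r = $s.FindOne()
    if (-not $r) { throw "No object matches $Filter under $BaseDN" }
    return $r.Properties[$Property.ToLower()][0]
}

# schemaIDGUID of an attribute is stored as a byte[]
function Get-AttributeGuid([string]$LdapDisplayName) {
    $bytes = Find-One $schemaNC "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))" "schemaIDGUID"
    return New-Object System.Guid -ArgumentList (,$bytes)
}

# rightsGuid of an extended right or property set is stored as a string
function Get-ControlRightGuid([string]$DisplayName) {
    $text = Find-One "CN=Extended-Rights,$configNC" "(&(objectClass=controlAccessRight)(displayName=$DisplayName))" "rightsGuid"
    return [Guid]$text
}

# Permissions from the table, expressed as (object GUID, ActiveDirectoryRights)
$Required = @(
    @{ Name = "Change Password (extended right)";    Guid = (Get-ControlRightGuid "Change Password");      Rights = "ExtendedRight" },
    @{ Name = "Reset Password (extended right)";     Guid = (Get-ControlRightGuid "Reset Password");       Rights = "ExtendedRight" },
    @{ Name = "Read/Write lockoutTime";              Guid = (Get-AttributeGuid "lockoutTime");             Rights = "ReadProperty, WriteProperty" },
    @{ Name = "Read/Write Account Restrictions set"; Guid = (Get-ControlRightGuid "Account Restrictions"); Rights = "ReadProperty, WriteProperty" },
    @{ Name = "Read accountExpires";                 Guid = (Get-AttributeGuid "accountExpires");          Rights = "ReadProperty" }
)

# Explicit and inherited Allow ACEs naming the account itself. Rights granted
# through group membership are not expanded; Deny ACEs are not subtracted.
$sd   = ([ADSI]"LDAP://$TargetUserDN").psbase.ObjectSecurity
$aces = @($sd.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
    Where-Object { $_.AccessControlType -eq "Allow" -and $_.IdentityReference.Value -eq $AdminAccount })

# OR together the rights of every ACE that covers the GUID (an empty ObjectType
# means "all properties / all extended rights"; GenericAll carries every bit
# tested here).
function Get-GrantedMask($Aces, [Guid]$ObjectGuid) {
    $mask = 0
    foreach ($ace in $Aces) {
        if ($ace.ObjectType -eq [Guid]::Empty -or $ace.ObjectType -eq $ObjectGuid) {
            $mask = $mask -bor [int]$ace.ActiveDirectoryRights
        }
    }
    return $mask
}

$missing = 0
foreach ($req in $Required) {
    $need = [int][System.DirectoryServices.ActiveDirectoryRights]$req.Rights
    $have = Get-GrantedMask $aces $req.Guid
    $ok   = (($have -band $need) -eq $need)
    if (-not $ok) { $missing++ }
    $status = if ($ok) { "OK" } else { "MISSING" }
    "{0,-8} {1}" -f $status, $req.Name
}
"$missing of $($Required.Count) required permissions missing for $AdminAccount on $TargetUserDN"
```

Because the check looks only at ACEs naming the account directly, rerun it with the group name as $AdminAccount when the deployment grants these permissions through a group.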

Reset Password

The permissions to perform Create, Delete, and Update of resource objects are as expected: the account needs Create and Delete permissions for the corresponding object type, and appropriate Read/Write permissions on the properties that need to be updated.

Pass-Through Authentication

To support Active Directory (AD) pass-through authentication:


Note –

If you must update user rights, there might be a delay before the updated security policy is propagated. Once the policy has been propagated, you must restart the Gateway.


The Gateway uses the LogonUser function with the LOGON32_LOGON_NETWORK log-on type and the LOGON32_PROVIDER_DEFAULT log-on provider to perform pass-through authentication. The LogonUser function is provided with the Microsoft Platform Software Development Kit.

Accessing Deleted Objects

The administrative account must have access to the Deleted Objects container in Active Directory. By default, only Administrators and the System account have access to this container. Other users can be granted access to this container. For information on granting access to the Deleted Objects container, see Microsoft Knowledge Base article 892806.

Provisioning Notes

The following table summarizes the provisioning capabilities of this adapter.

Feature | Supported?
Enable/disable account | Yes
Rename account | Yes
Pass-through authentication | Yes. The Authentication Timeout resource attribute (provided for pass-through authentication only) prevents the Active Directory adapter from hanging if a problem occurs on the Gateway side.
Before/after actions | Yes. The Active Directory resource supports before and after actions, which use batch scripts to perform activities on the Active Directory gateway system during a user create, update, or delete request. For more information, see Chapter 50, Adding Actions to Resources.
Data loading methods | Import directly from resource; Reconcile with resource; Active Sync

Account Attributes

The syntax (or type) of an attribute usually determines whether the attribute is supported. In general, Identity Manager supports Boolean, string, and integer syntaxes. Binary strings and similar syntaxes are not supported.

Attribute Syntax Support

This section provides information about supported and unsupported account syntaxes.

Supported Syntaxes

The following table lists the Active Directory syntaxes supported by Identity Manager:

AD Syntax | Identity Manager Syntax | Syntax ID | OM ID | ADS Type
Boolean | Boolean | 2.5.5.8 |  | ADSTYPE_BOOLEAN
Enumeration | String | 2.5.5.9 | 10 | ADSTYPE_INTEGER
Integer | Int | 2.5.5.9 |  | ADSTYPE_INTEGER
DN String | String | 2.5.5.1 | 127 | ADSTYPE_DN_STRING
Presentation Address | String | 2.5.5.13 | 127 | ADSTYPE_CASE_IGNORE_STRING
IA5 String | String | 2.5.5.5 | 22 | ADSTYPE_PRINTABLE_STRING
Printable String | String | 2.5.5.5 | 19 | ADSTYPE_PRINTABLE_STRING
Numeric String | String | 2.5.5.6 | 18 | ADSTYPE_NUMERIC_STRING
OID String | String | 2.5.5.2 |  | ADSTYPE_CASE_IGNORE_STRING
Case Ignore String (teletex) | String | 2.5.5.4 | 20 | ADSTYPE_CASE_IGNORE_STRING
Unicode String | String | 2.5.5.12 | 64 | ADSTYPE_OCTET_STRING
Interval | String | 2.5.5.16 | 65 | ADSTYPE_LARGE_INTEGER
LargeInteger | String | 2.5.5.16 | 65 | ADSTYPE_LARGE_INTEGER

Unsupported Syntaxes

The following table lists the Active Directory syntaxes that are not supported by Identity Manager:

Syntax | Syntax ID | OM ID | ADS Type
DN with Unicode string | 2.5.5.14 | 127 | ADSTYPE_DN_WITH_STRING
DN with binary | 2.5.5.7 | 127 | ADSTYPE_DN_WITH_BINARY
OR-Name | 2.5.5.7 | 127 | ADSTYPE_DN_WITH_BINARY
Replica Link | 2.5.5.10 | 127 | ADSTYPE_OCTET_STRING
NT Security Descriptor | 2.5.5.15 | 66 | ADSTYPE_NT_SECURITY_DESCRIPTOR
Octet String | 2.5.5.10 |  | ADSTYPE_OCTET_STRING
SID String | 2.5.5.17 |  | ADSTYPE_OCTET_STRING
UTC Time String | 2.5.5.11 | 23 | ADSTYPE_UTC_TIME
Object(Access-Point) | 2.5.5.14 | 127 | n/a

Identity Manager supports the jpegPhoto and thumbnailPhoto account attributes, which use the Replica Link syntax. Other Replica Link attributes might be supported, but they have not been tested.

Microsoft Exchange 2007 Attribute Syntax Support

This section provides information about supported and unsupported account syntaxes for Microsoft Exchange 2007 only.

Supported Syntaxes

Identity Manager supports the following PowerShell syntaxes:

Syntax | Description
String | A Unicode string.
Integer | Represented as String in Exchange 2007.
Nullable | An attribute which does not have to contain a value. If used without another type, a String is indicated.
Boolean | A standard Boolean value of "True" or "False".
Unlimited | An integer represented as a String, with the string "Unlimited" as an additional allowed value.
ByteQuantifiedSize | An integer size represented as a String, with or without a size quantifier. Allowed quantifiers: none, B (default), KB, MB or GB.

The combination of Unlimited and ByteQuantifiedSize is supported.

Unsupported Syntaxes

The following list describes the PowerShell syntaxes that are not supported by Identity Manager:

Syntax | Description
SwitchParameter | Special command line form of a Boolean value.
Encrypted | Password attributes.

Account Attribute Support

This section provides information about the Active Directory account attributes that are supported and those not supported by Identity Manager.

Supported Account Attributes

The following table lists the account attributes supported by Identity Manager: Other attributes, such as those for Exchange, might also be supported.

Schema Name  

Attribute Type  

Description  

accountExpires 

String 

The date when the user’s account expires. 

AccountLocked 

Boolean 

Whether or not an account is locked out. Cannot be set to true; only the Windows system can set to true. 

accountNameHistory 

String 

The length of time that the account has been active. Read-only. 

aCSPolicyName 

String 

String name of an ACS policy that applies to this user. 

adminCount 

String 

Indicates that a given object has had its ACLs changed to a more secure value by the system because it was a member of one of the administrative groups (directly or transitively). Set by system. Read-only. 

adminDescription 

String 

The description displayed on admin screens. 

adminDisplayName 

String 

The name to be displayed on admin screens. 

altSecurityIdentities 

String 

Contains mappings for X.509 certificates or external Kerberos user accounts to this user for the purpose of authentication.

assistant 

String 

The distinguished name of a user’s administrative assistant. 

badPasswordTime 

String 

The last time the user tried to log on to the account using an incorrect password. 

badPwdCnt 

String 

Read-only. Number of login attempts with incorrect password. The value may only be for those logins that failed at the domain controller that is being queried. 

businessCategory 

String 

Describes the kind of business performed by an organization. 

String 

The two-character country code in the address of the user. 

cn 

String 

Common Name. This attribute is set from the CN value in the DN. Read-only. 

co 

String 

Text-Country (country name) 

company 

String 

The user’s company name. 

codePage 

Int 

Specifies the code page for the user’s language of choice. 

countryCode 

String 

Specifies the country code for the user’s language of choice. 

Database 

String 

This attribute is required if the value of RecipientType is UserMailbox. It is not displayed by default. You must add it to manage Exchange 2007 accounts. 

The full database path, in the format Server\Storage\Database.

defaultClassStore 

String 

The default Class Store for a given user. 

department 

String 

Contains the name for the department in which the user works. 

description 

String 

Contains the description to display for an object. This value is treated as single-valued by the system. 

desktopProfile 

String 

The location of the desktop profile for a user or group of users. 

destinationIndicator 

String 

Not used by Active Directory. 

displayName 

String 

The name displayed in the address book for a particular user. This is usually the combination of the user’s first name, middle initial, and last name. 

displayNamePrintable 

String 

Printable version of the displayName. 

distinguishedName 

String 

Cannot be set directly. Read only. Set the DN on create using the DN template or the accountId account attribute. 

division 

String 

The user’s division. 

dynamicLDAPServer 

String 

DNS name of server handing dynamic properties for this account. 

employeeID 

String 

The ID of an employee. 

extensionName 

String 

The name of a property page used to extend the UI of a directory object. 

ExternalEmailAddress 

String 

This attribute is required if the value of RecipientType is MailUser. It is not displayed by default. You must add it to manage Exchange 2007 accounts. 

A email address that is unique in the Exchange server and in the form User@Domain.

facsimileTelephoneNumber 

String 

Contains telephone number of the user’s business fax machine. 

flags 

Int 

To be used by the object to store bit information. 

garbageCollPeriod 

Int 

This attribute is located on the CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,... object. It represents the period in hours between DS garbage collection runs. 

generationQualifier 

String 

Indicates a person’s generation; for example, Jr. or II. 

givenName 

String 

Contains the given name (first name) of the user. 

groupPriority 

String 

Not used 

groups 

String 

Windows security and distribution groups 

groupsToIgnore 

String 

Not used 

homeDirectory 

String 

The user’s home directory. If homeDrive is set and specifies a drive letter, homeDirectory should be a UNC path. The path must be a network UNC path of the form \\server\share\directory. This value can be a null string. 

The user’s home directory will be created if: 

  • The value is a UNC path that is not a share name (it specifies a directory on a share)

  • Any and all parent directories exist

  • The Create Home Directory resource attribute is set to 1

  • The user that the gateway service is running as must have permission to create the directory

    The user will be given Full Control of the created directory.

homeDrive 

String 

The drive letter (including the colon) that the home directory should be mapped to (for example, “Z:”). It should be specified only if homeDirectory is a UNC path. 

homeMDB 

String 

The distinguished name of the message database (MDB) for this mailbox. It has a format similar to CN=Mailbox Store (SERVERNAME),CN=First Storage Group, CN=InformationStore, CN=SERVERNAME,CN=Servers, CN=First Administrative Group, CN=Administrative Groups, CN=EXCHANGE ORG, CN=Microsoft Exchange, CN=Services, CN=Configuration,DC=DOMAIN, DC=YOURCOMPANY,DC=com’

homeMTA 

String 

Points to the message transfer agent (MTA) that services this object. It has a format similar to CN=Microsoft MTA, CN=SERVERNAME, CN=Servers, CN=First Administrative Group, CN=Administrative Groups, CN=EXCHANGE ORG, CN=Microsoft Exchange, CN=Services, CN=Configuration,DC=DOMAIN, DC=YOURCOMPANY,DC=com

homePhone 

String 

The user’s main home phone number. 

homePostalAddress 

String 

A user’s home address. 

info 

String 

The user’s comments. This string can be a null string. 

initials 

String 

Contains the initials for parts of the user’s full name. 

internationalISDNNumber 

String 

Specifies an International ISDN number associated with an object. 

ipPhone 

String 

The TCP/IP address for the phone. Used by Telephony. 

jpegPhoto 

Binary 

An image of the user. (Requires Windows 2003 Server or higher) 

String 

Contains the locality, such as the town or city, in the user’s address. 

lastLogon 

String 

The last time the user logged on at a DC. 

lastLogonTimestamp 

String 

The time that the user last logged into the domain. This value is only updated when the user logs in if a week has passed since the last update. 

lastLogoff 

String 

The last time the user logged off. 

legacyExchangeDN 

String 

The distinguished name previously used by Exchange. 

localeID 

Int 

This attribute contains a list of locale IDs supported by this application. A locale ID represents a geographic location like France. 

lockoutTime 

String 

The number of minutes to wait before resetting the invalid logon count. 

logonCount 

Int 

The number of times the user has successfully logged on to this account. This property is maintained separately on each domain controller in the domain. 

mail 

String 

One or more email addresses. 

mailNickName 

String 

Exchange nickname. 

managedObjects 

String 

Contains the list of objects that are managed by the user. Set by the system. Read only. 

manager 

String 

Directory name of the user’s manager. 

maxStorage 

String 

The maximum amount of disk space the user can use. 

mDBOverHardQuotaLimit 

String 

The maximum mailbox size, in KB, over which sending and receiving mail is disabled. 

mDBOverQuotaLimit 

String 

The mailbox quota overdraft limit, in KB. 

mDBStorageQuota 

String 

The message database quota, in KB. 

mDBUseDefaults 

String 

Indicates whether the store should use the default quota, rather than the per-mailbox quota. 

mhsORAddress 

String 

X.400 address. 

middleName 

String 

The user’s middle name. 

mobile 

String 

The primary cell phone number. 

msCOM-PartitionSetLink 

String 

A link used to associate a COM+ Partition with a COM+ PartitionSet object. Read only. 

msCOM-UserLink 

String 

A link used to associate a COM+ PartitionSet with a User object. Read only. 

msCOM-UserPartitionSetLink 

String 

A link used to associate a User with a COM+ PartitionSet. Read only. 

msDS-AllowedToDelegateTo 

String 

Contains a list of Service Principal Names (SPN). This attribute is used to configure a service to be able to obtain service tickets usable for Constrained Delegation. 

ms-DS-Approx-Immed-Subordinates 

Int 

The approximate number of subordinates for this user. Read only. 

msDS-Cached-Membership-Time-Stamp 

String 

Used by the Security Accounts Manager for group expansion during token evaluation. Read only. 

mS-DS-ConsistencyChildCount 

Int 

This attribute is used to check consistency between the directory and another object, database, or application, by comparing a count of child objects. 

msExchHomeServerName 

String 

The name of the Exchange server. It has a format similar to /o=EXCHANGEORG/ou=First Administrative Group/cn=Configuration/cn=Servers/cn=SERVERNAME

ms-DS-KeyVersionNumber 

Int 

The Kerberos version number of the current key for this account. This is a constructed attribute. Read only. 

ms-DS-Mastered-By 

String 

Back link for msDS-hasMasterNCs. Read only. 

ms-DS-Members-For-Az-Role-BL 

String 

Back-link from member application group or user to Az-Role object(s) linking to it. Read only. 

ms-DS-NC-Repl-Cursors 

String 

A list of past and present replication partners, and how up to date we are with each of them. Read only. 

ms-DS-NC-Repl-Inbound-Neighbors 

String 

Replication partners for this partition. This server obtains replication data from these other servers, which act as sources. Read only. 

ms-DS-NC-Repl-Outbound-Neighbors 

String 

Replication partners for this partition. This server sends replication data to these other servers, which act as destinations. This server will notify these other servers when new data is available. Read only. 

ms-DS-Non-Members-BL 

String 

Back link from non-member group/user to Az group(s) linking to it. Read only. 

ms-DS-Operations-For-Az-Role-BL 

String 

Back-link from Az-Operation to Az-Role object(s) linking to it. Read only. 

ms-DS-Operations-For-Az-Task-BL 

String 

Back-link from Az-Operation to Az-Task object(s) linking to it. Read only. 

ms-DS-Repl-Attribute-Meta-Data 

String 

A list of metadata for each replicated attribute. Read only. 

ms-DS-Repl-Value-Meta-Data 

String 

A list of metadata for each value of an attribute. Read only. 

ms-DS-Tasks-For-Az-Role-BL 

String 

Back-link from Az-Task to Az-Role object(s) linking to it. Read only. 

ms-DS-Tasks-For-Az-Task-BL 

String 

Back-link from Az-Task to the Az-Task object(s) linking to it. Read only. 

ms-DS-User-Account-Control-Computed 

Int 

A computed attribute that exposes whether the user’s password has expired and whether the user account is locked out. 

msExchMailboxSecurityDescriptor 

String 

This attribute determines Exchange Mailbox rights for the user. 

For more information, see Managing ACL Lists

ms-Exch-Owner-BL 

String 

The back-link to the owner attribute. Contains a list of owners for an object. Read only. 

ms-IIS-FTP-Dir 

String 

The user home directory relative to the file server share. It is used in conjunction with ms-IIS-FTP-Root to determine the FTP user home directory. 

ms-IIS-FTP-Root 

String 

This attribute determines the file server share. It is used in conjunction with ms-IIS-FTP-Dir to determine the FTP user home directory. 

name 

String 

The Relative Distinguished Name (RDN) of the user. Cannot be set directly. Read only. Set the RDN on create using the DN template or the accountId account attribute. Do not use “name” for the left-hand side of the schema map as it is a reserved attribute name. 

networkAddress 

String 

The TCP/IP address for a network segment. 

nTSecurityDescriptor 

String 

The NT security descriptor for the schema object. 

For more information, see Managing ACL Lists.

o 

String 

The name of the company or organization. 

objectCategory 

N/A 

An object class name used to group objects of this or derived classes. 

Set by the system. Read-only. 

objectClass 

N/A 

The list of classes from which this class is derived. 

The value of this attribute should be set using the Object Class resource attribute. Read-only. 

objectVersion 

Int 

A version number for the object. 

operatorCount 

Int 

The number of operators on the computer. 

otherFacsimileTelephoneNumber 

String 

A list of alternate facsimile numbers. 

otherHomePhone 

String 

A list of alternate home phone numbers. 

otherIpPhone 

String 

The list of alternate TCP/IP addresses for the phone. Used by Telephony. 

otherLoginWorkstations 

String 

Non-NT or LAN Manager workstations from which a user can log in. 

otherMailbox 

String 

Contains other additional mail addresses in a form such as CCMAIL: JohnDoe. 

otherMobile 

String 

Additional mobile phone numbers 

otherPager 

String 

Additional pager numbers 

otherTelephone 

String 

Additional telephone numbers 

ou 

String 

Organizational unit 

outOfOfficeEnabled 

Boolean 

Enables the out-of-office autoreply function 

outOfOfficeMessage 

String 

The text of an out-of-office message. 

pager 

String 

Pager number 

personalTitle 

String 

User’s title 

PasswordNeverExpires 

Boolean 

Indicates whether the user’s password will expire. 

physicalDeliveryOfficeName 

String 

The office where deliveries are routed to. 

postalAddress 

String 

The office location in the user’s place of business. 

postalCode 

String 

The postal or zip code for mail delivery. 

postOfficeBox 

String 

The P.O. Box number for this object. 

preferredDeliveryMethod 

String 

The X.500 preferred delivery method for the addressee. 

preferredOU 

String 

The Organizational Unit to show by default on the user’s desktop. 

primaryGroupID 

Int 

If the user is not already a member of the group, primaryGroupID must be set in two steps: first add the user to the group, then set primaryGroupID. 

primaryInternationalISDNNumber 

String 

The primary ISDN number. 

primaryTelexNumber 

String 

The primary telex number. 

profilePath 

String 

Specifies a path to the user’s profile. This value can be a null string, a local absolute path, or a UNC path. 

proxyAddresses 

String 

A proxy address is the address by which a Microsoft Exchange Server recipient object is recognized in a foreign mail system. Proxy addresses are required for all recipient objects such as custom recipients and distribution lists. 

pwdLastSet 

String 

This attribute indicates the last time the user modified the password. This value is stored as a large integer that represents the number of seconds elapsed since 00:00:00, January 1, 1601 (FILETIME). If this value is set to zero and the user account has the password never expires property set to false, then the user must set the password at the next logon. 

RecipientType 

String 

Required for all Exchange 2007 account types. The possible values are User, UserMailbox, or MailUser. 

This attribute is not displayed by default. You must add it to manage Exchange 2007 accounts. 

revision 

Int 

The revision level for a security descriptor or other change. Read only. 

rid 

Int 

The relative Identifier of an object. Read only. 

sAMAccountName 

String 

Login name. 

sAMAccountType 

Int 

This attribute contains information about every account type object. Set by system. Read only. 

scriptPath 

String 

The path for the user’s logon script. The string can be null. 

seeAlso 

String 

DNs of related objects 

serialNumber 

String 

User’s serial number. Not used by Active Directory. 

servicePrincipalName 

String 

List of distinguished names that are related to an object. 

showInAddressBook 

String 

This attribute is used to indicate which MAPI address books an object will appear in. It is normally maintained by the Exchange Recipient Update Service. 

showInAdvancedViewOnly 

Boolean 

True if this attribute is to be visible in the Advanced mode of the UI. 

sn 

String 

Family or last name 

st 

String 

State or province name 

street 

String 

Street address 

Structural-Object-Class 

String 

Stores a list of classes contained in a class hierarchy, including abstract classes. Read only. 

telephoneNumber 

String 

Primary telephone number. 

Terminal Services Initial Program 

String 

The path of the initial program that runs when the user logs on. 

Terminal Services Initial Program Directory 

String 

The path of the working directory for the initial program. 

Terminal Services Inherit Initial Program 

Boolean 

Indicates whether the client can specify an initial program 

true - The client can specify program. 

false - The Terminal Services Initial Program value is used, and the client is logged off when exiting that program.

Terminal Services Allow Logon 

Boolean 

false - The user cannot log on. 

true - The user can log on. 

Terminal Services Active Session Timeout 

Integer 

Duration in milliseconds. A value of 0 indicates the connection timer is disabled. 

Terminal Services Disconnected Session Timeout 

Integer 

The maximum duration, in milliseconds, that a terminal server retains a disconnected session before the logon is terminated. A value of 0 indicates the disconnection timer is disabled. 

Terminal Services Idle Timeout 

Integer 

The maximum idle time, in milliseconds. If there is no keyboard or mouse activity for the specified interval, the user’s session is disconnected or terminated depending on the value specified in Terminal Services End Session On Timeout Or Broken Connection. A value of 0 indicates the idle timer is disabled. 

Terminal Services Connect Client Drives At Logon 

Boolean 

Indicates whether the terminal server automatically reestablishes client drive mappings at logon. 

false - The server does not automatically connect to previously mapped client drives. 

true - The server automatically connects to previously mapped client drives at logon. 

Terminal Services Connect Client Printers At Logon 

Boolean 

Indicates whether the terminal server automatically reestablishes client printer mappings at logon. 

false - The server does not automatically connect to previously mapped client printers. 

true - The server automatically connects to previously mapped client printers at logon. 

Terminal Services Default To Main Client Printer 

Boolean 

Indicates whether the client printer is the default printer. 

false - The client printer is not the default printer. 

true - The client printer is the default printer. 

Terminal Services End Session On Timeout Or Broken Connection 

Boolean 

Specifies the action when the connection or idle timers expire, or when a connection is lost due to a connection error. 

false - The session is disconnected. 

true - The session is terminated. 

Terminal Services Allow Reconnect From Originating Client Only 

Boolean 

Indicates how a disconnected session for this user can be reconnected. 

false - The user can log on to any client computer to reconnect to a disconnected session. 

true - The user can reconnect to a disconnected session by logging on to the client computer used to establish the disconnected session. 

Terminal Services Callback Settings 

Integer 

Indicates the configuration for dialup connections in which the terminal server hangs up and then calls back the client to establish the connection. 

0 - Callback connections are disabled. 

1 - The server prompts the user to enter a phone number and calls the user back at that phone number. 

2 - The server automatically calls the user back at the phone number specified by the Terminal Services Callback Phone Number attribute. 

Terminal Services Callback Phone Number 

String 

The phone number to use for callback connections. 

Terminal Services Remote Control Settings 

Integer 

Indicates whether the user session can be shadowed. Shadowing allows a user to remotely monitor the on-screen operations of another user. 

0 - Disable 

1 - Enable input, notify 

2 - Enable input, no notify 

3 - Enable no input, notify 

4 - Enable no input, no notify 

Terminal Services User Profile 

String 

The path of the user’s profile for terminal server logon. 

Terminal Services Local Home Directory 

String 

The path of the user’s home directory for terminal server logon. 

Terminal Services Home Directory Drive 

String 

A drive name (a drive letter followed by a colon) to which the UNC path specified in the Terminal Services Local Home Directory attribute is mapped. 

textEncodedORAddress 

String 

Supports X.400 addresses in a text format. 

thumbnailPhoto 

Binary 

An image of the user. 

title 

String 

Contains the user’s job title. This property is commonly used to indicate the formal job title, such as Senior Programmer, rather than occupational class, such as programmer. It is not typically used for suffix titles such as Esq. or DDS. 

userAccountControl 

Int 

Specifies flags that control password, lockout, disable/enable, script, and home directory behavior for the user. This property also contains a flag that indicates the account type of the object. The flags are defined in LMACCESS.H. 

userParameters 

String 

Parameters of the user. Points to a Directory string that is set aside for use by applications. This string can be a null string, or it can have any number of characters before the terminating null character. 

userPassword 

Encrypted 

The user’s password in UTF-8 format. This is a write-only attribute. 

userPrincipalName 

String 

An Internet-style login name for a user based on the Internet standard RFC 822. The UPN is shorter than the distinguished name and easier to remember. By convention, this should map to the user e-mail name. 

userSharedFolder 

String 

Specifies a UNC path to the user’s shared documents folder. The path must be a network UNC path of the form \\server\share\directory. This value can be a null string. 

userSharedFolderOther 

String 

Specifies a UNC path to the user’s additional shared documents folder. The path must be a network UNC path of the form \\server\share\directory. This value can be a null string. 

userWorkstations 

String 

NetBIOS or DNS names of the computers the user can log on to, separated by commas. 

usnChanged 

String 

USN value assigned by the local directory for the latest change, including creation. Read only. 

usnCreated 

String 

USN-Changed value assigned at object creation. 

USNIntersite 

Int 

The USN for inter-site replication. 

uSNLastObjRem 

String 

Indicates when the last object was removed from a server. Read only. 

uSNSource 

String 

Value of the USN-Changed attribute of the object from the remote directory that replicated the change to the local server. Read only. 

WS_PasswordExpired 

Boolean 

Indicates whether to expire the user’s password. 

WS_USER_PASSWORD 

Encrypted 

Contains the user password. See the Usage Notes for more information. 

wbemPath 

String 

References to objects in other ADSI namespaces. 

whenChanged 

String 

The date when this object was last changed. Read only. 

whenCreated 

String 

The date when this object was created. Read only. 

wWWHomePage 

String 

The user’s primary web page. 

url 

String 

A list of alternate web pages. 

x121Address 

String 

The X.121 address for an object. 

Supported Account Attributes for Exchange Server 2007

These attributes are Exchange Server 2007 specific and are ignored if the RecipientType attribute is not set to UserMailbox or MailUser.

Schema Name  

Attribute Type 

Description  

AcceptMessagesOnlyFrom 

String 

A list of users who are allowed to send mail to this user 

AcceptMessagesOnlyFromDLMembers 

String 

A list of distribution groups whose members are allowed to send mail to this user 

Alias 

String 

Alias of the user 

AntispamBypassEnabled 

Boolean 

Specifies whether to skip anti-spam processing on this mailbox. (RecipientType UserMailbox only) 

CustomAttribute1 through CustomAttribute15 

String 

Attribute to store additional information. 

DeliverToMailboxAndForward 

Boolean 

Specifies whether messages sent to this mailbox will be forwarded to another address. (RecipientType UserMailbox only) 

DisplayName 

String 

The name that will be displayed in Microsoft Outlook 

DowngradeHighPriorityMessagesEnabled 

Boolean 

Prevents the mailbox from sending high priority messages. (RecipientType UserMailbox only) 

EmailAddress 

String 

SMTP mail address, cannot be used with PrimarySMTPAddress 

EmailAddresses 

String 

List of email addresses. Not to be used in conjunction with PrimarySmtpAddress or EmailAddressPolicyEnabled set to "True" 

EmailAddressPolicyEnabled 

Boolean 

Should be set to "True" by default. When it is, a primary email address is generated for the user and the following attributes cannot be used: 

- PrimarySmtpAddress 

- WindowsEmailAddress 

EndDateForRetentionHold 

Nullable 

The end date for retention hold for messaging records management (MRM) (RecipientType UserMailbox only) 

ExternalOofOptions 

String 

Sending an Out of Office message to external senders. Values limited to: "InternalOnly" or "External" (RecipientType UserMailbox only) 

ForwardingAddress 

String 

Address to forward mail to if DeliverToMailboxAndForward is set to "True" (RecipientType UserMailbox only) 

GrantSendOnBehalfTo 

String 

The distinguished name (DN) of other recipients that can send messages on behalf of this user 

HiddenFromAddressListsEnabled 

Boolean 

Hide the email address from address lists 

IssueWarningQuota 

Unlimited ByteQuantifiedSize 

The mailbox size at which to issue a quota warning. (RecipientType UserMailbox only) 

Languages 

String 

List of preference languages for display. (RecipientType UserMailbox only) 

MaxBlockedSenders 

Nullable 

The maximum number of senders that can be included in the blocked senders list. 

MaxReceiveSize 

Unlimited ByteQuantifiedSize 

The maximum size of messages that this user can receive. 

MaxSafeSenders 

Nullable 

The maximum number of senders that can be included in the safe senders list. (RecipientType UserMailbox only) 

MaxSendSize 

Unlimited ByteQuantifiedSize 

The maximum size of messages that this user can send. 

OfflineAddressBook 

String 

The associated address book. (RecipientType UserMailbox only) 

PrimarySmtpAddress 

String 

The address that external users will see when they receive a message from this user. Not to be used in conjunction with EmailAddresses: the EmailAddresses list contains the PrimarySmtpAddress. Can not be used with EmailAddressPolicyEnabled set to "True" 

ProhibitSendQuota 

Unlimited ByteQuantifiedSize 

The mailbox size at which the user associated with this mailbox can no longer send messages. (RecipientType UserMailbox only) 

ProhibitSendReceiveQuota 

Unlimited ByteQuantifiedSize 

The mailbox size at which the user associated with this mailbox can no longer send or receive messages. (RecipientType UserMailbox only) 

RecipientLimits 

Unlimited 

The maximum number of recipients per message to which this mailbox can send. 

RejectMessagesFrom 

String 

The recipients from whom messages will be rejected. 

RejectMessagesFromDLMembers 

String 

Messages from any member of these distribution lists will be rejected. 

RequireSenderAuthenticationEnabled 

Boolean 

Senders must be authenticated. 

RetainDeletedItemsFor 

String 

Timespan represented in a string form "dd.hh:mm:ss" specifying the length of time to keep the deleted items. (RecipientType UserMailbox only) 

RetainDeletedItemsUntilBackup 

Boolean 

Retain deleted items until the next backup. (RecipientType UserMailbox only) 

RetentionHoldEnabled 

Boolean 

Turn retention hold on or off (RecipientType UserMailbox only) 

RulesQuota 

ByteQuantifiedSize 

The limit for the size of rules for this mailbox. Maximum value is 256 KB (RecipientType UserMailbox only) 

SCLDeleteEnabled 

Nullable Boolean 

Delete messages that meet the SCL delete threshold (RecipientType UserMailbox only) 

SCLDeleteThreshold 

Nullable 

The Spam Confidence Level at which a mail will be deleted, allowed values: 0-9. (RecipientType UserMailbox only) 

SCLJunkEnabled 

Nullable Boolean 

Junk messages that meet the SCL junk threshold (RecipientType UserMailbox only) 

SCLJunkThreshold 

Nullable 

The Spam Confidence Level at which a mail will be marked as junk, allowed values: 0-9 (RecipientType UserMailbox only) 

SCLQuarantineEnabled 

Nullable Boolean 

Quarantine messages that meet the SCL quarantine threshold (RecipientType UserMailbox only) 

SCLQuarantineThreshold 

Nullable 

The Spam Confidence Level at which a mail will be quarantined, allowed values: 0-9 (RecipientType UserMailbox only) 

SCLRejectEnabled 

Nullable Boolean 

Reject messages that meet the SCL reject threshold (RecipientType UserMailbox only) 

SCLRejectThreshold 

Nullable 

The Spam Confidence Level at which a mail will be rejected, allowed values: 0-9 (RecipientType UserMailbox only) 

SimpleDisplayName 

String 

An ASCII only version of the DisplayName. 

StartDateForRetentionHold 

Nullable 

The start date for retention hold for MRM. (RecipientType UserMailbox only) 

UseDatabaseQuotaDefaults 

Boolean 

Specifies that this mailbox uses the quota attributes specified for the mailbox database where this mailbox resides. (RecipientType UserMailbox only) 

UseDatabaseRetentionDefaults 

Boolean 

Specifies that this mailbox uses the MailboxRetention attribute specified for the mailbox database where this mailbox resides. (RecipientType UserMailbox only) 

UserPrincipalName 

String 

This is the logon name for the user. The UPN consists of a user name and a suffix. 

Managing ACL Lists

The nTSecurityDescriptor and the msExchMailboxSecurityDescriptor attribute values contain ACL lists that you must specify in a special way.

For example, the following shows a user form a company might use to assign a default set of permissions to each user they provision:

<Field name='attributes[AD].nTSecurityDescriptor' hidden='true'>
  <Expansion>
    <list>
      <s>Domain Admins|983551|0|0|NULL|NULL</s>
      <s>NT AUTHORITY\SYSTEM|983551|0|0|NULL|NULL</s>
      <s>Account Operators|983551|0|0|NULL|NULL</s>
      <s>NT AUTHORITY\Authenticated Users|131220|0|0|NULL|NULL</s>
      <s>NT AUTHORITY\Authenticated Users|256|5|0|{AB721A55-1E2F-11D0-9819-00AA0040529B}|NULL</s>
      <s>NT AUTHORITY\SELF|131220|0|0|NULL|NULL</s>
    </list>
  </Expansion>
</Field>

The entries in the nTSecurityDescriptor list are in the following format:

Trustee|Mask|aceType|aceFlags|objectType|InheritedObjectType

Where:

The best way to find the correct string to pass down is the following procedure:

Procedure: Finding the Correct String to Pass Down

  1. Add the attribute to your schema, and then add the following field to your user form:

    <Field name='accounts[AD].nTSecurityDescriptor'>
      <Display class='TextArea'>
        <Property name='title' value='NT User Security Descriptor'/>
        <Property name='rows' value='20'/>
        <Property name='columns' value='100'/>
      </Display>
    </Field>

    or

    <Field name='accounts[AD].msExchMailboxSecurityDescriptor'>
      <Display class='TextArea'>
        <Property name='title' value='Mailbox Security Descriptor'/>
        <Property name='rows' value='20'/>
        <Property name='columns' value='100'/>
      </Display>
    </Field>

  2. Edit a user’s object in Active Directory and set the corresponding ACL lists for all users to establish a baseline.

  3. Edit the user in Identity Manager on the Edit User form.

    You should see a text area with the corresponding values, which have been pulled from the user object in Active Directory.

    Using the preceding method will help you determine which values you must add to the form, for the settings you want.
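Before copying a baseline pulled from Active Directory into a form, it is worth parsing it and reviewing what each entry actually grants. The following added example (not Identity Manager code) parses entries in the Trustee|Mask|aceType|aceFlags|objectType|InheritedObjectType format described above, decodes the mask into ADS_RIGHTS_ENUM names, round-trips each entry, and flags allow-ACEs that hand WRITE_DAC, WRITE_OWNER or GENERIC_ALL to broad principals. The sample list is the one from the form above; the BROAD_TRUSTEES set is an assumed review policy, not something the adapter enforces.

```python
"""Parse, decode and review the pipe-delimited ACE entries that Identity Manager
expects in nTSecurityDescriptor and msExchMailboxSecurityDescriptor.
Added example, not Identity Manager product code; entry format as documented above."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Access-mask bits for directory objects (ADS_RIGHTS_ENUM), lowest bit first.
DS_RIGHTS = {
    0x1: "ADS_RIGHT_DS_CREATE_CHILD", 0x2: "ADS_RIGHT_DS_DELETE_CHILD",
    0x4: "ADS_RIGHT_ACTRL_DS_LIST", 0x8: "ADS_RIGHT_DS_SELF",
    0x10: "ADS_RIGHT_DS_READ_PROP", 0x20: "ADS_RIGHT_DS_WRITE_PROP",
    0x40: "ADS_RIGHT_DS_DELETE_TREE", 0x80: "ADS_RIGHT_DS_LIST_OBJECT",
    0x100: "ADS_RIGHT_DS_CONTROL_ACCESS", 0x10000: "ADS_RIGHT_DELETE",
    0x20000: "ADS_RIGHT_READ_CONTROL", 0x40000: "ADS_RIGHT_WRITE_DAC",
    0x80000: "ADS_RIGHT_WRITE_OWNER", 0x100000: "ADS_RIGHT_SYNCHRONIZE",
    0x1000000: "ADS_RIGHT_ACCESS_SYSTEM_SECURITY", 0x10000000: "ADS_RIGHT_GENERIC_ALL",
    0x20000000: "ADS_RIGHT_GENERIC_EXECUTE", 0x40000000: "ADS_RIGHT_GENERIC_WRITE",
    0x80000000: "ADS_RIGHT_GENERIC_READ",
}
# aceType values; only the object ACE types (5, 6) carry an objectType GUID.
ACE_TYPES = {0: "ACCESS_ALLOWED", 1: "ACCESS_DENIED",
             5: "ACCESS_ALLOWED_OBJECT", 6: "ACCESS_DENIED_OBJECT"}
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
# Rights that let the holder rewrite the object's security descriptor; an allow-ACE
# granting these to a broad principal is the baseline mistake a reviewer looks for.
CONTROL_BITS = (0x40000, 0x80000, 0x10000000)
BROAD_TRUSTEES = {"Everyone", "Domain Users", "NT AUTHORITY\\Authenticated Users"}  # assumed policy

# The baseline from the sample form above (the GUID entry joined onto one line).
SAMPLE_ENTRIES = [
    "Domain Admins|983551|0|0|NULL|NULL",
    "NT AUTHORITY\\SYSTEM|983551|0|0|NULL|NULL",
    "Account Operators|983551|0|0|NULL|NULL",
    "NT AUTHORITY\\Authenticated Users|131220|0|0|NULL|NULL",
    "NT AUTHORITY\\Authenticated Users|256|5|0|{AB721A55-1E2F-11D0-9819-00AA0040529B}|NULL",
    "NT AUTHORITY\\SELF|131220|0|0|NULL|NULL",
]


@dataclass
class Ace:
    trustee: str
    mask: int
    ace_type: int
    ace_flags: int
    object_type: Optional[str]
    inherited_object_type: Optional[str]

    def rights(self) -> List[str]:
        """Names of the mask bits that are set, lowest bit first."""
        return [name for bit, name in sorted(DS_RIGHTS.items()) if self.mask & bit]

    def to_entry(self) -> str:
        """Serialise back to the Trustee|Mask|... form the adapter expects."""
        return "|".join([self.trustee, str(self.mask), str(self.ace_type),
                         str(self.ace_flags), self.object_type or "NULL",
                         self.inherited_object_type or "NULL"])


def _guid_or_none(field: str, name: str) -> Optional[str]:
    if field == "NULL":
        return None
    if not GUID_RE.match(field):
        raise ValueError(f"{name}: expected NULL or {{GUID}}, got {field!r}")
    return field.upper()


def parse_ace(entry: str) -> Ace:
    """Parse one entry; raise ValueError on anything the documented format does not allow."""
    fields = entry.strip().split("|")
    if len(fields) != 6:
        raise ValueError(f"expected 6 pipe-separated fields, got {len(fields)}: {entry!r}")
    trustee, mask, ace_type, ace_flags, obj_type, inh_type = fields
    if not trustee:
        raise ValueError("empty trustee")
    type_i = int(ace_type, 10)
    if type_i not in ACE_TYPES:
        raise ValueError(f"unknown aceType {type_i}")
    ace = Ace(trustee, int(mask, 10), type_i, int(ace_flags, 10),
              _guid_or_none(obj_type, "objectType"),
              _guid_or_none(inh_type, "InheritedObjectType"))
    if ace.object_type and type_i not in (5, 6):
        raise ValueError("objectType GUID given, but aceType is not an object ACE type")
    if ace.mask & ~sum(DS_RIGHTS):
        raise ValueError(f"mask {ace.mask} has bits outside ADS_RIGHTS_ENUM")
    return ace


def review(entries: List[str]) -> List[str]:
    """One finding per allow-ACE that hands control rights to a broad principal."""
    findings = []
    for ace in map(parse_ace, entries):
        if ace.ace_type in (0, 5) and ace.trustee in BROAD_TRUSTEES:
            granted = [DS_RIGHTS[b] for b in CONTROL_BITS if ace.mask & b]
            if granted:
                findings.append(f"{ace.trustee}: {', '.join(granted)}")
    return findings
```

Calling `review(SAMPLE_ENTRIES)` returns no findings, since 983551 (full control) goes only to administrative groups and SYSTEM, while Authenticated Users and SELF get 131220 (read, list and list-object rights) plus one object-specific control-access right.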

Unsupported Attributes

The following table lists the account attributes that are not supported by Identity Manager:

Schema Name  

Notes  

allowedAttributes 

Operational attribute 

allowedAttributesEffective 

Operational attribute 

allowedChildClasses 

Operational attribute 

allowedChildClassesEffective 

Operational attribute 

bridgeheadServerListBL 

System usage 

canonicalName 

Operational attribute 

controlAccessRights 

String(Octet) 

createTimeStamp 

String(UTC-Time) 

dBCSPwd 

String(Octet) 

directReports 

System usage. Set using the manager attribute of the users that are managed by this user. 

dSASignature 

Object(Replica-Link) 

dSCorePropagationData 

String(UTC-Time) 

fromEntry 

Operational attribute 

frsComputerReferenceBL 

System usage 

fRSMemberReferenceBL 

System usage 

fSMORoleOwner 

System usage 

groupMembershipSAM 

String(Octet) 

instanceType 

System usage 

isCriticalSystemObject 

System usage 

isDeleted 

System usage 

isPrivilegeHolder 

System usage 

lastKnownParent 

System usage 

lmPwdHistory 

String(Octet) 

logonHours 

String(Octet) 

logonWorkstations 

String(Octet) 

masteredBy 

System usage. 

memberOf 

System usage. Use the “groups” attribute. 

modifyTimeStamp 

String(UTC-Time) 

MS-DRM-Identity-Certificate 

String(Octet) 

ms-DS-Cached-Membership 

String(Octet) 

mS-DS-ConsistencyGuid 

String(Octet) 

mS-DS-CreatorSID 

String(Sid) 

ms-DS-Site-Affinity 

String(Octet) 

mSMQDigests 

String(Octet) 

mSMQDigestsMig 

String(Octet) 

mSMQSignCertificates 

String(Octet) 

mSMQSignCertificatesMig 

String(Octet) 

msNPAllowDialin 

Use RAS MPR API to read and update values. 

msNPCallingStation 

Use RAS MPR API to read and update values. 

msNPSavedCallingStationID 

Use RAS MPR API to read and update values. 

msRADIUSCallbackNumber 

Use RAS MPR API to read and update values. 

msRADIUSFramedIPAddress 

Use RAS MPR API to read and update values. 

msRADIUSFramedRoute 

Use RAS MPR API to read and update values. 

msRADIUSServiceType 

Use RAS MPR API to read and update values. 

msRASSavedCallbackNumber 

Use RAS MPR API to read and update values. 

msRASSavedFramedIPAddress 

Use RAS MPR API to read and update values. 

msRASSavedFramedRoute 

Use RAS MPR API to read and update values. 

netbootSCPBL 

System usage 

nonSecurityMemberBL 

System usage 

ntPwdHistory 

System usage 

objectGUID 

String(Octet). The GUID is stored in the Identity Manager user object in the ResourceInfo for the account. 

objectSid 

String(Sid) 

otherWellKnownObjects 

Object(DN-Binary) 

partialAttributeDeletionList 

System usage 

partialAttributeSet 

System usage 

possibleInferiors 

System usage 

proxiedObjectName 

Object(DN-Binary) 

queryPolicyBL 

System usage 

registeredAddress 

String(Octet) 

replPropertyMetaData 

System usage 

replUpToDateVector 

System usage 

repsFrom 

System usage 

repsTo 

System usage 

sDRightsEffective 

Operational attribute 

securityIdentifier 

String(Sid) 

serverReferenceBL 

System usage 

sIDHistory 

String(Sid) 

siteObjectBL 

System usage 

subRefs 

System usage 

subSchemaSubEntry 

System usage 

supplementalCredentials 

System usage 

systemFlags 

System usage 

telexNumber 

String(Octet) 

teletexTerminalIdentifier 

String(Octet) 

terminalServer 

String(Octet) 

thumbnailLogo 

String(Octet) 

tokenGroups 

String(Sid) / Operational attribute 

tokenGroupsGlobalAndUniversal 

String(Sid) 

tokenGroupsNoGCAcceptable 

String(Sid) / Operational attribute 

unicodePwd 

String(Octet). Use userPassword to set the user’s password. 

userCert 

String(Octet) 

userCertificate 

String(Octet) 

userSMIMECertificate 

String(Octet) 

wellKnownObjects 

Object(DN-String) 

x500uniqueIdentifier 

String(Octet) 

Resource Object Management

Identity Manager supports the following Active Directory objects:

Resource Object  

Supported Features  

Attributes Managed  

Group 

Create, update, delete 

cn, samAccountName, description, managedby, member, mail, groupType, authOrig, name 

DNS Domain 

Find 

dc 

Organizational Unit 

Create, delete, find 

ou 

Container 

Create, delete, find 

cn, description 

The attributes that can be managed on resource objects are also generally dictated by the attribute syntaxes. The attributes for these object types are similar to those for user accounts and are supported accordingly.

Identity Template

Windows Active Directory is a hierarchical resource. The identity template provides the default location in the directory tree where the user will be created. The default identity template is

CN=$fullname$,CN=Users,DC=mydomain,DC=com

The default template must be replaced with a valid value.

Sample Forms

This section lists the sample forms provided for the Active Directory resource adapter.

Built-In

Also Available

ADUserForm.xml

Troubleshooting

Use the Identity Manager debug pages to set trace options on the following class:

com.waveset.adapter.ADSIResourceAdapter

In addition, tracing can be enabled on the Gateway service through the Identity Manager debug pages. (InstallDir/idm/debug/Gateway.jsp). This page allows you to specify the level of trace, location of the trace file, and the maximum size of the trace file. This page also allows you to remotely retrieve the gateway trace file and display the version information for the Gateway.

The Gateway service may also be started from the console with debug tracing through various command line switches. Use -h to review the usage for the Gateway service.

Tracing can also be enabled on the following methods to diagnose connection problems: