The syntax (or type) of an attribute usually determines whether the attribute is supported. In general, Waveset supports Boolean, string, and integer syntaxes, and provides limited support for binary string syntax.
This section provides information about supported and unsupported account syntaxes.
The following table lists the Active Directory syntax supported by Waveset:
| AD Syntax | Waveset Syntax | Syntax ID | OM ID | ADS Type |
|---|---|---|---|---|
| Boolean | Boolean | 2.5.5.8 | 1 | ADSTYPE_BOOLEAN |
| Enumeration | String | 2.5.5.9 | 10 | ADSTYPE_INTEGER |
| Integer | Int | 2.5.5.9 | 2 | ADSTYPE_INTEGER |
| DN String | String | 2.5.5.1 | 127 | ADSTYPE_DN_STRING |
| Presentation Address | String | 2.5.5.13 | 127 | ADSTYPE_CASE_IGNORE_STRING |
| IA5 String | String | 2.5.5.5 | 22 | ADSTYPE_PRINTABLE_STRING |
| Printable String | String | 2.5.5.5 | 19 | ADSTYPE_PRINTABLE_STRING |
| Numeric String | String | 2.5.5.6 | 18 | ADSTYPE_NUMERIC_STRING |
| OID String | String | 2.5.5.2 | 6 | ADSTYPE_CASE_IGNORE_STRING |
| Case Ignore String (teletex) | String | 2.5.5.4 | 20 | ADSTYPE_CASE_IGNORE_STRING |
| Unicode String | String | 2.5.5.12 | 64 | ADSTYPE_OCTET_STRING |
| Interval | String | 2.5.5.16 | 65 | ADSTYPE_LARGE_INTEGER |
| LargeInteger | String | 2.5.5.16 | 65 | ADSTYPE_LARGE_INTEGER |
The following table lists the Active Directory syntaxes that are not supported by Waveset:
| Syntax | Syntax ID | OM ID | ADS Type |
|---|---|---|---|
| DN with Unicode string | 2.5.5.14 | 127 | ADSTYPE_DN_WITH_STRING |
| DN with binary | 2.5.5.7 | 127 | ADSTYPE_DN_WITH_BINARY |
| OR-Name | 2.5.5.7 | 127 | ADSTYPE_DN_WITH_BINARY |
| Replica Link | 2.5.5.10 | 127 | ADSTYPE_OCTET_STRING |
| NT Security Descriptor | 2.5.5.15 | 66 | ADSTYPE_NT_SECURITY_DESCRIPTOR |
| Octet String | 2.5.5.10 | 4 | ADSTYPE_OCTET_STRING |
| SID String | 2.5.5.17 | 4 | ADSTYPE_OCTET_STRING |
| UTC Time String | 2.5.5.11 | 23 | ADSTYPE_UTC_TIME |
| Object(Access-Point) | 2.5.5.14 | 127 | n/a |
Waveset supports the jpegPhoto and thumbnailPhoto account attributes.
This section provides information about supported and unsupported account syntaxes for Microsoft Exchange 2007 only.
Waveset supports the following PowerShell syntaxes:
| Syntax | Description |
|---|---|
| String | A Unicode string. |
| Integer | Represented as a String in Exchange 2007. |
| Nullable | An attribute that does not have to contain a value. If used without another type, a String is indicated. |
| Boolean | A standard Boolean value of “True” or “False.” |
| Unlimited | An integer represented as a String, with the string “Unlimited” as a special allowed value. |
| ByteQuantifiedSize | An integer size represented as a String, with or without a size quantifier. Allowed quantifiers: none, B (default), KB, MB, or GB. |
The combination of Unlimited and ByteQuantifiedSize is supported.
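The following added example (not Waveset or Exchange code) parses values of the Unlimited and ByteQuantifiedSize syntaxes described above and uses the result to sanity-check the mailbox quota attributes before they are provisioned. It assumes binary multiples (1 KB = 1024 bytes); the quota ordering rule it applies is the example's own consistency check, not a rule stated on this page.

```python
"""Parse Exchange 2007 'Unlimited' and 'ByteQuantifiedSize' attribute values.

Added example, not Waveset or Exchange code. Syntax rules follow this page:
an integer string, an optional quantifier (none, B, KB, MB, GB; B is the
default) and, where the attribute type allows it, the string "Unlimited".
Binary multiples (1 KB = 1024 bytes) are assumed.
"""
import re

# Quantifier -> multiplier. An empty quantifier means bytes (B is the default).
QUANTIFIERS = {"": 1, "B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}

# Sentinel returned for the string "Unlimited"; compares greater than any size.
UNLIMITED = float("inf")

_SIZE_RE = re.compile(r"^(\d+)\s*([A-Za-z]*)$")


def parse_size(value, allow_unlimited):
    """Return the size in bytes, or UNLIMITED.

    allow_unlimited is True for attributes typed "Unlimited ByteQuantifiedSize"
    (IssueWarningQuota, ProhibitSendQuota, ...) and False for plain
    ByteQuantifiedSize attributes such as RulesQuota.
    """
    text = value.strip()
    if text.casefold() == "unlimited":
        if not allow_unlimited:
            raise ValueError(f"'Unlimited' not allowed for this attribute: {value!r}")
        return UNLIMITED
    m = _SIZE_RE.match(text)
    if not m:
        raise ValueError(f"not a ByteQuantifiedSize: {value!r}")
    number, quantifier = m.group(1), m.group(2).upper()
    if quantifier not in QUANTIFIERS:
        raise ValueError(f"unknown size quantifier {quantifier!r} in {value!r}")
    return int(number) * QUANTIFIERS[quantifier]


QUOTA_ATTRS = ("IssueWarningQuota", "ProhibitSendQuota", "ProhibitSendReceiveQuota")


def check_mailbox_quotas(attrs):
    """Validate quota attributes before they are pushed to Exchange.

    Returns a list of problems (empty when the values are acceptable). The
    ordering rule warning <= prohibit-send <= prohibit-send/receive is this
    example's own consistency check, not a rule stated on this page.
    """
    problems = []
    sizes = {}
    for name in QUOTA_ATTRS:
        try:
            sizes[name] = parse_size(attrs[name], allow_unlimited=True)
        except (KeyError, ValueError) as exc:
            problems.append(f"{name}: {exc}")
    if "RulesQuota" in attrs:
        try:
            rules = parse_size(attrs["RulesQuota"], allow_unlimited=False)
            if rules > 256 * 1024:  # this page: maximum value is 256 KB
                problems.append("RulesQuota: exceeds the 256 KB maximum")
        except ValueError as exc:
            problems.append(f"RulesQuota: {exc}")
    if len(sizes) == len(QUOTA_ATTRS):
        warn, send, send_receive = (sizes[n] for n in QUOTA_ATTRS)
        if not (warn <= send <= send_receive):
            problems.append("quotas must satisfy IssueWarningQuota <= "
                            "ProhibitSendQuota <= ProhibitSendReceiveQuota")
    return problems


# Constructed sample attribute maps, as a Waveset schema map might deliver them.
GOOD_MAILBOX = {
    "IssueWarningQuota": "1900 MB",
    "ProhibitSendQuota": "2GB",
    "ProhibitSendReceiveQuota": "Unlimited",
    "RulesQuota": "64KB",
}
BAD_MAILBOX = {
    "IssueWarningQuota": "3 GB",        # warning above the send limit
    "ProhibitSendQuota": "2 GB",
    "ProhibitSendReceiveQuota": "Unlimited",
    "RulesQuota": "Unlimited",          # RulesQuota is plain ByteQuantifiedSize
}

if __name__ == "__main__":
    print(parse_size("10MB", allow_unlimited=False))   # 10485760
    print(check_mailbox_quotas(GOOD_MAILBOX))           # []
    for problem in check_mailbox_quotas(BAD_MAILBOX):
        print("problem:", problem)
```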
The following table lists the PowerShell syntaxes that are not supported by Waveset:
| Syntax | Description |
|---|---|
| SwitchParameter | Special command-line form of a Boolean value. |
| Encrypted | Password attributes. |
This section provides information about the Active Directory account attributes that are supported and those not supported by Waveset.
The following table lists the account attributes supported by Waveset. Other attributes, such as those for Exchange, might also be supported.
| Schema Name | Attribute Type | Description |
|---|---|---|
| accountExpires | String | The date when the user’s account expires. |
| AccountLocked | Boolean | Whether or not an account is locked out. Cannot be set to true; only the Windows system can set it to true. |
| accountNameHistory | String | The length of time that the account has been active. Read-only. |
| aCSPolicyName | String | String name of an ACS policy that applies to this user. |
| adminCount | String | Indicates that a given object has had its ACLs changed to a more secure value by the system because it was a member of one of the administrative groups (directly or transitively). Set by system. Read-only. |
| adminDescription | String | The description displayed on admin screens. |
| adminDisplayName | String | The name to be displayed on admin screens. |
| altSecurityIdentities | String | Contains mappings for X.509 certificates or external Kerberos user accounts to this user for the purpose of authentication. |
| assistant | String | The distinguished name of a user’s administrative assistant. |
| badPasswordTime | String | The last time the user tried to log on to the account using an incorrect password. |
| badPwdCnt | String | Read-only. Number of login attempts with an incorrect password. The value may only reflect logins that failed at the domain controller being queried. |
| businessCategory | String | Describes the kind of business performed by an organization. |
| c | String | The two-character country code in the address of the user. |
| cn | String | Common Name. This attribute is set from the CN value in the DN. Read-only. |
| co | String | Text-Country (country name). |
| company | String | The user’s company name. |
| codePage | Int | Specifies the code page for the user’s language of choice. |
| countryCode | String | Specifies the country code for the user’s language of choice. |
| Database | String | This attribute is required if the value of RecipientType is UserMailbox. It is not displayed by default. You must add it to manage Exchange 2007 accounts. The full database path, in the format Server\Storage\Database. |
| defaultClassStore | String | The default Class Store for a given user. |
| department | String | Contains the name for the department in which the user works. |
| description | String | Contains the description to display for an object. This value is treated as single-valued by the system. |
| desktopProfile | String | The location of the desktop profile for a user or group of users. |
| destinationIndicator | String | Not used by Active Directory. |
| displayName | String | The name displayed in the address book for a particular user. This is usually the combination of the user’s first name, middle initial, and last name. |
| displayNamePrintable | String | Printable version of the displayName. |
| distinguishedName | String | Cannot be set directly. Read-only. Set the DN on create using the DN template or the accountId account attribute. |
| division | String | The user’s division. |
| dynamicLDAPServer | String | DNS name of the server handling dynamic properties for this account. |
| employeeID | String | The ID of an employee. |
| extensionName | String | The name of a property page used to extend the UI of a directory object. |
| ExternalEmailAddress | String | This attribute is required if the value of RecipientType is MailUser. It is not displayed by default. You must add it to manage Exchange 2007 accounts. An email address that is unique in the Exchange server and in the form User@Domain. |
| facsimileTelephoneNumber | String | Contains the telephone number of the user’s business fax machine. |
| flags | Int | To be used by the object to store bit information. |
| garbageCollPeriod | Int | This attribute is located on the CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,... object. It represents the period in hours between DS garbage collection runs. |
| generationQualifier | String | Indicates a person’s generation; for example, Jr. or II. |
| givenName | String | Contains the given name (first name) of the user. |
| groupPriority | String | Not used. |
| groups | String | Windows security and distribution groups. |
| groupsToIgnore | String | Not used. |
| homeDirectory | String | The user’s home directory. If homeDrive is set and specifies a drive letter, homeDirectory should be a UNC path. The path must be a network UNC path of the form \\server\share\directory. This value can be a null string. The user’s home directory will be created if: |
| homeDrive | String | The drive letter (including the colon) to which the home directory should be mapped (for example, “Z:”). It should be specified only if homeDirectory is a UNC path. |
| homeMDB | String | The distinguished name of the message database (MDB) for this mailbox. It has a format similar to CN=Mailbox Store (SERVERNAME),CN=First Storage Group,CN=InformationStore,CN=SERVERNAME,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=EXCHANGE ORG,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=DOMAIN,DC=YOURCOMPANY,DC=com |
| homeMTA | String | Points to the message transfer agent (MTA) that services this object. It has a format similar to CN=Microsoft MTA,CN=SERVERNAME,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=EXCHANGE ORG,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=DOMAIN,DC=YOURCOMPANY,DC=com |
| homePhone | String | The user’s main home phone number. |
| homePostalAddress | String | A user’s home address. |
| info | String | The user’s comments. This string can be a null string. |
| initials | String | Contains the initials for parts of the user’s full name. |
| internationalISDNNumber | String | Specifies an International ISDN number associated with an object. |
| ipPhone | String | The TCP/IP address for the phone. Used by Telephony. |
| jpegPhoto | Binary | An image of the user. (Requires Windows Server 2003 or higher.) |
| l | String | Contains the locality, such as the town or city, in the user’s address. |
| lastLogon | String | The last time the user logged on at a DC. |
| lastLogonTimestamp | String | The time that the user last logged into the domain. This value is only updated at login if a week has passed since the last update. |
| lastLogoff | String | The last time the user logged off. |
| legacyExchangeDN | String | The distinguished name previously used by Exchange. |
| localeID | Int | This attribute contains a list of locale IDs supported by this application. A locale ID represents a geographic location like France. |
| lockoutTime | String | The number of minutes to wait before resetting the invalid logon count. |
| logonCount | Int | The number of times the user successfully logged on to this account. This property is maintained separately on each domain controller in the domain. |
|  | String | One or more email addresses. |
| mailNickName | String | Exchange nickname. |
| managedObjects | String | Contains the list of objects that are managed by the user. Set by the system. Read-only. |
| manager | String | Directory name of the user’s manager. |
| maxStorage | String | The maximum amount of disk space the user can use. |
| mDBOverHardQuotaLimit | String | The maximum mailbox size, in KB, over which sending and receiving mail is disabled. |
| mDBOverQuotaLimit | String | The mailbox quota overdraft limit, in KB. |
| mDBStorageQuota | String | The message database quota, in KB. |
| mDBUseDefaults | String | Indicates whether the store should use the default quota, rather than the per-mailbox quota. |
| mhsORAddress | String | X.400 address. |
| middleName | String | The user’s middle name. |
| mobile | String | The primary cell phone number. |
| msCOM-PartitionSetLink | String | A link used to associate a COM+ Partition with a COM+ PartitionSet object. Read-only. |
| msCOM-UserLink | String | A link used to associate a COM+ PartitionSet with a User object. Read-only. |
| msCOM-UserPartitionSetLink | String | A link used to associate a User with a COM+ PartitionSet. Read-only. |
| msDS-AllowedToDelegateTo | String | Contains a list of Service Principal Names (SPN). This attribute is used to configure a service to be able to obtain service tickets usable for Constrained Delegation. |
| ms-DS-Approx-Immed-Subordinates | Int | The approximate number of subordinates for this user. Read-only. |
| msDS-Cached-Membership-Time-Stamp | String | Used by the Security Accounts Manager for group expansion during token evaluation. Read-only. |
| mS-DS-ConsistencyChildCount | Int | This attribute is used to check consistency between the directory and another object, database, or application, by comparing a count of child objects. |
| msExchHomeServerName | String | The name of the Exchange server. It has a format similar to /o=EXCHANGEORG/ou=First Administrative Group/cn=Configuration/cn=Servers/cn=SERVERNAME |
| ms-DS-KeyVersionNumber | Int | The Kerberos version number of the current key for this account. This is a constructed attribute. Read-only. |
| ms-DS-Mastered-By | String | Back link for msDS-hasMasterNCs. Read-only. |
| ms-DS-Members-For-Az-Role-BL | String | Back-link from a member application group or user to the Az-Role object or objects linking to it. Read-only. |
| ms-DS-NC-Repl-Cursors | String | A list of past and present replication partners, and how up to date you are with each of them. Read-only. |
| ms-DS-NC-Repl-Inbound-Neighbors | String | Replication partners for this partition. This server obtains replication data from these other servers, which act as sources. Read-only. |
| ms-DS-NC-Repl-Outbound-Neighbors | String | Replication partners for this partition. This server sends replication data to these other servers, which act as destinations. This server will notify these other servers when new data is available. Read-only. |
| ms-DS-Non-Members-BL | String | Back link from a non-member group/user to the Az group or groups linking to it. Read-only. |
| ms-DS-Operations-For-Az-Role-BL | String | Back-link from Az-Operation to the Az-Role object or objects linking to it. Read-only. |
| ms-DS-Operations-For-Az-Task-BL | String | Back-link from Az-Operation to the Az-Task object or objects linking to it. Read-only. |
| ms-DS-Repl-Attribute-Meta-Data | String | A list of metadata for each replicated attribute. Read-only. |
| ms-DS-Repl-Value-Meta-Data | String | A list of metadata for each value of an attribute. Read-only. |
| ms-DS-Tasks-For-Az-Role-BL | String | Back-link from Az-Task to the Az-Role object or objects linking to it. Read-only. |
| ms-DS-Tasks-For-Az-Task-BL | String | Back-link from Az-Task to the Az-Task object or objects linking to it. Read-only. |
| ms-DS-User-Account-Control-Computed | Int | A computed attribute that exposes whether the user’s password has expired and whether the account is locked out. |
| msExchMailboxSecurityDescriptor | String | This attribute determines Exchange Mailbox rights for the user. For more information, see Managing ACL Lists. |
| ms-Exch-Owner-BL | String | The back-link to the owner attribute. Contains a list of owners for an object. Read-only. |
| ms-IIS-FTP-Dir | String | The user home directory relative to the file server share. It is used in conjunction with ms-IIS-FTP-Root to determine the FTP user home directory. |
| ms-IIS-FTP-Root | String | This attribute determines the file server share. It is used in conjunction with ms-IIS-FTP-Dir to determine the FTP user home directory. |
| name | String | The Relative Distinguished Name (RDN) of the user. Cannot be set directly. Read-only. Set the RDN on create using the DN template or the accountId account attribute. Do not use “name” for the left-hand side of the schema map, as it is a reserved attribute name. |
| networkAddress | String | The TCP/IP address for a network segment. |
| nTSecurityDescriptor | String | The NT security descriptor for the schema object. For more information, see Managing ACL Lists. |
| o | String | The name of the company or organization. |
| objectCategory | N/A | An object class name used to group objects of this or derived classes. Set by the system. Read-only. |
| objectClass | N/A | The list of classes from which this class is derived. The value of this attribute should be set using the Object Class resource attribute. Read-only. |
| objectVersion | Int | A version number for the object. |
| operatorCount | Int | The number of operators on the computer. |
| otherFacsimileTelephoneNumber | String | A list of alternate facsimile numbers. |
| otherHomePhone | String | A list of alternate home phone numbers. |
| otherIpPhone | String | The list of alternate TCP/IP addresses for the phone. Used by Telephony. |
| otherLoginWorkstations | String | Non-NT or LAN Manager workstations from which a user can log in. |
| otherMailbox | String | Contains other additional mail addresses in a form such as CCMAIL: JohnDoe. |
| otherMobile | String | Additional mobile phone numbers. |
| otherPager | String | Additional pager numbers. |
| otherTelephone | String | Additional telephone numbers. |
| ou | String | Organizational unit. |
| outOfOfficeEnabled | Boolean | Enables the out-of-office autoreply function. |
| outOfOfficeMessage | String | The text of an out-of-office message. |
| pager | String | Pager number. |
| personalTitle | String | User’s title. |
| PasswordNeverExpires | Boolean | Indicates whether the user’s password will expire. |
| physicalDeliveryOfficeName | String | The office to which deliveries are routed. |
| postalAddress | String | The office location in the user’s place of business. |
| postalCode | String | The postal or zip code for mail delivery. |
| postOfficeBox | String | The P.O. Box number for this object. |
| preferredDeliveryMethod | String | The X.500 preferred way to deliver to the addressee. |
| preferredOU | String | The Organizational Unit to show by default on the user’s desktop. |
| primaryGroupID | Int | If the user is not already a member of the group, then the primaryGroupID must be set in two steps: add the user to the group, then set the primaryGroupID. |
| primaryInternationalISDNNumber | String | The primary ISDN number. |
| primaryTelexNumber | String | The primary telex number. |
| profilePath | String | Specifies a path to the user’s profile. This value can be a null string, a local absolute path, or a UNC path. |
| proxyAddresses | String | A proxy address is the address by which a Microsoft Exchange Server recipient object is recognized in a foreign mail system. Proxy addresses are required for all recipient objects such as custom recipients and distribution lists. |
| pwdLastSet | String | This attribute indicates the last time the user modified the password. This value is stored as a large integer that represents the number of seconds elapsed since 00:00:00, January 1, 1601 (FILETIME). If this value is set to zero and the user account has the password never expires property set to false, then the user must set the password at the next logon. |
| RecipientType | String | Required for all Exchange 2007 account types. The possible values are User, UserMailbox, or MailUser. This attribute is not displayed by default. You must add it to manage Exchange 2007 accounts. |
| revision | Int | The revision level for a security descriptor or other change. Read-only. |
| rid | Int | The relative identifier of an object. Read-only. |
| sAMAccountName | String | Login name. |
| sAMAccountType | Int | This attribute contains information about every account type object. Set by system. Read-only. |
| scriptPath | String | The path for the user’s logon script. The string can be null. |
| seeAlso | String | DNs of related objects. |
| serialNumber | String | User’s serial number. Not used by Active Directory. |
| servicePrincipalName | String | List of distinguished names that are related to an object. |
| showInAddressBook | String | This attribute is used to indicate which MAPI address books an object will appear in. It is normally maintained by the Exchange Recipient Update Service. |
| showInAdvancedViewOnly | Boolean | True if this attribute is to be visible in the Advanced mode of the UI. |
| sn | String | Family or last name. |
| st | String | State or province name. |
| street | String | Street address. |
| Structural-Object-Class | String | Stores a list of classes contained in a class hierarchy, including abstract classes. Read-only. |
| telephoneNumber | String | Primary telephone number. |
| Terminal Services Initial Program | String | The path of the initial program that runs when the user logs on. |
| Terminal Services Initial Program Directory | String | The path of the working directory for the initial program. |
| Terminal Services Inherit Initial Program | Boolean | Indicates whether the client can specify an initial program. true - The client can specify the program. false - The Terminal Services Initial Program value is used, and the client is logged off when exiting that program. |
| Terminal Services Allow Logon | Boolean | false - The user cannot log on. true - The user can log on. |
| Terminal Services Active Session Timeout | Integer | Duration in milliseconds. A value of 0 indicates the connection timer is disabled. |
| Terminal Services Disconnected Session Timeout | Integer | The maximum duration, in milliseconds, that a terminal server retains a disconnected session before the logon is terminated. A value of 0 indicates the disconnection timer is disabled. |
| Terminal Services Idle Timeout | Integer | The maximum idle time, in milliseconds. If there is no keyboard or mouse activity for the specified interval, the user’s session is disconnected or terminated depending on the value specified in Terminal Services End Session On Timeout Or Broken Connection. A value of 0 indicates the idle timer is disabled. |
| Terminal Services Connect Client Drives At Logon | Boolean | Indicates whether the terminal server automatically reestablishes client drive mappings at logon. false - The server does not automatically connect to previously mapped client drives. true - The server automatically connects to previously mapped client drives at logon. |
| Terminal Services Connect Client Printers At Logon | Boolean | Indicates whether the terminal server automatically reestablishes client printer mappings at logon. false - The server does not automatically connect to previously mapped client printers. true - The server automatically connects to previously mapped client printers at logon. |
| Terminal Services Default To Main Client Printer | Boolean | Indicates whether the client printer is the default printer. false - The client printer is not the default printer. true - The client printer is the default printer. |
| Terminal Services End Session On Timeout Or Broken Connection | Boolean | Specifies the action when the connection or idle timers expire, or when a connection is lost due to a connection error. false - The session is disconnected. true - The session is terminated. |
| Terminal Services Allow Reconnect From Originating Client Only | Boolean | Indicates how a disconnected session for this user can be reconnected. false - The user can log on to any client computer to reconnect to a disconnected session. true - The user can reconnect to a disconnected session only by logging on to the client computer used to establish the disconnected session. |
| Terminal Services Callback Settings | Integer | Indicates the configuration for dialup connections in which the terminal server hangs up and then calls back the client to establish the connection. 0 - Callback connections are disabled. 1 - The server prompts the user to enter a phone number and calls the user back at that phone number. 2 - The server automatically calls the user back at the phone number specified by the Terminal Services Callback Phone Number attribute. |
| Terminal Services Callback Phone Number | String | The phone number to use for callback connections. |
| Terminal Services Remote Control Settings | Integer | Indicates whether the user session can be shadowed. Shadowing allows a user to remotely monitor the on-screen operations of another user. 0 - Disable. 1 - Enable input, notify. 2 - Enable input, no notify. 3 - Enable no input, notify. 4 - Enable no input, no notify. |
| Terminal Services User Profile | String | The path of the user’s profile for terminal server logon. |
| Terminal Services Local Home Directory | String | The path of the user’s home directory for terminal server logon. |
| Terminal Services Home Directory Drive | String | A drive name (a drive letter followed by a colon) to which the UNC path specified in the Terminal Services Local Home Directory attribute is mapped. |
| textEncodedORAddress | String | Supports X.400 addresses in a text format. |
| thumbnailPhoto | Binary | An image of the user. |
| title | String | Contains the user’s job title. This property is commonly used to indicate the formal job title, such as Senior Programmer, rather than occupational class, such as programmer. It is not typically used for suffix titles such as Esq. or DDS. |
| userAccountControl | Int | Specifies flags that control password, lockout, disable/enable, script, and home directory behavior for the user. This property also contains a flag that indicates the account type of the object. The flags are defined in LMACCESS.H. |
| userParameters | String | Parameters of the user. Points to a Directory string that is set aside for use by applications. This string can be a null string, or it can have any number of characters before the terminating null character. |
| userPassword | Encrypted | The user’s password in UTF-8 format. This is a write-only attribute. |
| userPrincipalName | String | An Internet-style login name for a user based on the Internet standard RFC 822. The UPN is shorter than the distinguished name and easier to remember. By convention, this should map to the user’s e-mail name. |
| userSharedFolder | String | Specifies a UNC path to the user’s shared documents folder. The path must be a network UNC path of the form \\server\share\directory. This value can be a null string. |
| userSharedFolderOther | String | Specifies a UNC path to the user’s additional shared documents folder. The path must be a network UNC path of the form \\server\share\directory. This value can be a null string. |
| userWorkstations | String | NetBIOS or DNS names of computers the user can log into, separated by commas. |
| usnChanged | String | USN value assigned by the local directory for the latest change, including creation. Read-only. |
| usnCreated | String | USN-Changed value assigned at object creation. |
| USNIntersite | Int | The USN for inter-site replication. |
| uSNLastObjRem | String | Indicates when the last object was removed from a server. Read-only. |
| uSNSource | String | Value of the USN-Changed attribute of the object from the remote directory that replicated the change to the local server. Read-only. |
| WS_PasswordExpired | Boolean | Indicates whether to expire the user’s password. |
| WS_USER_PASSWORD | Encrypted | Contains the user password. See the Usage Notes for more information. |
| wbemPath | String | References to objects in other ADSI namespaces. |
| whenChanged | String | The date when this object was last changed. Read-only. |
| whenCreated | String | The date when this object was created. Read-only. |
| wWWHomePage | String | The user’s primary web page. |
| url | String | A list of alternate web pages. |
| x121Address | String | The X.121 address for an object. |
These attributes are Exchange Server 2007 specific and are ignored if the RecipientType attribute is not set to UserMailbox or MailUser.
| Schema Name | Attribute Type | Description |
|---|---|---|
| AcceptMessagesOnlyFrom | String | A list of users who are allowed to send mail to this user. |
| AcceptMessagesOnlyFromDLMembers | String | A list of distribution groups whose members are allowed to send mail to this user. |
| Alias | String | Alias of the user. |
| AntispamBypassEnabled | Boolean | Specifies whether to skip anti-spam processing on this mailbox. (RecipientType UserMailbox only) |
| CustomAttribute1 through CustomAttribute15 | String | Attributes to store additional information. |
| DeliverToMailboxAndForward | Boolean | Specifies whether messages sent to this mailbox will be forwarded to another address. (RecipientType UserMailbox only) |
| DisplayName | String | The name that will be displayed in Microsoft Outlook. |
| DowngradeHighPriorityMessagesEnabled | Boolean | Prevents the mailbox from sending high priority messages. (RecipientType UserMailbox only) |
| EmailAddress | String | SMTP mail address. Cannot be used with PrimarySmtpAddress. |
| EmailAddresses | String | List of email addresses. Not to be used in conjunction with PrimarySmtpAddress or with EmailAddressPolicyEnabled set to “True”. |
| EmailAddressPolicyEnabled | Boolean | Should be set to “True” by default. Causes a primary email address to be generated for the user and prohibits the use of PrimarySmtpAddress and WindowsEmailAddress. |
| EndDateForRetentionHold | Nullable | The end date for retention hold for messaging records management (MRM). (RecipientType UserMailbox only) |
| ExternalOofOptions | String | Whether to send an Out of Office message to external senders. Values limited to “InternalOnly” or “External”. (RecipientType UserMailbox only) |
| ForwardingAddress | String | Address to forward mail to if DeliverToMailboxAndForward is set to “True”. (RecipientType UserMailbox only) |
| GrantSendOnBehalfTo | String | The distinguished name (DN) of other recipients that can send messages on behalf of this user. |
| HiddenFromAddressListsEnabled | Boolean | Hide the email address from address lists. |
| IssueWarningQuota | Unlimited ByteQuantifiedSize | The mailbox size at which to issue a quota warning. (RecipientType UserMailbox only) |
| Languages | String | List of preference languages for display. (RecipientType UserMailbox only) |
| MaxBlockedSenders | Nullable | The maximum number of senders that can be included in the blocked senders list. |
| MaxReceiveSize | Unlimited ByteQuantifiedSize | The maximum size of messages that this user can receive. |
| MaxSafeSenders | Nullable | The maximum number of senders that can be included in the safe senders list. (RecipientType UserMailbox only) |
| MaxSendSize | Unlimited ByteQuantifiedSize | The maximum size of messages that this user can send. |
| OfflineAddressBook | String | The associated address book. (RecipientType UserMailbox only) |
| PrimarySmtpAddress | String | The address that external users will see when they receive a message from this user. Not to be used in conjunction with EmailAddresses: the EmailAddresses list contains the PrimarySmtpAddress. Cannot be used with EmailAddressPolicyEnabled set to “True”. |
| ProhibitSendQuota | Unlimited ByteQuantifiedSize | The mailbox size at which the user associated with this mailbox can no longer send messages. (RecipientType UserMailbox only) |
| ProhibitSendReceiveQuota | Unlimited ByteQuantifiedSize | The mailbox size at which the user associated with this mailbox can no longer send or receive messages. (RecipientType UserMailbox only) |
| RecipientLimits | Unlimited | The maximum number of recipients per message to which this mailbox can send. |
| RejectMessagesFrom | String | The recipients from whom messages will be rejected. |
| RejectMessagesFromDLMembers | String | Messages from any member of these distribution lists will be rejected. |
| RequireSenderAuthenticationEnabled | Boolean | Senders must be authenticated. |
| RetainDeletedItemsFor | String | Timespan represented in the string form "dd.hh:mm:ss", specifying the length of time to keep deleted items. (RecipientType UserMailbox only) |
| RetainDeletedItemsUntilBackup | Boolean | Retain deleted items until the next backup. (RecipientType UserMailbox only) |
| RetentionHoldEnabled | Boolean | Turn retention hold on or off. (RecipientType UserMailbox only) |
| RulesQuota | ByteQuantifiedSize | The limit for the size of rules for this mailbox. Maximum value is 256 KB. (RecipientType UserMailbox only) |
| SCLDeleteEnabled | Nullable Boolean | Delete messages that meet the SCL delete threshold. (RecipientType UserMailbox only) |
| SCLDeleteThreshold | Nullable | The Spam Confidence Level at which a mail will be deleted; allowed values: 0-9. (RecipientType UserMailbox only) |
| SCLJunkEnabled | Nullable Boolean | Junk messages that meet the SCL junk threshold. (RecipientType UserMailbox only) |
| SCLJunkThreshold | Nullable | The Spam Confidence Level at which a mail will be marked as junk; allowed values: 0-9. (RecipientType UserMailbox only) |
| SCLQuarantineEnabled | Nullable Boolean | Quarantine messages that meet the SCL quarantine threshold. (RecipientType UserMailbox only) |
| SCLQuarantineThreshold | Nullable | The Spam Confidence Level at which a mail will be quarantined; allowed values: 0-9. (RecipientType UserMailbox only) |
| SCLRejectEnabled | Nullable Boolean | Reject messages that meet the SCL reject threshold. (RecipientType UserMailbox only) |
| SCLRejectThreshold | Nullable | The Spam Confidence Level at which a mail will be rejected; allowed values: 0-9. (RecipientType UserMailbox only) |
| SimpleDisplayName | String | An ASCII-only version of the DisplayName. |
| StartDateForRetentionHold | Nullable | The start date for retention hold for MRM. (RecipientType UserMailbox only) |
| UseDatabaseQuotaDefaults | Boolean | Specifies that this mailbox uses the quota attributes specified for the mailbox database where this mailbox resides. (RecipientType UserMailbox only) |
| UseDatabaseRetentionDefaults | Boolean | Specifies that this mailbox uses the MailboxRetention attribute specified for the mailbox database where this mailbox resides. (RecipientType UserMailbox only) |
| UserPrincipalName | String | This is the logon name for the user. The UPN consists of a user name and a suffix. |
The nTSecurityDescriptor and the msExchMailboxSecurityDescriptor attribute values contain ACL lists that you must specify in a special way.
For example, the following shows a user form a company might use to assign a default set of permissions to each user they provision:
```xml
<Field name='attributes[AD].nTSecurityDescriptor' hidden='true'>
  <Expansion>
    <list>
      <s>Domain Admins|983551|0|0|NULL|NULL</s>
      <s>NT AUTHORITY\SYSTEM|983551|0|0|NULL|NULL</s>
      <s>Account Operators|983551|0|0|NULL|NULL</s>
      <s>NT AUTHORITY\Authenticated Users|131220|0|0|NULL|NULL</s>
      <s>NT AUTHORITY\Authenticated Users|256|5|0|{AB721A55-1E2F-11D0-9819-00AA0040529B}|NULL</s>
      <s>NT AUTHORITY\SELF|131220|0|0|NULL|NULL</s>
    </list>
  </Expansion>
</Field>
```
The entries in the nTSecurityDescriptor list are in the following format:
Trustee|Mask|aceType|aceFlags|objectType|InheritedObjectType
Where:
Trustee is the DOMAIN\Account of the user.
Mask is a flag specifying access permissions (read, write, and so on).
aceType is a flag indicating the access-control entry (ACE) types.
ADS_ACETYPE_ACCESS_ALLOWED = 0, ADS_ACETYPE_ACCESS_DENIED = 0x1, ADS_ACETYPE_SYSTEM_AUDIT = 0x2, ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = 0x5, ADS_ACETYPE_ACCESS_DENIED_OBJECT = 0x6, ADS_ACETYPE_SYSTEM_AUDIT_OBJECT = 0x7, ADS_ACETYPE_SYSTEM_ALARM_OBJECT = 0x8
Where:
ADS_ACETYPE_ACCESS_ALLOWED: The ACE is of the standard ACCESS ALLOWED type, where the ObjectType and InheritedObjectType fields are NULL.
ADS_ACETYPE_ACCESS_DENIED: The ACE is of the standard ACCESS DENIED type, where the ObjectType and InheritedObjectType fields are NULL.
ADS_ACETYPE_SYSTEM_AUDIT: The ACE is of the standard SYSTEM AUDIT type, where the ObjectType and InheritedObjectType fields are NULL.
ADS_ACETYPE_ACCESS_ALLOWED_OBJECT: On Windows 2000, the ACE grants access to an object or a subobject of the object, such as a property set or property. ObjectType, InheritedObjectType, or both contain a GUID that identifies a property set, property, extended right, or type of child object.
ADS_ACETYPE_ACCESS_DENIED_OBJECT: On Windows 2000, the ACE denies access to an object or a subobject of the object, such as a property set or property. ObjectType, InheritedObjectType, or both contain a GUID that identifies a property set, property, extended right, or type of child object.
ADS_ACETYPE_SYSTEM_AUDIT_OBJECT: On Windows 2000, the ACE audits access to an object or a subobject of the object, such as a property set or property. ObjectType, InheritedObjectType, or both contain a GUID that identifies a property set, property, extended right, or type of child object.
ADS_ACETYPE_SYSTEM_ALARM_OBJECT: Not used on Windows 2000/XP at this time.
aceFlags is a flag specifying whether other containers or objects can inherit the ACE from the ACL owner.
ADS_ACEFLAG_INHERIT_ACE = 0x2, ADS_ACEFLAG_NO_PROPAGATE_INHERIT_ACE = 0x4, ADS_ACEFLAG_INHERIT_ONLY_ACE = 0x8, ADS_ACEFLAG_INHERITED_ACE = 0x10, ADS_ACEFLAG_VALID_INHERIT_FLAGS = 0x1f, ADS_ACEFLAG_SUCCESSFUL_ACCESS = 0x40, ADS_ACEFLAG_FAILED_ACCESS = 0x80
Where:
ADS_ACEFLAG_INHERIT_ACE: Indicates that child objects will inherit this access-control entry (ACE). The inherited ACE is itself inheritable unless you set the ADS_ACEFLAG_NO_PROPAGATE_INHERIT_ACE flag.
ADS_ACEFLAG_NO_PROPAGATE_INHERIT_ACE: Causes the system to clear the ADS_ACEFLAG_INHERIT_ACE flag for the inherited ACEs of child objects, which prevents the ACE from being inherited by subsequent generations of objects.
ADS_ACEFLAG_INHERIT_ONLY_ACE: Indicates an inherit-only ACE that does not exercise access control on the object to which it is attached. If you do not set this flag, the ACE is an effective ACE that exerts access control on the object to which it is attached.
ADS_ACEFLAG_INHERITED_ACE: Indicates whether the ACE was inherited. The system sets this bit.
ADS_ACEFLAG_VALID_INHERIT_FLAGS: Indicates whether the inherit flags are valid. The system sets this bit.
ADS_ACEFLAG_SUCCESSFUL_ACCESS: Generates audit messages for successful access attempts; used with ACEs that audit the system in a system access-control list (SACL).
ADS_ACEFLAG_FAILED_ACCESS: Generates audit messages for failed access attempts; used with ACEs that audit the system in a SACL.
objectType is a flag indicating the ADSI object type. The objectType value is a GUID to a property or an object, in string format.
The GUID refers to a property when you use the ADS_RIGHT_DS_READ_PROP and ADS_RIGHT_DS_WRITE_PROP access masks.
The GUID specifies an object when you use the ADS_RIGHT_DS_CREATE_CHILD and ADS_RIGHT_DS_DELETE_CHILD access masks.
InheritedObjectType is a flag indicating the child object type of an ADSI object. The InheritedObjectType value is a GUID to an object, in string format. When you set such a GUID, the ACE applies only to the object referred to by the GUID.
The objectType and InheritedObjectType flags specify the GUID of other objects in the form:
{BF9679C0-0DE6-11D0-A285-00AA003049E2}
The object or attribute GUID is wrapped in braces { }. This format is returned during a fetch. Within ADSI there are GUIDs that represent specific attributes for granting access, and also a way to describe an inheritance relationship.
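As an added example (not part of the Waveset documentation or its adapter code), a small Python decoder for entries in the Trustee|Mask|aceType|aceFlags|objectType|InheritedObjectType format above. It uses the ADS_ACETYPE and ADS_ACEFLAG values listed on this page plus the ADS_RIGHTS_ENUM mask bits from Microsoft's ADSI documentation, checks that object ACE types carry a brace-wrapped GUID while standard types carry NULL, and flags allow entries whose mask includes WRITE_DAC or WRITE_OWNER, since those let the trustee rewrite the ACL itself; that is the kind of entry worth reviewing before a form like the one above provisions it to every user.

```python
import re
from typing import Optional

# ADS_RIGHTS_ENUM bit values (Microsoft ADSI); only the bits needed to decode
# the masks used in the form above are listed here.
ADS_RIGHTS = {
    0x1: "DS_CREATE_CHILD", 0x2: "DS_DELETE_CHILD", 0x4: "ACTRL_DS_LIST", 0x8: "DS_SELF",
    0x10: "DS_READ_PROP", 0x20: "DS_WRITE_PROP", 0x40: "DS_DELETE_TREE",
    0x80: "DS_LIST_OBJECT", 0x100: "DS_CONTROL_ACCESS", 0x10000: "DELETE",
    0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER",
}
ACE_TYPES = {0: "ACCESS_ALLOWED", 1: "ACCESS_DENIED", 2: "SYSTEM_AUDIT",
             5: "ACCESS_ALLOWED_OBJECT", 6: "ACCESS_DENIED_OBJECT",
             7: "SYSTEM_AUDIT_OBJECT", 8: "SYSTEM_ALARM_OBJECT"}
ACE_FLAGS = {0x2: "INHERIT_ACE", 0x4: "NO_PROPAGATE_INHERIT_ACE", 0x8: "INHERIT_ONLY_ACE",
             0x10: "INHERITED_ACE", 0x40: "SUCCESSFUL_ACCESS", 0x80: "FAILED_ACCESS"}
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
OBJECT_ACE_TYPES = {5, 6, 7, 8}          # types whose GUID fields are meaningful
WRITE_DAC_OR_OWNER = 0x40000 | 0x80000  # rights that let the trustee rewrite the ACL

def guid_or_none(field: str) -> Optional[str]:
    """'NULL' means no GUID; anything else must be a brace-wrapped GUID string."""
    field = field.strip()
    if field == "NULL":
        return None
    if not GUID_RE.match(field):
        raise ValueError(f"GUID must be wrapped in {{ }}: {field!r}")
    return field

def parse_ace(entry: str) -> dict:
    """Decode one 'Trustee|Mask|aceType|aceFlags|objectType|InheritedObjectType' entry."""
    parts = entry.split("|")
    if len(parts) != 6:
        raise ValueError(f"expected 6 fields, got {len(parts)}: {entry!r}")
    trustee, mask, ace_type, ace_flags = parts[0], int(parts[1]), int(parts[2]), int(parts[3])
    obj, inh = guid_or_none(parts[4]), guid_or_none(parts[5])
    if ace_type not in ACE_TYPES:
        raise ValueError(f"unknown aceType {ace_type}")
    if ace_type in OBJECT_ACE_TYPES and obj is None and inh is None:
        raise ValueError("object ACE type needs objectType or InheritedObjectType")
    if ace_type not in OBJECT_ACE_TYPES and (obj or inh):
        raise ValueError("standard ACE type requires NULL objectType and InheritedObjectType")
    return {
        "trustee": trustee, "type": ACE_TYPES[ace_type],
        "rights": [name for bit, name in ADS_RIGHTS.items() if mask & bit],
        "flags": [name for bit, name in ACE_FLAGS.items() if ace_flags & bit],
        "object_type": obj, "inherited_object_type": inh,
        # an allow ACE carrying WRITE_DAC or WRITE_OWNER lets the trustee change the ACL itself
        "can_rewrite_acl": ace_type in (0, 5) and bool(mask & WRITE_DAC_OR_OWNER),
    }
```

Run over the six entries in the form above, it decodes 983551 as full control (all listed rights, can_rewrite_acl true), 131220 as list/read-property/list-object/read-control, and the 256|5 entry as a DS_CONTROL_ACCESS (extended right) object ACE scoped to its GUID.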
The most reliable way to find the correct string to pass down is as follows:
Add the attribute to your schema, and then add the following field to your user form:
```xml
<Field name='accounts[AD].nTSecurityDescriptor'>
  <Display class='TextArea'>
    <Property name='title' value='NT User Security Descriptor'/>
    <Property name='rows' value='20'/>
    <Property name='columns' value='100'/>
  </Display>
</Field>
```
or
```xml
<Field name='accounts[AD].msExchMailboxSecurityDescriptor'>
  <Display class='TextArea'>
    <Property name='title' value='Mailbox Security Descriptor'/>
    <Property name='rows' value='20'/>
    <Property name='columns' value='100'/>
  </Display>
</Field>
```
Edit a user's object in Active Directory and set the corresponding ACL lists for all users to establish a baseline.
Edit the user in Waveset on the Edit User form.
You should see a text area containing the corresponding values, which have been pulled from the user object in Active Directory.
Using this method will show you which values you must add to the form for the settings you want.
The following table lists the account attributes that are not supported by Waveset:
| Schema Name | Notes |
|---|---|
| allowedAttributes | Operational attribute |
| allowedAttributesEffective | Operational attribute |
| allowedChildClasses | Operational attribute |
| allowedChildClassesEffective | Operational attribute |
| bridgeheadServerListBL | System usage |
| canonicalName | Operational attribute |
| controlAccessRights | String(Octet) |
| createTimeStamp | String(UTC-Time) |
| dBCSPwd | String(Octet) |
| directReports | System usage. Set using the manager attribute of the users that are managed by this user. |
| dSASignature | Object(Replica-Link) |
| dSCorePropagationData | String(UTC-Time) |
| fromEntry | Operational attribute |
| frsComputerReferenceBL | System usage |
| fRSMemberReferenceBL | System usage |
| fSMORoleOwner | System usage |
| groupMembershipSAM | String(Octet) |
| instanceType | System usage |
| isCriticalSystemObject | System usage |
| isDeleted | System usage |
| isPrivilegeHolder | System usage |
| lastKnownParent | System usage |
| lmPwdHistory | String(Octet) |
| logonHours | String(Octet) |
| logonWorkstations | String(Octet) |
| masteredBy | System usage |
| memberOf | System usage. Use the "groups" attribute. |
| modifyTimeStamp | String(UTC-Time) |
| MS-DRM-Identity-Certificate | String(Octet) |
| ms-DS-Cached-Membership | String(Octet) |
| mS-DS-ConsistencyGuid | String(Octet) |
| mS-DS-CreatorSID | String(Sid) |
| ms-DS-Site-Affinity | String(Octet) |
| mSMQDigests | String(Octet) |
| mSMQDigestsMig | String(Octet) |
| mSMQSignCertificates | String(Octet) |
| mSMQSignCertificatesMig | String(Octet) |
| msNPAllowDialin | Use the RAS MPR API to read and update values. |
| msNPCallingStation | Use the RAS MPR API to read and update values. |
| msNPSavedCallingStationID | Use the RAS MPR API to read and update values. |
| msRADIUSCallbackNumber | Use the RAS MPR API to read and update values. |
| msRADIUSFramedIPAddress | Use the RAS MPR API to read and update values. |
| msRADIUSFramedRoute | Use the RAS MPR API to read and update values. |
| msRADIUSServiceType | Use the RAS MPR API to read and update values. |
| msRASSavedCallbackNumber | Use the RAS MPR API to read and update values. |
| msRASSavedFramedIPAddress | Use the RAS MPR API to read and update values. |
| msRASSavedFramedRoute | Use the RAS MPR API to read and update values. |
| netbootSCPBL | System usage |
| nonSecurityMemberBL | System usage |
| ntPwdHistory | System usage |
| objectGUID | String(Octet). The GUID is stored in the Waveset user object in the ResourceInfo for the account. |
| objectSid | String(Sid) |
| otherWellKnownObjects | Object(DN-Binary) |
| partialAttributeDeletionList | System usage |
| partialAttributeSet | System usage |
| possibleInferiors | System usage |
| proxiedObjectName | Object(DN-Binary) |
| queryPolicyBL | System usage |
| registeredAddress | String(Octet) |
| replPropertyMetaData | System usage |
| replUpToDateVector | System usage |
| repsFrom | System usage |
| repsTo | System usage |
| sDRightsEffective | Operational attribute |
| securityIdentifier | String(Sid) |
| serverReferenceBL | System usage |
| sIDHistory | String(Sid) |
| siteObjectBL | System usage |
| subRefs | System usage |
| subSchemaSubEntry | System usage |
| supplementalCredentials | System usage |
| systemFlags | System usage |
| telexNumber | String(Octet) |
| teletexTerminalIdentifier | String(Octet) |
| terminalServer | String(Octet) |
| thumbnailLogo | String(Octet) |
| tokenGroups | String(Sid) / Operational attribute |
| tokenGroupsGlobalAndUniversal | String(Sid) |
| tokenGroupsNoGCAcceptable | String(Sid) / Operational attribute |
| unicodePwd | String(Octet). Use userPassword to set the user's password. |
| userCert | String(Octet) |
| userCertificate | String(Octet) |
| userSMIMECertificate | String(Octet) |
| wellKnownObjects | Object(DN-String) |
| x500uniqueIdentifier | String(Octet) |