Re: Foreign principal for ADAM




Hi

Option Explicit
Dim groupPath, memberPath, objGroup

'ADAM group: host:port of the ADAM instance followed by the group DN
groupPath = "LDAP://localhost:389/CN=Mygrp,OU=Groups,DC=Mydom,DC=com"
'AD user referenced by SID; ADAM creates the FSP when the member is added
memberPath = "LDAP://<SID=S-1-5-21-xxxxxx-yyyyy-zzzz>"

'Add the user to the group
Set objGroup = GetObject(groupPath)
objGroup.Add memberPath


Lee Flight

"wilsrx" <wilsrx@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:738718B4-D39E-4B58-92CA-C9E68A75D092@xxxxxxxxxxxxxxxx
> Could you be more specific on the vbscript code to add an AD domain account
> to a group?
>
> "Lee Flight" wrote:
>
>> Hi
>>
>> that's not so easy to do with ldif if you are using ldifde.
>>
>> ADAM allows you to add group members by specifying the
>> DN (if the object exists in ADAM) or in the form
>>
>> <SID=S-1-5...>
>>
>> If you are using ADSI you can add a domain member to a
>> group using just the string form of the SID above, which will
>> then create the FSP.
>>
>> With the current version of ldifde you will need to Base64 encode
>> the string form of the SID above and use that.
>>
>> So for a domain account
>>
>> S-1-5-21-3481246173-3943819819-2627901438-2109
>>
>> you would need to encode
>>
>> <SID=S-1-5-21-3481246173-3943819819-2627901438-2109>
>>
>> giving
>>
>> PFNJRD1TLTEtNS0yMS0zNDgxMjQ2MTczLTM5NDM4MTk4MTktMjYyNzkwMTQzOC0yMTA5Pj==
>>
>> and the LDF would have
>>
>> member::
>> PFNJRD1TLTEtNS0yMS0zNDgxMjQ2MTczLTM5NDM4MTk4MTktMjYyNzkwMTQzOC0yMTA5Pj==
>>
>>
>> ignore line wraps and note :: after member.
>>
>>
>> Lee Flight
>>
>> <dumchikov@xxxxxxxxx> wrote in message
>> news:1126598630.768244.312050@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>> Thank you Lee for the answer, but I didn't understand how to add a new
>> security principal.
>> As I understood, if I want to assign the Administrator role to a foreign
>> principal I must add a new value to the member attribute of the entry
>> cn=Administrators,cn=Roles,cn=Configuration,cn={GUID}.
>> So the LDIF file will look like
>>
>> dn: cn=Administrators,cn=Roles,cn=Configuration,CN=X
>> changetype: modify
>> add: member
>> member: {value}
>> -
>> What is {value} in my case? It should be the DN of the FSP. But this entry
>> doesn't exist.
>>
>>
>> Lee Flight wrote:
>>
>> > Hi
>> >
>> > in general FSPs are created for you by the system. When
>> > you add a Windows principal to a group the corresponding
>> > FSP is created.
>> >
>> > The problem you are having below (that the system handles
>> > for you) is that you are attempting to specify the objectSID.
>> >
>> > Lee Flight
>> >
>> > <dumchikov@xxxxxxxxx> wrote in message
>> > news:1126513636.779946.276560@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>> > > Hi
>> > >
>> > > When I try to add a new entry to the
>> > > CN=ForeignSecurityPrincipals,CN=Configuration container using the
>> > > ldifde.exe tool I receive the following error message:
>> > >
>> > > Add error on line 2: Unwilling To Perform
>> > >
>> > > The server side error is: 0x20e7 The modification was not permitted for
>> > > security reasons.
>> > >
>> > > The extended server error is:
>> > >
>> > > 000020E7: SvcErr: DSID-03152972, problem 5003 (WILL_NOT_PERFORM), data 8358
>> > >
>> > > The LDIF file is:
>> > > dn: CN=S-1-5-21-3481246173-3943819819-2627901438-2109,CN=ForeignSecurityPrincipals,CN=Configuration,CN=X
>> > > objectClass: foreignSecurityPrincipal
>> > > cn: S-1-5-21-3481246173-3943819819-2627901438-2109
>> > > distinguishedName: CN=S-1-5-21-3481246173-3943819819-2627901438-2109,CN=ForeignSecurityPrincipals,CN=Configuration,CN=X
>> > > instanceType: 4
>> > > name: S-1-5-21-3481246173-3943819819-2627901438-2109
>> > > objectSid:: AQUAAAAAAAUVAAAA3Zl/zyvqEev+l6KcPQgAAA==
>> > > objectCategory: CN=Foreign-Security-Principal,CN=Schema,CN=Configuration,CN=X
>> > >
>> > > What could it be?
>> > >
>> > >
>>
>>
>>


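Worked example, added here and not code from anyone in the thread: it takes the binary objectSid that the original poster put in his LDIF, converts it to the S-1-... string form, wraps it as <SID=...> and emits the base64 `member::` modify that Lee describes for ldifde, folded the way RFC 2849 requires (a continuation line starts with one space, which is what "ignore line wraps" glosses over). The role DN and objectSid value are the ones quoted above; the function names are my own.

```python
import base64
import struct

# Constructed from values quoted in the thread: the objectSid the original poster
# put in his LDIF, and the role DN whose member attribute receives the new value.
OBJECT_SID_B64 = "AQUAAAAAAAUVAAAA3Zl/zyvqEev+l6KcPQgAAA=="
ROLE_DN = "cn=Administrators,cn=Roles,cn=Configuration,CN=X"


def objectsid_to_string(sid_b64: str) -> str:
    """Convert a base64 objectSid (binary SID) to its S-1-... string form."""
    blob = base64.b64decode(sid_b64)
    revision, count = blob[0], blob[1]
    if revision != 1 or len(blob) != 8 + 4 * count:
        raise ValueError("malformed binary SID")
    # 48-bit identifier authority is big-endian; sub-authorities are little-endian DWORDs
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, blob, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def sid_member_value(sid: str) -> str:
    """Base64 of the <SID=...> form ADAM accepts as a member value for a foreign principal."""
    return base64.b64encode(("<SID=%s>" % sid).encode("ascii")).decode("ascii")


def fold_ldif_line(line: str, width: int = 76) -> str:
    """Fold a long LDIF line per RFC 2849: each continuation line starts with one space."""
    parts, rest = [line[:width]], line[width:]
    while rest:
        parts.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(parts)


def add_member_ldif(role_dn: str, sid: str) -> str:
    """LDIF 'modify' that adds the foreign principal to the role; '::' marks base64."""
    return "\n".join([
        "dn: " + role_dn,
        "changetype: modify",
        "add: member",
        fold_ldif_line("member:: " + sid_member_value(sid)),
        "-",
        "",
    ])


if __name__ == "__main__":
    print(add_member_ldif(ROLE_DN, objectsid_to_string(OBJECT_SID_B64)))
```

The value Lee posted ends in Pj== rather than the canonical Pg== that this code emits; a lenient base64 decoder yields the same string from both because only padding bits differ, but the canonical form is the safe one to feed a tool.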


