Re: Oh.... I'm just wondering who's seen this stumper...



It's always been the same problem. A guy running code under an account
gets failure audits for writing to user attributes for which he has both
read and write effective permissions. I can test the account, now with up
to 10 separate products, and successfully write to the same attributes.

He did have "write all properties" for user objects and he claimed he
had no problems. I unchecked samaccountname and upn, removing that
account's write permissions. Now his code fails writing to OTHER
attributes, though he is not even attempting to write those other 2.

Found out that he was deleting the AD user attribute before writing the
new value. Then saw a correlation between which attributes for which
users failed and the fact that the attributes all had NULL values.

So I know he was trying to delete NULL values. When I tested, I didn't
have a method to recreate what he's doing because I really don't know
what it is, so the only way I know how to script clearing a null works
for me.

The problem is why he could delete a null value (if there were any) with
"write all properties" permissions for an attribute, but not be able to
delete it with just read/write permissions. Is there something about
the NULL value that requires extra juice?

I don't know why the dummy wants to delete NOTHING. It's like me trying
to kick him in his A** and he had no A**. I don't want to waste
any more time on him, but I would like to know what the deal with that
is.

This is done in a testing domain that sort of mirrors production. I
know we didn't include all attributes in the sync to the testing
domain, so maybe he's just noticing that it's failing more because in
production those attributes have values, so he doesn't try to delete NULLs
nearly as often.

The code makes a meta-directory authoritative. You make a change in
META, the attribute changes in AD. You make a change to the attribute
in AD, it changes it back to what the META has for the value.
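The two LDIF ways of clearing an attribute behave differently when the attribute is already empty, which is the situation the failure audits above line up with. The following is an added example for ldifde, not code from the original post or from the sync product; it assumes a hypothetical test user `CN=Test User,OU=Staff,DC=example,DC=com` and uses `description` as a stand-in for whichever attribute the meta-directory writes. Per RFC 4511 section 4.6, a `delete` of an attribute that is not present on the entry fails with noSuchAttribute (LDAP result code 16) and the whole modify is rejected, whereas a `replace` with no values removes the attribute if it exists and is ignored if it does not.

```ldif
# Added example: two LDIF change records to be imported one at a time with
#   ldifde -i -f <file> -s <domain controller>
# against a hypothetical test user whose description attribute has no value.

# 1. "Delete the attribute, then write it", as the sync code was found to do.
#    A delete with no listed values removes the whole attribute, but when the
#    attribute is not present the server answers noSuchAttribute (result 16)
#    and rejects the entire modify, so the add that follows never happens.
dn: CN=Test User,OU=Staff,DC=example,DC=com
changetype: modify
delete: description
-
add: description
description: Set by the meta-directory
-

# 2. Same intent using replace. A replace with no values clears the attribute
#    when it has one and is ignored when it does not, and the second replace
#    writes the new value, so this succeeds whether or not the attribute was
#    NULL beforehand. A single replace carrying the value does both at once.
dn: CN=Test User,OU=Staff,DC=example,DC=com
changetype: modify
replace: description
-
replace: description
description: Set by the meta-directory
-
```

Run the two records as separate imports, since ldifde stops at the first failing record. The result code is the check worth making on the client side: a delete of an empty attribute comes back as 16 (noSuchAttribute), while a genuine permissions problem on the attribute comes back as 50 (insufficientAccessRights), so the code the sync product logs tells you which of the two you are looking at.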
Al Mulnick wrote:
Intriguing. I wonder what the original problem was?




"Joe_SMS" <jw_nagy@xxxxxxxxxxx> wrote in message
news:1154130352.549253.76210@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Okay.... something to add. We found out that his code was deleting the
attribute value before writing to it. Some attributes we don't sync
to the testing domain.

Failure audits were coming on attributes that had NULL values in AD.
Instead of running his code, we had him test the process with ldifde,
and then we found out. When we were testing with the account he's
using, we were writing values and deleting existing values with no
problem. Never bothered trying to delete NOTHING.

Question: he claims there wasn't a problem when "write all properties"
was set on the user objects. All that was done differently, permission-
wise, was that samaccountname and upn were "unchecked", which of course
led to "write all properties" being unchecked.

Would something give him the ability to clear a NULL with "write all
properties"? I almost believe him....but he's been wrong too many
times. Who deletes nothing? That's why I see nothing posted out there,
I guess. Hope this narrows it...

Who's got that nugget?




Joe, I appreciate your help immensely. I'm enterprise admin of 40,000
seats. My email address is jnat514@xxxxxxxxxx. I don't want to get into a
thing about your products here with your MS MVP hat on.







Joe Richards [MVP] wrote:
There won't be a requirement to auth with say the UPN as any of the
credential mechanisms will result in the same token, however, if say for
instance the userid is specified with a blank password they would be
authenticated as anonymous.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm


Ace Fekay [MVP] wrote:
In news:eKrq18esGHA.4784@xxxxxxxxxxxxxxxxxxxx,
Joe Richards [MVP] <humorexpress@xxxxxxxxxxx> stated, which I commented
on below:
Oh, to add on, using LDAP to update attributes works in a delegated
manner, I have seen it in hundreds of production forests and thousands
of test forests. If delegating specific attributes to a user and that
user can't write them then they

a. Aren't authenticating properly
b. Aren't using LDAP properly
c. Aren't just updating those attributes or are updating those
attributes incorrectly.

Joe,

I was following this thread and initially I thought to ask how
authentication is written in the script. Now you mentioned A above, I
wonder if it matters, especially in a multi-domain forest, or the fact
that LDAP requires it, to authenticate using the UPN (username@xxxxxxxxxx)
instead of an NTLM method (domain\user)? I think if it were the domain
admin that cached credentials are used, but any other account would
require specific authentication? Am I off base?
