Re: Unique User Account Across Forest
- From: "Richard Mueller" <rlmueller-NOSPAM@xxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 18 Dec 2006 13:04:50 -0600
Stan wrote:
We have a large forest with 3 regional domains connected to an ADROOT
domain, with AD user administration delegated to regional offices.
Each office (approx 30+) can create user accounts and manage groups, etc.
Typically userPrincipalName and sAMAccountName are the same.
I know with an AD domain a user has to have a unique sAMAccountName and
within a forest userPrincipalName@DomainName makes the UPN unique.
My questions are:
1) We have a global application which requires a unique sAMAccountName
across the forest. Is there any way I can configure AD to have unique
sAMAccountName across the forest, i.e. all child domains?
2) If (1) is not possible are there any tools available in the open market
which provide this feature?
3) Has anyone developed any tools or scripts to find duplicate sAMAccountName
accounts across a forest?
4) In AD we can add a UPN suffix, so if we had a user in domain
FredBlogs@xxxxxxxxxxxxxxx we can add a UPN suffix so the user could login as
FredBlogs@xxxxxxx. Can someone confirm how this would work if we had
duplicate names such as FredBlogs@xxxxxxxxxxxxxxx and FredBlogs@xxxxxxxxxxx
and FredBlogs@.ccc.com? There must be a way to direct correct names to
domains.
You can use ADO in a VBScript program to search the Global Catalog, which
has selected attributes (including sAMAccountName) on all objects in the
forest. For example:
=============
' Option Explicit must be the first statement in the script.
Option Explicit
Dim adoCommand, adoConnection, strBase, strFilter, strAttributes
Dim strQuery, adoRecordset
Dim objRootDSE, strDNSDomain, strNTName, strDN
' Specify value for sAMAccountName.
strNTName = "JUser"
' Setup ADO objects.
Set adoCommand = CreateObject("ADODB.Command")
Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Open "Active Directory Provider"
adoCommand.ActiveConnection = adoConnection
' Determine the DN of the forest root domain from RootDSE. A subtree
' search of the GC from here covers every domain in the root domain's
' tree; a domain in a second tree has its own root DN and needs a
' separate query (defaultNamingContext would only cover the local domain).
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("rootDomainNamingContext")
' Use GC to search the forest.
strBase = "<GC://" & strDNSDomain & ">"
' Filter objects with specified sAMAccountName.
strFilter = "(sAMAccountName=" & strNTName & ")"
' Comma delimited list of attribute values to retrieve.
strAttributes = "distinguishedName"
' Construct the LDAP syntax query.
strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
adoCommand.CommandText = strQuery
adoCommand.Properties("Page Size") = 100
adoCommand.Properties("Timeout") = 30
adoCommand.Properties("Cache Results") = False
' Run the query.
Set adoRecordset = adoCommand.Execute
' Enumerate the resulting recordset.
Do Until adoRecordset.EOF
    ' Retrieve values and display. More than one hit means the
    ' sAMAccountName exists in more than one domain of the forest.
    strDN = adoRecordset.Fields("distinguishedName").Value
    Wscript.Echo "Object found: " & strDN
    ' Move to the next record in the recordset.
    adoRecordset.MoveNext
Loop
Wscript.Echo "Done"
adoRecordset.Close
adoConnection.Close
=============
You probably can also use Joe Richards' free ADFind utility. I believe it
has a GC switch.
http://www.joeware.net/win/free/tools/adfind.htm
--
Richard
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
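For Stan's question 3 (finding every duplicated sAMAccountName rather than checking one name), here is an added PowerShell example that is not part of Richard's reply or of the ADFind tool. It uses the same Global Catalog approach through System.DirectoryServices, so it needs no RSAT module, only a domain-joined host and an account that can read the GC. It assumes sAMAccountName is still in the GC partial attribute set (the default) and issues one GC search per tree root so that domains in other trees of the forest are included, which a single search from the forest root DN would miss.

```powershell
# Added example, not from the original post: report sAMAccountNames that
# exist in more than one domain of the forest, read from the Global Catalog.
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

# sAMAccountName (lower-cased) -> list of distinguishedNames that carry it.
$seen = @{}

# A subtree search from a tree-root DN in the GC already covers its child
# domains, so only tree roots (domains with no parent) are searched. This
# avoids counting a child-domain account twice and still reaches every tree.
$treeRoots = $forest.Domains | Where-Object { $null -eq $_.Parent }

foreach ($domain in $treeRoots) {
    $domainDN = $domain.GetDirectoryEntry().Properties["distinguishedName"].Value
    $root = New-Object System.DirectoryServices.DirectoryEntry("GC://$domainDN")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    # User accounts only; computers and contacts are excluded by this filter.
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user))"
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
    $searcher.PageSize = 1000   # paged results, otherwise the server caps at 1000 hits
    [void]$searcher.PropertiesToLoad.Add("sAMAccountName")
    [void]$searcher.PropertiesToLoad.Add("distinguishedName")

    foreach ($result in $searcher.FindAll()) {
        $name = [string]$result.Properties["sAMAccountName"][0]
        if (-not $name) { continue }
        # sAMAccountName comparison is case-insensitive in AD.
        $key = $name.ToLowerInvariant()
        if (-not $seen.ContainsKey($key)) {
            $seen[$key] = New-Object System.Collections.ArrayList
        }
        [void]$seen[$key].Add([string]$result.Properties["distinguishedName"][0])
    }
}

$duplicates = @($seen.GetEnumerator() | Where-Object { $_.Value.Count -gt 1 } | Sort-Object Name)
foreach ($dup in $duplicates) {
    Write-Output ("{0} ({1} accounts)" -f $dup.Name, $dup.Value.Count)
    foreach ($dn in $dup.Value) { Write-Output "    $dn" }
}
Write-Output ("Checked {0} distinct names; {1} are duplicated across the forest." -f $seen.Count, $duplicates.Count)
```

Run it from any domain-joined workstation; the output lists each duplicated name with the distinguishedName of every account that uses it, which is the list an application owner needs before that global application is rolled out. Note that this only detects existing duplicates: AD enforces sAMAccountName uniqueness per domain, not per forest, so preventing new ones means a naming convention (for example a regional prefix) or a provisioning process that runs this kind of GC check before creating the account.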