Re: Add Windows User to ADAM Role using LDIFDE.exe

Hi

Unfortunately the <SID=....> syntax only works with base64 encoding;
the #member line in Dmitri's post indicates a comment. More here:

http://groups.google.com/group/microsoft.public.windows.server.active_directory/msg/fb2e9d9e691d646c

Note that if you have been testing this against your ADAM instance and
already imported the Windows user, the foreignSecurityPrincipal will have
already been created in your ADAM instance, and that will cause a violation
when you try the ldf import even using the correct encoding. For a clean test
delete any matching FSP; the ldf import will create it for you as you say.

Lee Flight


"Jeremy Wiebe" <jeremy.wiebe@xxxxxxxxx> wrote in message
news:1169228507.640926.157200@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
I'm trying to add a Windows user to an ADAM role by creating an LDIF
file and importing it into ADAM using ldifde.exe. I found this post
which seems to be exactly what I need, but I can't get it to work
(http://groups.google.ca/group/microsoft.public.windows.server.active_directory/browse_frm/thread/d670e854e40cec46?tvc=1).

Here's my LDIF file:
dn: CN=Readers,CN=Roles,CN=MyApp,DC=MyCompany,DC=COM
changetype: modify
add: member
# member: <SID=S-1-5-21-1644491937-113007714-1957994488-1007>
-

I got the SID by manually adding a Windows user to a role using
ADAM-AdsiEdit and then exporting that role using ldifde.exe.

The error I'm getting is:
===
There is a syntax error in the input file

Failed on line 5. The last token starts with 'm'.

An error has occurred in the program
===

In the post I mentioned above Dmitri's (last poster) LDIF specifies the
SID using both the <SID=XYZ> and base64 encoded method. Is that
required? (If it is, I couldn't get that working either).

So, am I missing something obvious here or does LDIFDE.exe actually not
support this?

Also, I'm under the impression that LDIFDE.exe (or probably ADAM) will
automatically create a ForeignSecurityPrincipal for me, if needed, when
I add the user to the role.
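An added illustration of Lee Flight's point (example code written for this page, not from either poster): the value <SID=...> begins with '<', which LDIF (RFC 2849) does not permit as the first character of a plain "attr: value", so ldifde needs the base64 "member::" form, and a line starting with '#' is only a comment. The script builds the modify record for the role DN and SID quoted in the thread; the RFC 2849 line folding and the SID pattern check are assumptions of this example, not something the thread states.

```python
import base64
import re

# Role DN and SID are the ones quoted in the thread above
ROLE_DN = "CN=Readers,CN=Roles,CN=MyApp,DC=MyCompany,DC=COM"
WINDOWS_SID = "S-1-5-21-1644491937-113007714-1957994488-1007"

# Assumed shape of a textual SID: S-1-<authority>-<1..15 sub-authorities>
SID_RE = re.compile(r"^S-1-\d+(?:-\d+){1,15}$")


def plain_value_ok(value: str) -> bool:
    """True if RFC 2849 allows 'attr: value' (single colon) for this value.

    A plain value may not start with space, ':' or '<', and may not contain
    NUL, CR, LF or non-ASCII bytes; anything else must use 'attr:: base64'.
    """
    if not value or value[0] in " :<":
        return False
    return all(0 < ord(ch) < 128 and ch not in "\r\n" for ch in value)


def ldif_attr(attr: str, value: str) -> str:
    """Emit one LDIF attribute line, base64-encoding the value when required."""
    if plain_value_ok(value):
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def fold(line: str, width: int = 76) -> str:
    """Fold a long line; RFC 2849 continuation lines begin with one space."""
    out, rest = [line[:width]], line[width:]
    while rest:
        out.append(" " + rest[: width - 1])
        rest = rest[width - 1:]
    return "\n".join(out)


def build_add_member_ldif(role_dn: str, sids) -> str:
    """LDIF 'modify' record adding Windows SIDs to an ADAM role's member list.

    '<SID=...>' starts with '<', so ldif_attr always base64-encodes it; the
    rejected 'member: <SID=...>' form (with or without '#') is never emitted.
    """
    lines = [f"dn: {role_dn}", "changetype: modify", "add: member"]
    for sid in sids:
        if not SID_RE.match(sid):
            raise ValueError(f"not a well-formed SID string: {sid!r}")
        lines.append(ldif_attr("member", f"<SID={sid}>"))
    lines.append("-")
    return "\n".join(fold(line) for line in lines) + "\n"


if __name__ == "__main__":
    print(build_add_member_ldif(ROLE_DN, [WINDOWS_SID]), end="")
```

Redirect the output to a .ldf file and import it with ldifde.exe; as noted in the reply, delete any pre-existing matching foreignSecurityPrincipal first so the import can create it.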
