SAM logic attributes
Posted by Kirill Kovalenko on March 5th, 2004


Hello,

We are aware of the fact that some SAM-owned attributes cannot be present in
the attribute list of an entry being added with the help of the LDAP add
operation. How can we obtain the whole list of attributes whose presence
will cause an AD server error on an add operation? It looks like the article
Q276382 gives an incomplete list of them. So far, we compose our own list of
such attributes based on information we found on the Web and on an
investigation of the ldifde.exe tool.

objectGUID,
objectSID,
dBCSPwd,
ntPwdHistory,
lmPwdHistory,
badPasswordTime,
badPwdCount,
lastLogon,
lastLogoff,
logonCount,
pwdLastSet,
rid,
sAMAccountType,
supplementalCredentials,
isCriticalSystemObject,
domainReplica,
creationTime,
modifiedCount,
modifiedCountAtLastPromotion,
nextRid,
serverState,
uASCompat,
revision,
primaryGroupID,
memberOf

Is it an exhaustive and correct list? For example, as we noticed, the ldifde
tool with the -m option removes the last two attributes (primaryGroupID, memberOf)
from user entries, but we wonder whether it is correct behaviour that a user
loses its group membership via an export/import operation?

Or is there a way to obtain such attributes from server schema or perhaps
some registry key? And if this list exists only as "well known SAM
attributes" does it mean that future implementations of AD won't alter it
with new attribute types?

Sincerely yours,

Kirill Kovalenko
LDAP Administrator Team
http://www.ldapadministrator.com
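As an added example (not code from the original thread, nor from the LDAP Administrator product or from ldifde), here is a small Python filter that does for an LDIF file what Kirill observes ldifde -m doing: it drops the attributes from the list above before the entries are handed to an LDAP add, and reports per entry which attributes were removed, so an operator can see which values (group membership via primaryGroupID and memberOf, for instance) the import will silently lose. The blocked-attribute list is taken verbatim from the post; the sample LDIF entry, its DN and all its values are constructed for the example.

```python
"""Strip SAM-owned attributes from LDIF entries before an LDAP add.

Added example; the attribute list is the one compiled in the post above,
the filtering behaviour mirrors what the post describes for `ldifde -m`,
and the sample LDIF below is constructed (not exported from a real domain).
"""
import base64

# Attributes the post lists as ones whose presence makes an add fail.
# Stored lower-cased because LDAP attribute names are case-insensitive
# (an export may spell the SID attribute "objectSid", the post "objectSID").
SAM_OWNED_ATTRIBUTES = {a.lower() for a in [
    "objectGUID", "objectSID", "dBCSPwd", "ntPwdHistory", "lmPwdHistory",
    "badPasswordTime", "badPwdCount", "lastLogon", "lastLogoff", "logonCount",
    "pwdLastSet", "rid", "sAMAccountType", "supplementalCredentials",
    "isCriticalSystemObject", "domainReplica", "creationTime",
    "modifiedCount", "modifiedCountAtLastPromotion", "nextRid", "serverState",
    "uASCompat", "revision", "primaryGroupID", "memberOf",
]}


def unfold_ldif(text):
    """Split LDIF text into entries (separated by blank lines) and join
    continuation lines: a line starting with a single space continues the
    previous line, and that leading space is dropped (RFC 2849)."""
    entries, current = [], []
    for raw in text.splitlines():
        if raw.startswith("#"):          # LDIF comment line
            continue
        if raw == "":                    # blank line ends an entry
            if current:
                entries.append(current)
                current = []
            continue
        if raw.startswith(" ") and current:
            current[-1] += raw[1:]
        else:
            current.append(raw)
    if current:
        entries.append(current)
    return entries


def split_attr(line):
    """Return (name, value, is_base64) for 'name: value' or 'name:: b64'."""
    name, _, rest = line.partition(":")
    if rest.startswith(":"):
        return name.strip(), rest[1:].strip(), True
    return name.strip(), rest.strip(), False


def strip_sam_attributes(entry, blocked=SAM_OWNED_ATTRIBUTES):
    """Return (kept_lines, removed_attribute_names) for one unfolded entry."""
    kept, removed = [], []
    for line in entry:
        name, _, _ = split_attr(line)
        if name.lower() in blocked:
            removed.append(name)
        else:
            kept.append(line)
    return kept, removed


def filter_ldif(text):
    """Filter a whole LDIF document.

    Returns (filtered_text, report): the LDIF with SAM-owned attributes
    removed, and a dict mapping each entry's DN to the names that were
    dropped, so the caller can audit what the import will not carry over.
    Output lines are left unfolded, which RFC 2849 permits.
    """
    blocks, report = [], {}
    for entry in unfold_ldif(text):
        kept, removed = strip_sam_attributes(entry)
        dn_line = next((l for l in entry if l.lower().startswith("dn:")), "dn:")
        _, value, is_b64 = split_attr(dn_line)
        dn = base64.b64decode(value).decode("utf-8") if is_b64 else value
        report[dn] = removed
        blocks.append("\n".join(kept))
    return "\n\n".join(blocks) + "\n", report


# Constructed sample: a user export carrying several attributes the post
# says SAM will reject, plus a folded (two-line) description value.
SAMPLE_LDIF = """\
dn: CN=Jane Doe,OU=Users,DC=example,DC=com
changetype: add
objectClass: user
cn: Jane Doe
sAMAccountName: jdoe
objectGUID:: AAAAAAAAAAAAAAAAAAAAAA==
objectSid:: AQUAAAAAAAUVAAAAAAAAAAAAAAAAAAAAUQQAAA==
primaryGroupID: 513
memberOf: CN=Staff,OU=Groups,DC=example,DC=com
description: long description continued
  on the next LDIF line
pwdLastSet: 0
"""

if __name__ == "__main__":
    filtered, dropped = filter_ldif(SAMPLE_LDIF)
    print(filtered)
    for dn, names in dropped.items():
        print(f"{dn}: dropped {', '.join(names) or 'nothing'}")
```

Running the block prints the cleaned entry (cn, sAMAccountName, the re-joined description and so on) followed by a line listing the five attributes that were removed for that DN. The report is the part worth keeping: the import now succeeds, but, exactly as the question points out, nothing in it re-creates the group membership that primaryGroupID and memberOf expressed, so that has to be restored separately and the report tells you for which accounts.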

Posted by Richard Mueller [MVP] on March 5th, 2004


Hi,

I think there are different reasons why various attributes cannot be
modified with ldifde. Some attributes are protected by the system, such as
objectGUID and objectSID. They are essentially read-only. Others are only
set by the System, like lastLogon and badPwdCount. Even an administrator
cannot assign a value, but the system can. Others in your list can be
modified. For example primaryGroupID and memberOf can be modified, just not
with ldifde. Some, like pwdLastSet, can be assigned some values (0 and -1 in
this case), but not others. Some, like distinguishedName, cannot be set
directly, but are modified when you move or rename the object.

If you use ADSI Edit and attempt to modify badPwdCount for a user, you get
the message "Access to the attribute is not permitted because the attribute
is owned by the SAM". Same with objectSID. However, when I attempt to modify
objectGUID the message is "The attribute cannot be modified because it is
owned by the system". If you attempt to modify pwdLastSet, the message is
"The attribute syntax specified by the directory service is invalid". I was
able to assign a value to "revision".

I doubt there is any property of the attribute that will tell you if ldifde
can modify it. You almost have to try. However, if you experiment with ADSI
Edit you can see which attributes raise the "owned by SAM" error. I don't
know what it really means, so I don't know how else to tell.

--
Richard
Microsoft MVP Scripting and ADSI
HilltopLab web site - http://www.rlmueller.net
--
"Kirill Kovalenko" <kirill@softerra.com> wrote in message
news:b3f80464.0403050217.5ce09f4e@posting.google.com...