Do you mean the memberof attribute? 

I have seen quite a few backlinks included in the property sets. I figured
it was for read access because, as you note, you obviously can't write the
info. Ditto for constructed attributes like tokenGroups, etc. At least in
that case, both linked attributes are in the same property set; there are
incidents of the linked attributes in two different property sets. One I
just ran into is publicDelegate and publicDelegateBL. One is in personal
info and the other is in public info.

F:\temp>adfind -schema -f ldapdisplayname=publicdelegate* attributesecurityguid

AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

Using server: 2k3dc01.joe.com
Directory: Windows Server 2003
Base DN: CN=Schema,CN=Configuration,DC=joe,DC=com

dn:CN=ms-Exch-Public-Delegates,CN=Schema,CN=Configuration,DC=joe,DC=com
>attributeSecurityGUID: {77B5B886-944A-11D1-AEBD-0000F80367C1}

dn:CN=ms-Exch-Public-Delegates-BL,CN=Schema,CN=Configuration,DC=joe,DC=com
>attributeSecurityGUID: {E48D0154-BCF8-11D1-8702-00C04FB96050}


2 Objects returned


F:\temp>adfind -config -rb cn=extended-rights -f rightsguid=77B5B886-944A-11D1-AEBD-0000F80367C1 displayname

AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

Using server: 2k3dc01.joe.com
Directory: Windows Server 2003
Base DN: cn=extended-rights,CN=Configuration,DC=joe,DC=com

dn:CN=Personal-Information,CN=Extended-Rights,CN=Configuration,DC=joe,DC=com
>displayName: Personal Information


1 Objects returned

F:\temp>adfind -config -rb cn=extended-rights -f rightsguid=E48D0154-BCF8-11D1-8702-00C04FB96050 displayname

AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

Using server: 2k3dc01.joe.com
Directory: Windows Server 2003
Base DN: cn=extended-rights,CN=Configuration,DC=joe,DC=com

dn:CN=Public-Information,CN=Extended-Rights,CN=Configuration,DC=joe,DC=com
>displayName: Public Information


1 Objects returned




-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Sakari Kouti
Sent: Thursday, May 12, 2005 10:59 AM
To: [email protected]
Subject: RE: [ActiveDir] [OnTopic] Active Directory Property Set Madness

joe wrote:
> Another mistake with the property sets in the base OEM setup is the 
> property set called Phone and Mail Options
> (E45795B2-9455-11d1-AEBD-0000F80367C1) - no attributes in this 
> property set at all... Must not have any phone or mail attributes in 
> AD.

I actually reported this to Microsoft five years ago, along with another
bug, where Group Membership property set contained the membership property.
However, checking this permission didn't affect anything, because membership
is a property of a group object and this property set was attached to user
object.

They fixed Group Membership for WS2003, but for "Phone and Mail Options" the
reply was that it will be used once the Exchange folks start to use it (so
it was a placeholder). However, even Ex2003 doesn't use it, so it seems that
this placeholder was not needed, after all.

If someone actually wants to read on, here are three samples of the prop set
peculiarities:

- givenName and sn are part of "Public Information" but initials is part of
"Personal Information".

- displayName is part of "General Information" but cn is part of "Public
Information". Quite confusing to an administrator.

- Country/region is stored in three attributes (c, co, and countryCode).
These three all belong to different property sets (Personal Information,
Public Information, and General Information).

So, some wishes about prop sets:

- There were different prop sets for "internal" attributes and the ones
visible in ADUC.

- Exchange would not mess with the built-in prop sets, but would add its own,
which would use an Ex prefix.

- The prop set would at least somewhat correspond to the tabs in ADUC.

Yours, Sakari

PS. I acknowledge that those wishes may also have some drawbacks, such as that
if Exchange added its own prop sets, the existing accounts would need new ACEs.

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
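
Added example (not part of the original messages and not AdFind's own code): it parses output in the format shown in the reply above, resolves each attributeSecurityGUID to its property set through rightsGuid, and lists linked-attribute pairs whose two halves fall in different property sets. It assumes the queries also return linkID and rightsGuid; the linkID values in the sample are constructed placeholders.

```python
# Constructed sample in the thread's adfind format; linkID values are made-up placeholders.
SCHEMA_OUT = """\
dn:CN=ms-Exch-Public-Delegates,CN=Schema,CN=Configuration,DC=joe,DC=com
>linkID: 1000
>attributeSecurityGUID: {77B5B886-944A-11D1-AEBD-0000F80367C1}
dn:CN=ms-Exch-Public-Delegates-BL,CN=Schema,CN=Configuration,DC=joe,DC=com
>linkID: 1001
>attributeSecurityGUID: {E48D0154-BCF8-11D1-8702-00C04FB96050}
"""
RIGHTS_OUT = """\
dn:CN=Personal-Information,CN=Extended-Rights,CN=Configuration,DC=joe,DC=com
>rightsGuid: 77b5b886-944a-11d1-aebd-0000f80367c1
>displayName: Personal Information
dn:CN=Public-Information,CN=Extended-Rights,CN=Configuration,DC=joe,DC=com
>rightsGuid: e48d0154-bcf8-11d1-8702-00c04fb96050
>displayName: Public Information
"""

def parse_adfind(text):
    """Parse adfind 'dn:' / '>attr: value' lines into one dict per object."""
    records = []
    for line in text.splitlines():
        if line.startswith("dn:"):
            records.append({"cn": line[3:].split(",", 1)[0].split("=", 1)[1]})
        elif line.startswith(">") and records:
            attr, _, value = line[1:].partition(":")
            records[-1][attr.strip().lower()] = value.strip()
    return records

def norm_guid(g):
    return g.strip(" {}").lower()  # schema value has braces, rightsGuid does not

def split_link_pairs(schema_out, rights_out):
    """List link pairs whose forward and back link are in different property sets."""
    sets = {norm_guid(r["rightsguid"]): r["displayname"] for r in parse_adfind(rights_out)}
    by_link = {}
    for a in parse_adfind(schema_out):
        if "linkid" in a:
            pset = sets.get(norm_guid(a.get("attributesecurityguid", "")))
            by_link[int(a["linkid"])] = (a["cn"], pset)
    found = []
    for link_id, (name, pset) in sorted(by_link.items()):
        # A forward link has an even linkID; its back link has linkID + 1.
        back = by_link.get(link_id + 1)
        if link_id % 2 == 0 and back and back[1] != pset:
            found.append((name, back[0], pset, back[1]))
    return found

if __name__ == "__main__":
    print(split_link_pairs(SCHEMA_OUT, RIGHTS_OUT))
```

A pair reported here means a single property-set ACE grants access to only one half of the link, which is worth knowing when auditing delegated read access.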