Re: [ActiveDir] MS Schema GUIDS different from my Forest to MSDN

Tue, 15 Aug 2006 15:05:06 -0700

MS Schema GUIDS different from my Forest to MSDNobjectGUID and schemaIDGUID are not the same thing. objectGUID will always be randomly generated when an object is created and will differ between different forests for schema. schemaIDGUID can and usually is (at least for schema from MS) set when the object is created, so those tend to be the same between all installations*. 

Did you look at the schemaIDGUID attribute to compare there?

Joe K.
* If schemaIDGUID isn't specified at create time, AD and ADAM will happily create a random one for you. It is generally considered to be a best practice to specify the schemaIDGUID though so that it can be published as a static value. Letting the directory create it for you is generally considered "hackish". ----- Original Message ----- From: Bernier, Brandon (.) 
To: ActiveDir@mail.activedir.org
Sent: Tuesday, August 15, 2006 4:26 PM
Subject: [ActiveDir] MS Schema GUIDS different from my Forest to MSDN
Answer to my question below: I'm missing an ACE for ms-DS-Az-Admin-Manager. but what's interesting is that I'm using the Schema GUID from MSDN and for some reason that different from what I have in production (verified using ADFind to dump all the Classes ObjectGUID in the Schema). I asked someone who implemented the Schema here why and they said they ran across the same issue and it was told it wasn't a big deal...I disagree, since if that was the case my code would be working and this note wouldn't exist. Anyone seen this before? 
-Brandon



_____________________________________________
From:   Bernier, Brandon (.)
Sent:   Tuesday, August 15, 2006 1:24 PM
To:     'ActiveDir@mail.activedir.org'
Subject: ADSIEdit unable to enumerate list of objects that a group can create
OK..I'm probably doing something silly here but I need more insight on how ADSIEdit enumerates what object types you can create.. The scenario is I have 1 OU and in that OU I have a Group that I've ACL'd to create/delete ms-DS-Az-Admin-Manager objects and mod some attributes on it in that OU . So I bind up as a User in this Group using ADSIEdit and try to create a instance of this object, well that list is empty..so I can't create jack. What am I missing? I'll write a quick little VBScript to test that out, but in the meantime what gives? Thanks! 
-Brandon


List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx

Reply via email to