Exchange schema are a tumor inside Active Directory

“Microsoft email software is to the global communications industry and the general public as the Boston Strangler is to the woman alone.”
— Jack Valenti, MPAA

OK, it’s pretty clear that rooms, in the real world, have locations. Many of them have room numbers, and some of them have phone numbers. And a very very few of them have email addresses.

So naturally, Microsoft’s Active Directory treats email attributes as the defining characteristics of a room. After all, anything to do with email invokes the dreaded Exchange Shadow LDAP schema. And while your rooms almost certainly don’t have email addresses, somebody somewhere does!

The “room” objectclass is part of the old COSINE schema, a true international cross-platform multi-vendor Internet standard at least as early as 1991 (currently enshrined in RFC4524). So you’d expect to be able to do a simple LDAP search on (objectClass=room) in any directory in the world… and you can, except in AD.

In Active Directory you search for (msExchResourceMetaData=ResourceType:Room). Yeah, that’s right, you search for metadata piled on an email transfer agent’s objects. For some room that has no email capability whatsoever. My theory is that this is because Microsoft’s email and calendaring strategy was defined by people with the outlook and mental capacities of a selfish, spoiled ten-year-old.

Fixing a corrupt Active Directory group

We have a group, we’ll call it Business Admin. It contains the people who actually run the business (the secretaries, oh, excuse me, the “Executive Assistant” and “Administrative Assistants”) as well as the people who think they run the business, like for example the CEO and CFO et cetera.

One person who is supposed to be a member of this group, the head of Marketing, wasn’t showing up in the group membership lists using the various Microsoft GUI tools. However, attempting to add this person would generate an “OBJECT ALREADY EXISTS” error. Huh?

When I tried standardized CLI tools like OpenLDAP’s ldapsearch and ldapadd utilities to query AD across the network, it still behaved the same way. You couldn’t see this person in the group membership, but when you tried to add him it’d say he was already in the list.

Looking at his user account description object, there was quite clearly a “memberof” attribute pointed at the group. Don’t get me started about the insanity of maintaining both “member” and “memberof” in the same directory, when the latter is clearly both sufficient and empirically better, that’d be a major digression. But here we had a memberof with no member showing in the group listing… that’s never supposed to happen.

Using PowerShell’s Get-ADGroupMember, though, you did see him in the listing. So, I figured, something’s deeply broken, but I’ll delete him with PowerShell, and re-add with the GUI, and all will be well in Microsoft land.

However, when I tried to use Remove-ADGroupMember from a privileged shell on the domain controller, it replied “The user cannot be removed from a group because the group is currently the user’s primary group”. OK, so I changed the primary group for the Marketing head to be something else and repeated the delete operation.

This time the delete succeeded. Now here’s the weird part. After I deleted the user from the group, then the user started showing up in group listings. Got that? He was not showing up, so I deleted him, and then he showed up.

After that everything just worked. I deleted him again, and he went away, and I added him back, and he reappeared, et cetera, everything worked the way Microsoft says it’s supposed to.

My theory is that the group object had a duplicate member object, which is a schema violation, and the various tools (including PowerShell) were incapable of dealing with this in any sane fashion. But you can fix it with PowerShell.
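The sequence the post walks through, as an added PowerShell example (not the author’s code): it compares the group’s forward link (`member`), the user’s back link (`memberOf`), the primary-group relationship and what Get-ADGroupMember reports, then moves the primary group aside, removes and re-adds the user. The group name, account name and fallback primary group are placeholders.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory module
# (RSAT) and rights to modify the group and the user. All names are placeholders.
Import-Module ActiveDirectory

$GroupName            = 'Business Admin'   # placeholder group name
$UserSam              = 'mkt.head'         # placeholder sAMAccountName
$FallbackPrimaryGroup = 'Domain Users'     # primary group to use while the fix runs

function Test-GroupLinkConsistency {
    param([string]$Group, [string]$User)
    $g = Get-ADGroup -Identity $Group -Properties member, primaryGroupToken
    $u = Get-ADUser  -Identity $User  -Properties memberOf, primaryGroupID
    [pscustomobject]@{
        InGroupMember  = $g.member   -contains $u.DistinguishedName  # forward link on the group
        InUserMemberOf = $u.memberOf -contains $g.DistinguishedName  # back link on the user
        # AD does not store primary-group membership in 'member'; it lives in primaryGroupID.
        IsPrimaryGroup = $u.primaryGroupID -eq $g.primaryGroupToken
        SeenByCmdlet   = [bool](Get-ADGroupMember -Identity $Group |
                                Where-Object DistinguishedName -eq $u.DistinguishedName)
    }
}

function Repair-GroupMembership {
    param([string]$Group, [string]$User, [string]$FallbackGroup)
    $u = Get-ADUser  -Identity $User  -Properties primaryGroupID
    $g = Get-ADGroup -Identity $Group -Properties primaryGroupToken
    if ($u.primaryGroupID -eq $g.primaryGroupToken) {
        # Remove-ADGroupMember refuses while this is the user's primary group, so point
        # primaryGroupID at a group the user is already a direct member of.
        $fb = Get-ADGroup -Identity $FallbackGroup -Properties primaryGroupToken
        Add-ADGroupMember -Identity $fb -Members $u -ErrorAction SilentlyContinue
        Set-ADUser -Identity $u -Replace @{ primaryGroupID = $fb.primaryGroupToken }
    }
    # The delete-then-re-add that cleared the inconsistent membership in the post.
    Remove-ADGroupMember -Identity $g -Members $u -Confirm:$false
    Add-ADGroupMember    -Identity $g -Members $u
}

'Before:'; Test-GroupLinkConsistency -Group $GroupName -User $UserSam
Repair-GroupMembership -Group $GroupName -User $UserSam -FallbackGroup $FallbackPrimaryGroup
'After:';  Test-GroupLinkConsistency -Group $GroupName -User $UserSam
```

Run the consistency check first on its own; a user whose `InUserMemberOf` is true while `InGroupMember` is false is the mismatch the post describes, and the repair leaves the original primary group changed, so set it back afterwards if it mattered.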