1 Reply Latest reply on Jul 23, 2009 9:19 AM by SafeBoot

    AD Connector Modification

      Hi
      I hope this isn't a typo :)
      Looking for thoughts on some changes to our ad connector

      Currently connector searches one AD group which contains two other nested groups and a list of users. The connectors group mappings are set to look at the memberOf attribute of users and there is a hierarchy of definitions starting with sysadmins, then recovery admins and then if no mapping exists add to the standard users group.

My aim is to divide up the standard users group into, say, four subgroups (smaller user groups mapped to smaller computer groups). My intention was to create four new AD groups, divide the users amongst these and add additional group mappings to the one existing connector.

On initial tests I am not getting the results I would expect.

Firstly I get "...change attribute older than current users: Ignoring other changes" in the connector log. I understand that this relates to the uSNChanged value being higher in SB than in AD, and verified this with ADSI Edit, the value in AD being lower. I've pinned this down to a recent change in our AD environment which required the connector to be pointed at a different DC; I wasn't aware that the uSNChanged value was not replicated between DCs (http://msdn.microsoft.com/en-us/library/ms677627(VS.85).aspx).

If I manually edit the Change SbAdCon0.changes to 0 for one account, the connector log looks better as I get "...No changes needed.", but changes in AD group membership don't get replicated to changes in SB user group membership. So I am thinking I've got a mistake somewhere else as well. It looks as if memberOf wants the fully distinguished value; I thought it was working with the common name but could be poor memory. A typo!

So this is a long way of asking if there is a script to reset the SbAdCon0.changes to 0?

      Thanks

      Simon
        • 1. RE: AD Connector Modification
The API can indeed set the binding value, but there's no script to do specifically that; I guess you could hack the "linkuser" script to do it though? If not, just make a simple batch file to do it or something.

Re the memberOf: you are right, it's not substring searched by default. You can add this though by changing the attribute properties (General / Attribute Types).

Personally, with memberships, I always use the DN.
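The two pitfalls in this thread, the memberOf match and the uSNChanged watermark, are easy to reason about in a small simulation. The following is an added example, not SafeBoot's connector code or anything from the product's API: it models a generic AD-to-product sync client with constructed directory entries. The group DNs, the `SyncState` record and the use of the DC's invocation ID as the key for the USN watermark are assumptions made for the illustration; they show why a group mapping must use the full DN (memberOf values are DNs, so a bare CN only matches when substring matching is switched on) and why a per-user uSNChanged watermark saved against one DC must be discarded, not compared, when the connector is repointed at another DC.

```python
"""Added example (not SafeBoot code): two AD sync pitfalls, simulated.

1. memberOf holds distinguished names, so a mapping keyed on a bare CN
   matches nothing unless substring matching is enabled.
2. uSNChanged is a per-DC counter, so a watermark recorded from DC1 is
   not comparable with values read from DC2; a sync client should key its
   watermark by the DC identity and reset rather than 'ignore changes'.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample entries (not real directory data).
ALICE = {
    "dn": "CN=Alice,OU=Staff,DC=example,DC=com",
    "memberOf": ["CN=SB Users 1,OU=Groups,DC=example,DC=com",
                 "CN=Standard Users,OU=Groups,DC=example,DC=com"],
}
BOB = {
    "dn": "CN=Bob,OU=Staff,DC=example,DC=com",
    "memberOf": ["CN=SB Recovery Admins,OU=Groups,DC=example,DC=com"],
}

# Ordered mappings, most privileged first; anything unmatched falls through.
# Group DNs are assumed for the example.
DN_MAPPINGS: List[Tuple[str, str]] = [
    ("CN=SB Sysadmins,OU=Groups,DC=example,DC=com", "Sysadmins"),
    ("CN=SB Recovery Admins,OU=Groups,DC=example,DC=com", "Recovery Admins"),
    ("CN=SB Users 1,OU=Groups,DC=example,DC=com", "Users 1"),
]
FALLBACK_GROUP = "Standard Users"


def _norm_dn(dn: str) -> str:
    """Case-insensitive, whitespace-tolerant DN comparison key."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def map_user_group(member_of: List[str],
                   mappings: List[Tuple[str, str]] = DN_MAPPINGS,
                   substring: bool = False) -> str:
    """First mapping whose value matches a memberOf entry wins.

    With substring=False (the default in the thread) the configured value
    must equal a full DN; a bare common name such as 'SB Users 1' never
    matches and the user lands in the fallback group.
    """
    for configured, target in mappings:
        for dn in member_of:
            if substring:
                if configured.lower() in dn.lower():
                    return target
            elif _norm_dn(configured) == _norm_dn(dn):
                return target
    return FALLBACK_GROUP


def naive_decide(stored_usn: int, ad_usn: int) -> str:
    """Watermark check that ignores which DC the numbers came from.

    After a DC switch the stored value is often higher than the new DC's
    counter, which produces the 'older than current users: ignoring other
    changes' situation described in the thread.
    """
    return "apply" if ad_usn > stored_usn else "ignore"


@dataclass
class SyncState:
    """Watermark keyed by the DC that issued it (invocation ID assumed)."""
    dc_invocation_id: Optional[str] = None
    usn_watermark: Dict[str, int] = field(default_factory=dict)  # user DN -> USN


def dc_aware_decide(state: SyncState, dc_invocation_id: str,
                    user_dn: str, ad_usn: int) -> str:
    """Apply a change if it is newer than our watermark for the same DC.

    A different DC means the saved USNs are meaningless: clear them and
    treat every user as changed (a full resync) instead of ignoring them.
    """
    if state.dc_invocation_id != dc_invocation_id:
        state.dc_invocation_id = dc_invocation_id
        state.usn_watermark.clear()
    if ad_usn > state.usn_watermark.get(user_dn, 0):
        state.usn_watermark[user_dn] = ad_usn
        return "apply"
    return "skip"


def run_demo() -> Dict[str, str]:
    """Walk through the thread's scenario; returns the decisions taken."""
    state = SyncState()
    out = {}
    # First sync against DC1: Alice changed at USN 42150 on that DC.
    out["dc1_first"] = dc_aware_decide(state, "dc1-invocation-id", ALICE["dn"], 42150)
    out["dc1_repeat"] = dc_aware_decide(state, "dc1-invocation-id", ALICE["dn"], 42150)
    # Connector repointed at DC2, whose counter for Alice reads 41000.
    out["naive_after_switch"] = naive_decide(42150, 41000)
    out["aware_after_switch"] = dc_aware_decide(state, "dc2-invocation-id", ALICE["dn"], 41000)
    return out


if __name__ == "__main__":
    print(map_user_group(ALICE["memberOf"]))            # Users 1
    print(map_user_group(ALICE["memberOf"], [("SB Users 1", "Users 1")]))  # Standard Users
    print(run_demo())
```

The `run_demo` walk-through reproduces the symptom from the thread: the naive comparison returns "ignore" for Alice after the DC switch because 42150 > 41000, while the DC-aware client notices the new invocation ID, drops its watermark and applies the change. Resetting a connector's stored change value to 0, as the question asks, is the manual equivalent of that reset.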