
AD group managed by a group not an account

Hi,

I am working with a customer to put their AD groups into IT Shop and have come across an issue that I had not considered before. In AD Users and Groups I can see that some groups are managed by other AD groups rather than by an AD user account.

This is perfectly legal in AD. However, our mapping connects the managedBy AD property to UID_ADSAccountManager (via a search of the FK table ADSAccount for the DN), so when the managedBy is a group, our Manager parameter in the ADSGroup object is NULL.

The knock-on effect is that the product owner is not set in IT Shop.

This must have been encountered before. Has anyone got any suggestions as to the best way to handle this?

Thanks

Jon.

  • Jonathan

    The most likely way to handle this would be the following approach:

    1. Use the SchemaExtension tool to extend the Q1IM database schema for the ADSGroup table with an FK column to the ADSGroup table itself

    2. Change the mapping of your AD domain. Remove the connection between UID_ADSAccountManager and managedBy and establish a connection between your new column and managedBy. As the FK table you would name ADSGroup; the search column for the FK table would be DistinguishedName.

    3. Publish the mapping.

    4. Sync (without update optimization at least once) and be happy

    Steps 1 to 3 could be done in less than 10 minutes depending on how familiar you are with the tool.

    Regards

    Carsten

  • Thanks Carsten, but perhaps I wasn't clear enough. The managedBy property is not always an AD group. It could be an AD group OR, as is normal, an AD account.

    So when the managedBy is an AD group we currently get NULL as the uid_ADSAccountManager.

    The dilemma is that we don't know what the value will be (group or account) until the data is synced in.

    Jon.

  • This might turn out to be a problem. :-)

    Another idea to solve your problem:

    1. Extend the schema with a new schema column to take the DN of the managing object.

    2. Create a process that kicks off on INSERT / UPDATE in case of a FULLSYNC, and that passes that value into a dialogscript.

    3. The dialogscript determines whether there is an object having exactly this DN in ADSGroup, and if so sets the reference in the customer-specific column <Customer-Prefix>_ManagedByGroup; otherwise it sets the UID_ADSAccount in the column UID_ADSAccountManager.

    Regards

    Carsten

  • Using PowerShell:

    Create an adsisearcher object. You would have to filter on the specific object, or could use this code for a bulk import:

    # assumes the service account has appropriate rights and the thread is running on a domain-joined system
    $IDMsearcher = [adsisearcher]'objectcategory=group'

    # add more properties if needed; basic is fine
    [void]$IDMsearcher.PropertiesToLoad.AddRange(@('sAMAccountName', 'managedBy'))

    # results are paged server-side; FindAll() already walks every page, so no do/while loop is needed
    $IDMsearcher.PageSize = 512

    $IDMsearcher.FindAll() | ForEach-Object {
        $group = $_.GetDirectoryEntry()

        # data needed in: (insert your logic here)
        $group.sAMAccountName
        $group.managedBy              # the attribute the thread is about: DN of a user or a group
        $group.ObjectSecurity.Owner   # owner from the security descriptor; not the same thing as managedBy
    }
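The following is an added example, not code from any of the posts above. It does offline what Carsten's dialogscript would do at sync time, and extends the bulk search from the last post: for every group that carries a managedBy value it resolves that DN, decides whether the target is an AD user, an AD group, something else, or unresolvable, and reports which ADSGroup column the reference would have to go into. It assumes a domain-joined host, a service account with read access to the groups, and uses CCC_ManagedByGroup as a stand-in name for the customer-specific <Customer-Prefix>_ManagedByGroup column; both the function names and that column name are my own.

```powershell
# Added example (not from the thread): classify each group's managedBy target.
# Assumptions: domain-joined host, read access to the groups, and the hypothetical
# custom column name CCC_ManagedByGroup standing in for <Customer-Prefix>_ManagedByGroup.

function Get-ManagedByTarget {
    param([Parameter(Mandatory)][string]$ManagedByDn)

    # A literal "/" inside a DN must be escaped as "\/" in an ADSI path.
    $path = 'LDAP://' + ($ManagedByDn -replace '/', '\/')

    # Guard against a DN that does not resolve from this host
    # (object in another forest, or removed between the search and the bind).
    if (-not [adsi]::Exists($path)) {
        return [pscustomobject]@{ Kind = 'Missing'; Column = $null }
    }

    # objectClass holds the class chain, e.g. top,group or top,person,organizationalPerson,user.
    # Test 'group' first; a computer object also carries 'user', so exclude it explicitly.
    $classes = @(([adsi]$path).objectClass)
    if ($classes -contains 'group') {
        return [pscustomobject]@{ Kind = 'Group';   Column = 'CCC_ManagedByGroup' }    # hypothetical custom FK column
    }
    if ($classes -contains 'user' -and $classes -notcontains 'computer') {
        return [pscustomobject]@{ Kind = 'Account'; Column = 'UID_ADSAccountManager' }
    }
    return [pscustomobject]@{ Kind = 'Other'; Column = $null }    # computer, contact, ...
}

function Get-GroupManagedByReport {
    param([string]$SearchBaseDn)    # optional OU DN; default is the current domain root

    # Only groups that actually carry a managedBy value are interesting here.
    $searcher = [adsisearcher]'(&(objectCategory=group)(managedBy=*))'
    if ($SearchBaseDn) { $searcher.SearchRoot = [adsi]('LDAP://' + $SearchBaseDn) }
    $searcher.PageSize = 512    # server-side paging; FindAll() walks every page itself
    [void]$searcher.PropertiesToLoad.AddRange(@('sAMAccountName', 'distinguishedName', 'managedBy'))

    foreach ($result in $searcher.FindAll()) {
        # SearchResult property names are lower case.
        $managedBy = [string]$result.Properties['managedby'][0]
        $target    = Get-ManagedByTarget -ManagedByDn $managedBy
        [pscustomobject]@{
            Group     = [string]$result.Properties['samaccountname'][0]
            ManagedBy = $managedBy
            Kind      = $target.Kind      # Group, Account, Missing or Other
            Column    = $target.Column    # where the sync would have to write the FK
        }
    }
}

# Usage: list the groups whose manager is itself a group, i.e. the ones that
# currently end up with a NULL UID_ADSAccountManager after the sync.
Get-GroupManagedByReport | Where-Object Kind -eq 'Group' | Format-Table -AutoSize
```

Running the report before the schema extension shows how many groups are affected and whether any managedBy values point at something other than a user or a group, which is worth knowing before deciding what the dialogscript should do in the "Other" and "Missing" cases.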