How does AD Users and Computers tool recognize a user?

How does the AD Users and Computers tool recognize a user from any other
object?

I ask because I've got a user that has all the same attributes as a user
created by the AD U/C tool itself, with the exception of an additional
custom structural objectclass. The tool refuses to look at this user.

--
Brandon Hume - hume -> BOFH.Ca, http://WWW.BOFH.Ca/

Hello hume.spamfilter@bofh.ca,

What do you mean with "any other object"? I can not understand this. How
was the other user account created?

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> How does the AD Users and Computers tool recognize a user from any
> other object?
>
> I ask because I've got a user that has all the same attributes as a
> user created by the AD U/C tool itself, with the exception of an
> additional custom structural objectclass. The tool refuses to look at
> this user.
>

<hume.spamfilter@bofh.ca> wrote in message
news:hehf1u$epk$1@Kil-nws-1.UCIS.Dal.Ca...
> How does the AD Users and Computers tool recognize a user from any other
> object?
>
> I ask because I've got a user that has all the same attributes as a user
> created by the AD U/C tool itself, with the exception of an additional
> custom structural objectclass. The tool refuses to look at this user.
>
> --
> Brandon Hume - hume -> BOFH.Ca, http://WWW.BOFH.Ca/

ADUC uses objectClass. I think it looks at the lowest level class. For
example, if you use ADSI Edit, you will see the following for objectClass:

top
person
organizationalPerson
user

But for a comuter object, you will see the following for objectClass:

top
person
organizationalPerson
user
computer

The only difference is the last entry. Your custom objectClass makes the
object not a user but a custom object to ADUC.

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--

Richard Mueller [MVP] <rlmueller-nospam@ameritech.nospam.net> wrote:
> ADUC uses objectClass. I think it looks at the lowest level class. For
> example, if you use ADSI Edit, you will see the following for objectClass:

It must be a bit more complex than that... I suspect it only looks at
structural object classes. I changed my custom class to auxilary, and
now ADUC sees it properly.

I have no real desire to have my class be structural, but it seems like
that's the only way to allow me to have my own rdnAttId. It looks like
I'll have to make a choice between one or the other.

> The only difference is the last entry. Your custom objectClass makes the
> object not a user but a custom object to ADUC.

That's interesting, since as far as I've been lead to understand there's
no inherent ordering to attribute values in LDAP.

--
Brandon Hume - hume -> BOFH.Ca, http://WWW.BOFH.Ca/

Meinolf Weber [MVP-DS] <meiweb@(nospam)gmx.de> wrote:
> What do you mean with "any other object"? I can not understand this. How
> was the other user account created?

Programmatically, via LDAP transactions. When/If I convert over, I
certainly won't be importing 180k users by hand. The ideal will be to
export a huge LDIF file from OpenLDAP, massage it a bit, and then import
it, either via script or ldifde. It's necessary to keep compatibility as
much as possible with existing LDAP-using processes... this includes
Sendmail, a large number of management web applets, and other utilities.
However, I'm willing to work a bit harder if it means it keeps the option
of using Windows' stock management tools to a degree.

--
Brandon Hume - hume -> BOFH.Ca, http://WWW.BOFH.Ca/

>
>> The only difference is the last entry. Your custom objectClass makes the
>> object not a user but a custom object to ADUC.
>
> That's interesting, since as far as I've been lead to understand there's
> no inherent ordering to attribute values in LDAP.
>
> --
> Brandon Hume - hume -> BOFH.Ca, http://WWW.BOFH.Ca/

You are correct, generally there is no order to multi-valued attributes. But
there is an objectClass hierarchy. The objectClass attribute is the only one
with ordered values. The first value is at the top of the hierarchy, the
last is the most derived class, which is the class the object is an instance
of. The Class method exposed by the IADs interface returns one value. For
example:

user objects:
objectCategory=person; objectClass=top,person,organizationalPerson,user;
Class=user

computer objects:
objectCategory=computer;
objectClass=top,person,organizationalPerson,user,computer; Class=computer

contact objects:
objectCategory=person; objectClass=top,person,organizationalPerson,contact;
Class=contact

If you filter on objects of class "user" (either with objectClass=user or
with the Filter method of IADs), you get both user and computer objects. If
you retrieve all objects with objectCategory=person, you get user and
contact objects.

From the documentation I find that classes can be structural, abstract, or
auxiliary. Only structural class can be instantiated. Auxiliary classes just
add attributes the object can have. Abstract classes are templates to derive
new classes.

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--

Richard Mueller [MVP] <rlmueller-nospam@ameritech.nospam.net> wrote:
> with ordered values. The first value is at the top of the hierarchy, the
> last is the most derived class, which is the class the object is an instance

Aha! So, currently I'm subclassing inetOrgPerson... pretty arbitrary. If
I subClass top, I might push my custom class back and let user/inetOrgPerson
take precedence?

I'm operating under the assumption that only structural classes are allowed
to declare and use a custom attribute as rdnAttId. When my class was only
auxilary, I wasn't allowed to use my dalUUID attribute as RDN for any objects.

--
Brandon Hume - hume -> BOFH.Ca, http://WWW.BOFH.Ca/

hume.spamfilter@bofh.ca wrote:
> Aha! So, currently I'm subclassing inetOrgPerson... pretty arbitrary. If
> I subClass top, I might push my custom class back and let user/inetOrgPerson
> take precedence?

No answer my own question, no, I can't do that. I have to inherit from
inetOrgPerson as a structural or I mess up the inheritance chain and AD
rejects the user object.

So it looks like I'm down to my choice of either using a structural so
that I can have my custom RDN, or letting ADUC understand the object.
(The fact that ADUC apparently doesn't understand that a subclass can
be treated like the parent class is quite a bit annoying...)

--
Brandon Hume - hume -> BOFH.Ca, http://WWW.BOFH.Ca/