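Extending the AD schema - unable to update because of a constraint

Time: 2012-01-13 16:15:47

Tags: active-directory

For testing purposes, I am adding some attributes from live to staging, and I am using ldifde: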

D:\Shared>ldifde -i -v -f attr3.ldf -j .
Connecting to "myDomain.com"
Logging in as current user using SSPI
Importing directory from file "attr3.ldf"
Loading entries
1: CN=myAttribute,CN=Schema,CN=Configuration,DC=myDomain,DC=com
Entry modified successfully.


1 entry modified successfully.

The command has completed successfully

D:\Shared>

But when I try to update it using vbs, I get:

C:\Users\update.vbs(8, 1) Active Directory: The requested operation did not 
satisfy one or more constraints associated with the class of the object.

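Note that the other attributes (the original ones) can be updated; this problem only applies to the attribute I am importing.

So, I wonder if I missed some step to link or detach the new attribute after importing.

Here is attr3.ldf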

#attr3.ldf
#adding my new attribute
dn: CN=myAttribute,CN=Schema,CN=Configuration,DC=myDomain,DC=com
changetype: add
objectClass: top
objectClass: attributeSchema
cn: my-Attribute
distinguishedName: CN=my-Attribute,CN=Schema,CN=Configuration,DC=myDomain,DC=com
instanceType: 4
whenCreated: 20100401175340.0Z
whenChanged: 20100401175341.0Z
uSNCreated: 24154
attributeID: 2.16.840.1.113805.111
attributeSyntax: 2.5.5.12
isSingleValued: TRUE
rangeLower: 0
rangeUpper: 1
uSNChanged: 24163
showInAdvancedViewOnly: TRUE
adminDisplayName: my-Attribute
adminDescription: my-Attribute
oMSyntax: 64
searchFlags: 0
lDAPDisplayName: myAttribute
name: my-Attribute
schemaIDGUID:: tonVW6suWUu1Gev/D1pI9Q==
isMemberOfPartialAttributeSet: TRUE
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=myDomain,DC=com

#The following attributes were removed because I was getting:
#Add error on entry starting on line 1: Unwilling To Perform
#The server side error is: 0x20e7 The modification was not permitted for security
#reasons.
#The extended server error is:
#000020E7: SvcErr: DSID-03152D2C, problem 5003 (WILL_NOT_PERFORM), data 0

#objectGUID:: eTKYtnXbCE2fPMgc8UIe0w==
#attributeSecurityGUID:: VAGN5Pi80RGHAgDAT7lgUA==

Here is the vbs code,

'update.vbs
Set objUser = GetObject("LDAP://CN=John Lennon,CN=Users,DC=myDomain,DC=com") 
objUser.myAttribute="someValue"  'Also tried with integers but no luck
objUser.SetInfo

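Thanks, m0dest0.


Thanks JPBlanc, you are right, I missed adding the attr to the class and then refreshing the schema:

  1. Register the dll: regsvr32 schmmgmt.dll
  2. Open "Run" and type mmc.exe
  3. Add the Active Directory Schema snap-in
  4. Right-click the class, Properties, then click the "Add" button, and so on.
  5. Finally, refresh the schema:

    C:\Users>admod -sc refreshschema

    AdMod V01.17.00cpp Joe Richards (joe@joeware.net) March 2011

    Modifying ROOTDSE...
    DN Count: 1
    Using server: myServer.myDomain.com:389
    Directory: Windows Server 2008 R2

    Modifying specified objects...
       DN: ROOTDSE...

    The command completed successfully

Regards,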

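1 answer:

Answer 0: (score: 1)

If you want to use the attribute in the user object, you also have to add the attribute to the user class (in the schema). You have to modify your LDIF file: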

# Define your attribute

# Reload the schema
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
# modify user class

Use the Microsoft MMC (register schmmgmt.dll) to have a look at your schema.

If you still have trouble, I can help again in the morning.
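
The "modify user class" step that the answer's outline leaves open, written out as an added example (not part of the original question or answer). It assumes attr3.ldf has already been imported so the attribute exists; the file name user-class.ldf is hypothetical, and the DNs and lDAPDisplayName are the ones shown in the question.

```ldif
# user-class.ldf (hypothetical file name; added example)
# Assumes the attribute from attr3.ldf already exists in the schema.

# 1. Reload the schema cache so the new attribute can be referenced by name
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

# 2. Allow the attribute on user objects as an optional attribute of the User class
dn: CN=User,CN=Schema,CN=Configuration,DC=myDomain,DC=com
changetype: modify
add: mayContain
mayContain: myAttribute
-

# 3. Reload the schema cache again so the class change is usable immediately
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
```

Import it the same way as attr3.ldf (`ldifde -i -v -f user-class.ldf -j .`), then rerun update.vbs. Schema additions in Active Directory cannot be deleted afterwards, only deactivated, so verify the change on staging before applying it to live.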