
How to add/modify altSecurityIdentities property using ADSI?


Rodney Dyer

Dec 10, 2001, 11:07:17 AM
I need to update the altSecurityIdentities property for
about 10,000 users. I can't seem to find a COM interface
in ADSI that modifies that property. The
altSecurityIdentities property appears not to be exposed.

Specifically, I'm trying to add a Kerberos name mapping
for each of our users in the active directory. Can this
be done with ADSI, or do I have to go through an LDAP
connection?

Here is the only thing I can find on the MSDN site about
the altSecurityIdentities property...

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netdir/ad/user_object_properties.asp

Help is really appreciated.

Thanks,

Rodney

Rodney M. Dyer
NT Systems Programmer
Mosaic NT Network Group
College of Engineering
University of North Carolina at Charlotte
Email: rmd...@uncc.edu
Phone: (704)687-3518
Help Desk Line: (704)687-3150
FAX: (704)687-2352
Office: 267 Smith Building

Rodney Dyer

Dec 10, 2001, 6:31:30 PM
Ok, so I worked this one out myself. BUT! Why-o-why does
the Active Directory store users' LDAP entries by full
name? If I didn't have the "WinNT:" provider, which is for
backward compatibility with 4.0 domains, I would not have
been able to grab the user's username from LDAP. What's
going on here????

Anyway here's the simple code for anyone who cares...

[ldap.vbs]

' ADS_PROPERTY_UPDATE replaces any values already stored in the attribute.
Public Const ADS_PROPERTY_UPDATE = 2

sUsername = "username"

' Bind through the WinNT: provider to look up the user's full name.
Set myObj = GetObject("WinNT://your_domain_name/" & sUsername & ",user")

'WScript.Echo myObj.FullName

' Bind to the same user over LDAP; the CN is the full name.
Set oOU = GetObject("LDAP://server.domain.company.com/CN=" & _
    myObj.FullName & ",CN=Users,DC=domain,DC=company,DC=com")

oOU.PutEx ADS_PROPERTY_UPDATE, "altSecurityIdentities", _
    Array("Kerberos:user...@COMPANY.COM")

oOU.SetInfo

'pIdentity = oOU.GetEx("altSecurityIdentities")
'For Each pValue in pIdentity
'    WScript.Echo pValue
'Next

To run this script use: c:\>cscript ldap.vbs
Remove remarks to see what happens.

Later.


Max L. Vaughn

Dec 11, 2001, 1:38:43 PM
If you know the pieces of the altSecurityIdentity value, you would set it
the same way you set any multi-valued property in the AD using the
IADs::PutEx method passing a control value that describes your action and a
variant array containing your data.

The PutEx call would look something like:

oUsr.PutEx 3, "altSecurityIdentities", Array("Value1", "Value2", "Value3", ...)

Sincerely,
Max Vaughn
Microsoft Developer Support


Disclaimer: This posting is provided “AS IS” with no warranties, and
confers no rights. You assume all risk for your use.

Security Note:
Recent viruses on the Internet underscore the threat to all computer users
and highlight challenges facing the entire industry in providing security
that everyone needs to conduct business. I encourage you to sign up to
receive automatic notification of Microsoft Security Bulletins by visiting
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/notify.asp.
For more information on security, our Strategic
Technology Protection Program and to order your FREE Security Tool Kit,
please visit http://www.microsoft.com/security. We will be happy to answer
any questions or provide assistance with your security needs.
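
A bulk version of the update discussed in this thread, as an added example that is not part of any poster's message: it resolves each account's distinguished name from its logon name with the NameTranslate object instead of building the DN from the full name, and appends the mapping (control code 3) so values already stored in altSecurityIdentities are kept rather than replaced. The domain name, realm and usernames are constructed placeholders.

```vbscript
Option Explicit
' Added example. Domain, realm and usernames below are constructed placeholders.
Const ADS_PROPERTY_APPEND = 3      ' add values, keep the existing ones
Const ADS_NAME_INITTYPE_GC = 3     ' let NameTranslate locate a global catalog
Const ADS_NAME_TYPE_1779 = 1       ' distinguished name
Const ADS_NAME_TYPE_NT4 = 3        ' DOMAIN\username
Const NT_DOMAIN = "YOURDOMAIN"     ' placeholder NetBIOS domain name
Const KRB_REALM = "EXAMPLE.REALM"  ' placeholder external Kerberos realm

Dim oTrans, sUser
Set oTrans = CreateObject("NameTranslate")
oTrans.Init ADS_NAME_INITTYPE_GC, ""

For Each sUser In Array("jdoe", "asmith")   ' constructed sample usernames
    WScript.Echo sUser & ": " & AddMapping(sUser, "Kerberos:" & sUser & "@" & KRB_REALM)
Next

' Returns "added", "already present" or a short error description.
Function AddMapping(sSam, sMapping)
    Dim sDN, oUser, vExisting, vValue
    On Error Resume Next
    oTrans.Set ADS_NAME_TYPE_NT4, NT_DOMAIN & "\" & sSam
    sDN = oTrans.Get(ADS_NAME_TYPE_1779)
    If Err.Number <> 0 Then
        AddMapping = "not found in " & NT_DOMAIN
        Exit Function
    End If
    ' A "/" inside the DN has to be escaped in an ADsPath.
    Set oUser = GetObject("LDAP://" & Replace(sDN, "/", "\/"))
    If Err.Number <> 0 Then
        AddMapping = "bind failed: " & Err.Description
        Exit Function
    End If
    ' GetEx raises an error when the attribute has no values; treat that as empty.
    vExisting = oUser.GetEx("altSecurityIdentities")
    If Err.Number = 0 Then
        For Each vValue In vExisting
            If LCase(vValue) = LCase(sMapping) Then
                AddMapping = "already present"
                Exit Function
            End If
        Next
    End If
    Err.Clear
    oUser.PutEx ADS_PROPERTY_APPEND, "altSecurityIdentities", Array(sMapping)
    oUser.SetInfo
    If Err.Number <> 0 Then AddMapping = "write failed: " & Err.Description Else AddMapping = "added"
End Function
```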
