
Foreign principal for ADAM


dumc...@gmail.com
Sep 12, 2005, 4:27:16 AM
Hi

When I try to add a new entry to the
CN=ForeignSecurityPrincipals,CN=Configuration container using the
ldifde.exe tool I receive the following error message:

Add error on line 2: Unwilling To Perform

The server side error is: 0x20e7 The modification was not permitted for
security reasons.

The extended server error is:

000020E7: SvcErr: DSID-03152972, problem 5003 (WILL_NOT_PERFORM), data
8358

LDIF file is:
dn: CN=S-1-5-21-3481246173-3943819819-2627901438-2109,CN=ForeignSecurityPrincipals,CN=Configuration,CN=X
objectClass: foreignSecurityPrincipal
cn: S-1-5-21-3481246173-3943819819-2627901438-2109
distinguishedName: CN=S-1-5-21-3481246173-3943819819-2627901438-2109,CN=ForeignSecurityPrincipals,CN=Configuration,CN=X
instanceType: 4
name: S-1-5-21-3481246173-3943819819-2627901438-2109
objectSid:: AQUAAAAAAAUVAAAA3Zl/zyvqEev+l6KcPQgAAA==
objectCategory: CN=Foreign-Security-Principal,CN=Schema,CN=Configuration,CN=X

What could it be?

Lee Flight
Sep 12, 2005, 10:54:36 AM
Hi

in general FSPs are created for you by the system. When
you add a Windows principal to a group the corresponding
FSP is created.

The problem you are having below (that the system handles
for you) is that you are attempting to specify the objectSID.

Lee Flight

<dumc...@gmail.com> wrote in message
news:1126513636.7...@g14g2000cwa.googlegroups.com...

dumc...@gmail.com
Sep 13, 2005, 4:03:50 AM
Thank you Lee for the answer, but I didn't understand how to add a new
security principal.
As I understand it, if I want to assign the Administrator role to a foreign
principal I must add a new value to the member attribute of the entry
cn=Administrators,cn=Roles,cn=Configuration,cn={GUID}.
So the LDIF file will look like

dn: cn=Administrators,cn=Roles,cn=Configuration,CN=X
changetype: modify
add: member
member: {value}
-
What is {value} in my case? It should be the DN of the FSP. But this entry
doesn't exist.


Lee Flight wrote:

Lee Flight
Sep 13, 2005, 9:42:51 AM
Hi

that's not so easy to do with ldif if you are using ldifde.

ADAM allows you to add group members by specifying the
DN (if the object exists in ADAM) or in the form

<SID=S-1-5...>

If you are using ADSI you can add a domain member to a
group using just the string form of the SID above, which will
then create the FSP.

With the current version of ldifde you will need to Base64 encode
the string form of the SID above and use that.

So for a domain account

S-1-5-21-3481246173-3943819819-2627901438-2109

you would need to encode

<SID=S-1-5-21-3481246173-3943819819-2627901438-2109>

giving

PFNJRD1TLTEtNS0yMS0zNDgxMjQ2MTczLTM5NDM4MTk4MTktMjYyNzkwMTQzOC0yMTA5Pj==

and the LDF would have

member:: PFNJRD1TLTEtNS0yMS0zNDgxMjQ2MTczLTM5NDM4MTk4MTktMjYyNzkwMTQzOC0yMTA5Pj==

Ignore line wraps and note the :: after member.


Lee Flight

<dumc...@gmail.com> wrote in message
news:1126598630.7...@o13g2000cwo.googlegroups.com...

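As an added example (not code from this thread or from any Microsoft tool), the following Python shows the two encodings that come up above: the binary objectSid layout behind the objectSid:: value in the first LDIF, and the base64-wrapped <SID=...> string that ldifde needs after member:: to reference a domain account that has no object in ADAM yet. The SID and the objectSid value are the ones from this thread; the role DN is the one quoted above with CN=X standing in for the partition; the function names are my own. Two details are worth checking against the thread: decoding the poster's objectSid value yields exactly the SID in the dn, so nothing was wrong with the encoding itself, the server refuses the write because objectSid is set by the system when it creates the FSP, as Lee says above; and the canonical base64 of <SID=S-1-5-21-...-2109> ends in Pg== rather than Pj==. Both spell the same bytes, but a strict decoder rejects the second because of its nonzero trailing bits.

```python
import base64
import struct

# Values taken from the thread: the domain account's SID and the objectSid
# value carried in the original poster's LDIF. Everything else is constructed.
SAMPLE_SID = "S-1-5-21-3481246173-3943819819-2627901438-2109"
SAMPLE_OBJECTSID_B64 = "AQUAAAAAAAUVAAAA3Zl/zyvqEev+l6KcPQgAAA=="
# Hypothetical ADAM role DN, CN=X standing in for the configuration partition.
SAMPLE_GROUP_DN = "cn=Administrators,cn=Roles,cn=Configuration,CN=X"


def sid_to_bytes(sid: str) -> bytes:
    """Encode a string SID into the binary objectSid layout:
    revision (1 byte), sub-authority count (1 byte), 48-bit big-endian
    identifier authority, then each sub-authority as a little-endian uint32."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if not 0 <= revision <= 255 or len(subs) > 15:
        raise ValueError("revision must fit one byte; at most 15 sub-authorities")
    if any(not 0 <= s < 2**32 for s in subs):
        raise ValueError("sub-authorities are 32-bit unsigned integers")
    header = bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
    return header + struct.pack(f"<{len(subs)}I", *subs)


def bytes_to_sid(raw: bytes) -> str:
    """Decode a binary objectSid back into S-R-I-S1-... form, checking the
    length against the declared sub-authority count."""
    if len(raw) < 8:
        raise ValueError("objectSid shorter than its fixed header")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("objectSid length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack(f"<{count}I", raw[8:])
    return "S-" + "-".join(str(x) for x in (revision, authority, *subs))


def decode_objectsid_b64(value: str) -> str:
    """Decode the base64 that follows 'objectSid::' in an LDIF export."""
    return bytes_to_sid(base64.b64decode(value))


def encode_objectsid_b64(sid: str) -> str:
    """Produce the base64 an LDIF export would carry for this SID."""
    return base64.b64encode(sid_to_bytes(sid)).decode("ascii")


def member_sid_token_b64(sid: str) -> str:
    """Return the base64 ldifde needs after 'member::' to reference a
    principal that does not exist in ADAM: the literal '<SID=...>' text.
    This wraps a text token, not the binary objectSid."""
    return base64.b64encode(f"<SID={sid}>".encode("ascii")).decode("ascii")


def build_add_member_ldif(group_dn: str, sid: str) -> str:
    """Assemble the LDIF change record that adds the SID-referenced
    principal to an ADAM group; ADAM creates the FSP itself."""
    return "\n".join([
        f"dn: {group_dn}",
        "changetype: modify",
        "add: member",
        f"member:: {member_sid_token_b64(sid)}",
        "-",
        "",
    ])


if __name__ == "__main__":
    print("objectSid decodes to", decode_objectsid_b64(SAMPLE_OBJECTSID_B64))
    print(build_add_member_ldif(SAMPLE_GROUP_DN, SAMPLE_SID))
```

Run it directly to print the decoded SID and a ready-to-import change record; the record is what Lee's post describes, with the member value generated rather than typed by hand, so the :: separator and padding cannot be mistyped.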

wilsrx
Sep 13, 2005, 1:19:01 PM
Could you be more specific on the VBScript code to add an AD domain account to
a group?

Lee Flight
Sep 13, 2005, 2:41:18 PM
Hi

'ADAM group (host, port and DN are placeholders; use your instance's values)
groupPath = "LDAP://localhost:389/CN=Mygrp,OU=Groups,DC=Mydom,DC=com"
'AD user referenced by SID; ADSI accepts the string form directly
memberPath = "LDAP://<SID=S-1-5-21-xxxxxx-yyyyy-zzzz>"

'Add the user to the group; ADAM creates the FSP for the SID itself
Set objGroup = GetObject(groupPath)
objGroup.Add(memberPath)


Lee Flight

"wilsrx" <wil...@discussions.microsoft.com> wrote in message
news:738718B4-D39E-4B58...@microsoft.com...

wilsrx
Sep 13, 2005, 5:42:28 PM
Never mind, it was a typo problem. memberPath = LDAP// instead of LDAP://

Thanks again for your help.

"wilsrx" wrote:

> Thanks for your quick reply Lee. Here is the code script that I tried to run
> and the error I get from it.
>
> Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
> Set colItems = objWMIService.ExecQuery("Select * from Win32_UserAccount",,48)
> For Each objItem in colItems
> if UCase(objItem.Name) = "1TEST2" then
> ' memberPath = "LDAP//<SID=" & objItem.SID & ">"
>
> Set objGroup = GetObject(groupPath)
> objGroup.Add(memberPath)
>
> wscript.echo "User " & usrName & " was successfully added to group " & grpName
> end if
> Next
>
> Here is the error - C:\ADAM Scripts\Users\addusr2grp_adam.vbs(32, 3) (null):
> 0x80005000
>
> Any ideas. The SID string is returned by using objItem.SID.

wilsrx
Sep 13, 2005, 5:43:56 PM
Thanks for your quick reply Lee. Here is the code script that I tried to run
and the error I get from it.

' Assumed values for the variables the excerpt leaves undefined
strComputer = "."
groupPath = "LDAP://localhost:389/CN=Mygrp,OU=Groups,DC=Mydom,DC=com"
usrName = "1TEST2"
grpName = "Mygrp"

Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set colItems = objWMIService.ExecQuery("Select * from Win32_UserAccount",,48)
For Each objItem in colItems
    If UCase(objItem.Name) = usrName Then
        ' "LDAP//" is not a valid ADsPath (it should be "LDAP://"); this typo,
        ' confirmed in the follow-up, is what raises 0x80005000 (E_ADS_BAD_PATHNAME)
        memberPath = "LDAP//<SID=" & objItem.SID & ">"

        Set objGroup = GetObject(groupPath)
        objGroup.Add(memberPath)

        wscript.echo "User " & usrName & " was successfully added to group " & grpName
    End If
Next

Here is the error - C:\ADAM Scripts\Users\addusr2grp_adam.vbs(32, 3) (null):
0x80005000

Any ideas? The SID string is returned by using objItem.SID.
