joeware - never stop exploring... :)

Information about joeware mixed with wild and crazy opinions...

Disabling the ability to create users in ADUC but not removing the right to create users…

by @ 1:54 pm on 3/8/2008. Filed under tech

While working on the PPT deck for DEC I was going through the slides that were put together almost entirely[1] by Dean and came across a slide on how to show container objectClass objects in the NEW context menu selection in ADUC – i.e. how to make it so you can create new container objects with ADUC. That reminded me of a cute trick I worked up for someone once. We didn’t really have time to chat about this during the sessions, and this is actually something I think would have a good amount of interest if people understood it, so I put some quick notes together for the blog here… Enjoy…


I was previously pinged by someone who needed to allow people to create users via a special provisioning command line tool they had but could *not* create the users via ADUC (no other tools mentioned, ADUC was the culprit they wanted out of the picture). At first when I was asked I responded… ah no, you can’t do it, the permissions are for your security context only, not a combination of the security context and tool…  Sorry you will have to find some way to have the application raise its security context to something with the rights to create a user and take away rights from the admins themselves.

I sat around as I often do rethinking what I had said to make sure I was entirely accurate: is there some way I could snake around that problem if it was me and I really really really needed a solution??? Then I thought, well wait a minute… This doesn’t have to be truly secure, just sort of secure… It is for getting admins to refrain from using the GUI for the user creations, not for stopping them outright. Basically I wasn’t enforcing policy through the GUI, which should never be done[2], but simply hinting to follow policy.

Longer story short, I recalled the defaultHidingValue property of classSchema objects. This is a cute little property that tells the GUI (at least the MSFT supplied simple admin GUI tools[3]) how to present the info. If you ever had new objectClasses added to your schema and then they started popping up in your NEW context menu annoying you, then you may have found this little gem of an attribute, because that is how you filter those out from being shown… I ran into this years ago at one company I was at when a bunch of crap classes were added, and it took me like 2 years and another job to find the attribute… That is why it sticks in my head LOL.

Anyway, if you set defaultHidingValue=TRUE for user objects in the schema, then you cannot manually create users in ADUC, they don’t show up as a valid objectClass to instantiate. Even if the admin has rights to create users… Of course they aren’t blocked in say ADSIEDIT or LDP, but many admins won’t go there, they use ADUC or they kind of sit and spin.

A quick ADMOD command to do this would be

admod -schema -rb CN=user defaulthidingvalue::TRUE

To change it back so it can be seen in the NEW context menu again you simply do

admod -schema -rb CN=user defaulthidingvalue::FALSE
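The same toggle done with the ActiveDirectory PowerShell module, plus the check that shows why this is only a hint: the create-child ACEs on an OU are untouched. This is an added example, not Joe's code or part of ADMOD; the function names are mine, and the schema change needs Schema Admins rights.

```powershell
# Added example (not from the original post): audit and toggle the
# defaultHidingValue display hint, then list who can still create users.
Import-Module ActiveDirectory

$schemaNC = (Get-ADRootDSE).schemaNamingContext

# Which classes does ADUC's NEW menu currently hide?
function Get-HiddenSchemaClasses {
    Get-ADObject -SearchBase $schemaNC -Properties lDAPDisplayName `
        -LDAPFilter '(&(objectClass=classSchema)(defaultHidingValue=TRUE))' |
        Select-Object -ExpandProperty lDAPDisplayName | Sort-Object
}

# Hide or show one class in the NEW menu (same effect as the ADMOD one-liners).
function Set-SchemaClassHidden {
    param(
        [Parameter(Mandatory)][string]$LdapDisplayName,
        [Parameter(Mandatory)][bool]$Hidden
    )
    $cls = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=$LdapDisplayName))"
    if (-not $cls) { throw "No classSchema object for '$LdapDisplayName'" }
    Set-ADObject -Identity $cls.DistinguishedName -Replace @{ defaultHidingValue = $Hidden }
    # ADUC reads the schema when it starts, so restart it to see the change.
}

# The hint changes nothing about permissions: this lists the Allow ACEs that
# still grant creation of user objects under an OU, hidden class or not.
function Get-UserCreateGrants {
    param([Parameter(Mandatory)][string]$OuDN)
    $userClassGuid = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # schemaIDGUID of 'user'
    $createChild = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
    (Get-Acl -Path "AD:\$OuDN").Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.ActiveDirectoryRights.HasFlag($createChild) -and
            ($_.ObjectType -eq $userClassGuid -or $_.ObjectType -eq [guid]::Empty)
        } |
        Select-Object IdentityReference, ObjectType, IsInherited
}

# Usage (the schema change is forest-wide and replicates to every DC):
# Set-SchemaClassHidden -LdapDisplayName user -Hidden $true
# Get-HiddenSchemaClasses
# Get-UserCreateGrants -OuDN 'OU=Staff,DC=example,DC=com'   # constructed OU name
```

An ACE with an all-zeros ObjectType grants CreateChild for every class, which is why the filter keeps it alongside the user-class GUID.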


Haven’t tried this with Windows Server 2008 yet but I fully expect it to work there as well.


Hope this was a helpful hint to at least one reader.


     joe


[1] All sorts of excuses for this one… As a general rule, the stuff I work on isn’t good presentation material for DEC; there just aren’t enough people who really care that much about the guts stuff, and in general it isn’t the kind of sound bite, short zing type item that makes a good presentation… Dean on the other hand has REAMS of info that is perfect for this sort of event because of his amazing training classes. If you haven’t had him in for a training session, you need to. Your people who get to attend the class will be crying at how much they learn. My contributions to the deck (for the most part) have been a lot of the humour type stuff, some stuff on LDAP controls and policies, cool adfind/admod commands, and the photoshopped photos, as well as spell checking and technical consulting.

[2] The old NT4 User Manager tried to enforce policy, and so does Exchange ESM. You can bypass them so easily it isn’t funny, but you will get people who think they were totally secure even though they weren’t. How do I know? I ran into several folks that fit that description and did think they were secure right up until I showed them some of the holes.

[3] Well not all of them… DSSITES.MSC seems to conveniently ignore the hints…


One Response to “Disabling the ability to create users in ADUC but not removing the right to create users…”

  1. Fred says:

    It sure was useful to me!
    Thanks Joe.

    F
