joeware – never stop exploring… :)

Information about joeware mixed with wild and crazy opinions...

3/4/2011

Adding sAMAccountName and sAMAccountType to ADAM/ADLDS directories

by joe @ 12:37 am. Filed under tech

First and foremost… ADAM rocks. 🙂

With that being said… I regularly like to pull users and groups from AD and stuff them into ADAM. In general the normal ADAM schema is sufficient but for users and groups from an ADAM standpoint, ADAM is a positive step away from the SAM DB and as part of that step they did not put sAMAccountName nor sAMAccountType into the ADAM schema.

However… Sometimes I want the sAMAccountName and sAMAccountType attributes because I am importing user/group objects from AD and those values may be important for some reason and I may need to keep them, this could be for any number of reasons. Regardless of the reason, sometimes I want to do it, and that means I fairly regularly add those attributes to the schema of various ADAM instances I spin up. This can be done specifically for these couple of attributes or you can, if needed, import the whole Windows Server 2003 or Windows Server 2008 Schemas with the MS-adamschemaw2k3.LDF and MS-adamschemaw2k8.LDF files.

So it isn’t exciting to walk through using LDIF to import the K3 or K8 schemas and doing so doesn’t teach you anything about how you can use AdFind and AdMod so I will show how I import just those two attributes in case it proves useful to someone else trying to do something similar.

While you can do this with the older versions of AdFind and AdMod, I have added some features to the latest versions (AdFind V01.44.00 / AdMod V01.15.00) specifically to make it easier. Below I outline the process you can follow to update an ADAM instance on the local PC to have sAMAccountName and sAMAccountType for users and groups.

Step 1: Create a CSV file for the import (I ran this command against a Windows Server 2008 R2 Domain):

adfind -sc sdump -csv -af ldapdisplayname=samaccount* > SamAccount.csv

When run you see:

[Wed 03/02/2011 23:23:42.71]
F:\Dev\Current\CPP\SchemaMods>adfind -sc sdump -csv -af ldapdisplayname=samaccount* > SamAccount.csv

[Wed 03/02/2011 23:24:08.33]

This creates the file (it won’t look pretty here) ;o)

__SamAccount.csv__

"dn","adminDescription","adminDisplayName","attributeID","attributeSecurityGUID","attributeSyntax","auxiliaryClass","cn","defaultHidingValue","defaultObjectCategory","defaultSecurityDescriptor","description","extendedCharsAllowed","governsID","isDefunct","isMemberOfPartialAttributeSet","isSingleValued","lDAPDisplayName","linkID","mAPIID","mayContain","mustContain","objectClass","objectClassCategory","oMSyntax","possSuperiors","rangeLower","rangeUpper","rDNAttID","schemaIDGUID","searchFlags","showInAdvancedViewOnly","subClassOf","systemAuxiliaryClass","systemFlags","systemMayContain","systemMustContain","systemOnly","systemPossSuperiors"
"CN=SAM-Account-Name,<SCHEMA>","SAM-Account-Name","SAM-Account-Name","1.2.840.113556.1.4.221","{59BA2F42-79A2-11D0-9020-00C04FC2D3CF}","2.5.5.12","","SAM-Account-Name","","","","","","","","TRUE","TRUE","sAMAccountName","","","","","attributeSchema;top","","64","","0","256","","{3E0ABFD0-126A-11D0-A060-00AA006C33ED}","13","TRUE","","","18","","","FALSE",""
"CN=SAM-Account-Type,<SCHEMA>","SAM-Account-Type","SAM-Account-Type","1.2.840.113556.1.4.302","{59BA2F42-79A2-11D0-9020-00C04FC2D3CF}","2.5.5.9","","SAM-Account-Type","","","","","","","","TRUE","TRUE","sAMAccountType","","","","","attributeSchema;top","","2","","","","","{6E7B626C-64F2-11D0-AFD2-00C04FD930C9}","1","TRUE","","","18","","","FALSE",""

Then to import into ADAM with the new importschema shortcut (use –po switch with shortcut to see exact switches enabled for you if curious)…

[Wed 03/02/2011 23:24:08.33]
F:\Dev\Current\CPP\SchemaMods>admod -hh . -sc importschema:SamAccount.csv