Question
We can see that attributes which are part of the systemMayContain attribute list are user-modifiable. Consider the computer object class. Below is the definition of the object class:
( 1.2.840.113556.1.3.30 NAME 'computer' SUP user STRUCTURAL MAY (cn $ networkAddress $ localPolicyFlags $ defaultLocalPolicyObject $ machineRole $ location $ netbootInitialization $ netbootGUID $ netbootMachineFilePath $ siteGUID $ operatingSystem $ operatingSystemVersion $ operatingSystemServicePack $ operatingSystemHotfix $ volumeCount $ physicalLocationObject $ dNSHostName $ policyReplicationFlags $ managedBy $ rIDSetReferences $ catalogs $ netbootSIFFile $ netbootMirrorDataFile $ msDS-AdditionalDnsHostName $ msDS-AdditionalSamAccountName $ msDS-ExecuteScriptPassword $ msDS-KrbTgtLink $ msDS-RevealedUsers $ msDS-NeverRevealGroup $ msDS-RevealOnDemandGroup $ msDS-RevealedList $ msDS-AuthenticatedAtDC $ msDS-isGC $ msDS-isRODC $ msDS-SiteName $ msDS-PromotionSettings $ msTPM-OwnerInformation $ msTSProperty01 $ msTSProperty02 $ msDS-IsUserCachableAtRodc $ msDS-HostServiceAccount $ msTSEndpointData $ msTSEndpointType $ msTSEndpointPlugin $ msTSPrimaryDesktopBL $ msTSSecondaryDesktopBL $ msTPM-TpmInformationForComputer $ msDS-GenerationId $ msImaging-ThumbprintHash $ msImaging-HashAlgorithm $ netbootDUID $ msSFU30Name $ msSFU30Aliases $ msSFU30NisDomain $ nisMapName ) )
Below is the list of systemMayContain attributes:
"systemMayContain":["msImaging-HashAlgorithm","msImaging-ThumbprintHash","msDS-GenerationId","msTPM-TpmInformationForComputer","msTSSecondaryDesktopBL","msTSPrimaryDesktopBL","msTSEndpointPlugin","msTSEndpointType","msTSEndpointData","msDS-HostServiceAccount","msDS-IsUserCachableAtRodc","msTSProperty02","msTSProperty01","msTPM-OwnerInformation","msDS-RevealOnDemandGroup","msDS-NeverRevealGroup","msDS-PromotionSettings","msDS-SiteName","msDS-isRODC","msDS-isGC","msDS-AuthenticatedAtDC","msDS-ExecuteScriptPassword","msDS-RevealedList","msDS-RevealedUsers","msDS-KrbTgtLink","volumeCount","siteGUID","rIDSetReferences","policyReplicationFlags","physicalLocationObject","operatingSystemVersion","operatingSystemServicePack","operatingSystemHotfix","operatingSystem","networkAddress","netbootSIFFile","netbootMirrorDataFile","netbootMachineFilePath","netbootInitialization","netbootDUID","netbootGUID","msDS-AdditionalSamAccountName","msDS-AdditionalDnsHostName","managedBy","machineRole","location","localPolicyFlags","dNSHostName","defaultLocalPolicyObject","cn","catalogs"]
If we consider msImaging-HashAlgorithm, msImaging-ThumbprintHash, msTPM-TpmInformationForComputer, msTSEndpointPlugin, msTSEndpointType, msTSEndpointData, msDS-HostServiceAccount, msTSProperty02, msTSProperty01, msTPM-OwnerInformation, msDS-RevealOnDemandGroup, msDS-NeverRevealGroup, msDS-PromotionSettings, msDS-AuthenticatedAtDC, msDS-RevealedUsers, msDS-KrbTgtLink, volumeCount, rIDSetReferences, policyReplicationFlags, physicalLocationObject, operatingSystemVersion, operatingSystemServicePack, operatingSystemHotfix, operatingSystem, networkAddress, managedBy, machineRole, location, localPolicyFlags, dNSHostName, defaultLocalPolicyObject, cn, catalogs, these fields are user-modifiable and part of the systemMayContain list.
When I tried setting a value while creating a Computer object, it was allowed. Is there any way to know the system-only fields which do not allow user input? Thank you.
Answer 1:
This information is specific to Active Directory. MSDN has documentation for each schema attribute -- e.g. CN -- which documents if the attribute is "system only" or not.
For an automated process, search at the base cn=schema,cn=configuration,dc=example,dc=com with the filter (&(ldapDisplayName=AttributeName)) and return the value of systemOnly. E.g. this shows that operatingSystemServicePack is user writable:
***Searching...
ldap_search_s(ld, "cn=schema,cn=configuration,dc=example,dc=com", 2, "(&(ldapDisplayName=operatingSystemServicePack))", attrList, 0, &msg)
Getting 1 entries:
Dn: CN=Operating-System-Service-Pack,CN=Schema,CN=Configuration,dc=example,dc=com
systemOnly: FALSE;
You can also list all of the system-only attributes by using the filter (&(systemOnly=TRUE)) and returning ldapDisplayName:
***Searching...
ldap_search_s(ld, "cn=schema,cn=configuration,dc=example,dc=com", 2, "(&(systemOnly=TRUE))", attrList, 0, &msg)
Getting 189 entries:
Dn: CN=OM-Object-Class,CN=Schema,CN=Configuration,dc=example,dc=com
lDAPDisplayName: oMObjectClass;
Dn: CN=Canonical-Name,CN=Schema,CN=Configuration,dc=example,dc=com
lDAPDisplayName: canonicalName;
Dn: CN=Managed-Objects,CN=Schema,CN=Configuration,dc=example,dc=com
lDAPDisplayName: managedObjects;
Dn: CN=MAPI-ID,CN=Schema,CN=Configuration,dc=example,dc=com
lDAPDisplayName: mAPIID;
Dn: CN=Mastered-By,CN=Schema,CN=Configuration,dc=example,dc=com
lDAPDisplayName: masteredBy;
Dn: CN=Top,CN=Schema,CN=Configuration,dc=example,dc=com
lDAPDisplayName: top;
Dn: CN=NTDS-DSA-RO,CN=Schema,CN=Configuration,dc=example,dc=com
lDAPDisplayName: nTDSDSARO;
Dn: CN=Application-Process,CN=Schema,CN=Configuration,dc=example,dc=com
lDAPDisplayName: applicationProcess;
...
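Putting the answer's two searches to use, as an added example (not code from the question or the answer): this Python parses ldp.exe output in the format shown above, builds the per-attribute filter with RFC 4515 escaping, and reports which attributes of a list such as the computer class's systemMayContain are system-only, user-writable, or not covered by the schema output. The sample output is constructed from the three values the answer shows.

```python
"""Split AD schema attributes into system-only vs user-writable from ldp.exe output.

Added example (not from the question or answer). It parses the "Dn: ..." and
"attribute: value;" lines that ldp.exe prints, builds the per-attribute filter
from the answer with RFC 4515 escaping, and applies the result to an attribute
list such as a class's systemMayContain. The sample output is constructed.
"""
import re

# Constructed sample in ldp.exe's output format; the three values match the
# answer (canonicalName and masteredBy are systemOnly, the service pack is not).
LDP_OUTPUT = """\
***Searching...
Getting 3 entries:
Dn: CN=Canonical-Name,CN=Schema,CN=Configuration,dc=example,dc=com
lDAPDisplayName: canonicalName;
systemOnly: TRUE;
Dn: CN=Mastered-By,CN=Schema,CN=Configuration,dc=example,dc=com
lDAPDisplayName: masteredBy;
systemOnly: TRUE;
Dn: CN=Operating-System-Service-Pack,CN=Schema,CN=Configuration,dc=example,dc=com
lDAPDisplayName: operatingSystemServicePack;
systemOnly: FALSE;
"""

def parse_ldp(text):
    """Return {lDAPDisplayName: systemOnly (bool)} from ldp.exe search output."""
    entries, current = [], None
    for line in text.splitlines():
        if line.startswith("Dn: "):            # each entry starts with its DN
            current = {"Dn": line[4:]}
            entries.append(current)
        elif current is not None and ": " in line:
            name, value = line.split(": ", 1)
            current[name] = value.rstrip(";")  # ldp terminates values with ';'
    return {e["lDAPDisplayName"]: e.get("systemOnly") == "TRUE"
            for e in entries if "lDAPDisplayName" in e}

def schema_filter(ldap_display_name):
    """Filter from the answer; escapes RFC 4515 special characters in the name."""
    esc = re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), ldap_display_name)
    return "(&(ldapDisplayName=%s))" % esc

def classify(attributes, schema_info):
    """Split attributes into (system_only, user_writable, not_in_schema_info)."""
    system_only = sorted(a for a in attributes if schema_info.get(a) is True)
    writable = sorted(a for a in attributes if schema_info.get(a) is False)
    unknown = sorted(a for a in attributes if a not in schema_info)
    return system_only, writable, unknown
```

Attributes that land in the "unknown" bucket were simply not present in the captured output; run the (&(systemOnly=TRUE)) search once and any attribute absent from it is user-writable.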
Source: https://stackoverflow.com/questions/59611514/finding-system-modifiable-attributes-for-each-object-class-in-microsoft-active-d