Finding System modifiable attributes for each object class in Microsoft Active Directory

旧时模样 提交于 2020-02-06 16:21:07

问题


We could see attributes which are part of systemMayContain attributes list are user modifiable. If we consider the computer object class. Below is the definition of object class ( 1.2.840.113556.1.3.30 NAME 'computer' SUP user STRUCTURAL MAY (cn $ networkAddress $ localPolicyFlags $ defaultLocalPolicyObject $ machineRole $ location $ netbootInitialization $ netbootGUID $ netbootMachineFilePath $ siteGUID $ operatingSystem $ operatingSystemVersion $ operatingSystemServicePack $ operatingSystemHotfix $ volumeCount $ physicalLocationObject $ dNSHostName $ policyReplicationFlags $ managedBy $ rIDSetReferences $ catalogs $ netbootSIFFile $ netbootMirrorDataFile $ msDS-AdditionalDnsHostName $ msDS-AdditionalSamAccountName $ msDS-ExecuteScriptPassword $ msDS-KrbTgtLink $ msDS-RevealedUsers $ msDS-NeverRevealGroup $ msDS-RevealOnDemandGroup $ msDS-RevealedList $ msDS-AuthenticatedAtDC $ msDS-isGC $ msDS-isRODC $ msDS-SiteName $ msDS-PromotionSettings $ msTPM-OwnerInformation $ msTSProperty01 $ msTSProperty02 $ msDS-IsUserCachableAtRodc $ msDS-HostServiceAccount $ msTSEndpointData $ msTSEndpointType $ msTSEndpointPlugin $ msTSPrimaryDesktopBL $ msTSSecondaryDesktopBL $ msTPM-TpmInformationForComputer $ msDS-GenerationId $ msImaging-ThumbprintHash $ msImaging-HashAlgorithm $ netbootDUID $ msSFU30Name $ msSFU30Aliases $ msSFU30NisDomain $ nisMapName ) )

Below is the list systemMayContain attributes "systemMayContain":["msImaging-HashAlgorithm","msImaging-ThumbprintHash","msDS-GenerationId","msTPM-TpmInformationForComputer","msTSSecondaryDesktopBL","msTSPrimaryDesktopBL","msTSEndpointPlugin","msTSEndpointType","msTSEndpointData","msDS-HostServiceAccount","msDS-IsUserCachableAtRodc","msTSProperty02","msTSProperty01","msTPM-OwnerInformation","msDS-RevealOnDemandGroup","msDS-NeverRevealGroup","msDS-PromotionSettings","msDS-SiteName","msDS-isRODC","msDS-isGC","msDS-AuthenticatedAtDC","msDS-ExecuteScriptPassword","msDS-RevealedList","msDS-RevealedUsers","msDS-KrbTgtLink","volumeCount","siteGUID","rIDSetReferences","policyReplicationFlags","physicalLocationObject","operatingSystemVersion","operatingSystemServicePack","operatingSystemHotfix","operatingSystem","networkAddress","netbootSIFFile","netbootMirrorDataFile","netbootMachineFilePath","netbootInitialization","netbootDUID","netbootGUID","msDS-AdditionalSamAccountName","msDS-AdditionalDnsHostName","managedBy","machineRole","location","localPolicyFlags","dNSHostName","defaultLocalPolicyObject","cn","catalogs"]

If we consider msImaging-HashAlgorithm, msImaging-ThumbprintHash, msTPM-TpmInformationForComputer, msTSEndpointPlugin, msTSEndpointType, msTSEndpointData, msDS-HostServiceAccount, msTSProperty02, msTSProperty01, msTPM-OwnerInformation, msDS-RevealOnDemandGroup, msDS-NeverRevealGroup, msDS-PromotionSettings, msDS-AuthenticatedAtDC, msDS-RevealedUsers, msDS-KrbTgtLink, volumeCount, rIDSetReferences, policyReplicationFlags, physicalLocationObject, operatingSystemVersion, operatingSystemServicePack, operatingSystemHotfix, operatingSystem, networkAddress, managedBy, machineRole, location, localPolicyFlags, dNSHostName, defaultLocalPolicyObject, cn, catalogs these fields are user modifiable and part of systemMayContain list. When tried with setting value while creating Computer object it allows. Is there any way to know only system fields which does not allow user input? Thank you.


回答1:


This information is specific to Active Directory. MSDN has documentation for each schema attribute -- e.g. CN -- which documents if the attribute is "system only" or not.

For an automated process, search at the base cn=schema,cn=configuration,dc=example,dc=com with the filter (&(ldapDisplayName=AttributeName))and return the value of systemOnly. E.G. this shows that operatingSystemServicePack is user writable.

***Searching...
ldap_search_s(ld, "cn=schema,cn=configuration,dc=example,dc=com", 2, "(&(ldapDisplayName=operatingSystemServicePack))", attrList,  0, &msg)
Getting 1 entries:
Dn: CN=Operating-System-Service-Pack,CN=Schema,CN=Configuration,dc=example,dc=com
systemOnly: FALSE; 

You can also list all of the system-only attributes by using the filter (&(systemOnly=TRUE)) and returning ldapDisplayName

***Searching...
ldap_search_s(ld, "cn=schema,cn=configuration,dc=example,dc=com", 2, "(&(systemOnly=TRUE))", attrList,  0, &msg)
Getting 189 entries:
Dn: CN=OM-Object-Class,CN=Schema,CN=Configuration,dc=example,dc=com
lDAPDisplayName: oMObjectClass; 

Dn: CN=Canonical-Name,CN=Schema,CN=Configuration,dc=example,dc=com
lDAPDisplayName: canonicalName; 

Dn: CN=Managed-Objects,CN=Schema,CN=Configuration,dc=example,dc=com
lDAPDisplayName: managedObjects; 

Dn: CN=MAPI-ID,CN=Schema,CN=Configuration,dc=example,dc=com
lDAPDisplayName: mAPIID; 

Dn: CN=Mastered-By,CN=Schema,CN=Configuration,dc=example,dc=com
lDAPDisplayName: masteredBy; 

Dn: CN=Top,CN=Schema,CN=Configuration,dc=example,dc=com
lDAPDisplayName: top; 

Dn: CN=NTDS-DSA-RO,CN=Schema,CN=Configuration,dc=example,dc=com
lDAPDisplayName: nTDSDSARO; 

Dn: CN=Application-Process,CN=Schema,CN=Configuration,dc=example,dc=com
lDAPDisplayName: applicationProcess; 
...


来源:https://stackoverflow.com/questions/59611514/finding-system-modifiable-attributes-for-each-object-class-in-microsoft-active-d

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!