Remko Weijnen's Blog (Remko's Blog)

About Virtualization, VDI, SBC, Application Compatibility and anything else I feel like

Archive for the ‘Active Directory’ Category

I wanted to read the otherWellKnownObjects attribute from an Active Directory object.

In my case this was the Microsoft Exchange container in the Configuration partition:


The otherWellKnownObjects attribute is of type ADSTYPE_DN_WITH_BINARY which unfortunately cannot be viewed or edited with ADSI Edit:

There is no editor registered to handle this attribute type 
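Because ADSI Edit has no editor for this syntax, the practical way to read such a value is to fetch its LDAP string form (which any LDAP client or the Get-ADObject cmdlet can return) and decode it yourself. Microsoft writes DN-With-Binary values as `B:<hex length>:<hex>:<dn>`, and for wellKnownObjects/otherWellKnownObjects the hex part is a 16-byte GUID whose digits read in the same order as the braced GUID string. The parser below is an added example, not code from the original post; the sample value, including its GUID, is constructed and not a real well-known-object GUID.

```python
import uuid
from dataclasses import dataclass


@dataclass(frozen=True)
class DnWithBinary:
    """One value of a DN-With-Binary (ADSTYPE_DN_WITH_BINARY) attribute."""
    binary: bytes
    dn: str

    def guid(self) -> str:
        # wellKnownObjects / otherWellKnownObjects carry a 16-byte GUID whose
        # hex text reads in the same order as the familiar dashed GUID string,
        # so no byte swapping is needed here.
        if len(self.binary) != 16:
            raise ValueError("binary part is not a 16-byte GUID")
        return str(uuid.UUID(hex=self.binary.hex()))


def parse_dn_with_binary(value: str) -> DnWithBinary:
    """Parse the LDAP string form 'B:<hex length>:<hex>:<dn>'."""
    # The DN itself may contain ':' only in unusual cases, but splitting at most
    # three times keeps anything after the third colon intact.
    parts = value.split(":", 3)
    if len(parts) != 4 or parts[0] != "B":
        raise ValueError(f"not a DN-With-Binary value: {value!r}")
    _, length_text, hex_text, dn = parts
    if not length_text.isdigit():
        raise ValueError(f"bad length field: {length_text!r}")
    if int(length_text) != len(hex_text) or len(hex_text) % 2:
        raise ValueError("length field does not match the hex payload")
    try:
        binary = bytes.fromhex(hex_text)
    except ValueError as exc:
        raise ValueError(f"payload is not hex: {hex_text!r}") from exc
    if not dn:
        raise ValueError("empty DN")
    return DnWithBinary(binary, dn)


def format_dn_with_binary(binary: bytes, dn: str) -> str:
    """Inverse of parse_dn_with_binary, producing the form AD accepts on write."""
    hex_text = binary.hex().upper()
    return f"B:{len(hex_text)}:{hex_text}:{dn}"


# Constructed sample value: placeholder GUID and a made-up DN, not real data.
SAMPLE_VALUE = (
    "B:32:0123456789ABCDEF0123456789ABCDEF:"
    "CN=Address Lists Container,CN=Microsoft Exchange,CN=Services,"
    "CN=Configuration,DC=example,DC=com"
)

if __name__ == "__main__":
    entry = parse_dn_with_binary(SAMPLE_VALUE)
    print(entry.guid(), "->", entry.dn)
    print(format_dn_with_binary(entry.binary, entry.dn) == SAMPLE_VALUE)
```

Validating the length field before decoding matters: a value that has been truncated or hand-edited will fail loudly instead of silently producing a wrong GUID and pointing tooling at the wrong container.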



Adding a hidden Exchange mailbox to Outlook

In Exchange it’s possible to hide a Mailbox from the (Global) Address List. You can do that in the Exchange System Manager:


But after you have hidden a Mailbox you cannot create an Outlook profile for it (or add it as an extra mailbox).


When you click Check Name in the wizard you’ll get an error:


The common workaround is to remove the “Hide from Exchange address lists” setting, create the profile (or add the Mailbox) and afterwards set it again.

Once the profile is created it all keeps working.

There is an easier solution though!


Recursive Groups #2

In my previous post I explained how to get the recursive group membership with a very simple PowerShell script.

Commenter Michel thought that the script only tested one level deep but it doesn’t.

But let’s prove that!

Create 3 Global Groups in your Active Directory and name them Level1, Level2 and Level3:


Make Level3 a member of Level2, make Level2 a member of Level1, and finally add an account to the Level3 group:


Recursive Group Membership in PowerShell

In this post I will show an easy way to get the recursive group membership for the current user.

I use this in a logon script to handle certain tasks based on group membership.

Most scripts I see for this task do a manual recursive enumeration, but in a large environment this can be very slow.

A better way would be to use the tokenGroups attribute of the Active Directory user object.

The tokenGroups attribute is an array of SIDs computed by Active Directory and is used to verify user access.

We need to translate these SIDs to their sAMAccountNames to get the actual group names.

In unmanaged code this could be accomplished by calling the DsCrackNames API or the IADsNameTranslate interface.
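Whatever language does the lookup, the values tokenGroups hands back are binary SIDs, so the first step is decoding them before any name translation. The code below is an added example (not the post's PowerShell script): it decodes and re-encodes the binary SID layout (revision, sub-authority count, 6-byte big-endian identifier authority, little-endian 32-bit sub-authorities) and then maps SIDs to sAMAccountNames. The SID-to-name table and the token group list are constructed stand-ins for what an objectSid lookup and the tokenGroups attribute would return in a real domain; the domain SID and RIDs are made up.

```python
import struct
from typing import Dict, Iterable, List


def sid_to_string(raw: bytes) -> str:
    """Convert a binary SID (as in tokenGroups or objectSid) to S-1-... form."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match its sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")          # 6 bytes, big-endian
    subs = struct.unpack("<%dI" % count, raw[8:])        # 32-bit little-endian each
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def string_to_sid(text: str) -> bytes:
    """Inverse of sid_to_string; handy for building lookup keys and test data."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S" or parts[1] != "1":
        raise ValueError(f"not a SID string: {text!r}")
    authority = int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:
        raise ValueError("too many sub-authorities")
    return (bytes([1, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def group_names(token_groups: Iterable[bytes], sid_to_name: Dict[str, str]) -> List[str]:
    """Translate tokenGroups SIDs to names; unresolved SIDs stay in S-1-... form
    so a stale or foreign-domain group is visible rather than silently dropped."""
    names = [sid_to_name.get(sid_to_string(raw), sid_to_string(raw)) for raw in token_groups]
    return sorted(names)


# Constructed domain SID and group RIDs (not real values).
DOMAIN_SID = "S-1-5-21-1111-2222-3333"
SID_TO_NAME = {
    f"{DOMAIN_SID}-513": "Domain Users",
    f"{DOMAIN_SID}-1107": "Level1",
    f"{DOMAIN_SID}-1108": "Level2",
    f"{DOMAIN_SID}-1109": "Level3",
    "S-1-5-32-545": "Users",
}

# Constructed tokenGroups value for a user who is a direct member of Level3 only:
# AD has already expanded the nesting, so Level2 and Level1 appear as well.
TOKEN_GROUPS = [
    string_to_sid(f"{DOMAIN_SID}-513"),
    string_to_sid(f"{DOMAIN_SID}-1109"),
    string_to_sid(f"{DOMAIN_SID}-1108"),
    string_to_sid(f"{DOMAIN_SID}-1107"),
    string_to_sid("S-1-5-32-545"),
    string_to_sid(f"{DOMAIN_SID}-4242"),   # no matching object: left as a SID string
]

if __name__ == "__main__":
    for name in group_names(TOKEN_GROUPS, SID_TO_NAME):
        print(name)
```

Keeping unresolved SIDs in the output instead of discarding them is deliberate: in a logon script an unexpected SID is a signal worth logging (a group deleted but still referenced, or a trust relationship in flux), not noise.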


I was creating an unattended Exchange 2007 install job today and while testing it, it failed with the following error:

Active Directory operation failed on nl-dc001.MYDOMAIN.LAN. The object ‘CN=Default Global Address List,CN=All Global Address Lists,CN=Address Lists Container,CN=My Organisation,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=MYDOMAIN,DC=LOCAL’ already exists

I opened the Exchange System Manager and expanded the Tree (Recipient | All Address Lists | All Global Address Lists) and I found 2 Global Address Lists but not the Default Global Address List:



I was trying to install HP Insight Control server deployment (previously called HP Rapid Deployment Pack) on SQL Server 2008 Express. I will just call it Deployment Server or DS from here.

I first installed SQL 2008 Express with Advanced Services and configured it to listen on port 1433 as required by DS.

The installation of the first part (Deployment Server version 6.9.4) indicated a successful install, but the prerequisites check of the Hotfix version 2.0 installer failed on the last step:

No Attached Consoles HP Deployment Server

This was strange because I hadn't started the console yet, so I decided to start it and close it, as this would perhaps allow me to continue.

The next screen was a clear indication something went wrong:

Altiris Deployment Server Unable to Connect

I presumed that the ODBC connection was missing, so I went to Administrative Tools | Data Sources (ODBC). But the ODBC connection was present. I then fired up SQL Server Management Studio, which showed me that the eXpress database was missing.

Active Directory Properties Commandline Tool

I have written a small commandline tool that shows the Active Directory Property Sheet for a given account.

The property sheet is what you get when you double-click an object in Active Directory Users & Computers. Basically this tool is meant to make it easy to quickly view or change properties without needing to start a GUI tool and look up the account in the AD tree.

I needed to obtain the Fully Qualified Domain Name (FQDN) for a given NetBIOS domain name, e.g. from MYDOMAIN to dc=mydomain,dc=local.

I did some tests with the TranslateName API and if you append a \ to the domain name it returns the FQDN.

Here is a short example:


Random Active Directory Notes #4

Previously I discussed IDirectoryObject, today I will show how to change a user’s password with IDirectoryObject.

I didn’t find any documentation except a KB article describing how to use pure LDAP to do it. Of course I could have used IADsUser::SetPassword but I decided not to because of the following reasons:

  • IADs interfaces are terribly slow (although for one use you probably wouldn’t really notice).
  • IADsUser::SetPassword tries 3 different methods to set the password (LDAP over SSL, Kerberos and finally NetUserSetInfo) which makes it even slower (most domain controllers do not have an SSL certificate) and unpredictable.

All example code I found was .NET based, using the .NET wrappers for Active Directory, and seemed to be meant for use in ADAM rather than full Active Directory (it set the port number to 389 and the password mode to cleartext).

In the end it’s not very difficult but nonetheless it took me a while before I got it right.

We can write to the unicodePwd attribute, which wants the password as a double-quoted Unicode string. If you look at this attribute with ADSI Edit you’ll see that the type is Octet String and that it is write-only.

I was tricked with Delphi’s QuotedStr function for a while because it doesn’t return a double but single quoted string 😉

Below a small snippet from the upcoming JwsclActiveDirectory that shows how to use it:
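The encoding rule is simple but easy to get subtly wrong, as the single-versus-double quote mix-up shows: the value must be the password wrapped in ASCII double quotes and then encoded as UTF-16LE without a byte-order mark. The following is an added example in Python rather than the post's Delphi snippet; it produces the attribute value, decodes it back so you can see what the directory receives, and builds the two modification shapes the KB article distinguishes (an administrative reset as a single replace, a user-initiated change as a delete of the old value plus an add of the new one). It stops short of sending anything: the modify itself must go over an encrypted channel such as LDAP over SSL, which a domain controller requires before it will accept a unicodePwd write, and the `Modification` tuple is a generic representation, not any particular LDAP library's API.

```python
from typing import List, Tuple

# (operation, attribute, values): a library-neutral description of one LDAP change.
Modification = Tuple[str, str, List[bytes]]


def encode_unicode_pwd(password: str) -> bytes:
    """Encode a password as the unicodePwd attribute expects it:
    enclosed in double quotes, UTF-16LE, no byte-order mark."""
    if not password:
        raise ValueError("empty password")
    return f'"{password}"'.encode("utf-16-le")


def decode_unicode_pwd(raw: bytes) -> str:
    """Reverse the encoding; rejects values that are not double-quoted, which is
    exactly the shape a QuotedStr-style single-quoted string ends up in."""
    text = raw.decode("utf-16-le")
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        raise ValueError("unicodePwd value is not a double-quoted string")
    return text[1:-1]


def reset_password_mods(new_password: str) -> List[Modification]:
    """Administrative reset: one replace of unicodePwd (needs the reset-password right)."""
    return [("replace", "unicodePwd", [encode_unicode_pwd(new_password)])]


def change_password_mods(old_password: str, new_password: str) -> List[Modification]:
    """User-initiated change: delete the old value and add the new one in the same
    modify request, so the directory can verify the old password."""
    return [
        ("delete", "unicodePwd", [encode_unicode_pwd(old_password)]),
        ("add", "unicodePwd", [encode_unicode_pwd(new_password)]),
    ]


if __name__ == "__main__":
    # Constructed sample password; not a real credential.
    value = encode_unicode_pwd("Example-Pa55")
    print(value.hex())                       # note the 22 00 ('"') at both ends
    print(decode_unicode_pwd(value))
    for op, attr, vals in change_password_mods("Old-Pa55", "Example-Pa55"):
        print(op, attr, len(vals[0]), "bytes")
```

Running the encoded value back through `decode_unicode_pwd` is a cheap self-check to put next to any password-setting routine: a wrong quote character or a stray BOM is caught locally, instead of surfacing as an opaque "unwilling to perform" error from the domain controller.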

Using Windows Dialogs from Delphi

Today I reused a unit I wrote a long time ago for TSAdminEx that shows resource dialogs from DLLs or executables. I wrote it for a couple of reasons:

  • Reusing existing dialogs is convenient since the user already knows them.
  • Windows takes care of translating it into the user’s language.
  • I am too lazy to recreate them 😉

The code is hardly rocket science and could probably be improved and made more sophisticated, but it works for me. I decided to share it since you may find it useful.

Here is a small usage example that shows the Reset Password dialog from Active Directory Users & Computers. This dialog is in dsadmin.dll (on Windows Vista/7 you will find it in dsadmin.dll.mui in the language subfolder, e.g. %systemroot%\system32\en-US, but you can load it using just the DLL name).

It looks like this: