Unity users not showing in AD Users & Computers?

 26 Aug 2007 02:38:10 pm

Some user objects created or modified by Cisco Unity fail to show in Active Directory Users and Computers unless Advanced Features is enabled.

In addition to simple view issues, some tools (e.g. Microsoft’s own ADMT) fail to locate user accounts. This is how I ran into the issue this weekend, trying to do a migration for one of our customers. Fortunately for them only about 100 mailboxes were affected.

As I understand it this is thanks to Cisco Unity (confirmed in 4.2.1 and 5.x). Looking at the Directory attributes it modifies (the AD attributes Unity has access to) you’ll notice that the Unity attribute AVP_HIDDEN_IN_DIRECTORY is listed for both the msExchHideFromAddressLists attribute (which stops a user from getting displayed in the Exchange address lists that someone would look at in Outlook) as well as the showInAdvancedViewOnly attribute (which stops it from getting displayed in a host of other places). Although I haven’t been able to do extensive testing I’m fairly confident now that when you set a user as hidden from the directory in Unity it’s modifying both attributes in AD, and that is the root of the problem.

So the question is how to fix it?
What I ended up doing was to use ldifde.exe to export the user objects where the attribute was set to true:

Code :
> ldifde -f hidden_users.ldf -r "(&(objectClass=user)(showInAdvancedViewOnly=TRUE))" -l showInAdvancedViewOnly

Next I used PowerShell to parse the LDF file and give me a list of the DNs of the users to fix:
Code :
> Get-Content hidden_users.ldf | where { $_ -like "dn:*" } | Out-File Users-to-fix.txt

And assembled a quick PowerShell script to generate a new LDF for import:
Code :
Fix-hidden-users.ps1
---------------------------------
# Read the list of DNs and append one LDIF "modify" record per DN
Get-Content $fixusers | ForEach-Object -Process {
    Write-Output $_ >> fixed_users.ldf                      # the "dn: ..." line from the export
    Write-Output "changetype: modify" >> fixed_users.ldf
    Write-Output "replace: showInAdvancedViewOnly" >> fixed_users.ldf
    Write-Output "showInAdvancedViewOnly: FALSE" >> fixed_users.ldf
    Write-Output "-" >> fixed_users.ldf                     # ends the attribute change
    Write-Output "" >> fixed_users.ldf                      # blank line ends the record
}

Set the filename variable and run it:
Code :
> Set-Variable fixusers Users-to-fix.txt
> .\Fix-hidden-users.ps1

Lastly use ldifde.exe again to import the changes:
Code :
> ldifde -i -f fixed_users.ldf
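Below is an added PowerShell example (mine, not Erik's script) that rebuilds the LDF generation step so it survives ldifde's folding of long DNs across lines (a folded "dn:" line would be cut short by the -like "dn:*" filter above) and only clears showInAdvancedViewOnly on objects that also have msExchHideFromAddressLists set, the pair Unity writes together. It assumes the export was run as `ldifde -f hidden_users.ldf -r "(&(objectCategory=person)(objectClass=user)(showInAdvancedViewOnly=TRUE))" -l showInAdvancedViewOnly,msExchHideFromAddressLists` (objectCategory=person keeps computer objects, which are also objectClass=user, out of the result) and that the DNs are plain ASCII; the sample export is constructed.

```powershell
# Added example (not the post's script); assumes the export described in the lead-in.
function Read-LdifRecords {
    param([string[]]$Lines)
    # ldifde folds long lines; a line starting with a space continues the previous one.
    $unfolded = New-Object System.Collections.Generic.List[string]
    foreach ($line in $Lines) {
        if ($line.StartsWith(' ') -and $unfolded.Count -gt 0) {
            $unfolded[$unfolded.Count - 1] = $unfolded[$unfolded.Count - 1] + $line.Substring(1)
        } else { $unfolded.Add($line) }
    }
    $records = @(); $current = @{}
    foreach ($line in $unfolded) {
        if ($line -eq '') {                                   # a blank line ends a record
            if ($current.Count -gt 0) { $records += ,$current; $current = @{} }
        } elseif ($line -match '^([^:]+):\s*(.*)$') {         # "attribute: value"
            $current[$Matches[1]] = $Matches[2]
        }
    }
    if ($current.Count -gt 0) { $records += ,$current }
    return $records
}

function New-UnhideLdif {
    param([hashtable[]]$Records)
    $out = New-Object System.Collections.Generic.List[string]
    foreach ($r in $Records) {
        # Only objects carrying the Unity signature (both attributes TRUE) are touched.
        if ($r['showInAdvancedViewOnly'] -ne 'TRUE' -or $r['msExchHideFromAddressLists'] -ne 'TRUE') { continue }
        $out.AddRange([string[]]@("dn: $($r['dn'])", 'changetype: modify',
            'replace: showInAdvancedViewOnly', 'showInAdvancedViewOnly: FALSE', '-', ''))
    }
    return $out
}

# Constructed sample export: one Unity-hidden user and one deliberately hidden
# service account whose long DN ldifde folded across two lines.
$sample = @'
dn: CN=Unity Test User,OU=Unity Users,DC=example,DC=com
changetype: add
showInAdvancedViewOnly: TRUE
msExchHideFromAddressLists: TRUE

dn: CN=Deliberately Hidden Service Account With A Very Long Name,OU=Service Acc
 ounts,DC=example,DC=com
changetype: add
showInAdvancedViewOnly: TRUE
'@ -split "`r?`n"
$ldif = New-UnhideLdif (Read-LdifRecords $sample)
$ldif | Out-File fixed_users.ldf -Encoding ASCII   # ldifde -i reads ASCII without the -u switch
```

With the constructed sample only the modify record for CN=Unity Test User is written; the folded service account, which lacks msExchHideFromAddressLists, is left alone for manual review.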


As usual the typical disclaimers apply. There may be a good reason that your accounts are hidden, so do your homework first; you also may want to consider limiting the scope of your LDF export by specifying the base DN with the -d switch. Any damage you cause by using the above tasks/scripts is your own problem, USE AT YOUR OWN RISK!

Good Luck!

Erik Szewczyk

Posted By : Erik | Category: Active Directory | Comments [[124]] | Trackbacks [0]

How to enable Vista’s Network Map for Domain Members

 17 Oct 2006 03:24:13 am

For those of you who have had a chance to play with Microsoft’s Windows Vista, there is a handy new feature called the “Network Map”. Vista uses the Link Layer Topology Discovery protocol (LLTD), a layer 2 protocol that gathers information about neighboring devices to create (among other things) a top-down map of your network segment.

However this feature is disabled by default on domain member machines, the reason being that if you had it enabled in the enterprise on every machine it could pose a security risk (and let’s just face it, this isn’t exactly something I want enabled across the enterprise). However for your IT department or in smaller domains you may want to enable this feature. To do so you’ll need to make some quick group policy changes.

If you haven’t already, create a GPO and link it to the OU that the computer account(s) reside in. Click on “start” and in the search box (or a run dialog) type “MMC”. Click on “File” and “Add/Remove Snap-in…” and add the “Group Policy Management” snap-in to your console. Drill down and edit the policy you wish to change and browse to Computer Configuration>Administrative Templates>Network>Link-Layer Topology Discovery. Here you will notice 2 policies, “Turn on Mapper I/O (LLTDIO) driver” and “Turn on Responder (RSPNDR) driver”. If you enable the mapper driver it will allow the client(s) to connect out over the network and look for other devices; if you enable the responder it will allow other machines to locate these client(s).

I do not recommend enabling this functionality while on public networks.

Cheers,
Erik Szewczyk

Posted By : Erik | Category: Active Directory | Comments [[72]] | Trackbacks [0]
