| Author | Messages | |
jenniferbazell
Posts:8
 | | 01/23/2009 3:48 PM |
| W2K3 - Multi-domain forest
Please forgive this n00b if I don't say it right...
I would like to see the creator of most of our structural objects in AD, but don't understand why it's not a member of the partialAttributeSet like other important attributes. Perhaps this tree ran out of bark or I've got the wrong tree, but I couldn't find info via Google or ActiveDir archives that address it specifically.
--What would be the best way to enable it so I can view the creator of the most common structural objects? GUI or command line, doesn't matter as long as I can retrieve the value.
--Is there more than one way to get the creator info that would not affect the DIT size or replication too unfavorably?
Please advise, and I thank you in advance.
Jennifer
| | | |
| danholme
Posts:165
 | | 01/23/2009 3:55 PM |
| Unfortunately IIRC if you add an attribute to the PAS, it's for all object classes... you can't say "I want the Created By attribute to be in the PAS for OUs only"...
One thing I've done that's quick-and-dirty (but effective) is to have a process (script or otherwise) that moves the desired information (e.g. Created By) into an attribute that *is* replicated (e.g. info or description). Something like that. Your process can have the logic to limit the effort to desired object classes... that kind of thing.
I'm sure the big brains here will have better ideas, but that's one...
Dan Dan Holme Intelliem (www.intelliem.com) 808.463.4858 new iPhone
| | | |
| jenniferbazell
Posts:8
 | | 01/23/2009 4:07 PM |
| Thanks for your input Dan.
So if I forget the PAS option, perhaps add creator to select structural objects as an optional attribute?
We may consider the solution as part of the W2K8-AD implementation as well.
| | | |
| jenniferbazell
Posts:8
 | | 02/02/2009 3:19 PM |
| Sorry to bug, but I haven't received any other responses.
Does anyone have knowledge about implementing this attribute, please? What are the gotchas for this attribute, steps to enable it effectively, etc.?
I appreciate any guidance you can throw my way. Thanks much.
| | | |
| listmail
Posts:824
 | | 02/02/2009 3:19 PM |
| Personally I was a little confused by the question and was a bit surprised people could respond at all.
There is no builtin created by attribute for AD objects, in the PAS or not. This is an attribute you would have to create or leverage another attribute for and populate yourself and the control of whether or not this attribute was in the PAS would be entirely up to whomever created the attribute and/or wrote the script to populate the data into an existing attribute.
For example, if I wanted, I could push the creator information into the description attribute and it would show up in the GCs. Or I could push it into the info attribute and it wouldn't show up in the GCs. Or I could create a custom attribute named companyprefix-ObjectCreator and specify whether or not I wanted it part of the PAS and then populate as needed.
Again, since this created by isn't builtin functionality, you would either have to seriously lock down who could create things to people who would always populate that info, or lock it down to only tools that knew to populate that value, or you would have to have something swinging through and trying to figure out what value to populate the value with. If the people aren't admins, then you can look at the owner portion of the nTSecurityDescriptor but wouldn't really want to depend on that too much. Alternately you could have something scanning the event logs and populating the directory from that as well if you have the appropriate auditing enabled.
joe
-- O'Reilly Active Directory Fourth Edition - http://www.joeware.net/win/ad4e.htm
| | | |
| Gil
Posts:315
 | | 02/02/2009 3:19 PM |
| I was a little confused about this request as well and figured I just didn't read it carefully. I wonder if what the OP wants is the object owner from the ACL in the nTSecurityDescriptor attribute?
-g
| | | |
| gazzadownunder
Posts:10
 | | 02/02/2009 3:23 PM |
|
Not wanting to be rude, but I think you should step away from the AD.
Adding the attribute to the class is not going to solve your problem as it has been highlighted in previous posts. I think you should read Joe's post again and work out how you are going to implement a custom creation process first, then decide what attributes you need to add to the objects. It is advisable to create a new attribute for this purpose. Reusing existing attributes for purposes they were not intended for could lead to problems later down the track.
Have a read of these articles before you implement any schema changes: http://msdn.microsoft.com/en-us/library/ms676900(VS.85).aspx and http://technet.microsoft.com/en-us/library/cc773309.aspx
Gary.
________________________________
From: Bazell Jennifer C <Jennifer.C.Bazell@irs.gov>
To: ActiveDir@mail.activedir.org
Sent: Friday, 30 January, 2009 5:43:15 AM
Subject: RE: [ActiveDir] "creator" schema attribute
Thanks Davy. I have been looking for more info on the attributes and how to use them, do you know this from experience or can you point me in the direction where I can learn more myself? I may have missed it at some point last week before I got flummoxed.
Sooo, what if I added it to select classes (structural mostly)? What is the impact of adding any attribute to a structural class across the domain/forest currently in use?
________________________________
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Davy Pierson
Sent: Thursday, January 29, 2009 11:11 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] "creator" schema attribute
Jennifer,
From what I can see on the msdn site you show, the creator attribute is only used on the Index-Server-Catalog class.
It’s a mandatory attribute for that class, but it’s not an attribute of users and group classes.
In other words, this value is set by the system, but only when Index-Server-Catalog objects are created, not when OUs or users are created.
I couldn’t find any of these Index-Server-Catalog objects in my AD, anyone know if they are commonly used?
Hope this helps,
Regards,
DavyP
________________________________
From:ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Bazell Jennifer C
Sent: Thursday 29 January 2009 17:04
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] "creator" schema attribute
No, not the object owner. It is built-in, and I found it by trolling thru the schema for all attributes and wondered why it is not at least in the PAS. When I dsquery or adfind the attribute for a group or user object it comes back blank, yet every object should have a creator, right?
adfind -gc -b -f name="SomeGroupName" creator
MSDN describes the attribute as “the person that created the object” and says “this value is set by the system”.
http://msdn.microsoft.com/en-us/library/ms675472(VS.85).aspx
| | | |
| jenniferbazell
Posts:8
 | | 02/02/2009 3:27 PM |
| Perhaps a custom attribute is the way to go, it's worth trying in the test forest.
joe, thank you for answering my questions....and for your patience.
________________________________
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe Sent: Friday, January 30, 2009 1:18 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] "creator" schema attribute
I have never seen one myself prior to right now. I just created one, it requires you to specify a creator value since it is a mustContains, I put in a value of hello
dn:CN=testindexservercatalog,CN=Users,DC=test,DC=loc
>objectClass: top
>objectClass: leaf
>objectClass: connectionPoint
>objectClass: indexServerCatalog
>cn: testindexservercatalog
>distinguishedName: CN=testindexservercatalog,CN=Users,DC=test,DC=loc
>instanceType: 4
>whenCreated: 20090130071323.0Z
>whenChanged: 20090130071323.0Z
>uSNCreated: 3647059
>uSNChanged: 3647059
>showInAdvancedViewOnly: TRUE
>name: testindexservercatalog
>objectGUID: {16CEF398-1264-41F9-8F32-28E4DDE454F0}
>creator: hello
>objectCategory: CN=Index-Server-Catalog,CN=Schema,CN=Configuration,DC=test,DC=loc
Admittedly I could have missed it, but just to doublecheck, I went poking around in the Windows Server 2003 source code and didn't see any special hooks for the creator attribute. So even if you linked this to user or groups or whatever, it is still an attribute that would have to be manually populated with values. You wouldn't even be able to force the MUSTCONTAIN though since the objectclasses are already defined so it would be just like any other attribute you chose to use. Only populated if someone felt like it or the provisioning tools that could do the work forced it.
As I mentioned before, there is no attribute that is populated with the created by info. The closest is the owner property of the security descriptor and again as I said, I wouldn't really depend on that all too much.
joe
-- O'Reilly Active Directory Fourth Edition - http://www.joeware.net/win/ad4e.htm
________________________________
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Davy Pierson Sent: Thursday, January 29, 2009 12:11 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] "creator" schema attribute
Jennifer,
>From what I can see on the msdn site you show, the creator attribute is only used on the Index-Server-Catalog class.
It's a mandatory attribute for that class, but it's not an attribute of users and group classes.
In other words, this value is set by the system, but only when Index-Server-Catalog objects are created, not when OUs or users are created.
I couldn't find any of these Index-Server-Catalog objects in my AD, anyone know if they are commonly used?
Hope this helps,
Regards,
DavyP
________________________________
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Bazell Jennifer C Sent: donderdag 29 januari 2009 17:04 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] "creator" schema attribute
No, not the object owner. It is built-in, and I found it by trolling thru the schema for all attributes and wondered why it is not at least in the PAS. When I dsquery or adfind the attribute for a group or user object it comes back blank, yet every object should have a creator, right?
adfind -gc -b -f name="SomeGroupName" creator
MSDN describes the attribute as "the person that created the object" and says "this value is set by the system".
http://msdn.microsoft.com/en-us/library/ms675472(VS.85).aspx <http://msdn.microsoft.com/en-us/library/ms675472(VS.85).aspx>
________________________________
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Gil Kirkpatrick Sent: Thursday, January 29, 2009 8:47 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] "creator" schema attribute
I was a little confused about this request as well and figured I just didn't read it carefully. I wonder if what the OP wants is the object owner from the ACL in the nTSecurityDescriptor attribute?
-g
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe Sent: Thursday, January 29, 2009 1:48 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] "creator" schema attribute
Personally I was a little confused by the question and was a bit surprised people could respond at all.
There is no builtin created by attribute for AD objects, in the PAS or not. This is an attribute you would have to create or leverage another attribute for and populate yourself and the control of whether or not this attribut was in the PAS would be entirely up to whomever created the attribute and/or wrote the script to populate the data into an existing attribute.
For example, if I wanted, I could push the creator information into the description attribute and it would show up in the GCs. Or I could push it into the info attribut and it wouldn't show up in the GCs. Or I could create a custom attribute named companyprefix-ObjectCreator and specify whether or not I wanted it part of the PAS and then populate as needed.
Again, since this created by isn't builtin functionality, you would either have to seriously lock down who could create things to people who would always populate that info, or lock it down to only tools that knew to populate that value, or you would have to have something swinging through and trying to figure out what value to populate the value with. If the people aren't admins, then you can look at the owner portion of the nTSecurityDescriptor but wouldn't really want to depend on that too much. Alternately you could have something scanning the event logs and populating the directory from that as well if you have the appropriate auditing enabled.
joe
--
O'Reilly Active Directory Fourth Edition - http://www.joeware.net/win/ad4e.htm
________________________________
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Bazell Jennifer C Sent: Wednesday, January 28, 2009 10:51 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] "creator" schema attribute
Sorry to bug, but I haven't received any other responses.
Does anyone have knowledge about implementing this attribute, please? What are the gotchas for this attribute, steps to enable it effectively, etc.?
I appreciate any guidance you can throw my way. Thanks much.
________________________________
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Bazell Jennifer C Sent: Friday, January 23, 2009 3:02 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] "creator" schema attribute
Thanks for your input Dan.
So if I forget the PAS option, perhaps add creator to select structural objects as an optional attribute?
We may consider the solution as part of the W2K8-AD implementation as well.
| | | |
| listmail
Posts:824
 | | 02/02/2009 3:27 PM |
| No problem. 
joe
-- O'Reilly Active Directory Fourth Edition - http://www.joeware.net/win/ad4e.htm
_____
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Bazell Jennifer C Sent: Friday, January 30, 2009 1:31 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] "creator" schema attribute
Perhaps a custom attribute is the way to go, it's worth trying in the test forest.
joe, thank you for answering my questions....and for your patience.
_____
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe Sent: Friday, January 30, 2009 1:18 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] "creator" schema attribute
I have never seen one myself prior to right now. I just created one, it requires you to specify a creator value since it is a mustContains. I put in a value of hello:
dn:CN=testindexservercatalog,CN=Users,DC=test,DC=loc
>objectClass: top
>objectClass: leaf
>objectClass: connectionPoint
>objectClass: indexServerCatalog
>cn: testindexservercatalog
>distinguishedName: CN=testindexservercatalog,CN=Users,DC=test,DC=loc
>instanceType: 4
>whenCreated: 20090130071323.0Z
>whenChanged: 20090130071323.0Z
>uSNCreated: 3647059
>uSNChanged: 3647059
>showInAdvancedViewOnly: TRUE
>name: testindexservercatalog
>objectGUID: {16CEF398-1264-41F9-8F32-28E4DDE454F0}
>creator: hello
>objectCategory: CN=Index-Server-Catalog,CN=Schema,CN=Configuration,DC=test,DC=loc
Admittedly I could have missed it, but just to double-check, I went poking around in the Windows Server 2003 source code and didn't see any special hooks for the creator attribute. So even if you linked this to user or groups or whatever, it is still an attribute that would have to be manually populated with values. You wouldn't even be able to force the MUSTCONTAIN though since the objectclasses are already defined so it would be just like any other attribute you chose to use. Only populated if someone felt like it or the provisioning tools that could do the work forced it.
As I mentioned before, there is no attribute that is populated with the created by info. The closest is the owner property of the security descriptor and again as I said, I wouldn't really depend on that all too much.
joe
-- O'Reilly Active Directory Fourth Edition - http://www.joeware.net/win/ad4e.htm
_____
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Davy Pierson Sent: Thursday, January 29, 2009 12:11 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] "creator" schema attribute
Jennifer,
From what I can see on the msdn site you show, the creator attribute is only used on the Index-Server-Catalog class.
It's a mandatory attribute for that class, but it's not an attribute of users and group classes.
In other words, this value is set by the system, but only when Index-Server-Catalog objects are created, not when OUs or users are created.
I couldn't find any of these Index-Server-Catalog objects in my AD, anyone know if they are commonly used?
Hope this helps,
Regards,
DavyP
_____
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Bazell Jennifer C Sent: Thursday 29 January 2009 17:04 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] "creator" schema attribute
No, not the object owner. It is built-in, and I found it by trolling thru the schema for all attributes and wondered why it is not at least in the PAS. When I dsquery or adfind the attribute for a group or user object it comes back blank, yet every object should have a creator, right?
adfind -gc -b -f name="SomeGroupName" creator
MSDN describes the attribute as "the person that created the object" and says "this value is set by the system".
http://msdn.microsoft.com/en-us/library/ms675472(VS.85).aspx
_____
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Gil Kirkpatrick Sent: Thursday, January 29, 2009 8:47 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] "creator" schema attribute
I was a little confused about this request as well and figured I just didn't read it carefully. I wonder if what the OP wants is the object owner from the ACL in the nTSecurityDescriptor attribute?
-g
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe Sent: Thursday, January 29, 2009 1:48 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] "creator" schema attribute
Personally I was a little confused by the question and was a bit surprised people could respond at all.
There is no builtin created by attribute for AD objects, in the PAS or not. This is an attribute you would have to create or leverage another attribute for and populate yourself and the control of whether or not this attribute was in the PAS would be entirely up to whomever created the attribute and/or wrote the script to populate the data into an existing attribute.
For example, if I wanted, I could push the creator information into the description attribute and it would show up in the GCs. Or I could push it into the info attribute and it wouldn't show up in the GCs. Or I could create a custom attribute named companyprefix-ObjectCreator and specify whether or not I wanted it part of the PAS and then populate as needed.
Again, since this created by isn't builtin functionality, you would either have to seriously lock down who could create things to people who would always populate that info, or lock it down to only tools that knew to populate that value, or you would have to have something swinging through and trying to figure out what value to populate the value with. If the people aren't admins, then you can look at the owner portion of the nTSecurityDescriptor but wouldn't really want to depend on that too much. Alternately you could have something scanning the event logs and populating the directory from that as well if you have the appropriate auditing enabled.
joe
--
O'Reilly Active Directory Fourth Edition - http://www.joeware.net/win/ad4e.htm
| | | |
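The event-log route joe mentions, combined with the class-limited stamping process Dan describes, as an added example (not code from any poster in this thread): it turns exported object-creation audit events into LDIF modify records. It assumes Windows Server 2008-style Security event 5137 with its standard data fields, the companyprefix-ObjectCreator attribute name floated above, a hypothetical list of wanted classes, and constructed sample events.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
CREATOR_ATTR = "companyprefix-ObjectCreator"   # custom attribute name suggested in the thread
WANTED_CLASSES = {"organizationalUnit", "group", "user"}   # assumption: classes worth stamping

# Constructed sample: two event 5137 records wrapped in one root element.
SAMPLE = """<Events xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<Event><System><EventID>5137</EventID></System><EventData>
<Data Name="SubjectUserName">alice</Data><Data Name="SubjectDomainName">TEST</Data>
<Data Name="ObjectDN">OU=Z&#252;rich,DC=test,DC=loc</Data><Data Name="ObjectClass">organizationalUnit</Data>
</EventData></Event>
<Event><System><EventID>5137</EventID></System><EventData>
<Data Name="SubjectUserName">bob</Data><Data Name="SubjectDomainName">TEST</Data>
<Data Name="ObjectDN">CN=print1,CN=Computers,DC=test,DC=loc</Data><Data Name="ObjectClass">computer</Data>
</EventData></Event>
</Events>"""

def ldif_line(attr, value):
    """Emit 'attr: value', or base64 'attr:: ...' when value is not an LDIF SAFE-STRING."""
    safe = (
        value.isascii()
        and value[:1] not in (" ", ":", "<") and not value.endswith(" ")
        and all(c not in "\r\n\0" for c in value)
    )
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"

def creators(xml_text):
    """Yield (object DN, creator account) for each creation event of a wanted class."""
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "5137":
            continue
        d = {x.get("Name"): (x.text or "") for x in ev.findall("e:EventData/e:Data", NS)}
        if d.get("ObjectClass") in WANTED_CLASSES and d.get("ObjectDN"):
            yield d["ObjectDN"], f'{d.get("SubjectDomainName", "")}\\{d.get("SubjectUserName", "")}'

def to_ldif(xml_text):
    """Build LDIF modify records that stamp the creator into CREATOR_ATTR."""
    out = []
    for dn, who in creators(xml_text):
        out += [ldif_line("dn", dn), "changetype: modify", f"replace: {CREATOR_ATTR}",
                ldif_line(CREATOR_ATTR, who), "-", ""]
    return "\n".join(out)

if __name__ == "__main__":
    print(to_ldif(SAMPLE))
```

The records are meant to be reviewed before import; swapping CREATOR_ATTR for description or info gives the GC-visible and non-GC variants discussed in the thread.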
|
|