/\/\o\/\/ PowerShelled

This blog has moved to http://ThePowerShellGuy.com Greetings /\/\o\/\/

Tuesday, December 06, 2005

 


MSH AD querying with .NET 2.0 framework



I found this great article about new ways to deal with AD in .NET 2.0:

Got Directory Services? New Ways to Manage Active Directory using the .NET Framework 2.0
http://msdn.microsoft.com/msdnmag/issues/05/12/DirectoryServices/

by Ethan Wilansky (coauthor of the Microsoft Shell (MSH) language reference)
Really recommended!

I already mentioned some of the new infrastructure classes of AD in .NET 2.0 in a previous entry: AD Infastructure exploring with MSH

This article points you to more improvements in the System.DirectoryServices namespace.

I give some examples converted to MSH below (the C# examples in the article are easy to translate to Monad) and point you to the article for more information.

# get a user for the examples :

$de = new-object system.directoryservices.directoryentry("cn=mow,ou=mowou,dc=mow,dc=com")

# Using (Native) ADSI properties by using InvokeGet Method : 

$de.InvokeGet("IsAccountLocked")

# getting the object's Security Descriptor (read it from the entry; a newly created ActiveDirectorySecurity object would be empty) : 

$sd = $de.ObjectSecurity 

# get Owner / Group (with the choice as NtAccount or SID) 

$sd.GetOwner([security.principal.ntaccount]) 

$sd.GetGroup([system.security.principal.securityidentifier]) 

# Check if ACEs are properly ordered (W2K3 standard, not standard on W2K) 

$sd.AreAccessRulesCanonical 

# check if inheritance of permissions from the parent is blocked ($true = protected DACL, no inherited ACEs; $false = inheritance enabled) 

$sd.AreAccessRulesProtected 
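The calls above read single properties of the security descriptor. The following is an added example, not code from the original post or the article: it walks the whole DACL through ActiveDirectorySecurity and flags the allow ACEs that hand out control of the object (GenericAll, GenericWrite, WriteDacl, WriteOwner), which is what you look for when auditing AD permissions. To run offline it builds the descriptor from a constructed SDDL string (an assumption, not a real object's descriptor); against a live domain you would pass $de.ObjectSecurity instead. The function name Get-ControlAces is my own.

```powershell
# Added example (not from the original post): inspect an AD security descriptor
# with System.DirectoryServices.ActiveDirectorySecurity and flag control ACEs.
[void][System.Reflection.Assembly]::LoadWithPartialName("System.DirectoryServices")

function Get-ControlAces {
    param([System.DirectoryServices.ActiveDirectorySecurity]$sd)
    # Rights that let the holder rewrite the DACL or take over the object outright
    $control = [System.DirectoryServices.ActiveDirectoryRights]"GenericAll, GenericWrite, WriteDacl, WriteOwner"
    # explicit and inherited rules, identities resolved to DOMAIN\name
    $rules = $sd.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    foreach ($rule in $rules) {
        if ($rule.AccessControlType -eq "Allow" -and (($rule.ActiveDirectoryRights -band $control) -ne 0)) {
            $rule
        }
    }
}

# Constructed SDDL (an assumption, not taken from a real object):
#   O:BA G:BA  owner and group = BUILTIN\Administrators
#   D:P        protected DACL: nothing is inherited from the parent
#   the explicit deny comes before the explicit allows = canonical order
#   (A;;WDWO;;;WD) gives Everyone WriteDacl + WriteOwner, the finding here
$sddl = "O:BAG:BAD:P(D;;WP;;;AN)(A;;GA;;;BA)(A;;RPLCLORC;;;AU)(A;;WDWO;;;WD)"

$sd = New-Object System.DirectoryServices.ActiveDirectorySecurity
$sd.SetSecurityDescriptorSddlForm($sddl)   # against a live domain: $sd = $de.ObjectSecurity

"Owner     : " + $sd.GetOwner([System.Security.Principal.NTAccount])
"Group     : " + $sd.GetGroup([System.Security.Principal.SecurityIdentifier])
"Canonical : " + $sd.AreAccessRulesCanonical    # $true: denies ordered before allows
"Protected : " + $sd.AreAccessRulesProtected    # $true: inheritance from the parent is blocked

"Allow ACEs that grant control of the object:"
foreach ($ace in Get-ControlAces $sd) {
    "  {0,-25} {1}" -f $ace.IdentityReference, $ace.ActiveDirectoryRights
}
```

Only well-known SDDL aliases (BA, AU, AN, WD) are used in the constructed string, because domain-relative aliases such as DA need a domain SID to resolve and fail on a workgroup machine. Run against $de.ObjectSecurity, the same function lists every principal that can rewrite the object's DACL or take ownership of it.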

$ds = new-object system.directoryservices.directorySearcher 

$ds.SearchRoot # defaulting to Domain (using RootDSe) 

$ds.searchroot = "LDAP://ou=MowOU,dc=mow,dc=com" # or set it.

# Make a Snapshot of AD

$sync = new-object System.DirectoryServices.DirectorySynchronization 
$ds.DirectorySynchronization = $Sync 
$ds.findall() 

An error occurred while enumerating through a collection: Access is denied. 

# As I don't have the Replicating Directory Changes right (see the article), I need to set the ObjectSecurity option
$sync = new-object System.DirectoryServices.DirectorySynchronization 
$sync.option = "ObjectSecurity" 
$ds.DirectorySynchronization = $Sync 
$ds.findall() 

Exception calling "FindAll" with "0" argument(s): "The value for the property DirectorySynchronizationFlag cannot be set."

# Why I can't set this I don't know; I posted a question in the NG and will let you know when I know more.

# for writing the cookie (stopped here because of the problem above)

$bf = new-object System.Runtime.Serialization.Formatters.Binary.BinaryFormatter 

# Do a Search using ExtendedDN (to get SID and GUID back also)

$ds.ExtendedDN = "Standard" 
$ds.findall() 

Exception calling "FindAll" with "0" argument(s): "The value for the property ExtendedDn cannot be set."

# and again here I have the problem setting the property
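The DirSync part of the listing stops at the error. As an added example, not code from the original post or the article, here is the change-tracking loop carried through: first run takes a full snapshot, the cookie is persisted, and every later run returns only objects that changed since, which is the cheap way to watch a domain for new accounts, group-membership changes and deletions. Assumptions: it runs on a domain-joined Windows Server 2003 host (per the comments below, the XP ADSI client rejects the DirSync property), the search base is the domain naming context rather than an OU, the ObjectSecurity option is used in place of the Replicating Directory Changes right, and the cookie file path is my own choice. The raw cookie bytes are written with File.WriteAllBytes instead of the BinaryFormatter the post mentions.

```powershell
# Added example (not from the original post): DirSync change tracking with the
# cookie persisted between runs. Assumes a Windows Server 2003 domain member.
[void][System.Reflection.Assembly]::LoadWithPartialName("System.DirectoryServices")

$cookieFile = Join-Path $env:TEMP "ad-dirsync.cookie"   # assumed storage location

# DirSync needs a naming-context root as search base; an OU is refused
$rootDse  = New-Object System.DirectoryServices.DirectoryEntry("LDAP://RootDSE")
$domainDN = $rootDse.Properties["defaultNamingContext"].Value

$ds = New-Object System.DirectoryServices.DirectorySearcher
$ds.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$domainDN")
$ds.Filter     = "(objectClass=*)"
# attributes worth watching; a changed object comes back with only the ones that changed
$ds.PropertiesToLoad.AddRange(@("distinguishedName", "isDeleted", "userAccountControl", "member"))

# Without the Replicating Directory Changes right, ObjectSecurity returns only
# the objects and attributes the caller is allowed to read.
$option = [System.DirectoryServices.DirectorySynchronizationOptions]::ObjectSecurity

if (Test-Path $cookieFile) {
    # later run: hand the saved cookie back and get changes since that point
    $cookie = [System.IO.File]::ReadAllBytes($cookieFile)
    $sync = New-Object System.DirectoryServices.DirectorySynchronization($option, $cookie)
} else {
    # first run: full snapshot of the naming context
    $sync = New-Object System.DirectoryServices.DirectorySynchronization($option)
}
$ds.DirectorySynchronization = $sync

foreach ($res in $ds.FindAll()) {
    $dn = $res.Properties["distinguishedname"][0]
    # deletions come back from the Deleted Objects container with isDeleted = TRUE
    if ($res.Properties.Contains("isdeleted")) {
        "DELETED $dn"
        continue
    }
    # everything except the always-present adspath / DN is a changed attribute
    $changed = @($res.Properties.PropertyNames | Where-Object { $_ -ne "adspath" -and $_ -ne "distinguishedname" })
    if ($changed.Count -gt 0) {
        "CHANGED $dn : " + [string]::Join(", ", $changed)
    }
}

# The cookie is updated once FindAll has been enumerated; save it for the next run.
[System.IO.File]::WriteAllBytes($cookieFile, $sync.GetDirectorySynchronizationCookie())
```

Delete the cookie file to force a fresh snapshot. Note that with ObjectSecurity the result is limited to what the account may read, so an attacker-created object hidden behind a restrictive DACL will not show up; for complete coverage the account needs the Replicating Directory Changes right and $option set to None.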

I have only touched on some of the new features mentioned in the article.
I really recommend reading it, as it gives a lot of good info about the new possibilities, and I hope the samples I provided will help in porting them to MSH.

As soon as I have more info about the errors setting the properties, I will post it.

If you know the answer, please leave a comment.

gr /\/\o\/\/


Comments:
Blogger /\/\o\/\/
From the ADSI NG:

Joe Kaplan (MVP - ADSI) wrote:

> Hmm,
>
> It appears to be broken in the RTM version of .NET 2.0. Very interesting. It is possible that I'm doing it wrong, but samples I had that used to work don't seem to anymore.
>
> Perhaps MS can investigate?
>
> Joe K.

gr /\/\o\/\/
 
Blogger /\/\o\/\/
Joe Kaplan (MVP - ADSI) wrote:

> We have confirmed that it a limitation of the ADSI client on Windows XP. I believe that is also the case for DirSync.
>
> To use the code, you need to run it on Win2K3.
>
> It is possible that MS might choose to backport those features to other ADSI clients, but who knows. Note that in the case of extended DN, the underlying LDAP API supports the control. It is just ADSI itself that does not. As such, you could write this code in System.DirectoryServices.Protocols and it would work (although maybe not in Monad. I have no idea :) ).
>
> Joe K.
>

thx,

Too bad, I cannot install MSH on a server yet ;-)
But if System.DirectoryServices.Protocols is too hard, the .NET 2.0 FW might be doable ;-)


gr /\/\o\/\/
 
Anonymous Gerben
Take a look at: http://www.irishdev.com/blogs/jbrennan/archive/2006/07/03/1664.aspx

Probably DirectoryServices.DirectorySynchronization uses the highestCommittedUSN; this one is probably only available on the DC, and not on an OU.
 