3 words: blah, blah and blah
:)
I’ll try and revisit this sometime this week. Sorry, I lost track of it.
~Eric
From: joe
[mailto:[EMAIL PROTECTED]
ping ~Eric
Pinging ~Eric.texas.cpr.microsoft.com [xx.xx.xx.xx] with 32 bytes of data:
Request timed out. Request timed out.
:o)
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman Let me digest a bit and report back. The answer is probably yes, I just need to think about it.
<aside> Have you noticed that every ldp snip I do is from a different domain? Yes, I have that many forests in virtual machines. I just noticed that I’m not sure if I’ve used the same one twice on this list………
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of listmail
Understood on the constructed. Though it makes you wonder why that one is and whenChanged isn't. :o)
How about the overall more general question, is there a way to ascertain what would and wouldn't be displayed? For instance, is there something "query-able" that tells me ntsecuritydescriptor would or wouldn't be displayed.
joe
From: [EMAIL PROTECTED]
on behalf of Eric Fleischman In this case:
>> Dn: CN=Modify-Time-Stamp,CN=Schema,CN=Configuration,DC=corp,DC=microsoft,DC=com 1> lDAPDisplayName: modifyTimeStamp; 1> systemFlags: 0x8000014 = ( FLAG_ATTR_IS_CONSTRUCTED | FLAG_SCHEMA_BASE_OBJECT | FLAG_DOMAIN_DISALLOW_RENAME );
Constructed attributes are only returned 1) If requested AND 2) if requested in a base search against the object
~Eric
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of listmail
Nope. Not every attribute is returned. I don't know personally what the logic is that specifies what is returned and what isn't. I would like to think it is something you can query out of the schema but I have never seen anything to substantiate that thought.
It is easy to see it in action though, query the schema on 2K and do the same on K3. You will certain attribs on certain objects returned in 2K but not in K3, you have to ask for them meaning that MS backed out the default return set. Why I don't know but helped someone with an App that blew up because of it. I don't recall exactly what the attribute was though, I purposely forgot it so I could have enough room in my head to remember the thing about ntsecuritydescriptors...
What about ntsecuritydescriptors you ask? ntsecuritydescriptor should be on every object but when have you seen a query where you didn't specifically specify you needed it that it did get returned? Answer, you have to ask for it.
With adfind you would do something like
adfind -b <somebase> -f <somefilter> * ntsecuritydescriptor
That will return what I call the * set (star set) and also the ntsecuritydescriptor attribute.
I started to talk to ~Eric about this once before but I don't think we ever got to the part of the discussion concerning how it was determined what is returned and what isn't.
joe
From:
[EMAIL PROTECTED] on behalf of AD Hmm, I am a little bit confused joe. I did not ask for msExchAlObjectVersion but it returns it anyways. Isn't LDP suppose to return every attribute that is set for a an object?
Thanks
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of listmail Because you didn't request it. That one needs to be specifically requested, you can instead use whenChanged which is returned in the default * set.
joe
From:
[EMAIL PROTECTED] on behalf of AD
Does anyone know why LDP does not return the modifyTimeStamp attribute? |
- RE: [ActiveDir] LDP does not return modifyTimeStamp attrib... Eric Fleischman
- RE: [ActiveDir] LDP does not return modifyTimeStamp a... joe
- [ActiveDir] Logging Login / Logout Matt Brown
- [ActiveDir] Group / Permission Matt Brown
- RE: [ActiveDir] LDP does not return modifyTimeSta... joe
- RE: [ActiveDir] LDP does not return modifyTim... Brett Shirley
- RE: [ActiveDir] LDP does not return modif... Dean Wells
- RE: [ActiveDir] LDP does not return ... joe
- RE: [ActiveDir] LDP does not ret... Brett Shirley
- RE: [ActiveDir] LDP does not... Rick Kingslan