Messing with otherWellKnownObjects

  • [アーティクル]

otherWellKnownObject attributes have been widely used in HMC as a cross reference as well as very much as a kind of a poor man’s AD schema extension strategy. J This blog aims to discuss it and also provide some ways to work with this attribute using HMC procedures.

Firstly, here is a list of common otherWellKnownObjectGUID in HMC,

List of common otherWellKnownObjectGUID in HMC

  • 7DEF010C6019A1458068D74AD1A3C1FA
    •  name="FolderUsers"
    • Eg.:CN=FolderUsers@alpineskihouse.com,OU=ALPINESKIHOUSE,OU=CONSOLIDATEDMESSENGER,OU=Hosting,DC=fabrikam,DC=com
  • A276E3A170F0C24699770F593818501E
    • name="FolderAdmins"
    • Eg.:CN=FolderAdmins@alpineskihouse.com,OU=ALPINESKIHOUSE,OU=CONSOLIDATEDMESSENGER,OU=Hosting,DC=fabrikam,DC=com
  • D22DFCC5B73645E99E16C9AD3D61F34F
    • name="OfflineAddressList"
    • Eg.:CN=ALPINESKIHOUSE OAL,CN=All Offline Address Lists,CN=Address Lists Container,CN=HMC45,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=fabrikam,DC=com
  • 9E444526CB6F4D5C9A59C9A84E26B627
    • name="AddressList"
    • Eg.:CN=ALPINESKIHOUSE AL,CN=All Address Lists,CN=Address Lists Container,CN=HMC45,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=fabrikam,DC=com
  • 89FB25B7DF784FC198A493E2E8A0EE7E
    • name="GlobalAddressList"
    • Eg.:CN=ALPINESKIHOUSE GAL,CN=All Global Address Lists,CN=Address Lists Container,CN=HMC45,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=fabrikam,DC=com
  • 4619BE598BF441DB8C9DB0482E62E386
    • name="MultiGroupPointer"
    • Eg.:CN=MultiGroup,CN=_Private,OU=ALPINESKIHOUSE,OU=CONSOLIDATEDMESSENGER,OU=Hosting,DC=fabrikam,DC=com
  • EA755D448CE64157A20E82B7CCBE14B0
    • name="OrgType"
    • Eg.:CN=customer,CN=WatOrgTypes,CN=_Private,OU=Hosting,DC=fabrikam,DC=com
  • 3B6FF4FA8AA248039AD8F9493A43B704
    • name="ChildOrgCreators"
    • Eg.:CN=CSRAdmins@alpineskihouse.com,OU=ALPINESKIHOUSE,OU=CONSOLIDATEDMESSENGER,OU=Hosting,DC=fabrikam,DC=com
  • 65F37ECB46704F0E9300E1FB48E1096E
    • name="UserCreators"
    • Eg.:CN=Admins@alpineskihouse.com,OU=ALPINESKIHOUSE,OU=CONSOLIDATEDMESSENGER,OU=Hosting,DC=fabrikam,DC=com
  • 58888CFC8F7F430C8183102CD5758D81
    • name="ForeignOwnerOrg"
    • Eg.: OU=CONSOLIDATEDMESSENGER,OU=Hosting,DC=fabrikam,DC=com
  • CC016CF08DEF4EA4A05C9C54B198785A
    • name="ThisOrganizationRoot"
    • Eg.:OU=ALPINESKIHOUSE,OU=CONSOLIDATEDMESSENGER,OU=Hosting,DC=fabrikam,DC=com

 

How to reset the otherWellKnownObject using HMC procedure

Sometimes, you may find it necessary to reset the otherWellKnownObject for whatever reason such as you may accidentally remove the Offline Address Book. This may result in the otherWellKnownObject reference to be invalid.

You can set or reset the otherWellKnownObject attribute by running the following procedure,

Sample Request:

<request>

<procedure name="SetOtherWellKnownObject" description="Set WKO" access="private" type="write" perfEnabled="0" saveDataForRollback="0" auditEnabled="0">

                <procedureData>

                <path>LDAP://OU=alpineskihouse,OU=consolidatedmessenger,OU=Hosting,DC=fabrikam,DC=com</path>

                                <GUID>9E444526CB6F4D5C9A59C9A84E26B627</GUID>

                                <referent>LDAP://CN=Alpineskihouse AL,CN=All Address Lists,CN=Address Lists Container,CN=HMC45,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=fabrikam,DC=com</referent>

                                <preferredDomainController>AD01.fabrikam.com</preferredDomainController>

                </procedureData>

                <before source="data" destination="procedureData" mode="insert"/>

                <execute namespace="Managed Active Directory" procedure="SetOtherWellKnownObject_" impersonate="2">

                                <before source="procedureData" sourcePath="path" destination="executeData"/>

                                <before source="procedureData" sourcePath="GUID" destination="executeData"/>

                                <before source="procedureData" sourcePath="referent" destination="executeData"/>

                                <before source="procedureData" sourcePath="preferredDomainController" destination="executeData"/>

                </execute>

               

</procedure>

</request>

 

 

 

If you wish to clear it, you just don’t set anything on the referent.

 

 

How to retrieve the otherWellKnownObject using HMC procedure

<request>

<procedure name="GetOtherWellKnownObject" description="Get WKO" access="private" type="write" perfEnabled="0" saveDataForRollback="0" auditEnabled="0">

                <procedureData>

                                <GUID>9E444526CB6F4D5C9A59C9A84E26B627</GUID>

                <object>LDAP://OU=Alpineskihouse,OU=ConsolidatedMessenger,OU=Hosting,DC=Fabrikam,DC=com

                </object>

                                <preferredDomainController>AD01.fabrikam.,com</preferredDomainController>

                </procedureData>

               

                <execute namespace="Managed Active Directory" procedure="GetOtherWellKnownObject" impersonate="2">

                                <before source="procedureData" sourcePath="object" destination="executeData"/>

                                <before source="procedureData" sourcePath="GUID" destination="executeData"/>

                                <before source="procedureData" sourcePath="preferredDomainController" destination="executeData"/>

                </execute>

               

</procedure>

</request>

 

 

Sample VBScript to retrieve otherWellKnownObject

strDomain = "fabrikam.com"

strWKGUID = "D22DFCC5B73645E99E16C9AD3D61F34F"

set oab = GetObject("LDAP://<WKGUID=" & _

                             strWKGUID & "," & _

                             "OU=alpineskihouse,OU=consolidatedmessenger,OU=Hosting,DC=fabrikam,DC=com" & ">" )

WScript.Echo oab.Get("distinguishedName")

 

 

Sample PowerShell to retrieve otherWellKnownObject

# The following script will retrieve all the OABs of each OU

$LDAP = "OU=Hosting,dc=hmc45, dc=com"

$preferredDC = "AD01.fabrikam.com"

$domain = "LDAP://" + $LDAP

$directoryEntry = New-Object System.DirectoryServices.DirectoryEntry $domain

$strWKGUID = "D22DFCC5B73645E99E16C9AD3D61F34F"

$query = new-object system.directoryservices.directorysearcher

$query.SearchRoot = $directoryEntry

$query.PageSize = 1000

$query.filter = ("(objectClass=organizationalUnit)")

$orgs = $query.findAll()

Foreach($org in $orgs)

{

                $org = $org.GetDirectoryEntry()

                $orgDN = $org.distinguishedName

                $orgName = $org.name

                $oab = New-Object DirectoryServices.DirectoryEntry "LDAP://<WKGUID=$strWKGUID,$orgDN>"

                If($oab.name -ne $null) {

                                "Org DN: $orgDN, "

                                "OAB: " + $oab.name

                               

                                "------------------------------------------"

                                " "

                }

}

Comments