How to add ForeignSecurityPrincipals to AD LDS? Bringing 'AD users and computer accounts' to AD LDS as FSP?

StackOverflow https://stackoverflow.com/questions/23154393

Question

How to add ForeignSecurityPrincipals to 'Active Directory Lightweight Directory Services' (AD LDS)? i.e. bringing 'AD security principals (users as well as computer accounts)' to AD LDS? Any script/ps cmdlet/tool?

Adding 'AD' security principals as "ForeignSecurityPrincipals" to AD LDS using 'ADSI edit'

I know I can bring them in by making them members of administrators/readers/users (i.e. in order to define roles for the 'AD users' as readers/users/administrators the foreign security principals need to be added - which makes sense - so ADSI edit is automatically adding the SIDs to the foreign security principals container) (please see the attached image adding 'AD security principals' as one of the members to 'AD LDS' using ADSI edit).

Question (what are different ways of doing it other than assigning roles using adsi edit):

But I am wondering, is there a way without making the security principal a member of one of the roles? Especially, I don't want to do it this way for 'computer accounts', as they are not categorized as 'administrators' or 'users' or 'roles' by default in the AD LDS schema. I think I can extend the schema so that my AD LDS instance understands computer accounts and then add the computers there.

Just curious if there is another way to do it? Any other tool or PS script will do as well, as I am pretty sure there are a number of 'directory services admin tools'.

Regards.

Was it helpful?

Solution 3

Actually it simply turned out to be that I can set 'permissions' on AD LDS directory objects without adding to the 'ForeignSecurityPrincipals' container...

So, I just set 'perms' based on SID (a few examples are below, http://greatit.wordpress.com/2012/08/13/dsacls-and-built-in-groups/ )

Examples which grant 'generic all/full control' on an AD LDS object:

dsacls "\\{myadldsserver}:{port}\cn=testadldsobject,cn=test,cn=com" /G {sid}:GA

dsacls {DN} /G "{domain}\{username}:GA"

dsacls {DN} /G "{domain}\{machinename}$:GA"

Regards.

Other tips

You seem to be asking about two different things, here. The image is showing you grant access to Active Directory security principals to ADLDS. But then you start talking about extending the schema, suggesting you're looking to import objects from AD.

If it's the latter, you could use FIM, ADAMSync or roll your own using e.g. PowerShell.

More help on ADAMSync here

* UPDATE *

According to Dmitri Gavrilov in this post, manually adding FSPs is not possible.

Alternatively, you can use PowerShell to add the user/computer to one of the built-in groups (my example will use Readers), then immediately remove them. The foreignSecurityPrincipal will remain in the directory. It seems that ADAM/AD LDS is the one actually creating the foreignSecurityPrincipal object on your behalf when you request adding a member by SID.

Get the Readers group in the Configuration partition...

$servername = "myserver:389"

$configPartition = (Get-ADRootDSE -Server $servername).namingContexts | ? { $_ -match "^CN=Configuration" }

$readersGroup = ("CN=Readers,CN=Roles," + $configPartition)

Add the SID (Wrap in <SID=...>) to the Readers group

Set-ADObject -Identity $readersGroup -Add @{member = "<SID=S-X-X-XX-XXXXXXXXXX-XXXXXXXXXX-XXXXXXX-XXXXX>"} -Server $servername

Remove the SID from the Readers group

Set-ADObject -Identity $readersGroup -Remove @{member = "<SID=S-X-X-XX-XXXXXXXXXX-XXXXXXXXXX-XXXXXXX-XXXXX>"} -Server $servername
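The add-then-remove trick above, carried through end to end as an added example (not code from the answer): it resolves the SID from a domain account instead of typing it by hand, materialises the foreignSecurityPrincipal in AD LDS, and then verifies that the FSP exists while the Readers role no longer lists it. The server name, port and account name are placeholders, and the script assumes a domain-joined machine with the ActiveDirectory module.

```powershell
# Added example, not part of the original answers. Placeholders below.
Import-Module ActiveDirectory

$ldsServer = "myserver:389"          # AD LDS instance (host:port), placeholder
$account   = "CONTOSO\SVC-APP01$"    # AD user or computer account, placeholder

# 1. Resolve the principal's SID from its name (works for computer accounts too).
$sid = ([System.Security.Principal.NTAccount]$account).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# 2. Locate the Configuration partition, the built-in Readers role and the
#    container where AD LDS stores foreignSecurityPrincipal objects.
$configNC     = (Get-ADRootDSE -Server $ldsServer).namingContexts |
                Where-Object { $_ -match '^CN=Configuration' }
$readers      = "CN=Readers,CN=Roles,$configNC"
$fspContainer = "CN=ForeignSecurityPrincipals,$configNC"
$fspDn        = "CN=$sid,$fspContainer"   # AD LDS names the FSP after its SID

# 3. Add the SID as a member, then remove it again. AD LDS creates the FSP
#    during the add; removing the membership leaves the FSP object behind.
$memberRef = "<SID=$sid>"
Set-ADObject -Identity $readers -Add    @{ member = $memberRef } -Server $ldsServer
Set-ADObject -Identity $readers -Remove @{ member = $memberRef } -Server $ldsServer

# 4. Verify the outcome: FSP present, role membership gone.
try {
    $fsp = Get-ADObject -Identity $fspDn -Server $ldsServer -Properties objectSid
    Write-Output "FSP created: $($fsp.DistinguishedName) (SID $($fsp.objectSid.Value))"
} catch {
    Write-Error "FSP $fspDn was not created: $_"
}

$members = (Get-ADObject -Identity $readers -Properties member -Server $ldsServer).member
if ($members -contains $fspDn) {
    Write-Warning "$account is still a member of Readers; remove it before granting permissions."
} else {
    Write-Output "$account is not a Readers member; grant rights on individual objects with dsacls."
}
```

Once the FSP exists you can reference its SID in dsacls /G grants on specific AD LDS objects, as in Solution 3, without giving the account any role-level access.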

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow