Jorge's Quest For Knowledge!

All You Need To Know About Identity And Security On-Premises And In The Cloud. It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2009-08-05) Managing W2K3 AD Domain Through Windows Vista Or Windows Server 2008 (R2)

Posted by Jorge on 2009-08-05


Today I was working with ILM 2007 at a client’s site. The client uses a W2K3 AD. ILM is installed on a W2K8 server and I wanted to use "Active Directory Users and Computers (ADUC)" with the "attribute editor" tab to check some attributes. To be able to view the "attribute editor" tab in ADUC you need to first enable Advance Features. After that you should see the new tab. However this was NOT the case. My first thought was "WTF!" After googling I found the following information which I had totally forgotten about.

Source: http://social.technet.microsoft.com/Forums/en-US/winserverManagement/thread/6e6ef6bd-b5c9-4f16-b346-097832e3b93c
(it has been adjusted by me a little bit to make it as accurate as possible!)

ABSTRACT

When you install RSAT on a Vista or a Windows Server 2008 (R2) system, that is managing a 2000/2003 based AD forest, you do not see the "Attribute Editor" tab in ADUC when looking at the properties of a User or Computer object.

MORE INFORMATION

The Display Specifier is not updated in the Configuration Naming context, because the 2008 (R2) schema changes have not been executed on the 2000/2003 AD forest. Part of the upgrade updates the forest Display Specifiers. The "Attribute Editor" tab actually uses functions within the ADSIEDIT tool, more specifically the ADSIEDIT.DLL extension. Although the DLL is probably registered on the RSAT system, the Config NC needs to be updated, in order to expose the "Attribute Editor" tab in the ADUC interface.

SOLUTION

Use the ADSIEDIT tool (or other tool of choice…ADexplorer, LDP etc), with a user who has rights to modify the Configuration Naming Context.

Navigate to "CN=<Language Code Page>,CN=DisplaySpecifiers,CN=Configuration,DC=<DOMAIN>,DC=<TLD>". See http://support.microsoft.com/kb/324097

Then for the following objects edit the attribute called "AdminPropertyPages" and add the corresponding line

  • CN=computer-Display,CN=<Language Code Page>,CN=DisplaySpecifiers,CN=Configuration,DC=<DOMAIN>,DC=<TLD>
    • 11,{c7436f12-a27f-4cab-aaca-2bd27ed1b773}
  • CN=User-Display,CN=<Language Code Page>,CN=DisplaySpecifiers,CN=Configuration,DC=<DOMAIN>,DC=<TLD>
    • 12,{c7436f12-a27f-4cab-aaca-2bd27ed1b773}
  • CN=Default-Display,CN=<Language Code Page>,CN=DisplaySpecifiers,CN=Configuration,DC=<DOMAIN>,DC=<TLD>
    • 4,{c7436f12-a27f-4cab-aaca-2bd27ed1b773}

If you performed these actions while ADUC was open, the close ADUC and reopen it. Assuming the "Advanced Features" option is enabled, you should see the "Attribute Editor" tab.

 

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

 
%d bloggers like this: