Jorge's Quest For Knowledge!

All You Need To Know About Identity And Security On-Premises And In The Cloud. It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2015-01-05) Finding Attributes Marked As Members Of Partial Attribute Set (PAS)

Posted by Jorge on 2015-01-05


When bit 2^1 (= 0x2, FLAG_ATTR_REQ_PARTIAL_SET) is set in the systemFlags property of an attributeSchema object, the attribute is marked as a member of the partial attribute set (PAS). The PAS is the set of attributes whose values replicate to every DC that is also a global catalog (GC), for the domain NCs that the GC hosts only as read-only partial replicas (in other words, every domain in the forest other than the GC's own domain). The other way to see whether an attribute is a member of the PAS is the property "isMemberOfPartialAttributeSet": when it is FALSE or <NOT SET>, the attribute is not in the PAS; when it is TRUE, the attribute is in the PAS. To add an attribute to the PAS or remove it again, set the property "isMemberOfPartialAttributeSet" accordingly and leave "systemFlags" alone: the 0x2 bit is set by the system on attributes that are required in the PAS, and those cannot be removed from the PAS. Because the two markers are independent, a query on "(isMemberOfPartialAttributeSet=TRUE)" alone only shows the first kind of membership; to be sure you see every PAS member, check both. Before adding an attribute to the PAS, keep in mind that its values will from then on be replicated to, and searchable through, every GC in the forest (still subject to the attribute's ACLs, including the confidential bit in searchFlags), so check what the attribute actually stores.

ADFIND

ADFIND -h R1FSRWDC1.IAMTEC.NET -schema -f "(&(objectClass=attributeSchema)(isMemberOfPartialAttributeSet=TRUE))" -dn

OR

ADFIND -sc PAS -dn (sorted output: ADFIND -sc PASL -dn)

Figure 1: Example Output

AD PoSH Module

Get-ADObject -Server R1FSRWDC1.IAMTEC.NET -SearchBase $((Get-ADRootDSE -Server R1FSRWDC1.IAMTEC.NET).schemaNamingContext) -LDAPFilter "(&(objectClass=attributeSchema)(isMemberOfPartialAttributeSet=TRUE))" | %{$_.DistinguishedName}

ADSI Through PoSH

$targetDC = "R1FSRWDC1.IAMTEC.NET"
$rootDSE = [ADSI]"LDAP://$targetDC/RootDSE"
$schemaNamingContext = $rootDSE.schemaNamingContext
$search = New-Object DirectoryServices.DirectorySearcher
$search.SearchRoot = [ADSI]"LDAP://$targetDC/$schemaNamingContext"
$search.Filter = "(&(objectClass=attributeSchema)(isMemberOfPartialAttributeSet=TRUE))"
# Enable paging: without a PageSize the DC caps a non-paged search at its MaxPageSize (1000 by default),
# which is not enough once you query for the attributes that are NOT in the PAS
$search.PageSize = 1000
$search.PropertiesToLoad.Add("distinguishedName") | Out-Null
$search.FindAll() | %{$_.Properties.distinguishedname}

PS: replace the FQDN of the DC with the FQDN of one of your own DCs

PS: the opposite of this query (the attributes that are NOT in the PAS) can be found by replacing (isMemberOfPartialAttributeSet=TRUE) with (!(isMemberOfPartialAttributeSet=TRUE)). That is not the same as (isMemberOfPartialAttributeSet=FALSE): an LDAP equality filter only matches objects on which the attribute is present with that value, so the =FALSE filter misses every attribute where isMemberOfPartialAttributeSet is <NOT SET>, whereas the negated filter matches both FALSE and <NOT SET>.
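The following PowerShell is an added example and not code from the original post. It pulls the three points above together: it lists PAS members by either marker (the isMemberOfPartialAttributeSet boolean or the 0x2 bit in systemFlags, using the LDAP bitwise-AND matching rule), it shows in numbers why the negated filter and the =FALSE filter differ, and it performs a PAS change the supported way (writing isMemberOfPartialAttributeSet on the schema master) with a dry run by default. It assumes the ActiveDirectory module (RSAT), the DC name used in the post, and Schema Admins rights for the write path; the attribute name in the usage comment is only a placeholder.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory module (RSAT).
# 'R1FSRWDC1.IAMTEC.NET' is the DC name used in the post; replace it with your own.

# List every attributeSchema object that is a PAS member by EITHER marker and say which one applies.
function Get-PasAttribute {
    [CmdletBinding()]
    param([string]$Server = 'R1FSRWDC1.IAMTEC.NET')

    $schemaNC = (Get-ADRootDSE -Server $Server).schemaNamingContext
    # 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND: matches when (systemFlags -band 2) is non-zero
    $filter = '(&(objectClass=attributeSchema)' +
              '(|(isMemberOfPartialAttributeSet=TRUE)(systemFlags:1.2.840.113556.1.4.803:=2)))'

    Get-ADObject -Server $Server -SearchBase $schemaNC -LDAPFilter $filter `
                 -Properties lDAPDisplayName, isMemberOfPartialAttributeSet, systemFlags, searchFlags |
        ForEach-Object {
            $sysFlags    = [int]$_.systemFlags      # $null becomes 0
            $searchFlags = [int]$_.searchFlags
            [pscustomobject]@{
                lDAPDisplayName   = $_.lDAPDisplayName
                MemberByBoolean   = [bool]$_.isMemberOfPartialAttributeSet   # the marker admins can set
                RequiredByFlags   = ($sysFlags -band 0x2) -ne 0              # FLAG_ATTR_REQ_PARTIAL_SET, set by the system
                Confidential      = ($searchFlags -band 0x80) -ne 0          # CF bit: readers also need CONTROL_ACCESS on the GC
                DistinguishedName = $_.DistinguishedName
            }
        }
}

# Count the results of the =TRUE, =FALSE and !(=TRUE) filters to show that !(=TRUE) also
# covers the attributes on which isMemberOfPartialAttributeSet is <NOT SET>.
function Compare-PasFilter {
    param([string]$Server = 'R1FSRWDC1.IAMTEC.NET')
    $schemaNC = (Get-ADRootDSE -Server $Server).schemaNamingContext
    $counts = [ordered]@{}
    foreach ($f in 'TRUE', 'FALSE') {
        $counts["=$f"] = @(Get-ADObject -Server $Server -SearchBase $schemaNC `
            -LDAPFilter "(&(objectClass=attributeSchema)(isMemberOfPartialAttributeSet=$f))").Count
    }
    $counts['!(=TRUE)'] = @(Get-ADObject -Server $Server -SearchBase $schemaNC `
        -LDAPFilter '(&(objectClass=attributeSchema)(!(isMemberOfPartialAttributeSet=TRUE)))').Count
    $counts['total'] = @(Get-ADObject -Server $Server -SearchBase $schemaNC `
        -LDAPFilter '(objectClass=attributeSchema)').Count
    # Expected: total == '=TRUE' + '!(=TRUE)', and '!(=TRUE)' - '=FALSE' == number of <NOT SET> attributes
    [pscustomobject]$counts
}

# Add an attribute to the PAS or remove it, the supported way: write isMemberOfPartialAttributeSet
# on the schema master (the only DC that accepts schema writes). Needs Schema Admins.
# ConfirmImpact High means the change prompts unless you pass -Confirm:$false; use -WhatIf for a dry run.
function Set-PasMembership {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][string]$LdapDisplayName,
        [Parameter(Mandatory)][bool]$Member,
        [string]$Server = 'R1FSRWDC1.IAMTEC.NET'
    )
    $schemaMaster = (Get-ADForest -Server $Server).SchemaMaster
    $schemaNC     = (Get-ADRootDSE -Server $schemaMaster).schemaNamingContext
    $attr = Get-ADObject -Server $schemaMaster -SearchBase $schemaNC `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))" `
        -Properties systemFlags, isMemberOfPartialAttributeSet
    if (-not $attr) { throw "Attribute '$LdapDisplayName' not found in the schema" }
    if (-not $Member -and (([int]$attr.systemFlags -band 0x2) -ne 0)) {
        throw "'$LdapDisplayName' is required in the PAS (systemFlags 0x2) and cannot be removed from it"
    }
    if ($PSCmdlet.ShouldProcess($attr.DistinguishedName, "Set isMemberOfPartialAttributeSet=$Member on $schemaMaster")) {
        Set-ADObject -Server $schemaMaster -Identity $attr.DistinguishedName `
            -Replace @{ isMemberOfPartialAttributeSet = $Member }
    }
}

# Usage (read-only):
#   Get-PasAttribute | Where-Object { -not $_.MemberByBoolean } | Format-Table   # in the PAS only via systemFlags
#   Compare-PasFilter
# Usage (dry run of a schema change; 'extensionAttribute1' is a placeholder name):
#   Set-PasMembership -LdapDisplayName 'extensionAttribute1' -Member $true -WhatIf
```

Get-ADObject pages its results itself, so the counting function does not hit the 1000-object limit that a non-paged DirectorySearcher does. The write path deliberately refuses to clear isMemberOfPartialAttributeSet on an attribute that carries the systemFlags 0x2 bit, since such attributes stay in the PAS regardless of the boolean.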

More information:

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge ############# http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

One Response to “(2015-01-05) Finding Attributes Marked As Members Of Partial Attribute Set (PAS)”

  1. joe said

    adfind -sc pasl

    Additionally, there are two ways to mark an attribute to be part of the PAS; your examples only check one way. The AdFind command checks both.
