在Microsoft Active Directory中为每个对象类查找系统可修改属性 [英] Finding System modifiable attributes for each object class in Microsoft Active Directory

问题描述

我们可以看到属于systemMayContain属性列表的属性可以由用户修改.如果考虑computer对象类. 下面是对象类的定义 ( 1.2.840.113556.1.3.30 NAME 'computer' SUP user STRUCTURAL MAY (cn $ networkAddress $ localPolicyFlags $ defaultLocalPolicyObject $ machineRole $ location $ netbootInitialization $ netbootGUID $ netbootMachineFilePath $ siteGUID $ operatingSystem $ operatingSystemVersion $ operatingSystemServicePack $ operatingSystemHotfix $ volumeCount $ physicalLocationObject $ dNSHostName $ policyReplicationFlags $ managedBy $ rIDSetReferences $ catalogs $ netbootSIFFile $ netbootMirrorDataFile $ msDS-AdditionalDnsHostName $ msDS-AdditionalSamAccountName $ msDS-ExecuteScriptPassword $ msDS-KrbTgtLink $ msDS-RevealedUsers $ msDS-NeverRevealGroup $ msDS-RevealOnDemandGroup $ msDS-RevealedList $ msDS-AuthenticatedAtDC $ msDS-isGC $ msDS-isRODC $ msDS-SiteName $ msDS-PromotionSettings $ msTPM-OwnerInformation $ msTSProperty01 $ msTSProperty02 $ msDS-IsUserCachableAtRodc $ msDS-HostServiceAccount $ msTSEndpointData $ msTSEndpointType $ msTSEndpointPlugin $ msTSPrimaryDesktopBL $ msTSSecondaryDesktopBL $ msTPM-TpmInformationForComputer $ msDS-GenerationId $ msImaging-ThumbprintHash $ msImaging-HashAlgorithm $ netbootDUID $ msSFU30Name $ msSFU30Aliases $ msSFU30NisDomain $ nisMapName ) )

We could see attributes which are part of systemMayContain attributes list are user modifiable. If we consider the computer object class. Below is the definition of object class ( 1.2.840.113556.1.3.30 NAME 'computer' SUP user STRUCTURAL MAY (cn $ networkAddress $ localPolicyFlags $ defaultLocalPolicyObject $ machineRole $ location $ netbootInitialization $ netbootGUID $ netbootMachineFilePath $ siteGUID $ operatingSystem $ operatingSystemVersion $ operatingSystemServicePack $ operatingSystemHotfix $ volumeCount $ physicalLocationObject $ dNSHostName $ policyReplicationFlags $ managedBy $ rIDSetReferences $ catalogs $ netbootSIFFile $ netbootMirrorDataFile $ msDS-AdditionalDnsHostName $ msDS-AdditionalSamAccountName $ msDS-ExecuteScriptPassword $ msDS-KrbTgtLink $ msDS-RevealedUsers $ msDS-NeverRevealGroup $ msDS-RevealOnDemandGroup $ msDS-RevealedList $ msDS-AuthenticatedAtDC $ msDS-isGC $ msDS-isRODC $ msDS-SiteName $ msDS-PromotionSettings $ msTPM-OwnerInformation $ msTSProperty01 $ msTSProperty02 $ msDS-IsUserCachableAtRodc $ msDS-HostServiceAccount $ msTSEndpointData $ msTSEndpointType $ msTSEndpointPlugin $ msTSPrimaryDesktopBL $ msTSSecondaryDesktopBL $ msTPM-TpmInformationForComputer $ msDS-GenerationId $ msImaging-ThumbprintHash $ msImaging-HashAlgorithm $ netbootDUID $ msSFU30Name $ msSFU30Aliases $ msSFU30NisDomain $ nisMapName ) )

下面是列表systemMayContain属性 "systemMayContain":["msImaging-HashAlgorithm","msImaging-ThumbprintHash","msDS-GenerationId","msTPM-TpmInformationForComputer","msTSSecondaryDesktopBL","msTSPrimaryDesktopBL","msTSEndpointPlugin","msTSEndpointType","msTSEndpointData","msDS-HostServiceAccount","msDS-IsUserCachableAtRodc","msTSProperty02","msTSProperty01","msTPM-OwnerInformation","msDS-RevealOnDemandGroup","msDS-NeverRevealGroup","msDS-PromotionSettings","msDS-SiteName","msDS-isRODC","msDS-isGC","msDS-AuthenticatedAtDC","msDS-ExecuteScriptPassword","msDS-RevealedList","msDS-RevealedUsers","msDS-KrbTgtLink","volumeCount","siteGUID","rIDSetReferences","policyReplicationFlags","physicalLocationObject","operatingSystemVersion","operatingSystemServicePack","operatingSystemHotfix","operatingSystem","networkAddress","netbootSIFFile","netbootMirrorDataFile","netbootMachineFilePath","netbootInitialization","netbootDUID","netbootGUID","msDS-AdditionalSamAccountName","msDS-AdditionalDnsHostName","managedBy","machineRole","location","localPolicyFlags","dNSHostName","defaultLocalPolicyObject","cn","catalogs"]

如果我们认为msImaging-HashAlgorithm, msImaging-ThumbprintHash, msTPM-TpmInformationForComputer, msTSEndpointPlugin, msTSEndpointType, msTSEndpointData, msDS-HostServiceAccount, msTSProperty02, msTSProperty01, msTPM-OwnerInformation, msDS-RevealOnDemandGroup, msDS-NeverRevealGroup, msDS-PromotionSettings, msDS-AuthenticatedAtDC, msDS-RevealedUsers, msDS-KrbTgtLink, volumeCount, rIDSetReferences, policyReplicationFlags, physicalLocationObject, operatingSystemVersion, operatingSystemServicePack, operatingSystemHotfix, operatingSystem, networkAddress, managedBy, machineRole, location, localPolicyFlags, dNSHostName, defaultLocalPolicyObject, cn, catalogs，则这些字段是用户可修改的，并且是systemMayContain列表的一部分. 在创建Computer对象时尝试设置值时，它允许.有什么方法可以只知道不允许用户输入的系统字段?谢谢.

If we consider msImaging-HashAlgorithm, msImaging-ThumbprintHash, msTPM-TpmInformationForComputer, msTSEndpointPlugin, msTSEndpointType, msTSEndpointData, msDS-HostServiceAccount, msTSProperty02, msTSProperty01, msTPM-OwnerInformation, msDS-RevealOnDemandGroup, msDS-NeverRevealGroup, msDS-PromotionSettings, msDS-AuthenticatedAtDC, msDS-RevealedUsers, msDS-KrbTgtLink, volumeCount, rIDSetReferences, policyReplicationFlags, physicalLocationObject, operatingSystemVersion, operatingSystemServicePack, operatingSystemHotfix, operatingSystem, networkAddress, managedBy, machineRole, location, localPolicyFlags, dNSHostName, defaultLocalPolicyObject, cn, catalogs these fields are user modifiable and part of systemMayContain list. When tried with setting value while creating Computer object it allows. Is there any way to know only system fields which does not allow user input? Thank you.

推荐答案

此信息特定于Active Directory. MSDN拥有每个架构属性的文档-例如 CN －如果属性为仅限系统".

This information is specific to Active Directory. MSDN has documentation for each schema attribute -- e.g. CN -- which documents if the attribute is "system only" or not.

对于自动化过程，使用过滤器(&(ldapDisplayName=AttributeName))在基本cn=schema,cn=configuration,dc=example,dc=com处搜索，然后返回systemOnly的值.例如.这表明operatingSystemServicePack是用户可写的.

For an automated process, search at the base cn=schema,cn=configuration,dc=example,dc=com with the filter (&(ldapDisplayName=AttributeName))and return the value of systemOnly. E.G. this shows that operatingSystemServicePack is user writable.

***Searching...
ldap_search_s(ld, "cn=schema,cn=configuration,dc=example,dc=com", 2, "(&(ldapDisplayName=operatingSystemServicePack))", attrList,  0, &msg)
Getting 1 entries:
Dn: CN=Operating-System-Service-Pack,CN=Schema,CN=Configuration,dc=example,dc=com
systemOnly: FALSE; 

您还可以通过使用过滤器(&(systemOnly=TRUE))并返回ldapDisplayName

You can also list all of the system-only attributes by using the filter (&(systemOnly=TRUE)) and returning ldapDisplayName

***Searching...
ldap_search_s(ld, "cn=schema,cn=configuration,dc=example,dc=com", 2, "(&(systemOnly=TRUE))", attrList,  0, &msg)
Getting 189 entries:
Dn: CN=OM-Object-Class,CN=Schema,CN=Configuration,dc=example,dc=com
lDAPDisplayName: oMObjectClass; 

Dn: CN=Canonical-Name,CN=Schema,CN=Configuration,dc=example,dc=com
lDAPDisplayName: canonicalName; 

Dn: CN=Managed-Objects,CN=Schema,CN=Configuration,dc=example,dc=com
lDAPDisplayName: managedObjects; 

Dn: CN=MAPI-ID,CN=Schema,CN=Configuration,dc=example,dc=com
lDAPDisplayName: mAPIID; 

Dn: CN=Mastered-By,CN=Schema,CN=Configuration,dc=example,dc=com
lDAPDisplayName: masteredBy; 

Dn: CN=Top,CN=Schema,CN=Configuration,dc=example,dc=com
lDAPDisplayName: top; 

Dn: CN=NTDS-DSA-RO,CN=Schema,CN=Configuration,dc=example,dc=com
lDAPDisplayName: nTDSDSARO; 

Dn: CN=Application-Process,CN=Schema,CN=Configuration,dc=example,dc=com
lDAPDisplayName: applicationProcess; 
...

这篇关于在Microsoft Active Directory中为每个对象类查找系统可修改属性的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！