Solved

Updating AD's managedBy attribute

Posted on 2014-07-31
Last Modified: 2014-08-01
Using the following code block to populate this attribute.
It throws an exception stating "The specified directory service attribute or value already exists."
Yet, when I look at the properties, the two values are there.  What could I be doing wrong or how can I avoid this error?  Only thing I was thinking is to completely remove it beforehand, trap that error (though expected) and then try this method.... help?

Try
  ' Adds both DNs to the ManagedBy attribute in one call
  group.Properties("ManagedBy").AddRange(New String() {Primary.DistinguishedName, Backup.DistinguishedName})
  group.CommitChanges()
Catch ex As Exception
  Debug.Print(ex.Message)
End Try


0
Question by:sirbounty
10 Comments
 
LVL 4

Expert Comment

by:Kevin Stanush
ID: 40232942
I don't see that the ManagedBy attribute is multi-valued, so are you trying to put two values into it? How are you looking at the properties?
0
 
LVL 67

Author Comment

by:sirbounty
ID: 40232960
Yes, I am replacing a tool that is accomplishing multiple values, and I can look at it via PowerShell or Visual Studio and can see those values (just not through the ADUC interface)...
0
 
LVL 67

Author Comment

by:sirbounty
ID: 40232981
0
 
LVL 4

Expert Comment

by:Kevin Stanush
ID: 40233003
ManagedBy is single-valued. It's a DN-string, so the error is probably misleading. Usually it would be a constraint violation or something. This shows it as Single-Valued for all Windows versions:

http://msdn.microsoft.com/en-us/library/ms676857(v=vs.85).aspx
0
 
LVL 67

Author Comment

by:sirbounty
ID: 40233020
But if I can add multiple values to that attribute using PowerShell, I should be able to in Visual Studio, no?  They're both using .NET?

I can easily accomplish this in PowerShell.

Syntax from EMS: Set-DistributionGroup [-ManagedBy  <MultiValuedProperty>]
0

 
LVL 4

Expert Comment

by:Kevin Stanush
ID: 40233043
Let me know where you see that in the EMS.  I'm just looking at the documentation of the ManagedBy attribute (see link above).  Our own application, Hyena, also updates AD dynamically and it gets the schema information as single-valued.

I also checked using the Schema Manager snap-in, and it too shows it as single-valued.
0
 
LVL 4

Assisted Solution

by:Kevin Stanush
Kevin Stanush earned 500 total points
ID: 40233053
Look at the bottom of this link:

http://en.community.dell.com/techcenter/powergui/f/4834/p/19573603/20595790.aspx

Are you trying to maybe update a different value and using 'managedby' instead?
0
 
LVL 67

Author Comment

by:sirbounty
ID: 40233978
No, I've been using managedBy, but the link you posted may shed some light on the discrepancy I'm seeing in VS... I'll try that attribute instead.

This is one link I've used for set-distributiongroup:
http://social.technet.microsoft.com/Forums/scriptcenter/en-US/67f8bd40-7396-4423-8540-1b48ea5c6e99/powershell-cmd-to-get-distribution-list-owners-in-exchange?forum=ITCG
0
 
LVL 4

Accepted Solution

by:Kevin Stanush
Kevin Stanush earned 500 total points
ID: 40234168
Your link above references listing the owners, but I think I figured out why you and I are both right.  The problem comes from my literal interpretation of the AD attribute 'managedBy' and the terms used in PowerShell to manage it.  I don't use PowerShell.

When I used the EMC to set the Managed By on the Group Information tab for a group, I saw where you could add more than one user.  Well, this seemed impossible.  But it worked when I added two users.  So, I used our own product, Hyena, to view where the information went, and this is where I learned something.

Active Directory's attribute named "ManagedBy" can only accept one value.  When you add more than one user using PowerShell and use the -ManagedBy qualifier, it puts the FIRST user into the 'ManagedBy' directory attribute, then it puts the rest into the 'MsExchCoManagedByLink' attribute.  This IMO is a real mess.

So, the command to set multiple managedby values using PowerShell would be:

Set-DistributionGroup -Identity TestDL -Managedby user1, user2

You probably already knew this would work, and my apologies for not believing you.  The problem is that the term "ManagedBy" here is a command qualifier and I took it literally to mean the 'managedby' directory attribute.

In looking at your original code, I suspect that it too is trying to set the 'managedby' attribute, which only accepts one value.  So, can you put the rest into the 'MsExchCoManagedByLink'?
0
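
The split described in the accepted answer, as an added example that is not code from the thread or from either poster: the first DN is assigned to managedBy and the remaining DNs go into msExchCoManagedByLink, and a read-back helper collects both attributes so no manager is missed when reviewing who controls a group. The names SetManagers and GetManagers, the LDAP path and the sample DNs are hypothetical; it assumes a domain-joined machine, an Exchange-extended schema and a reference to System.DirectoryServices.

```vbnet
Imports System
Imports System.Collections.Generic
Imports System.DirectoryServices
Imports System.Linq

Module GroupManagers
    ' First DN goes to the single-valued managedBy attribute; the rest go to
    ' msExchCoManagedByLink, the split described in the accepted answer.
    Sub SetManagers(group As DirectoryEntry, managerDns As IList(Of String))
        If managerDns Is Nothing OrElse managerDns.Count = 0 Then
            Throw New ArgumentException("At least one manager DN is required.")
        End If
        ' Drop repeated DNs (case-insensitive) while keeping the caller's order.
        Dim dns = managerDns.Distinct(StringComparer.OrdinalIgnoreCase).ToList()

        ' Assign rather than AddRange: managedBy holds exactly one DN.
        group.Properties("managedBy").Value = dns(0)

        ' Replace the co-manager list with the remaining DNs.
        Dim coManagers = group.Properties("msExchCoManagedByLink")
        coManagers.Clear()
        For Each dn In dns.Skip(1)
            coManagers.Add(dn)
        Next
        group.CommitChanges()
    End Sub

    ' Reads both attributes so the full set of managers is returned.
    Function GetManagers(group As DirectoryEntry) As List(Of String)
        Dim result As New List(Of String)
        For Each attr In {"managedBy", "msExchCoManagedByLink"}
            For Each value In group.Properties(attr)
                result.Add(CStr(value))
            Next
        Next
        Return result
    End Function

    Sub Main()
        ' Constructed sample DNs and LDAP path; replace with real ones.
        Dim path = "LDAP://CN=TestDL,OU=Groups,DC=example,DC=com"
        Dim owners = {"CN=user1,OU=Users,DC=example,DC=com",
                      "CN=user2,OU=Users,DC=example,DC=com"}
        Using group As New DirectoryEntry(path)
            SetManagers(group, owners)
            group.RefreshCache()
            GetManagers(group).ForEach(Sub(dn) Console.WriteLine(dn))
        End Using
    End Sub
End Module
```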
 
LVL 67

Author Closing Comment

by:sirbounty
ID: 40234531
Yep, this makes much more sense now and is clearer from some articles I've read that reference what happens with the newer schema.
Code seems to be working now, so I'm satisfied - thank you for the quick turnaround on this one!
:^)
0
