Updating AD's managedBy attribute

Posted on 2014-07-31
Last Modified: 2014-08-01
Using the following code block to populate this attribute.
It throws an exception stating "The specified directory service attribute or value already exists.  "
Yet, when I look at the properties, the two values are there.  What could I be doing wrong or how can I avoid this error?  Only thing I was thinking is to completely remove it beforehand, trap that error (though expected) and then try this method.... help?

Try
  group.Properties("ManagedBy").AddRange(New String() {Primary.DistinguishedName, Backup.DistinguishedName})
  group.CommitChanges()
Catch ex As Exception
  Debug.Print(ex.Message)
End Try

Question by:sirbounty
10 Comments
 
LVL 6

Expert Comment

by:Kevin Stanush
ID: 40232942
I don't see that the ManagedBy attribute is multi-valued, so are you trying to put two values into it?  How are you looking at the properties?
0
 
LVL 67

Author Comment

by:sirbounty
ID: 40232960
Yes, I am replacing a tool that is accomplishing multiple values, and I can look at it via powershell or visual studio and can see those values (just not through the ADUC interface)...
0
 
LVL 67

Author Comment

by:sirbounty
ID: 40232981
0
 
LVL 6

Expert Comment

by:Kevin Stanush
ID: 40233003
ManagedBy is single-valued.  It's a DN-string, so the error is probably misleading. Usually it would be a constraint violation or something.  This shows it as Single-Valued for all Windows versions:

http://msdn.microsoft.com/en-us/library/ms676857(v=vs.85).aspx
0
 
LVL 67

Author Comment

by:sirbounty
ID: 40233020
But if I can add multiple values to that attribute using powershell, I should be able to in visual studio, no?  They're both using .net?

I can easily accomplish this in powershell.

Syntax from EMS: Set-DistributionGroup [-ManagedBy  <MultiValuedProperty>]
0
 
LVL 6

Expert Comment

by:Kevin Stanush
ID: 40233043
Let me know where you see that in the EMS.  I'm just looking at the documentation of the ManagedBy attribute (see link above).  Our own application, Hyena, also updates AD dynamically and it gets the schema information as single-valued.

I also checked using the Schema Manager snapin, and it too shows it as single-valued.
0
 
LVL 6

Assisted Solution

by:Kevin Stanush
Kevin Stanush earned 2000 total points
ID: 40233053
Look at the bottom of this link:

http://en.community.dell.com/techcenter/powergui/f/4834/p/19573603/20595790.aspx

Are you trying to maybe update a different value and using 'managedby' instead?
0
 
LVL 67

Author Comment

by:sirbounty
ID: 40233978
No, I've been using managedBy, but the link you posted may shed some light on the discrepancy I'm seeing in VS... I'll try that attribute instead.

This is one link I've used for set-distributiongroup:
http://social.technet.microsoft.com/Forums/scriptcenter/en-US/67f8bd40-7396-4423-8540-1b48ea5c6e99/powershell-cmd-to-get-distribution-list-owners-in-exchange?forum=ITCG
0
 
LVL 6

Accepted Solution

by:Kevin Stanush
Kevin Stanush earned 2000 total points
ID: 40234168
Your link above references listing the owners, but I think I figured out why you and I are both right.  The problem comes from my literal interpretation of the AD attribute 'managedBy' and the terms used in Powershell to manage it.  I don't use Powershell.

When I used the EMC to set the Managed By on the Group Information tab for a group, I saw where you could add more than one user.  Well, this seemed impossible.  But it worked when I added two users.  So, I used our own product, Hyena, to view where the information went, and this is where I learned something.

Active Directory's attribute named "ManagedBy" can only accept one value.  When you add more than one user using Powershell and use the -ManagedBy qualifier, it puts the FIRST user into the 'ManagedBy' directory attribute, then it puts the rest into the 'MsExchCoManagedByLink' attribute.  This IMO is a real mess.

So, the command to set multiple managedby values using Powershell, would be:

Set-DistributionGroup -Identity TestDL -Managedby user1, user2

You probably already knew this would work, and my apologies for not believing you.  The problem is that the term "ManagedBy" here is a command qualifier and I took it literally to mean the 'managedby' directory attribute.

In looking at your original code, I suspect that it too is trying to set the 'managedby' attribute which only accepts one value.  So, can you put the rest into the 'MsExchCoManagedByLink'?
0
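
An added example, not part of the original thread and not either poster's code: one way to write the split described in the accepted answer with System.DirectoryServices, plus a reader that returns every owner from both attributes so an ownership audit does not stop at managedBy. The module and function names and the DNs in Main are hypothetical, and it assumes the Exchange schema extension that defines msExchCoManagedByLink is present.

```vbnet
Imports System
Imports System.Collections.Generic
Imports System.DirectoryServices

Module GroupOwners
    ' Hypothetical helper: primaryDn goes into the single-valued managedBy,
    ' every other owner DN goes into the multi-valued msExchCoManagedByLink.
    Sub SetGroupManagers(groupEntry As DirectoryEntry, primaryDn As String,
                         coManagerDns As IEnumerable(Of String))
        ' Assigning .Value replaces the stored value instead of appending a second one.
        groupEntry.Properties("managedBy").Value = primaryDn

        Dim coManagers As PropertyValueCollection = groupEntry.Properties("msExchCoManagedByLink")
        For Each dn As String In coManagerDns
            ' Skip the primary owner and any DN already stored, so a re-run adds no duplicate.
            If String.Equals(dn, primaryDn, StringComparison.OrdinalIgnoreCase) Then Continue For
            If Not ContainsDn(coManagers, dn) Then coManagers.Add(dn)
        Next
        groupEntry.CommitChanges()
    End Sub

    ' Returns the primary owner followed by the co-managers.
    Function GetGroupManagers(groupEntry As DirectoryEntry) As List(Of String)
        Dim owners As New List(Of String)
        For Each attr As String In {"managedBy", "msExchCoManagedByLink"}
            For Each value As Object In groupEntry.Properties(attr)
                owners.Add(CStr(value))
            Next
        Next
        Return owners
    End Function

    Private Function ContainsDn(values As PropertyValueCollection, dn As String) As Boolean
        For Each value As Object In values
            If String.Equals(CStr(value), dn, StringComparison.OrdinalIgnoreCase) Then Return True
        Next
        Return False
    End Function

    Sub Main()
        ' Constructed placeholder DNs; replace with objects from your own directory.
        Using groupEntry As New DirectoryEntry("LDAP://CN=TestDL,OU=Groups,DC=example,DC=com")
            SetGroupManagers(groupEntry, "CN=user1,OU=Users,DC=example,DC=com",
                             {"CN=user2,OU=Users,DC=example,DC=com"})
            For Each dn As String In GetGroupManagers(groupEntry)
                Console.WriteLine(dn)
            Next
        End Using
    End Sub
End Module
```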
 
LVL 67

Author Closing Comment

by:sirbounty
ID: 40234531
Yep, this makes much more sense now and clearer from some articles I've read that reference what happens with the newer schema.
Code seems to be working now, so I'm satisfied - thank you for the quick turnaround on this one!
:^)
0
