(Best viewed on a Mac or using Safari on Windows)
Deconstructing an AD User Entity
Steve Hideg
October 27, 28, 29 2008
There are 14 tabs in the Properties window of a user entry in the Active Directory Users and Computers application.
This document will be an attempt at mapping the fields found in those tabs to various attributes in AD's LDAP schema.
There are also 10 tabs in the Properties window of a user entry in the Exchange Management Console. Mappings for fields and settings for those are also discussed in this document.
Notes:
- Click on each graphic to change its size. You must have javascript enabled for this feature.
- This analysis was primarily accomplished by creating an account on the test server and seeding fields and settings in the AD interfaces with values and comparing those to values shown in attributes in the corresponding LDAP entry on the AD test server.
- The "Mapped From" column in each table lists where we would get this data from the existing directory server.
It may include Banner or other sources as this document evolves.
- Many of the values in the graphics are simply placeholders and do not necessarily reflect the correct data or format an attribute should have.
Correct data and formats should be ultimately clarified in the example value and comment columns of the tables.
AD - General
Name, description, basic location and contact information.
|
Field/Setting
|
Attribute Name
|
Mapped From
|
Example Value
|
|
First name
|
givenName
|
givenName
|
John
|
|
|
Initials
|
initials
|
|
H
|
Not currently stored in LDAP as a separate attribute.
|
|
Last name
|
sn
|
sn
|
Doe
|
|
|
Display name
|
displayName
|
displayName, cn
|
Johnny Doe
|
Human-readable name in lieu of cn, which must be unique.
|
|
Description
|
description
|
description
|
New Student 200810
|
Description field, sometimes used in LDAP searches.
|
|
Office
|
physicalDeliveryOfficeName
|
smcEduRoomNumber, smcEduBuildingName
|
101 Haggar College Center
|
Described in MSDN as "Contains the office location in the user's place of business."
|
|
Telephone number
|
telephoneNumber
|
telephoneNumber
|
+1 574 284 4882
|
Standard LDAP format is as shown in the example. I don't know what AD requires or accommodates.
|
|
E-mail
|
mail
|
mail
|
jdoe@saintmarys.edu
|
Email address. Not restricted to saintmarys.edu?
|
|
Web page
|
wWWHomePage
|
labeledUri
|
http://www.saintmarys.edu/~jdoe
|
|
AD - Address
Postal address information.
|
Field/Setting
|
Attribute Name
|
Source
|
Example Value
|
|
Street
|
streetAddress
|
street, smcEduRoomNumber, smcEduBuildingName
|
239 Moreau Center for the Arts
|
AD doesn't (in this interface) use the LDAP-standard street attribute. Probably best to parse this from street and change banner data parsing for syncing AD to Banner.
|
|
P.O. Box
|
postOfficeBox
|
|
|
Not used
|
|
City
|
l
|
l
|
Notre Dame
|
The attribute l is for "location" which equates to a city in LDAP parlance.
|
|
State/province
|
st
|
st
|
IN
|
|
|
Zip/Postal Code
|
postalCode
|
postalCode
|
46556
|
|
|
Country/region
|
co, c, countryCode
|
postalCode
|
co: United States
c: US
countryCode: 840
|
We have not been storing country information in LDAP, but I have run across instances where we should. This will be built into the Banner-to-AD sync code.
I don't know where the mappings between co, c and countryCode come from.
|
AD - Account
Account and password management information.
|
Field/Setting
|
Attribute Name
|
Source
|
Example Value
|
|
User logon name
|
userPrincipalName
|
uid
|
userPrincipalName: jdoe@saintmarys.edu
|
Looks like this only controls userPrincipalName.
userPrincipalName needs the domain name appended to the uid as shown.
|
|
User logon name (pre-Windows 2000)
|
sAMAccountName
|
uid
|
jdoe
|
Mandatory
|
|
Account Options
|
userAccountControl?
|
|
?
|
See this article
|
|
Account Expires
|
userAccountControl?
accountExpires?
|
|
?
|
See this article
and this article
|
AD - Profile
Windows profile, login script, home directory information
|
Field/Setting
|
Attribute Name
|
Source
|
Example Value
|
|
Profile path
|
profilePath
|
|
?
|
Not used initially (per Merideth).
|
|
Login script
|
scriptPath
|
|
?
|
Preferred management method is via group policies (per Merideth).
|
|
Home folder -> Local path
|
homeDirectory
|
|
?
|
Preferred management method is via group policies (per Merideth).
|
|
Home folder -> Connect
|
?
|
|
?
|
I cannot test this.
Preferred management method is via group policies (per Merideth).
|
AD - Telephones
Telephone and fax numbers
|
Field/Setting
|
Attribute Name
|
Source
|
Example Value
|
|
Home
|
homePhone
|
homePhone
|
+1 574 284 4882
|
Standard LDAP format is as shown in the example. I don't know what AD requires or accommodates.
|
|
Pager
|
pager
|
pager
|
+1 574 284 4882
|
Not used in current directory.
Standard LDAP format is as shown in the example. I don't know what AD requires or accommodates.
|
|
Mobile
|
mobile
|
mobile
|
+1 574 284 4882
|
Standard LDAP format is as shown in the example. I don't know what AD requires or accommodates.
|
|
Fax
|
facsimileTelephoneNumber
|
facsimileTelephoneNumber
|
+1 574 284 4882
|
Standard LDAP format is as shown in the example. I don't know what AD requires or accommodates.
|
|
IP phone
|
ipPhone
|
|
?
|
I don't know what AD requires or accommodates.
|
|
Notes
|
info
|
|
|
|
AD - Organization
Organization information (duh)
|
Field/Setting
|
Attribute Name
|
Source
|
Example Value
|
|
Title
|
title
|
title
|
Assoc. Professor - Art
|
|
|
Department
|
department
|
ou
|
Center for Spirituality
|
Current directory stores this information in a value of the ou attribute. Note that this is not the same as an OU container.
|
|
Company
|
company
|
o
|
Saint Mary's College
|
AD doesn't (in this interface) use the LDAP-standard o attribute. I suggest we populate both o and company.
|
|
Manager -> Name
|
manager
|
|
CN=dmckeown,OU=Infotech,
OU=People,DC=saintmarys,DC=edu
|
Contains the DN of this person's supervisor. If this information is available in a consistent manner, it may be possible to do a banner-PIDM-to-AD/LDAP-DN mapping and put it in this attribute during sync.
|
|
Direct reports
|
|
|
|
I could not test this.
|
AD - Member Of
Security group membership.
|
Field/Setting
|
Attribute Name
|
Source
|
Example Value
|
|
Member of
|
memberOf
|
eduPersonPrimaryAffiliation, primary unix group membership, /etc/group entries
|
CN=Staff,OU=UserGroups,
OU=Groups,DC=saintmarys,DC=edu
|
Doug said we should have a subset of the security group structure reflect the OU structure (Faculty, Staff, Students, etc). Any user account in an OU will also be made a member of the corresponding security group at account creation.
Every user is by default a member of "Domain Users".
Membership in security groups should correspond with membership in unix groups?
|
|
Set Primary Group (button)
|
primaryGroupID
|
eduPersonPrimaryAffiliation, primary unix group membership
|
513
|
Select a group in the member of list then click this button.
513 is the group number of Domain Users which is the default primary group.
|
AD - Dial-in
Will this be used? Only if we deal with VPNs (per Merideth)
Preferred management method is via group policies (per Merideth).
AD - Environment
Settings appear to be encoded and stored in (at least) userParameters.
Preferred management method is via group policies (per Merideth).
AD - Sessions
Can't tell where these are stored.
Preferred management method is via group policies (per Merideth).
AD - COM+
Can't test this.
Will this be used?
AD - Unix Attributes
Unix attributes of an account.
|
Field/Setting
|
Attribute Name
|
Source
|
Example Value
|
|
NIS Domain
|
msSFU30NisDomain
|
|
adsmc?
|
Is this the name of the AD domain?
|
|
UID
|
uidNumber
|
uidNumber
|
10001
|
These must match current uidNumbers or file ownership on the server will break.
|
|
Login Shell
|
loginShell
|
loginShell
|
/bin/csh
|
|
|
Home Directory
|
unixHomeDirectory
|
homeDirectory
|
/home/infotech1/khausman
|
NOTE: the homeDirectory attribute has been hijacked by AD for windows use. The traditional homeDirectory data has to be remapped to unixHomeDirectory.
|
|
Primary group name/GID
|
gidNumber
|
gidNumber, eduPersonPrimaryAffiliation
|
22
|
This is the primary unix group and has nothing to do with primaryGroupID.
|
EX - General
|
Field/Setting
|
Attribute Name
|
Source
|
Example Value
|
|
|
displayName
|
displayName
|
Johnny Doe
|
First field in this tab appears to manipulate displayName.
|
|
Alias
|
mail, mailNickName
|
mail? mailAlternateAddress?
|
Johnny Doe
|
This could be fun...
This also influences the list in EX - E-mail Addresses.
|
|
Hide from Exchange address lists (checkbox)
|
msExchHideFromAddressLists
|
zimbraHideInGal
|
TRUE, FALSE
|
"Determines if the recipient appears in address lists."
We could look at zimbraHideInGal for each account on Zimbra during migration.
|
|
Custom Attributes (button)
|
|
|
|
See EX - Custom Attributes.
|
EX - User Information
|
Field/Setting
|
Attribute Name
|
Source
|
Example Value
|
|
First name
|
givenName
|
givenName
|
John
|
|
|
Initials
|
initials
|
|
H
|
Not currently stored in LDAP as a separate attribute.
|
|
Last name
|
sn
|
sn
|
Doe
|
|
|
Name
|
cn, DN
|
uid
|
jdoe
|
This manipulates the cn attribute, which is part of the entry's Distinguished Name. This must be unique.
|
|
Simple Display Name
|
displayNamePrintable
|
displayName
|
John Doe
|
Separate from, but similar to displayName.
|
|
Web page
|
wWWHomePage
|
labeledUri
|
http://www.saintmarys.edu/~jdoe
|
|
|
Notes
|
info
|
|
|
|
EX - Address and Phone
|
Field/Setting
|
Attribute Name
|
Source
|
Example Value
|
|
Street address
|
streetAddress
|
street, smcEduRoomNumber, smcEduBuildingName
|
239 Moreau Center for the Arts
|
AD doesn't (in this interface) use the LDAP-standard street attribute. Probably best to parse this from street and change banner data parsing for syncing AD to Banner.
|
|
City
|
l
|
l
|
Notre Dame
|
The attribute l is for "location" which equates to a city in LDAP parlance.
|
|
State/province
|
st
|
st
|
IN
|
|
|
Zip/Postal Code
|
postalCode
|
postalCode
|
46556
|
|
|
Country/region
|
co, c, countryCode
|
postalCode
|
co: United States
c: US
countryCode: 840
|
We have not been storing country information in LDAP, but I have run across instances where we should. This will be built into the Banner-to-AD sync code.
I don't know where the mappings between co, c and countryCode come from.
|
|
Business
|
telephoneNumber
|
telephoneNumber
|
+1 574 284 4882
|
Standard LDAP format is as shown in the example. I don't know what AD requires or accommodates.
|
|
Pager
|
pager
|
pager
|
+1 574 284 4882
|
Not used in current directory.
Standard LDAP format is as shown in the example. I don't know what AD requires or accommodates.
|
|
Fax
|
facsimileTelephoneNumber
|
facsimileTelephoneNumber
|
+1 574 284 4882
|
Standard LDAP format is as shown in the example. I don't know what AD requires or accommodates.
|
|
Home
|
homePhone
|
homePhone
|
+1 574 284 4882
|
Standard LDAP format is as shown in the example. I don't know what AD requires or accommodates.
|
|
Mobile
|
mobile
|
mobile
|
+1 574 284 4882
|
Standard LDAP format is as shown in the example. I don't know what AD requires or accommodates.
|
|
Fax
|
facsimileTelephoneNumber
|
facsimileTelephoneNumber
|
+1 574 284 4882
|
Standard LDAP format is as shown in the example. I don't know what AD requires or accommodates.
|
EX - Account
|
Field/Setting
|
Attribute Name
|
Source
|
Example Value
|
|
User logon name
|
name, msSFU30Name, uid, userPrincipalName
|
uid
|
name: jdoe
msSFU30Name: jdoe
uid: jdoe
userPrincipalName: jdoe@saintmarys.edu
|
I don't know if all of these attributes are controlled from this interface element, but they all need to be derived from the current uid attribute.
userPrincipalName needs the domain name appended to the uid as shown.
|
|
User logon name (pre-Windows 2000)
|
sAMAccountName
|
uid
|
jdoe
|
Do we need this? Prior research has indicated that this attribute is mandatory.
|
|
User must change password at next logon
|
pwdLastSet
|
|
|
Checking this box seems to set pwdLastSet to 0.
|
EX - Member Of
|
Field/Setting
|
Attribute Name
|
Source
|
Example Value
|
|
Member of
|
memberOf
|
eduPersonPrimaryAffiliation, primary unix group membership, /etc/group entries
|
CN=Staff,OU=UserGroups,
OU=Groups,DC=saintmarys,DC=edu
|
Doug said we should have a subset of the security group structure reflect the OU structure (Faculty, Staff, Students, etc).
Any user account in an OU will also be made a member of the corresponding security group at account creation.
This interface does not display the default a membership in "Domain Users" as AD - Member Of does.
Membership in security groups should correspond with membership in unix groups?
|
EX - E-mail Addresses
|
Field/Setting
|
Attribute Name
|
Source
|
Example Value
|
|
Address
|
mail
mailNickname
proxyAddresses (multi)
|
mail
mail
mail, mailAlternateAddress
|
jdoe@saintmarys.edu
jdoe@saintmarys.edu
SMTP:jdoe@saintmarys.edu, smtp:...
|
Evidently proxyAddresses is multi-valued and it is where mail aliases are stored. Each line in this list has a corresponding value in proxyAddresses.
The line that is bold reflects data in proxyAddresses that has "SMTP" in ALL CAPS and is presumably the account's "main" address.
|
EX - Messaging Records Management
|
Field/Setting
|
Attribute Name
|
Source
|
Example Value
|
|
Managed folder mailbox policy
|
|
|
|
I was unable to test this.
|
|
Enable retention hold for items in this mailbox (checkbox)
|
msExchELCMailboxFlags
|
|
1
|
Checking this box creates attribute msExchELCMailboxFlags and sets its value to 1.
|
|
Start Date
|
msExchELCExpirySuspensionStart
|
|
20081028190957.0Z
|
Appears to be a date/time stamp, but I don't believe it's a standard LDAP date string.
|
|
End Date
|
msExchELCExpirySuspensionEnd
|
|
20081029190957.0Z
|
Appears to be a date/time stamp, but I don't believe it's a standard LDAP date string.
|
EX - Storage Quotas
|
Field/Setting
|
Attribute Name
|
Source
|
Example Value
|
|
Use mailbox database defaults (checkbox)
|
mDBUseDefaults
|
|
TRUE, FALSE
|
Checking this box gives mDBUseDefaults a value of TRUE.
Unchecking it sets mDBUseDefaults to FALSE.
|
|
Issue warning at (KB) (checkbox & field)
|
mDBStorageQuota
|
zimbraMailQuota from individual accounts or COS, policy
|
10001
|
Checking this box creates attribute mDBStorageQuota and gives it a value as entered in the field.
Unchecking it removes mDBStorageQuota.
|
|
Prohibit send at (KB) (checkbox & field)
|
mDBOverQuotaLimit
|
zimbraMailQuota from individual accounts or COS, policy
|
10002
|
Checking this box creates attribute mDBOverQuotaLimit and gives it a value as entered in the field.
Unchecking it removes mDBOverQuotaLimit.
|
|
Prohibit send and receive at (KB) (checkbox & field)
|
mDBOverHardQuotaLimit
|
zimbraMailQuota from individual accounts or COS, policy
|
10003
|
Checking this box creates attribute mDBOverHardQuotaLimit and gives it a value as entered in the field.
Unchecking it removes mDBOverHardQuotaLimit.
|
|
Use mailbox database defaults (checkbox)
|
|
|
|
I can't determine what this affects in the LDAP entry.
|
|
Keep deleted items for (days)
|
garbageCollPeriod
|
|
1123200
|
Appears to be the value of the field multiplied by 86400. The attribute value is the number of seconds corresponding to the number of days specified in the field.
|
|
Do not permanently delete items until you back up the database (checkbox)
|
|
|
|
I can't determine what this affects in the LDAP entry.
|
EX - Delivery Options
|
Field/Setting
|
Attribute Name
|
Source
|
Example Value
|
|
Send on behalf -> Grant this permission to
|
publicDelegates
|
|
CN=jsmith,OU=Staff,OU=People,DC=saintmarys,DC=edu
|
"This property specifies the list of URLs of all users that have access to the mailbox."
Actually, it looks like Distinguished Names, not URLs. publicDelegates appears to be multi-valued.
|
|
Forward to
|
altRecipient
|
mailForwarddingAddress,
zimbraFeatureMailForwardingEnabled,
zimbraMailForwardingAddress,
zimbraPrefMailForwardingAddress
|
CN=jsmith,OU=Staff,OU=People,DC=saintmarys,DC=edu
|
"An alternative recipient to receive e-mail."
Distinguished Name. Is this multi or single? If it is only single, what do we do about accounts that already have multiple fowarding addresses (e.g. www)?
|
|
Deliver message to both forwarding address and mailbox (checkbox)
|
deliverAndRedirect
|
zimbraPrefMailLocalDeliveryDisabled, mailDeliveryOption
|
TRUE
|
"Indicates whether to forward every message to another recipient."
Checking this box causes attribute deliverAndRedirect to be created and assigned a value of TRUE.
This has the opposite logic of zimbraPrefMailLocalDeliveryDisabled, and is the equivalent of setting values of both "mailbox" and "forward" for mailDeliveryOption on Aegis.
|
|
Maximum recipients (checkbox & field)
|
msExchRecipLimit
|
smtpd_recipient_limit (postfix)?
|
1000
|
"The maximum number of recipients this user may send to, or a global maximum for the organization."
Checking this box causes attribute msExchRecipLimit to be created and assigned a value of the contents of the field.
I believe zimbra uses postfix's smtpd_recipient_limit. Curiously, this appears (set to 1000) in main.cf.default but not in main.cf on zmta1.
|
EX - Message Size Restrictions
|
Field/Setting
|
Attribute Name
|
Source
|
Example Value
|
|
Sending... ->Maximum message size (in KB) (checkbox & field)
|
submissionContLength
|
message_size_limit (postfix)
|
11000
|
"The maximum length, in kilobyte (KB), of a message that can be sent to the contact."
The definition at the above link sounds like it's referring to received messages, while the interface indicates sending.
Checking this box causes attribute submissionContLength to be created and assigned a value of the contents of the field.
I believe zimbra uses postfix's message_size_limit (104857600).
|
|
Receiving... -> Maximum message size (in KB) (checkbox & field)
|
delivContLength
|
message_size_limit (postfix)
|
22000
|
"Amount of data, in kilobyte (KB), that you are allowed to receive."
Checking this box causes attribute delivContLength to be created and assigned a value of the contents of the field.
I believe zimbra uses postfix's message_size_limit (104857600).
|
EX - Message Delivery Restrictions
|
Field/Setting
|
Attribute Name
|
Source
|
Example Value
|
|
Accept messages from (radio buttons & list)
|
authOrig (individuals)
dLMemSubmitPerms (groups)
|
|
CN=Ima Staff,CN=Users,DC=d,DC=saintmarys,DC=edu
CN=imagroup,CN=Users,DC=d,DC=saintmarys,DC=edu
|
authOrig: "The identity of the person who wrote the original message or body part."
dLMemSubmitPerms: "A distribution list (DL) whose members may send to this recipient or send messages over this connector."
|
|
Require that all senders are authenticated (checkbox)
|
msExchRequireAuthToSendTo
|
|
TRUE
|
How to restrict the users who can send inbound Internet e-mail to another user or to a distribution group in Exchange 2003
Checking this box creates attribute msExchRequireAuthToSendTo and sets its value to TRUE.
|
|
Reject messages from (radio buttons & list)
|
unauthOrig (individuals)
dLMemRejectPerms (groups)
|
|
CN=Ima Staff,CN=Users,DC=d,DC=saintmarys,DC=edu
CN=imagroup,CN=Users,DC=d,DC=saintmarys,DC=edu
|
unauthOrig: "Contains e-mail addresses that cannot send messages to this e-mail address."
Actually, it contains a DN, not an email address.
|
EX - Mailbox Features
|
Field/Setting
|
Attribute Name
|
Source
|
Example Value
|
|
Outlook Web Access
|
protocolSettings (2 values)
|
|
OWA§0 (disabled) and
HTTP§1§1§§§§§§ (disabled)
OWA§1 (enabled) and
HTTP§0§1§§§§§§ (enabled)
|
How to manage Outlook Web Access features in Exchange Server 2003
|
|
Exchange ActiveSync
|
?
|
|
|
Could not test this.
|
|
Unified Messaging
|
?
|
|
|
Could not test this. Not manipulatable.
|
|
MAPI
|
protocolSettings
|
|
MAPI§0§§§§§§§ (disabled)
MAPI§1§§§§§§§ (enabled)
|
|
|
POP3
|
protocolSettings
|
|
POP3§0§0§§§§§§§0§ (disabled)
POP3§1§1§§§§§§§0§ (enabled, use protocol default)
POP3§1§0§§§§§§§0§ (enabled, Text)
POP3§1§0§§§§§§§1§ (enabled, HTML)
POP3§1§0§§§§§§§2§ (enabled, HTML & alternative text)
POP3§1§0§§§§§§§3§ (enabled, enriched text)
POP3§1§0§§§§§§§4§ (enabled, enriched text & alternative text)
POP3§1§0§§§§§§§5§ (enabled, best body format)
POP3§1§0§§§§§§§6§ (enabled, TNEF)
|
|
|
IMAP4
|
protocolSettings
|
|
IMAP4§0§1§§§§§§§0§ (disabled)
IMAP4§1§1§§§§§§§0§ (enabled, use protocol default)
IMAP4§1§0§§§§§§§0§ (enabled, Text)
IMAP4§1§0§§§§§§§1§ (enabled, HTML)
IMAP4§1§0§§§§§§§2§ (enabled, HTML & alternative text)
IMAP4§1§0§§§§§§§3§ (enabled, enriched text)
IMAP4§1§0§§§§§§§4§ (enabled, enriched text & alternative text)
IMAP4§1§0§§§§§§§5§ (enabled, best body format)
IMAP4§1§0§§§§§§§6§ (enabled, TNEF)
|
|
