ADS changes using JNDI (Java)

Brandon McCombs

Does anyone know whether ADS (win2k3) lets a user modify a group's scope
or type programmatically when using JNDI? It seems that it doesn't
based on the code I've set up. I'm using the following values to make the
mods as appropriate:

//groupType attribute values
public static final String GLOBAL_DIST_GROUP = "2";
public static final String GLOBAL_SEC_GROUP = "-2147483646";
public static final String DOMAIN_LOCAL_DIST_GROUP = "4";
public static final String DOMAIN_LOCAL_SEC_GROUP = "-2147483644";
public static final String UNIVERSAL_DIST_GROUP = "8";
public static final String UNIVERSAL_SEC_GROUP = "-2147483640";

//sAMAccountType attribute values
public static final String GLOBAL_DIST_TYPE = "268435457";
public static final String GLOBAL_SEC_TYPE = "268435456";
public static final String DOMAIN_LOCAL_DIST_TYPE = "536870913";
public static final String DOMAIN_LOCAL_SEC_TYPE = "536870912";
public static final String UNIVERSAL_DIST_TYPE = "268435457";
public static final String UNIVERSAL_SEC_TYPE = "268435456";

I did notice that when using the ADUC snap-in it will warn a user when
changing a group's type from security to distribution (since the group
could already be involved in some ACLs), but no such warning occurs for
scope changes, but through JNDI I can't change either one. Thanks for
any tips (I searched using Google and didn't find anything regarding this).


thanks
brandon
 
What scope are you trying to move to and from (e.g. global to universal,
security to distro, etc.)?

--
Thanks,
Brian Desmond
Windows Server MVP - Directory Services

www.briandesmond.com
 
Brian said:
What scope are you trying to move to and from (e.g. global to universal,
security to distro, etc.)?

Well initially I tried moving from a Security type to Distribution and I
got the WILL_NOT_PERFORM JNDI error. Upon trying the same thing in ADUC
I first got a warning about permissions possibly being messed up since a
security group could be used in ACLs.

When trying to change the same group from a Global scope to Universal I
also got a WILL_NOT_PERFORM. I've implemented the same restrictions on
the scope changes as ADS enforces so a Global can only be changed to
Universal and a Universal can be changed to Domain Local or Global (as
long as it isn't one of the default groups) and so on. I only tested by
trying to change from Global to Universal (and only on 1 test group) and
didn't see a need to try any other combination since the same attribute
is involved with scope changes; it's just the value of the attribute that
differs.


thanks for responding
Brandon
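
The groupType values and the scope-change restrictions described in this thread, as an added example that is not part of the original posts: it decodes a groupType string into its scope and security bits, rejects a transition outside the rules, and builds the new value while keeping the other bits. The names GroupTypeCheck, Scope and rescope are hypothetical, and the Domain Local to Universal entry is an assumption, since the post covers it only with "and so on".

```java
import java.util.EnumSet;
import java.util.Map;

public class GroupTypeCheck {
    // Bit decomposition of the groupType values quoted in the thread:
    // "-2147483646" is 0x80000002, i.e. the security bit plus the global scope bit.
    static final int SECURITY_ENABLED = 0x80000000;
    static final int SCOPE_MASK = 0x2 | 0x4 | 0x8;

    enum Scope {
        GLOBAL(0x2), DOMAIN_LOCAL(0x4), UNIVERSAL(0x8);
        final int bit;
        Scope(int bit) { this.bit = bit; }

        static Scope of(int groupType) {
            for (Scope s : values()) {
                if ((groupType & s.bit) != 0) return s;
            }
            throw new IllegalArgumentException("no scope bit set in " + groupType);
        }
    }

    // Scope changes as stated in the post; DOMAIN_LOCAL -> UNIVERSAL is an assumption.
    static final Map<Scope, EnumSet<Scope>> ALLOWED = Map.of(
        Scope.GLOBAL, EnumSet.of(Scope.UNIVERSAL),
        Scope.UNIVERSAL, EnumSet.of(Scope.GLOBAL, Scope.DOMAIN_LOCAL),
        Scope.DOMAIN_LOCAL, EnumSet.of(Scope.UNIVERSAL));

    static boolean isSecurity(String groupType) {
        return (Integer.parseInt(groupType) & SECURITY_ENABLED) != 0;
    }

    /** Returns the groupType string for the target scope, leaving all non-scope bits intact. */
    static String rescope(String current, Scope target) {
        int value = Integer.parseInt(current);
        Scope from = Scope.of(value);
        if (from != target && !ALLOWED.get(from).contains(target)) {
            throw new IllegalStateException(from + " -> " + target + " is not a permitted scope change");
        }
        return Integer.toString((value & ~SCOPE_MASK) | target.bit);
    }

    public static void main(String[] args) {
        String globalSec = "-2147483646"; // GLOBAL_SEC_GROUP from the post
        System.out.println("security group: " + isSecurity(globalSec));
        System.out.println("global -> universal: " + rescope(globalSec, Scope.UNIVERSAL));
        try {
            rescope(globalSec, Scope.DOMAIN_LOCAL); // not a direct transition
        } catch (IllegalStateException e) {
            System.out.println("rejected before the directory call: " + e.getMessage());
        }
    }
}
```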
 