donchuan

Reputation: 95

Security Accounts Manager attributes

I would like to create a user in AD using the attributes defined for another user from the same OU. But I do have an issue with SAM-protected items.

To do that I am creating an instance of a user already defined in AD with all the properties. Then I am using the New-AdUser command to create a new user using the created instance. However, in the properties there are elements which are managed by the Security Accounts Manager - I tried to find which parameters belong to SAM but with no results. Can anyone help me to determine the parameters I am actually able to copy? So I can define which parameters I would like to copy from the created instance.

PS C:\Users\xxx> $userInstance = Get-ADUser $accountIdentifier -properties *
PS C:\Users\xxx> New-ADUser -GivenName "John" -Instance $userInstance -Surname "Smith" -Title "Salesman" -EmailAddress "[email protected]" -UserPrincipalName [email protected] -Name "John Smith"

As a result I have the following error message:

New-ADUser : Access to the attribute is not permitted because the attribute is owned by the Security Accounts Manager (SAM)

Upvotes: 1

Views: 2675

Answers (1)

AdminOfThings

Reputation: 25031

You can use the following to determine which attributes can be copied:

$searchBase = "CN=Schema,$((Get-ADRootDSE).configurationNamingContext)"
$Attributes = Get-ADObject -SearchBase $searchBase -Filter * -Properties searchflags,ldapdisplayname |
    Where-Object {$_.SearchFlags -band 16} | Select ldapdisplayname
$Attributes

Then you can use the attributes listed in the output as a guide for what you feed into the -Properties parameter of the New-ADUser command.

Essentially, this goes through every schema attribute in AD and returns the attributes where the searchflags attribute has the 16 decimal bit turned on. Depending on your display, you may see this as a hex representation (0x00000010). You cannot just rely on the value of 16, because that value will change if other bits are turned on. The decimal values for the bits are summed. For this reason, we use the -band (bitwise and) operator. You can read more about the Search-Flags attribute here.

Upvotes: 1
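Putting the answer's schema lookup to work, here is an added example (not from the original answer or the asker) that copies only the schema-flagged attributes from a template user and passes them through -OtherAttributes instead of handing the whole Get-ADUser object to -Instance, which is what drags the SAM-owned attributes into the error. The template account 'jdoe', the target OU and the new user's details are placeholders; the LDAP bitwise-AND matching rule is used in place of the -band test, and back-link and systemOnly attributes are dropped because they cannot be written on a new object.

```powershell
# Added example, not part of the original answer. Copy only the attributes the schema marks as
# "copied when duplicating a user" (searchFlags bit 0x10) from a template account.
# Assumptions: 'jdoe' is the template's sAMAccountName; the target OU is a placeholder.
Import-Module ActiveDirectory

$templateSam = 'jdoe'                              # placeholder template account
$targetOu    = 'OU=Sales,DC=example,DC=com'        # placeholder destination OU

# 1. Copyable attributes, filtered server-side with the LDAP bitwise-AND matching rule
#    (1.2.840.113556.1.4.803); this is the same test as ($_.searchFlags -band 16) above,
#    with systemOnly attributes excluded because they can never be set by a caller.
$schemaBase = "CN=Schema,$((Get-ADRootDSE).configurationNamingContext)"
$copyable = Get-ADObject -SearchBase $schemaBase `
    -LDAPFilter '(&(searchFlags:1.2.840.113556.1.4.803:=16)(!(systemOnly=TRUE)))' `
    -Properties lDAPDisplayName, linkID |
    Where-Object { -not ($_.linkID -and ($_.linkID % 2 -eq 1)) } |   # odd linkID = back-link (e.g. memberOf), read-only
    Select-Object -ExpandProperty lDAPDisplayName

# 2. Attributes that may carry the copy flag but must stay unique per account.
$neverCopy = @('sAMAccountName', 'userPrincipalName', 'mail', 'homeDirectory',
               'profilePath', 'userAccountControl')

# 3. Build the -OtherAttributes hashtable from the template's populated values only.
$template   = Get-ADUser -Identity $templateSam -Properties *
$otherAttrs = @{}
foreach ($attr in $copyable) {
    if ($neverCopy -contains $attr) { continue }
    $value = $template.$attr
    if ($null -eq $value -or ($value -is [string] -and $value -eq '')) { continue }
    # multi-valued attributes come back as a collection; hand New-ADUser a plain array
    $otherAttrs[$attr] = if ($value -is [System.Collections.ICollection]) { @($value) } else { $value }
}

# 4. Create the account with its own identity plus the filtered template attributes.
#    -WhatIf previews the call; remove it once the attribute set below looks right.
New-ADUser -Name 'John Smith' -GivenName 'John' -Surname 'Smith' -SamAccountName 'jsmith' `
    -UserPrincipalName 'jsmith@example.com' -Path $targetOu -OtherAttributes $otherAttrs -WhatIf
$otherAttrs.Keys | Sort-Object   # review exactly which attributes would be copied
```

Group membership is not copied this way because memberOf is a back-link; add the new account to the template's groups with Add-ADGroupMember afterwards.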

Related Questions