Udostępnij za pośrednictwem


Redirecting Well Known Containers (CN=Users; CN=Computers etc.)

In this post we will see the Powershell way of redirecting Users and Computers containers (i.e. Powershell equivalent of tools: redirusr.exe and redircmp.exe).

By now you might know that you can use Get-ADDomain cmdlet for viewing the well-known containers of a domain, For example:

 PS C:\Users\Administrator.DSWAMIPAT-W7-V1> Get-ADDomain | select *Container


ComputersContainer                 : CN=Computers,DC=dswamipat-w7-vm1,DC=nttest,DC=microsoft,DC=com
DeletedObjectsContainer            : CN=Deleted Objects,DC=dswamipat-w7-vm1,DC=nttest,DC=microsoft,DC=com
DomainControllersContainer         : OU=Domain Controllers,DC=dswamipat-w7-vm1,DC=nttest,DC=microsoft,DC=com
ForeignSecurityPrincipalsContainer : CN=ForeignSecurityPrincipals,DC=dswamipat-w7-vm1,DC=nttest,DC=microsoft,DC=com
LostAndFoundContainer              : CN=LostAndFound,DC=dswamipat-w7-vm1,DC=nttest,DC=microsoft,DC=com
QuotasContainer                    : CN=NTDS Quotas,DC=dswamipat-w7-vm1,DC=nttest,DC=microsoft,DC=com
SystemsContainer                   : CN=System,DC=dswamipat-w7-vm1,DC=nttest,DC=microsoft,DC=com
UsersContainer                     : OU=SwamTempOU,DC=dswamipat-w7-vm1,DC=nttest,DC=microsoft,DC=com

However, Get-ADDomain cmdlet does not show you all the well-known containers. For example some lesser known containers such as: Program Data Container, Managed Service Account Container (which is technically an Other-Well-Known container) etc. are missing. Also, one cannot change/redirect a well-known container to some other OU using Set-ADDomain cmdlets.

These limitations can be easily overcome using Get-ADObject and Set-ADObject cmdlets. This blog discusses how to do these tasks using ADObject cmdlets and also provides easy-to-use functions for them.

Fetching well-known containers is really simple. All you have to do is read the wellKnownObjects and otherWellKnownObjects properties of the domain’s default naming context.

 PS C:\Users\Administrator.DSWAMIPAT-W7-V1> Get-ADObject (Get-ADRootDSE).DefaultNamingContext -Properties otherWellKnownObjects, wellKnownObjects | fl OtherWellKnownObjects, wellKnownObjects


OtherWellKnownObjects : {B:32:1EB93889E40C45DF9F0C64D23BBB6237:OU=TestMSAOU,DC=dswamipat-w7-vm1,DC=nttest,DC=microsoft,DC=com}
wellKnownObjects      : {B:32:A9D1CA15768811D1ADED00C04FD8D5CD:OU=SwamTempOU,DC=dswamipat-w7-vm1,DC=nttest,DC=microsoft,DC=com, B:32:6227F0AF1FC2410D8E3BB10615BB5B0F:CN=NTDS Quotas,DC=dswamipat-w7-vm1,DC=nttest,DC=microsoft,DC=com, B:32:F4BE92A4C777485E878E9421D53087DB:CN=Microsoft,CN=Program Data,DC=dswamipat-w7-vm1,DC=nttest,DC=microsoft,DC=com, B:32:09460C08AE1E4A4EA0F64AEE7DAA1E5A:CN=Program Data, DC=dswamipat-w7-vm1,DC=nttest,DC=microsoft,DC=com...}

These properties contain a list of well-known object containers by GUID and distinguished name. Of course you must know the GUID of the container that you are looking for, to find its value.

Also, changing/redirecting a well-known container can be done using Set-ADObject cmdlet by removing the old value from wellKnownObjects/otherWellKnownObjects attribute on the default naming context (i.e. DC=domainname,DC=com) and adding a new value. For example in order to redirect the Users container, one would run the following command:

 PS C:\Users\Administrator.DSWAMIPAT-W7-V1> Set-ADObject (Get-ADRootDSE).DefaultNamingContext -Remove @{wellKnownObjects = "B:32:A9D1CA15768811D1ADED00C04FD8D5CD:CN=Users,DC=dswamipat-w7-vm1,DC=nttest,DC=microsoft,DC=com" } -Add @{wellKnownObjects = "B:32:A9D1CA15768811D1ADED00C04FD8D5CD:OU=SwamTempOU,DC=dswamipat-w7-vm1,DC=nttest,DC=microsoft,DC=com" } -server (Get-ADDomain).PDCEmulator

NOTE: The operation must be performed on the Primary domain controller (PDC).

Though it is feasible to use Get-ADObject and Set-ADObject cmdlets to read and manipulate well known containers, it is cumbersome. I have written few functions that would Get and Set the values of these containers.

In order to express the container name in a user-friendly way (rather than a cryptic GUID) I have created a new Enum called: WellKnownGuid. (I used a modified version of Add-Enum script described here in order to create the Enum)

There are two functions Get-XADWellKnownContainer and Set-XADWellKnownContainer that would get and set the value of a well-known container identified by its WellKnownGuid.

Example:

 PS C:\Users\Administrator.DSWAMIPAT-W7-V1> Get-XADWellKnownContainer UsersContainer
OU=SwamTempOU,DC=dswamipat-w7-vm1,DC=nttest,DC=microsoft,DC=com


PS C:\Users\Administrator.DSWAMIPAT-W7-V1> Get-XADWellKnownContainer ComputersContainer
CN=Computers,DC=dswamipat-w7-vm1,DC=nttest,DC=microsoft,DC=com

For getting the values of all the Well-known containers of a domain type this:

 PS C:\Users\Administrator.DSWAMIPAT-W7-V1> [Enum]::GetNames([WellKnownGuid]) | %{ $_.PadRight(30) + " : "+(Get-XADWellKnownContainer $_)}
UsersContainer                 : OU=SwamTempOU,DC=dswamipat-w7-vm1,DC=nttest,DC=microsoft,DC=com
ComputersContainer             : CN=Computers,DC=dswamipat-w7-vm1,DC=nttest,DC=microsoft,DC=com
SystemsContainer               : CN=System,DC=dswamipat-w7-vm1,DC=nttest,DC=microsoft,DC=com
DCContainer                    : OU=Domain Controllers,DC=dswamipat-w7-vm1,DC=nttest,DC=microsoft,DC=com
InfrastructureContainer        : CN=Infrastructure,DC=dswamipat-w7-vm1,DC=nttest,DC=microsoft,DC=com
DeletedObjectsContainer        : CN=Deleted Objects,DC=dswamipat-w7-vm1,DC=nttest,DC=microsoft,DC=com
LostAndFoundContainer          : CN=LostAndFound,DC=dswamipat-w7-vm1,DC=nttest,DC=microsoft,DC=com
ForeignSecurityPrincipalContainer : CN=ForeignSecurityPrincipals,DC=dswamipat-w7-vm1,DC=nttest,DC=microsoft,DC=com
ProgramDataContainer           : CN=Program Data,DC=dswamipat-w7-vm1,DC=nttest,DC=microsoft,DC=com
MicrosoftProgramDataContainer  : CN=Microsoft,CN=Program Data,DC=dswamipat-w7-vm1,DC=nttest,DC=microsoft,DC=com
NtdsQuotasContainer            : CN=NTDS Quotas,DC=dswamipat-w7-vm1,DC=nttest,DC=microsoft,DC=com
ManagedServiceAccountContainer : OU=LeakTestOU,DC=dswamipat-w7-vm1,DC=nttest,DC=microsoft,DC=com

For changing/redirecting a well-known container simply pass the container name and new DN to Set-XADWellKnownContainer function.

Example:

 PS C:\Users\Administrator.DSWAMIPAT-W7-V1> Set-XADWellKnownContainer  UsersContainer CN=Users,DC=dswamipat-w7-vm1,DC=nttest,DC=microsoft,DC=com"


PS C:\Users\Administrator.DSWAMIPAT-W7-V1> Get-XADWellKnownContainer  UsersContainer
CN=Users,DC=dswamipat-w7-vm1,DC=nttest,DC=microsoft,DC=com

The script that contains these functions can be found attached to this blog.

For more information on well-known containers, read this: Binding to Well-Known Objects using WKGUID.

Cheers,

Swami

RedirectingWellKnownGuidContainer.ps1

Comments

  • Anonymous
    February 23, 2011
    dont ry this stuff it can break your AD
  • Anonymous
    October 31, 2011
    ^^All Active Directory modifications must be taken with caution. Make sure you know what you are doing before you start to make changes you do not understand.
  • Anonymous
    January 17, 2012
    1: public partial class RedirectingContainer : TemplatePage  2: {  3:     private PageData redirectTarget = null;  4:    5:     protected override void OnInit(EventArgs e)  6:     {  7:         base.OnInit(e);  8:         // Detect edit mode by checking for underscore (workpage prefix) in id  9:         if (!(Request.QueryString["id"] ?? String.Empty).Contains("")) 10:         { 11:             // Perform redirect immediately 12:             Response.Redirect(RedirectTarget.LinkURL); 13:         } 14:     } 15:   16:     protected override void OnLoad(EventArgs e) 17:     { 18:         base.OnLoad(e); 19:         // Display a link to the redirect page 20:         hlRedirect.NavigateUrl = RedirectTarget.LinkURL; 21:         hlRedirect.Text = String.Format("{0} ({1})", RedirectTarget.PageName, RedirectTarget.PageLink.ID); 22:     } 23:   24:     protected PageData RedirectTarget 25:     { 26:         get 27:         { 28:             if (_redirectTarget == null) 29:             { 30:                 // Get specified page or parent if empty 31:                 PageReference pageLink = (PageReference)(CurrentPage["ContainerRedirectTarget"] ?? PageReference.EmptyReference); 32:                 // Make sure the redirect target is not the current page (avoid infinite loop) 33:                 pageLink = (PageReference.IsNullOrEmpty(pageLink) || pageLink.Equals(CurrentPage.PageLink)) ? CurrentPage.ParentLink : pageLink; 34:                 _redirectTarget = DataFactory.Instance.GetPage(pageLink); 35:   36:             } 37:             return _redirectTarget; 38:         } 39:     } 40: }The above code can be used for the task as well
  • Anonymous
    August 24, 2013
    The comment has been removed
  • Anonymous
    June 03, 2014
    Unimaginable and unbelievable. I am Mary Smith from the United States and i have a good news to share to the entire world. Do you need your ex husband or lover urgently? I wanna tell you that you need not to worry because i have a good news for those out there that are faced or similar to such situation because there is always a hope and a solution to all problem. There is a great spell caster called Great DR.ODUBU who can really solve your problem. Getting my lover back is what i can't imagine but when I was losing Jackson, I needed help and somewhere to turn badly but my Aunty told me about this spell caster who also helped her on the internet. I thought it won't work but i just tried to give this man a chance and i ordered a LOVE SPELL. Two days later, my phone rang. Jackson was his old self again and wanted to come back to me! Not only come back, the spell caster opened him up to know how much I loved and needed him. This Spell Casting isn't brainwashing, but he opened up his eyes to know how much we have to share together and he also cast a protection spell and no side effect for the spell and also he still cast money spell for me too but i have no problem about money i am reach now and also happy with my family. I recommend anyone who is in my old situation to try him because he will help you and make things be the way it thought to be. If you have such problem or similar to this, please contact him on his email DR.{odubuspiritualtempledr@yahoo}.com thank you Great DR.ODUBU and may your gods reward you for your good deeds { odubuspiritualtempledr@yahoo.com.}
  • Anonymous
    August 22, 2014
    The comment has been removed
  • Anonymous
    August 27, 2014
    I want to thank Dr. godwin for getting my lover back to me within 48 hours. When my lover left me i was so tired and frustrated till i search the internet for help and i saw so many good talk about Dr godwin of solidodspelltemple2@gmail.com and i decided to give him a try and i contact him and explain my problems to him and he cast a love spell for me which i use to get my husband back.If you want to get your lover back contact Dr. godwin via email: solidodspelltemple2@gmail.com Dr.godwin the great man that is able to bring back lost lovesolidodspelltemple2@gmail.com
  • Anonymous
    September 21, 2014
    Byenveni nan tanp lan nan repons te tout pwoblèmyo rezoud ak gwo nam rele Dr bazecol la li ka ede wrezoud tout kalite pou pwoblèm. kontakte l 'pounenpòt ki kalite pou période (1) période renmen (2)période Lajan (4) période Gwosès (5) période loto (6)VIH / SIDA période (7) Ex tounen période (8) Si ou apchèche pou travay ( 9) Bon chans période.Bazecolspell@gmail.com +234805064927