Lost in a Sea of Attributes
Forget who has access to which services? Find your way back with the LDAP Browser.
- By Bill Boswell
- 12/09/2003
Bill: I'm running Exchange
2000. I disabled the HTTP protocol in Exchange properties for users who are
not authorized to have OWA access. Over time, I've allowed certain users the
ability to use HTTP but I've lost track of which people I've authorized to have
it. Is there a way to have Active Directory tell me what users have the HTTP
protocol enabled in the AD Users & Computers snap-in?
Dan
Dan: I was not able to find this information in the Exchange
documentation, so I used the LDAP Browser (ldp.exe) from the Windows Server
2003 Support Tools to dump a regular mailbox-enabled user's AD attributes. I
then disabled the HTTP protocol in the user's Exchange properties, dumped the
attributes again, and compared the results to find the difference.
It turns out that the Exchange protocol configuration for a user gets stored
in an attribute called ProtocolSettings. The following listings show the value
for this attribute when all three protocols (POP3, IMAP4, and HTTP) have been
disabled and again for when they are enabled:
'All protocols disabled
protocolSettings: POP3§0§1§4§ISO-8859-1§0§§§;IMAP4§0§1§4§ISO-8859-1§0§1§0§0;
HTTP§0§1§§§§§§;
'All protocols enabled
protocolSettings: POP3§1§1§4§ISO-8859-1§0§§§;IMAP4§1§1§4§ISO-8859-1§0§1§0§0;
HTTP§1§1§§§§§§;
You can use the Find feature in AD Users & Computers to search for users
who have an HTTP setting in the ProtocolSettings attribute that indicates Enabled.
Select the Custom Search option and the Advanced tab, then enter this LDAP
query:
(objectcategory=user)(ProtocolSettings=*http§1§1§*)
Click on Find Now to get a list of the users who have HTTP enabled.
Get
Help from Bill |
Got a Windows or Exchange question or need troubleshooting
help? Or maybe you want a better explanation than provided
in the manuals? Describe your dilemma in an e-mail
to Bill at mailto:[email protected];
the best questions get answered in this column.
When you send your questions, please include your
full first and last name, location, certifications (if
any) with your message. (If you prefer to remain anonymous,
specify this in your message but submit the requested
information for verification purposes.)
|
|
|
Just as a quick aside: If you have a Windows XP workstation where you do your
AD management, you can install the Windows Server 2003 admin tools, which includes
a version of AD Users & Computers with a Saved Queries feature. This lets
you enter LDAP queries like the one above and get a graphical display just like
you'd get when browsing the contents of an OU. Then, you can save the query
and use it anytime you want. Very cool, and it works great against a Windows
2000 domain.
Hope this helps.
Much Ado about ACLs and Exmerges
In last
week's column, I included a script to make changes to MAPI permissions.
Alert administrator Pete wrote me to point out that the script gives an ActiveX
error.
It turns out that the script requires a copy of ACL.DLL, which, unfortunately
is not available in compiled form at the Microsoft Download site. However, you
can download a tool from Microsoft's ftp site: ftp.microsoft.com/pss/tools.
Download the Outlook_Folders application and install it. This places an up-to-date
copy of ACL.DLL on the machine.
If you don't like the idea of installing an unsupported tool on a production
Exchange server, you can install the Outlook_Folders utility on a workstation
then copy the ACL.DLL file to the Exchange server and register it as follows:
regsvr32 acl.dll
This eliminates the ActiveX error when you run the script at the server.
As a follow-up to "Weighty
Decision in an Exchange/Windows Upgrade ," regarding migrating
user mailboxes using Exmerge, reader Greg points out that this form of mailbox
migration can cause problems when replying to internal messages after the X.500
address changes. If you plan on using Exmerge to migrate mailboxes between Exchange
organizations or between sites in the same legacy organization, see Microsoft
KnowledgeBase article 275134,
"XADM: Cannot Reply to Messages That Are Sent from a User Account That
Was Moved to a Different Site."
About the Author
Contributing Editor Bill Boswell, MCSE, is the principal of Bill Boswell Consulting, Inc. He's the author of Inside Windows Server 2003 and Learning Exchange Server 2003 both from Addison Wesley. Bill is also Redmond magazine's "Windows Insider" columnist and a speaker at MCP Magazine's TechMentor Conferences.