Whenever we try to create a computer object in Microsoft Active Directory as below:

var ldap = require('ldapjs');

var client = ldap.createClient({
  url: 'ldap://<<host>>:389'
});

client.bind('<<Admin DN>>', '<<password>>', function(err) {
  if(err){
      console.log('error',err);
  }else{
      console.log('bind is success');
  }
});

var newDN = "CN=testcomputeruser,OU=testou,DC=test,DC=com";
var newUser = {
    cn: 'newtestComputer334',
    objectClass: 'computer',
    description: 'This is test implementation hence this is test description.', 
    //UndefinedAttributeTypeError:  'msDS-RevealedList':'S:12:RevealedList:CN=RevealedList,OU=testou,DC=test,DC=com',   
    //UndefinedAttributeTypeError   'msDS-isGC':'FALSE',
    //UndefinedAttributeTypeError   'msDS-isRODC':'FALSE',
    //UndefinedAttributeTypeError   'msDS-SiteName':'TestmsDSSiteName', 
    //UndefinedAttributeTypeError   'msDS-IsUserCachableAtRodc':'568974',   
  }

client.add(newDN, newUser,function(err, resp) {
    console.log('newDN : ', newDN);
    console.log('newUser : ' ,newUser);
  if(err){
      console.log('error',err);
  }else{
      console.log('new user is success');
  }
})

It is failing with UndefinedAttributeTypeError for a few attributes like msDS-RevealedList, msDS-isGC, msDS-isRODC, msDS-SiteName and msDS-IsUserCachableAtRodc after providing an appropriate value.

Is there any way to find out what the issue is?

1 Answer

Those are all constructed attributes, meaning that AD calculates the value of those attributes at the time you ask for them. They are not writable.

Sometimes you see this in the documentation online. For example, the documentation for msDS-RevealedList says:

The msDS-RevealedList attribute is constructed from the msDS-RevealedUsers attribute

But some of the documentation pages don't tell you that, like msDS-isGC.

The easiest way to figure out if it's a constructed attribute is to use AD Users and Computers. Make sure View -> Advanced Features is selected. Then navigate to an OU and open the properties of a type of object you want to look at (like a computer). Then go to the Attribute Editor tab. Use the 'Filter' button and make sure the "Show only" options are deselected. Then show or hide Constructed attributes, and see if the attribute you're looking for shows up.

Gabriel Luci
  • Thank you for your inputs. Currently we are using the Active Directory schema for object creation. Is there any way to know the same from the schema instead of using a UI tool? – prashanthmadduri Jan 01 '20 at 12:50
  • Probably, but I'm not entirely sure. It might be a bit flag attribute on the schema object. There isn't a whole lot of documentation about it. – Gabriel Luci Jan 01 '20 at 16:08
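
The schema question raised in the comments can be answered from the directory itself: on each attributeSchema object, bit 0x4 of systemFlags (FLAG_ATTR_IS_CONSTRUCTED in MS-ADTS) marks a constructed attribute. The following is an added example, not part of the original thread; the helper names (indexSchema, checkPayload) and the sample schema rows are assumptions constructed for illustration.

```javascript
// Added example. Schema rows below are constructed sample data, not output
// from a real directory.
// MS-ADTS: bit 0x4 of systemFlags on an attributeSchema object is
// FLAG_ATTR_IS_CONSTRUCTED.
const FLAG_ATTR_IS_CONSTRUCTED = 0x4;

// Filter for a search under the schema naming context (schemaNamingContext
// in the rootDSE) that returns only constructed attributes. The OID is AD's
// bitwise-AND matching rule.
const CONSTRUCTED_FILTER =
  '(&(objectClass=attributeSchema)(systemFlags:1.2.840.113556.1.4.803:=4))';

// Map lowercased lDAPDisplayName -> true when the attribute is constructed.
function indexSchema(entries) {
  const index = new Map();
  for (const e of entries) {
    // systemFlags arrives as a decimal string and may be absent or negative.
    const flags = parseInt(e.systemFlags, 10) || 0;
    index.set(e.lDAPDisplayName.toLowerCase(),
      (flags & FLAG_ATTR_IS_CONSTRUCTED) !== 0);
  }
  return index;
}

// Split an add() payload so constructed attributes never reach the server.
function checkPayload(payload, index) {
  const out = { notConstructed: {}, constructed: [], unknown: [] };
  for (const [name, value] of Object.entries(payload)) {
    const flag = index.get(name.toLowerCase());
    if (flag === undefined) out.unknown.push(name);
    else if (flag) out.constructed.push(name);
    else out.notConstructed[name] = value;
  }
  return out;
}

const sampleSchema = [ // constructed sample values
  { lDAPDisplayName: 'cn', systemFlags: '18' },
  { lDAPDisplayName: 'objectClass', systemFlags: '18' },
  { lDAPDisplayName: 'description' },
  { lDAPDisplayName: 'msDS-isGC', systemFlags: '20' },
  { lDAPDisplayName: 'msDS-SiteName', systemFlags: '20' },
];
const report = checkPayload({
  cn: 'newtestComputer334', objectClass: 'computer',
  description: 'test', 'msDS-isGC': 'FALSE', 'msDS-SiteName': 'x', foo: '1',
}, indexSchema(sampleSchema));
console.log(report);
```

An attribute that lands in notConstructed can still be rejected for other reasons, for example when the schema marks it systemOnly.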