Unity users not showing in AD Users & Computers?
26 Aug 2007 02:38:10 pm
Some user objects created or modified by Cisco Unity fail to show in Active Directory Users and Computers unless Advanced Features is enabled.
In addition to simple view issues, some tools (e.g. Microsoft’s own ADMT) fail to locate user accounts. This is how I ran into the issue this weekend, trying to do a migration for one of our customers. Fortunately for them only about 100 mailboxes were affected.
As I understand it this is thanks to Cisco Unity (confirmed in 4.2.1 and 5.x). Looking at the Directory attributes it modifies (AD attributes Unity has access to) you’ll notice that the Unity attribute AVP_HIDDEN_IN_DIRECTORY is listed for both the msExchHideFromAddressLists attribute (which stops a user from getting displayed in the Exchange address lists that someone would look at in Outlook) and the showInAdvancedViewOnly attribute (which stops it from getting displayed in a host of other places). Although I haven’t been able to do extensive testing I’m fairly confident now that when you set a user as hidden from the directory in Unity it’s modifying both attributes in AD and that is the root of the problem.
So the question is how to fix it?
What I ended up doing was to use ldifde.exe to export the user objects where the attribute was set to true:
Next I used PowerShell to parse the LDF file and give me a list of the DNs of the users to fix:
And assembled a quick PowerShell script to generate a new LDF for import:
---------------------------------
# $fixusers is the path to the file of DN lines produced in the previous step.
# Each line is written out as-is, so it must already be a complete LDIF "dn: ..." line.
Get-Content $fixusers | ForEach-Object -Process {
    Write-Output $_ >> fixed_users.ldf
    Write-Output "changetype: modify" >> fixed_users.ldf
    Write-Output "replace: showInAdvancedViewOnly" >> fixed_users.ldf
    Write-Output "showInAdvancedViewOnly: FALSE" >> fixed_users.ldf
    Write-Output "-" >> fixed_users.ldf
    Write-Output "" >> fixed_users.ldf
}
Set the filename variable and run it:
> .\fix-hidden-users.ps1
Lastly use ldifde.exe again to import the changes:
As usual the typical disclaimers apply. There may be a good reason that your accounts are hidden, so do your homework first; you may also want to consider limiting the scope of your LDF export by specifying the base DN with the -d switch. Any damage you cause by using the above tasks/scripts is your own problem, USE AT YOUR OWN RISK!
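The parse and generate steps above, combined into one function as an added example (not the author's script). It assumes the export is standard LDIF as written by ldifde; the function name, sample DNs and output file name are constructed. Unlike a plain line filter, it rejoins DNs that the export folded across lines, passes base64 `dn::` lines through unchanged, and only emits a modify record for objects that still have showInAdvancedViewOnly set to TRUE.

```powershell
# Added example; function name, sample DNs and file name are constructed.
function ConvertTo-UnhideLdif {
    param([string[]]$ExportLines)

    # 1. Unfold: an LDIF line that starts with one space continues the previous line.
    $unfolded = New-Object System.Collections.Generic.List[string]
    foreach ($line in $ExportLines) {
        $last = $unfolded.Count - 1
        if ($line.StartsWith(' ') -and $last -ge 0) {
            $unfolded[$last] = $unfolded[$last] + $line.Substring(1)
        } else { $unfolded.Add($line) }
    }
    $unfolded.Add('')   # sentinel blank line so the final record is flushed

    # 2. Walk blank-line-separated records; keep only objects still flagged TRUE.
    #    'dn::' (base64-encoded DN) lines are passed through unchanged.
    $dn = $null; $hidden = $false
    foreach ($line in $unfolded) {
        if ($line -match '^dn::? ') { $dn = $line }
        elseif ($line -match '^showInAdvancedViewOnly:\s*TRUE\s*$') { $hidden = $true }
        elseif ($line.Trim() -eq '') {
            if ($dn -and $hidden) {
                $dn
                'changetype: modify'
                'replace: showInAdvancedViewOnly'
                'showInAdvancedViewOnly: FALSE'
                '-'
                ''
            }
            $dn = $null; $hidden = $false
        }
    }
}

# Constructed sample export: one plain record, one folded DN, one already visible.
$sample = @(
    'dn: CN=Constructed User One,OU=Staff,DC=example,DC=com',
    'showInAdvancedViewOnly: TRUE',
    '',
    'dn: CN=Constructed User With A Very Long Name,OU=Staff,OU=Branch,DC=exa',
    ' mple,DC=com',
    'showInAdvancedViewOnly: TRUE',
    '',
    'dn: CN=Visible User,OU=Staff,DC=example,DC=com',
    'showInAdvancedViewOnly: FALSE'
)
ConvertTo-UnhideLdif $sample | Set-Content -Encoding ASCII -Path fixed_users.ldf
```

With the sample input the output file holds two modify records, and the record count can be compared against the number of objects in the export before anything is imported.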
Good Luck!
Erik Szewczyk