tags:

views:

142

answers:

2
+1  Q: 

Active directory - ldap attribute createTimeStamp in Windows Server 2008 R2

To check how many users were created in the past one year for a particular domain I queried like the following,

(&(objectCategory=person)(objectClass=user)(!(sAMAccountType=805306370))(createTimeStamp>=20090831022227.0Z))

I have two domain controllers, DC-1 is Windows Server 2008 and DC-2 is Windows Server 2008 R2 and this query works fine with the 2008 Server & I found that there were 1500 new users in the last year, but 2008 R2 Server gives only 64 users. I have made the search for domain level & different OU levels and there is no change in the result count(64) but the users were different. I have also checked with other Domain DC's and for all other servers it works fine and another 2008 R2 Server alone gave the same result count, 64. I have also confirmed that this is not a replication issue.

Need Help.

A: 

I find strange that you use !(sAMAccountType=805306370) in the search criteria. There are different values for sAMAccountType. There are new supported values for new operation system (compare http://msdn.microsoft.com/en-us/library/cc220839(PROT.13).aspx and http://msdn.microsoft.com/en-us/library/cc228417(PROT.13).aspx. Moreover you write about user accounts, so the point of your interest are SAM_USER_OBJECT (0x30000000 or 805306368).

So I suggest to use the query

(&
  (objectCategory=person)
  (objectClass=user)
  (sAMAccountType=805306368)
  (createTimeStamp>=20090831022227.0Z)
)

and compare the results on both DCs. If you do have different results pick up some accounts which are in one set and not in another and search explicit for the account.

Oleg  2010-09-03 22:20:48
That doesn't work either
Mack  2010-09-06 05:02:39
What doesn't work? Do you have different results on two DCs? Do you find out at least one user account which is in one set and not in the other?
Oleg  2010-09-06 06:11:10
The query you have suggested doesn't work.Let me explain the problem in a different way,I'm using the search query for DC level - Result is 64Search query applied for 'Users' Container - Result is 64Search query applied for an OU named 'HR' - Result is 64Search query applied for an OU named 'Test' - Result is 64How come this is possible.
Mack  2010-09-07 10:26:42
@Mack: I recommed you to verify LDAP_OPT_SIZELIMIT session option (see http://msdn.microsoft.com/en-us/library/aa367019.aspx) on both servers. You don't post any code example. Do you use paging of results? You can also pickup one account from 1500 which is not in the list of 64 users and search this account explicitly on the Windows Server 2008 R2. If you do find it you have just problem with the default limit of results, which you can just fix with paging of results (see http://msdn.microsoft.com/en-us/library/aa367011.aspx and http://support.microsoft.com/kb/2009267).
Oleg  2010-09-07 11:09:18
@Mark: for paring of results you can use either `ldap_create_page_control()`, `ldap_search_ext_s()`, `ldap_parse_result()` (see http://publib.boulder.ibm.com/infocenter/iseries/v5r3/index.jsp?topic=/apis/ldap_paged_results.htm) or better ldap_search_init_page(), ldap_get_next_page_s(). In .NET you will not have the problem with paging at all. You can just set `PageSize` and `SizeLimit` properties of `DirectorySearcher`, call `FindAll()` method and go through the results. I used all the above methods so if you find out that your problem are really the size limit or paging problem I could help.
Oleg  2010-09-07 11:31:00
@Oleg: I don't have any paging or session restrictions. Using the above query I get the same 1500users but the only change was, instead of createTimeStamp I used whenCreated. Still I'm curious to know what goes wrong with createTimeStamp and that too with 2008 R2 alone.
Mack  2010-09-08 08:40:07
@Mack: It's a little strange. Could you display both `createTimeStamp` and `whenCreated` attributes when you use in the query `whenCreated`. Which values hat wrong entries? The only difference between `createTimeStamp` and `whenCreated` attributes are that `whenCreated` in the global catalog.
Oleg  2010-09-08 10:52:33
@Oleg: Let me post it as a reply instead.
Mack  2010-09-08 14:13:10
A: 

For createTimeStamp :

(&(objectCategory=person)(objectClass=user)(!(sAMAccountType=805306370))(createTimeStamp>=20090831022227.0Z)) which will fetch only 64 users irrespective of the domain/OU.

For whenCreated :

(&(objectCategory=person)(objectClass=user)(!(sAMAccountType=805306370))(whenCreated>=20090831022227.0Z)) which will fetch all the recently created users.

I'm still confused why createTimeStamp behaves differently for 2008 R2 alone.

PS: My domain functional level & forest functional level both are 2008 R2

Mack  2010-09-08 14:19:14

related questions

Verifying files for testing
How do you create your own moniker (URL Protocol) on Windows systems?
Windows Equivalent of 'nice'
Is this a good way to determine OS Architecture?
Dual vs. Quadcore on a Webserver
Is there a WMI Redistributable Package?
PHP Error - Uploading a file
Ruby On Rails with Windows Vista - Best Setup?
OpenVPN Config file to prevent timeout
How can I create Debian install packages in Windows for a Visual Studio project?
How do I configure and communicate with a serial port?
What's the best setup for Mono development on Windows?
Appropriate pagefile size for SQL Server
XML Editing/Viewing Software
Linux shell equivalent on IIS
What is a better file copy alternative than the Windows default?
Windows Help files - what are the options?
Heap corruption under Win32; how to locate?
Best way to access Exchange using PHP?
Get a preview jpeg of a pdf on windows?
WinForms ComboBox data binding gotcha
How do you schedule tasks in Windows?
Register Windows program with the mailto protocol programmatically
Embedding Windows Media Player for all Browsers
Best Subversion clients for Windows Vista (64bit)