Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Obtaining authorization AD attributes about the parent OU of an AD object

  • 1.  Obtaining authorization AD attributes about the parent OU of an AD object

    Posted Mar 29, 2017 10:42 AM

    Hi,

    My goal is to store information in Active Directory OU attributes and use that information in CPPM role mappings for user or computer authorization. I know it's possible to add attributes by modifying the authentication source for user and computer attributes, but there is no LDAP filter to query an object's parent OU. I didn't find an easy solution to obtain those attributes of the parent OU of a user or computer object.

    Best Regards



  • 2.  RE: Obtaining authorization AD attributes about the parent OU of an AD object

    EMPLOYEE
    Posted Mar 29, 2017 10:57 AM

    A user or computer's OU will be present in the UserDN attribute (default). You can use ENDS_WITH or CONTAINS operators with that attribute.




  • 3.  RE: Obtaining authorization AD attributes about the parent OU of an AD object

    Posted Mar 29, 2017 11:08 AM

    Thank you for your reply Tim, but I am interested in comparing or using information stored in those OU attributes (not only the name) for later use in profiles. A solution would be:

    - Extracting the OU from the UserDN with a dummy SQL SUBSELECT regex
    - Storing it as an endpoint attribute
    - Modifying the authentication source to check the endpoint's OU attributes by using an LDAP filter which returns the OU attribute

    Is there anything easier than this?



  • 4.  RE: Obtaining authorization AD attributes about the parent OU of an AD object

    EMPLOYEE
    Posted Mar 29, 2017 11:51 AM
    What attributes would be stored “in” an OU? I’m confused. Please provide examples.


  • 5.  RE: Obtaining authorization AD attributes about the parent OU of an AD object

    Posted Mar 29, 2017 01:15 PM

    So an example would be storing a VLAN-ID in one of the OUs and using this information in an enforcement profile. I know this could also be done easily with group membership or separate rules checking if UserDN ends with 'OU=...,OU=...DC=..' for each role / VLAN-profile.

    One of my customers would like to segment his clients into 50 or more VLANs, and the OUs will very likely change over time. With such a solution, maintaining the network segmentation would be an easy task for an average AD administrator without touching CPPM.



  • 6.  RE: Obtaining authorization AD attributes about the parent OU of an AD object

    EMPLOYEE
    Posted Mar 29, 2017 01:19 PM
    But my question is how are you storing a VLAN ID in an OU? That’s not a direct function of an OU.


  • 7.  RE: Obtaining authorization AD attributes about the parent OU of an AD object

    Posted Mar 29, 2017 01:59 PM

    [attachment: Lync.jpeg]



  • 8.  RE: Obtaining authorization AD attributes about the parent OU of an AD object

    EMPLOYEE
    Posted Mar 29, 2017 02:01 PM
    So you’re adding custom attributes inside AD?


  • 9.  RE: Obtaining authorization AD attributes about the parent OU of an AD object

    Posted Mar 29, 2017 02:08 PM

    @cappalli wrote:
    So you’re adding custom attributes inside AD?


    yes



  • 10.  RE: Obtaining authorization AD attributes about the parent OU of an AD object

    Posted Mar 29, 2017 02:05 PM

    With ADSI Edit or simply using the Attribute Editor in the ADUC snap-in:

    [attachment: Lync.jpeg]

    For extending the schema, see this post:

    https://social.technet.microsoft.com/Forums/office/en-US/50b728b8-e706-4800-8b3d-94d11042337b/ad-schema-extension-add-new-attribute-to-an-ou-instead-of-users?forum=winserverDS
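Worked example of the approach sketched in replies 3 and 5 (derive the parent OU from the UserDN, then read a custom attribute such as a VLAN ID from that OU), added here as illustration in Python; it is not ClearPass code or anything from the thread. The OU attribute table, the attribute name `vlanId` and all DNs are constructed and stand in for what an LDAP lookup of the OU object would return; it also shows why the ENDS_WITH rule from reply 2 matches nested OUs too.

```python
import re

# Constructed sample data: custom attribute values stored on OU objects,
# keyed by OU DN. This dict stands in for the result of an LDAP lookup of
# the OU object; "vlanId" is an assumed custom schema attribute.
OU_ATTRIBUTES = {
    "OU=Sales,DC=example,DC=com": {"vlanId": "110"},
    "OU=Engineering,DC=example,DC=com": {"vlanId": "120"},
    "OU=Labs,OU=Engineering,DC=example,DC=com": {"vlanId": "125"},
}


def split_dn(dn):
    """Split a DN into its RDNs, keeping backslash-escaped commas
    (e.g. 'CN=Doe\\, Jane') inside their RDN as RFC 4514 requires."""
    return [rdn.strip() for rdn in re.split(r"(?<!\\),", dn)]


def ancestor_ous(user_dn):
    """DNs of every OU above the object, nearest container first."""
    rdns = split_dn(user_dn)[1:]          # drop the object's own RDN
    return [",".join(rdns[i:]) for i, rdn in enumerate(rdns)
            if rdn.upper().startswith("OU=")]


def parent_ou_dn(user_dn):
    """DN of the OU that directly contains the object, or None when the
    object lives in a non-OU container such as CN=Users."""
    rdns = split_dn(user_dn)[1:]
    return ",".join(rdns) if rdns and rdns[0].upper().startswith("OU=") else None


def effective_vlan(user_dn, ou_attrs=OU_ATTRIBUTES):
    """vlanId of the nearest ancestor OU that defines one, so an OU without
    the attribute inherits its parent's value; None if no OU sets it.
    DN comparison is case-insensitive, as in LDAP."""
    lookup = {dn.upper(): attrs for dn, attrs in ou_attrs.items()}
    for ou_dn in ancestor_ous(user_dn):
        value = lookup.get(ou_dn.upper(), {}).get("vlanId")
        if value is not None:
            return value
    return None


def ends_with_rule(user_dn, ou_dn):
    """The UserDN ENDS_WITH check from reply 2. It is true for the OU itself
    and for every OU nested below it, so one rule per VLAN has to be
    ordered most specific (deepest OU) first."""
    return user_dn.upper().endswith("," + ou_dn.upper())
```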