Microsoft KB Archive/275323

= How to Create Enabled Users with the Active Directory Management Agent =

Article ID: 275323

Article Last Modified on 5/28/2003

-

APPLIES TO


 * Microsoft Metadirectory Services 2.2 Service Pack 1
 * Microsoft Metadirectory Services 2.2 Service Pack 1

-



This article was previously published under Q275323



SUMMARY
This article describes how to configure Microsoft Metadirectory Services (MMS) and Active Directory so that users can be created as enabled users in Active Directory.



MORE INFORMATION
You can use the Active Directory Management Agent to create enabled users, disabled users, or contacts in the Active Directory. The default option creates contacts. Enabled users can also be created and user passwords can be set at the time of the creation of the user object.

To create enabled users and set the user password in the Active Directory, the following criteria must be met:  A control attribute must be set on the metaverse objects. This attribute, msMMS-ManagedByMA, controls the creation of users or contacts.For additional information about this attribute, click the article number below to view the article in the Microsoft Knowledge Base:

285298 How to Use the msMMS-ManagedByMA Attribute to Create Users in Active Directory

 Because MMS can potentially connect to any domain controller that is hosting a specific naming context, all domain controllers and the MMS server(s) must be using 128-bit encryption. For servers that are not running Windows 2000 Service Pack 2 (SP2) or later, you can install the Windows 2000 High Encryption Pack on the servers.

NOTE: The installation of Windows 2000 SP2 brings all Windows 2000-based computers to the 128-bit level whether or not the Windows 2000 High Encryption Pack has been previously installed. For computers that are running Windows 2000 Service Pack 1 (SP1), note that if Windows 2000 SP1 has been applied to any of the computers before the installation of the Windows 2000 High Encryption Pack, the service pack must be re-applied after you install the Windows 2000 High Encryption Pack. A certificate authority (CA), such as Microsoft Certificate Services (included with Windows 2000) must be available to issue the certificates that are required to establish an SSL connection between the domain controller and the MMS server. The CA can be a stand-alone or Enterprise CA.

You can also use a third-party CA if it supports the Extended Key Usage extension for X.509v3 certificates, which is used to restrict the purposes for which the certificate can be used.

If a third-party CA is to be used for LDAP SSL connections, it is important that the Microsoft Enterprise CA not be installed, because this may cause a conflict. The conflict occurs because the domain controller automatically uses the Microsoft Enterprise CA's certificate as the default certificate for SSL validation.

If a CA is to be installed, it is also important that the computer be running 128-bit encryption before certificate services are installed, or that Windows 2000 Service Pack 2 be installed before certificate services are installed.For additional information about the installation of a CA, click the article number below to view the article in the Microsoft Knowledge Base:

231881 How to Install/Uninstall a Public Key Certificate Authority

For additional information about the installation of the Windows 2000 High Encryption Pack before you install a CA, click the article number below to view the article in the Microsoft Knowledge Base:

278877 Changing the default Encryption Algorithm on Windows 2000 Certificate Server

 Because MMS can potentially connect to any domain controller that is hosting a specific naming context, all domain controllers and the MMS server must have connectivity to the CA that issued the certificates. If the issuing CA is not available, or cannot be reached because of name resolution or connectivity issues, the SSL connection attempt will not work.

It may be useful to understand the following information before you set up the configuration:
 * The user's password is stored as the unicodePwd attribute in the user object in Active Directory. The attribute may be accessed for writing, but it may not be read. This is by design.
 * Access to this attribute through an LDAP connection requires a Secure Socket Layer connection to the Active Directory over port 636. This is a requirement for any LDAP client to the Active Directory, including MMS.
 * A CA is required to provide the machine certificates that must be issued to the domain controllers, and the root CA certificates that are used by the domain controllers and the MMS servers. The certificates will be used in negotiating a secure LDAP connection between the servers.
 * The domain controller and the MMS server must each have root CA certificates installed in the Trusted Root CAs container on the computer. The root certificate can be imported manually by using the Certificates MMC snap-in, or it can be distributed by using a group policy.
 * A certificate is required for each level of CA in the trust chain if intermediate CAs are used. The computers must also have connectivity to the CA for purposes of verifying the Certificate Revocation List (CRL).
 * Domain controllers will automatically request domain controller machine certificates if there is a Windows 2000 Enterprise CA for the domain online. If the CA is to be a third-party program or a stand-alone Windows 2000 CA, the certificate request must be made manually by using Microsoft Internet Explorer because Windows 2000 automatic enrollment is supported only with a Windows 2000 Enterprise CA. The name that is used to request the certificate should be the fully qualified domain name of the domain controller.

If a Windows 2000 Enterprise CA is used, domain controllers will receive certificates automatically. If the existing certificates are deleted, or if new certificates are required, machine certificates may be manually requested by using the MMC snap-in or through a group policy. If certificates are to be manually requested, each server must make a separate request. The following explanation assumes that a Windows 2000 Enterprise CA is available, and that no machine certificates are currently present in the machine store. The process is basically the same on all domain controllers.

Manually Request Machine Certificates from a Windows 2000 Enterprise CA

 * 1) Log on as an administrator.
 * 2) From the server, click Start, click Run, type MMC, and then press ENTER.
 * 3) In the MMC console window, click Add/Remove Snap-in on the Console menu.
 * 4) Click Add, click Certificates, and then click Add.
 * 5) Click Computer account, and then click Next.
 * 6) Under Select Computer, click Local computer.
 * 7) Click Close, and then click OK.
 * 8) Click the snap-in you just installed, and under the snap-in, click the Personal folder, and then click the Certificates folder.
 * 9) Click All Tasks, and then click Request New Certificate to start the Certificate Request Wizard. Click Next.
 * 10) Click the Computer template on member servers, and then click Next.
 * 11) Type a &quot;friendly name&quot; for the certificate, click Next, and then click Finish. Note that you should receive a message that indicates that the certificate request was successful.
 * 12) Repeat this process for all domain controllers.

Enable Machine Certificate Requests from a Windows 2000 CA By Using a Group Policy

 * 1) Log on as an administrator.
 * 2) Start the Active Directory Users and Computers snap-in.
 * 3) Right-click the appropriate domain, click Properties, and then click the Group Policy tab.
 * 4) Click the default domain policy, and then click Edit.
 * 5) In the Default Domain Policy GPO Editor, click Computer Configuration, click Windows Settings, and then click Public Key Policies.
 * 6) Under Public Key Policies, right-click Automatic Certificate Request Settings, point to New, and then click Automatic Certificate Request to start the Automatic Certificate Request Wizard. Click Next.
 * 7) Click the Computer template, and then click Next.
 * 8) The CA is displayed. Click Next.
 * 9) Click Finish.
 * 10) The policy is applied the next time group policies are applied on the server. The refresh of group policies can be forced by either restarting the computer, or by running the secedit /refreshpolicy machine_policy /enforce command at the console prompt.

After the domain controllers and MMS server(s) have their certificates, create and configure the Active Directory Management Agent.

Create the Active Directory Management Agent

 * 1) Log on to to the Compass client as an administrator.
 * 2) View the MMS server DSA object.
 * 3) On the Actions menu, click Create New Management Agent.
 * 4) In the Create Management Agent box, click Microsoft Active Directory Management Agent, and then name the MA.
 * 5) In the Configure the Management Agent pane, click the Active Directory Discovery Settings tab.
 * 6) Under Discovery Settings and Forest to discover, type the name of the Active Directory forest (for example, company.com ).
 * 7) Under Active Directory Login Information, type the name and password of the administrator or another user with appropriate rights. The name must be in UPN format ( administrator@company.com ) or domainname\username format.
 * 8) Click OK to save the current settings.

Configure the Active Directory Management Agent
 Log on to the Compass client as an administrator. View the MMS server DSA object, and then view the Active Directory MA.</li> On the Actions menu, click Configure MA.</li> Click the Active Directory Discovery Settings tab. Containers to include and exclude from the discovery process are selected here.</li> Click Active Directory Containers to Discover.</li> Click the ellipsis button next to the Select Active Directory Containers to Discover box.</li> Provide your credentials when you are prompted to do so. Type them as previously described.</li> In the Forest Browser window, expand the list of the containers under the domain, and select the appropriate container. Note that this is often the Users container. Click OK.</li> The selected container(s) should be seen in the list. A typical item looks like:

CN=Users,DC=domain,DC=com

Click OK twice to return to the Active Directory Discovery Settings tab.</li> Click Active Directory Containers to Exclude, and then repeat the preceding selection process, but this time, select the containers you do not want to discover.</li> The selected container(s) should be seen in the list. Click OK to return to the Active Directory Discovery Settings tab.</li> By default, the management agent will discover contacts, containers, groups, organization units, and users. If you want to select additional objects, click Active Directory Objects to Discover, and then click the objects that you want to discover. Click OK to return to the Active Directory Discovery Settings tab.</li> Click the Active Directory Object Creation Settings tab, click Default Creation Settings, and then click Account Settings under Users.</li> Under Account Settings, locate User Account Creation Settings, and then click Enabled User. This causes the Edit the account generation script button to appear. Click this button.</li> Although the user interface appears as though multiple lines can be typed, the script can be only one line. The default script is

$hash($cn,&quot;md4&quot;,16,5)

which performs a hash function on the common name attribute five times and sets the result to be the user password. In the field, it is often impractical as it requires the administrator to write or obtain other software to hash the common names of the users in this way and then somehow communicate this password to the users before the users can log on. As an alternative, the script can be changed to allow the use of other values. For example

$mv.sn

sets the password to be the user's surname. Other attributes may be used as necessary or a purely text value can be entered. The principal restriction is that the script can be only one line in length.

NOTE: If using password complexity policies in the domain, ensure that the password script that you are configuring complies.</li></ol>

The ADMA should now be able create enabled users in the Active Directory.

For additional information about how to to test connectivity through SSL between the MMS server and a domain controller, click the article number below to view the article in the Microsoft Knowledge Base:

319970 How to Use the Windows Address Book to Test SSL Connectivity

For additional information about how to set a Windows 2000 user's password through the Lightweight Directory Access Protocol (LDAP), click the article number below to view the article in the Microsoft Knowledge Base:

269190 HOWTO: Change a Windows 2000 User's Password Through LDAP

Additional query words: via zoomit

Keywords: kbhowto kbenv KB275323

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.