


Import-Module ActiveDirectory
cd AD:

Looking around the domain

cd "DC=win,DC=evolveum,DC=com"
cd "CN=Users"
Get-ADUser idmadmin
Get-ADUser -Filter *
Get-ADUser -Filter 'Name -like "*adm*"'
Get-ADObject -LDAPFilter "(cn=*adm*)" -SearchBase "CN=Users,DC=win,DC=evolveum,DC=com" -SearchScope Subtree

RootDSE and Schema


$schema = [DirectoryServices.ActiveDirectory.ActiveDirectorySchema]::GetCurrentSchema()
$schema.FindClass("user").mandatoryproperties | ogv
$schema.FindClass("user").optionalproperties | ogv


GUI Tools

Show account attributes

Turn on advanced features in "Users and Computers":

Active Directory Users and Computers -> View -> Advanced Features (check)

Edit user properties. There will be "Attribute Editor" tab that shows the LDAP-like view of the user.

Grant access rights to idmadmin user

Active Directory Users and Computers -> expand the domain -> right click on "Users" -> Delegate Control

Users and groups (principal): idmadmin

Delegate the following common tasks:

  • Create, delete and manage user accounts
  • Reset user passwords and force password change at next logon
  • Read all user information
  • Create, delete and manage groups
  • Modify the membership of a group
  • Create, delete and manage inetOrgPerson accounts (TODO: is this needed?)
  • Reset inetOrgPerson accounts and force password change at next logon (TODO: is this needed?)
  • Read all inetOrgPerson information
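The wizard above writes access control entries onto the "Users" container; the following added example (not from the original page) reads that DACL back through the AD: drive and decodes the object-type GUIDs, so you can verify that idmadmin received only the delegated tasks listed and nothing broader such as GenericAll. It assumes the container DN and the idmadmin account from this page.

```powershell
# Added example: audit the explicit ACEs granted to idmadmin on CN=Users.
Import-Module ActiveDirectory

$container = "CN=Users,DC=win,DC=evolveum,DC=com"   # assumption: domain DN used on this page
$principal = "idmadmin"                             # the delegated principal from this page

# Map schema object GUIDs and extended-right GUIDs to readable names,
# so an ACE's ObjectType/InheritedObjectType is not just a GUID.
$rootDse = Get-ADRootDSE
$guidMap = @{}
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter "(schemaIDGUID=*)" `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[(New-Object Guid (,$_.schemaIDGUID))] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter "(objectClass=controlAccessRight)" -Properties displayName, rightsGuid |
    ForEach-Object { $guidMap[[guid]$_.rightsGuid] = $_.displayName }

function Resolve-Guid([guid]$g) {
    if ($g -eq [guid]::Empty) { return "(all)" }   # empty GUID = applies to all classes/properties
    if ($guidMap.ContainsKey($g)) { return $guidMap[$g] }
    return $g.ToString()
}

# Read the container DACL and keep only ACEs set directly here for idmadmin
# (inherited ACEs come from the domain head, not from the delegation wizard).
$acl = Get-Acl -Path "AD:\$container"
$delegated = $acl.Access |
    Where-Object { -not $_.IsInherited -and $_.IdentityReference -like "*\$principal" }

$delegated |
    Select-Object AccessControlType, ActiveDirectoryRights,
        @{ n = 'ObjectType'; e = { Resolve-Guid $_.ObjectType } },
        @{ n = 'AppliesTo';  e = { Resolve-Guid $_.InheritedObjectType } },
        InheritanceType |
    Format-Table -AutoSize

# Least-privilege check: flag any ACE that is not scoped to a class or property.
$delegated |
    Where-Object { $_.ActiveDirectoryRights -band [DirectoryServices.ActiveDirectoryRights]::GenericAll } |
    ForEach-Object { Write-Warning "GenericAll granted to $($_.IdentityReference) on $container" }
```

Expect "user", "group" and "inetOrgPerson" under AppliesTo, and "Reset Password" plus "User-Force-Change-Password" style entries under ObjectType; an unscoped GenericAll would mean more was delegated than this page intends.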

Password policy

Password policy is defined in group policy. Open the "Group Policy Management" tool and navigate to Forest -> Domains -> <domain> -> Group Policy Objects -> Default Domain Policy. Choose the "Settings" tab and see Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Account Policies/Password Policy.



Getting LDAP Schema

Search the following DN (the aggregate schema entry, as used in the -b option below):

CN=Aggregate,CN=Schema,CN=Configuration,DC=example,DC=com

For example, use the ldapsearch command-line tool:

ldapsearch -x -h chimera -p 389 -D "CN=Administrator,CN=Users,DC=example,DC=com" -w 'secret' -b 'CN=Aggregate,CN=Schema,CN=Configuration,DC=example,DC=com' -s sub "(objectclass=*)"  \* objectclasses attributetypes matchingrules syntaxes

Enabling LDAPS

Either install Active Directory Certificate Services (AD CS) using Server Manager ("Add role") or install the server certificate manually:

If you install AD CS but, for some reason, the server certificate for the DC was not created, you can create it manually.

(I was roughly following the "Domain Controller - Initial Enrollment" chapter.)

  1. Open "certlm.msc" or "mmc.exe" with the "Certificates" snap-in on a Windows 2008 R2 DC. The following is based on "mmc.exe" for Windows 2008 R2.
  2. Right-click the "Personal" store and select "All Tasks - Request New Certificate". Click "Next" twice until the screen with available templates appears.
  3. Select the check box next to "Domain Controller", expand the "Details" and click "Properties".
  4. Click the "Subject" tab and select "Alternative name" to be of type "DNS". Enter your server DNS name in the "Value" input box.
  5. Click "OK".
  6. Click the "Enroll" button.

To export the AD CA certificate:

  1. Find the "Manage computer certificates" window.
  2. Go to Personal - Certificates.
  3. In Server Manager select: Roles - AD Certificate Services - Enterprise PKI - (your authority certificate).
  4. In the right window pane click Properties on your CA certificate, then click Details and "Copy to File...".
  5. Select the "DER encoded binary X.509 (.CER)" format and save the file.

To import the AD CA certificate to midPoint keystore:

  1. Stop midPoint.
  2. Back up $midpoint.home/keystore.jceks.
  3. Copy the CA certificate file (e.g. "cacert.cer") to the midPoint server.
  4. Run the following command: "keytool -import -alias ad-ca -keystore $midpoint.home/keystore.jceks -storetype jceks -file cacert.cer"
  5. Start midPoint.

If this does not work, check whether you have already set up the midPoint keystore.
