One of the drawbacks to the conventional method used by Hyena and nearly all Microsoft applications when managing Active Directory objects is the presentation of a dialog box to request user input. Some of the disadvantages to the standard GUI dialog for managing Active Directory include:
Active Directory offers many more properties (attributes) than can be displayed in most GUIs.
Limited options exist for managing the attributes for multiple directory objects at the same time, resulting in lost time performing one-by-one updates.
Extended schema attributes are usually not available in Microsoft or third-party utilities.
Tools for direct access to AD attributes such as ADSIedit are difficult and clumsy to use.
Scripting solutions offer only a non-interactive method of updating directory objects.
Hyena's new Active Directory Attribute Management functions are designed to overcome these limitations and provide new capabilities for direct access and manipulation of AD objects. By utilizing advanced techniques and optimized directory access functions, this new capability will greatly enhance AD management, especially where multiple attributes need to be modified on a large collection of directory objects. This new function uses a simple multi-step process of selecting and updating AD attributes:
Step 1 - Select the directory objects to update.
Directory objects can be selected in either Hyena's left or right windows. To select multiple objects, multi-select them in Hyena's right window. To access the new Attribute Management functions, simply select Manage Directory Attributes... from the context menu of any Active Directory object. For computer objects, this function can be found on the Directory Functions menu.
Step 2 - Select the directory object attributes to manage.
The 'Select Active Directory Attributes' dialog allows three (3) options to view the attributes of the selected object(s):
Option 1 - 'Show all Active Directory attributes present in the directory' - This option will only retrieve the attributes that exist in the directory. Note that Active Directory does not allow the storage of a NULL or 'blank' value for any attribute. If, for example, you wish to update the 'MiddleName' attribute for a user account, and the middle name has never been assigned, the 'MiddleName' attribute will not exist. Options 2 or 3 (below) will need to be used.
Option 2 - 'Show all attributes defined in the schema for selected object(s)' - This option will retrieve all attributes that are assigned any values for the selected object(s), and will also display any attributes defined in the schema that currently don't have any values assigned to them. This option is the same as selecting option 3 (below) and selecting all defined schema attributes.
Option 3 - 'Only show these attributes:' - Use this option to select any number of attributes that exist in the directory schema for the type of object selected. Use the Attribute Filters... button to save/recall a previous set of attributes.
Step 3 - Modify the selected attributes.
To modify an attribute, select it, and double-click or click the Modify... button. If Hyena supports modification and/or viewing of the attribute data type, the Modify Directory Attribute Value dialog will be displayed.
Modification of Single-Valued Attributes
When modifying single-valued attributes, simply enter a new value as indicated (text, number, or true/false). To clear (remove) a value, check the Clear (remove) directory attribute for selected object(s) option.
Modification of Multi-Valued Attributes
Multi-valued attributes in Active Directory can be updated in several ways. The options on the 'Modify Directory Attribute Value' dialog when updating multi-valued attributes are:
Update - Select this option to REPLACE the attribute's existing value(s) on all selected directory objects with the new value(s).
Append - Select this option to add one or more values to the existing values of all selected directory objects.
Delete - Select this option to remove (delete) one or more values from the existing values of all selected directory objects.
Clear - This option will completely remove the attribute and data from all selected directory objects.
Click OK to complete this step.
If a value is modified or cleared, the icon next to the attribute name will be changed. To modify additional attributes, repeat this step.
Step 4 - Commit attribute modifications to Active Directory.
To commit (save) the newly modified attribute values for the selected directory object(s), click OK. To abandon the changes, click Cancel.
Using Previous/Next Buttons to Navigate Selected Directory Objects
When MULTIPLE directory objects are displayed in Hyena's right window, and a SINGLE directory object is selected and the Manage Directory Attributes... option is chosen, Hyena will place Previous and Next buttons on the Active Directory Object Attributes dialog. These buttons provide a convenient way to show the attributes for the next/previous objects displayed in the right window.
IMPORTANT NOTE: When the Next or Previous button is clicked, Hyena will write any changes to the directory at that point.
Modifying Attributes for Multiple Directory Objects
When more than one directory object is selected and the Manage Directory Attributes... option is chosen, Hyena will display a merged set of attributes. The values will be displayed for attributes that have the SAME value on ALL directory objects. However, if one or more of the selected objects has a different value (or no value/NULL) for a given attribute, a "Different Values Found" message will be displayed for the attribute value.
The Modify Directory Attribute Value dialog can be used to see the value on one or more of the selected objects. Click the Get All Values button to retrieve and display the values for all selected objects, or click on any single object to see the object's attribute value. This approach is used by Hyena as a way of minimizing network traffic and maximizing performance, while still providing an option to see the different values for any number of selected directory objects.
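Added example (not Hyena's code and not part of the original page): a Python model of the merged view and of the four multi-valued modes described above, usable as a dry-run preview before a bulk change. The function names, DNs and phone values are constructed for illustration, and nothing here contacts a directory.

```python
# Added illustration: in-memory model only; names and sample data are assumptions.
DIFFERENT = "Different Values Found"

def merged_view(objects, attr):
    """Value shown for a multi-selection: the shared value, or the marker."""
    seen = {frozenset(o.get(attr, ())) for o in objects.values()}
    if len(seen) == 1:
        return sorted(next(iter(seen)))  # sorted for display; stored order is undefined
    return DIFFERENT

def apply_mode(current, mode, values=()):
    """Resulting value set for one object under Update/Append/Delete/Clear."""
    current, values = set(current), set(values)
    results = {"Update": values, "Append": current | values,
               "Delete": current - values, "Clear": set()}
    return results[mode]  # KeyError for an unknown mode

def preview(objects, attr, mode, values=()):
    """Per-object (before, after) for every object the change would alter."""
    changes = {}
    for dn, attrs in objects.items():
        before = set(attrs.get(attr, ()))
        after = apply_mode(before, mode, values)
        if after != before:
            changes[dn] = (sorted(before), sorted(after))
    return changes

def commit(objects, attr, mode, values=()):
    """Apply in memory; an attribute left with no values is removed entirely."""
    for dn, (_, after) in preview(objects, attr, mode, values).items():
        if after:
            objects[dn][attr] = set(after)
        else:
            objects[dn].pop(attr, None)  # no NULL/blank values are stored

# Constructed sample selection (hypothetical DNs and values).
SAMPLE = {
    "CN=Ann,OU=Staff,DC=example,DC=com": {"otherTelephone": {"555-0100", "555-0101"}},
    "CN=Bob,OU=Staff,DC=example,DC=com": {"otherTelephone": {"555-0100"}},
    "CN=Cy,OU=Staff,DC=example,DC=com": {},
}

if __name__ == "__main__":
    print(merged_view(SAMPLE, "otherTelephone"))
    for mode in ("Update", "Append", "Delete", "Clear"):
        print(mode, preview(SAMPLE, "otherTelephone", mode, {"555-0100"}))
```

Comparing the preview for each mode on the same selection shows which objects a mode would touch and what they would lose, which is the record to keep before committing.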
Important Notes and Warnings
Use caution when modifying and updating attributes for multiple directory objects, and always test on a smaller subset of objects before performing domain-wide updates.
When updating a multi-valued attribute on multiple directory objects, consider which update method (Update, Append, or Delete) to use and test accordingly.
When setting a new value for multiple selected directory objects, the new value will be set on ALL selected objects.
Microsoft does not provide detailed or clear documentation on the majority of Active Directory attribute settings. Before modifying directory attributes directly, make note of these warnings:
There isn't any direct method for Hyena to determine whether a directory attribute can be modified. Hyena will attempt to prevent modification of attributes that are known to be read-only; however, many other attributes will appear to be writable when in fact they are not. Active Directory will return an error when modification is attempted on read-only attributes. These errors will usually be displayed as either a 'constraint violation' or a 'server is unwilling to perform' error.
The directory schema does not always fully support a minimum and maximum range of values. Hyena will attempt to determine if an attribute has a min/max value for 'string-type' attributes and prevent entry of string lengths outside of these ranges. This is done only to avoid errors when the changes are written back to the Directory.
Modification of 'numeric-type' attributes should be done with caution and only after determining what the valid values are for the attribute. In most cases, the directory will permit any numeric value to be entered, but only some values will be understood by the Windows sub-system that is using the attribute. Always test on a single directory object before performing system-wide changes on multiple objects.
The order that the individual values of multi-valued attributes are stored and returned in Active Directory cannot be predicted.