Hyena's Active Directory Attribute Manager is designed to overcome limitations in performing mass updates to AD objects. Since Hyena has a variety of ways to view and manage AD data, the Attribute Manager can be accessed using different methods:
1. Multiple-Object / User-Selectable Attribute Modification
2. Multiple-Object / Single Attribute Modification
3. Single-Object / User-Selectable Attribute Modification
See the sections below for information on each of these techniques:
Multiple-Object / User-Selectable Attribute Modification
This method uses a simple multi-step process of selecting and updating AD attributes:
Step 1 - Select the directory objects to update.
Directory objects can be selected in either Hyena's left or right windows. To select multiple objects, multi-select them in Hyena's right window. To access the Attribute Management functions, simply select Manage Directory Attributes... from the context menu of any Active Directory object. For computer objects, this function can be found on the Directory Functions menu.
Step 2 - Select the directory object attributes to manage.
The 'Select Active Directory Attributes' dialog allows four (4) options to view the attributes of the selected object(s):
Option 1 - 'Show all Active Directory attributes present in the directory' - This option will only retrieve the attributes that exist in the directory. Note that Active Directory does not allow the storage of NULL or 'blank' values for any attribute. If, for example, you wish to update the 'MiddleName' attribute for a user account, and the middle name has never been assigned, the 'MiddleName' attribute will not exist. Other options (below) will need to be used.
Option 2 - 'Show all attributes defined in the schema for selected object(s)' - This option will retrieve all attributes that are assigned any values for the selected object(s), and will also display any attributes defined in the schema that currently don't have any values assigned to them. This option is the same as selecting option 4 (below) and selecting all defined schema attributes.
Option 3 - 'Show all attributes defined in this Active Directory query (specify query)' - This option will display the attributes in the current query being displayed (if any), but also allows selecting any pre-existing query.
Option 4 - 'Only show these attributes:' - Use this option to select any number of attributes that exist in the directory schema for the type of object selected. Use the Attribute Filters... button to save/recall a previous set of attributes.
Step 3 - Modify the selected attributes.
To modify an attribute, select it, and double-click or click the Modify... button. If Hyena supports modification and/or viewing of the attribute data type, the Modify Directory Attribute Value dialog will be displayed.
Modification of Single-Valued Attributes
When modifying single-valued attributes, simply enter a new value as indicated (text, number, or true/false). To clear (remove) a value, check the Clear (remove) directory attribute for selected object(s) option.
Modification of Multi-Valued Attributes
Multi-valued attributes in Active Directory can be updated in several ways. The options on the 'Modify Directory Attribute Value' dialog when updating multi-valued attributes are:
Update - Select this option to REPLACE the contents of all selected directory objects with the new value(s).
Append - Select this option to add one or more values to the existing values of all selected directory objects.
Delete - Select this option to remove (delete) one or more values from the existing values of all selected directory objects.
Clear - This option will completely remove the attribute and data from all selected directory objects.
Click OK to complete this step.
If a value is modified or cleared, the icon next to the attribute name will be changed. To modify additional attributes, repeat this step.
Step 4 - Commit attribute modifications to Active Directory.
To commit (save) the newly modified attribute values for the selected directory object(s), click OK. To abandon the changes, click Cancel.
Multiple-Object / Single Attribute Modification
To modify a single attribute, select one or more objects as outlined in 'Step 1' above, then right click in the displayable column area of the attribute that you want to modify, then select the 'Modify <attribute name>' option from the context menu. This will display the attribute's Modify dialog directly; clicking OK will update the selected attribute for all selected directory objects.
It may be necessary to scroll the display horizontally to bring the required attribute into view.
Single-Object / User-Selectable Attribute Modification
When using the Query Active Directory->View All Directory Attributes function, Hyena will display all of the attributes defined in the directory for a single object. One or more directory attributes may be modified from this view.
If one attribute is selected, the context menu will display 'Modify <attribute name>'. From here the behavior for modification of a single attribute will continue as above.
If more than one attribute is selected, select 'Modify Attributes...' from the context menu. From this point, the behavior will continue the same as step #3 as shown above.
Important Usage Notes
Using Replaceable Parameters When Modifying Directory Attributes
When entering a new value for a directory attribute, the existing value (or some portion) of one or more directory attributes can be used within the new value. The syntax for specifying that the value of a directory attribute should be used as any portion of a new value for a directory attribute is:
%Active_Directory_Attribute_Name:Length%
The :Length portion is optional; if omitted, the entire directory value will be used.
For example, to set the 'comment' attribute to the text "Building 118, Division ", followed by the value of the 'division' attribute, followed by the text ", Section 'A'", use:
Building 118, Division %division%, Section 'A'
The value of %division% will be replaced with the value of the 'division' directory attribute. To use only the first 6 characters of the division, use:
Building 118, Division %division:6%, Section 'A'
To use more than one attribute, simply specify multiple directory attribute names. For example, to replace an attribute with the values of the first and last names (givenName and Sn), use:
%GivenName%_%sn%
This will put the first name (GivenName), the underscore character, then the value of the last name (SN), into the specified attribute.
Important Usage Notes:
When using the optional ' :Length ' setting, the leftmost characters will be used for the replacement.
Only single-valued directory attributes are supported for both source and destination of the replacement value.
The current value of the directory attribute is used for the replacement. In the example above, if the 'division' attribute was being modified at the same time, then the existing value of the division attribute (not the new value) will be used in the replacement.
If the attribute does not exist in the directory for the object, then the placeholder will be replaced with nothing. Using the previous example of %GivenName%_%sn%, if the GivenName (First Name) attribute is empty for a directory object with the last name of Edwards, then the new value of DisplayName will be "_Edwards".
Active Directory attribute names are not case-sensitive, so "GivenName", "givenname", and "Givenname" are all equivalent.
Remember to always test this first on a select test group of objects before using this function on a large collection of objects.
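The following dry-run preview is an added example, not Hyena's own code. It models the replacement rules listed above (leftmost characters for :Length, case-insensitive names, current values only, empty result for a missing attribute) so that a template can be checked against exported attribute values before a mass update. The regular expression, function names, and sample objects are assumptions made for illustration.

```python
import re

# %AttributeName% or %AttributeName:Length%, as described on this page.
# The exact characters Hyena accepts in a name are an assumption here.
PLACEHOLDER = re.compile(r"%([A-Za-z][\w-]*)(?::(\d+))?%")

def expand(template, attrs):
    """Expand template from one object's CURRENT values; return (value, missing)."""
    current = {k.lower(): v for k, v in attrs.items()}  # names are case-insensitive
    missing = []

    def substitute(match):
        name, length = match.group(1), match.group(2)
        value = current.get(name.lower())
        if isinstance(value, (list, tuple)):
            raise ValueError(f"{name} is multi-valued; single-valued only")
        if value is None or value == "":
            missing.append(name)  # placeholder is replaced with nothing
            return ""
        return value[:int(length)] if length else value  # leftmost characters

    return PLACEHOLDER.sub(substitute, template), missing

def preview(template, target, objects):
    """Dry run: list old and new values per object without writing anything."""
    report = []
    for dn, attrs in objects.items():
        new_value, missing = expand(template, attrs)
        old = {k.lower(): v for k, v in attrs.items()}.get(target.lower())
        report.append({"dn": dn, "old": old, "new": new_value, "missing": missing})
    return report

# Constructed sample objects (not real directory data).
SAMPLE = {
    "CN=Ann Lee,OU=Test,DC=example,DC=com": {"givenName": "Ann", "sn": "Lee"},
    "CN=Edwards,OU=Test,DC=example,DC=com": {"sn": "Edwards"},
}

if __name__ == "__main__":
    for row in preview("%GivenName%_%sn%", "displayName", SAMPLE):
        flag = "  <-- review: empty " + ",".join(row["missing"]) if row["missing"] else ""
        print(f'{row["dn"]}: {row["old"]!r} -> {row["new"]!r}{flag}')
```

Objects flagged as having an empty placeholder are the ones that would receive values such as "_Edwards" and are worth correcting or excluding before the change is committed.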
Using Previous/Next Buttons to Navigate Selected Directory Objects
When MULTIPLE directory objects are displayed in Hyena's right window, and a SINGLE directory object is selected and the Manage Directory Attributes... option is chosen, Hyena will place Previous and Next buttons on the Active Directory Object Attributes dialog. These buttons provide a convenient way to show the attributes for the next/previous objects displayed in the right window.
IMPORTANT NOTE: When using the Next/Previous buttons, Hyena will write any changes to the directory when they are clicked.
Modifying Attributes for Multiple Directory Objects
When more than one directory object is selected and the Manage Directory Attributes... option is chosen, Hyena will display a merged set of attributes. The values will be displayed for attributes that have the SAME value on ALL directory objects. However, if one or more of the selected objects has a different value (or no value/NULL) for a given attribute, a "Different Values Found" message will be displayed for the attribute value.
The Modify Directory Attribute Value dialog can be used to see the value on one or more of the selected objects. Click the Get All Values button to retrieve and display the values for all selected objects, or click on any single object to see the object's attribute value. This approach is used by Hyena as a way of minimizing network traffic and maximizing performance, while still providing an option to see the different values for any number of selected directory objects.
Important Notes and Warnings
Use caution when modifying and updating attributes for multiple directory objects, and always test on a smaller subset of objects before performing domain-wide updates.
When updating a multi-valued attribute on multiple directory objects, consider which update method (Update, Append, or Delete) to use and test accordingly.
When setting a new value for multiple selected directory objects, the new value will be set on ALL selected objects.
Microsoft does not provide detailed or clear documentation on the majority of Active Directory attribute settings. Before modifying directory attributes directly, make note of these warnings:
There isn't any direct method for Hyena to determine whether a directory attribute can be modified. Hyena will attempt to prevent modification of attributes that are known to be read-only, however many other attributes will appear to be writable, when in fact they are not. Active Directory will return an error when modification is attempted on read-only attributes. These errors will usually be displayed as either a 'constraint violation' or a 'server is unwilling to perform' error.
The directory schema does not always fully support a minimum and maximum range of values. Hyena will attempt to determine if an attribute has a min/max value for 'string-type' attributes and prevent entry of string lengths outside of these ranges. This is done only to avoid errors when the changes are written back to the Directory.
Modification of 'numeric-type' attributes should be done with caution and only after determining what the valid values are for the attribute. In most cases, the directory will permit any numeric value to be entered, but only some values will be understood by the Windows sub-system that is using the attribute. Always test on a single directory object before performing system wide changes on multiple objects.
The order that the individual values of multi-valued attributes are stored and returned in Active Directory cannot be predicted.