Contacts displayed as containers

At TechEd I was staffing the Windows Server 2008 R2 Active Directory-Booth. We had a lot of interesting questions, scenarios and discussions there.

One interesting issue was a customer who asked us why his contacts in Active Directory are being displayed as containers and how he can take it off. Actually this took us some time to look into it. He had two forests – when he was targeting Active Directory-Users and –Computers against one forest, his contacts were displayed as containers (meaning there was a plus-symbol right next to it and you were able to see it in the tree, with no objects underneath). On the other forest the contacts weren’t displayed as container.

So we had to figure out what’s going on there. And what I’ve actually found is quite interesting, and I believe that more companies are running into this, so I found it worth documenting it on the web.

So what’s going on is that we found out the one forest was extended with the Windows Server 2008 Schema (adprep /forestprep) but the customer is still running Windows Server 2003 DCs. In the Schema of Windows Server 2003 by default there are not any objects who can be “underneath” a contact [1]. In the Windows Server 2008 Schema there are two new objects, which can be underneath a contact. Those are ms-net-ieee-80211-grouppolicy and ms-net-ieee-8023-grouppolicy. You can check this by querying the attribute allowedChildClassesEffective on a contact – this is a constructed attribute which is telling you which objects may be underneath the current object, more specifically which attributes the currently logged on user can create underneath the current object (taken permissions into credit). [2]

dsquery * “cn=My Contact,ou=…,dc=…” –scope base –properties allowedChildClassesEffective

In Powershellv2 (which ships with Windows Server 2008 R2 and in RSAT for Win7 (need to install, see [3]) you can use the following command (make sure that the Active Directory-Module is loaded, either use the shortcut or import-module ActiveDirectory):

get-adobject -identity "cn=My Contact,ou=…,dc=…" -properties allowedChildClassesEffective

In Active Directory-Users and –Computers there is an option in the view-menu which allows you to specify whether you’d like to see users, computers and groups as containers or not. In the version which ships with Windows Server 2008 (or is in the Remote Server Administration Tools of Vista and above) this setting is extended to behave on contacts as well. This setting is local to the computer and overrides any settings in the schema.

So apparently Active Directory-Users and –Computers is querying the schema, sees that contacts may contain other objects and is displaying them as containers, whether you’ve set the view-option or not (in Windows Server 2003 R2 and before) because is doesn’t apply to contacts. This is fixed with the versions which are shipping in Windows Server 2008 or RSAT for Vista and higher.

So if you extended the schema to Windows Server 2008 (R2), but your management consoles are still running on Windows Server 2003 (R2) / Windows XP and prior you’ll see contacts as containers.

There would be a workaround – there is a setting in the display specifiers which is modifying this behavior. It’s in cn=contact-display,cn=409,cn=display specifies,cn=configuration,dc… (your forest-root domain DN, you’ll also have to exchange the 409 with your language version, where 409 equals US-English, 407 would be German a.s.o.). So the workaround is to navigate to the contact-display object, then change the Value for the “treatAsLeaf”-attribute to TRUE (by default it’s <not set>) [4].

While this workaround will work, I wouldn’t actually recommend it, in my eyes the “bug” is not annoying enough that you’d change something in the configuration context. On the other hand, this setting is quite unimportant. So it’s up to you, however as soon as you start working with the Windows Server 2008 (R2) Management Consoles this wont annoy you anymore. So keep migrating ;)

Ulf

[1] It’s actually not defined in the object what kind of objects can be underneath, but on the child-objects what possible superior it may have.

[2] IMHO Scripting or Programming Best-Practice would mean to query an object prior to creating a child-object for allowedChildClassesEffective to make sure that the current user has the right to create the object.

image[3] The Remote Server Administration Tools for Windows 7 include the Powershell Module for Active Directory. If you open the generic Powershell-Windows you’ll have to import-module ActiveDirectory first (there’s a shortcut installed in Administrative Tools which starts Powershell with this module loaded instead. Note that the PS-Provider relies on the Active Directory Webservice (ADWS), so you need one Windows Server 2008 R2 Domain Controller. ADWS is also announced to be available as Out-of-band Release/Hotfix for Windows Server 2003 and 3008, however this is currently not available. Win7 and WS2k8R2 are also just Release Candidates at this point, however I already want to mention how to do things using PSv2 since we have to get used to this in the AD-World (and it’s pretty impressive actually what you can do with it easily).

[4] Boolean Values in Active Directory are kind of weird – there are three states as opposed to two – either TRUE, FALSE or <not set> if the attribute is empty. Also the reason for a boolean value in general is to keep space limited, you only need one bit usually. However in AD the String of the Word TRUE or FALSE is stores.



Leave a Reply