ADedit and orphan report
10-15-2014 12:59 PM
How can I get an orphan data / broken links report, similar to the one I get using the Analyze option in the Access Manager console, but using adedit on a Linux box?
10-15-2014 02:33 PM
I will use a lengthy explanation for the benefit of other readers. Centrify Access Manager (one of the tools you can use for management, along with Windows PowerShell, UNIX tcl adedit, or even your own SDK-written programs) has this health checker that allows an admin to identify any inconsistencies with Centrify-related objects in a given AD environment. The question is around the ability to do this using adedit. Adedit is a TCL-based language that can perform any operations with Active Directory; current customers can read all about it in the Programmer's Guide for Adedit.
To your question: unfortunately, I'm not an adedit person by any means, but I may be able to point you in the right direction (coworkers, feel welcome to chime in). The screenshot below shows the analysis categories in Access Manager (it does more than report broken links or orphan objects), so every major category may be a different adedit program.
Anyway, focusing on "Orphan zone data objects and invalid data links" in the context of UNIX user identities.
This means that you can still have the service connection point (scp) that contains the UNIX information of a user in a particular zone, but the user object (parent) could have been deleted.
I have this issue in my demo environment:
This means that there exists an SCP in the Zone\Users container for the identity of Dave Smith that is referencing an AD account that does not exist. If you further inspect this SCP in ADUC you can see the following:
Note that the container name (cn) of the SCP is the same as the user's userprincipalname (UPN). This means that:
With adedit you can:
a) Bind to the domain
c) Browse to a particular target container that has SCPs (in the case of users, the Zone\Users container)
e) While the container has SCPs, you can copy the cn and put it in a matrix.
f) You can recursively pick the data on this matrix and attempt to find a UPN in the domain that matches it.
If you find it you can label it as OK, if you can't, then you have identified an orphan object.
g) You can display or redirect your results (or you can delete them).
Now notice that my logic is for a single domain only. We support multiple forests, so I would look to see if there are any trusting domains if I want to delete the UPN.
Notice that each category of analysis could be a different adedit tcl program.
I hope this helps.
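The steps a) through g) above, plus the multi-domain caveat, written out as an adedit script. This is an added example, not code from the answer above or from Centrify. It assumes the adedit built-ins bind, select_zone and get_objects work as described in the Programmer's Guide for Adedit (bind with no credentials using the current Kerberos ticket from kinit), that classic-zone user SCPs live under cn=Users,<zoneDN> with a cn equal to the user's UPN, and that the script is started as "adedit orphan_report.tcl <zoneDN> <domain> [<trusted domain> ...]" so the arguments arrive in $argv. The zone DN and domain names in the usage line are constructed placeholders. It only reports; deleting an orphan SCP is left as a separate, deliberate step.

```tcl
#!/bin/env adedit
# Added example (not from the original post). Reports orphan user SCPs in a
# classic zone's Users container by checking each SCP's cn against the
# userPrincipalName of user objects in the listed domains.
# Assumptions: adedit built-ins bind / select_zone / get_objects as documented
# in the adedit Programmer's Guide; SCPs under cn=Users,<zoneDN>; cn == UPN.
#
# Usage: adedit orphan_report.tcl <zoneDN> <domain> [<trusted domain> ...]
# e.g.   adedit orphan_report.tcl "cn=global,cn=zones,ou=centrify,dc=demo,dc=test" demo.test corp.test
#        (zone DN and domain names above are constructed placeholders)

package require ade_lib

if {[llength $argv] < 2} {
    puts stderr "usage: adedit orphan_report.tcl <zoneDN> <domain> \[<trusted domain> ...\]"
    exit 1
}
set zoneDN  [lindex $argv 0]
set domains [lrange $argv 1 end]

# Escape the characters that have special meaning in an LDAP search filter
# (RFC 4515) so an SCP name can never turn into a wildcard or a broken filter.
proc ldap_filter_escape {s} {
    return [string map [list \\ \\5c * \\2a ( \\28 ) \\29] $s]
}

# Derive the domain's base DN (dc=demo,dc=test) from its DNS name.
proc domain_to_dn {domain} {
    return "dc=[join [split $domain .] ,dc=]"
}

# Pull the cn value out of a DN and undo simple backslash escapes (e.g. "\,").
proc cn_from_dn {dn} {
    if {![regexp -nocase {^cn=((?:\\.|[^\\,])+)} $dn -> raw]} {
        return ""
    }
    regsub -all {\\(.)} $raw {\1} cn
    return $cn
}

# a) Bind to the zone's domain and to every trusting domain that may hold the
#    parent user object; UPN lookups are per domain, so each one is searched.
foreach d $domains {
    bind $d
}
select_zone $zoneDN

# c) Enumerate the SCPs in the zone's Users container; each entry is a DN.
set userContainer "cn=Users,$zoneDN"
set scps [get_objects -depth one $userContainer "(objectClass=serviceConnectionPoint)"]

# e)/f) For each SCP's cn (the UPN it claims), look for a user object with that
#       userPrincipalName in each bound domain.
set orphans {}
set ok 0
foreach scpDN $scps {
    set upn [cn_from_dn $scpDN]
    if {$upn eq ""} {
        continue
    }
    set found 0
    foreach d $domains {
        set filter "(&(objectClass=user)(userPrincipalName=[ldap_filter_escape $upn]))"
        if {[llength [get_objects -depth sub [domain_to_dn $d] $filter]] > 0} {
            set found 1
            break
        }
    }
    if {$found} {
        incr ok
    } else {
        lappend orphans $scpDN
    }
}

# g) Report only. Review the list before removing anything.
puts "Zone: $zoneDN"
puts "SCPs with a matching user: $ok"
puts "Orphan SCPs: [llength $orphans]"
foreach dn $orphans {
    puts "  ORPHAN $dn"
}
```

Run it after kinit as the account that can read the zone and the user containers. Passing every trusting domain on the command line is what keeps a user that lives in another domain from being misreported as an orphan, which is the case the answer warns about before deleting anything.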