Description:
When applying a role to a user, certain attributes that may have changed in the policy don't propagate to the account.
Solution:
Admin has the concept of Initial vs. Capability attributes. Initial attributes are set only the first time a policy/role is applied to a Global user. Capability attributes are 'synced' each time the policy is updated and synced with the user.
You can find out which attributes are capability attributes by dumping the parser files.
Admin comes with a utility for dumping parser files called dumpptt.exe. The parser files are located in your %ETAHOME%\data folder.
The usage is as follows:
Usage: dumpptt [-c] [-a] [-f] [-b] [-t parser_table] [-of output_file ]
Flags:
  -c : Show account capability attributes
  -a : Show classes on which ACL can be set
  -a -f : Show classes and attributes on which ACL can be set
  -f : Show full definition. (By default, only most useful info)
  -b : Show brief classes definition.
  -t parser_table : Specify the parser table to be dumped
  -of output_file : Specify the output file name
Here's an example of a dump of the Active Directory parser file:
%ETAHOME%\data>dumpptt -t adsparse.ptt -c -of adsdump.txt
This will output a list of the attributes that are capability attributes. Here are the contents of adsdump.txt:
Listing Account Capability Attributes
ActiveDirectory(Active Dir. Account):
Attribute Name        Description                                                              Multi-valued SyncRemoveValues
--------------------- ------------------------------------------------------------------------ ------------ ----------------
accountExpires        Account expiration date
GroupMembership       List of groups user is in                                                Multi-valued SyncRemoveValues
logonHours            Permitted user-login times
altSecurityIdentities Security Identity Mapping                                                Multi-valued SyncRemoveValues
ADSwtsProfilePath     Terminal Services: Terminal Server Profile Path
ProxyAddresses        List of email addresses (Exchange2000 only)                              Multi-valued SyncRemoveValues
submissionContLength  Maximum size of an outgoing message (Exchange2000 only)
delivContLength       Maximum size of an incoming message (Exchange2000 only)
authOrig              Accept message from Mailbox (Exchange2000 only)                          Multi-valued SyncRemoveValues
unauthOrig            Refuse message from Mailbox (Exchange2000 only)                          Multi-valued SyncRemoveValues
msExchRecipLimit      Maximum number of recipients for outgoing message (Exchange2000 only)
mDBUseDefaults        Use Default values for Storage Quotas (Exchange2000 only)
mDBStorageQuota       Issue warning at (KB) (Exchange2000 only)
mDBOverQuotaLimit     Prohibit send and receive at (KB) (Exchange2000 only)
mDBOverHardQuotaLimit Prohibit send at (KB) (Exchange2000 only)
garbageCollPeriod     Days deleted items should be kept (Exchange2000 only)
deletedItemFlags      Provides from deleting permatently items - if true - (Exchange2000 only)
MailboxRights         Mailbox Rights (Exchange2000 only)                                       Multi-valued SyncRemoveValues
securityProtocol      Security Protocol flag (Exchange2000 only)
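As an added example (not part of the original article or of the product), the following Python sketch parses a capability listing in the layout shown above and splits the attributes changed in a policy into those that will re-sync to existing accounts and those that will not. It assumes the fixed-width layout with a dashed ruler line, and that any attribute absent from the listing is an Initial attribute; the sample text is constructed and `exampleInitialAttr` is a hypothetical attribute name.

```python
import re

# Constructed sample in the layout of a `dumpptt -c` listing (shortened,
# narrower Description column than the real dump).
_FMT = "{:<21} {:<26} {:<12} {}"
_ROWS = [
    ("accountExpires", "Account expiration date", "", ""),
    ("GroupMembership", "List of groups user is in", "Multi-valued", "SyncRemoveValues"),
    ("logonHours", "Permitted user-login times", "", ""),
]
SAMPLE = "\n".join(
    ["Listing Account Capability Attributes",
     "ActiveDirectory(Active Dir. Account):",
     _FMT.format("Attribute Name", "Description", "Multi-valued", "SyncRemoveValues"),
     _FMT.format("-" * 21, "-" * 26, "-" * 12, "-" * 16)]
    + [_FMT.format(*row).rstrip() for row in _ROWS]
)

def parse_capability_dump(text):
    """Return {lowercased name: details}, using the dashed ruler for column bounds."""
    lines = text.splitlines()
    ruler = next(i for i, ln in enumerate(lines)
                 if re.fullmatch(r"-+(?: +-+){3}\s*", ln))
    starts = [m.start() for m in re.finditer(r"-+", lines[ruler])]
    bounds = list(zip(starts, starts[1:] + [None]))  # last column runs to end of line
    attrs = {}
    for ln in lines[ruler + 1:]:
        if not ln.strip():
            continue
        name, desc, multi, sync = (ln[a:b].strip() for a, b in bounds)
        attrs[name.lower()] = {
            "name": name,
            "description": desc,
            "multi_valued": multi == "Multi-valued",
            "sync_remove_values": sync == "SyncRemoveValues",
        }
    return attrs

def classify_policy_changes(changed, capability):
    """Split changed policy attributes into (re-synced, initial-only).
    Assumption: an attribute missing from the capability listing is Initial."""
    resynced = [a for a in changed if a.lower() in capability]
    initial_only = [a for a in changed if a.lower() not in capability]
    return resynced, initial_only

if __name__ == "__main__":
    caps = parse_capability_dump(SAMPLE)
    changed = ["GroupMembership", "logonHours", "exampleInitialAttr"]  # hypothetical change set
    print(classify_policy_changes(changed, caps))
```

To run it against a real dump, read the file written with `-of` (for example `adsdump.txt`) and pass its contents to `parse_capability_dump`.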
If you omit the '-c' switch, you will get a listing of all the attributes and their properties. If you add the '-f' switch, you will get additional info concerning the attribute, like this:
ATTRIBUTE (LDAP Name) eTADSDirectory::eTADSDirectoryName
User-friendly Name : name
Description: eTrust Active Directory Name
ProhibitedCharacters: /\\?|*:<>"}{][,
MinValue: (null)
MaxValue: (null)
DefaultValue: (null)
MinLength: 1
MaxLength: 100
EditType: 0 [string]
MergeAlgorithm:
IsSpaceAllowedIn: yes
IsAsciiOnly: no
IsMultiValued: no
Case: 0 [insensitive]
Values: <NONE>
ExcludedValues: <NONE>
OrWords: <NONE>
VerbReqs: copyto, tocopy, copyallto, tocopyall, renameto, torename, add, !inselect, !toupdate
Group: (null)
Label: (null)
IsHidden: no
IsRelationalOperatorAllowedWith: no
IsEncrypted: no
IsIndexed: yes
IsBaseAttribute: no
Searchable: yes
Incremental: no
Obscured: no
Deprecated: no
DataLocation: 3 [BOTH]
AuthOps: 0x00 (NONE)
AuthAlias: (null)
DependsOn: <NONE>