Tags: active-directory, ldap, azure-active-directory, ldapjs

Microsoft Active Directory create computer object operation failing with UndefinedAttributeTypeError for a few attributes


Whenever we try to create a computer object in Microsoft Active Directory as below:

var ldap = require('ldapjs');

var client = ldap.createClient({
  url: 'ldap://<<host>>:389'
});

// DN of the new computer object and the attributes we want to set on it.
var newDN = "CN=testcomputeruser,OU=testou,DC=test,DC=com";
var newUser = {
  cn: 'newtestComputer334',
  objectClass: 'computer',
  description: 'This is test implementation hence this is test description.',
  // Each of the following attributes makes the add fail with UndefinedAttributeTypeError:
  // 'msDS-RevealedList': 'S:12:RevealedList:CN=RevealedList,OU=testou,DC=test,DC=com',
  // 'msDS-isGC': 'FALSE',
  // 'msDS-isRODC': 'FALSE',
  // 'msDS-SiteName': 'TestmsDSSiteName',
  // 'msDS-IsUserCachableAtRodc': '568974',
};

client.bind('<<Admin DN>>', '<<password>>', function(err) {
  if (err) {
    console.log('error', err);
    return;
  }
  console.log('bind is success');

  // Only issue the add once the bind has succeeded.
  client.add(newDN, newUser, function(err, resp) {
    console.log('newDN : ', newDN);
    console.log('newUser : ', newUser);
    if (err) {
      console.log('error', err);
    } else {
      console.log('new user is success');
    }
  });
});

It fails with UndefinedAttributeTypeError for a few attributes, such as msDS-RevealedList, msDS-isGC, msDS-isRODC, msDS-SiteName and msDS-IsUserCachableAtRodc, even after providing an appropriate value.

Is there any way to find out what the issue is?


Solution

  • Those are all constructed attributes, meaning that AD calculates the value of those attributes at the time you ask for them. They are not writable.

    Sometimes you see this in the documentation online. For example, the documentation for msDS-RevealedList says:

    The msDS-RevealedList attribute is constructed from the msDS-RevealedUsers attribute

    But some of the documentation pages don't tell you that, like msDS-isGC.

    The easiest way to figure out if it's a constructed attribute is to use AD Users and Computers. Make sure View -> Advanced Features is selected. Then navigate to an OU and open the properties of a type of object you want to look at (like a computer). Then go to the Attribute Editor tab. Use the 'Filter' button and make sure the "Show only" options are deselected. Then show or hide Constructed attributes, and see if the attribute you're looking for shows up.

    (screenshot: ADUC Attribute Editor)
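The same check can be done from code instead of the ADUC GUI (an added example, not part of the question or the answer): every attribute is described by an attributeSchema object under the schema naming context, and bit 0x4 of its systemFlags (FLAG_ATTR_IS_CONSTRUCTED) marks it as constructed and therefore read-only. The helpers below build the ldapjs search for those entries and strip constructed attributes from an entry before client.add(); the schema DN assumes the question's DC=test,DC=com, and the sample schema results and their systemFlags values are constructed for this example.

```javascript
// Bit in attributeSchema.systemFlags that marks a constructed attribute.
const FLAG_ATTR_IS_CONSTRUCTED = 0x4;

// RFC 4515 escaping for values placed inside a search filter.
function escapeFilter(value) {
  return String(value).replace(/[\\*()\0]/g, c =>
    '\\' + c.charCodeAt(0).toString(16).padStart(2, '0'));
}

// Build the ldapjs search (base + options) that fetches the attributeSchema
// entries for the given lDAPDisplayNames. schemaNC normally comes from the
// RootDSE attribute schemaNamingContext.
function buildSchemaSearch(schemaNC, names) {
  const clauses = names.map(n => `(lDAPDisplayName=${escapeFilter(n)})`).join('');
  return {
    base: schemaNC,
    options: {
      scope: 'sub',
      filter: `(&(objectClass=attributeSchema)(|${clauses}))`,
      attributes: ['lDAPDisplayName', 'systemFlags'],
    },
  };
}

// systemFlags arrives as a decimal string over LDAP.
function isConstructed(systemFlags) {
  return (parseInt(systemFlags, 10) & FLAG_ATTR_IS_CONSTRUCTED) !== 0;
}

// Split a proposed entry into attributes that can be written and constructed
// ones that must be dropped before client.add(). schemaEntries is an array of
// { lDAPDisplayName, systemFlags } as returned by the schema search.
function splitWritable(entry, schemaEntries) {
  const flags = new Map(schemaEntries.map(e => [e.lDAPDisplayName.toLowerCase(), e.systemFlags]));
  const writable = {}, constructed = [];
  for (const [name, value] of Object.entries(entry)) {
    const sf = flags.get(name.toLowerCase());
    if (sf !== undefined && isConstructed(sf)) constructed.push(name);
    else writable[name] = value;
  }
  return { writable, constructed };
}

// Constructed sample schema results (systemFlags values are illustrative).
const sampleSchema = [
  { lDAPDisplayName: 'description', systemFlags: '0' },
  { lDAPDisplayName: 'msDS-isGC', systemFlags: '4' },
  { lDAPDisplayName: 'msDS-RevealedList', systemFlags: '4' },
];
const schemaSearch = buildSchemaSearch('CN=Schema,CN=Configuration,DC=test,DC=com', ['msDS-isGC']);
```

In a live run, pass `schemaSearch.base` and `schemaSearch.options` to `client.search()` and feed the returned entries to `splitWritable()` before calling `client.add()` with `result.writable`.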