|Applies To||Microsoft Active Directory 2003 or 2008|
The customer was a government agency which has a requirement to deploy On-Demand tokens, but not to disclose management's private mobile numbers to Exchange Server properties feeding from Active Directory.
One way of achieving this is to create a custom attribute in AD and to map to RSA Authentication Manager
|Issue||Create a custom attribute in Active Directory to map to RSA Authentication Manager|
I Follow these steps to configure a custom attribute
1. Install the Schema snap-in (Start, Run, regsvr32 schmmgmt.dll).
2. Go to Start -> Run -> Type MMC and press Enter
3. Go to File -> Add/Remove Snap-in -> click Add -> Select Active Directory Schema and click Add
4. Expand the Active Directory schema and Right Click Attributes
5. Click ?Create Attribute?
6. Create New Attribute window will appear
7. In Common name enter ?privateMobile?
8. Enter LDAP name also as ?privateMobile?
9. For our demo we have used DUMMY Values like 18.104.22.168.5 (For your base OID number, please refer to a Microsoft article ms677620)
10. Select the appropriate syntax, which in our case may be Unicode String.
11. Mention Minimum and Maximum values if required. These are optional you can leave them blank.
12. Once Attribute is created, select Classes
13. Expand CLASSES and Select PERSON
14. Click PERSON and select Properties
15. Click Attribute Tab and click Add
16. Select the Attribute you created and click OK.
17. Click OK to close all property windows
18. Go to Start ->Run -> Type adsiedit.msc.
19. Open the Active Directory Service Interfaces (ADSI) Edit utility
20. Right-click ADSI Edit and click on Connect to?
21. In the Select a well known Naming Context drop-down menu, select Configuration and click OK.
22. Navigate to CN=DisplaySpecifiers, CN=409 and double-click
23. In the right-pane, locate and right-click CN=user-display, and select Properties.
24. Select AdminContextMenu and click EDIT
25. In the Edit Attribute box, type the following:
26. Enter the following in the Empty box and Click Add
3,&Private Mobile, c:\EnterAttrib.vbs
28. Click OK to close all window popups
29. Select Configuration in ADSIEDIT panel and Right Click
30. Click "Update Schema Now"
II These steps configure the options PrivateMobile on the context menu for a user in the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in.
Place the following scripts on your C:\EnterAttrib.vbs or in your file path:
Set oVar = Wscript.Arguments
Set oUsr = GetObject(oVar(0))
tmp = InputBox("The Private Mobile of the user is: " & oUsr.privateMobile & vbCRLF & vbCRLF & "Enter the new Private Mobile Below")
if tmp <> "" then oUsr.Put "privateMobile",tmp
Set oUsr = Nothing
Note:This will enable to add a new mobile number or replace the existing one.
III How To Add Custom Attributes to the Directory Service Find List
1. Use ADSIEdit to select the Configuration namespace.
2. Expand the displaySpecifier container.
3. Expand the appropriate displaySpecifier container. For example, "409" is English.
4. View the Properties for the user-Display object.
5. Modify the attributeDisplayNames attribute by adding a value in the format:
For example, "Private Mobile" looks like this:
IV Map the object to the RSA Authentication Manager
Security Console > Identity > Identity Attribute Definitions > Enter the custom attribute created for privateMobile in your Active Directory column
|Legacy Article ID||a62178|