Connecting Enterprise Resource to Active Directory Resource

  • Question

  • Hi Guys, 

    Does anyone know if it is possible to edit the Active Directory GUID of an Enterprise Resource?
    Our scenario is that some users are not currently in sync with Active Directory, so when it is synced with the Enterprise Resource, it gets duplicated. The problem is that if we delete the non-AD resource, all of their tasks, connections, etc. will be lost.

    So we are hoping to find a way to turn a non-AD resource into an AD-synced resource. We have checked the documentation for both CSOM and the PowerShell API, with no answer so far.

    We are using SharePoint 2016.

    Thursday, July 11, 2019 9:06 PM

All replies

  • Hi,

    Generally, the object GUID doesn't change over the lifetime of an object in AD.

    If you have two domains/forests, I suggest you migrate the users; this will create a new GUID for the users and resolve your issue.

    Regards,

    SAAD Youssef

    _______

    Please remember to mark the replies as answer if they help, thank you!

    Thursday, July 11, 2019 9:13 PM
  • Migrating users is unfortunately not an option because the resources themselves are currently active.

    They have counterparts in AD which we are trying to connect via the GUID.
    Since a non-AD Resource in Project would have a 0000-000... GUID, at best we only want to edit that part via script and connect its AD resource counterpart.
    Thursday, July 11, 2019 9:32 PM
  • https://docs.microsoft.com/en-us/windows/win32/adschema/a-objectguid

    As said in the article, the Object GUID cannot be changed.

    Thursday, July 11, 2019 9:35 PM
  • Thanks for bringing up the definition of GUID 

    Unfortunately, converting a non-AD resource to AD can be said to be creating another object, which means we are not changing anything but instead creating it.

    Thursday, July 11, 2019 10:05 PM
  • I found this solution; it corresponds to your need:

    You can create an object with a specific GUID. These are the requirements that must be satisfied to be able to do this:

      * fSpecifyGUIDOnAdd = true in dSHeuristics (section 7.1.1.2.4.1.2).
      * The requester has the Add-GUID control access right (section 5.1.3.2.1) on the NC root of the NC where the object is being added.
      * The requester-specified objectGUID is not currently in use in the forest.
      * Active Directory is operating as AD DS.

    Documented here:

    http://msdn.microsoft.com/en-us/library/cc223443%28PROT.10%29.aspx

    The most important of these is fSpecifyGUIDOnAdd. This is *not* enabled by default, you must enable it on this node:

    CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=<Forest>

    The dsHeuristics field, which is not set at all by default, is a composite of a number of options. To enable this particular option you would need to make it this:

    00000000001

    Each of the fields and their position is documented here:

    http://msdn.microsoft.com/en-us/library/cc223560%28PROT.10%29.aspx

    The setting is applied to the Forest and will affect all member domains. Naturally any forest-wide change should be approached with great care and ideally full testing.

    Thursday, July 11, 2019 10:16 PM
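
Because the reply above describes a forest-wide switch, a read-only check of its current state is useful before and after any change. The following is an added example, not code from the thread or from Microsoft: the function names are hypothetical, the sample values are constructed, position 11 is taken from the reply above, and treating any character other than 0 as enabled is a conservative assumption.

```powershell
# Added example: read-only audit of fSpecifyGUIDOnAdd (hypothetical function names).

function Test-SpecifyGuidOnAdd {
    param([string]$DsHeuristics)
    # Attribute not set, or shorter than 11 characters: the option is off.
    if ([string]::IsNullOrEmpty($DsHeuristics) -or $DsHeuristics.Length -lt 11) {
        return $false
    }
    # Position 11 in the documentation is index 10 here.
    # Assumption: any character other than '0' counts as enabled.
    return $DsHeuristics.Substring(10, 1) -ne '0'
}

function Get-ForestDsHeuristics {
    # Needs the ActiveDirectory module and read access to the Configuration NC.
    # Builds the node named in the reply above from the forest's own root DSE.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $dn = "CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
    (Get-ADObject -Identity $dn -Properties dSHeuristics).dSHeuristics
}

# Constructed sample values, so the check can be exercised without a domain.
$samples = [ordered]@{
    'not set'          = $null
    'shorter than 11'  = '0000000'
    'value from reply' = '00000000001'
    'eleventh is zero' = '00000000000'
}
foreach ($name in $samples.Keys) {
    $enabled = Test-SpecifyGuidOnAdd $samples[$name]
    '{0,-18} -> fSpecifyGUIDOnAdd enabled: {1}' -f $name, $enabled
}
```

Against a live forest, run `Test-SpecifyGuidOnAdd (Get-ForestDsHeuristics)` from a domain-joined machine; neither function writes to the directory.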
  • Hmm will check it out
    Thursday, July 11, 2019 10:33 PM