isMemberOfPartialAttributeSet & FLAG_ATTR_REQ_PARTIAL_SET_MEMBER in systemFlags.


  • That bit of the systemFlags attribute is new to me. I've always used the isMemberOfPartialAttributeSet property of the attribute object to check if the attribute is replicated to the GC (is a member of the PAS). The only code I've seen to add an attribute to the PAS modifies the isMemberOfPartialAttributeSet property to True.

    Also, I don't see that bit described here:

    http://msdn.microsoft.com/en-us/library/windows/desktop/aa772297(v=vs.85).aspx

    so I assume it is new, perhaps set by the system (if it really is as described in your link).


    Richard Mueller - MVP Directory Services

    Wednesday, May 22, 2013 9:37 PM
  • I checked in my test domain and many more attributes have isMemberOfPartialAttributeSet TRUE than have the 0x2 bit of systemFlags set. Two of the attributes with isMemberOfPartialAttributeSet equal to TRUE but without the bit of systemFlags set are givenName and sn (Given-Name and Surname). You can see this using ADSI Edit.


    Richard Mueller - MVP Directory Services

    Wednesday, May 22, 2013 10:33 PM
  • I should add that I found that all attributes with the 0x2 bit of systemFlags set also had isMemberOfPartialAttributeSet equal to TRUE. You can use dsquery * to check in your domain. To find all attributes where isMemberOfPartialAttributeSet is TRUE (so they are members of the PAS):

    dsquery * "cn=Schema,cn=Configuration,dc=mydomain,dc=com" -filter "(&(objectCategory=attributeSchema)(isMemberOfPartialAttributeSet=TRUE))" -Limit 0 -Attr lDAPDisplayName systemFlags > PAS1.txt

    To find all attributes with the 0x2 bit of systemFlags set:

    dsquery * "cn=Schema,cn=Configuration,dc=mydomain,dc=com" -filter "(&(objectCategory=attributeSchema)(systemFlags:1.2.840.113556.1.4.803:=2))" -Limit 0 -Attr lDAPDisplayName isMemberOfPartialAttributeSet > PAS2.txt

    I redirected the output to text files so you can compare the number of lines and find which attributes are missing from the second file. I don't think the FLAG_ATTR_REQ_PARTIAL_SET_MEMBER bit means what we think. Many members of the PAS do not have this bit set.


    Richard Mueller - MVP Directory Services

    Wednesday, May 22, 2013 10:50 PM
  • Hi Richard,

    Cheers for looking into that in such detail... I'm seeing similar things here. I was writing something in PowerShell to be able to easily get some *interesting* properties from named or all attributes (I'll put it up on the Gallery at some point). I was looking at the searchFlags and systemFlags properties when I came across this bit.

    Everything that has ATTR_REQ_PARTIAL_SET_MEMBER also has isMemberOfPartialAttributeSet (or at least the numbers suggest as much) but not the other way around. Interestingly, I also have a whole bunch that don't have anything in systemFlags at all.

    $attributes = .\Get-AttributeSchemaInfo.ps1 -ExpandSystemFlags
    ($attributes | ?{$_.ATTR_REQ_PARTIAL_SET_MEMBER -eq $true}).Count
    47
    ($attributes | ?{$_.isMemberOfPartialAttributeSet -eq $true}).Count
    556
    ($attributes | ?{$_.isMemberOfPartialAttributeSet -And $_.ATTR_REQ_PARTIAL_SET_MEMBER}).Count
    47
    ($attributes | ?{$_.systemFlags -eq ""}).Count
    2172

    I thought it may be a bit like msExchDelegateListLink and full mailbox access, in that msExchDelegateListLink gets updated when you grant FMA but doesn't go back and *fix* accounts that already had that permission. So in this instance new or modified attributes would have their systemFlags *fixed*. However, I found cn and isDeleted in the list of attributes with the ATTR_REQ_PARTIAL_SET_MEMBER flag set and (I may be wrong but) I'm pretty sure they've been there for a while. I also found 47 attributes with ATTR_REQ_PARTIAL_SET_MEMBER set across 3 different forests, so the consistency there blows that theory out of the water.

    So ATTR_REQ_PARTIAL_SET_MEMBER still falls into the *interesting* category but for a completely different reason in that I don't know what it does...

    Thanks,

    Mark.


    Thursday, May 23, 2013 11:53 AM
  • I also have 47 attributes with ATTR_REQ_PARTIAL_SET_MEMBER set. And I have some attributes where systemFlags has no value (missing), but not nearly as many as you do. Also I don't have as many in the PAS. I assume this is because I don't have Exchange.


    Richard Mueller - MVP Directory Services

    Thursday, May 23, 2013 3:22 PM
  • I think this is because you can't change systemFlags (well, not in a supported manner at least) from the outside, e.g. Microsoft can flag certain attributes to be part of the PAS and make assumptions in code that they are, while isMemberOfPartialAttributeSet can be used to make a certain attribute a member of the PAS on a "user/customer" basis. That's just my thoughts, but it is interesting, so I will do some more searching around this :)

    Enfo Zipper
    Christoffer Andersson – Principal Advisor
    http://blogs.chrisse.se - Directory Services Blog

    Friday, May 24, 2013 3:12 PM
  • I've never modified the PAS in my test domain. There are many more attributes where isMemberOfPartialAttributeSet is True than ones where the ATTR_REQ_PARTIAL_SET_MEMBER bit of systemFlags is set. The systemFlags bit must mean something else.


    Richard Mueller - MVP Directory Services

    Friday, May 24, 2013 4:42 PM
  • Yes, that could make sense: the ones that have the bit set in searchFlags could be those that the code makes assumptions about being in the PAS.

    I've now verified my theory, it works as stated.

    Enfo Zipper
    Christoffer Andersson – Principal Advisor
    http://blogs.chrisse.se - Directory Services Blog


    Friday, May 24, 2013 7:22 PM
    • Proposed as answer by Richard Mueller MVP Friday, May 24, 2013 10:22 PM
    • Marked as answer by - Mark - Saturday, May 25, 2013 11:06 AM
    Friday, May 24, 2013 9:20 PM
  • Excellent blog post. From the article you link the important statement is as follows:

    FLAG_ATTR_REQ_PARTIAL_SET_MEMBER: This attribute is a member of PAS regardless the value of attribute isMemberOfPartialAttributeSet.


    Richard Mueller - MVP Directory Services

    • Marked as answer by - Mark - Saturday, May 25, 2013 11:06 AM
    Friday, May 24, 2013 10:22 PM
  • Cheers Richard and Christoffer! It makes sense that there would be a list of attributes that the system forces into the PAS since you could, with the correct rights and the right script, nuke the entire GC functionality in your environment. Now that someone clever has answered my question and looking at the "REQ" piece in FLAG_ATTR_REQ_PARTIAL_SET_MEMBER, it seems the answer was staring us in the face!

    I’ve added a switch to the script to filter for just these attributes (-ReqPAS). You can download it from here: http://gallery.technet.microsoft.com/Get-AttributeSchemaInfops1-77aa850b. I’d appreciate your thoughts!

    Thanks,

    Mark

    • Marked as answer by - Mark - Saturday, May 25, 2013 11:06 AM
    Saturday, May 25, 2013 11:00 AM
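
The rule the thread settles on (an attribute is in the PAS if isMemberOfPartialAttributeSet is TRUE or the 0x2 bit of systemFlags is set) can be checked per attribute. This is an added example, not code from any poster and not Mark's Get-AttributeSchemaInfo.ps1. The function names Get-SchemaAttribute and Get-PasMembership, the exampleFlagOnly and exampleLocal attributes, and all sample systemFlags values are constructed for illustration.

```powershell
# Added example, not from the thread. 0x2 is the systemFlags bit queried above.
$FLAG_ATTR_REQ_PARTIAL_SET_MEMBER = 0x2

function Get-SchemaAttribute {
    # Reads the three relevant properties of every attributeSchema object.
    $rootDse  = [adsi]'LDAP://RootDSE'
    $searcher = [adsisearcher]'(objectCategory=attributeSchema)'
    $searcher.SearchRoot = [adsi]("LDAP://" + $rootDse.schemaNamingContext)
    $searcher.PageSize   = 1000
    foreach ($p in 'lDAPDisplayName', 'systemFlags', 'isMemberOfPartialAttributeSet') {
        [void]$searcher.PropertiesToLoad.Add($p)
    }
    foreach ($r in $searcher.FindAll()) {
        # Result property names are lower case; @(...)[0] yields $null when absent.
        [pscustomobject]@{
            lDAPDisplayName               = [string]@($r.Properties['ldapdisplayname'])[0]
            systemFlags                   = @($r.Properties['systemflags'])[0]
            isMemberOfPartialAttributeSet = [bool]@($r.Properties['ismemberofpartialattributeset'])[0]
        }
    }
}

function Get-PasMembership {
    # Classifies one attribute record by how it ends up in the PAS.
    param([Parameter(Mandatory, ValueFromPipeline)] $Attribute)
    process {
        # systemFlags can be missing on a schema object; treat that as 0.
        $flags    = if ("$($Attribute.systemFlags)" -ne '') { [int]$Attribute.systemFlags } else { 0 }
        $required = ($flags -band $FLAG_ATTR_REQ_PARTIAL_SET_MEMBER) -ne 0
        $marked   = $Attribute.isMemberOfPartialAttributeSet -eq $true
        $source   = 'not in PAS'
        if ($marked)   { $source = 'isMemberOfPartialAttributeSet only' }
        if ($required) { $source = if ($marked) { 'both' } else { 'systemFlags only' } }
        [pscustomobject]@{
            lDAPDisplayName = $Attribute.lDAPDisplayName
            InPAS           = $required -or $marked
            Source          = $source
        }
    }
}

# Constructed sample records (illustrative values, not read from a real schema).
$sample = @(
    [pscustomobject]@{ lDAPDisplayName = 'cn';              systemFlags = 18;    isMemberOfPartialAttributeSet = $true }
    [pscustomobject]@{ lDAPDisplayName = 'givenName';       systemFlags = 16;    isMemberOfPartialAttributeSet = $true }
    [pscustomobject]@{ lDAPDisplayName = 'exampleFlagOnly'; systemFlags = 2;     isMemberOfPartialAttributeSet = $false }
    [pscustomobject]@{ lDAPDisplayName = 'exampleLocal';    systemFlags = $null; isMemberOfPartialAttributeSet = $false }
)
$sample | Get-PasMembership | Format-Table -AutoSize
# Live forest: Get-SchemaAttribute | Get-PasMembership | Group-Object Source
```

Any attribute reported as "isMemberOfPartialAttributeSet only" is in the PAS because of a schema change that an administrator or an application schema extension can make, so that group is the one to review when auditing what is replicated to global catalogs.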