4.2 Configuring Active Directory for SSPR

Before you configure SSPR, you must first extend the Active Directory schema and assign user rights.

4.2.1 Extending the Active Directory Schema and Assigning Rights

SSPR leverages the directory to store and manage the SSPR data. To accomplish this, SSPR extends the directory schema to add three SSPR schema attributes where the SSPR data is stored.

After you extend the directory schema, you must give permissions to access objects, including the group policy, organizational units, and containers. Authorizing read or write rights to the SSPR directory schema attributes is referred to as assigning user rights.

The SSPR Microsoft Active Directory schema extension executable extends the schema on the server and enables you to assign user rights. You must determine which containers and organizational units need SSPR access, and you must know their distinguished names (DN) so that you can assign rights to each container and organizational unit separately.

You can also extend the Microsoft Active Directory schema to the root of the domain and assign rights to each container and organizational unit below the root.

Extending the Schema

The following instructions apply to configuring a Microsoft Active Directory instance that is stored and administered on a server separate from the Active Directory domain controller.

  1. Log in to the server as an administrator.

  2. Click Schema Extension Tools > Active Directory Extension.

    or

    If you are installing from the SSPR installer package, locate the supplemental folder, then double-click ssprADSschema.exe.

    The SSPR Active Directory Schema dialog box is displayed.

  3. Select Extend Active Directory Schema.

  4. Click OK.

    The following SSPR attributes are added to the Directory schema:

    • pwmEventLog

    • pwmResponseSet

    • pwmLastPwdUpdate

    A confirmation message is displayed.

  5. Click OK to return to the Active Directory Schema dialog box.

    Because the directory schema is now extended, you must assign access rights to the relevant containers and organizational units.

    If you have previously extended the schema, a message listing the existing schema appears. Ignore this message.

Assigning User Rights

You must assign permissions on objects in the directory so that data can be stored in the new SSPR schema attributes. You assign rights to all the objects that access the SSPR data, including the user objects, containers, group policies, and organizational units.

When you assign rights to the containers and organizational units, the rights filter down to all associated user objects. Assigning rights at the individual user object level is therefore unnecessary unless your deployment specifically requires it.

  1. Run ssprADSschema.exe, which is found in supplemental\Schema\AD.

  2. Select Assign User Rights, then click OK.

    The Assign Rights to This Object dialog box is displayed.

    For example, if you assign rights to the Users container, the Users container definition (its distinguished name) is:

    cn=users, dc=www, dc=training, dc=com

    To assign rights to an organizational unit, such as Marketing, in the www.company.com domain, the definition is:

    ou=marketing, dc=www, dc=company, dc=com

  3. Specify your container or organizational unit definition in the Assign rights to this object field. The confirmation dialog box appears.

  4. Click OK to return to the Active Directory Schema dialog box.

  5. Repeat Step 2 to Step 4 to assign rights to all required user objects, containers, and organizational units.

    If you see an error message indicating Error opening the specified object: -2147016661, it means that the rights have already been assigned to the object.

    If you see an error message indicating Error opening the specified object: -214716656, it means that you have attempted to assign the rights to an object that does not exist in the directory.

    Check your punctuation, syntax, and spelling, then repeat the procedure.

  6. After all the required rights are successfully assigned, click OK to return to the Active Directory Schema dialog box.

  7. Click Cancel.

NOTE: You can extend the rights to the objects at any time after the schema is extended. If you add organizational units, you need to rerun the ssprADSschema.exe tool and assign rights to the new objects so that SSPR can write its data to the directory.
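To confirm after the procedure above that the three attributes exist in the schema, and to review exactly which identities hold rights to them on a given container, the following PowerShell script can be run from an administrative, domain-joined host. It is an added example, not a tool shipped with SSPR; it assumes the RSAT ActiveDirectory module is installed, and the organizational unit DN is a placeholder to replace with one of your own.

```powershell
# Added example (not part of SSPR or its documentation): audit the SSPR schema
# extension and the rights assigned on one container or organizational unit.
Import-Module ActiveDirectory

$SsprAttributes = 'pwmEventLog', 'pwmResponseSet', 'pwmLastPwdUpdate'
$TargetDn = 'ou=marketing,dc=www,dc=company,dc=com'   # placeholder DN, replace

$schemaNc = (Get-ADRootDSE).schemaNamingContext

# 1. Confirm each attribute exists in the schema and collect its schemaIDGUID,
#    which is the GUID an attribute-scoped ACE carries in its ObjectType field.
$attrGuids = @{}
foreach ($name in $SsprAttributes) {
    $attr = Get-ADObject -SearchBase $schemaNc `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$name))" `
        -Properties schemaIDGUID
    if (-not $attr) {
        Write-Warning "Schema attribute '$name' is missing; extend the schema first."
        continue
    }
    $attrGuids[[guid]$attr.schemaIDGUID] = $name
}

# 2. List the ACEs on the target that touch those attributes. An ACE whose
#    ObjectType is the empty GUID applies to all properties, so it is reported
#    too: such an entry grants far more than the three SSPR attributes and is
#    worth checking against what was intended.
$acl = Get-Acl -Path "AD:\$TargetDn"
$report = foreach ($ace in $acl.Access) {
    $isSspr = $attrGuids.ContainsKey($ace.ObjectType)
    $isAll  = ($ace.ObjectType -eq [guid]::Empty) -and
              ($ace.ActiveDirectoryRights -match 'Property|GenericAll|GenericWrite')
    if ($isSspr -or $isAll) {
        [pscustomobject]@{
            Scope       = if ($isSspr) { $attrGuids[$ace.ObjectType] } else { '(all properties)' }
            Identity    = $ace.IdentityReference
            Rights      = $ace.ActiveDirectoryRights
            Type        = $ace.AccessControlType
            Inherited   = $ace.IsInherited
            Inheritance = $ace.InheritanceType
        }
    }
}
$report | Sort-Object Scope, Identity | Format-Table -AutoSize
```

Run it once after assigning rights and again whenever organizational units are added, so that the rights SSPR depends on are present where expected and not granted more broadly than the containers you chose.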

4.2.2 Refreshing the Directory Schema

  1. Run the Microsoft Management Console (MMC), then display the Active Directory Schema plug-in.

  2. Right-click Active Directory Schema, then select Reload the Schema.

  3. On the Console menu, click Exit to close the MMC.

In a multi-server environment, schema updates propagate to the other servers through replication.

After configuring Active Directory for SSPR, go to Section 4.3, Configuring SSPR.