Terminal Services

Hi,

I am facing problems populating terminal services attributes. I am getting this error:

Unable to lookup SID: No mapping between account names and security IDs was done.

I can populate other attributes. After account creation, when I set any values for the Terminal Services User Profile from the attributes tab, they take effect in the AD instance, but I don't know why I am not able to do this through the workflow. Previously I thought it was due to AD permissions, but now that is ruled out.

My question: is this the right way to set a terminal services attribute?

<set name='user.accounts[AD].Terminal Services User Profile'>
  <s>profilepath\abc</s>
</set>

Anybody, please give some ideas.

Thanks

[807 byte] By [dortmund_developera] at [2007-11-26 17:38:49]
# 1

Hi,

this is pure speculation...

As I understand, the terminal server attributes can not be done using ADSI but the gateway uses ADO (therefore the management of the terminal server attributes was introduced first as late as IDM 5.5).

I'm not deep enough into the AD stuff, but when you create a user object using ADSI, replication issues may arise between domain controllers if you try to alter properties of the newly created user on a server remote from where he was created. This has been an issue for my colleagues and me in the past when setting ACLs on filers, but these issues could be solved by using the SID (objectSID).

When you create a user in AD using ADSI, a SID is implicitly assigned to the user. If you use a resource action after creation to set an ACL for the user based on his DN, you may run into problems: while the different mechanisms for setting ACLs accept a DN as an identifier, they internally have to look up the SID, as that is what is finally stored in the ACL. That lookup is subject to replication issues... The workaround for setting ACLs in resource actions is to read the SID right after provisioning. Using the read SID, setting the ACL always works.

While the whole ACL stuff has nothing to do with your problem, the error message reminds me of the times when we still had problems with replication. If the code in the gateway would not use the SID but the DN (no clue if this is even possible in ADO) to populate the terminal server attributes, I would expect the same problems we had with our ACLs to pop up with the terminal server attributes. Wild speculation... but I kind of smell a bug in the gateway code for handling terminal server attributes here.

Regards,

Patrick

Patrick.Wehingera at 2007-7-9 0:06:59
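
The ACL workaround described in the reply above (read the SID right after provisioning and set the ACL with it rather than with a name or DN), as an added PowerShell example that is not part of the thread or of Identity Manager. The function name and the server, DN and folder values are hypothetical placeholders, and it assumes you know which domain controller the account was created on.

```powershell
# Added example (not from the thread). All names and values are placeholders.
function Grant-FolderAccessBySid {
    param(
        [Parameter(Mandatory)] [string] $DomainController,  # DC the account was created on
        [Parameter(Mandatory)] [string] $UserDn,            # DN of the new user
        [Parameter(Mandatory)] [string] $FolderPath,        # folder to grant access on
        [System.Security.AccessControl.FileSystemRights] $Rights = 'Modify'
    )

    # Bind to the user on the same DC that created it, so the read does not
    # depend on replication to other domain controllers.
    $entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DomainController/$UserDn")
    $sidBytes = $entry.Properties['objectSid'].Value
    if (-not $sidBytes) {
        throw "objectSid not readable for '$UserDn' on $DomainController"
    }

    # Build the trustee from the raw SID. No name-to-SID lookup is performed
    # here, which is the lookup that fails with "No mapping between account
    # names and security IDs was done" when it reaches a DC that has not yet
    # received the new account.
    $sid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)

    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $sid,
        $Rights,
        $inherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)

    # Add the rule to the existing ACL instead of replacing the ACL.
    $acl = Get-Acl -LiteralPath $FolderPath
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $FolderPath -AclObject $acl

    return $sid.Value   # SID string, useful for the provisioning log
}

# Placeholder call:
# Grant-FolderAccessBySid -DomainController 'dc01.example.com' `
#     -UserDn 'CN=Test User,OU=Staff,DC=example,DC=com' `
#     -FolderPath '\\filer01\profiles\tuser'
```

Until the account has replicated, the ACL entry shows as a bare SID in tools that resolve names against another domain controller; the grant itself is already in effect.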
# 2
Hi,

Thanks for the reply. Can I populate these attributes using a create after action? Can you recommend any better approach to solve this issue?

Thanks again
dortmund_developera at 2007-7-9 0:06:59