AD web service computer searches return intel Vpro IME objects

Sep 3, 2012 at 11:59 PM

Hi,

I am using the MDT web services extensively in four forests with around 30,000 computers. We use Intel Vpro here, which creates a user-like AD object with the same name as a given computer. Not sure if you have seen it, as VPro isn't that common.

The computer search functions in the AD web services are returning V-pro objects in some cases. Can these be filtered out in the LDAP queries used for the computer web services?

Notes on the VPro object below.

http://www.symantec.com/connect/articles/part-4-configuring-ad-integration-and-kerberos-authentication-intel-vpro-technology

From the article, the objects differ from regular computer objects in following way:

At first glance, the two computer objects may appear to be exactly the same. Upon closer inspection a few key elements are different, as noted in the following list:

  • sAMAccountName differs with "$iME" after the hostname (i.e. e6400$iME), thus referring to a service on the remote system.
  • primaryGroupID differs between 515 and 513 (Domain Computer and Domain User groups)
  • servicePrincipalName differs with the iME object specifying the Intel AMT network ports, and referring to an HTTP address instead of a HOST address (i.e. HTTP/e6400.vprodemo.com:16992).
  • userPrincipalName does not exist in the first example, yet does in the second. This is another indication that the second computer object is a user, or rather a service, to which authentication can occur.
  • Operating system details exist only in the first computer object, and not the second. Yet another indication that the first object refers to the operating system, while the second object refers to a service outside of the operating system.
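As an added illustration (not code from the original post or from the MDT web services), the differences listed above can be turned into a check that tells the two objects apart, plus an LDAP filter that keeps only the real computer object. The sample entries are constructed from the article's example; the `objectCategory=computer` / `cn=` shape of the search filter is an assumption about how the computer lookup is built.

```python
# Added example: classify AD entries as real computer objects or Intel vPro/AMT
# "$iME" objects using the attribute differences quoted from the Symantec article,
# and build an LDAP filter that excludes the iME twin from a computer search.
# The sample entries below are constructed, not captured from a real directory.

IME_SUFFIX = "$iME"          # sAMAccountName suffix of the AMT service object
DOMAIN_COMPUTERS_RID = 515   # primaryGroupID of a real computer object
DOMAIN_USERS_RID = 513       # primaryGroupID the iME object carries

SAMPLE_ENTRIES = [  # constructed sample data
    {"cn": "e6400", "sAMAccountName": "e6400$", "primaryGroupID": 515,
     "servicePrincipalName": ["HOST/e6400.vprodemo.com", "HOST/e6400"],
     "operatingSystem": "Windows (constructed value)"},
    {"cn": "e6400", "sAMAccountName": "e6400$iME", "primaryGroupID": 513,
     "servicePrincipalName": ["HTTP/e6400.vprodemo.com:16992",
                              "HTTP/e6400.vprodemo.com:16993"],
     "userPrincipalName": "e6400$iME@vprodemo.com"},
]

def ime_indicators(entry):
    """Return the article's indicators that mark `entry` as an iME object."""
    hits = []
    if entry.get("sAMAccountName", "").lower().endswith(IME_SUFFIX.lower()):
        hits.append("sAMAccountName")
    if entry.get("primaryGroupID") == DOMAIN_USERS_RID:
        hits.append("primaryGroupID")
    if any(s.upper().startswith("HTTP/") for s in entry.get("servicePrincipalName", [])):
        hits.append("servicePrincipalName")
    if entry.get("userPrincipalName"):
        hits.append("userPrincipalName")
    if not entry.get("operatingSystem"):
        hits.append("operatingSystem")
    return hits

def is_ime_object(entry):
    # The "$iME" suffix is decisive on its own; the other indicators corroborate.
    return "sAMAccountName" in ime_indicators(entry)

def real_computers(entries):
    """Client-side fallback: drop iME objects from an already-returned result set."""
    return [e for e in entries if not is_ime_object(e)]

def ldap_escape(value):
    """RFC 4515 escaping so a caller-supplied name cannot alter the filter."""
    for ch, rep in (("\\", r"\5c"), ("*", r"\2a"), ("(", r"\28"), (")", r"\29"), ("\x00", r"\00")):
        value = value.replace(ch, rep)
    return value

def build_computer_filter(hostname):
    """Server-side filter: same cn as the iME twin, but only the real computer object."""
    return ("(&(objectCategory=computer)"
            f"(cn={ldap_escape(hostname)})"
            f"(!(sAMAccountName=*{IME_SUFFIX}))"
            f"(primaryGroupID={DOMAIN_COMPUTERS_RID}))")
```

Either the `!(sAMAccountName=*$iME)` clause or the `primaryGroupID=515` clause alone excludes the AMT object; both are included so the filter still works if one attribute is ever populated differently.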