Saturday, April 27, 2013

Creating Custom Active Directory Attributes

This will guide on how to create custom Active Directory attributes where an existing attribute is not available. For example, creating an attribute to hold user's "Medicare Card Number".

Adding custom attributes involves modification in AD schema which requires you to be a member of Schema Administrators and Enterprise Administrators groups. By default, the administrator account is a member of the Schema Administrator group.
 
Or as an alternative to extending the schema there are existing attributes called ExtensionAttribute1 through to ExtensionAttribute15, which can be used for storing custom data without extending the schema.

You can view user object attributes through Attribute Editor tab in user properties.


Before you add attribute into schema you need to register Schema snap-in because by default Active Directory Schema its not available in management console.
  • Navigate to Start > Run >mmc
  • Open File > Add/Remove Snap-in..
 
  • You will notice there is no "Active Directory Schema"
  • To register Schema snap-in type RegSvr32 SchmMgmt.dll in Run text box and hit OK.
  • On successful SchmMgmt.dll registration Windows will show information message box.
  •  Open Schema snap-in. Start > Run > mmc.exe > File >Add/Remove Snap-in >Active Directory Schema > Add
  • Expand Active Directory Schema, right-click Attributes and click on "Create Attribute.."


  • Click on Continue, if you receive schema object creation warning message.

In order to proceed with the next step, you will need to generate an Object Identifier (OID) for the Unique X500 Object ID field.
You can generate OID either using by PowerShell or VBScript.

Generating OID using PowerShell (Microsoft Link):

Navigate to StartAll Programs > Accessories > Windows PowerShell > Windows PowerShell
Copy and Paste following statements on PowerShell window.


#---
$Prefix="1.2.840.113556.1.8000.2554"
$GUID=[System.Guid]::NewGuid().ToString()
$Parts=@()
$Parts+=[UInt64]::Parse($guid.SubString(0,4),"AllowHexSpecifier")
$Parts+=[UInt64]::Parse($guid.SubString(4,4),"AllowHexSpecifier")
$Parts+=[UInt64]::Parse($guid.SubString(9,4),"AllowHexSpecifier")
$Parts+=[UInt64]::Parse($guid.SubString(14,4),"AllowHexSpecifier")
$Parts+=[UInt64]::Parse($guid.SubString(19,4),"AllowHexSpecifier")
$Parts+=[UInt64]::Parse($guid.SubString(24,6),"AllowHexSpecifier")
$Parts+=[UInt64]::Parse($guid.SubString(30,6),"AllowHexSpecifier")
$OID=[String]::Format("{0}.{1}.{2}.{3}.{4}.{5}.{6}.{7}",$prefix,$Parts[0],$Parts[1],$Parts[2],$Parts[3],$Parts[4],$Parts[5],$Parts[6])
$oid
#---
Copy OID string (dot separated numeric string) and paste into Unique X500 Object ID field.


Generating OID using VBScript (Microsoft Link):
Open following link in Web browser and copy VB script code and paste into Notepad.

http://gallery.technet.microsoft.com/scriptcenter/56b78004-40d0-41cf-b95e-6e795b2e8a06
Save notepad file with "OIDGen.vbs" (enclosed with double quotes, otherwise it will suffix .txt after .vbs) name on C: drive

Open command prompt and run this script.  Start > Run > Cmd.exe > CScript.exe C:\OIDGen.vbs
Copy OID string (dot separated numeric string) and paste into Unique X500 Object ID field. 

  • In Create New Attribute dialog box enter Common Name (in this case Medicare Number)
  • LDAP Display Name field will automatically populate from Common Name (without space)
  • Paste OID string that we generate in previous steps into Unique X500 Object ID field.
  • Write Description in text box.
  • Choose attribute type (in this case Medicare Number is a numeric value) by selecting appropriate Syntax from drop down list. This could be of a different type and depends on the usage of each attribute)
  • Click OK

Custom attribute medicareNumber is created.

  • We will now add/associate this new attribute to the User class.  Navigate to the Classes leaf and select the User class.
  • Right-click User, click on Properties.
  • Navigate to the Attributes tab. Click on Add.
  • Locate the medicareNumber attribute and click OK, and again OK.
  • Just to confirm that the attribute has been associated with User, right-click User, properties and navigate to the Attributes tab. The medicareNumber attribute should be present in the list of Optional attributes.
This completes the creation of a custom attribute.

Open Active Directory Users and Computers snap-in and check user properties for custom attribute.


 You can set this attribute's value by clicking Edit button and entering appropriate value.


To view all users with Medicare Card number set, you can run following command line statement.
DSQuery * -Filter (medicareNumber=*) -Attr Name, medicareNumber

2 comments:

  1. Hi, this is very nice post.
    I want to edit this attribute through vbscript or powershell how can i don that? and invoke this script when you rightclick on user to edit this attribute

    ReplyDelete
  2. This is a very helpful and clear post, thanks.

    After all steps are finished, is there any way to add these fields to one of the User Properties tabs in AD, to avoid using the Attribute Editor field (just to make them easier to edit). thanks

    ReplyDelete