Creating Custom Active Directory Attributes


… how to create custom attributes in AD and link/assign/associate them to object Classes (computers, Users, etc.)

First let me give credit to Farhan Kazi for a great article on how to do this, in a post at http://fkazi.blogspot.com/2013/04/creating-custom-active-directory_27.html

A customer requested that I implement a solution to help keep their Active Directory clean of old/inactive Computer objects.  While this is something I’ve done manually many times, I finally have a customer willing to automate the solution.  As part of that exercise I wanted to write the “Previous OU” and some other data to the AD Computer object.  I intended to use ExtensionAttribute15; however, I quickly realized that this attribute did not exist.  As I discovered, ExtensionAttribute[1-15] are created by Microsoft Exchange which was not part of this environment.  So, I needed a new field to store the data.  Here is what I did.

Basic steps to create a new attribute and associate it to a Class / object

  • Log on to a domain controller with administrative rights as a member of Schema Admins
  • Open a command prompt as an Administrator
  • Register the Schema MMC snap-in by running regsvr32 schmMgmt.dll
  • Generate the OID via PowerShell or VBScript
  • Open the Active Directory Schema MMC snap-in
  • Right-click on the Attributes folder, and select Create New…
  • Create an attribute for the Previous OU
    • Description: customPreviousOU
    • Common Name: customPreviousOU
    • X.500 OID: <copy/paste from the script>.1
    • Syntax: Unicode String
    • Attribute is active: checked
  • Create an attribute for the Disabled On date
    • Description: customDisabledOn
    • Common Name: customDisabledOn
    • X.500 OID: <copy/paste from the script>.2
    • Syntax: Generalized Time
    • Attribute is active: checked
  • Assign the attributes to a Class (object type)
    • Open the properties of Computer in the Classes folder
    • In the Attributes tab select Add and select the new attributes.  Select OK to save and close.
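The same steps done entirely from PowerShell, as an added example that is not part of the original post: the OID generation follows Microsoft's published method (their enterprise prefix plus the numeric parts of a fresh GUID), the attributeSyntax/oMSyntax pairs are the documented values for Unicode String (2.5.5.12 / 64) and Generalized Time (2.5.5.11 / 24), and the function and variable names are mine. It assumes the ActiveDirectory module and that the account running it is a member of Schema Admins.

```powershell
Import-Module ActiveDirectory

# Generate a base OID the way Microsoft's published script does: their
# enterprise prefix 1.2.840.113556.1.8000.2554 followed by the seven
# numeric parts of a new GUID. Append .1, .2, ... for each attribute.
function New-SchemaOid {
    $prefix = '1.2.840.113556.1.8000.2554'
    $hex    = [guid]::NewGuid().ToString('N')          # 32 hex digits, no dashes
    $parts  = foreach ($slice in @(0,4),@(4,4),@(8,4),@(12,4),@(16,4),@(20,6),@(26,6)) {
        [uint64]::Parse($hex.Substring($slice[0], $slice[1]), 'AllowHexSpecifier')
    }
    "$prefix.$($parts -join '.')"
}

$schemaDC   = (Get-ADForest).SchemaMaster               # schema writes only succeed on the schema master
$schemaPath = (Get-ADRootDSE -Server $schemaDC).schemaNamingContext
$baseOid    = New-SchemaOid

$newAttributes = @(
    @{ Name = 'customPreviousOU'; Oid = "$baseOid.1"; AttributeSyntax = '2.5.5.12'; OmSyntax = 64 }   # Unicode String
    @{ Name = 'customDisabledOn'; Oid = "$baseOid.2"; AttributeSyntax = '2.5.5.11'; OmSyntax = 24 }   # Generalized Time
)

foreach ($attr in $newAttributes) {
    # Idempotent: an lDAPDisplayName must be unique, so skip anything already defined
    if (Get-ADObject -Server $schemaDC -SearchBase $schemaPath -LDAPFilter "(lDAPDisplayName=$($attr.Name))") {
        Write-Warning "$($attr.Name) already exists in the schema; skipping"
        continue
    }
    New-ADObject -Server $schemaDC -Path $schemaPath -Type attributeSchema -Name $attr.Name -OtherAttributes @{
        lDAPDisplayName  = $attr.Name
        adminDescription = $attr.Name
        attributeID      = $attr.Oid
        attributeSyntax  = $attr.AttributeSyntax
        oMSyntax         = $attr.OmSyntax
        isSingleValued   = $true
        searchFlags      = 1          # index it so -Filter queries on the attribute are not full scans
    }
}

# Make the schema master reload its schema cache now, so the new attributes
# resolve immediately instead of after the periodic refresh.
$dse = [ADSI]"LDAP://$schemaDC/RootDSE"
$dse.Put('schemaUpdateNow', 1)
$dse.SetInfo()

# Link both attributes to the Computer class as optional (mayContain) attributes;
# this is what the Attributes tab of the Schema snap-in does.
Set-ADObject -Server $schemaDC -Identity "CN=Computer,$schemaPath" -Add @{ mayContain = [string[]]$newAttributes.Name }
```

Schema additions are permanent: an attribute can later be made defunct but never deleted, and the change replicates forest-wide, so run this in a lab forest first and keep the generated base OID with your documentation so later attributes can be numbered under the same prefix.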

The new attribute(s) can be viewed / modified in ADSI Edit or via a script.  Below are a few PowerShell commands to view and modify the custom attributes.

[cc lang='powershell']
Import-Module ActiveDirectory
# Record the previous OU (the attribute is single-valued, so -Add only works while it is empty)
Set-ADComputer MyComputer$ -Add @{customPreviousOU="lab.local/TestLab/Workstations"}
# Stamp the disable date; the module converts the DateTime to Generalized Time
Set-ADComputer MyComputer$ -Replace @{customDisabledOn=$(Get-Date)}
# Clear both custom attributes
Set-ADComputer MyComputer$ -Clear customPreviousOU,customDisabledOn
# Query on the custom attribute; request only the properties you need rather than *
Get-ADComputer -Filter {customPreviousOU -like "lab*"} -Properties customPreviousOU,customDisabledOn | Format-Table sAMAccountName,Enabled,customPreviousOU,customDisabledOn
[/cc]
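The cleanup workflow the attributes were created for, put together as an added example (not the customer's script or code from the original post): find computers that have not authenticated within a threshold, record their OU in customPreviousOU, stamp customDisabledOn, disable them and move them to a quarantine OU, with a restore path that uses the stored OU and a report of quarantined objects old enough to delete. The quarantine OU DN, the day thresholds and the function names are assumptions; the attribute names are the ones defined above.

```powershell
Import-Module ActiveDirectory

# Disable, stamp and quarantine computers inactive for $InactiveDays.
# Supports -WhatIf / -Confirm through SupportsShouldProcess.
function Invoke-StaleComputerCleanup {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [int]    $InactiveDays = 90,
        [string] $QuarantineOU = 'OU=Disabled Computers,DC=lab,DC=local',   # assumed OU
        [string] $Server       = (Get-ADDomainController -Discover -Writable).HostName   # pin one DC for consistent reads/writes
    )
    # Generalized Time literal exactly as AD stores it, so the value is unambiguous (UTC)
    $stamp = (Get-Date).ToUniversalTime().ToString('yyyyMMddHHmmss.0Z')

    $stale = Search-ADAccount -Server $Server -AccountInactive -ComputersOnly -TimeSpan ([TimeSpan]::FromDays($InactiveDays)) |
             Where-Object { $_.Enabled -and ($_.DistinguishedName -notlike "*,$QuarantineOU") }

    foreach ($c in $stale) {
        # Parent OU = DN minus the leading RDN; escaped commas inside the CN are skipped over
        $previousOU = $c.DistinguishedName -replace '^CN=(?:\\.|[^,])+,', ''
        if ($PSCmdlet.ShouldProcess($c.Name, "disable, stamp and move to $QuarantineOU")) {
            # ObjectGUID survives the move, unlike the DN
            Set-ADComputer    -Server $Server -Identity $c.ObjectGUID -Replace @{ customPreviousOU = $previousOU; customDisabledOn = $stamp }
            Disable-ADAccount -Server $Server -Identity $c.ObjectGUID
            Move-ADObject     -Server $Server -Identity $c.ObjectGUID -TargetPath $QuarantineOU
            [pscustomobject]@{ Name = $c.Name; PreviousOU = $previousOU; DisabledOn = $stamp }
        }
    }
}

# Put a quarantined computer back where it came from, using the stored OU.
function Restore-QuarantinedComputer {
    param(
        [Parameter(Mandatory)][string] $Name,
        [string] $Server = (Get-ADDomainController -Discover -Writable).HostName
    )
    $c = Get-ADComputer -Server $Server -Identity $Name -Properties customPreviousOU, customDisabledOn
    if (-not $c.customPreviousOU) { throw "$Name has no customPreviousOU recorded; restore it by hand" }
    Move-ADObject    -Server $Server -Identity $c.ObjectGUID -TargetPath $c.customPreviousOU
    Enable-ADAccount -Server $Server -Identity $c.ObjectGUID
    Set-ADComputer   -Server $Server -Identity $c.ObjectGUID -Clear customPreviousOU, customDisabledOn
}

# Quarantined computers whose stamp is older than $RetentionDays; review before deleting.
function Get-DeletionCandidate {
    param(
        [int]    $RetentionDays = 60,
        [string] $Server        = (Get-ADDomainController -Discover -Writable).HostName
    )
    $cutoff = (Get-Date).AddDays(-$RetentionDays).ToUniversalTime().ToString('yyyyMMddHHmmss.0Z')
    # Generalized Time supports ordering matches, so <= works directly in the LDAP filter
    Get-ADComputer -Server $Server -LDAPFilter "(customDisabledOn<=$cutoff)" -Properties customPreviousOU, customDisabledOn |
        Select-Object Name, Enabled, customPreviousOU, customDisabledOn
}

# Dry run first, then the real thing:
Invoke-StaleComputerCleanup -InactiveDays 90 -WhatIf
# Invoke-StaleComputerCleanup -InactiveDays 90 | Export-Csv .\quarantined.csv -NoTypeInformation
```

Because the script stamps customDisabledOn in UTC and pins a single domain controller, the report and the restore read back exactly what was written; the indexed custom attribute keeps the deletion query from scanning every computer object.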

[Figure: Create a custom Active Directory attribute]

[Figure: Create a custom Active Directory attribute]

[Figure: Assigning an attribute to a Class/Object type]

[Figure: View/Edit a custom attribute in ADSI]

June 10, 2014
