… how to create custom attributes in AD and link/assign/associate them to object Classes (computers, Users, etc.)
First let me give credit to Farhan Kazi for a great article on how to do this, posted at http://fkazi.blogspot.com/2013/04/creating-custom-active-directory_27.html
A customer requested that I implement a solution to help keep their Active Directory clean of old/inactive Computer objects. While this is something I’ve done manually many times, I finally have a customer willing to automate the solution. As part of that exercise I wanted to write the “Previous OU” and some other data to the AD Computer object. I intended to use ExtensionAttribute15; however, I quickly realized that this attribute did not exist. As I discovered, ExtensionAttribute[1-15] are added to the schema by Microsoft Exchange, which was not part of this environment. So I needed a new attribute to store the data. Here is what I did.
Basic steps to create a new attribute and associate it to a Class / object
- Log on to a domain controller with administrative and Schema Admins rights
- Open a command prompt as an Administrator
- Register the Schema MMC snap-in by running regsvr32 schmMgmt.dll
- Generate the OID via PowerShell or VBScript
- Open the Active Directory Schema MMC snap-in
- Right-click the Attributes folder and select Create New…
- Create an attribute for the Previous OU
  - Description: customPreviousOU
  - Common Name: customPreviousOU
  - X.500 OID: <copy/paste from the script>.1
  - Syntax: Unicode String
  - Attribute is active: checked
- Create an attribute for the Disabled On date
  - Description: customDisabledOn
  - Common Name: customDisabledOn
  - X.500 OID: <copy/paste from the script>.2
  - Syntax: Generalized Time
  - Attribute is active: checked
- Assign the attributes to a Class (object type)
  - Open the properties of Computer in the Classes folder
  - In the Attributes tab, select Add and select the new attributes. Select OK to save and close.
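The OID generation and the snap-in steps above can also be scripted. The following is an added example (not code from the original post or from Farhan Kazi's article): it derives a base OID under Microsoft's 1.2.840.113556.1.8000.2554 customer arc from a fresh GUID, the same way Microsoft's published OID-generation script does, creates the two attributes directly in the schema partition, and adds them to the computer class. It assumes the ActiveDirectory module and that it is run as a Schema Admin on the schema master; the attribute syntax codes (Unicode String = 2.5.5.12/64, Generalized Time = 2.5.5.11/24) are the standard AD values.

```powershell
# Added example: scripted equivalent of the Schema snap-in steps (not the post's own code).
# Schema additions cannot be deleted afterwards, only made defunct, so test in a lab forest first.
Import-Module ActiveDirectory

# Base OID under Microsoft's customer arc, built from a new GUID as Microsoft's OID script does.
function New-CustomOid {
    $prefix = '1.2.840.113556.1.8000.2554'
    $g = [guid]::NewGuid().ToString('N')                # 32 hex characters, no dashes
    $parts = @(0,4),(4,4),(8,4),(12,4),(16,4),(20,6),(26,6) |
        ForEach-Object { [uint64]::Parse($g.Substring($_[0], $_[1]), 'AllowHexSpecifier') }
    return "$prefix.$($parts -join '.')"
}

$baseOid    = New-CustomOid
$schemaPath = (Get-ADRootDSE).schemaNamingContext

# Same two attributes as the snap-in steps, with the .1 and .2 suffixes on the generated OID.
$attributes = @(
    @{ Name = 'customPreviousOU'; Oid = "$baseOid.1"; Syntax = '2.5.5.12'; OM = 64 },  # Unicode String
    @{ Name = 'customDisabledOn'; Oid = "$baseOid.2"; Syntax = '2.5.5.11'; OM = 24 }   # Generalized Time
)

foreach ($a in $attributes) {
    New-ADObject -Name $a.Name -Type attributeSchema -Path $schemaPath -OtherAttributes @{
        lDAPDisplayName  = $a.Name
        adminDescription = $a.Name
        attributeID      = $a.Oid
        attributeSyntax  = $a.Syntax
        oMSyntax         = $a.OM
        isSingleValued   = $true
        searchFlags      = 1        # index the attribute so -Filter queries against it stay cheap
    }
}

# Reload the schema cache so the new attributes can be referenced right away.
$rootDse = [ADSI]'LDAP://RootDSE'
$rootDse.Put('schemaUpdateNow', 1)
$rootDse.SetInfo()

# Equivalent of Classes > Computer > Attributes > Add: append both attributes to mayContain.
$computerClass = Get-ADObject -SearchBase $schemaPath -Filter { lDAPDisplayName -eq 'computer' }
Set-ADObject -Identity $computerClass -Add @{ mayContain = @($attributes | ForEach-Object { $_.Name }) }
```

Keep the generated base OID on record, since any further attributes you add later should reuse the same prefix with the next suffix (.3, .4, and so on) rather than a freshly generated one.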
The new attribute(s) can be viewed / modified in ADSI Edit or via a script. Below are a few PowerShell commands to view and modify the custom attributes.
[cc lang='powershell']
Import-Module ActiveDirectory

# Add a value to the new attribute (canonical-name form of the old OU)
Set-ADComputer MyComputer$ -Add @{customPreviousOU="lab.local/TestLab/Workstations"}

# Overwrite the Generalized Time attribute with the current timestamp
Set-ADComputer MyComputer$ -Replace @{customDisabledOn=$(Get-Date)}

# Remove both values again
Set-ADComputer MyComputer$ -Clear customPreviousOU,customDisabledOn

# Find computers stamped with a previous OU under lab.local; custom attributes must be requested explicitly
Get-ADComputer -Filter {customPreviousOU -like "lab*"} -Properties customPreviousOU,customDisabledOn |
    Format-Table sAMAccountName, Enabled, customPreviousOU, customDisabledOn
[/cc]