Add Additional Attributes to the User Objects

Posted on January 7, 2009 by Daniel Petri in Active Directory

How can I add additional attributes to the user objects in Active Directory?


Windows 2000 and Windows Server 2003 Active Directory allows you to edit the Schema and add additional attributes to it. These attributes can be easily connected to existing Object Classes such as users, groups, computers and so on.

Adding items to the Schema (also called "extending the Schema"), or even modifying existing objects, can be a tricky business and, if done without proper knowledge, can be very destructive to your existing Active Directory infrastructure. This is because the Schema is a forest-wide setting, and any additions or changes to the Schema will be immediately replicated to each and every Domain Controller in each and every domain in your AD Forest. You cannot make changes to the Schema and keep them within your domain’s boundaries. Furthermore, changing existing attributes (such as configuring an attribute to replicate itself to the Global Catalog) will cause a forest-wide replication of all the attributes and objects, even if your change was made on just one attribute. Note that this behavior was changed in Windows Server 2003, but even so, you might unintentionally cause a major network load and a lot of overhead by simply clicking one small checkbox on one small attribute.

Many articles talk about adding items and extending the Schema. In this article, however, I want to show you a simple method of adding attributes to the Schema. You can modify these examples and use them for your own purposes.

Requirements

Warning! First, let me stress the fact that the Schema is not child’s play. If you don’t know what you’re doing – stop now. Go read a good book about AD, consult a knowledgeable friend, go play with traffic. Don’t blame me if you mess up your corporate network because you’ve made careless changes to the schema. Read my lips: I will not be held responsible for any of your actions, or for any of the results that follow these actions.

Now, read ahead.

In order to extend the Schema you’ll need to be a member of the Enterprise Admins and Schema Admins groups. These groups are part of the AD Forest Root Domain, and if you’re not already a member of these groups, then it probably means that you have no business messing with the Schema in the first place.

Next, in most cases, you’d be better off doing this on the Domain Controller that holds the Schema Master FSMO role (read more about Understanding FSMO Roles in Active Directory).
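
A read-only pre-flight check for the requirements above, added here as an example (it is not code from the original article). It assumes the ActiveDirectory PowerShell module from RSAT, which postdates the Windows 2000/2003 tooling this article uses; `Get-SchemaChangeReadiness` is a hypothetical helper name.

```powershell
# Added example: read-only pre-flight check before a schema change.
# Assumes the ActiveDirectory module (RSAT) and a reachable forest.
Import-Module ActiveDirectory

function Get-SchemaChangeReadiness {
    $forest     = Get-ADForest
    $rootDomain = $forest.RootDomain   # both groups live only in the forest root domain
    $schemaNC   = (Get-ADRootDSE).schemaNamingContext

    # SIDs in the current logon token. Membership granted after logon,
    # or filtered out of a non-elevated token, will not appear here.
    $tokenSids = [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups |
        ForEach-Object { $_.Value }

    $groups = foreach ($name in 'Schema Admins', 'Enterprise Admins') {
        $group   = Get-ADGroup -Identity $name -Server $rootDomain
        $members = @(Get-ADGroupMember -Identity $group -Server $rootDomain -Recursive)
        [pscustomobject]@{
            Group          = $name
            Members        = ($members | ForEach-Object { $_.SamAccountName }) -join ', '
            InCurrentToken = $tokenSids -contains $group.SID.Value
        }
    }

    # objectVersion on the schema container identifies the base schema level
    # (13 is Windows 2000, 30 is Windows Server 2003).
    $schema = Get-ADObject -Identity $schemaNC -Properties objectVersion

    [pscustomobject]@{
        ForestRootDomain = $rootDomain
        SchemaMaster     = $forest.SchemaMaster
        # Short-name comparison: is this session on the Schema Master itself?
        OnSchemaMaster   = ($forest.SchemaMaster -split '\.')[0] -ieq $env:COMPUTERNAME
        SchemaVersion    = $schema.objectVersion
        Groups           = $groups
    }
}

$report = Get-SchemaChangeReadiness
$report | Format-List ForestRootDomain, SchemaMaster, OnSchemaMaster, SchemaVersion
$report.Groups | Format-Table -AutoSize -Wrap

# Both groups should show InCurrentToken = True for the account doing the work.
# Every other listed member deserves review: these accounts can alter the
# schema for the whole forest.
```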

Register the Active Directory Schema snap-in in order to later use it from an MMC window

  1. Open the Run command and type:

You should get a confirmation message.

  2. Next, open Run and type mmc.exe. Press Enter.

  3. In the new MMC window, click File > Add/Remove Snap-in.

  4. Click Add, then, in the Add Standalone Snap-in window, select the Active Directory Schema snap-in from the list. Next, click Add again.

  5. Click OK.

Windows 2000 only – Enable write operations to the Schema

If you’re running Windows 2000-based AD, you’ll probably need to allow the Schema to be written. To do so follow these guidelines (only required for W2K-based DC):

  1. In the MMC window from the previous procedure, under the Console Root, double-click the Active Directory Schema snap-in and let it load (you’ll know it has loaded when you see 2 nodes under the root – Classes and Attributes).

  2. Right-click Active Directory Schema (your domain controller name) and

Adding 3 new attributes to the Schema

One method of creating new attributes in the Schema is by using the Active Directory Schema snap-in from an MMC.

In order to use this snap-in you must first register it with the following command:

 

Connecting the new attributes to the User Object Class


The results

After adding the new attributes we now need to verify their existence and functionality.

What now?

After the new attributes were successfully added to the Schema and we’ve verified their functionality, we would now like to begin working with these attributes and begin populating their values.

 
