Modifying AD Schema





If for example you're asked to add a new attribute to the user class in your Domain, you can do this by modifying your AD Schema. Modifying AD schema is not always about adding new attributes, you can also add new class or modify existing ones and also activate or deactivate class and attributes. Before you make a modification to the AD Schema, you have to make sure that you're have the permission to do so. To check this, your account must be a member of the Schema Admin group.


Microsoft has provides you a tool to make AD Schema modification. You can access this tool from the MMC.


First, type the MMC on the Run command. This will bring you up the MMC window,




go to File > Add/Remove Snap-in. Click the Add button. Choose the Active Directory Schema from the list and click Add (If you don't see the Active Directory Schema in the list, you have to regist it first by typing the 'regsvr32 schmmgmt.dll' at the Run command or at the command prompt).



Click close and the Active Directory Schema utility will be added to the MMC. There's only one domain controller on which AD schema changes can be made, this domain controller is called the schema master. To be able to make changes to the AD schema, this tool must point to schema master. Right click on the Active Directory Schema entry in the MMC and choose Change Domain Controller.



In this tool, you can create/modify, activate/deactivate classes or attributes. Let's say that you want to add another attribute to the user class. First, right click on the Attributes and choose Create Attribute, a dialog box will appear warning you that creating an attribute is a nonreversible action. Next, you will see the create new attribute dialog.



Common Name This field becomes the Common Name attribute of the attribute.

LDAP Display Name This is the string that the LDAP utility will display to users when they access the directory.

Unique X.500 Object ID This is the OID you received from the ISO.

Description This optional field provides a short description of the attribute.


Snytax is the data type of the attribute will hold, such as string, SID, OID, etc...

Maximum specify the maximum value for the attribute

Minimum specify the minimum value for the attribute


Now, if you ever have to create a new class or attribute, you will need a unique Object Identifier (OID). There are a couple ways to get this OID, you can apply to ANSI which will take time and money (you will have the right to use any OID that starts with your OID) or you can use the script available here (copy the script and paste it into a file with an extension of .vbs or just simply named it oidgen.vbs, then just execute the file to obtain your OID). After filling all of the needed fields, click OK.


Now, to add the newly created attribute to the user class, go to the click the Classes and search for the user class, right click on it and choose Properties. Go to the Attributes tab and click Add.



Choose the attribute that you've created and click OK. Then you can verify that the attribute is listed in the optional attribute list box.


The next thing is to give values to your new attribute. There are some ways to do this, but one of the way is buy using ldp.exe. It is a tool that is included when you install Windows Server 2003 Support Tools. With this tool you can search, modify, add, delete against LDAP server such as Microsoft AD. Just type ldp on the Run command. Click on the Connection then Connect.



Type in the server location, this could be a dns name or ip address. Then just press OK. Next, we have to bind, click Connection then Bind.



Type in your username and password which has the permission to modify user's attribute, then press OK. Then click Browse then Modify.




  • In the DN textbox, type the DN for the user which you want to modify his/her attribute. For example, the DN for the administrator account would be something like this CN=administrator,CN=users,DC=srv1,DC=domain,DC=com.

  • In the attribute textbox, type in the name of the attribute that you want to modify. For example, if you want to modify the givenName of a user, type in givenName.

  • Type in the new value for the attribute that you want to change in the Values textbox.

  • Press enter, you can add another new attribute and value again if you want to modify more than one attribute.

  • If you're done then click Run.


To verify the attribute modification use the search operation agains AD, press Ctrl+S or click Browse then Search in LDP.


0 comments:

top