Skip to main content

Extending the User Class in the AD Schema

 Extending the User Class in the AD Schema

Editor's Note: Each month, this column discusses various aspects of the advanced administration of e-commerce sites. This month's column examines extending the AD schema by adding a schema attribute to the User class.
I'm amazed by the lack of documentation and tools for extending Active Directory (AD). Don't get me wrong—AD is robust. Hundreds, maybe thousands of available attributes exist. The User class alone has more than 200 attributes.
By definition, every object in AD is an instance of a particular class. A class is a container of attributes that are available for that particular class. Each class derived from a parent class, or superclass. Each class' attributes are either inherited from their superclasses or explicitly defined.
The User class represents the users in a Windows 2000 domain. Some of the attributes available to the User class are Password, Phone, Street Address, and Email Address. Password is a mandatory attribute for an instance of the User class (i.e., a new user). The other attributes are optional. Extending the schema lets you add optional or mandatory attributes.
Extending the AD schema to include new class attributes is treacherous because the results are irreversible. After you add an attribute to AD, you can't remove it. You can mark the attribute as "unusable," but the schema is replicated to the Global Catalog (GC) even if you mark it as obsolete. However, any company using AD will certainly find the need (if it hasn't already) for an attribute in the User class that doesn't currently exist. My company develops many business-to-consumer (B2C) software applications for clients. In many of these projects, one of the first attributes we add to AD is Gender because this attribute doesn't exist by default. (B2C sites profile their users by gender because it significantly helps in target advertising.) This month, I show you how to use the Active Directory Schema Console to extend AD. Specifically, I show you how to install the Schema Console, extend the schema, and manage attributes.
Installing the Active Directory Schema Console
The first challenge in this process is installing the tool. The Schema Console isn't installed by default with Win2K Server—not even on the domain controller that hosts your AD. In addition, Microsoft didn't write an installation program for the tool. You must manually register the Schema Console, which is a COM object that is hosted as a Microsoft Management Console (MMC) snap-in. You can find the Schema Console in the \winnt\system32 folder.
To register the tool, choose Start, Run. Type regsvr32 C:\winnt\system32\schmmgmt.dll (assuming C is where you installed Win2K), and click OK. When you've successfully registered the tool, perform these steps:

  1. Choose Start, Run; type mmc /a, then click OK.
  2. On the Console menu, click Add/
    Remove Snap-in, then click Add.
  3. Under Snap-in, double-click Active Directory Schema, then click Close.
  4. Click OK.
  5. On the Console menu, click Save to save the console.

By default, you save the console to the Administrative Tools folder. Save your snap-in in that location, and it will appear under Start, Programs, Administrative Tools.
Extending the Schema
If you want to extend the schema, you first need to enable that option on your computer. Open the Schema Console. Right-click Active Directory Schema in the AD Schema Console's console tree, then select Operations Master. The Change Schema Master dialog box, which Figure 1 shows, appears. Select the The Schema may be modified on this Domain Controller check box to enable schema modifications. The schema master domain controller controls all updates and modifications to AD schema.
After you enable schema modifications, you can add attributes. For example, suppose you want to add a Gender attribute. In the AD Schema Console, right-click the Attributes folder, then select Create Attribute. A warning about the implications of your actions, which Figure 2 shows, immediately appears. Click Continue to access the Create New Attribute dialog box, which Figure 3 shows. In the Common Name and LDAP Display Name text boxes, enter Gender. You now need to populate the Unique X500 Object ID text box. Object IDs (OIDs) are unique identifiers for AD objects.
You need a valid OID to add an attribute. The Microsoft Windows 2000 Resource Kit includes a command-line OID-generator program, oidgen.exe, that generates valid OIDs. The utility uses a base OID from the Microsoft branch of the International Organization for Standardization (ISO) OID tree and a globally unique ID (GUID) generated each time the program runs to generate the OIDs. Figure 4 shows a command prompt with the OID-generator program.
Oidgen.exe produces two root OIDs—an Attribute Base OID and a Class Base OID. Run oidgen.exe once for your organization, then manage the OID space beneath these two roots by incrementing the number for each attribute you add to the AD schema.
You must group all the OIDs for your organization under common roots. AD maintains an internal table of OIDs. To optimize performance, OIDs are maintained in a separated state as a prefix and a suffix. The prefix is the entire OID minus the rightmost (low-order) value. AD stores the prefixes in a table so that it can reference them by an index value. AD then uses the remaining (low-order) part of the OID and the index value for its prefix to identify the classes and attributes. Grouping all your OIDs under common roots keeps the prefix table small. Excessive growth in the prefix table can degrade the performance of the Win2K server hosting AD.
When you've populated the Unique X500 Object ID text box with a valid OID, you can give the Gender attribute a minimum length of four characters (Male) and a maximum length of six characters (Female). Click OK to add the attribute. The new attribute appears in the AD Schema's Attributes folder, as Figure 5 shows.
When you view the new attribute in the AD Schema Console, you'll notice that the Description field is empty. To fill in this field, right-click the Gender attribute to access the Gender Properties dialog box that Figure 6 shows. In this dialog box, you can fill in the Description field and other properties. For example, you can replicate the new attribute to the GC. Click OK to return to the AD Schema Console.
From the Schema Console, click the Class folder. Scroll down to the User class, right-click it, and select Properties. On the user Properties dialog box, click the Attributes tab, which Figure 7 shows. Click Add, then choose the Gender attribute. Click OK twice, and you've successfully added the Gender attribute to the User class.
Managing Attributes in AD
Wouldn't you like to use Active Directory Users and Computers to assign a value (Male or Female) to the users in your AD? Well, by default, you can't. You can use the Users and Computers tool to modify a hundred or so User attributes, but they're hard-coded in this MMC application, which means that the software developer fixed the fields in the code itself. To help you, Microsoft provided an open extension API to the tool. The API is C++ only and not for the faint of heart, but a software developer could make the Gender attribute available for editing in the Users and Computers tool. I've found that custom-written Web-based tools are much more powerful than the MMC tools that Win2K includes.
A simple bit of Microsoft Active Directory Service Interfaces (ADSI) code, which Listing 1 shows, in an Active Server Pages (ASP) page can test the new Gender attribute. You'll have to change the container object (strObject) to a valid user in your AD, but the code will run unchanged after that. I use the IADs interface to set and retrieve attributes from AD. The Put method persists a change to the cache, and the Setinfo method flushes the cache by writing the change to AD. I can then retrieve the value from AD with the Get method.
Next Month
Extending AD has serious implications, which is why the Win2K online documentation has an abundance of documentation about the careful planning, implications, and considerations necessary before modifying the AD schema. Little documentation exists about how to extend AD. Perhaps this lack of documentation is meant to keep people from casually modifying the AD schema. However, if you're cautious and follow the procedures I just showed you, you can successfully add attributes to the AD schema.
Next month, I'll introduce you to an exciting technology—Windows Management Instrumentation (WMI). In addition to explaining all the great features of WMI, I'll show you how to execute processes and applications on remote machines.


source: here

Comments

Post a Comment

Popular posts from this blog

Integration with vCloud Director failing after NSXT upgrade to 4.1.2.0 certificate expired

  Issue Clarification: after upgrade from 3.1.3 to 4.1.2.0 observed certificate to be expired related to various internal services.   Issue Verification: after Upgrade from 3.1.3 to 4.1.2.0 observed certificate to be expired related to various internal services.   Root Cause Identification: >>we confirmed the issue to be related to the below KB NSX alarms indicating certificates have expired or are expiring (94898)   Root Cause Justification:   There are two main factors that can contribute to this behaviour: NSX Managers have many certificates for internal services. In version NSX 3.2.1, Cluster Boot Manager (CBM) service certificates were incorrectly given a validity period of 825 days instead of 100 years. This was corrected to 100 years in NSX 3.2.3. However any environment originally installed on NSX 3.2.1 will have the internal CBM Corfu certs expire after 825 regardless of upgrade to the fixed version or not. On NSX-T 3.2.x interna...
Post a Comment
Read more

Calculate how much data can be transferred in 24 hours based on link speed in data center

  In case you are planning for migration via DIA or IPVPN link and as example you have 200Mb stable speed so you could calculate using the below formula. (( 200Mb /8)x60x60x24) /1024/1024 = 2TB /per day In case you have different speed you could replace the 200Mb by any rate to calculate as example below. (( 5 00Mb /8)x60x60x24) /1024/1024 =  5.15TB  /per day So approximate each 100Mb would allow around 1TB per day.
Post a Comment
Read more

Device expanded/shrank messages are reported in the VMkernel log for VMFS-5

    Symptoms A VMFS-5 datastore is no longer visible in vSphere 5 datastores view. A VMFS-5 datastore is no longer mounted in the vSphere 5 datastores view. In the  /var/log/vmkernel.log  file, you see an entry similar to: .. cpu1:44722)WARNING: LVM: 2884: [naa.6006048c7bc7febbf4db26ae0c3263cb:1] Device shrank (actual size 18424453 blocks, stored size 18424507 blocks) A VMFS-5 datastore is mounted in the vSphere 5 datastores view, but in the  /var/log/vmkernel.log  file you see an entry similar to: .. cpu0:44828)LVM: 2891: [naa.6006048c7bc7febbf4db26ae0c3263cb:1] Device expanded (actual size 18424506 blocks, stored size 18422953 blocks)   Purpose This article provides steps to correct the VMFS-5 partition table entry using  partedUtil . For more information see  Using the partedUtil command line utility on ESX and ESXi (1036609) .   Cause The device size discrepancy is caused by an incorrect ending sector for the VMFS-5 partition on the ...
Post a Comment
Read more