Extending the User Class in the AD Schema Extending the User Class in the AD Schema Editor's Note: Each month, this column discusses various aspects of the advanced administration of e- commerce sites. This month's column examines extending the AD schema by adding a schema attribute to the User class. I'm amazed by the lack of documentation and tools for extending Active Directory (AD). MMC cannot open the file when launching an Microsoft Management Console Snap-in. Solution in 7 steps. Don't get me wrong—AD is robust. Hundreds, maybe thousands of available attributes exist. The User class alone has more than 2. By definition, every object in AD is an instance of a particular class. Runas is a command-line tool that is. I know it is possible to do it because I worked for a place where we had one like. This is the FreeCAD manual. It includes the essential parts out of the FreeCAD documentation wiki. It is made primarily to be printed as one big document, so, if you. Sequencing the the App-V Management Console is reasonably straight-forward; however it wasn’t quite as simple as you would expect. Prerequisites. Miscellaneous Registry Fixes for Windows 10, 8, 7, Vista, XP. Ramesh – you are a legend! I’ve fixed the MSI installer issue on many xp/vista machines with. ![]() A class is a container of attributes that are available for that particular class. Each class derived from a parent class, or superclass. Each class' attributes are either inherited from their superclasses or explicitly defined. The User class represents the users in a Windows 2. Some of the attributes available to the User class are Password, Phone, Street Address, and Email Address. Password is a mandatory attribute for an instance of the User class (i. The other attributes are optional. Extending the schema lets you add optional or mandatory attributes. Extending the AD schema to include new class attributes is treacherous because the results are irreversible. After you add an attribute to AD, you can't remove it. You can mark the attribute as . However, any company using AD will certainly find the need (if it hasn't already) for an attribute in the User class that doesn't currently exist. My company develops many business- to- consumer (B2. C) software applications for clients. In many of these projects, one of the first attributes we add to AD is Gender because this attribute doesn't exist by default. Specifically, I show you how to install the Schema Console, extend the schema, and manage attributes. Installing the Active Directory Schema Console The first challenge in this process is installing the tool. The Schema Console isn't installed by default with Win. K Server—not even on the domain controller that hosts your AD. In addition, Microsoft didn't write an installation program for the tool. You must manually register the Schema Console, which is a COM object that is hosted as a Microsoft Management Console (MMC) snap- in. You can find the Schema Console in the \winnt\system. To register the tool, choose Start, Run. ![]() Type regsvr. 32 C: \winnt\system. C is where you installed Win. K), and click OK. When you've successfully registered the tool, perform these steps: Choose Start, Run; type mmc /a, then click OK. Save your snap- in in that location, and it will appear under Start, Programs, Administrative Tools. Extending the Schema If you want to extend the schema, you first need to enable that option on your computer. ![]() Open the Schema Console. Right- click Active Directory Schema in the AD Schema Console's console tree, then select Operations Master. The Change Schema Master dialog box, which Figure 1 shows, appears. Select the The Schema may be modified on this Domain Controller check box to enable schema modifications. ![]() The schema master domain controller controls all updates and modifications to AD schema. After you enable schema modifications, you can add attributes. For example, suppose you want to add a Gender attribute. In the AD Schema Console, right- click the Attributes folder, then select Create Attribute. A warning about the implications of your actions, which Figure 2 shows, immediately appears. Click Continue to access the Create New Attribute dialog box, which Figure 3 shows. In the Common Name and LDAP Display Name text boxes, enter Gender. You now need to populate the Unique X5. Object ID text box. Object IDs (OIDs) are unique identifiers for AD objects. You need a valid OID to add an attribute. The Microsoft Windows 2. Resource Kit includes a command- line OID- generator program, oidgen. OIDs. The utility uses a base OID from the Microsoft branch of the International Organization for Standardization (ISO) OID tree and a globally unique ID (GUID) generated each time the program runs to generate the OIDs. Figure 4 shows a command prompt with the OID- generator program. Oidgen. exe produces two root OIDs—an Attribute Base OID and a Class Base OID. Run oidgen. exe once for your organization, then manage the OID space beneath these two roots by incrementing the number for each attribute you add to the AD schema. You must group all the OIDs for your organization under common roots. AD maintains an internal table of OIDs. To optimize performance, OIDs are maintained in a separated state as a prefix and a suffix. The prefix is the entire OID minus the rightmost (low- order) value. AD stores the prefixes in a table so that it can reference them by an index value. AD then uses the remaining (low- order) part of the OID and the index value for its prefix to identify the classes and attributes. Grouping all your OIDs under common roots keeps the prefix table small. Excessive growth in the prefix table can degrade the performance of the Win. K server hosting AD. When you've populated the Unique X5. Object ID text box with a valid OID, you can give the Gender attribute a minimum length of four characters (Male) and a maximum length of six characters (Female). Click OK to add the attribute. The new attribute appears in the AD Schema's Attributes folder, as Figure 5 shows. When you view the new attribute in the AD Schema Console, you'll notice that the Description field is empty. To fill in this field, right- click the Gender attribute to access the Gender Properties dialog box that Figure 6 shows. In this dialog box, you can fill in the Description field and other properties. For example, you can replicate the new attribute to the GC. Click OK to return to the AD Schema Console. From the Schema Console, click the Class folder. Scroll down to the User class, right- click it, and select Properties. On the user Properties dialog box, click the Attributes tab, which Figure 7 shows. Click Add, then choose the Gender attribute. Click OK twice, and you've successfully added the Gender attribute to the User class. Managing Attributes in AD Wouldn't you like to use Active Directory Users and Computers to assign a value (Male or Female) to the users in your AD? Well, by default, you can't. You can use the Users and Computers tool to modify a hundred or so User attributes, but they're hard- coded in this MMC application, which means that the software developer fixed the fields in the code itself. To help you, Microsoft provided an open extension API to the tool. The API is C++ only and not for the faint of heart, but a software developer could make the Gender attribute available for editing in the Users and Computers tool. I've found that custom- written Web- based tools are much more powerful than the MMC tools that Win. K includes. A simple bit of Microsoft Active Directory Service Interfaces (ADSI) code, which Listing 1 shows, in an Active Server Pages (ASP) page can test the new Gender attribute. You'll have to change the container object (str. Object) to a valid user in your AD, but the code will run unchanged after that. I use the IADs interface to set and retrieve attributes from AD. The Put method persists a change to the cache, and the Setinfo method flushes the cache by writing the change to AD. I can then retrieve the value from AD with the Get method. Next Month Extending AD has serious implications, which is why the Win. K online documentation has an abundance of documentation about the careful planning, implications, and considerations necessary before modifying the AD schema. Little documentation exists about how to extend AD. Perhaps this lack of documentation is meant to keep people from casually modifying the AD schema. However, if you're cautious and follow the procedures I just showed you, you can successfully add attributes to the AD schema. Next month, I'll introduce you to an exciting technology—Windows Management Instrumentation (WMI). In addition to explaining all the great features of WMI, I'll show you how to execute processes and applications on remote machines.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. Archives
November 2017
Categories |