Log onto Domain Controller Schema Master with an account belong to the group Schema Admin >> Run CMD >>enter command: regsvr32 schmmgmt.dll >> Run MMC >> Add Snap-in Active Directory Schema >> Drill down to Active Directory Schema – Attributes >> right-click Attributes, select Create Attribute >> click Continue at the warning >> input values for Common Name (e.g. FOB Serial), LDAP Display Name (e.g. fobSerial), Unique X500 Object ID (use script in note to generate this number, then append .2.1 to the end), Description (e.g. FOB Serial Number), Syntax: choose Case Insensitive String >> OK >> expand Classes container >> right-click person >> select Properties >> click Attributes tab >> Add >> select the newly created attribute in prior steps (i.e. fobSerial, dataCenterLockCode) >> OK >> Run: services.msc >> Restart Active Directory Domain Services (Windows 2003 require a reboot)
Note:
– Windows 2003 Servers require this fix https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc784724(v=ws.10)?redirectedfrom=MSDN).
Regedit: HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/NTDS/Parameters >> New DWORD value Schema Update Allowed = 1
– How to generate unique object ID:
– Windows 2003 Active Directory may not show the Attribute Editor tab in ADUC. The following procedure is required to enable it: ADSIEDIT >> CN=Configuration >> CN=DisplaySpecifiers >> CN=409 >> double-click CN=user-Display >> select adminPropertyPages >> click Edit >> Value to add = 11,{c7436f12-a27f-4cab-aaca-2bd27ed1b773} >> click Add >> OK >> OK >> Repeat for cn=Computer-Display with 12,{c7436f12-a27f-4cab-aaca-2bd27ed1b773} >> Repeat for cn=Default-Display with 4,{c7436f12-a27f-4cab-aaca-2bd27ed1b773} >> Repeat for cn=group-Display with 5,{c7436f12-a27f-4cab-aaca-2bd27ed1b773} >> Repeat for contact-display >> repeat for inetOrgPerson-Display >> repeat for container-Display
– Attribute editor is only shown when ADUC is in Advanced View.
– Optionally add an extra column in ADUC browser: ADSIEDIT >> CN=Configuration >> CN=DisplaySpecifiers >> CN=409 >> double-click organizationalUnit-Display >> select extraColumn >> click Edit >> Value to add = fobSerial,FOB Key Serial Number,1,150,0 >> click Add >> OK >> OK
Cool Research:
– Employee ID, Employee Number, Photo of Employee: http://www.cmezzetti.net/adext
– AD Explorer as an alternative to ADUC: https://technet.microsoft.com/en-us/sysinternals/bb963907
– Sharepoint Portal Server integration: http://jantjesworld.blogspot.com/2012/04/how-to-map-birthday-sharepoint-field-to.html
Script to update extended attributes in Active Directory:
Import-CSV <filepath> | For-EachObject { Set-ADUser $._userName -add @{“extensionAttribute1” = $._UserBirthday}
Categories:
