Windows IT Pro is the leading independent community for IT professionals deploying Microsoft Windows server and client applications and technologies.
  
  
  Advanced Search 


September 2000

Extending the User Class in the AD Schema

From the September 2000 Edition
of Windows Web Solutions
Tim Huckaby
Feature
InstantDoc #9738
Windows Web Solutions
Email this Article
Printer Friendly
Reader Comments
Digg This
Del.icio.us
RSS
Subscribe to Windows Web Solutions | See More Active Directory (AD) Articles Here | Reprints | Or get the Monthly Online Pass—only $5.95 a month!

Download the Code Here

Extending the User Class in the AD Schema

Editor's Note: Each month, this column discusses various aspects of the advanced administration of e-commerce sites. This month's column examines extending the AD schema by adding a schema attribute to the User class.

I'm amazed by the lack of documentation and tools for extending Active Directory (AD). Don't get me wrong—AD is robust. Hundreds, maybe thousands of available attributes exist. The User class alone has more than 200 attributes.

By definition, every object in AD is an instance of a particular class. A class is a container of attributes that are available for that particular class. Each class derived from a parent class, or superclass. Each class' attributes are either inherited from their superclasses or explicitly defined.

The User class represents the users in a Windows 2000 domain. Some of the attributes available to the User class are Password, Phone, Street Address, and Email Address. Password is a mandatory attribute for an instance of the User class (i.e., a new user). The other attributes are optional. Extending the schema lets you add optional or mandatory attributes.

Extending the AD schema to include new class attributes is treacherous because the results are irreversible. After you add an attribute to AD, you can't remove it. You can mark the attribute as "unusable," but the schema is replicated to the Global Catalog (GC) even if you mark it as obsolete. However, any company using AD will certainly find the need (if it hasn't already) for an attribute in the User class that doesn't currently exist. My company develops many business-to-consumer (B2C) software applications for clients. In many of these projects, one of the first attributes we add to AD is Gender because this attribute doesn't exist by default. (B2C sites profile their users by gender because it significantly helps in target advertising.) This month, I show you how to use the Active Directory Schema Console to extend AD. Specifically, I show you how to install the Schema Console, extend the schema, and manage attributes.

Installing the Active Directory Schema Console
The first challenge in this process is installing the tool. The Schema Console isn't installed by default with Win2K Server—not even on the domain controller that hosts your AD. In addition, Microsoft didn't write an installation program for the tool. You must manually register the Schema Console, which is a COM object that is hosted as a Microsoft Management Console (MMC) snap-in. You can find the Schema Console in the \winnt\system32 folder.

To register the tool, choose Start, Run. Type regsvr32 C:\winnt\system32\schmmgmt.dll (assuming C is where you installed Win2K), and click OK. When you've successfully registered the tool, perform these steps:

  1. Choose Start, Run; type mmc /a, then click OK.
  2. On the Console menu, click Add/
    Remove Snap-in, then click Add.
  3. Under Snap-in, double-click Active Directory Schema, then click Close.
  4. Click OK.
  5. On the Console menu, click Save to save the console.

By default, you save the console to the Administrative Tools folder. Save your snap-in in that location, and it will appear under Start, Programs, Administrative Tools.

Extending the Schema
If you want to extend the schema, you first need to enable that option on your computer. Open the Schema Console. Right-click Active Directory Schema in the AD Schema Console's console tree, then select Operations Master. The Change Schema Master dialog box, which Figure 1 shows, appears. Select the The Schema may be modified on this Domain Controller check box to enable schema modifications. The schema master domain controller controls all updates and modifications to AD schema.

After you enable schema modifications, you can add attributes. For example, suppose you want to add a Gender attribute. In the AD Schema Console, right-click the Attributes folder, then select Create Attribute. A warning about the implications of your actions, which Figure 2 shows, immediately appears. Click Continue to access the Create New Attribute dialog box, which Figure 3 shows. In the Common Name and LDAP Display Name text boxes, enter Gender. You now need to populate the Unique X500 Object ID text box. Object IDs (OIDs) are unique identifiers for AD objects.

You need a valid OID to add an attribute. The Microsoft Windows 2000 Resource Kit includes a command-line OID-generator program, oidgen.exe, that generates valid OIDs. The utility uses a base OID from the Microsoft branch of the International Organization for Standardization (ISO) OID tree and a globally unique ID (GUID) generated each time the program runs to generate the OIDs. Figure 4 shows a command prompt with the OID-generator program.

Oidgen.exe produces two root OIDs—an Attribute Base OID and a Class Base OID. Run oidgen.exe once for your organization, then manage the OID space beneath these two roots by incrementing the number for each attribute you add to the AD schema.

You must group all the OIDs for your organization under common roots. AD maintains an internal table of OIDs. To optimize performance, OIDs are maintained in a separated state as a prefix and a suffix. The prefix is the entire OID minus the rightmost (low-order) value. AD stores the prefixes in a table so that it can reference them by an index value. AD then uses the remaining (low-order) part of the OID and the index value for its prefix to identify the classes and attributes. Grouping all your OIDs under common roots keeps the prefix table small. Excessive growth in the prefix table can degrade the performance of the Win2K server hosting AD.

When you've populated the Unique X500 Object ID text box with a valid OID, you can give the Gender attribute a minimum length of four characters (Male) and a maximum length of six characters (Female). Click OK to add the attribute. The new attribute appears in the AD Schema's Attributes folder, as Figure 5 shows.

When you view the new attribute in the AD Schema Console, you'll notice that the Description field is empty. To fill in this field, right-click the Gender attribute to access the Gender Properties dialog box that Figure 6 shows. In this dialog box, you can fill in the Description field and other properties. For example, you can replicate the new attribute to the GC. Click OK to return to the AD Schema Console.

From the Schema Console, click the Class folder. Scroll down to the User class, right-click it, and select Properties. On the user Properties dialog box, click the Attributes tab, which Figure 7 shows. Click Add, then choose the Gender attribute. Click OK twice, and you've successfully added the Gender attribute to the User class.

Managing Attributes in AD
Wouldn't you like to use Active Directory Users and Computers to assign a value (Male or Female) to the users in your AD? Well, by default, you can't. You can use the Users and Computers tool to modify a hundred or so User attributes, but they're hard-coded in this MMC application, which means that the software developer fixed the fields in the code itself. To help you, Microsoft provided an open extension API to the tool. The API is C++ only and not for the faint of heart, but a software developer could make the Gender attribute available for editing in the Users and Computers tool. I've found that custom-written Web-based tools are much more powerful than the MMC tools that Win2K includes.

A simple bit of Microsoft Active Directory Service Interfaces (ADSI) code, which Listing 1 shows, in an Active Server Pages (ASP) page can test the new Gender attribute. You'll have to change the container object (strObject) to a valid user in your AD, but the code will run unchanged after that. I use the IADs interface to set and retrieve attributes from AD. The Put method persists a change to the cache, and the Setinfo method flushes the cache by writing the change to AD. I can then retrieve the value from AD with the Get method.

Next Month
Extending AD has serious implications, which is why the Win2K online documentation has an abundance of documentation about the careful planning, implications, and considerations necessary before modifying the AD schema. Little documentation exists about how to extend AD. Perhaps this lack of documentation is meant to keep people from casually modifying the AD schema. However, if you're cautious and follow the procedures I just showed you, you can successfully add attributes to the AD schema.

Next month, I'll introduce you to an exciting technology—Windows Management Instrumentation (WMI). In addition to explaining all the great features of WMI, I'll show you how to execute processes and applications on remote machines.

End of Article

Reader Comments
You article is a godsend. However, I did have some issues using the new MMC. It seems to not be consistant. Some times it would list my new attribute using the LDAP Display Name, sometimes the Common Name and in one case when I went to add it to the User class, it showed up in the list as the OID (not very useful by the way). I also discovered through trial and error that you couldn't enter a minimum value of 0, it has to be a 1. If you could add these types of facts to your already great article, then it might make it a bit easier for other folks. Again, great aricle.

Tom Campbell

Tom Campbell April 20, 2002

Hi
I tried to simulate the example you have given in the above mentioned article. I gave some Object ID and was able to create Gender attribute successfully. I did not see that attribute in the properties pane of the user object. What am I missing here?

Prashanth L.V. December 26, 2002

As a reminder to practitioner, you will need to update your Schem in order to see these attributes under a user. right click on adsi domain and click update schema now.

sivysiv September 17, 2004 (Article Rating: )

It's good article. If you add details on how to add these attributes to user' properties as a tab in detail would be very very helpful

Anonymous User August 15, 2005 (Article Rating: )

You must be a registered user or online subscriber to comment on this article. Please log on before posting a comment. Are you a new visitor? Register now




Top Viewed ArticlesView all articles
Battery Life Issues Almost Certainly Not Windows 7's Fault

While Microsoft is still investigating a notebook battery life issue that was supposedly caused by Windows 7, some interesting trends have emerged. ...

Confirmed: Battery Life Issues Not Windows 7's Fault

Microsoft on Monday issued a lengthy statement about the recent Windows 7 battery controversy, echoing my assessment from earlier in the day, but backing it up with hard, cold evidence. ...

Getting your iPhone to Sync with Exchange 2003

Follow these steps to use an iPhone with Exchange. ...
Active Directory (AD) Whitepapers Unleash the Power of Active Directory Groups

Meeting Compliance Objectives in SharePoint

Email Controls and Regulatory Compliance
Related Events The Experts Conference 2010

Troubleshooting Active Directory

Concrete Ways to Make Sure Your SharePoint Deployment Doesn't Blow Up

Check out our list of Free Email Newsletters!
Active Directory (AD) eBooks The Essentials Series: Active Directory 2008 Operations

Keeping Your Business Safe from Attack: Monitoring and Managing Your Network Security

Windows 2003: Active Directory Administration Essentials
Related Active Directory (AD) Resources Introducing Left-Brain.com, the online IT bookstore
Looking for books, CDs, toolkits, eBooks? Prime your mind at Left-Brain.com

Discover Windows IT Pro eLearning Series!
Clear & detailed technical information and helpful how-to's, all in our trademark no-nonsense format


ADS BY GOOGLE

Job Openings in IT SPONSORED LINKS FEATURED LINKS
Collaborate with Confidence
Accelerate deployment and simplify Microsoft SharePoint management with EMC solutions and services.

Calculate your savings now
See how SAN is 57% cheaper than DAS over three years

Announcing Symantec Backup Exec 2010
With integrated deduplication and unified archiving technology.
Feb 25 - Are your IT Systems distributed? Or Convoluted?
Find out why integrated management solutions are more important than ever in today's IT environments and what criteria to consider when evaluating those solutions.

Virtualization Faceoff – Join the Discussion
Blogs, free poster, videos, community commentary – IT experts and peers face off on VMware & Microsoft virtualization solutions.

Should Your Email Live in the Cloud?
This Forrester report shows how-to calculate your on-premise email costs and compare with cloud-based alternatives and offers best practices for reducing email costs.

Exchange Server 2010: Deploying Unified Communications
register for this free virtual event and build your Unified Communications future on a strong Exchange Server 2010 foundation

New from Left-Brain.com - Manage VMware with PowerShell
Learn how to perform everything from simple ad-hoc reporting at the command-line to complex scripts that automate a massive deployment of hundreds of virtual machines.  Solve your old problems using less code than you thought possible!
Windows IT Pro Home Register FAQ for Windows WinInfo News
Europe Edition About Us Contact Us/Customer Service Media Kit Affiliates / Licensing  
SQL Server Magazine Office & SharePoint Pro DevProConnections IT Job Hound
Left-Brain.com Technology Resource Directory asp.netPRO ITTV Windows SuperSite 
 
 Windows IT Pro is a Division of Penton Media Inc.
 © 2010 Penton Media, Inc. Terms of Use | Privacy Statement