Tech Line

AD Your Way

So the AD database doesn't have everything you need? Here's how to have it your way.

  • By Chris Wolf
  • 08/16/2005
Chris: Bill Boswell's "Fine-Tuning Active Directory Access" (November 2003) describes the process surrounding hiding fields. My problem is that I want to add a new field to the Active Directory Users and Computers (ADUC) MMC, such as employeeID, employeeType and employeeNumber. Can this be done in a relatively easy fashion or is it a deep delve in ADSI programming?
— Neil

Neil: Your problem is pretty typical and is experienced by many administrators that wish for Active Directory to mold to the structure of their company. Like you, most fear the possible schema changes that may be necessary to get this level of functionality and because of this, put it off for another day. For many of us, telling the boss "It's hard. I'll do it some other time" doesn't always cut it. In cases like this, a good friend of mine has decided to instead make something up.

For example, a couple of weeks ago his company was having some trouble with streaming media. He was busy looking for bargains on eBay and didn't have time to address the problem. So he decided to tell them the problem was the result of a bug with Windows Media Player. When I asked about his strategy, he told me "This should keep them at bay for awhile!"

OK, so if you want to be proactive and solve the problem, there are some pretty straightforward solutions. Actually, a scenario very close to your problem is described in Kurt Hudson's informIT article "Extending the Active Directory Schema to Track Custom Info."

Tech Help—Just An
E-Mail Away

Got a Windows, Exchange or virtualization question or need troubleshooting help? Or maybe you want a better explanation than provided in the manuals? Describe your dilemma in an e-mail to the MCPmag.com editors at mailto:[email protected]; the best questions get answered in this column and garner the questioner with a nifty MCPmag.com baseball-style cap.

When you send your questions, please include your full first and last name, location, certifications (if any) with your message. (If you prefer to remain anonymous, specify this in your message, but submit the requested information for verification purposes.)

In your specific case, you're looking to add an attribute for "Employee ID" to user account objects in Active Directory. Believe it or not, this attribute is already there.

In the AD Schema, there are employeeID and employeeNumber attributes that are ready and waiting to be used. To add these to your AD configuration, you'll need access to the domain controller that has the Schema Master operations master role. By default, the Schema Master resides on the first domain installed in your forest. If you're unsure of which domain controller is the schema master, you can find out by accessing the Active Directory Schema MMC, right-clicking the Active Directory Schema object, and selecting Operations Master.

To be able to access the Active Directory Schema MMC and to configure the Employee-ID attribute, you'll need to be a member of the Domain Admins and Schema Admins user groups. Now to use the AD Schema MMC, you must register it first by running "regsvr32 schmmgmt.dll."

Now run "mmc" to open an empty MMC shell and add the Active Directory Schema snap-in to the shell. At this point, you can follow these steps to link the employeeID attribute to the "user" class in Active Directory:

  1. Expand the Active Directory Schema object and then expand the Classes container.
  2. Scroll down to the "user" class. Right-click on the "user" class and select Properties.
  3. In the "user Properties" dialog box, click the Attributes tab and then click the Add button.
  4. You should now be at the Select Schema Object window. Scroll down and select employeeID and then click OK.
  5. In the "user Properties" dialog box, click OK.

Remember that these steps will modify the schema. Changes made to the Active Directory schema will affect the entire forest, so be sure to have proper sign-off on these changes before attempting this procedure.

While having the employeeID attribute connected to user objects is nice, it's pointless unless you can actually use it. Here's a VBscript that allows you to query and modify a user object in AD:

Dim objEmployeeID
Dim objSelectedUser
Dim strNewEmployeeID
Set objEmployeeID = Wscript.Arguments
Set objSelectedUser = GetObject(objEmployeeID(0))
strNewEmployeeID = InputBox("Employee ID: " & objSelectedUser.employeeID & vbCRLF _
  & vbCRLF _
  & "To enter a new Employee ID number," _
  & " type it into the text box" _
  & " below and click OK.")
if strNewEmployeeID <> ""
  then objSelectedUser.Put "employeeID",strNewEmployeeID
objSelectedUser.SetInfo
WScript.Quit

For easy accessibility by all domain controllers, I saved this file locally as EditEmployeeID.vbs in the C:\Windows directory on each domain controller. With the script now in place to query and modify the employeeID attribute, you now need to configure ADUC to show you the attribute. To do this, you'll need ADSI Edit, which is included with the Windows Support Tools.

Here are the steps to use ADSI Edit to configure an option for Employee ID to be present on the right-click power menu of a user object in Active Directory:

  1. Click Start | Run, then type "adsiedit.msc" in the Run dialog box and click OK.
  2. In the ADSI Edit MMC, expand the Configuration node to CN=Configuration,CN=DisplaySpecifiers,CN=409.
  3. With the CN=409 display specifier selected, right-click on the "CN=user-Display" object in the right pane of the MMC and select Properties.
  4. In the Attributes portion of the CN=user-Display Properties dialog box, click the adminContextMenu attribute and then click the Edit button.
  5. You should now see the Multi-valued String Editor dialog box. In the Value to Add field, type the following:

    ,&Employee-ID, C:\Windows\EditEmployeeID.vbs

    Note the preceding comma in the statement as well as the path used. You may need to edit the path based on the location of the EditEmployeeID.vbs script on your domain controllers.
  6. Click OK to close the Multi-valued String Editor dialog box.
  7. Click OK to close the CN-user-Display Properties dialog box.
  8. Close ADSI Edit.

You can now test your configuration by opening ADUC. Just right-click on any User object and select the Employee ID option. You can enter a new Employee ID in the dialog box and then click OK to save the value. If you open the Employee ID dialog box again for the same user, the newly assigned ID will be displayed.

The most important part of the process is getting the employeeID attribute connected to the user object in the schema. Once this is done, you're free to query and modify the attribute using a variety of scripts as well. Many sample scripts for this purpose are available at the TechNet Script Center.

[Chris Wolf has just released Virtualization: From the Desktop to the Enterprise (Apress) and also welcomes your virtualization questions for this column. —Editors]

About the Author

Chris Wolf is a Microsoft MVP for Windows --Virtual Machine and is a MCSE, MCT, and CCNA. He's a Senior Analyst for Burton Group who specializes in the areas of virtualization solutions, high availability, storage and enterprise management. Chris is the author of Virtualization: From the Desktop to the Enterprise (Apress), Troubleshooting Microsoft Technologies (Addison Wesley), and a contributor to the Windows Server 2003 Deployment Kit (Microsoft Press).learningstore-20/">Troubleshooting Microsoft Technologies (Addison Wesley) and a contributor to the Windows Server 2003 Deployment Kit (Microsoft Press).

comments powered by Disqus
Most   Popular