Create a custom Multi-Valued attribute in Active Directory

Jan 26th, 2014

Have you ever worked in an environment where, because of regulations and compliance, you are required to maintain the group membership of all terminated and former employees long after they have left the company and their accounts have been disabled? Leaving their membership in groups makes the groups hard to audit because they will contain both active and disabled users. One possible solution is to create a custom user attribute to store the legacy groups of all disabled users.

This brief post will demonstrate how to modify the Active Directory schema to create a custom Multi-Valued user attribute. To modify the schema, the account must be a member of the Schema Admins group. Before proceeding, make sure you understand the full functionality of the Active Directory schema. Since schema modification/extension is irreversible, caution must be taken with any schema modification. It is always advisable to test in a lab environment before attempting this in production. More information about the Active Directory schema can be found on the TechNet site.

1. The first thing is to register the schema snap-in: go to Run, type this command: regsvr32 c:\windows\system32\schmmgmt.dll and click OK. Once you get the confirmation message box, move to the next step.

2. Now we need to open the Schema Management Console. Go to Run and type MMC to invoke the console. Click the File menu, select Add/Remove Snap-in, select Active Directory Schema on the left, add it to the console root on the right and click OK.

3. Now let’s create our custom attribute. Select Attributes, then click Create Attribute.

Click ok when you see the warning message:

4. Now fill in the required information for the new attribute. The Common Name and the LDAP Display Name should be the same. For the Unique X500 Object ID, I used the oidGen.vbs script from the TechNet Script Center. I copied the script into Notepad, ran it on my machine and got my OID: 1.2.840.113556.1.8000.2554.23134.57732.20530.17455.33218.11809071.14926414

For the syntax, I used “Distinguished Name” because I want to make sure the groups entered here are valid groups, and this also lets me avoid duplicates. With this selection, I will have to enter the complete DN, which will be validated against AD.

I also checked the “Multi-Valued” box, because I want to enter all the legacy groups of a disabled user with no limitation. If you intend to have only a single value for this custom attribute, leave the Multi-Valued box unchecked. I leave the Minimum and Maximum blank because I don’t want any limitation.

This is a very critical step. If you are not sure what to enter here, go to the schema snap-in, select an attribute that is similar to what you need to achieve and copy the same settings. In my case, I selected the member attribute as seen here:

Any mistake here cannot be reversed once you click OK, which means you will have to start all over again, so make sure you are in a lab environment.

Click OK once all the information has been correctly entered.

5. Now we need to associate the newly created attribute with the correct schema class. In my case, the attribute will be an addition to the user class. Go to the Schema snap-in, select Classes, scroll down, select the user class, right-click, choose Properties and select the Attributes tab.

Click Add, find and select the newly created attribute (legacyGroups), click OK, then Apply and Close.

Note: I also wanted this newly created attribute to replicate to all Global Catalogs (GCs). Go to Attributes, select legacyGroups, right-click, choose Properties and check the Global Catalog replication box.

6. To see the newly created attribute, go to Run and type adsiedit.msc. Connect to the naming context, right-click and select Update Schema Now.

7. Select any user, look at the Attribute Editor tab, and you will see the newly created custom attribute.
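Before populating the attribute, it is worth confirming from the schema itself that steps 4 and 5 produced what was intended (DN syntax, multi-valued, replicated to the GC, and attached to the user class). The following is an added example, not part of the original post; it assumes the ActiveDirectory PowerShell module is installed and that the attribute was created with the LDAP display name legacyGroups as described above.

```powershell
# Added example (not from the original post): verify the schema settings of the
# new attribute with the ActiveDirectory PowerShell module. Assumes the attribute
# was created with lDAPDisplayName "legacyGroups" as described above.
Import-Module ActiveDirectory

$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=legacyGroups)' `
    -Properties attributeID, attributeSyntax, oMSyntax, isSingleValued, isMemberOfPartialAttributeSet

if (-not $attr) {
    throw "legacyGroups was not found in the schema; run 'Update Schema Now' or wait for replication."
}

# Expected values for the settings chosen in the post:
#   attributeSyntax 2.5.5.1 with oMSyntax 127  -> Distinguished Name syntax
#   isSingleValued $false                      -> Multi-Valued box checked
#   isMemberOfPartialAttributeSet $true        -> replicated to the Global Catalog
[pscustomobject]@{
    OID         = $attr.attributeID
    DNSyntax    = ($attr.attributeSyntax -eq '2.5.5.1' -and $attr.oMSyntax -eq 127)
    MultiValued = (-not $attr.isSingleValued)
    InGC        = [bool]$attr.isMemberOfPartialAttributeSet
}

# Step 5 adds the attribute to the user class's optional attributes (mayContain);
# confirm it is actually there.
$userClass = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=user)' -Properties mayContain
'user class mayContain legacyGroups: ' + ($userClass.mayContain -contains 'legacyGroups')
```

Every value returned as $false points back to the exact dialog where it was set, which is far cheaper to discover here than after users have been populated.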

8. Let’s test by populating this attribute:

a. I added a group called DHCP-Admins (Distinguished Name not included), but I received the following error: “The name reference is invalid”, as seen below.

b. I resolved it by entering the full Distinguished Name, and the value was successfully added.

c. My user JDoe left the company and his account is disabled. He was a member of the following groups:

I need to remove him from those groups, and because of company policy I need to keep a record of the groups that JDoe was a member of at the time he left the company. So all I need to do now is add these groups to JDoe’s legacyGroups attribute and we are all set. At the end of the day, group membership will stay clean because there will be no disabled users remaining in groups (admins will be happy), and Compliance will be happy as well because they can still track what groups a user was in at the time he/she was fired or voluntarily left the company.

d. And down the road, if an auditor sends a request for a list of the groups an old employee was a member of, a PowerShell one-liner will get the results. This can also be piped into a .CSV file, etc.
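Steps c and d above are the whole lifecycle of the attribute: capture the leaver's groups, remove the memberships, and read the record back later. The script below is an added example, not the post's own one-liner; it assumes the DN-syntax, multi-valued legacyGroups attribute exists on the user class, that the ActiveDirectory module is available, and that the account running it may modify the user and the groups. The function names Save-LegacyGroups and Get-LegacyGroups are made up for this example.

```powershell
# Added example (not from the original post): record a leaver's groups in the
# custom legacyGroups attribute, remove the memberships, and read them back.
# Assumes legacyGroups exists on the user class with Distinguished Name syntax.
Import-Module ActiveDirectory

function Save-LegacyGroups {
    param([Parameter(Mandatory)][string]$SamAccountName)

    # memberOf already holds distinguished names, which is exactly what the
    # DN syntax of legacyGroups requires (a bare name fails, as in step 8a).
    $user = Get-ADUser -Identity $SamAccountName -Properties memberOf, legacyGroups
    if (-not $user.memberOf) { return }

    # Skip DNs already recorded; adding a duplicate value to a multi-valued
    # attribute is rejected by the directory.
    $new = @($user.memberOf | Where-Object { $user.legacyGroups -notcontains $_ })
    if ($new.Count -gt 0) {
        # Write the record first, so nothing is lost if a removal below fails.
        Set-ADUser -Identity $user -Add @{ legacyGroups = $new }
    }

    foreach ($groupDN in $user.memberOf) {
        Remove-ADGroupMember -Identity $groupDN -Members $user -Confirm:$false
    }
    # Note: the primary group (normally Domain Users) is not listed in memberOf
    # and is therefore neither recorded nor removed here.
}

function Get-LegacyGroups {
    param([Parameter(Mandatory)][string]$SamAccountName)

    (Get-ADUser -Identity $SamAccountName -Properties legacyGroups).legacyGroups |
        ForEach-Object {
            # Resolve each stored DN to a friendly name; a group deleted since
            # the user left still reports its DN, with no Name.
            $g = Get-ADGroup -Identity $_ -ErrorAction SilentlyContinue
            [pscustomobject]@{ Name = $g.Name; DistinguishedName = $_ }
        }
}

# Usage (JDoe as in the post):
#   Save-LegacyGroups -SamAccountName 'JDoe'
#   Get-LegacyGroups  -SamAccountName 'JDoe' | Export-Csv .\JDoe-legacy-groups.csv -NoTypeInformation
```

Writing to legacyGroups before touching any group is deliberate: if a Remove-ADGroupMember call fails part-way (for example on a group the operator cannot administer), the compliance record is already complete and the script can simply be re-run.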
