September 2000

Extending the User Class in the AD Schema

Editor's Note: Each month, this column discusses various aspects of the advanced administration of e-commerce sites. This month's column examines extending the AD schema by adding a schema attribute to the User class.

I'm amazed by the lack of documentation and tools for extending Active Directory (AD). Don't get me wrong—AD is robust. Hundreds, maybe thousands of available attributes exist. The User class alone has more than 200 attributes.

By definition, every object in AD is an instance of a particular class. A class definition lists the attributes that instances of that class must have (mandatory attributes) and may have (optional attributes). Each class is derived from a parent class, or superclass, and its attributes are either inherited from its superclasses or defined explicitly on the class itself. The schema is itself stored in the directory as objects: one classSchema object per class and one attributeSchema object per attribute, all under the Schema container (CN=Schema,CN=Configuration,...), which is replicated to every domain controller in the forest.

The User class represents the users in a Windows 2000 domain. Most of its attributes, such as telephone number, street address, and e-mail address, are optional; only a handful, such as the common name (cn) and the SAM account name (sAMAccountName), are mandatory and must be supplied when you create a user. (The password isn't a readable attribute at all; you set it through the write-only unicodePwd attribute.) Extending the schema lets you add either kind, but in practice you add optional attributes: every user object that already exists would lack a value for a newly mandatory one.

Extending the AD schema to include new class attributes is treacherous because the results are irreversible. After you add an attribute, you can't delete it. You can deactivate it (mark it defunct) so that nobody can use it, but its definition stays in the schema partition, which is replicated to every domain controller in the forest. However, any company using AD will certainly find the need (if it hasn't already) for an attribute in the User class that doesn't currently exist. My company develops many business-to-consumer (B2C) software applications for clients. In many of these projects, one of the first attributes we add to AD is Gender because this attribute doesn't exist by default. (B2C sites profile their users by gender because it significantly helps in target advertising.) This month, I show you how to use the Active Directory Schema Console to extend AD. Specifically, I show you how to install the Schema Console, extend the schema, and manage attributes.

Installing the Active Directory Schema Console
The first challenge in this process is installing the tool. The Schema Console isn't installed by default with Win2K Server, not even on the domain controller that hosts your AD, and Microsoft didn't write an installation program for it. The snap-in is a COM object hosted by Microsoft Management Console (MMC); its DLL, schmmgmt.dll, ships in the \winnt\system32 folder but isn't registered, so it doesn't appear in MMC's list of snap-ins until you register it yourself.

To register the tool, choose Start, Run. Type regsvr32 C:\winnt\system32\schmmgmt.dll (assuming C is where you installed Win2K), and click OK. When you've successfully registered the tool, perform these steps:

  1. Choose Start, Run; type mmc /a, then click OK.
  2. On the Console menu, click Add/Remove Snap-in, then click Add.
  3. Under Snap-in, double-click Active Directory Schema, then click Close.
  4. Click OK.
  5. On the Console menu, click Save to save the console.

By default, you save the console to the Administrative Tools folder. Save your snap-in in that location, and it will appear under Start, Programs, Administrative Tools.

Extending the Schema
If you want to extend the schema, you first need to enable that option on the domain controller that holds the schema master role, the one DC in the forest that accepts schema writes; the console must be connected to that DC (right-click Active Directory Schema and select Change Domain Controller if it isn't). You also need to be logged on as a member of the Schema Admins group, or every write will fail with an access-denied error. Open the Schema Console. Right-click Active Directory Schema in the AD Schema Console's console tree, then select Operations Master. The Change Schema Master dialog box, which Figure 1 shows, appears and tells you which DC currently holds the role. Select the check box labeled The Schema may be modified on this Domain Controller to enable schema modifications. Under the covers, the check box sets the registry value Schema Update Allowed to 1 under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters on that DC; clear the check box (or set the value back to 0) when you've finished.
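Before you select that check box, it's worth confirming from a command line that you're on the right machine with the right rights. The following PowerShell script is an added example, not code from the original article or from Microsoft. It assumes you run it on the DC you intend to modify, that PowerShell is available there, and that the registry value it reads (Schema Update Allowed, the Win2K switch behind the check box) may legitimately be absent on later Windows versions, which dropped that switch.

```powershell
# Added example (not from the original article): pre-flight checks before touching the schema.
# Assumptions: run on the DC you intend to modify; "Schema Update Allowed" is the Windows 2000
# registry value set by the console check box (absent on Windows Server 2003 and later).

$rootDse  = [ADSI]'LDAP://RootDSE'
$schemaNc = [string]$rootDse.schemaNamingContext      # e.g. CN=Schema,CN=Configuration,DC=...
$schema   = [ADSI]"LDAP://$schemaNc"

# 1. Who holds the schema master role? fSMORoleOwner on the schema container is the DN of
#    the master's NTDS Settings object: CN=NTDS Settings,CN=<server>,CN=Servers,...
#    The second RDN is the server (domain controller) name.
$roleOwnerDn  = [string]$schema.fSMORoleOwner
$schemaMaster = (($roleOwnerDn -split ',')[1] -replace '^CN=', '')

# 2. Is the DC we are logged on to the schema master? Schema writes only succeed there.
$onSchemaMaster = ($schemaMaster -ieq $env:COMPUTERNAME)

# 3. Did the console check box take effect? (Windows 2000 only; $null elsewhere.)
$ntdsParams    = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$updateAllowed = (Get-ItemProperty -Path $ntdsParams -ErrorAction SilentlyContinue).'Schema Update Allowed'

# 4. Is the current account a member of Schema Admins? Without it, SetInfo on schema
#    objects fails with access denied regardless of the switches above.
$inSchemaAdmins = [bool]((whoami /groups) -match 'Schema Admins')

New-Object PSObject -Property @{
    SchemaNamingContext  = $schemaNc
    SchemaMaster         = $schemaMaster
    OnSchemaMaster       = $onSchemaMaster
    SchemaUpdateAllowed  = $updateAllowed     # 1 = enabled on Win2K
    MemberOfSchemaAdmins = $inSchemaAdmins
}
```

If OnSchemaMaster is False, either connect the console to the master or transfer the role there first; if MemberOfSchemaAdmins is False, log off and back on after being added to the group, because the token is built at logon.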

After you enable schema modifications, you can add attributes. For example, suppose you want to add a Gender attribute. In the AD Schema Console, right-click the Attributes folder, then select Create Attribute. A warning about the implications of your actions, which Figure 2 shows, immediately appears. Click Continue to access the Create New Attribute dialog box, which Figure 3 shows. In the Common Name and LDAP Display Name text boxes, enter Gender. The LDAP display name is the name your code will use, so choose it carefully; Microsoft's own attributes use lowerCamelCase (givenName, streetAddress), so gender would match that convention. You now need to populate the Unique X500 Object ID text box. Object IDs (OIDs) are the identifiers that uniquely name schema attributes and classes (an attribute stores its OID in attributeID, a class in governsID), so every attribute you add needs an OID that nobody else will ever use.

You need a valid OID to add an attribute. The Microsoft Windows 2000 Resource Kit includes a command-line OID-generator program, oidgen.exe, that generates valid OIDs. The utility combines a base OID from the Microsoft branch of the International Organization for Standardization (ISO) OID tree with a globally unique ID (GUID) generated each time the program runs, so each run yields a root that is yours alone. If your organization already owns an OID arc (for example, an IANA private enterprise number under 1.3.6.1.4.1), you can allocate from that instead; what matters is that the root belongs to you and can't collide with anyone else's. Figure 4 shows a command prompt with the OID-generator program.

Oidgen.exe produces two root OIDs—an Attribute Base OID and a Class Base OID. Run oidgen.exe once for your organization, then manage the OID space beneath these two roots by incrementing the number for each attribute you add to the AD schema.

You must group all the OIDs for your organization under common roots. AD maintains an internal table of OIDs. To optimize performance, OIDs are maintained in a separated state as a prefix and a suffix. The prefix is the entire OID minus the rightmost (low-order) value. AD stores the prefixes in a table so that it can reference them by an index value. AD then uses the remaining (low-order) part of the OID and the index value for its prefix to identify the classes and attributes. Grouping all your OIDs under common roots keeps the prefix table small. Excessive growth in the prefix table can degrade the performance of the Win2K server hosting AD.

When you've populated the Unique X500 Object ID text box with a valid OID, choose a string syntax (Unicode String) from the Syntax list, and give the Gender attribute a minimum length of four characters (Male) and a maximum length of six characters (Female). Keep in mind that the range constrains only the length: the directory will happily store Mail, so the application that writes the value must still validate it. Click OK to add the attribute. The new attribute appears in the AD Schema's Attributes folder, as Figure 5 shows.

When you view the new attribute in the AD Schema Console, you'll notice that the Description field is empty. To fill in this field, right-click the Gender attribute and select Properties to open the Gender Properties dialog box that Figure 6 shows. In this dialog box, you can fill in the Description field and other properties. For example, you can select Replicate this attribute to the Global Catalog. Be careful with that option on Win2K: adding an attribute to the GC's partial attribute set makes every GC server in the forest rebuild its copy of the catalog from scratch, which in a large forest means hours of replication traffic, so do it off-hours, and only if applications really need to query the attribute forest-wide. Click OK to return to the AD Schema Console.

From the Schema Console, click the Classes folder. Scroll down to the user class, right-click it, and select Properties. In the user Properties dialog box, click the Attributes tab, which Figure 7 shows. Click Add next to the Optional list, choose the Gender attribute, and click OK twice. The attribute is now an optional (mayContain) attribute of the User class.
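The whole procedure above (allocating the OID, defining the attribute, reloading the schema cache, and adding the attribute to the user class) can be scripted against the same ADSI interfaces the article uses later for testing. The following PowerShell script is an added example, not code from the original article. It assumes you are on the schema master as a Schema Admin, that $attributeBase is replaced with the Attribute Base OID from your own oidgen.exe run (the value shown is a placeholder), and that the LDAP display name is gender rather than Gender, following Microsoft's lowerCamelCase convention.

```powershell
# Added example (not from the original article): scripted equivalent of the console steps,
# using the ADSI IADs methods Put/PutEx/SetInfo. Assumptions: run on the schema master as a
# Schema Admin; $attributeBase is a PLACEHOLDER for your own oidgen.exe Attribute Base OID.

$attributeBase = '1.2.840.113556.1.8000.2554.12345.67890'   # PLACEHOLDER: paste your oidgen.exe output
$nextSuffix    = 1                                            # increment for every attribute you add
$attributeId   = "$attributeBase.$nextSuffix"

$rootDse  = [ADSI]'LDAP://RootDSE'
$schemaNc = [string]$rootDse.schemaNamingContext
$schema   = [ADSI]"LDAP://$schemaNc"

# Tell the DC to reload its in-memory schema cache now instead of waiting for the periodic
# refresh; without this, a step that references the new attribute can fail to resolve it.
function Update-SchemaCache {
    $rootDse.Put('schemaUpdateNow', 1)
    $rootDse.SetInfo()
}

# Create the attributeSchema object. Put() only stages values in ADSI's local property
# cache; nothing reaches the directory until SetInfo() writes the object in one operation.
$attr = $schema.Create('attributeSchema', 'CN=Gender')
$attr.Put('lDAPDisplayName',  'gender')
$attr.Put('adminDescription', 'Gender of the person: Male or Female')
$attr.Put('attributeID',      $attributeId)
$attr.Put('attributeSyntax',  '2.5.5.12')   # Unicode String ...
$attr.Put('oMSyntax',         64)            # ... both values together select that syntax
$attr.Put('isSingleValued',   $true)
$attr.Put('rangeLower',       4)             # shortest allowed value: 'Male'
$attr.Put('rangeUpper',       6)             # longest allowed value:  'Female'
# Deliberately NOT setting isMemberOfPartialAttributeSet: adding an attribute to the
# Global Catalog on Windows 2000 forces every GC in the forest to resynchronize.
$attr.SetInfo()
Update-SchemaCache

# Add the attribute to the user class as an optional (mayContain) attribute.
# PutEx with ADS_PROPERTY_APPEND (3) adds to the multi-valued list instead of replacing it.
$userClass = [ADSI]"LDAP://CN=User,$schemaNc"
$userClass.PutEx(3, 'mayContain', @('gender'))
$userClass.SetInfo()
Update-SchemaCache

# Verify by reading the definition back from the directory rather than from the cache.
$check = [ADSI]"LDAP://CN=Gender,$schemaNc"
$check.GetInfo()
"attributeID = $($check.attributeID); lDAPDisplayName = $($check.lDAPDisplayName)"
```

Because the OID suffix is a plain counter, keep the current value of $nextSuffix under change control alongside the base OID; two administrators who both start at 1 will produce a collision that the schema master rejects, and an OID reused after a failed attempt is just as bad.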

Managing Attributes in AD
Wouldn't you like to use Active Directory Users and Computers to assign a value (Male or Female) to the users in your AD? By default, you can't. The Users and Computers tool lets you modify a hundred or so User attributes, but they're hard-coded in the MMC application itself. Microsoft did provide an extension mechanism for the tool: a property page extension, a COM object written in C++ and registered through the display specifiers in the Configuration partition, can make the Gender attribute editable in Users and Computers, but it's not for the faint of heart. For ad hoc edits of any attribute the schema defines, including new ones, use ADSI Edit (adsiedit.msc) from the Win2K Support Tools on the installation CD. For anything users or help-desk staff will touch, I've found that custom-written Web-based tools are much more powerful than the MMC tools that Win2K includes.

A simple bit of Microsoft Active Directory Service Interfaces (ADSI) code, which Listing 1 shows, in an Active Server Pages (ASP) page can test the new Gender attribute. You'll have to change the object path (strObject) to a valid user in your AD, but the code will run unchanged after that. I use the IADs interface to set and retrieve attributes from AD. The Put method stages a change in the local property cache, and the SetInfo method flushes the cache by writing the change to AD; if SetInfo fails (for example, because the value is outside the length range you defined), the rejected value stays in the cache until GetInfo reloads it from the directory. I can then retrieve the value from AD with the Get method. Remember that an ASP page runs under the Web server's identity (or the identity it impersonates), so grant that account write permission on the Gender attribute only, not broad write access to user objects.
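The Put/SetInfo/Get round trip described above, as an added example in PowerShell against the same ADSI interfaces rather than the article's ASP listing, including the failure the length range produces. It assumes the attribute was created with the LDAP display name gender and a 4-to-6-character range, and that the user DN is a placeholder for a real account.

```powershell
# Added example (not the article's Listing 1): set and read the new attribute through ADSI.
# Assumptions: LDAP display name "gender", rangeLower 4 / rangeUpper 6, placeholder user DN.

$userPath = 'LDAP://CN=Jane Doe,OU=Staff,DC=contoso,DC=com'   # PLACEHOLDER: use a real user's DN

function Set-Gender {
    param([string]$Path, [string]$Value)
    $user = [ADSI]$Path
    $user.Put('gender', $Value)      # stage the change in the local property cache
    try {
        $user.SetInfo()              # flush the cache: this is the write to the directory
    }
    catch {
        # The DC rejects values outside rangeLower..rangeUpper with a constraint violation.
        # The rejected value is still in the cache, so reload the cache before giving up.
        $user.GetInfo()
        throw
    }
}

function Get-Gender {
    param([string]$Path)
    $user = [ADSI]$Path
    $user.GetInfo()                  # refresh from the directory rather than trusting the cache
    return [string]$user.Get('gender')
}

Set-Gender -Path $userPath -Value 'Female'
Get-Gender -Path $userPath

# Edge case: 'Unknown' is seven characters, one more than rangeUpper allows, so SetInfo fails.
try   { Set-Gender -Path $userPath -Value 'Unknown' }
catch { "Rejected as expected: $($_.Exception.Message)" }

# The range constrains length only: 'Mail' (four characters) would be accepted, so the
# application, not the directory, has to validate the value against Male/Female.
```

Run it as an account that has been granted write access to the gender attribute on the target user and nothing more; the failure branch is also what you'll see if that permission is missing, so read the exception message before assuming the range is at fault.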

Next Month
Extending AD has serious implications, which is why the Win2K online documentation says so much about the careful planning, implications, and considerations necessary before modifying the AD schema, yet so little about how to actually do it. Perhaps this lack of documentation is meant to keep people from casually modifying the AD schema. However, if you're cautious and follow the procedures I just showed you, you can successfully add attributes to the AD schema.

Next month, I'll introduce you to an exciting technology—Windows Management Instrumentation (WMI). In addition to explaining all the great features of WMI, I'll show you how to execute processes and applications on remote machines.

Reader Comments
Your article is a godsend. However, I did have some issues using the new MMC. It seems to not be consistent. Sometimes it would list my new attribute using the LDAP Display Name, sometimes the Common Name, and in one case when I went to add it to the User class, it showed up in the list as the OID (not very useful, by the way). I also discovered through trial and error that you couldn't enter a minimum value of 0; it has to be a 1. If you could add these types of facts to your already great article, then it might make it a bit easier for other folks. Again, great article.

Tom Campbell

Tom Campbell April 20, 2002


Hi
I tried to simulate the example you have given in the above-mentioned article. I gave it some Object ID and was able to create the Gender attribute successfully. I did not see that attribute in the properties pane of the user object. What am I missing here?

Prashanth L.V. December 26, 2002


As a reminder to practitioners, you will need to update your schema in order to see these attributes under a user. Right-click on the ADSI domain and click Update Schema Now.

sivysiv September 17, 2004


It's a good article. If you added details on how to add these attributes to a user's properties as a tab, it would be very, very helpful.

Anonymous User August 15, 2005

