Active Directory User Attribute List

Tags: active-directory, schema, user-accounts

I'm trying to find a list of Active Directory User Attributes that I can use for customization without having to extend the schema. We are using 2008R2 functional level.

I exported a list with PowerShell of all properties. But I don't know how to tell which are user-info that I can edit (such as displayname, phone, employee-id) and AD-Data that I shouldn't edit manually (dn, accountexpires). I can see some obvious ones from this list such as employee-id, extensionAttribute1-15.

Get-QADUser 'username' -IncludeAllProperties | Get-Member -MemberType Properties

I have found a few websites that list all attributes, but none of them distinguish between user-info and AD-Data.

This Microsoft list divides properties up into Property sets: Public-Information, User-Logon etc. but still doesn't divide the list between user-info and AD-Data. It also doesn't include employee-id or the extensionAttribute1-15.

Question: Does this list of Active Directory User Attributes that I can use for customization exist?
Thanks

Edit:
Additional info:
Our developers want to attach some info to all user accounts for a new application. The first example of the data they wanted to attach was employee-id. This field already exists in AD. I'm not opposed to extending the schema, I just don't want to change things unnecessarily or to duplicate fields that already exist. If I can just give them a list, there might be fields with appropriate names that we can just use. If not, then I will extend the schema.

Reworded question:
Which attributes can I use for my own purposes (e.g. displayname, phone, employee-id)? Which attributes should I leave alone (dn, lastModifiedDate, accountexpires)?

Best Answer

The short answer is that there are only really a couple of attributes that are intended for cosmetic metadata on a user account, like description and info. Even the extensionAttributeX ones aren't really intended for your customization. They're part of the Exchange schema extensions and should be considered "reserved" if you're actually running Exchange.

A better question is why are you trying to avoid extending your schema? There's nothing inherently risky about doing it. If you have a valid use-case for adding business specific custom metadata on a particular class, come up with a logical attribute name, and add it. Maybe make sure your ldif file works the way you intend on a temporary throwaway DC that you bring up first. But ultimately, it's the only way to guarantee that nothing else will step on it or be affected by it.

If you're trying to avoid it because of political issues (your team doesn't manage AD and the AD team is averse to schema changes), it's still in your best interest to fight the good fight and make a business justification for the change (assuming you actually have a good business justification).

If your need is only temporary, then maybe just use something like description or info knowing that your user management teams might screw up the data accidentally. It's also possible some poorly written third party software might have the same idea though and conflict with yours.

You may also want to update your question with more specifics about the type of data you're trying to add. There may be existing attributes you could use that are intended for your purposes already.

Response to Edit: As you pointed out, there is already an employeeID attribute you could use. There's also an employeeNumber attribute as well. But again, the answer to the root of your question is that there is no definitive list of pre-existing writable attributes that no other software uses. The best way to do what you're trying to do is open up the properties dialog for a user in your domain, select the Attributes tab, change the filter to Show only writable attributes and scroll down looking for something that doesn't have any data in it yet that might fit your data definition. Then, google that particular attribute name to see what the attribute's intended purpose is and as a sanity check to see if anything you use in your environment also uses it.
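The manual "Show only writable attributes" walk through the Attribute Editor described in the answer can be automated against the schema itself. The script below is an added example, not code from the question or the answer. It assumes the RSAT ActiveDirectory module (shipped with Windows Server 2008 R2, so it fits the stated functional level), read access to the schema partition, and a placeholder account name `jdoe`. It separates attributes the schema marks as not user-writable (systemOnly, constructed, or back-link attributes) from ordinary writable ones, and then shows which writable attributes are still empty on a sample account. What it cannot do, exactly as the answer says, is tell you whether Exchange or another product already relies on a writable attribute; that check is still by hand.

```powershell
# Added example (not from the question or answer). Assumes the RSAT
# ActiveDirectory module and read access to the schema naming context.
# 'jdoe' below is a placeholder sAMAccountName.
Import-Module ActiveDirectory

$schemaNC = (Get-ADRootDSE).schemaNamingContext

# Index every attributeSchema object once by lDAPDisplayName so we do not
# issue one LDAP query per attribute later.
$attrIndex = @{}
Get-ADObject -SearchBase $schemaNC -LDAPFilter '(objectClass=attributeSchema)' `
    -Properties lDAPDisplayName, systemOnly, systemFlags, isSingleValued, linkID, adminDescription |
    ForEach-Object { $attrIndex[$_.lDAPDisplayName] = $_ }

# Collect the attribute names a class can carry, following subClassOf and the
# auxiliary classes so inherited attributes (organizationalPerson, person,
# top, securityPrincipal, mailRecipient, ...) are included. 'top' is its own
# parent, which the $Seen table stops from recursing forever.
function Get-ClassAttributeNames {
    param([string]$ClassName, [hashtable]$Seen = @{})
    if ($Seen.ContainsKey($ClassName)) { return }
    $Seen[$ClassName] = $true
    $cls = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=$ClassName))" `
        -Properties mayContain, systemMayContain, mustContain, systemMustContain, subClassOf, auxiliaryClass, systemAuxiliaryClass
    @($cls.mayContain) + @($cls.systemMayContain) + @($cls.mustContain) + @($cls.systemMustContain)
    foreach ($parent in @($cls.subClassOf) + @($cls.auxiliaryClass) + @($cls.systemAuxiliaryClass)) {
        if ($parent) { Get-ClassAttributeNames -ClassName $parent -Seen $Seen }
    }
}

$userAttrs = Get-ClassAttributeNames -ClassName 'user' | Sort-Object -Unique

# One real account, with every attribute, so we can see what is already populated.
# allowedAttributesEffective is the constructed attribute behind the Attribute
# Editor's "Show only writable attributes" filter: it reflects the ACL for the
# caller, whereas the schema flags below reflect what AD itself will ever let
# anyone write.
$account = Get-ADUser -Identity 'jdoe' -Properties *
$aclWritable = @((Get-ADUser -Identity 'jdoe' -Properties allowedAttributesEffective).allowedAttributesEffective)

$report = foreach ($name in $userAttrs) {
    $def = $attrIndex[$name]
    if (-not $def) { continue }
    $flags = [int]$def.systemFlags                 # $null systemFlags casts to 0
    $constructed = ($flags -band 0x4) -ne 0        # FLAG_ATTR_IS_CONSTRUCTED: computed, never stored
    $baseSchema  = ($flags -band 0x10) -ne 0       # FLAG_SCHEMA_BASE_OBJECT: shipped with AD / Exchange
    $backLink    = ($null -ne $def.linkID) -and (($def.linkID % 2) -eq 1)   # e.g. memberOf; written via the forward link only
    $systemOnly  = [bool]$def.systemOnly
    [pscustomobject]@{
        Attribute     = $name
        SchemaWritable = -not ($systemOnly -or $constructed -or $backLink)
        AclWritable   = $aclWritable -contains $name
        BaseSchema    = $baseSchema
        Populated     = $null -ne $account.$name
        Description   = $def.adminDescription
    }
}

# "Leave alone": AD maintains or computes these; manual edits fail or are overwritten.
$report | Where-Object { -not $_.SchemaWritable } |
    Select-Object -ExpandProperty Attribute

# Candidates: writable by schema and ACL, still empty on this account. Cross-check
# each name against the products in your environment (Exchange owns the
# extensionAttribute1-15 range, for instance) before adopting it.
$report | Where-Object { $_.SchemaWritable -and $_.AclWritable -and -not $_.Populated } |
    Sort-Object Attribute | Format-Table Attribute, BaseSchema, Description -AutoSize

# Directly answers the employee-id question: both are ordinary writable attributes.
$report | Where-Object { $_.Attribute -in 'employeeID', 'employeeNumber' } | Format-List
```

Two things are worth keeping separate when reading the output. The schema test (systemOnly, constructed, back-link) is what determines whether the directory will accept a write at all, and matches the "dn, accountExpires" style of attributes the question wants to avoid; the ACL test only says whether your own account may write it on that one object. An attribute that passes both and is empty is still only a candidate, because nothing in the schema records which third-party product has already claimed it.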