AD Custom Attribute with unique value

active-directory, windows-server-2003

I have a custom AD attribute added to my AD schema. The attribute's syntax is Unicode String. It is added to the user class, and its purpose is to store the user ID from the corporate ERP system. The problem is that I can have two or more user objects with the same value stored in that attribute, which is something I would like to avoid. Is there a way to configure an AD attribute so it is unique within the domain boundary? (The same behavior as the sAMAccountName attribute.)

i.e :

If there already exists a user object in AD with this attribute set to "JSmith" and I try to set that attribute to the same value for another user, Directory Services will refuse to update that object and give me an "already exists" error.

Domain functional level is windows 2003.

Best Answer

AD doesn't have built-in functionality to allow schema extensions to have enforced uniqueness. Being a loose-convergence multi-master database makes this a Hard Problem(tm). There is functionality built in to check for duplication of some built-in schema attributes, but there are even situations where this can fail.

Your best hope is going to be to write something that periodically "grovels" through AD and alerts an Administrator to duplication (or initiates some kind of conflict-resolution logic of your own).
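One way to implement the periodic "grovel" the answer describes, as an added PowerShell example that is not part of the original post. It assumes the custom attribute's LDAP display name is erpUserId (a hypothetical name, substitute your own) and that it is single-valued; it uses System.DirectoryServices rather than the ActiveDirectory module so it runs against a Windows Server 2003 domain controller without AD Web Services.

```powershell
# Added example (not from the original post): scan AD for duplicate values of a
# custom single-valued attribute and report them, for use from a scheduled task.
param(
    [string]$Attribute  = 'erpUserId',   # hypothetical attribute name (assumption)
    [string]$SearchBase = ([adsi]'LDAP://RootDSE').defaultNamingContext
)

# Only user objects that actually have the attribute set are of interest.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [adsi]"LDAP://$SearchBase"
$searcher.Filter     = "(&(objectCategory=person)(objectClass=user)($Attribute=*))"
$searcher.PageSize   = 1000              # paged results, so large domains are not cut off
[void]$searcher.PropertiesToLoad.AddRange(@('distinguishedName', 'sAMAccountName', $Attribute))

# Group users by attribute value. Unicode String attributes are compared
# case-insensitively by AD, so "jsmith" and "JSmith" are treated as the same value.
$byValue = @{}
foreach ($result in $searcher.FindAll()) {
    $value = [string]$result.Properties[$Attribute.ToLower()][0]
    $key   = $value.Trim().ToLowerInvariant()
    if (-not $byValue.ContainsKey($key)) {
        $byValue[$key] = New-Object System.Collections.ArrayList
    }
    [void]$byValue[$key].Add((New-Object PSObject -Property @{
        Value          = $value
        SamAccountName = [string]$result.Properties['samaccountname'][0]
        DN             = [string]$result.Properties['distinguishedname'][0]
    }))
}

# Report only values held by more than one user.
$duplicates = $byValue.GetEnumerator() | Where-Object { $_.Value.Count -gt 1 }
if (-not $duplicates) {
    Write-Host "No duplicate $Attribute values found under $SearchBase."
    exit 0
}
foreach ($dup in $duplicates) {
    Write-Warning ("{0} = '{1}' is set on {2} users:" -f $Attribute, $dup.Key, $dup.Value.Count)
    foreach ($user in $dup.Value) {
        Write-Warning ("    {0}  ({1})" -f $user.SamAccountName, $user.DN)
    }
}
# Non-zero exit code so a scheduled task or monitoring job can flag the run.
exit 1
```

Because AD is multi-master, a duplicate can still be written on two DCs between runs; this only shortens the window in which it goes unnoticed, it does not prevent it.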