I have a Windows Server 2016 Standard with no desktop experience installed. I want to expand the Active Directory schema with custom attributes. I can do it on a desktop environment using MMC without issues. Can I do it using PowerShell only?
Powershell – add custom attributes to Active Directory schema using PowerShell only
Tags: active-directory, powershell, windows-server-2016
Related Solutions
As for finding what's using the attributes, I think your best hope is some rather severe logging of the directory service access events by enabling the setting for it in the audit config of the Domain Controllers GPO, as well as setting aggressive audit ACLs to inherit throughout the domain. The logs will likely get very noisy.
If possible, the new Directory Services auditing features in 2008 might be a great help in this process; get a 2008 domain controller if you can!
When you're ready to get rid of those schema modifications - there's unfortunately no way to actually purge all memory of a schema modification, but you can at least halt its use and make it appear to be deleted.
You'll modify the attribute object in the schema to have an isDefunct value of TRUE; this can be done through ADSIEdit or the Active Directory Schema snap-in. See the "Removing Information from the Schema" section of this documentation for more info.
If you're not 100% certain that an attribute is out of use, it's OK to try making it defunct; you can reverse the change by setting isDefunct back to FALSE (the old values will still be there when it's reactivated). Definitely go down the auditing path if possible first, but the option is there.
If you want a purely PowerShell method, you may use info from this TechNet blog post, or take a look at the Quest PowerShell cmdlets. http://blogs.technet.com/b/joec/archive/2013/04/25/active-directory-delegation-via-powershell.aspx
In my company we have several groups that need to create unlimited computer accounts. I continue to use the DSACLS.EXE tool, because I have past experience with it, and while it is cryptic I can accomplish in a few lines what takes many, many lines of pure PowerShell with either of the methods mentioned above. DSACLS has a long and very thorough help page. I've pared it down for brevity in this post to only address the permission to create computer accounts. With some research, you should also be able to find the object names and permission levels to create the other things you mention. Remember that Users & Groups would be covered by membership in "Account Operators", and you may want to restrict Site & Subnet creation to members of "Domain Admins".
Grant a group the right to create computer accounts at a given OU path. Replace ThisDom & ThisGroup to fit your environment.
dsacls "OU=coyote,DC=acme,DC=com" /I:T /G 'ThisDom\ThisGroup:CCDC;computer'
dsacls "OU=coyote,DC=acme,DC=com" /I:S /G 'ThisDom\ThisGroup:WO;;computer'
dsacls "OU=coyote,DC=acme,DC=com" /I:S /G 'ThisDom\ThisGroup:WP;userAccountControl;computer'
Usage (edited)
C:\Windows\System32>dsacls /?
Displays or modifies permissions (ACLS) of an Active Directory Domain Services (AD DS) Object
DSACLS object [/I:TSP] [/N] [/P:YN] [/G <group/user>:<perms> [...]]
[/R <group/user> [...]] [/D <group/user>:<perms> [...]]
[/S] [/T] [/A] [/resetDefaultDACL] [/resetDefaultSACL]
[/takeOwnership] [/user:<userName>] [/passwd:<passwd> | *]
[/simple]
<... skipped lines...>
/I Inheritance flags:
T: This object and sub objects
S: Sub objects only
P: Propagate inheritable permissions one level only.
<... skipped lines...>
/G <group/user>:<perms>
Grant specified group (or user) specified permissions.
See below for format of <group/user> and <perms>
<... skipped lines...>
CC Create child object
DC Delete a child object
WO Change owner information
WP Write property
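For comparison with the three dsacls lines above, here is the same delegation done with the .NET ACE types the ActiveDirectory provider exposes. This is an added example, not the answer's own code or the linked TechNet post; the OU OU=coyote,DC=acme,DC=com and the group ThisDom\ThisGroup are the placeholder names from the answer. Each dsacls flag maps onto one ActiveDirectoryAccessRule constructor: CCDC;computer is CreateChild/DeleteChild with the computer class as ObjectType, WO;;computer is WriteOwner with computer as InheritedObjectType, and WP;userAccountControl;computer is WriteProperty with both GUIDs set.

```powershell
# Added example, not from the answer above. Assumed names: OU 'OU=coyote,DC=acme,DC=com'
# and group 'ThisDom\ThisGroup'. Needs the ActiveDirectory module and rights to modify the OU's DACL.
Import-Module ActiveDirectory

function Get-SchemaGuid {
    # schemaIDGUID of a class or attribute, by lDAPDisplayName. Object-specific ACEs
    # identify the class/property by this GUID, which is what dsacls resolves from the names.
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $o = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $o) { throw "No schema object named '$LdapDisplayName'" }
    [guid]$o.schemaIDGUID
}

function Grant-ComputerJoinRights {
    param(
        [Parameter(Mandatory)][string]$OuDN,
        [Parameter(Mandatory)][string]$Group      # 'DOMAIN\Group'
    )
    $sid      = (New-Object System.Security.Principal.NTAccount($Group)).Translate([System.Security.Principal.SecurityIdentifier])
    $computer = Get-SchemaGuid -LdapDisplayName 'computer'
    $uac      = Get-SchemaGuid -LdapDisplayName 'userAccountControl'
    $Allow    = [System.Security.AccessControl.AccessControlType]::Allow
    $All      = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All          # dsacls /I:T
    $Desc     = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents  # dsacls /I:S

    # dsacls /I:T /G group:CCDC;computer  -> create/delete child objects of class computer, here and below
    $ccdc = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild', $Allow, $computer, $All)
    # dsacls /I:S /G group:WO;;computer   -> write owner, on descendant computer objects only
    $wo = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner, $Allow, $Desc, $computer)
    # dsacls /I:S /G group:WP;userAccountControl;computer -> write that one property on descendant computers
    $wp = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty, $Allow, $uac, $Desc, $computer)

    $path = "AD:\$OuDN"
    $acl = Get-Acl -Path $path
    foreach ($ace in $ccdc, $wo, $wp) { $acl.AddAccessRule($ace) }
    Set-Acl -Path $path -AclObject $acl

    # Show exactly what the group now holds on this OU (re-read so inherited/merged entries are visible)
    (Get-Acl -Path $path).Access |
        Where-Object { $_.IdentityReference.Value -eq $Group } |
        Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritedObjectType, InheritanceType
}

# Usage:
#   Grant-ComputerJoinRights -OuDN 'OU=coyote,DC=acme,DC=com' -Group 'ThisDom\ThisGroup'
```

The final Select-Object is the check worth keeping: ObjectType and InheritedObjectType come back as raw GUIDs, so compare them against Get-SchemaGuid output rather than eyeballing them, and confirm that the WriteProperty entry is limited to userAccountControl and not an all-zero GUID, which would mean write access to every property.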
Best Answer
Try looking at this: http://www.rebeladmin.com/2017/11/step-step-guide-create-custom-active-directory-attributes/
It should be what you need.
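Since the question asks for a PowerShell-only method on a Server Core box, here is an added example of the whole procedure done with the ActiveDirectory module: generate an OID, create the attributeSchema object, attach it to a class via mayContain, and refresh the schema cache. This is not the linked guide's code. The attribute name myCustomAttr and the target class user are assumptions; the OID generator follows the GUID-to-OID scheme Microsoft publishes for test extensions under its 1.2.840.113556.1.8000.2554 arc, and a production attribute should use an arc registered to your own organization instead. The session must run as a member of Schema Admins, and every write goes to the schema master because no other DC accepts schema changes.

```powershell
# Added example, not the linked guide's code. Assumed names: attribute 'myCustomAttr',
# class 'user'. Needs the ActiveDirectory module and Schema Admins membership.
Import-Module ActiveDirectory

function New-SchemaOid {
    # Build an OID under Microsoft's 1.2.840.113556.1.8000.2554 arc from a fresh GUID
    # (the scheme Microsoft publishes for test/lab OIDs). For production, pass your own
    # organization's registered OID to -Oid instead of calling this.
    $prefix = '1.2.840.113556.1.8000.2554'
    $hex = [guid]::NewGuid().ToString('N')                 # 32 hex digits, no dashes
    $parts = foreach ($r in @(0,4),@(4,4),@(8,4),@(12,4),@(16,4),@(20,6),@(26,6)) {
        [uint64]::Parse($hex.Substring($r[0], $r[1]), [System.Globalization.NumberStyles]::AllowHexSpecifier)
    }
    "$prefix." + ($parts -join '.')
}

function Update-SchemaCache {
    # Ask the schema master to reload its schema cache now rather than within ~5 minutes,
    # so the new attribute can be referenced by mayContain and by LDAP writes immediately.
    param([Parameter(Mandatory)][string]$SchemaMaster)
    $rootDse = [ADSI]"LDAP://$SchemaMaster/RootDSE"
    $rootDse.Put('schemaUpdateNow', 1)
    $rootDse.SetInfo()
}

function New-CustomSchemaAttribute {
    param(
        [Parameter(Mandatory)][string]$Name,                  # used for both cn and lDAPDisplayName
        [string]$Description = 'Custom attribute',
        [ValidateSet('String', 'Integer', 'Boolean')][string]$Type = 'String',
        [switch]$Indexed,        # searchFlags bit 1: indexed, cheap equality searches
        [switch]$Confidential,   # searchFlags bit 128: readable only with Control Access on the attribute
        [string]$Oid = (New-SchemaOid),
        [string]$AttachToClass = 'user'
    )
    $schemaMaster = (Get-ADForest).SchemaMaster
    $schemaNC     = (Get-ADRootDSE -Server $schemaMaster).schemaNamingContext

    # lDAPDisplayName must be unique across attributes and classes; refuse duplicates early.
    if (Get-ADObject -Server $schemaMaster -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$Name)") {
        throw "A schema object named '$Name' already exists"
    }

    # attributeSyntax / oMSyntax pairs for the common types
    $syntaxTable = @{
        String  = @{ attributeSyntax = '2.5.5.12'; oMSyntax = 64 }   # Unicode string
        Integer = @{ attributeSyntax = '2.5.5.9';  oMSyntax = 2  }   # 32-bit integer
        Boolean = @{ attributeSyntax = '2.5.5.8';  oMSyntax = 1  }
    }
    $syntax = $syntaxTable[$Type]
    $searchFlags = 0
    if ($Indexed)      { $searchFlags += 1 }
    if ($Confidential) { $searchFlags += 128 }

    $attrs = @{
        lDAPDisplayName  = $Name
        attributeID      = $Oid
        attributeSyntax  = $syntax.attributeSyntax
        oMSyntax         = $syntax.oMSyntax
        isSingleValued   = $true
        adminDescription = $Description
        searchFlags      = $searchFlags
    }
    New-ADObject -Server $schemaMaster -Path $schemaNC -Type attributeSchema -Name $Name -OtherAttributes $attrs
    Update-SchemaCache -SchemaMaster $schemaMaster

    # Attach to the class as an optional attribute (mayContain)
    $class = Get-ADObject -Server $schemaMaster -SearchBase $schemaNC `
        -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=$AttachToClass))"
    if (-not $class) { throw "Class '$AttachToClass' not found" }
    Set-ADObject -Server $schemaMaster -Identity $class -Add @{ mayContain = $Name }
    Update-SchemaCache -SchemaMaster $schemaMaster

    # Return what was actually written, for a final check
    Get-ADObject -Server $schemaMaster -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$Name)" `
        -Properties attributeID, attributeSyntax, oMSyntax, searchFlags, isSingleValued
}

# Usage:
#   New-CustomSchemaAttribute -Name 'myCustomAttr' -Description 'Badge number' -Indexed -Confidential
#   Set-ADUser -Identity jdoe -Replace @{ myCustomAttr = '12345' }
#   Get-ADUser -Identity jdoe -Properties myCustomAttr
```

Two caveats a practitioner will want before running this for real: a schema extension replicates forest-wide and cannot be deleted, only marked defunct as the related answer above describes, so test it in a lab forest first; and if the attribute will hold anything sensitive, set -Confidential, because by default every authenticated user can read every attribute of every user object.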