Windows – Custom attributes in Active Directory – determining usage/function and possible removal options

Tags: active-directory, attributes, schema, windows

I've bumped into a highly-customized Active Directory environment (2003 FL) that's got me wondering if there's any particularly easy way to figure out what a custom attribute's function is, and what, if anything, is "using" that particular attribute. And then what some good options for potentially removing custom attributes from the schema might be. Aside from a restore or starting from scratch. If such an option exists.

For example, I think I can be fairly certain what the "isDumbass" attribute with a value of TRUE means, but not so much with "IRPextCONST", containing a value of 393684. Likewise, I'd think it should be pretty safe to delete the "isDumbass" attribute, but would like to a) be sure and b) find out what's querying or updating that value anyway, because I suspect that anything using that attribute might be next on the list of things to remove. Ideally, without having to run a search on the contents of every custom script and bit of source code I can get my hands on, of course.

And finally, aside from rebuilding from scratch, or doing an authoritative AD restore from backups that don't exist… is there a way to delete a given custom attribute? (Not blank the value, but actually delete the attribute from the schema – some folks would rather not have attributes like [redacted] hanging around.) I've been able to find and successfully test a method on Windows 2k, but it seems like Microsoft disabled this option in SP4, and the domain in question is a 2003 functional level.

Best Answer

As for finding what's using the attributes, I think your best hope is some rather severe logging of the directory service access events by enabling the setting for it in the audit config of the Domain Controllers GPO, as well as setting aggressive audit ACLs to inherit throughout the domain. The logs will likely get very noisy.

If possible, the new Directory Services auditing features in 2008 might be a great help in this process; get a 2008 domain controller if you can!
When you're ready to get rid of those schema modifications - there's unfortunately no way to actually purge all memory of a schema modification, but you can at least halt its use and make it appear to be deleted.

You'll modify the attribute object in the schema to have an isDefunct value of TRUE; this can be done through ADSIEdit or the Active Directory Schema snap-in. See the "Removing Information from the Schema" section of this documentation for more info.

If you're not 100% certain that an attribute is out of use, it's ok to try making it defunct; you can reverse the change by setting isDefunct back to FALSE (the old values will still be there when it's reactivated). Definitely go down the auditing path if possible first, but the option is there.
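The answer's two steps (attribute-scoped directory-service auditing to find who reads or writes the attribute, then flagging the schema object isDefunct once nothing turns up) as a PowerShell walk-through. This is an added example, not part of the question or the answer; it assumes the RSAT ActiveDirectory module, Schema Admins rights, and a 2008-or-later domain controller to run it on (event ID 4662 and the `auditpol` subcategory only exist there, which is the answerer's point about getting a 2008 DC). The attribute name is the question's own placeholder; the Everyone SID, the audit scope and the event parsing are my choices.

```powershell
# Added example (not from the question or answer). Assumes the RSAT
# ActiveDirectory module, Schema Admins + SeSecurityPrivilege, and that it runs
# on a 2008+ DC (event ID 4662; 2003 DCs log the older 566 instead).
Import-Module ActiveDirectory

$attrName = 'isDumbass'                       # placeholder taken from the question
$domainDN = (Get-ADRootDSE).defaultNamingContext
$schemaNC = (Get-ADRootDSE).schemaNamingContext

# 1. Locate the attributeSchema object and read its schemaIDGUID.
$attr = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$attrName))" `
    -Properties lDAPDisplayName, schemaIDGUID, isDefunct, attributeSyntax
if (-not $attr) { throw "Attribute '$attrName' not found in the schema." }
$attrGuid = [guid]$attr.schemaIDGUID
"{0}: syntax={1} defunct={2} guid={3}" -f $attr.lDAPDisplayName, $attr.attributeSyntax, $attr.isDefunct, $attrGuid

# 2. Which objects currently carry a value? A cheap first hint about usage.
Get-ADObject -SearchBase $domainDN -LDAPFilter "($attrName=*)" -Properties $attrName |
    Select-Object DistinguishedName, objectClass, $attrName

# 3. Which classes still reference it? An attribute cannot be made defunct
#    while an active class lists it in mustContain/mayContain.
Get-ADObject -SearchBase $schemaNC -LDAPFilter "(objectClass=classSchema)" `
    -Properties lDAPDisplayName, mustContain, mayContain, systemMustContain, systemMayContain |
    Where-Object { (@($_.mustContain) + @($_.mayContain) + @($_.systemMustContain) + @($_.systemMayContain)) -contains $attrName } |
    Select-Object -ExpandProperty lDAPDisplayName

# 4. Audit only this attribute rather than every DS access (keeps the log
#    readable): a SACL entry for ReadProperty/WriteProperty scoped to the
#    attribute's GUID, inherited down the whole domain.
auditpol /set /subcategory:"Directory Service Access" /success:enable /failure:enable
$acl = Get-Acl -Path "AD:\$domainDN" -Audit
$rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    [System.Security.Principal.SecurityIdentifier]'S-1-1-0',          # Everyone
    ([System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
     [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty),
    [System.Security.AccessControl.AuditFlags]::Success,
    $attrGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAuditRule($rule)
Set-Acl -Path "AD:\$domainDN" -AclObject $acl

# 5. After letting it run: pull 4662 events whose "Properties" list names this
#    attribute (the event carries the GUIDs of the attributes touched; matching
#    on the display name too covers DCs that resolve the GUID for you).
$guidStr = [regex]::Escape($attrGuid.ToString())
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4662 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $guidStr -or $_.Message -match $attrName } |
    ForEach-Object {
        $lines = $_.Message -split "`n"
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Account = ($lines | Where-Object { $_ -match 'Account Name:' } | Select-Object -First 1).Trim()
            Object  = ($lines | Where-Object { $_ -match 'Object Name:' }  | Select-Object -First 1).Trim()
        }
    } | Sort-Object Time | Format-Table -AutoSize

# 6. Once the audit trail stays empty, deactivate the attribute. Reversible, as
#    the answer says: flip isDefunct back to $false to reactivate. Must target
#    the schema master.
$schemaMaster = (Get-ADForest).SchemaMaster
# Set-ADObject -Identity $attr.DistinguishedName -Replace @{ isDefunct = $true }  -Server $schemaMaster
# Set-ADObject -Identity $attr.DistinguishedName -Replace @{ isDefunct = $false } -Server $schemaMaster   # undo
```

Step 3 is the check most people trip over: the schema refuses the isDefunct change while any active class still lists the attribute, so clear (or defunct) those references first. Scoping the audit rule to the attribute's schemaIDGUID is what keeps step 5 from drowning in the noise the answer warns about; a blanket ReadProperty audit on the domain root logs every LDAP read of every attribute.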