Active Directory Cookbook for windows server 2003- P32 pps


Table 10-3. attributeSyntax and oMSyntax combinations

    Name             attributeSyntax  oMSyntax  Description
    PrintableString  2.5.5.5          19        Case-sensitive string that contains characters from the printable character set.
    ReplicaLink      2.5.5.10         127       Used by Active Directory internally.
    Sid              2.5.5.17         4         Octet string that contains a security identifier (SID).
    UTCTime          2.5.5.11         23        Time string format defined by ASN.1 standards.

The searchFlags attribute is a bit flag that defines special properties related to searching with the attribute. Table 10-4 contains the values that can be set for this attribute. The values are cumulative, so in order to index an attribute and include it in ANR searches, you would set a value of 5 (1 + 4).

Table 10-4. searchFlags bit values

    Value  Description
    1      Index over attribute. See Recipe 10.11 for more information.
    2      Index over container and attribute.
    4      Include as part of Ambiguous Name Resolution (ANR). Should be used in addition to 1. See Recipe 10.13 for more information.
    8      Preserve attribute in tombstone objects.
    16     Copy attribute when duplicating an object. See Recipe 10.12 for more information.
    32     Create a tuple index for this attribute. This improves the response time for searches that put a wildcard in front of the search string for the attribute (e.g., givenname=*on).

10.7.4 See Also

Recipe 4.12 for setting a bit flag, Recipe 10.9 for adding a new class, and Recipe 10.22 for reloading the schema

Recipe 10.8 Viewing an Attribute

10.8.1 Problem

You want to view the properties of an attribute.

10.8.2 Solution

10.8.2.1 Using a graphical user interface

1. Open the Active Directory Schema snap-in.
2. In the left pane, click on the Attributes folder.
3. In the right pane, double-click the attribute you want to view.
4. Click on each tab to view the available properties.
10.8.2.2 Using a command-line interface

In the following command, replace <AttrCommonName> with the common name (not LDAP display name) of the attribute you want to view:

    > dsquery * cn=schema,cn=configuration,<ForestRootDN> -scope onelevel -attr *[RETURN]
     -filter "(&(objectcategory=attributeSchema)(cn=<AttrCommonName>))"

10.8.2.3 Using VBScript

    ' This code displays the attributes for the specified attributeSchema object.
    ' Refer to Recipe 4.2 for the DisplayAttributes( ) function code.
    ' SCRIPT CONFIGURATION
    ' Set to the common name (not LDAP display name) of the attribute
    strAttrName = "<AttrCommonName>"  ' e.g. surname
    ' END CONFIGURATION

    set objRootDSE = GetObject("LDAP://RootDSE")
    set objAttr = GetObject("LDAP://cn=" & strAttrName & "," & _
                            objRootDSE.Get("schemaNamingContext"))
    objAttr.GetInfo
    WScript.Echo "Properties for " & strAttrName & ":"
    DisplayAttributes(objAttr.ADsPath)

10.8.3 Discussion

In the CLI and VBScript solutions, I mention that you need to specify the common name or cn of the attribute you want to view. The common name is a source of confusion for many people. For example, the surname attribute has the following distinguished name in the rallencorp.com forest:

    cn=surname,cn=schema,cn=configuration,dc=rallencorp,dc=com

The problem is that most applications refer to attributes by their LDAP display name as defined in the lDAPDisplayName attribute for the attributeSchema object, which is typically different from the cn attribute. As an example, the surname attribute uses surname for its common name (cn), but sn for its LDAP display name (lDAPDisplayName). In the CLI solution, if you want to use the LDAP display name instead of cn, simply change (cn=<AttrCommonName>) to (lDAPDisplayName=<AttrLDAPName>). In the VBScript solution, it is not that simple. When using cn, we can call GetObject since we know the DN of the attributeSchema object.
If you want to use the lDAPDisplayName attribute instead, you'll need to do an ADO query and use search criteria similar to those in the CLI solution.

One attribute of note that is defined on attributeSchema objects is the systemFlags bit flag, which is used to define a few miscellaneous properties about an attribute. Table 10-5 contains the bits associated with systemFlags. The values are cumulative, so a value of 17 (1 + 16) would indicate that the attribute is part of the base Active Directory installation and is not replicated.

Table 10-5. systemFlags bit values

    Value  Description
    1      Not replicated among domain controllers.
    4      Dynamically constructed by Active Directory.
    16     Part of the base Active Directory installation. This value cannot be set.

10.8.4 See Also

Recipe 4.2 for viewing the attributes of an object and Recipe 4.9 for searching with a bit-wise filter

Recipe 10.9 Adding a New Class

10.9.1 Problem

You want to add a new class to the schema.

10.9.2 Solution

For Windows 2000 Active Directory you need to enable schema modifications before proceeding. See Recipe 10.2 for more information.

10.9.2.1 Using a graphical user interface

1. Open the Active Directory Schema snap-in.
2. In the left pane, right-click on the Classes folder and select Create Class . . .
3. Click the Continue button to confirm that you want to extend the schema.
4. Enter the information for the new class and click Next.
5. Enter any mandatory and optional attributes and click Finish.

10.9.2.2 Using a command-line interface

You can create new classes by using ldifde and an LDIF file that contains the properties to be set on the class.
The following text shows an example LDIF file called create_class.ldf that creates a class called rallencorp-SalesUser:

    dn: cn=rallencorp-SalesUser,cn=schema,cn=configuration,<ForestRootDN>
    changetype: add
    objectclass: classSchema
    lDAPDisplayName: rallencorp-SalesUser
    governsId: 1.3.6.1.4.1.999.1.1.28.4
    objectClassCategory: 3
    subClassOf: top
    description: Auxiliary class for Sales user attributes
    adminDescription: Auxiliary class for Sales user attributes
    mayContain: rallencorp-Building
    mayContain: rallencorp-Theatre

Then run the following command:

    > ldifde -v -i -f create_class.ldf

10.9.2.3 Using VBScript

    ' This code creates a class in the schema called rallencorp-SalesUser.
    ' It is assumed that the script is being run by a member of Schema Admins.
    set objRootDSE = GetObject("LDAP://RootDSE")
    set objSchemaCont = GetObject("LDAP://" & _
                                  objRootDSE.Get("schemaNamingContext") )
    set objClass = objSchemaCont.Create("classSchema", _
                                        "cn=rallencorp-SalesUser")
    objClass.Put "lDAPDisplayName", "rallencorp-SalesUser"
    objClass.Put "governsId", "1.3.6.1.4.1.999.1.1.28.4"
    objClass.Put "objectClassCategory", 3
    objClass.Put "subClassOf", "top"
    objClass.Put "adminDescription", "Languages a user speaks"
    objClass.Put "mayContain", Array("rallencorp-Building","rallencorp-Theatre")
    objClass.SetInfo
    WScript.Echo "Class created"

10.9.3 Discussion

To create a new class, you need to create a classSchema object in the Schema container. The important attributes to set include:

governsId
    Defines the OID for the class

objectClassCategory
    Defines the class type

subClassOf
    Defines the parent class

mayContain and mustContain
    Define any optional and mandatory attributes for instantiated objects of the class

The lDAPDisplayName also needs to be set and should be equal to the common name (cn) as a general rule.
Even though many of the default classes do not use the same name for the common name and LDAP display name, using the same name is highly recommended to avoid confusion when referencing the class. Another best practice is to set the schemaIDGUID of the class, which is especially important if you are doing anything with extended rights. The See Also section contains references to recipes that cover some of these topics in more depth.

10.9.4 See Also

Introduction in Chapter 10 for attributes of classSchema objects, Recipe 10.3 for generating an OID, Recipe 10.4 for generating a GUID, Recipe 10.17 for more on object class type, Recipe 10.19 for setting the default security for a class, and Recipe 10.22 for reloading the schema cache

Recipe 10.10 Viewing a Class

10.10.1 Problem

You want to view the attributes of a class.

10.10.2 Solution

10.10.2.1 Using a graphical user interface

1. Open the Active Directory Schema snap-in.
2. In the left pane, click on the Classes folder.
3. In the right pane, double-click the class you want to view.
4. Click on each tab to view the available properties.

10.10.2.2 Using a command-line interface

In the following command, replace <ClassCommonName> with the common name (not LDAP display name) of the class you want to view:

    > dsquery * cn=<ClassCommonName>,cn=schema,cn=configuration,<ForestRootDN> -scope[RETURN]
     base -attr *

10.10.2.3 Using VBScript

    ' This code prints out the attributes for the specified class.
    ' Refer to Recipe 4.2 for the DisplayAttributes( ) function code.
    ' SCRIPT CONFIGURATION
    ' Set to the common name (not LDAP display name)
    ' of the class you want to view.
    strClassName = "<ClassCommonName>"  ' e.g. user
    ' END CONFIGURATION

    set objRootDSE = GetObject("LDAP://RootDSE")
    set objClass = GetObject("LDAP://cn=" & strClassName & "," & _
                             objRootDSE.Get("schemaNamingContext"))
    objClass.GetInfo
    WScript.Echo "Properties for " & strClassName
    DisplayAttributes(objClass.ADsPath)

10.10.3 Discussion

See Table 10-1 for a list of the important classSchema attributes and their descriptions.

10.10.4 See Also

Recipe 4.2 for viewing the attributes of an object

Recipe 10.11 Indexing an Attribute

10.11.1 Problem

You want to index an attribute so that searches using that attribute are faster.

10.11.2 Solution

For Windows 2000 Active Directory you need to enable schema modifications before proceeding. See Recipe 10.2 for more information.

10.11.2.1 Using a graphical user interface

1. Open the Active Directory Schema snap-in.
2. In the left pane, click on the Attributes folder.
3. In the right pane, double-click the attribute you want to index.
4. Check the box beside Index this attribute in the Active Directory.
5. Click OK.

10.11.2.2 Using a command-line interface

You can index an attribute by using the ldifde utility and an LDIF file that contains the following:

    dn: cn=<AttrCommonName>,cn=schema,cn=configuration,<ForestRootDN>
    changetype: modify
    replace: searchFlags
    searchFlags: 1
    -

If the LDIF file were named index_attribute.ldf, you would run the following command:

    > ldifde -v -i -f index_attribute.ldf

10.11.2.3 Using VBScript

    ' This code indexes an attribute.
    ' SCRIPT CONFIGURATION
    ' Set to the common name (not LDAP display name) of the attribute
    strAttrName = "<AttrCommonName>"  ' e.g. rallencorp-LanguagesSpoken
    ' END CONFIGURATION

    set objRootDSE = GetObject("LDAP://RootDSE")
    set objAttr = GetObject("LDAP://cn=" & strAttrName & "," & _
                            objRootDSE.Get("schemaNamingContext"))
    objAttr.Put "searchFlags", 1
    objAttr.SetInfo
    WScript.Echo "Indexed attribute: " & strAttrName

The CLI and VBScript solutions assume that searchFlags wasn't previously set and just blindly overwrite whatever value is present if one was. See Recipe 4.12 for a better solution that will enable the bit you want without overwriting any previous settings.

10.11.3 Discussion

To index an attribute, you need to enable the 1 bit (0001) in the searchFlags attribute for the attributeSchema object. searchFlags is a bit flag attribute that is used to set various properties related to searching with the attribute. Table 10-4 contains the various bit flags that can be set with searchFlags. When setting searchFlags, you may often need to set a couple of bits together. For example, all Ambiguous Name Resolution (ANR) attributes must also be indexed, which means searchFlags should be set to 5 (1 + 4).

You can find the attributes that are indexed in the schema by using the following search criteria:

    Base    cn=Schema,cn=Configuration,<ForestRootDN>
    Filter  (&(objectcategory=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=1))
    Scope   onelevel

Alternatively, to find attributes that aren't indexed, change the previous search filter to the following:

    (&(objectcategory=attributeSchema)(!(searchFlags:1.2.840.113556.1.4.803:=1)))

10.11.4 See Also

Recipe 4.12 for modifying a bit-flag attribute, Recipe 10.7 for adding a new attribute, and MS KB 243311 (Setting an Attribute's searchFlags Property to Be Indexed for ANR)

Recipe 10.12 Modifying the Attributes That Are Copied When Duplicating a User

10.12.1 Problem

You want to add an attribute to the list of attributes that are copied when duplicating a user with the Active Directory Users and Computers snap-in.
10.12.2 Solution

For Windows 2000 Active Directory you need to enable schema modifications before proceeding. See Recipe 10.2 for more information.

10.12.2.1 Using a graphical user interface

1. Open the Active Directory Schema snap-in.
2. In the left pane, click on the Attributes folder.
3. In the right pane, double-click the attribute you want to edit.
4. Check the box beside Attribute is copied when duplicating a user.
5. Click OK.

10.12.2.2 Using a command-line interface

You can cause an attribute to get copied when duplicating a user by using the ldifde utility and an LDIF file that contains the following:

    dn: cn=rallencorp-LanguagesSpoken,cn=schema,cn=configuration,<ForestRootDN>
    changetype: modify
    replace: searchFlags
    searchFlags: 16
    -

If the LDIF file were named add_dup_user_attr.ldf, you would run the following command:

    > ldifde -v -i -f add_dup_user_attr.ldf

10.12.2.3 Using VBScript

    ' This code adds an attribute to the list of attributes that get
    ' copied when duplicating a user.
    ' SCRIPT CONFIGURATION
    ' Set to the common name (not LDAP display name) of the attribute
    strAttrName = "<AttrCommonName>"  ' e.g. rallencorp-LanguagesSpoken
    ' END CONFIGURATION

    set objRootDSE = GetObject("LDAP://RootDSE")
    set objAttr = GetObject("LDAP://cn=" & strAttrName & "," & _
                            objRootDSE.Get("schemaNamingContext"))
    objAttr.Put "searchFlags", 16
    objAttr.SetInfo
    WScript.Echo "New copied attribute: " & strAttrName

The CLI and VBScript solutions assume that searchFlags wasn't previously set and just blindly overwrite whatever value is present if one was. Check Recipe 4.12 for a better solution that will enable the bit you want without overwriting any previous settings.

10.12.3 Discussion

The Active Directory Users and Computers snap-in queries the schema for the list of attributes that should be copied whenever you right-click on a user and select Copy.
This flag is purely informational and does not impose any restrictions or result in any impact on the DIT, like indexing an attribute does. To find which attributes are copied when duplicating a user, use the following search criteria:

    Base    cn=Schema,cn=Configuration,<ForestRootDN>
    Filter  (&(objectcategory=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=16))
    Scope   onelevel

Alternatively, to find attributes that aren't copied, change the search filter above to the following:

    (&(objectcategory=attributeSchema)(!(searchFlags:1.2.840.113556.1.4.803:=16)))

10.12.4 See Also

Recipe 4.12 for modifying a bit flag attribute and Recipe 10.7 for adding a new attribute

Recipe 10.13 Modifying the Attributes Included with Ambiguous Name Resolution

10.13.1 Problem

You want to modify the attributes that are included as part of ANR.

10.13.2 Solution

For Windows 2000 Active Directory, you need to enable schema modifications before proceeding. See Recipe 10.2 for more information.

10.13.2.1 Using a graphical user interface

1. In order to proceed, you must have first indexed the attribute.
2. Open the Active Directory Schema snap-in.
3. In the left pane, click on the Attributes folder.
4. In the right pane, double-click the attribute you want to edit.
5. Check the box beside ANR.
6. Click OK.

10.13.2.2 Using a command-line interface

You can include an attribute as part of ANR by using the ldifde utility and an LDIF file that contains the following:

    dn: cn=rallencorp-LanguagesSpoken,cn=schema,cn=configuration,<ForestRootDN>
    changetype: modify
    replace: searchFlags
    searchFlags: 5
    -

If the LDIF file were named add_anr_attr.ldf, you would run the following command:

    > ldifde -v -i -f add_anr_attr.ldf

10.13.2.3 Using VBScript

    ' This code will make an attribute part of the ANR set.
    ' SCRIPT CONFIGURATION
    ' Set to the common name (not LDAP display name) of the attribute
    strAttrName = "<AttrCommonName>"  ' e.g. rallencorp-LanguagesSpoken
    ' END CONFIGURATION

    set objRootDSE = GetObject("LDAP://RootDSE")
    set objAttr = GetObject("LDAP://cn=" & strAttrName & "," & _
                            objRootDSE.Get("schemaNamingContext"))
    objAttr.Put "searchFlags", 5
    objAttr.SetInfo   ' commit the change to the attributeSchema object
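The searchFlags handling that Recipes 10.11 through 10.13 share, and the overwrite caveat each of them carries, as an added example that is not the cookbook's code: it models the Table 10-4 bits, sets a bit while preserving the ones already present (the behaviour Recipe 4.12 is cited for), enforces the rule that ANR (4) must accompany the index bit (1), and evaluates the 1.2.840.113556.1.4.803 bitwise-AND filter from the search criteria against a constructed schema sample. The short bit labels, the function names and the sample entries are this example's own assumptions; nothing connects to a directory.

```python
# Added example, not the cookbook's code: models the Table 10-4 searchFlags
# bits offline against a constructed sample; no directory connection is made.

SEARCH_FLAGS = {          # Table 10-4 bit values; short labels are this example's own
    1: "index",
    2: "container-index",
    4: "anr",
    8: "preserve-in-tombstone",
    16: "copy-on-duplicate",
    32: "tuple-index",
}

# Extensible-match rule OID used in the recipes' search filters (bitwise AND).
BIT_AND_RULE = "1.2.840.113556.1.4.803"


def decode_search_flags(value):
    """Return the Table 10-4 labels present in a cumulative searchFlags value."""
    return [name for bit, name in SEARCH_FLAGS.items() if value & bit]

def set_search_flags(current, bits):
    """OR 'bits' into 'current' without clearing bits that are already set.

    The recipes' 'replace: searchFlags' / objAttr.Put discard 'current', so an
    attribute that was 8 (tombstone-preserved) would silently end up as 1.
    """
    new = current | bits
    if new & 4 and not new & 1:  # Table 10-4: ANR (4) must be used with index (1)
        raise ValueError("ANR (4) requires the index bit (1)")
    return new

def bit_and_filter(bits, negate=False):
    """Build the attributeSchema search filter shown in Recipes 10.11 and 10.12."""
    clause = "(searchFlags:%s:=%d)" % (BIT_AND_RULE, bits)
    if negate:
        clause = "(!%s)" % clause
    return "(&(objectcategory=attributeSchema)%s)" % clause

def matches_bit_and(value, bits, negate=False):
    """Evaluate the bitwise-AND rule: true only when every bit in 'bits' is set."""
    hit = (value & bits) == bits
    return not hit if negate else hit

# Constructed sample: attribute cn -> current searchFlags value.
SAMPLE_SCHEMA = {"surname": 5, "rallencorp-LanguagesSpoken": 8, "description": 0}

def find_attributes(bits, negate=False, schema=SAMPLE_SCHEMA):
    """Names the bit_and_filter() search would return against the sample."""
    return sorted(cn for cn, v in schema.items() if matches_bit_and(v, bits, negate))
```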

Posted: 05/07/2014, 08:20
