Solved

Add New Field on Active Directory Users Account

Posted on 2008-10-16
Last Modified: 2011-10-19
I'm currently running a Windows 2003 domain that has two DCs and 110 Windows XP workstations. I would like to add another field to the network user account page. For example, when you right-click an Active Directory user account and go to Properties, on the General tab page I would like to create a field that states something like: Application User ID (then has a blank text field). Basically something similar to the Description attribute on the General page.
1) Is this possible?
2) If I can do this, how hard is it to do?
3) How can I do this?
0
Question by:compdigit44
18 Comments
 
LVL 11

Expert Comment

by:loftyworm
ID: 22736904
I know it can be done, using the schema. It is not something I have done though, and would have to research it. But the simple answer is "yes", it can be done.
0
 
LVL 19

Author Comment

by:compdigit44
ID: 22736922
This is good news but I have never done it either... Looking for step-by-step instructions....
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 22738604

You can add an attribute to the Schema, but I would debate the need. I advise you use one of the existing fields, there are many. If you installed Exchange there are 15 fields, extensionAttribute1 - 15 that can be used for whatever you please.

As those are visible in AD Users and Computers with Exchange 2003, or in the Exchange System Console with Exchange 2007 it puts you a huge leap ahead of adding your own options.

You can view all the attributes available to you by opening ADSIEdit.msc (Start, Run), then opening the properties for a user. Many of the attributes listed are not exposed in the GUI.

Which leads us onto adding fields to AD Users and Computers.

There are a number of ways to achieve this. The easiest is to add an option to the context menu (right click on a user) and have that fire a script off and pop up a box. It's basic, but not all that hard to do.

Actually adding fields into the existing property sheets on the other hand is difficult. You need to have a programming background to even begin thinking about that one (in my opinion). We certainly wouldn't be able to provide step-by-step instructions for it, only point you at the appropriate starting point in MSDN.

Chris
0
 
LVL 19

Author Comment

by:compdigit44
ID: 22741908
Chris-Dent - Thanks for your reply. I have opened adsiedit.msc and expanded the schema. Here are my new questions:
1) In the screen shot can I rename any of the CN fields to be called something else?
2) How can I force some of these attributes currently listed to show up in AD user properties?
ScreenShot-1.bmp
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 22741954

No :) Please do not modify any of the default fields in the Schema. In fact, please be exceptionally careful with the Schema, if you break anything there you must rebuild / restore every single DC in your Forest.

You would have to extend AD Users and Computers, which is back to requiring Programming experience. If you are interested in chasing that one up you would start here:

http://msdn.microsoft.com/en-us/library/aa814672(VS.85).aspx

Chris
0
 
LVL 19

Author Comment

by:compdigit44
ID: 22742060
I could have sworn that AD user properties were like a rolodex and that you are given a default parameter but could also create custom fields as well??? This is what I was also told anyway??? There has to be an easier way to do this???? I'm not a programmer... Any other ideas or some way I could use the existing field to fit my needs???
0
 
LVL 18

Expert Comment

by:exx1976
ID: 22742497
Yes, you can create custom fields.  You were told correctly.  Notice that you did not say "I was told there was an easy way to do this".  Anyone that told you so was lying.  If you want the property field to display on one of the pages, you need a programming background.

Now, if you just want to extend the schema and then be able to access those fields programmatically, that's a little easier to do.  Like Chris-Dent said, though, there are already 15 extensionAttribute fields that you can use.

What I would personally recommend is to just find a field in the user object that you don't use, and that doesn't affect anything, and use that to hold the data you're trying to store.  PO Box comes to mind..   I have already repurposed that field in my AD..  :-)
0
 
LVL 19

Author Comment

by:compdigit44
ID: 22743440
OK, stupid question: in ADSIEdit.msc, where do I find these 15 existing fields and how do I make them show up???
0
 
LVL 18

Expert Comment

by:exx1976
ID: 22744024
In ADSIEdit they are visible as extensionAttribute1, extensionAttribute10, extensionAttribute11, 12, 13, 14, 15, 2, 3, 4, 5, 6, 7, 8, 9. You can't make them show up any way that I'm aware of, it's like the employeeID field. They can only be accessed programmatically (or using ADSIEdit - they don't show in ADU&C).

Unless anyone else knows a trick?
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 22745066

Yeah, they appear under the Exchange, er, General? tab if you're running Exchange 2003 and its extension for AD Users and Computers. They're accessed with the Custom Attributes button.

For Exchange 2007 they're accessed through the Exchange Management Console, there's no AD extension for that one.

Chris
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 22745095

Yep, it's Exchange General. That opens up a simple list of boxes for each of the attributes.

Chris
0
 
LVL 18

Expert Comment

by:exx1976
ID: 22746895
Ahh.  Thank you for pointing that out.  I don't ever even bother to go and look for anything anymore, I admin my entire directory with VBS..    Lazy me.  LOL
0
 
LVL 19

Author Comment

by:compdigit44
ID: 22748032
Thanks for the reply everyone... Here's one more problem / thought: I want to have this information placed in one of the "default ADUC" fields because not all AD users, including our help desk, have the Exchange 2003 admin interface installed on their workstation.
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 22748120

Then you must use a default field, one that is already exposed in the default GUI, there's no other way to do it.

If I were you I would drop AD Users and Computers for that one and throw together a small web application to deal with displaying and updating the attribute.

Chris
0
 
LVL 19

Author Comment

by:compdigit44
ID: 22748142
I like the idea of a web page; the only problem is that I'm not a web developer or programmer :-(
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 22755902

Don't worry, not one of us is either (unless I'm mistaken about exx1976) :)

That said, we can probably help you on the way to building one, but it would be more of a tutorial than a packaged solution (for the reason above).

Is that any use to you? Otherwise it would be more appropriate to use command line or script based modification.

If you are interested, you will either need Visual Studio 2008, or Visual Web Developer 2008 Express Edition. The latter is free, but has less features (which has never been a problem for me).

You can find the Express edition downloads here:

http://www.microsoft.com/express/default.aspx

Chris
0
 
LVL 18

Expert Comment

by:exx1976
ID: 22758321
You are correct, Chris, I'm not a programmer either.  I dabble, but only out of necessity.  I consider myself near Expert-level on VBS (again, from necessity), but only maybe novice or intermediate at VB.NET and ASP..  I took a few semesters of C++ and JAVA in college, and I retained enough of it at least to still be able to do the logic portions..  LOL

OP - with the above out of the way, it has been infinitely helpful to me that I can at least write SOME code..  Makes administration a lot easier, and the automation I've been able to add into my systems has been priceless.  It's a lot of work to admin large numbers of servers/users, so any part of it that you can streamline/put on autopilot is very helpful.  A great book (that I still reference from time-to-time) on VBS is Windows 2000 Scripting Bible, ISBN 0-7645-4677-5.  It's $30 USD, and worth every penny.  Even if you have no programming background, this book is an excellent starting point, and I highly recommend it.  I'd also recommend using PrimalScript for your IDE (Integrated Development Environment) for scripting.  You can download it from www.sapien.com

HTH,
-exx
0
 
LVL 70

Accepted Solution

by:
Chris Dent earned 500 total points
ID: 22759066

I'm very similar to Exx on this one. VbScript was my first and remains my strongest (and ASP by association), Perl visited briefly, VB .NET and C# .NET came afterwards and PowerShell most recently.

I recommend PowerShell rather than VbScript these days. You can do things in a couple of lines of PowerShell that take hundreds of lines of VbScript. I replaced some of my excessively complex VbScript this way.

Doesn't work very well if you have to do Logon Scripts, but for administration side scripting it's great. Besides, administration for things like Exchange 2007 is based in PowerShell.

It's here if you want to take a look:

http://www.microsoft.com/windowsserver2003/technologies/management/powershell/default.mspx

With some plug-ins here for extra ease of use:

AD - http://www.quest.com/powershell/
Group Policy - http://www.sdmsoftware.com/

Scripting is less help for this one really as we want to provide a user interface. But I do very much agree with Exx that having some scripting under your belt is invaluable. It's a real enabler... it enables me to play foosball instead of spending 4 hours clicking on stuff :)

Back on topic a bit, quite happy to help out with the web-interface for this although making things visually pretty is truly beyond me. That will be .NET if it's my choice because it involves the least code for the prettiest return.

Chris
0
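The thread settles on reusing an existing attribute (such as one of the Exchange-provided extensionAttribute fields) and reading or writing it from a script rather than extending the schema or the ADUC property sheets. The following is an added example, not code posted by any participant; the function names `Get-UserEntry`, `Get-AppUserId` and `Set-AppUserId` are hypothetical, and the account name and ID in the usage comment are constructed values.

```powershell
# Added example, not code from the thread. 'jsmith' and 'APP-00123' are constructed values.
# extensionAttribute1 exists only if the Exchange schema extensions are installed.

function Get-UserEntry {
    param([Parameter(Mandatory = $true)][string]$SamAccountName)

    # Escape LDAP filter metacharacters (RFC 4515) so input cannot change the filter.
    $escaped = $SamAccountName -replace '\\', '\5c' -replace '\*', '\2a' `
        -replace '\(', '\28' -replace '\)', '\29' -replace '\x00', '\00'

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$escaped))"
    $result = $searcher.FindOne()
    if ($null -eq $result) { throw "User '$SamAccountName' not found." }
    return $result.GetDirectoryEntry()
}

function Get-AppUserId {
    param([string]$SamAccountName, [string]$Attribute = 'extensionAttribute1')
    $user = Get-UserEntry -SamAccountName $SamAccountName
    return $user.psbase.Properties[$Attribute].Value   # $null when the attribute is empty
}

function Set-AppUserId {
    param([string]$SamAccountName, [string]$AppUserId,
          [string]$Attribute = 'extensionAttribute1', [switch]$Force)

    $user = Get-UserEntry -SamAccountName $SamAccountName
    $current = $user.psbase.Properties[$Attribute].Value

    # Refuse to silently overwrite a value something else may already depend on.
    if ($current -and ($current -ne $AppUserId) -and -not $Force) {
        throw "$Attribute on '$SamAccountName' already holds '$current'; use -Force to replace."
    }
    $user.psbase.Properties[$Attribute].Value = $AppUserId
    $user.psbase.CommitChanges()
}

# Usage (run as an account with write access to the attribute):
#   Set-AppUserId -SamAccountName 'jsmith' -AppUserId 'APP-00123'
#   Get-AppUserId -SamAccountName 'jsmith'
```

If the help desk needs to maintain this value, delegate write permission on that single attribute for the relevant OU rather than granting broader account-operator rights.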
