Solved

Need to add information into custom AD attributes

Posted on 2009-02-09
Medium Priority
684 Views
Last Modified: 2012-05-06
I have a customer who wants to use the Custom Attribute #1 and Custom Attribute #2 attributes in Windows 2000 Active Directory. I thought this wouldn't be too bad and loaded up the Exchange ADUC console. Unfortunately, half of these users (custom attribute #1) are contractors without mailboxes, which I am pretty sure means I cannot use ADUC to see these fields. How do I enter the information (4 word string) into AD? The good news is that their AD-aware application will be using the info, so the fields do not need to be visible in Active Directory Users and Computers, although that would be nice.
0
Question by:summit_pcguy
9 Comments
 
LVL 71

Expert Comment

by:Chris Dent
ID: 23594147

ADSIEdit.msc if you want a GUI (of sorts). Although do be aware that it doesn't have the safeguards that AD Users and Computers does.

The attributes are known as extensionAttribute1 and extensionAttribute2 if using ADSIEdit; they're only called "Custom ..." in the user-friendly interfaces.

Otherwise there are a variety of methods ranging from scripts, to tools like ADMod. Any preference?

Chris
0
 
LVL 13

Expert Comment

by:dhoffman_98
ID: 23594686
Active Directory Explorer is another tool that gives you a GUI interface and will allow you to see, and in some cases modify, individual attributes. Some of those attributes are not viewable in ADUC.

http://technet.microsoft.com/en-us/sysinternals/bb963907.aspx
0
 
LVL 1

Author Comment

by:summit_pcguy
ID: 23600298
A graphical tool is needed unless someone wants to write me the code to do this.
I would prefer native tools like ADSIedit or the Schema snap-in or something free (Active Directory Explorer looks great if I can figure it out).

Maybe I just need a quick primer on these tools. I need to insert a 4 character string into about 20 users so manually doing it is fine.
I need this to be somewhat simple so I can leave the directions for the IT guy they hire.

My main question is can I use the custom attributes on users without Exchange mailboxes, and my second question is how do I enter the info. I have been told that the AD-aware app is a helpdesk app and it will flag priority requests by the values in these attributes. The attributes can be changed in the app so I am not forced to using any particular attribute; it is just that the customer was leery of modifying the schema and felt that the "customattribute #1" and #2 made perfect sense to use.

My third question is if it is not advisable to use the custom attributes installed by Exchange for these users without mailboxes, how do I add and populate attributes to the schema in the safest way.

Thank you.
0
 
LVL 71

Accepted Solution

by:
Chris Dent earned 2000 total points
ID: 23600711

You're not making any changes to the Schema. Running the ForestPrep part of Exchange setup back when you did that took care of all of that. It's important to understand that because changing the Schema isn't something we should do on an ad hoc basis. Such changes are irreversible and can have far reaching consequences.

Fortunately, because of the update Exchange needed, the Custom Attributes are available on all users, and contacts, regardless of whether or not they are mail enabled. Changing the attributes on an account that is not mail enabled does not adversely affect AD, or Exchange, or the account. Therefore it is indeed advisable to use the custom attributes for this task rather than adding your own.

If you were to do this change in ADSIEdit, you would browse to the account (expanding folders in the same way as with AD Users and Computers). Open the properties then browse through the attribute list to extensionAttribute1 and extensionAttribute2. These are the underlying attributes that are called Custom Attribute 1 and 2 in the GUI. Then simply double click on the attribute, type in the value you want and press OK.

Whether or not you need a more restricted GUI depends on how happy you are using that there. It would only take a few minutes to knock together something in .NET which could only make this one change.

Chris
0
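The change described in the accepted answer, limited to the two attributes in the way Chris says a small restricted tool could be, as an added example that is not part of the thread or written by any participant. It assumes PowerShell with .NET's System.DirectoryServices on a domain-joined machine; the function name, the value policy and the sample account are hypothetical.

```powershell
# Added example, not code from the thread. Function and parameter names are hypothetical.
function Set-CustomAttribute {
    param(
        [Parameter(Mandatory = $true)][string]$SamAccountName,
        # Only the two attributes discussed in the thread can be written.
        [Parameter(Mandatory = $true)]
        [ValidateSet('extensionAttribute1', 'extensionAttribute2')]
        [string]$Attribute,
        [Parameter(Mandatory = $true)][string]$Value
    )

    # Assumed value policy: short strings of letters, digits, space, '_' or '-'.
    if ($Value -notmatch '^[A-Za-z0-9 _-]{1,64}$') {
        throw "Value must be 1-64 letters, digits, spaces, '_' or '-'."
    }

    # Escape RFC 4515 filter metacharacters so the logon name typed by the
    # helpdesk user cannot change the meaning of the LDAP search filter.
    $escaped = $SamAccountName.Replace('\', '\5c').Replace('*', '\2a').
        Replace('(', '\28').Replace(')', '\29').Replace([string][char]0, '\00')

    # Searches the current domain; works for accounts with or without a mailbox.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$escaped))"
    $searcher.SizeLimit = 2
    $results = @($searcher.FindAll())
    if ($results.Count -ne 1) {
        throw "Expected exactly one user named '$SamAccountName', found $($results.Count)."
    }

    $entry = $results[0].GetDirectoryEntry()
    $old = [string]$entry.psbase.Properties[$Attribute].Value

    # Same write ADSIEdit performs when you edit the attribute and press OK.
    $entry.Put($Attribute, $Value)
    $entry.SetInfo()

    # Return a one-line record of the change for the operator or a log file.
    "{0}: {1} changed from '{2}' to '{3}'" -f $entry.distinguishedName, $Attribute, $old, $Value
}

# Constructed sample call; 'jcontractor' and 'CONT' are placeholder values.
# Set-CustomAttribute -SamAccountName 'jcontractor' -Attribute extensionAttribute1 -Value 'CONT'
```

Run it under an account that has been delegated write access to only these two attributes on the relevant OU, so the helpdesk operator needs neither ADSIEdit nor broader rights.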
 
LVL 1

Author Comment

by:summit_pcguy
ID: 23600934
Chris - This sounds quite promising.  I would be happy to open up a second question if you were to provide an app that allowed us to enter a value into the extensionAttribute1 or extensionAttribute2 fields. Every time a contractor or VIP AD account is created, a string needs to be entered in one of these fields so an easy way to handle this would be nice.  There is no one here currently who I would feel comfortable using ADSIedit.

The preferred way to do this for the customer, would be to expose the fields in AD Users and Computers so that standard Level 1 helpdesk guy could create the account and enter the employee type. The .dot script would be the next best way.

Thank you!  I will go try this out.

0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 23601096

You can expose them in AD Users and Computers, but it's unfortunately quite a lot of work if they're not mail enabled.

All things considered, I think our best bet would be to use a little web page to do it. Largely because it means you don't have to do anything on the client, it's all server side. How does that sound?

Chris
0
 
LVL 1

Author Comment

by:summit_pcguy
ID: 23601218
I have no control over the web stuff here. At least the Sharepoint and Intranet stuff. They have their own team. I can run IIS on an XP Desktop, and maybe a 2k3 tools server. That's about it.
It does sound like a great idea!

Thanks!
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 23601254

I was thinking maybe on the Domain Controller?

Well, not to worry, the base code is similar anyway, let's see what we can do.

Chris
0
 
LVL 1

Author Comment

by:summit_pcguy
ID: 23601615
I have to get approval, test lab it and everything, but that is probably doable.
0


Question has a verified solution.
