Extending Active Directory Schema -- obtaining OIDs

Posted on 2009-12-16
Last Modified: 2012-05-08

I am trying to extend my AD schema by adding a few attributes. I understand almost everything I need to do, but the one thing I am stuck on is the "X.500 OID" field when creating the new attribute. I have searched around but have not found much. I found a few sites that say I need to generate or obtain new OIDs in order to create attributes. But as far as I can tell, generating them is not advised, which leaves me to obtaining them. I looked all over Microsoft's site but was unable to find how I can obtain new OIDs. Is this something no one does anymore? Is there an easier way to create attributes in AD? Can I make up new OIDs?

Thanks in advance for the help.
Question by:sdcox

    Accepted Solution

    I advise caution extending Active Directory schema. If you're working on something internal to your organization, I recommend attempting to make use of pre-existing fields if possible.

    You can get an OID from Microsoft (, or check with

    Author Comment

    Thanks for the response. The only problem is we need to create 8 additional fields and there are not enough existing fields we can convert. Why do you advise against extending the schema?

    Expert Comment

    by:Todd Gerbert
    I don't necessarily advise against it, just saying - be careful if you do. It's not the most straightforward thing in the world, and it is irreversible. If you're running Exchange, your users should have 15 extensionAttribute fields, which may or may not be of use to you.

    Here's a better link for registering an OID:
