Solved

need a spare active directory user attribute

Posted on 2013-11-15
8
1,016 Views
Last Modified: 2013-11-18
I need to add a unique id to each active directory user account
should I try to find an existing attribute to use or extend the schema and create a new one
is it safe to extend schema and how can I do this?
or how can I find an attribute that is never used?
0
Comment
Question by:dougdog
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
8 Comments
 
LVL 10

Expert Comment

by:172pilotSteve
ID: 39651220
Why not use the "ObjectGUID" or "SID" for the user?  Those are both definitely unique..
0
 
LVL 22

Expert Comment

by:Joseph Moody
ID: 39651222
Extending the schema is as safe as working in the registry. Perfectly fine if you know what you are doing and plan ahead of time.

I would just use a spare attribute though. Info is a good one.
0
 

Author Comment

by:dougdog
ID: 39651258
Why not use the "ObjectGUID" or "SID" for the user
these are both in use
0
Get Actionable Data from Your Monitoring Solution

Your communication platform is only as good as the relevance of the information you send. Ensure your alerts get to the right people every time with actionable responses. Create escalation rules that ensure everyone follows the process and nothing is left to chance.

 
LVL 37

Expert Comment

by:Mahesh
ID: 39651285
You can fill values with employeeID OR employeeNumber attribute which are already present in AD and also unique with each account and some applications may use this for account query.  
You can think addition of schema attribute only if required by any application to query active directory.
It will require lot of perfect scripting work.It may affect AD schema if programmed wrongly.
0
 

Author Comment

by:dougdog
ID: 39651435
how can I search the whole AD to make sure the attribute I choose is def not used
0
 
LVL 37

Expert Comment

by:Mahesh
ID: 39651617
You can query AD for perticular attribute
you can user Bulk AD users from wisesoft and can search any custom attribute for single user or all users in entire domain.
There is option called "Properties to load" there.
You can enter any custom attribute there
For Ex.employeeNumber OR employeeID
also u can export search results to excel or csv
the tool can downloaded as freeware from below site
http://wisesoft.co.uk/software/bulkadusers/default.aspx

OR

alternatively you can check through adsiedit.msc if u have 2003 DC or you can use attribute editor if you have 2008 DC
hope that helps
0
 

Author Comment

by:dougdog
ID: 39652101
so employee id or info are def not used and would be safer to use that creating a new one?
also do I need to add this to the GC list to be replicated
or is it already in there
0
 
LVL 37

Accepted Solution

by:
Mahesh earned 500 total points
ID: 39652197
EmployeeID and EmployeeNumber are the attribute which are not written automatically during user creation.
Also these attributes are not replicated with global catalog.
If you want you can add to replicated attributes through GC.
Please check below article
http://msdn.microsoft.com/en-us/library/windows/desktop/ms675160(v=vs.85).aspx
Below article is written for windows 2000, but still applies to later versions also.
http://support.microsoft.com/kb/248717
Below is the list of attributes replicated with GC
http://support.microsoft.com/kb/257203
Hope that helps
0

Featured Post

Office 365 Training for IT Pros

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A company’s centralized system that manages user data, security, and distributed resources is often a focus of criminal attention. Active Directory (AD) is no exception. In truth, it’s even more likely to be targeted due to the number of companies …
I was prompted to write this article after the recent World-Wide Ransomware outbreak. For years now, System Administrators around the world have used the excuse of "Waiting a Bit" before applying Security Patch Updates. This type of reasoning to me …
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

690 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question