?
Solved

need a spare active directory user attribute

Posted on 2013-11-15
8
Medium Priority
?
1,043 Views
Last Modified: 2013-11-18
I need to add a unique id to each active directory user account
should I try to find an existing attribute to use or extend the schema and create a new one
is it safe to extend schema and how can I do this?
or how can I find an attribute that is never used?
0
Comment
Question by:dougdog
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
8 Comments
 
LVL 10

Expert Comment

by:172pilotSteve
ID: 39651220
Why not use the "ObjectGUID" or "SID" for the user?  Those are both definitely unique..
0
 
LVL 22

Expert Comment

by:Joseph Moody
ID: 39651222
Extending the schema is as safe as working in the registry. Perfectly fine if you know what you are doing and plan ahead of time.

I would just use a spare attribute though. Info is a good one.
0
 

Author Comment

by:dougdog
ID: 39651258
Why not use the "ObjectGUID" or "SID" for the user
these are both in use
0
Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

 
LVL 37

Expert Comment

by:Mahesh
ID: 39651285
You can fill values with employeeID OR employeeNumber attribute which are already present in AD and also unique with each account and some applications may use this for account query.  
You can think addition of schema attribute only if required by any application to query active directory.
It will require lot of perfect scripting work.It may affect AD schema if programmed wrongly.
0
 

Author Comment

by:dougdog
ID: 39651435
how can I search the whole AD to make sure the attribute I choose is def not used
0
 
LVL 37

Expert Comment

by:Mahesh
ID: 39651617
You can query AD for perticular attribute
you can user Bulk AD users from wisesoft and can search any custom attribute for single user or all users in entire domain.
There is option called "Properties to load" there.
You can enter any custom attribute there
For Ex.employeeNumber OR employeeID
also u can export search results to excel or csv
the tool can downloaded as freeware from below site
http://wisesoft.co.uk/software/bulkadusers/default.aspx

OR

alternatively you can check through adsiedit.msc if u have 2003 DC or you can use attribute editor if you have 2008 DC
hope that helps
0
 

Author Comment

by:dougdog
ID: 39652101
so employee id or info are def not used and would be safer to use that creating a new one?
also do I need to add this to the GC list to be replicated
or is it already in there
0
 
LVL 37

Accepted Solution

by:
Mahesh earned 2000 total points
ID: 39652197
EmployeeID and EmployeeNumber are the attribute which are not written automatically during user creation.
Also these attributes are not replicated with global catalog.
If you want you can add to replicated attributes through GC.
Please check below article
http://msdn.microsoft.com/en-us/library/windows/desktop/ms675160(v=vs.85).aspx
Below article is written for windows 2000, but still applies to later versions also.
http://support.microsoft.com/kb/248717
Below is the list of attributes replicated with GC
http://support.microsoft.com/kb/257203
Hope that helps
0

Featured Post

Office 365 Training for IT Pros

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Always backup Domain, SYSVOL etc.using processes according to Microsoft Best Practices. This is meant as a disaster recovery process for small environments that did not implement backup processes and did not run a secondary domain controller that ne…
This process allows computer passwords to be managed and secured without using LAPS. This is an improvement on an existing process, enhanced to store password encrypted, instead of clear-text files within SQL
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…
Suggested Courses

765 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question