You want to find the attributes that are not replicated or are constructed by Active Directory.
10.15.2.1 Using a graphical user interface
10.15.2.2 Using a command-line interface
To find the nonreplicated attributes, use the following command:
> dsquery * cn=schema,cn=configuration,<ForestRootDN> -scope onelevel -attr "cn" -filter "(&(objectcategory=attributeSchema)(systemFlags:1.2.840.113556.1.4.803:=1))"
To find the constructed attributes, use the following command:
> dsquery * cn=schema,cn=configuration,<ForestRootDN> -scope onelevel -attr "cn" -filter "(&(objectcategory=attributeSchema)(systemFlags:1.2.840.113556.1.4.803:=4))"
10.15.2.3 Using VBScript
' This script will print out the nonreplicated and constructed attributes
' The matching rule OID 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND,
' so the filter matches every attributeSchema object whose systemFlags has
' the requested bit set, regardless of which other bits are also set.
set objRootDSE = GetObject("LDAP://RootDSE")
strBase = "<LDAP://" & objRootDSE.Get("SchemaNamingContext") & ">;"
strFilter = "(&(objectcategory=attributeSchema)" _
            & "(systemFlags:1.2.840.113556.1.4.803:=1));"
strAttrs = "cn;"
strScope = "onelevel"
set objConn = CreateObject("ADODB.Connection")
objConn.Provider = "ADsDSOObject"
objConn.Open "Active Directory Provider"

' Bit 1 (0x1): attribute is not replicated between domain controllers
set objRS = objConn.Execute(strBase & strFilter & strAttrs & strScope)
WScript.Echo "Nonreplicated attributes: "
if Not objRS.EOF then objRS.MoveFirst
while Not objRS.EOF
   WScript.Echo " " & objRS.Fields(0).Value
   objRS.MoveNext
wend

' Bit 4 (0x4): attribute is constructed by Active Directory
strFilter = "(&(objectcategory=attributeSchema)" _
            & "(systemFlags:1.2.840.113556.1.4.803:=4));"
set objRS = objConn.Execute(strBase & strFilter & strAttrs & strScope)
WScript.Echo ""
WScript.Echo "Constructed attributes: "
if Not objRS.EOF then objRS.MoveFirst
while Not objRS.EOF
   WScript.Echo " " & objRS.Fields(0).Value
   objRS.MoveNext
wend
The systemFlags attribute of attributeSchema objects defines a few special attribute properties, including whether an attribute is not replicated between domain controllers and whether it is dynamically constructed by Active Directory.
Most attributes are replicated after they are updated on an object, but some never replicate between domain controllers. These attributes are considered nonreplicated. An example of a nonreplicated attribute you may be familiar with is the lastLogon attribute, which stores the last logon timestamp for user and computer objects. Whenever a user or computer logs in to Active Directory, the authenticating domain controller updates the user or computer's lastLogon attribute, but the update does not get replicated out to other domain controllers.
Constructed attributes are automatically maintained by Active Directory and cannot be set manually. A good example of a constructed attribute is the new msDS-Approx-Immed-Subordinates that is available in Windows Server 2003. That attribute contains the approximate number of child objects within a container. Obviously this attribute wouldn't be of much value if you had to maintain it, so Active Directory does it automatically.
One of the downsides to constructed attributes is that you cannot search against them. For example, I cannot perform a search to find all containers that have more than 10 objects in them (i.e., msDS-Approx-Immed-Subordinates>10). This would return an operations error. Constructed attributes can only be returned as part of the attribute set for a query and not used as part of the query itself.
To find the nonreplicated or constructed attributes you have to use a bitwise LDAP filter against attributeSchema objects. A bit value of 1 indicates the attribute is nonreplicated and a value of 4 indicates the attribute is constructed.
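The following Python example is added here and is not part of the recipe; it builds the same systemFlags filters the dsquery and VBScript solutions use and evaluates the bitwise AND matching rule locally against constructed sample attributeSchema entries (the systemFlags values are sample data, not read from a real schema), which also shows why a plain equality test on systemFlags would miss attributes whose other bits are set.

```python
# Added example: build the recipe's bitwise systemFlags filters and apply the
# matching-rule semantics locally to constructed sample schema entries.
BIT_AND_RULE = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND
FLAG_ATTR_NOT_REPLICATED = 0x1           # bit tested by the nonreplicated filter
FLAG_ATTR_IS_CONSTRUCTED = 0x4           # bit tested by the constructed filter


def systemflags_filter(mask: int) -> str:
    """Return the attributeSchema filter the recipe passes to dsquery/ADO."""
    return f"(&(objectcategory=attributeSchema)(systemFlags:{BIT_AND_RULE}:={mask}))"


def bit_and_match(value: int, mask: int) -> bool:
    """Semantics of the bit-AND rule: true only if every bit in mask is set."""
    return value & mask == mask


def find_attributes(entries, mask: int, bitwise: bool = True):
    """Return sorted cn values whose systemFlags satisfies mask.

    bitwise=True mirrors the recipe's extensible-match filter; bitwise=False
    mirrors a naive (systemFlags=<mask>) equality filter for comparison.
    """
    test = bit_and_match if bitwise else (lambda v, m: v == m)
    return sorted(e["cn"] for e in entries if test(e["systemFlags"], mask))


# Constructed sample entries (assumed values, not real schema data). Real
# schema objects usually carry additional systemFlags bits alongside 0x1/0x4,
# which is exactly why the equality form of the query comes back empty.
SAMPLE_SCHEMA = [
    {"cn": "Last-Logon", "systemFlags": 0x11},                        # 0x1 | 0x10
    {"cn": "ms-DS-Approx-Immed-Subordinates", "systemFlags": 0x14},   # 0x4 | 0x10
    {"cn": "Bad-Pwd-Count", "systemFlags": 0x11},                     # 0x1 | 0x10
    {"cn": "Description", "systemFlags": 0x10},                       # neither bit
    {"cn": "Hypothetical-Both", "systemFlags": 0x05},                 # 0x1 | 0x4
]

if __name__ == "__main__":
    print(systemflags_filter(FLAG_ATTR_NOT_REPLICATED))
    print("Nonreplicated:", find_attributes(SAMPLE_SCHEMA, FLAG_ATTR_NOT_REPLICATED))
    print("Constructed:  ", find_attributes(SAMPLE_SCHEMA, FLAG_ATTR_IS_CONSTRUCTED))
    # The equality form finds nothing, because no sample entry has systemFlags == 1.
    print("Equality test:", find_attributes(SAMPLE_SCHEMA, FLAG_ATTR_NOT_REPLICATED, bitwise=False))
```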
10.15.4 See Also
Recipe 4.9 for searching with a bitwise filter