| When Active Directory objects are discussed, the terms object properties and object attributes are frequently used. Sometimes the two can be interchanged. Depending on the interface used to access the object, though, this may not be the case. To make things more confusing, when the Active Directory Users and Computers MMC snap-in is used to view or change a user's attribute values, the friendly name presented in the graphical user interface may not be the same as the actual directory name. For example, on a user's Address property page, there is a field labeled City. Accessing this user object directly using ADSI Edit, the directory name for the City field is "l," which stands for "location," as shown in Figure 23.2. Figure 23.2. Accessing Active Directory user objects. 
To discover the directory names of object attributes and to find out what possible attributes an object can contain, you can use two utilities to simplify this task. The Active Directory Users and Computers MMC snap-in can also provide a roundabout way to find object attributes using the Saved Queries applet. The directory name of an object's attribute is used in a script when the script attempts to read or update the attribute's value. To find the directory name of an attribute, you may find the ADSI Edit MMC snap-in to be the easiest tool to use. ADSI Edit MMC Snap-in The ADSI Edit MMC snap-in provides a direct peek into Active Directory partitions to view and modify the objects contained within. ADSI Edit helps you figure out the actual directory names and values of objects and their attributes. Caution ADSI Edit is to Active Directory as Registry Editor is to the System Registry. ADSI Edit is a very powerful tool, but it's important to keep in mind that it doesn't have built-in safeguards that make Active Directory Users and Computers a relatively idiot-proof application. For example, ADUC doesn't allow having more than one primary SMTP address for a user account. There is nothing in ADSI Edit that prevents from assigning multiple primary SMTP addresses, and that may cause serious problems. Changes can be irreversible without a restore from backup. Therefore, perform a full backup prior to working with ADSI Edit.
You can use ADSI Edit to manually populate object attributes when the attribute is not readily available using the Active Directory Users and Computers MMC snap-in. This snap-in can be handy when an attribute name is not known. The entire list of attributes can be displayed in a single window within the snap-in. To connect to the Active Directory Domain Naming Context partition, perform the following steps: | | 1. | Log on to a workstation or server with Domain Admin rights and Local Admin rights on the machine.
| 2. | Install the Windows Server 2003 support tools from the setup CD-ROM. You can install the support tools by running the setup program D:\Support\Tools\ SUPTOOLS.msi, where D represents the letter assigned to the CD-ROM if the setup CD-ROM is used.
| 3. | After the support tools are installed, choose Start, Run.
| 4. | Type MMC and click OK to open the Microsoft Management Console.
| 5. | Choose File, Add/Remove Snap-in.
| 6. | In the Add/Remove Snap-in window, click the Add button to bring up a list of available snap-ins.
| 7. | On the Add Standalone Snap-in page, select ADSI Edit Snap-in and click Add.
| 8. | When the ADSI Edit snap-in is listed in the Add/Remove Snap-in window, click Close on the Add Standalone Snap-in page and click OK in the Add/Remove Snap-in window.
| 9. | When you're back in the MMC window, right-click the ADSI Edit applet and select Connect To.
| 10. | Enter the Active Directory partition or a container's distinguished name as the connection point. To connect to the entire domain so that you see a view similar to Active Directory Users and Computers, click the radio button labeled Select A Well Known Naming Context. Then choose the domain naming context, as shown in Figure 23.3.
Figure 23.3. Selecting the domain naming context as the initial connection point. 
| | | 11. | In the Computer section, choose to specify a domain or server or choose the default domain.
| 12. | Click OK to create the connection.
| 13. | Choose File, Save.
| 14. | Save the console as ADSI Edit in the suggested location and click the Save button.
| 15. | In the console window, expand the domain partition to find objects within the containers in the Active Directory domain.
|
Discovering the Directory Name of a User Attribute To find the directory name of a particular user attributefor example, the Pager attributefollow this simple process: 1. | Using the Active Directory Users and Computers MMC snap-in, find a test user that can be manipulated. Populate the Office attribute on the user's General property page using something that will be easy to locate, such as ZZZZ. Save the change and close the user object.
| 2. | After you save the value, open ADSI Edit by choosing Start, All Programs, Administrative Tools, ADSI Edit. If the console does not appear, perform the steps outlined in the preceding section to create the console.
| 3. | Browse the directory to locate the correct user object.
| 4. | Right-click that user and select Properties.
| 5. | In the Attribute Editor page, click the button labeled Values in the window. This will sort the list of attributes based on the value string, with numbers followed by an alphabetical listing.
| 6. | Scroll to the bottom to find the value ZZZZ.
| 7. | Note the particular attribute name associated with the page value.
| 8. | If the value cannot be located, close the window, right-click the object, choose Refresh, and then open the properties again.
|
By using the Active Directory Users and Computers MMC snap-in, you find the attribute labeled Office actually has a directory name of PhysicalDeliveryOfficeName. If a script were trying to find this information referencing an attribute called Office, the script would always generate an error. Active Directory Schema MMC Snap-in The Active Directory Schema MMC snap-in is a powerful tool that can be used to modify and extend the Active Directory Schema. You can also use it to view and modify the characteristics of directory objects and attributes. For example, if a script will be used to populate a user object's Pager attribute, by using the Schema MMC snap-in, you can locate the Pager attribute to view attribute settings such as what type of data can be stored in this attribute, minimum and maximum range of characters it can support, and whether the attribute is single valued or multivalued. To create and use a Schema MMC snap-in, follow these steps: 1. | Log on to a workstation or server with Domain Admin rights and Local Admin rights on the machine.
| 2. | If you're using a Windows Server 2003 system, proceed to step 4.
| 3. | Install the Windows Server 2003 Administration pack from the setup CD. The Administration pack can be installed on Windows XP Professional systems. Install it by running the setup program D:\i386\Adminpak.MSI, where D represents the letter assigned to the CD-ROM if the setup CD-ROM is used.
| 4. | After you install the Administration pack, choose Start, Run.
| 5. | Type the command Regsvr32.exe schmmgmt.dll and click OK. A confirmation popup window should appear, stating that the file has been registered correctly. This makes the Schema MMC snap-in available for use. Click OK to close this pop-up confirmation window.
| 6. | Choose Start, Run.
| 7. | Type MMC and click OK to open the Microsoft Management Console.
| 8. | Choose File, Add/Remove Snap-in.
| 9. | In the Add/Remove Snap-in window, click the Add button to bring up a list of available snap-ins.
| 10. | On the Add Standalone Snap-in page, select Active Directory Schema Snap-in and click Add.
| 11. | When the Active Directory Schema snap-in is listed in the Add/Remove Snap-in window, click Close in the Add Standalone Snap-in page. Then click OK in the Add/Remove window.
| 12. | Choose File, Save.
| 13. | Save the console as Schema in the suggested location and click the Save button.
|
After you create the Schema MMC snap-in, you can review objects to understand which attributes are available for each object. For example, to find out the characteristics of a Pager attribute, follow these steps: | | 1. | If the Schema MMC snap-in is not open already, choose Start, All Programs, Administrative Tools and select Schema.msc. This, of course, assumes that the console was created as outlined in the preceding steps. Otherwise, open MMC and add the Schema MMC snap-in.
Note When connected, Domain Administrators can view the Schema using this tool, but only members of the Schema Admins group can make modifications to object classes or attributes. | 2. | Select the Attributes container in the left pane; then in the right pane, scroll down and select Pager. If you don't know the directory name of the desired attribute, refer to the "Discovering the Directory Name of a User Attribute" section earlier in this chapter.
| 3. | Right-click the Pager attribute and select Properties to open a window showing the attribute properties.
| 4. | If you need to change somethingfor example, if this attribute should be indexed in the global catalog to improve searches for pager numbersyou can make that change using this window. Only members of the Schema Admins group can make this change. Close this window and the Schema MMC snap-in when you're finished.
|
By using the Schema MMC snap-in, you can extend the Active Directory by adding new attributes that can be placed in specific classes, such as the user class. Extending the schema is beyond the scope of this chapter. For more information on extending the schema in a Windows Server 2003 forest of domains, refer to the Help and Support menu on a Windows Server 2003 server. This menu will also scan the Microsoft Knowledge Base on the Internet for relevant articles if the server has such access. |
