Creating custom Active Directory Schema Classes and Attributes and OID X500 Generation Script

Scenario:

Let’s say your application team has developed an in-house application that needs to store some user-related data in Active Directory. For this they ask you to create two new custom user attributes in Active Directory, and also to create a restricted service account for the application that has access to only these attributes.

Phase I: Creating custom fields in Active Directory Schema Management snap-in:

Step I: Register the Active Directory Schema snap-in (Schema Management) for the MMC console:

Start > Run > regsvr32 schmmgmt.dll

Step II: Create the classes and attributes required for your work.

From the Schema Management snap-in you can create new classes and attributes. When you create a new class or attribute, the snap-in asks you for a unique X.500 Object Identifier (OID), and obtaining that unique OID is what this whole article is about.

Run the script below on your machine to get your own unique X.500 OID, and use it when creating custom classes and attributes in Active Directory.

NOTE: After creating a custom attribute, add it to the respective class(es), e.g. the user class, so that objects of that class can carry it.

Copy the text below, paste it into Notepad, and save it with a “.vbs” extension.
Visual Basic
' oidgen.vbs
' 
' THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED 
' OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR 
' FITNESS FOR A PARTICULAR PURPOSE.
'
' Copyright (c) Microsoft Corporation. All rights reserved
'
' This script is not supported under any Microsoft standard support program or service. 
' The script is provided AS IS without warranty of any kind. Microsoft further disclaims all
' implied warranties including, without limitation, any implied warranties of merchantability
' or of fitness for a particular purpose. The entire risk arising out of the use or performance
' of the scripts and documentation remains with you. In no event shall Microsoft, its authors,
' or anyone else involved in the creation, production, or delivery of the script be liable for 
' any damages whatsoever (including, without limitation, damages for loss of business profits, 
' business interruption, loss of business information, or other pecuniary loss) arising out of 
' the use of or inability to use the script or documentation, even if Microsoft has been advised 
' of the possibility of such damages.
' ----------------------------------------------------------------------
Function GenerateOID()
    'Initializing Variables
    Dim guidString, oidPrefix
    Dim guidPart0, guidPart1, guidPart2, guidPart3, guidPart4, guidPart5, guidPart6
    Dim oidPart0, oidPart1, oidPart2, oidPart3, oidPart4, oidPart5, oidPart6
    On Error Resume Next
    'Generate GUID
    Set TypeLib = CreateObject("Scriptlet.TypeLib")
    guidString = TypeLib.Guid
    'If no network card is available on the machine then generating GUID can result with an error.
    If Err.Number <> 0 Then
        Wscript.Echo "ERROR: Guid could not be generated, please ensure machine has a network card."
        Err.Clear
        WScript.Quit
    End If
    'Stop Error Resume Next
    On Error GoTo 0
    'The Microsoft OID Prefix used for the automated OID Generator
    oidPrefix = "1.2.840.113556.1.8000.2554"
    'Split GUID into 6 hexadecimal numbers
    guidPart0 = Trim(Mid(guidString, 2, 4))
    guidPart1 = Trim(Mid(guidString, 6, 4))
    guidPart2 = Trim(Mid(guidString, 11, 4))
    guidPart3 = Trim(Mid(guidString, 16, 4))
    guidPart4 = Trim(Mid(guidString, 21, 4))
    guidPart5 = Trim(Mid(guidString, 26, 6))
    guidPart6 = Trim(Mid(guidString, 32, 6))
    'Convert the hexadecimal to decimal
    'The trailing "&" forces a Long: a 4-digit group in the range 8000-FFFF would
    'otherwise be read as a negative 16-bit Integer and produce an invalid OID arc.
    oidPart0 = CLng("&H" & guidPart0 & "&")
    oidPart1 = CLng("&H" & guidPart1 & "&")
    oidPart2 = CLng("&H" & guidPart2 & "&")
    oidPart3 = CLng("&H" & guidPart3 & "&")
    oidPart4 = CLng("&H" & guidPart4 & "&")
    oidPart5 = CLng("&H" & guidPart5 & "&")
    oidPart6 = CLng("&H" & guidPart6 & "&")
    'Concatenate all the generated OIDs together with the assigned Microsoft prefix and return
    GenerateOID = oidPrefix & "." & oidPart0 & "." & oidPart1 & "." & oidPart2 & "." & oidPart3 & _
        "." & oidPart4 & "." & oidPart5 & "." & oidPart6
End Function
'Output the resulted OID with best practice info
Wscript.Echo "Your root OID is: " & VBCRLF & GenerateOID & VBCRLF & VBCRLF & VBCRLF & _
    "This prefix should be used to name your schema attributes and classes. For example: " & _
    "if your prefix is ""Microsoft"", you should name schema elements like ""microsoft-Employee-ShoeSize"". " & _
    "For more information on the prefix, view the Schema Naming Rules in the server " & _
    "Application Specification (http://www.microsoft.com/windowsserver2003/partners/isvs/appspec.mspx)." & _
    VBCRLF & VBCRLF & _
    "You can create subsequent OIDs for new schema classes and attributes by appending a .X to the OID where X may " & _
    "be any number that you choose.  A common schema extension scheme generally uses the following structure:" & VBCRLF & _
    "If your assigned OID was: 1.2.840.113556.1.8000.2554.999999" & VBCRLF & VBCRLF & _
    "then classes could be under: 1.2.840.113556.1.8000.2554.999999.1 " & VBCRLF & _
    "which makes the first class OID: 1.2.840.113556.1.8000.2554.999999.1.1" & VBCRLF & _
    "the second class OID: 1.2.840.113556.1.8000.2554.999999.1.2     etc..." & VBCRLF & VBCRLF & _
    "Using this example attributes could be under: 1.2.840.113556.1.8000.2554.999999.2 " & VBCRLF & _
    "which makes the first attribute OID: 1.2.840.113556.1.8000.2554.999999.2.1 " & VBCRLF & _
    "the second attribute OID: 1.2.840.113556.1.8000.2554.999999.2.2     etc..." & VBCRLF & VBCRLF & _
    "Here are some other useful links regarding AD schema:" & VBCRLF & _
    "Understanding AD Schema" & VBCRLF & _
    "http://technet2.microsoft.com/WindowsServer/en/Library/b7b5b74f-e6df-42f6-a928-e52979a512011033.mspx " & _
    VBCRLF & VBCRLF & _
    "Developer documentation on AD Schema:" & VBCRLF & _
    "http://msdn2.microsoft.com/en-us/library/ms675085.aspx " & VBCRLF & VBCRLF & _
    "Extending the Schema" & VBCRLF & _
    "http://msdn2.microsoft.com/en-us/library/ms676900.aspx " & VBCRLF & VBCRLF & _
    "Step-by-Step Guide to Using Active Directory Schema and Display Specifiers " & VBCRLF & _
    "http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/howto/adschema.mspx " & _
    VBCRLF & VBCRLF & _
    "Troubleshooting AD Schema " & VBCRLF & _
    "http://technet2.microsoft.com/WindowsServer/en/Library/6008f7bf-80de-4fc0-ae3e-51eda0d7ab651033.mspx  " & _
    VBCRLF & VBCRLF


For more information, see the following URLs:

http://msdn.microsoft.com/en-us/library/ms677620(VS.85).aspx
http://gallery.technet.microsoft.com/ScriptCenter/en-us/56b78004-40d0-41cf-b95e-6e795b2e8a06
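The same OID derivation as oidgen.vbs, followed by the attribute creation and class linking that the snap-in steps above do by hand, as an added PowerShell example (not code from the original post or from Microsoft's script). It assumes the ActiveDirectory module, a session as a member of Schema Admins, and two made-up attribute names, `contoso-App-AccountId` and `contoso-App-Region`; the `1.2.840.113556.1.8000.2554` prefix and the "attributes under the .2 sub-arc" numbering are the ones the script's own output text describes.

```powershell
# Added example: not part of the original post or of Microsoft's oidgen.vbs.
# Assumes the ActiveDirectory module, a session as a member of Schema Admins,
# and the made-up attribute names used at the bottom.
Import-Module ActiveDirectory

function New-SchemaRootOid {
    # Same derivation as oidgen.vbs: the GUID's 32 hex digits are split into
    # groups of 4,4,4,4,4,6,6 and each group becomes one decimal arc under the
    # Microsoft prefix reserved for generated OIDs.
    param([guid]$Guid = [guid]::NewGuid())
    $hex  = $Guid.ToString('N')          # 32 hex digits, no braces or hyphens
    $arcs = @()
    $pos  = 0
    foreach ($width in 4, 4, 4, 4, 4, 6, 6) {
        # ToInt64 reads the group as unsigned, so 8000-FFFF can never become a negative arc
        $arcs += [Convert]::ToInt64($hex.Substring($pos, $width), 16)
        $pos  += $width
    }
    return '1.2.840.113556.1.8000.2554.' + ($arcs -join '.')
}

function New-CustomUserAttribute {
    # Create one single-valued Unicode-string attribute in the schema and make it
    # an optional attribute (mayContain) of the user class, as the NOTE above says.
    param(
        [Parameter(Mandatory)][string]$Name,          # lDAPDisplayName and CN
        [Parameter(Mandatory)][string]$AttributeId,   # the OID for this attribute
        [Parameter(Mandatory)][string]$Description
    )
    $master   = (Get-ADForest).SchemaMaster           # schema writes only succeed on the FSMO holder
    $schemaNC = (Get-ADRootDSE -Server $master).schemaNamingContext
    $props = @{
        lDAPDisplayName  = $Name
        attributeID      = $AttributeId
        attributeSyntax  = '2.5.5.12'                 # Unicode string ...
        oMSyntax         = 64                         # ... (this pair defines the syntax)
        isSingleValued   = $true
        adminDescription = $Description
    }
    New-ADObject -Name $Name -Type attributeSchema -Path $schemaNC -OtherAttributes $props -Server $master
    # Refresh the schema cache so the new lDAPDisplayName resolves before it is linked to a class
    $rootDse = [ADSI]"LDAP://$master/RootDSE"
    $rootDse.Put('schemaUpdateNow', 1)
    $rootDse.SetInfo()
    Set-ADObject -Identity "CN=User,$schemaNC" -Add @{ mayContain = $Name } -Server $master
}

# Run: one root OID per application, attributes numbered under the .2 sub-arc
# (the convention the script's own output text describes). Names are assumptions.
$root = New-SchemaRootOid
Write-Host "Root OID for this application: $root"
New-CustomUserAttribute -Name 'contoso-App-AccountId' -AttributeId "$root.2.1" -Description 'In-house app: account id'
New-CustomUserAttribute -Name 'contoso-App-Region'    -AttributeId "$root.2.2" -Description 'In-house app: region'
```

Keep the generated root OID with the application's documentation: every later class or attribute for the same application should be numbered under it rather than generated afresh, otherwise two administrators can end up with unrelated OIDs for one product. `New-ADObject` and `Set-ADObject` both accept `-WhatIf`, which is the safe way to preview the schema change before committing it.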


Phase II: Giving the application service account restricted access to the data saved in Active Directory in these two custom attributes:

–          Create the service account for the application from Active Directory Users and Computers.

–          Give restricted access to the application service account created above:

  • Open the Active Directory Users and Computers snap-in.
  • Set the view to Advanced Features.
  • Right-click either the domain or the specific OU on which you want to delegate.
  • Select the service account you created above.
  • Go to custom rights.
  • Select the custom attributes created above for the application in the Schema Management snap-in, for Read / Write.
  • Finished.
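The delegation in Phase II written as an explicit ACE instead of the wizard, as an added PowerShell example (not from the original post). Assumed: the attribute `contoso-App-AccountId` from Phase I exists, the service account is `svc-app`, and the OU is `OU=Staff,DC=contoso,DC=com`; the `user` class schemaIDGUID `bf967aba-0de6-11d0-a285-00aa003049e2` is the well-known constant. The ACE is scoped to one attribute and inherits only to user objects, which is the least-privilege shape the snap-in's Read / Write selection produces, and the last function lists what the account actually holds so you can confirm nothing wider was granted.

```powershell
# Added example, not part of the original post. Assumes the ActiveDirectory
# module, an account allowed to change the OU's security descriptor, the
# attributes created in Phase I, and the made-up names used at the bottom.
Import-Module ActiveDirectory

$UserClassGuid = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of the user class

function Get-AttributeSchemaGuid {
    # Look up the schemaIDGUID that identifies one attribute in an ACE's ObjectType field
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNC -Properties schemaIDGUID `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))"
    if (-not $obj) { throw "attribute $LdapDisplayName not found in the schema" }
    return New-Object System.Guid -ArgumentList (,[byte[]]$obj.schemaIDGUID)
}

function Grant-AttributeAccess {
    # Allow ReadProperty + WriteProperty on exactly one attribute, for user objects under $OuDn only
    param(
        [Parameter(Mandatory)][string]$OuDn,
        [Parameter(Mandatory)][string]$ServiceAccount,
        [Parameter(Mandatory)][string]$LdapDisplayName
    )
    $sid      = (Get-ADUser $ServiceAccount).SID
    $attrGuid = Get-AttributeSchemaGuid $LdapDisplayName
    $rights   = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $sid,
        $rights,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $attrGuid,                                                          # ObjectType: this one attribute
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $UserClassGuid                                                      # InheritedObjectType: user objects only
    )
    $acl = Get-Acl -Path "AD:\$OuDn"
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
}

function Get-DelegatedAces {
    # Review what the account actually holds on the OU: expect only attribute-scoped
    # ReadProperty/WriteProperty entries; an empty ObjectType would mean "all properties".
    param([Parameter(Mandatory)][string]$OuDn, [Parameter(Mandatory)][string]$ServiceAccount)
    $sid = (Get-ADUser $ServiceAccount).SID
    (Get-Acl -Path "AD:\$OuDn").GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference.Value -eq $sid.Value } |
        Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
}

# Run (names are assumptions): one ACE per custom attribute, then review the result
$ou = 'OU=Staff,DC=contoso,DC=com'
foreach ($attr in 'contoso-App-AccountId', 'contoso-App-Region') {
    Grant-AttributeAccess -OuDn $ou -ServiceAccount 'svc-app' -LdapDisplayName $attr
}
Get-DelegatedAces -OuDn $ou -ServiceAccount 'svc-app' | Format-Table -AutoSize
```

Delegating at an OU rather than at the domain root keeps the service account's reach to the users that actually need the data, and the review function is worth re-running after any later change to the OU's ACL: an entry for the account whose ObjectType is empty, or whose rights include GenericAll or WriteDacl, means the delegation has drifted beyond the two attributes.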

Verified on the following platforms:

  Windows Server 2008 R2: Yes
  Windows Server 2008: Yes
  Windows Server 2003: Yes
  Windows 7: No
  Windows Vista: No
  Windows XP: Yes
  Windows 2000: Yes


Important Notice:

If you are doing a schema modification and you really don’t know what you are doing, then read my lips: it can turn you and your entire systems environment into a nightmare. So first do your homework and prepare yourself for the required schema modification, and then go ahead and taste the meat and potatoes.

  Zahir Hussain Shah


12 responses to “Creating custom Active Directory Schema Classes and Attributes and OID X500 Generation Script”

  1. Hello,
    I need some information. I want to add a new schema in the AD. Can you tell me the step-by-step procedure to do that, or provide me any link?

  2. Dear Noman,

    Follow the below steps to fulfill your requirements:

    1) Download the script from my post or from the Microsoft site (http://gallery.technet.microsoft.com/ScriptCenter/en-us/56b78004-40d0-41cf-b95e-6e795b2e8a06).

    2) Copy and paste the script code into a Notepad file and save it as “.VBS”.

    3) This will give you OIDs for your AD Schema class creation.

    4) Go to the root Domain Controller (GC – containing the Schema Master role) and log in as an Administrator of your domain, or as any user account which has Schema Admins rights.

    5) Open the Schema Management Console (by default the schema management console is not available as a normal snap-in in the MMC console); you have to register a .DLL on the DC to access it (search for registering the schema management dll).

    6) Once you have the Schema Management Console open, then either from Attribute or Class create a new class and put in the OID number which the script provided you.

    I hope it was helpful; for more details see my post (https://zhshah.wordpress.com/2010/10/04/creating-custom-active-directory-schema-classes-and-attributes-and-oid-x500-generation-script-2/#comments)

    Zahir

  3. hmmm awesome…
    Well, I am a Software Engineer and do not have much knowledge of these things. I just want to build the schema in an LDAP directory and consume it programmatically.

    My desired Active Directory Schema would be this:

    [SyStudentID]
    [Portal Login ID]

    FName
    LName
    Email
    [Multiple Entries]
      - SeqNum [For Priority]
      - AppID
      - LoginID
    - [Multiple Entries]
      - CampusID
      - CampusName

    [Ex: Parents]

  4. hmmm awesome…
    Well, I am a Software Engineer and do not have much knowledge of these things. I just want to build the schema in an LDAP directory and consume it programmatically.

    My desired Active Directory Schema would be this:

    - [SyStudentID]
    - [Portal Login ID]
    -
      - FName
      - LName
      - Email
    - [Multiple Entries]
      - SeqNum [For Priority]
      - AppID
      - LoginID
    - [Multiple Entries]
      - CampusID
      - CampusName

    Can you tell me how I can design this in Active Directory?

  5. I understand how to create the custom attribute and map it with User,

    but I have a little bit of confusion about classes.
    I have some questions; can you please answer me?

    1: What is the basic purpose of creating a new class (created from the snap-in)?

    2: How can we see this custom-defined class in Active Directory in the tree view?

    3: From the above schema, do you think I need to define a new class, or just define an OU and create the attributes?

    Thanks

  6. Here you go…

    1: What is the basic purpose of creating a new class (created from the snap-in)?

    Classes are the parent objects in the AD Schema. For instance, the User class of the AD Schema has all the user object level attributes associated with it, like sAMAccountName, userPrincipalName, Location, emailaddress, etc. We create attributes and then link/attach them with the corresponding object level Schema Class.

    2) You can use the Schema Management Console. By default the Schema Management console does not appear in the MMC (Start\Run\MMC – add schema from Add snap-in); we have to register a .dll to see the Schema Management snap-in in MMC. To register the dll run this command: “regsvr32 c:\winnt\system32\schmmgmt.dll”.

    3) First of all, always remember that AD Schema modification is a one-time work; you cannot go back using any time machine :), so be careful. I would recommend that you really don’t need to create a new schema class, just create new attributes; or maybe you don’t need to create a new attribute at all and run into complexity: there are 15 or so free attributes, use them and that’s it.

    I hope it explains what exactly you need.

    Zahir

  7. Dear Zahir,
    Thanks for providing such interesting information. You provided me very quick and brief detail.
    I will keep posting here if I want to know something related to Active Directory.
    Thanks again.

  8. Hi,
    I need to know something: how do we store multiple entries of some information in AD?
    I mean, if a student is in my AD and there is information about the student like the student's subjects, how do we store this kind of information related to a single student?

    I know there is a multi-valued attribute in AD, but is there any other way?

  9. Noman,

    As I understood from the earlier communication, you are testing your project / application to read and write data to an LDAP-based Directory Service, where you are currently using ADAM or ADDS. As part of your question, I think the only available attributes which will help you store multiple entries for one User Object will be, as you said, Multi Value Attributes, but I would recommend using SQL Server Express Edition, as it will fulfill all your application’s requirements, because configuring your LDAP server would be a little bit risky and not difficult as well.

  10. Sorry for the late reply..

    Well, you mean I should store such info in my Database (SQL Server Express Edition)?

    If I store this info inside my DB and some info in my AD, first my application queries AD to authenticate the student and then I request the Database to provide other related information about this authenticated student. Does this not slow down my process of getting student information, since I query both AD and the Database, 2 times?

    What do you say about it?

  11. […] The busiest day of the year was November 30th with 134 views. The most popular post that day was Creating custom Active Directory Schema Classes and Attributes and OID X500 Generation Script. […]

  12. Dear Zahir,

    How do we ensure that the data entered for each in a custom attribute, like an employee ID, is unique?
