AD_Schema_&_specifiers.pdf (16 pages; source path s:\its\uss\pclan\documentation\ad_schema_&_specifiers.pdf)

Uploaded by marcom, 11-Sep-2015

CHAPTER 1 Using Active Directory Schema and Display Specifiers

Introduction

This document introduces you to advanced administration of the Active Directory™ service, using the Active Directory Schema snap-in and display specifier modification. You can add and modify classes and attributes in the schema and extend both the Administrative Tools and the Windows shell by modifying attributes in display specifiers.

Prerequisites

You must have installed the Microsoft Windows 2000 Server operating system (including Active Directory) on a server in your network. You can run the Administrative Tools and scripts used in this walkthrough from the server or from a Windows 2000 Professional-based workstation. You will need two domain controllers within the same domain.

The Administrative Tools are installed by default on all Windows 2000 domain controllers. On stand-alone servers or workstations running Windows 2000, Active Directory Administrative Tools are optional and can be installed from the Windows 2000 optional components package. After installing all the Administrative Tools, you must manually install the Active Directory Schema snap-in (on Windows 2000 the snap-in is registered with regsvr32 schmmgmt.dll before it appears in the Add/Remove Snap-in list).

This step-by-step guide assumes that you have run the procedures in A Step-by-Step Guide to Common Infrastructure for Windows 2000 Server Deployment Part One.

The common infrastructure documents specify a particular hardware and software configuration. If you are not using the common infrastructure, you need to make the appropriate changes to this document. The most current information about hardware requirements and compatibility for servers, clients, and peripherals is available at the Windows 2000 Hardware and Software Compatibility Web site.

Scenarios

This step-by-step guide provides procedures for the following tasks:

Manage the schema. This includes checking security permissions and Write access to the schema, creating new classes and attributes, and extending the existing classes.

Manage display specifiers. This involves extending the shell and Administrative Tools by adding context menus.

A fictional corporation stores additional user information in Active Directory. This information contains sensitive Human Resources (HR) data, including employee Social Security numbers and salary levels. To support this extra information an auxiliary class called HumanResources is created. This class contains the attributes SocialSecurityNumber and SalaryLevel. The HumanResources auxiliary class is then added to the User class.

To display this information (using either the Administrative Tools or by creating extensions to the Windows shell), you then create display specifiers for the additional context menus for the new classes and attributes.

Managing the Active Directory Schema

The Active Directory Schema snap-in allows schema administrators to manage the Active Directory schema by creating and modifying classes and attributes, and specifying which attributes are indexed and which attributes are to be catalogued in the global catalog. Administrators will not perform schema management tasks on a frequent basis, and they should take some care when modifying the schema: schema objects, once created, cannot be deleted. Management of the schema is restricted to a group of administrators called schema administrators. There are three safety precautions that control and limit schema modification:

By default, all domain controllers permit Read access to the schema. A registry entry must be set on a domain controller to permit Write access to the schema on that domain controller.

The schema object is protected by the Windows 2000 Security model; therefore, administrators must be given explicit permissions or be members of the Schema Administrators group to make changes to the schema.

Only one domain controller can write to the schema at any given time. This role is known as the Schema Flexible Single Master Operations (FSMO) role. You must be connected to the schema FSMO to manage the schema.

Note: All subsequent procedures assume you are logged on as an administrator with the required permissions to manage the schema.

Check Membership to the Schema Administrators Group

Before proceeding, make sure that your account is a member of the Schema Administrators group (the built-in group is named Schema Admins and lives in the Users container of the forest root domain). See Step-by-Step Guide to Managing the Active Directory for information about managing group memberships. By default, the administrator account is a member of the Schema Administrators group.

Installing the Windows 2000 Administrative Tools

If you have not already done so, you must install all of the Windows 2000 administrative tools on both domain controllers that you will be using for these scenarios. By default, only some of the tools are installed during normal installation of a domain controller.

To install the complete set of tools

1. Click Start, point to Settings, and click Control Panel.
2. Double-click Add/Remove Programs.
3. Select Windows 2000 Administrative Tools and click Change.
4. Click Next.
5. Click Install All Administrative Tools.

6. Click Next.
7. The components and files are installed; when complete, click Finish and then click Close. Repeat this process on the second domain controller in your testbed.

Starting the Active Directory Schema Snap-in

The Active Directory Schema snap-in is a Microsoft Management Console (MMC) tool. Because schema management is not frequently performed, there is no saved Schema console or Administrative Tool on the Administrative Tools menu. You must load the Schema Manager manually into MMC. Run the following procedure on the domain controller that contains the schema.

To start the Active Directory Schema snap-in

1. Click Start, click Run, and type MMC in the Open box. Click OK.
2. On the Console menu, click Add/Remove Snap-in, click Add, and then click Active Directory Schema. Click Add, click Close, and then click OK.
3. You can save the MMC console containing the Schema snap-in. On the Console menu, click Save As, and type a name for the saved console (for example, Schema.msc). Click Save.

Note: Perform these steps on both domain controllers in this testbed.

Schema FSMO

Although Active Directory is based on a multi-master administration model, some operations support only a single master. One of these operations is schema management. Only one domain controller is permitted to modify the schema at any given time. The term used to describe this is Flexible Single Master Operations (FSMO). By default, the Schema snap-in is targeted to the holder of the schema FSMO role.

You can transfer the schema FSMO from one server to another; however, if you have installed a single Windows 2000 domain controller in your network, then this procedure is unnecessary. By default, that single domain controller is the schema FSMO role holder. To confirm which domain controller currently holds the role before transferring it, run netdom query fsmo from the Windows 2000 Support Tools.

To transfer the schema FSMO to another domain controller

1. Right-click Active Directory Schema in the right pane of the MMC console. Click Change Domain Controller.
2. Click Specify Name and type in the name of the target domain controller. (See the figure below.)

FIGURE 1.

3. Right-click the Schema root node in the left pane, and then click Operations Master.
4. Click Change.
5. Click OK to confirm that you want to change the Operations Master.
6. Click OK when you receive the message that the Operations Master was successfully transferred.

Note: Subsequent procedures in this document are now performed on the second domain controller (which is now the FSMO for the schema).

Setting the Registry to Permit Write Operations to the Schema

To allow a domain controller to write to the schema, you must set a registry entry that permits schema updates.

To set the registry key

1. Right-click the Active Directory Schema root node in the left pane, and then click Operations Master.
2. Select The Schema may be modified on this Domain Controller check box, and then click OK.

FIGURE 2.

The server automatically detects the change to this registry entry (the check box sets the Schema Update Allowed value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters). You do not need to restart the server to permit the schema to be updated. Clear the check box again when the schema work is finished, so that the registry entry remains one of the safeguards against unintended schema changes.

Creating a New Attribute

When creating classes and attributes, note the following:

Do not include spaces when entering the attribute and class names. An LDAP display name with embedded spaces can cause problems.

Object identifiers (OIDs) are issued by international standards authorities such as the International Telecommunications Union (ITU) to prevent issuance of duplicates. If your organization expects to create new classes and attributes, you may want to first request OIDs from the relevant standards body in your country. The OIDs listed here have been issued by Microsoft and are guaranteed to be unique. Do not create your own OIDs.

You can also obtain an ID from the Microsoft Certified for Windows Web site.

To create new attributes for the HumanResources class

1. Click the + next to Active Directory Schema in the left pane.
2. Right-click Attributes in the left pane.
3. Click New, and then select Attribute. You will receive a warning that creating schema objects is a permanent operation and cannot be undone. Click Continue.

FIGURE 3.

4. Create the following new attributes:
5. Click OK after you create each new attribute.

TABLE 1.

Attribute Name          Attribute OID                   Attribute Syntax
SocialSecurityNumber    1.2.840.113556.1.4.7000.142     Case Insensitive String
SalaryLevel             1.2.840.113556.1.4.7000.141     Integer

Creating a New Class

To create the HumanResources class

1. Right-click Classes.
2. Click New, and then click Class. You receive the same warning as before: that schema objects cannot be removed once created. Click Continue.

FIGURE 4.

3. Create the new class with the following values:
4. Click Next and then click Finish.

TABLE 2.

Value Type                 Value
Common Name                HumanResources
LDAP Display Name          HumanResources
Unique X.500 Object ID     1.2.840.113556.1.4.7000.17
Parent Class               Leave Blank
Class Type                 Auxiliary

Adding the Attributes to the Class

After you have created the class, add the attributes to the class.

To add attributes to the class

1. Click Classes in the left pane. Scroll to HumanResources in the right pane, and right-click it.

FIGURE 5.

2. Click Properties, and then click the Attributes tab. Click Add.
3. On the Select Schema Object page, click SalaryLevel and click OK.
4. Repeat these steps to add the SocialSecurityNumber attribute to the class.

When you have finished, the attributes, illustrated in Figure 6, are displayed for this class on the Attributes tab.

FIGURE 6.

Adding an Auxiliary Class to the User Class

After you have created the HumanResources auxiliary class and added attributes to the class, you can add the new auxiliary class to the User class.

To add a new auxiliary class

1. In the right pane, scroll to and right-click the User class node.
2. Click Properties. Click the Relationship tab.
3. Click Add. Select HumanResources and click OK.
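The snap-in steps above (the attributes from Table 1, the class from Table 2, the attribute assignments, and the Relationship tab), together with the schema cache reload described in the next section, can also be applied as one reviewable batch with ldifde, the Windows 2000 command-line LDIF import/export tool. The following Python script is an added example and not code from the guide: it writes that LDIF file and enforces the guide's own rules in code (no spaces in names; only the Microsoft-issued OIDs from the tables). It assumes the forest root reskit.com that the guide uses later; the attributeSyntax/oMSyntax pairs are the standard Active Directory encodings of the two syntaxes in Table 1, and indexing SalaryLevel (searchFlags 1) is my own addition because the guide later searches on that attribute.

```python
"""Write an LDIF file that extends the schema with the HumanResources class.

Added example (not the guide's code). Import it on the schema FSMO holder with
    ldifde -i -f hr_schema.ldf -s <schema master> -k
after the schema-update check box has been set on that domain controller.
"""

# Assumption: the forest root is reskit.com, the domain used later in this guide.
SCHEMA_NC = "CN=Schema,CN=Configuration,DC=reskit,DC=com"
# OID arc issued by Microsoft for this walkthrough (Tables 1 and 2).
MS_OID_PREFIX = "1.2.840.113556.1.4.7000."

# Active Directory encodings of the two syntaxes in Table 1:
# syntax name -> (attributeSyntax, oMSyntax).
SYNTAX = {
    "Case Insensitive String": ("2.5.5.4", 20),
    "Integer": ("2.5.5.9", 2),
}


def check_name(name):
    """The guide's rule: no spaces in class or attribute names (the name becomes
    the lDAPDisplayName). Letters, digits and hyphens only."""
    if not name or " " in name or not name.replace("-", "").isalnum():
        raise ValueError(f"bad schema name {name!r}")
    return name


def check_oid(oid):
    """Refuse anything outside the arc issued to us; never make up OIDs."""
    suffix = oid[len(MS_OID_PREFIX):]
    if not oid.startswith(MS_OID_PREFIX) or not suffix.isdigit():
        raise ValueError(f"OID {oid!r} is not from the issued arc")
    return oid


def record(dn, changetype, attrs):
    """Render one LDIF change record from (name, value) pairs."""
    lines = [("dn: " + dn).rstrip(), f"changetype: {changetype}"]
    lines += [f"{name}: {value}" for name, value in attrs]
    if changetype == "modify":
        lines.append("-")          # terminates the single modify operation
    return "\n".join(lines) + "\n"


def schema_update_now():
    """rootDSE write that reloads the schema cache immediately (the same effect
    as 'Reload the Schema' in the snap-in); needed before a later record in the
    same import can refer to the object just created."""
    return record("", "modify", [("add", "schemaUpdateNow"), ("schemaUpdateNow", "1")])


def attribute_record(name, oid, syntax, indexed=False):
    attribute_syntax, om_syntax = SYNTAX[syntax]
    attrs = [
        ("objectClass", "attributeSchema"),
        ("cn", check_name(name)),
        ("lDAPDisplayName", name),
        ("adminDisplayName", name),
        ("attributeID", check_oid(oid)),
        ("attributeSyntax", attribute_syntax),
        ("oMSyntax", str(om_syntax)),
        ("isSingleValued", "TRUE"),
    ]
    if indexed:
        attrs.append(("searchFlags", "1"))   # bit 0: build an index for this attribute
    return record(f"CN={name},{SCHEMA_NC}", "add", attrs)


def class_record(name, oid, may_contain):
    attrs = [
        ("objectClass", "classSchema"),
        ("cn", check_name(name)),
        ("lDAPDisplayName", name),
        ("adminDisplayName", name),
        ("governsID", check_oid(oid)),
        ("objectClassCategory", "3"),        # 3 = auxiliary ("Class Type: Auxiliary")
        ("subClassOf", "top"),               # "Parent Class: Leave Blank" defaults to top
    ] + [("mayContain", attr) for attr in may_contain]
    return record(f"CN={name},{SCHEMA_NC}", "add", attrs)


def link_auxiliary(structural_cn, aux_name):
    """The Relationship tab step: attach the auxiliary class to User."""
    return record(f"CN={structural_cn},{SCHEMA_NC}", "modify",
                  [("add", "auxiliaryClass"), ("auxiliaryClass", aux_name)])


def build_hr_ldif():
    """Order matters: attributes, reload, class, reload, link, reload."""
    return "\n".join([
        attribute_record("SocialSecurityNumber", MS_OID_PREFIX + "142", "Case Insensitive String"),
        attribute_record("SalaryLevel", MS_OID_PREFIX + "141", "Integer", indexed=True),
        schema_update_now(),
        class_record("HumanResources", MS_OID_PREFIX + "17", ["SocialSecurityNumber", "SalaryLevel"]),
        schema_update_now(),
        link_auxiliary("User", "HumanResources"),
        schema_update_now(),
    ])


if __name__ == "__main__":
    with open("hr_schema.ldf", "w", newline="\r\n") as f:
        f.write(build_hr_ldif())
    print("wrote hr_schema.ldf")
```

The file has to be imported against the schema operations master with the schema-update check box set, and because schema objects cannot be deleted afterwards, the generated file is worth reading through before it is imported; that reviewability is the main reason to prefer an LDIF over clicking through the snap-in twice.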

FIGURE 7.

Updating the Schema Cache

Domain controllers automatically update their schema cache every five minutes. If you need to force an update immediately on the domain controller on which the Schema snap-in is targeted, a menu item is provided to perform the reload.

To update the schema cache immediately

1. Right-click Active Directory Schema in the left pane, and click Reload the Schema.

Minimize the Active Directory Schema MMC console.

Adding Values to the New Attributes

Modifying All Users in the Marketing Organizational Unit

In this scenario, all the users in the Marketing organization have been issued new salary levels. You can use a simple Microsoft Visual Basic Scripting Edition script to perform a batch modification for all user objects in the Marketing organization. (Visual Basic Scripting Edition, also known as VBScript, is a subset of the Microsoft Visual Basic language.) The script adds new values for the SalaryLevel and SocialSecurityNumber attributes. (Note that this script assigns the same SalaryLevel to all user objects and generates a random number for the SocialSecurityNumber.)

To use VBScript to modify all users in the Marketing organizational unit

1. Click Start, point to Programs, point to Accessories, and click Notepad.
2. Copy the following text into Notepad. [The script listing is not reproduced in this transcript.]
3. Click File, click Save As, and save the file as modify.vbs.
4. Close Notepad.
5. Click Start, click Run, and type cmd into the Open box. Click OK.
6. At the command prompt, type modify.vbs and press Enter. The script recurses all objects in the Marketing organizational unit and modifies all users, altering their SalaryLevel and SocialSecurityNumber attributes.

Display All Users in the Marketing Organizational Unit

In this procedure, you use a simple VBScript program to display each user's name, SalaryLevel, and Social Security Number.

To display all users in the Marketing organizational unit

1. Use the same procedures as described in steps 1 and 2 above to copy the following text into Notepad. [The script listing is not reproduced in this transcript.]
2. Click File, click Save As, and save the file as hrinfo.vbs.
3. Close Notepad.
4. Click Start, click Run, and type cmd into the Open box. Click OK.
5. At the command prompt, type hrinfo.vbs and press Enter. The script recurses all objects in the Marketing organizational unit and displays each user's Name, SalaryLevel and SocialSecurityNumber attributes.
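The two VBScript listings (modify.vbs and hrinfo.vbs) are not present in this copy of the guide. The following Python script is an added example, not the guide's code, that performs the same two jobs on an LDIF export of the OU instead of walking it through ADSI: one function emits an LDIF modify file that gives every user in the OU (at any depth, computers excluded) the same SalaryLevel and a random SocialSecurityNumber, the other lists each user's name, SalaryLevel and SocialSecurityNumber. The export embedded in the script is constructed for the example; the OU path OU=Marketing,OU=Accounts,DC=reskit,DC=com is an assumption that follows the Accounts and Marketing folders shown later in this guide, and the ldifde command lines in the comments use the tool's standard -f, -d and -i options.

```python
"""Batch-modify and list the HR attributes of every user under an OU.

Added example; it is not the guide's modify.vbs or hrinfo.vbs. It works on an
LDIF export of the OU, such as
    ldifde -f marketing.ldf -d "OU=Marketing,OU=Accounts,DC=reskit,DC=com"
and writes an LDIF modify file that is applied with ldifde -i.
"""
import base64
import random

# Assumption: the OU path matches the Accounts > Marketing folders in this guide.
MARKETING_OU = "OU=Marketing,OU=Accounts,DC=reskit,DC=com"

# Constructed sample export: the OU, one user with HR values already set, one
# computer (also objectClass user, must be skipped), and one user in a nested OU
# with a folded description line, as ldifde emits for long values.
SAMPLE_EXPORT = """\
dn: OU=Marketing,OU=Accounts,DC=reskit,DC=com
changetype: add
objectClass: organizationalUnit

dn: CN=Suki White,OU=Marketing,OU=Accounts,DC=reskit,DC=com
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Suki White
displayName:: U3VraSBXaGl0ZQ==
SalaryLevel: 20000
SocialSecurityNumber: 000000000

dn: CN=MKT-LAPTOP1,OU=Marketing,OU=Accounts,DC=reskit,DC=com
changetype: add
objectClass: top
objectClass: user
objectClass: computer
cn: MKT-LAPTOP1

dn: CN=Pat Lee,OU=Events,OU=Marketing,OU=Accounts,DC=reskit,DC=com
changetype: add
objectClass: user
cn: Pat Lee
description: nested OU, still under Mar
 keting; ldifde folds long values like this
"""


def parse_ldif(text):
    """Return [(dn, {attr: [values]})]. Handles folded lines and base64 (::)
    values, which is all an ldifde export contains."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # continuation of the previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    records, dn, attrs = [], None, {}
    for line in lines + [""]:
        if line == "":                         # blank line ends a record
            if dn is not None:
                records.append((dn, attrs))
            dn, attrs = None, {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):                # "attr:: base64value"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return records


def users_under(records, base_dn):
    """User objects (not computers, which also carry objectClass user) at any
    depth below base_dn: the 'recurse the OU' part of the guide's scripts."""
    suffix = "," + base_dn.lower()
    for dn, attrs in records:
        classes = {c.lower() for c in attrs.get("objectClass", [])}
        if dn.lower().endswith(suffix) and "user" in classes and "computer" not in classes:
            yield dn, attrs


def hr_updates(export_text, base_dn, salary_level, rng=None):
    """LDIF giving every user the same SalaryLevel and a random placeholder
    SocialSecurityNumber, as the guide's modify.vbs does. Returns (ldif, count)."""
    rng = rng or random.Random()
    out = []
    for dn, _ in users_under(parse_ldif(export_text), base_dn):
        ssn = "%09d" % rng.randrange(10 ** 9)
        out.append("\n".join([
            f"dn: {dn}", "changetype: modify",
            "replace: SalaryLevel", f"SalaryLevel: {salary_level}", "-",
            "replace: SocialSecurityNumber", f"SocialSecurityNumber: {ssn}", "-", "",
        ]))
    return "\n".join(out), len(out)


def hr_report(export_text, base_dn):
    """(name, SalaryLevel, SocialSecurityNumber) per user, what hrinfo.vbs shows."""
    rows = []
    for dn, attrs in users_under(parse_ldif(export_text), base_dn):
        name = (attrs.get("displayName") or attrs.get("cn") or ["?"])[0]
        rows.append((name,
                     (attrs.get("SalaryLevel") or [""])[0],
                     (attrs.get("SocialSecurityNumber") or [""])[0]))
    return rows


if __name__ == "__main__":
    for row in hr_report(SAMPLE_EXPORT, MARKETING_OU):
        print("%-20s salary=%-8s ssn=%s" % row)
    ldif, n = hr_updates(SAMPLE_EXPORT, MARKETING_OU, 20000)
    with open("marketing_hr.ldf", "w", newline="\r\n") as f:
        f.write(ldif)
    print(f"wrote changes for {n} users; apply with ldifde -i -f marketing_hr.ldf")
```

Using replace rather than add in the modify records makes the file safe to apply twice, and filtering out objectClass computer matters because a computer account is a user subclass and would otherwise receive a salary.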

Modifying Display Specifiers

The Active Directory Administrative Tools (such as the Active Directory Users and Computers snap-in) and the Windows shell extensions use display specifiers to dynamically create context menu items and property pages. Display specifiers permit localization of class and attribute names, context menus, and property pages, and also support new classes and attributes such as those you created in the previous procedures in this step-by-step guide.

Display specifiers are objects of class displaySpecifier and are stored in a container in Active Directory that corresponds to the locale ID. This is, in turn, stored in the Display Specifiers container (its actual CN is DisplaySpecifiers, without a space) in the Configuration namespace. For example, US English display specifiers are stored in the container

cn=409,cn=DisplaySpecifiers,cn=Configuration,...

Each display specifier name is derived from the concatenation of an object class's Lightweight Directory Access Protocol (LDAP) display name and -Display. For example, the user object class has an LDAP display name of user. Its display specifier object is user-Display.

Adding Attribute Display Names

In this walkthrough, you added an auxiliary class to the existing user class. All you need to do is add additional context menus and attribute display names to the user display specifier. You can add attribute display names for the new attributes SalaryLevel and SocialSecurityNumber, a context menu for the Active Directory Users and Computers snap-in, and a context menu for the Windows shell.

To extend the User class display specifier

1. Use the same procedures as described in steps 1 and 2 above to copy the following text into Notepad. [The script listing is not reproduced in this transcript.]
2. Click File, click Save As, and save the file as addmenu.vbs.
3. Close Notepad.
4. Click Start, click Run, and type cmd into the Open box. Click OK.
5. At the command prompt, type addmenu.vbs and press Enter. The script adds attribute display names for the newly created attributes SalaryLevel and SocialSecurityNumber, adds Windows shell and Administrative Tools context menus, and creates two simple VBScript programs (hrshell.vbs and hradmin.vbs) in the Windows System directory.

Note: Run this application only once; repeated execution can result in duplicate attribute display names and duplicate context menu items.

Modifying the New Attributes

You can use the Active Directory Users and Computers snap-in to modify the new attributes for the users.

1. Click Start, point to Programs, point to Administrative Tools, and click Active Directory Users and Computers.
2. Click Suki White.

Note: If you did not populate the Active Directory using the Step-by-Step Guide to a Common Infrastructure for Windows 2000 Server Deployment Part 1: Installing a Windows 2000 Server as a Domain Controller, then this user will not be available for this exercise. Choose a user within your sample organization.

3. Right-click Suki White, and click HR Admin.
4. A small VBScript application starts that allows you to modify the user's SalaryLevel and SocialSecurityNumber. Click OK twice to get to this part of the script, and change this user's salary level to 20000. Then click OK.

FIGURE 8.

Searching for Users Based on the New Attributes

You can locate users based on attributes.

1. Click and then right-click reskit.com in the left pane.
2. Click Find.
3. For the search objects, select Users, Contacts, and Groups. Click the Advanced tab.
4. Click the Field button, select Users, and then select Annual Salary.
5. Select a search criterion, such as Annual Salary greater than 20000, then click Find Now. A message asks if you wish to add the current criteria to your search. Click Yes. The search retrieves only those users who meet the search criteria.

FIGURE 9.

6. Close all open windows and MMC consoles.

Viewing New Attributes of a User in the Windows Interface

To view a user's attributes in the Windows interface

1. Double-click the My Network Places icon on the desktop, double-click Entire Network, click Entire Contents, and then double-click the Directory icon. Double-click reskit.com.
2. Double-click the Accounts folder, and then double-click the Marketing icon.

3. Right-click the user Suki White, and select HR Info from the context menu. A small VBScript message box displays the user's HR information.

FIGURE 10.

Note: For security reasons, the default permissions for a user's HR information only allow the user to view his or her own information. A user is not permitted to view another user's HR information. Only administrators are permitted to update a user's HR information. The default permissions can be altered to allow other users read or write access to this information; those procedures are beyond the scope of this walkthrough. Before storing real HR data, confirm the effective permissions on the two new attributes (the Security tab of a user object, or dsacls from the Windows 2000 Support Tools): a newly created attribute belongs to no property set, so whatever read access a principal has on it comes from object-wide Read All Properties grants, and the Pre-Windows 2000 Compatible Access group holds such a grant on user objects when the domain was installed with pre-Windows 2000 compatible permissions.
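For the procedure To extend the User class display specifier earlier in this chapter, whose addmenu.vbs listing is not reproduced in this copy, the same changes to user-Display can be expressed as a single LDIF modify record and imported with ldifde. The Python script below is an added example and not the guide's script. It assumes the forest root reskit.com, that hrshell.vbs and hradmin.vbs already exist in the Windows System directory, and that "Annual Salary" is the display name for SalaryLevel (the name the guide's Find dialog uses); the display name chosen for SocialSecurityNumber is my own.

```python
"""LDIF modification of the US-English user display specifier.

Added example, not the guide's addmenu.vbs. Apply with
    ldifde -i -f user_display.ldf -s <domain controller>
"""

CONFIG_NC = "CN=Configuration,DC=reskit,DC=com"   # assumption: forest root reskit.com
US_ENGLISH = "409"                                # locale ID container named in the text


def display_specifier_dn(ldap_display_name, locale=US_ENGLISH):
    """<ldapDisplayName>-Display inside the locale container under DisplaySpecifiers."""
    return f"CN={ldap_display_name}-Display,CN={locale},CN=DisplaySpecifiers,{CONFIG_NC}"


def csv_value(*fields):
    """attributeDisplayNames, adminContextMenu and shellContextMenu values are
    comma-separated strings, so a comma inside a field would be read as a
    separator; refuse it rather than silently producing a broken entry."""
    for field in fields:
        if "," in str(field):
            raise ValueError(f"comma not allowed in {field!r}")
    return ",".join(str(field) for field in fields)


def build_user_display_ldif(display_names, admin_menus, shell_menus, locale=US_ENGLISH):
    """display_names: {ldapName: 'Display Name'}
    admin_menus / shell_menus: [(ordinal, 'Menu text', 'command')]
    Every 'add:' block appends values to a multi-valued attribute. An LDAP add
    of a value that is already present fails with attributeOrValueExists, so
    re-running the import reports an error instead of creating the duplicate
    entries the guide warns about for addmenu.vbs."""
    lines = [f"dn: {display_specifier_dn('user', locale)}", "changetype: modify"]

    def add_block(attr, values):
        if values:
            lines.append(f"add: {attr}")
            lines.extend(f"{attr}: {v}" for v in values)
            lines.append("-")

    add_block("attributeDisplayNames", [csv_value(a, d) for a, d in display_names.items()])
    add_block("adminContextMenu", [csv_value(*m) for m in admin_menus])
    add_block("shellContextMenu", [csv_value(*m) for m in shell_menus])
    return "\n".join(lines) + "\n"


HR_DISPLAY_NAMES = {
    "SalaryLevel": "Annual Salary",                   # name used in the guide's Find dialog
    "SocialSecurityNumber": "Social Security Number",  # my choice; the guide does not give one
}
# (ordinal, menu text, command); the ordinal orders the item among existing entries.
HR_ADMIN_MENUS = [(1, "HR Admin", "hradmin.vbs")]
HR_SHELL_MENUS = [(1, "HR Info", "hrshell.vbs")]


if __name__ == "__main__":
    with open("user_display.ldf", "w", newline="\r\n") as f:
        f.write(build_user_display_ldif(HR_DISPLAY_NAMES, HR_ADMIN_MENUS, HR_SHELL_MENUS))
    print("wrote user_display.ldf")
```

The command field is executed by whichever client renders the menu, so it should point at a script that domain users can read but not modify; storing a relative name such as hradmin.vbs, as the guide does, relies on the Windows System directory being on the PATH of every workstation that shows the menu.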
