Prevent copying of an Active Directory attribute when duplicating a user account

Many organizations use custom attributes and copy those attributes whenever copying a user account. In many cases this is not what you want. In this post, I show how you can prevent this behavior.

Author
Recent Posts

Tim Buntrock

Tim Buntrock is one of three enterprise administrators for the Active Directory service of a "global player" in the contact center business. He is a certified engineer for MCTS, MCITP, MCSA and MCPS.

Prevent copying an AD attribute

You need to be member of the Schema Admin group to perform this operation. Please remove your account from this group after changing extensionAttribute1. To deselect the option for extensionAttribute1, you can then perform the following steps:

Open a PowerShell console as administrator.
By default, the Active Directory Schema Microsoft Management Console (MMC) snap-in is not registered. You can register the snap-in with this command:
```
regsvr32 schmmgmt.dll
```
Register AD Schema snap in
Open the MMC and add the Active Directory Schemasnap-in.
Adding the AD Schema snap in

In the console, click on the Attributes folder, browse to extensionAttribute1, and right-click on click Properties. Deselect the Attribute is copied when duplicating a user checkbox and then click OK.
Deselect the Attribute is copied when duplicating a user checkbox

Finding copied attributes

How can we find attributes marked for copying and those that aren't when duplicating a user? We can get this information from our Schema Admin console. However, we don't want to browse through all the attributes manually.

To automate the task, we can use PowerShell. We need the Get-ADObject cmdlet to get the AD user object. We also need the Get-ADRootDSE cmdlet to retrieve the object that represents the root of the directory information tree that allows us to read the schemaNamingContext. The schemaNamingContext looks like CN=Schema,CN=Configuration,DC=domain,DC=com and defines our SearchBase.

-SearchBase $((Get-ADRootDSE).schemaNamingContext)

The last part is the LDAPFilter. First, we filter on the objectClass attributeSchema because we are looking for settings on our attribute located in our schema. In our case, we will filter for the object identifier (OID).

An OID is a sequence of numbers in a format that [RFC1778] describes. It is the standard internal representation of an attribute in many LDAP directories. We have to keep the following syntax: <Attribute name>:<OID>:=<decimal comparative value>.

The <Attribute name> is the searchFlags and <OID> would be 1.2.840.113556.1.4.803. This OID is Active Directory specific, and a match occurs only if all bits from the attribute match the value. The name for this LDAP Matching Rule is LDAP_MATCHING_RULE_BIT_AND. The last part <decimal comparative value> is set to 16 to find attributes configured to copy when duplicating the user.

If we put it all together, it looks like this:

Get-ADObject -SearchBase $((Get-ADRootDSE).schemaNamingContext) -LDAPFilter "(&(objectClass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=16))"

In the output we see the DistinguishedName, Name ObjectClass, and ObjectGUID of the attributes configured to copy when duplicating the object.

As we only want to see the Name of those attributes, we just add | %{$_.Name} to our cmdlet.

Get-ADObject -SearchBase $((Get-ADRootDSE).schemaNamingContext) -LDAPFilter "(&(objectClass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=16))" | %{$_.Name}

PowerShell output names only

It you want to retrieve the attributes not copied when duplicating an object, you just have to replace (searchFlags:1.2.840.113556.1.4.803:=16) with (!(searchFlags:1.2.840.113556.1.4.803:=16)).

Subscribe to 4sysops newsletter!

Get-ADObject -SearchBase $((Get-ADRootDSE).schemaNamingContext) -LDAPFilter "(&((objectClass=attributeSchema)(!(searchFlags:1.2.840.113556.1.4.803:=16))))" | %{$_.Name}

Want to write for 4sysops? We are looking for new authors.

4sysops members can earn and read without ads!