Many organizations store custom data in Active Directory attributes, and those values travel along whenever an admin copies a user account. In many cases this is not what you want. In this post, I show how you can prevent this behavior for a specific attribute.

Admins like to copy an existing Active Directory user account because the new account automatically inherits a set of attribute values from the template, which saves pre-staging them by hand. However, the copy also carries over values that were meant to be unique to the original user, and this can cause various problems.

Let's say you use extensionAttribute1 to store a unique ID that drives a mailbox move from one Exchange organization to another in a different forest. If a second user ends up with the same value, the sync fails, or, worse, Exchange associates the mail with the wrong mailbox.

You can prevent this by clearing the schema option Attribute is copied when duplicating a user for that attribute. The setting lives in the schema, so clearing it applies to every domain in the forest and to every tool that honors the flag.

Prevent copying an AD attribute

You need to be a member of the Schema Admins group to perform this operation. Group membership is evaluated at logon, so log off and on again after adding your account, and remove it from the group again after changing extensionAttribute1. The Schema snap-in connects to the schema master by default; the change then replicates to the whole forest. To deselect the option for extensionAttribute1, perform the following steps:

  1. Open a PowerShell console as administrator on a domain controller or on a machine with the RSAT AD DS tools installed (they ship the schema snap-in).
  2. By default, the Active Directory Schema Microsoft Management Console (MMC) snap-in is not registered. You can register the snap-in with this command:
    regsvr32 schmmgmt.dll

    Register AD Schema snap-in

  3. Open the MMC and add the Active Directory Schema snap-in.

    Adding the AD Schema snap-in

  4. In the console, click the Attributes folder, browse to extensionAttribute1, right-click it, and click Properties. Deselect the Attribute is copied when duplicating a user checkbox and then click OK.

    Deselect the Attribute is copied when duplicating a user checkbox
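The same change can be scripted. The following function is an added example and is not part of the original post: it reads the attribute's searchFlags on the schema master, clears or sets only bit 0x10 (the bit behind the MMC checkbox), writes it back with Set-ADObject, and then asks the schema master to reload its schema cache. It assumes the RSAT ActiveDirectory module is available and that you are logged on as a Schema Admin; the function and parameter names are my own.

```powershell
# Added example, not part of the original post: set or clear the
# "Attribute is copied when duplicating a user" flag from PowerShell instead of
# the Schema MMC snap-in. Requires the RSAT ActiveDirectory module and Schema
# Admins membership in your current logon token. Function and parameter names
# are assumptions for this example.
function Set-SchemaCopyFlag {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # lDAPDisplayName of the attribute, e.g. extensionAttribute1
        [Parameter(Mandatory)][string]$AttributeName,
        # $false clears the flag (the goal of this post), $true sets it again
        [bool]$CopyOnDuplicate = $false
    )

    Import-Module ActiveDirectory -ErrorAction Stop

    # fCOPY bit of the searchFlags bitmask; the MMC checkbox toggles exactly this bit
    $CopyFlag = 0x10

    # Schema writes must go to the schema master FSMO role holder
    $SchemaMaster = (Get-ADForest).SchemaMaster
    $SchemaNC     = (Get-ADRootDSE -Server $SchemaMaster).schemaNamingContext

    $Attr = Get-ADObject -Server $SchemaMaster -SearchBase $SchemaNC `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$AttributeName))" `
        -Properties lDAPDisplayName, searchFlags
    if (-not $Attr) { throw "Attribute '$AttributeName' not found under $SchemaNC" }

    $Current = [int]$Attr.searchFlags
    # Touch only bit 0x10; searchFlags also carries the indexing, ANR and
    # confidential bits, so never overwrite the whole value with 0 or 16.
    $New = if ($CopyOnDuplicate) { $Current -bor $CopyFlag } else { $Current -band (-bnot $CopyFlag) }

    $before = '0x{0:X}' -f $Current
    $after  = '0x{0:X}' -f $New
    if ($New -eq $Current) {
        Write-Verbose "$AttributeName already has searchFlags $before; nothing to change"
        return
    }

    if ($PSCmdlet.ShouldProcess($Attr.DistinguishedName, "searchFlags $before -> $after")) {
        Set-ADObject -Server $SchemaMaster -Identity $Attr.DistinguishedName `
            -Replace @{ searchFlags = $New }

        # Ask the schema master to reload its schema cache now instead of waiting
        # for the periodic refresh (rootDSE schemaUpdateNow).
        $rootDse = [ADSI]"LDAP://$SchemaMaster/RootDSE"
        $rootDse.Put('schemaUpdateNow', 1)
        $rootDse.SetInfo()
    }

    # With -WhatIf nothing is written; After is the value that would be set.
    [pscustomobject]@{ Attribute = $AttributeName; Before = $before; After = $after }
}

# Usage: preview first, then apply
# Set-SchemaCopyFlag -AttributeName extensionAttribute1 -WhatIf
# Set-SchemaCopyFlag -AttributeName extensionAttribute1 -Verbose
```

Run it with -WhatIf first and compare Before and After: only bit 0x10 should differ. Because the write targets the schema master, the new value becomes visible on other domain controllers only after schema replication, and an Active Directory Users and Computers session that was already open may need to be restarted before it stops copying the attribute.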

Finding copied attributes

How can we find which attributes are marked for copying and which aren't when duplicating a user? The Active Directory Schema console shows this per attribute, but we don't want to browse through all the attributes manually.

To automate the task, we can use PowerShell. We need the Get-ADObject cmdlet to query the attributeSchema objects in the schema partition. We also need the Get-ADRootDSE cmdlet to retrieve the object that represents the root of the directory information tree, which lets us read the schemaNamingContext. The schemaNamingContext looks like CN=Schema,CN=Configuration,DC=domain,DC=com and defines our SearchBase:

-SearchBase $((Get-ADRootDSE).schemaNamingContext)

The last part is the LDAPFilter. First, we filter on the objectClass attributeSchema because the settings we are after belong to attribute definitions in the schema. Second, we test the searchFlags bitmask, which requires an LDAP matching rule identified by an object identifier (OID).

An OID is a sequence of numbers in the format that [RFC1778] describes; it is the standard internal representation of an attribute or matching rule in many LDAP directories. An extensible match in a filter has the syntax <Attribute name>:<OID>:=<decimal comparative value>.

The <Attribute name> is searchFlags, and <OID> is 1.2.840.113556.1.4.803. This OID is Active Directory specific; the rule is named LDAP_MATCHING_RULE_BIT_AND, and a match occurs only if every bit set in the comparison value is also set in the attribute. Because searchFlags is a bitmask that also holds the indexing, ANR, and confidentiality bits, you cannot simply compare it for equality. The last part, <decimal comparative value>, is set to 16 (0x10), the bit that marks an attribute as copied when duplicating a user.

If we put it all together, it looks like this:

Get-ADObject -SearchBase $((Get-ADRootDSE).schemaNamingContext) -LDAPFilter "(&(objectClass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=16))"

In the output we see the DistinguishedName, Name, ObjectClass, and ObjectGUID of the attributes configured to copy when duplicating the object.

As we only want to see the Name of those attributes, we add | %{$_.Name} to our command. Note that Name is the CN of the schema object (for extensionAttribute1 that is ms-Exch-Extension-Attribute-1); the familiar LDAP name is stored in lDAPDisplayName and has to be requested explicitly with -Properties.

Get-ADObject -SearchBase $((Get-ADRootDSE).schemaNamingContext) -LDAPFilter "(&(objectClass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=16))" | %{$_.Name}

PowerShell output names only

If you want to retrieve the attributes not copied when duplicating an object, you just have to replace (searchFlags:1.2.840.113556.1.4.803:=16) with (!(searchFlags:1.2.840.113556.1.4.803:=16)). The negated filter also matches attribute definitions that have no searchFlags value at all, which is correct, since those are not copied either.


Get-ADObject -SearchBase $((Get-ADRootDSE).schemaNamingContext) -LDAPFilter "(&(objectClass=attributeSchema)(!(searchFlags:1.2.840.113556.1.4.803:=16)))" | %{$_.Name}
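The two queries above only tell you whether bit 16 is set. As an added example that is not part of the original post, the following function runs the same LDAP_MATCHING_RULE_BIT_AND filter (or its negation) against the schema master, returns the lDAPDisplayName instead of the CN, and decodes the remaining searchFlags bits so that a value such as 0x19 becomes readable. It assumes the RSAT ActiveDirectory module; the function names and the bit-name labels in the table are my own.

```powershell
# Added example, not part of the original post: audit which schema attributes
# are copied when duplicating a user, and decode the other searchFlags bits.
# Requires the RSAT ActiveDirectory module; function names are assumptions.

Import-Module ActiveDirectory -ErrorAction Stop

# Subset of the searchFlags bits from the AD schema reference; 0x10 is fCOPY,
# the bit behind "Attribute is copied when duplicating a user".
$SearchFlagBits = [ordered]@{
    0x001 = 'Indexed'
    0x002 = 'ContainerIndexed'
    0x004 = 'ANR'
    0x008 = 'PreserveOnDelete'
    0x010 = 'CopyOnDuplicate'
    0x020 = 'TupleIndex'
    0x040 = 'SubtreeIndex'
    0x080 = 'Confidential'
    0x100 = 'NeverAuditValue'
    0x200 = 'RODCFiltered'
}

function ConvertFrom-SearchFlags {
    param([int]$Value)
    # Client-side bit test: same semantics as the server-side matching rule
    $names = foreach ($bit in $SearchFlagBits.Keys) {
        if ($Value -band $bit) { $SearchFlagBits[$bit] }
    }
    if (-not $names) { return '(none)' }
    $names -join ','
}

function Get-SchemaAttributeCopyState {
    [CmdletBinding()]
    param(
        [string]$Server = (Get-ADForest).SchemaMaster,
        # List the attributes that are NOT copied on duplicate instead
        [switch]$NotCopied
    )
    $SchemaNC = (Get-ADRootDSE -Server $Server).schemaNamingContext

    # LDAP_MATCHING_RULE_BIT_AND (1.2.840.113556.1.4.803): matches when every
    # bit set in 16 (0x10) is also set in searchFlags. Wrapping it in (!...)
    # gives the complement, including objects with no searchFlags value.
    $bitTest = '(searchFlags:1.2.840.113556.1.4.803:=16)'
    if ($NotCopied) { $bitTest = "(!$bitTest)" }
    $filter = "(&(objectClass=attributeSchema)$bitTest)"

    Get-ADObject -Server $Server -SearchBase $SchemaNC -LDAPFilter $filter `
                 -Properties lDAPDisplayName, searchFlags |
        ForEach-Object {
            $flags = [int]$_.searchFlags   # absent attribute -> 0
            [pscustomobject]@{
                Name        = $_.lDAPDisplayName
                SearchFlags = '0x{0:X}' -f $flags
                Decoded     = ConvertFrom-SearchFlags $flags
                # Same test evaluated locally; must agree with what the DC matched
                CopiedLocal = [bool]($flags -band 0x10)
            }
        } |
        Sort-Object Name
}

# Usage:
# Get-SchemaAttributeCopyState | Format-Table -AutoSize
# Get-SchemaAttributeCopyState -NotCopied | Where-Object Name -like 'extensionAttribute*'
# Consistency check, expected to return 0:
# (Get-SchemaAttributeCopyState | Where-Object { -not $_.CopiedLocal }).Count
```

The CopiedLocal column exists to make the matching-rule semantics visible: every object the DC returns for the bitwise AND filter must also pass the local -band 0x10 test, and the consistency check at the bottom confirms that. Running the audit before and after you change extensionAttribute1 gives you a diff of exactly which attribute definitions were touched.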
1 Comment
  1. easar ahmed 4 years ago

    I want to not allow copying some groups to a new user while cloning from an existing user. How can this be implemented?

    Easar Ahmed

© 4sysops 2006 - 2023

