Admins like to copy an Active Directory user account because it pre-stages some attributes: their values are copied automatically when the account is duplicated. However, this can cause various problems in some cases.
Let's say you are using the attribute extensionAttribute1 to store a unique ID that starts the move of a mailbox from one Exchange system to another Exchange system located in a different forest. If another user has the same entry, the sync will fail, or Exchange will sync the mails to another mailbox.
However, you can prevent copying of an attribute by modifying the Active Directory option Attribute is copied when duplicating a user.
Prevent copying an AD attribute
You need to be a member of the Schema Admins group to perform this operation. Please remove your account from this group after changing extensionAttribute1. To deselect the option for extensionAttribute1, you can then perform the following steps:
- Open a PowerShell console as administrator.
- By default, the Active Directory Schema Microsoft Management Console (MMC) snap-in is not registered. You can register the snap-in with this command:
regsvr32 schmmgmt.dll
- Open the MMC and add the Active Directory Schema snap-in.
- In the console, click on the Attributes folder, browse to extensionAttribute1, right-click it, and click Properties. Deselect the Attribute is copied when duplicating a user checkbox and then click OK.
Finding copied attributes
How can we find attributes marked for copying and those that aren't when duplicating a user? We can get this information from our Schema Admin console. However, we don't want to browse through all the attributes manually.
To automate the task, we can use PowerShell. We need the Get-ADObject cmdlet to query AD objects (here, the attribute definitions in the schema). We also need the Get-ADRootDSE cmdlet to retrieve the object that represents the root of the directory information tree, which lets us read the schemaNamingContext. The schemaNamingContext looks like CN=Schema,CN=Configuration,DC=domain,DC=com and defines our SearchBase.
-SearchBase $((Get-ADRootDSE).schemaNamingContext)
The last part is the LDAPFilter. First, we filter on the objectClass attributeSchema because we are looking for settings on an attribute located in our schema. The second part is an extensible match on the searchFlags attribute, which uses an object identifier (OID) to select the matching rule.
An OID is a sequence of numbers in the format that [RFC1778] describes. It is the standard internal representation of an attribute in many LDAP directories. The filter must follow this syntax: <Attribute name>:<OID>:=<decimal comparative value>.
The <Attribute name> is the searchFlags and <OID> would be 1.2.840.113556.1.4.803. This OID is Active Directory specific, and a match occurs only if all bits from the attribute match the value. The name for this LDAP Matching Rule is LDAP_MATCHING_RULE_BIT_AND. The last part <decimal comparative value> is set to 16 to find attributes configured to copy when duplicating the user.
If we put it all together, it looks like this:
Get-ADObject -SearchBase $((Get-ADRootDSE).schemaNamingContext) -LDAPFilter "(&(objectClass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=16))"
In the output we see the DistinguishedName, Name, ObjectClass, and ObjectGUID of the attributes configured to copy when duplicating the object.
As we only want to see the Name of those attributes, we just add | %{$_.Name} to our cmdlet.
Get-ADObject -SearchBase $((Get-ADRootDSE).schemaNamingContext) -LDAPFilter "(&(objectClass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=16))" | %{$_.Name}
If you want to retrieve the attributes not copied when duplicating an object, you just have to replace (searchFlags:1.2.840.113556.1.4.803:=16) with (!(searchFlags:1.2.840.113556.1.4.803:=16)).
Get-ADObject -SearchBase $((Get-ADRootDSE).schemaNamingContext) -LDAPFilter "(&(objectClass=attributeSchema)(!(searchFlags:1.2.840.113556.1.4.803:=16)))" | %{$_.Name}
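The following script is an added example, not code from the original post. It combines the two parts above: it reads the searchFlags value of a single schema attribute to check whether the copy bit (16) is set, and, as a scripted alternative to the MMC steps, clears only that bit with Set-ADObject while leaving the other searchFlags bits untouched. It assumes the ActiveDirectory module, Schema Admins membership for the clearing step, and that the schema master is reachable; the function names are my own.

```powershell
# Added example (not from the original post). Requires the ActiveDirectory
# module and, for Clear-AttributeCopyFlag, membership in Schema Admins.
Import-Module ActiveDirectory

$FATTCOPY     = 16                                # searchFlags bit 0x10: copied when duplicating a user
$schemaNC     = (Get-ADRootDSE).schemaNamingContext
$schemaMaster = (Get-ADForest).SchemaMaster       # schema writes must go to the schema master

function Get-AttributeCopyFlag {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    # Look the attribute up by its LDAP display name (e.g. extensionAttribute1),
    # so we do not need to know its CN in the schema container.
    $attr = Get-ADObject -Server $schemaMaster -SearchBase $schemaNC `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))" `
        -Properties searchFlags, lDAPDisplayName
    if (-not $attr) { throw "Attribute '$LdapDisplayName' not found in $schemaNC" }
    [pscustomobject]@{
        Name              = $attr.lDAPDisplayName
        SearchFlags       = [int]$attr.searchFlags
        CopiedOnDuplicate = (([int]$attr.searchFlags -band $FATTCOPY) -ne 0)
        DistinguishedName = $attr.DistinguishedName
    }
}

function Clear-AttributeCopyFlag {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $info = Get-AttributeCopyFlag -LdapDisplayName $LdapDisplayName
    if (-not $info.CopiedOnDuplicate) {
        Write-Verbose "$($info.Name): copy bit already cleared (searchFlags=$($info.SearchFlags))"
        return $info
    }
    # Clear only bit 16; other searchFlags bits (indexing, GC replication, ...) stay as they are.
    $new = $info.SearchFlags -band (-bnot $FATTCOPY)
    if ($PSCmdlet.ShouldProcess($info.DistinguishedName, "searchFlags $($info.SearchFlags) -> $new")) {
        Set-ADObject -Server $schemaMaster -Identity $info.DistinguishedName -Replace @{ searchFlags = $new }
    }
    # Re-read from the schema master to confirm the change before it replicates.
    Get-AttributeCopyFlag -LdapDisplayName $LdapDisplayName
}

# Usage: inspect first, then run the change with -WhatIf before doing it for real.
Get-AttributeCopyFlag   -LdapDisplayName extensionAttribute1
Clear-AttributeCopyFlag -LdapDisplayName extensionAttribute1 -WhatIf
```

Schema changes replicate forest-wide and cannot be undone by deleting the attribute, so keep the -WhatIf run until the reported old and new searchFlags values are what you expect.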
Hi,
I want to not allow copying some groups to a new user while cloning from an existing user. How can this be implemented?
Regards,
Easar Ahmed