Active Directory Schema Extensions for Windows Vista Wireless and Wired Group Policy Enhancements

Writer: Joe Davies

Abstract

Wireless and wired clients running Windows 7, Windows Server 2008 R2, Windows Vista, or Windows Server 2008 and wired clients running Windows XP with Service Pack 3 support enhancements that can be configured through Group Policy settings that are supported by domain controllers running Windows Server 2008 R2 or Windows Server 2008. To support these enhancements for an Active Directory directory service environment consisting of domain controllers running Windows Server 2003 or Windows Server 2003 R2, the Active Directory schema must be extended. This article describes how to extend the Active Directory schema to support these new features.

Introduction

Computers running Windows Vista support the following enhancements to Group Policy-based configuration:

  • Wired LAN settings: Windows Vista and Windows XP Service Pack 3 now support the configuration of IEEE 802.1X-authenticated wired connections through Group Policy.

  • Mixed security mode: You can now configure several profiles with the same SSID but different security methods, so that clients with different security capabilities can all connect to the same wireless network.

  • Allow and deny lists for wireless networks: You can configure a list of wireless networks to which the Windows Vista wireless client can connect and a list of wireless networks to which the Windows Vista wireless client cannot connect.

  • Extensibility: You can import profiles that carry vendor-specific connectivity and security settings, such as different EAP types.

Active Directory uses the following schema attributes and attribute values for storing the GUID and data relating to wireless Group Policy:

  • ms-net-ieee-80211-GP-PolicyGUID

    A unique identifier for the wireless group policy object.

  • ms-net-ieee-80211-GP-PolicyData

    Stores the wireless policy settings.

  • ms-net-ieee-80211-GP-PolicyReserved

    Reserved for future use.

Active Directory uses the following schema attributes and attribute values for storing the GUID and data relating to wired Group Policy:

  • ms-net-ieee-8023-GP-PolicyGUID

    A unique identifier for the wired group policy object.

  • ms-net-ieee-8023-GP-PolicyData

    Stores the wired policy settings.

  • ms-net-ieee-8023-GP-PolicyReserved

    Reserved for future use.

To deploy the Windows Vista wireless and wired Active Directory schema changes, do the following:

  1. Extend the Active Directory schema (for wireless, wired, or both) as described in this article.

  2. Install Windows Vista on a domain member computer.

  3. Configure enhanced wireless or wired Group Policy settings for the appropriate Active Directory containers (site, domain, organizational unit) by using the Group Policy Editor snap-in on the computer running Windows Vista.

The enhanced wireless and wired settings are automatically downloaded to computers running Windows Vista as part of Computer Configuration Group Policy settings. Computers running Windows XP prior to Service Pack 3 or Windows Server 2003 will ignore the enhanced wireless and wired settings. Computers running Windows XP with Service Pack 3 support the enhanced wired settings.

Extending Active Directory Schema

Before extending the schema, you must understand the following:

  • Schema modifications are global: When you extend the schema, the changes apply to every domain controller in the entire forest.

  • Schema classes related to the system cannot be modified: You cannot modify default system classes (those classes required for Windows to run) within the schema. However, directory-enabled applications that modify the schema may add new classes that you can modify.

  • Schema extensions are not reversible: Attributes or classes cannot be removed after creation. At best, they can be modified or deactivated. For more information, see Deactivating a class or attribute.

  • Document your changes: If you do decide to extend the schema, be sure to document the changes.

A very simple way to avoid damaging or costly schema mistakes in your production forest is to first test your schema extensions on a test forest. By using a test environment, you can identify any potential problems in your plan before they affect your users and your production environment.

After making schema changes in a test forest, you can reinstall the default schema by demoting each domain controller in the test forest to which the schema changes have replicated. Then, use the Active Directory Installation Wizard to reinstall Active Directory on the servers. This procedure is practical only in a test environment.

For a technical overview of Active Directory schema, see How the Active Directory Schema Works.

Extending the Schema for Wireless Group Policy Settings

To extend the Active Directory schema for Windows Vista wireless Group Policy enhancements, you need to do the following:

  1. Create the 802.11Schema.ldf file.

  2. Use the Ldifde.exe tool to extend the Active Directory schema.

Creating the 802.11Schema.ldf File

To create the 802.11Schema.ldf file, do the following:

  1. From the Windows desktop, click Start, click Programs, click Accessories, and then click Notepad.

  2. Select the text of the "Contents of 802.11Schema.ldf" section of this article (not including the section title).

  3. Right-click the selected section, and then click Copy.

  4. Click the open Notepad window, click Edit, and then click Paste.

  5. Click File, click Save As, navigate to the appropriate folder, type 802.11Schema.ldf in File name, select All Files in Save as type, select ANSI in Encoding, and then click Save.

Using the Ldifde.exe Tool to Extend the Active Directory Schema

To use the Ldifde.exe tool to extend the Active Directory schema for wireless settings, do the following:

  1. If needed, copy the 802.11Schema.ldf file to a folder on a domain controller running Windows Server 2003 or Windows Server 2003 R2.

  2. On a domain controller running Windows Server 2003 or Windows Server 2003 R2, click Start, click Run, type cmd, and then click OK.

  3. Change to the folder containing the 802.11Schema.ldf file.

  4. At the Windows command prompt, issue the following command:

    ldifde -i -v -k -f 802.11Schema.ldf -c DC=X Dist_Name_of_AD_Domain

    Dist_Name_of_AD_Domain is the distinguished name of the Active Directory domain whose schema is being modified. An example of a distinguished name is DC=wcoast,DC=microsoft,DC=com for the wcoast.microsoft.com Active Directory domain.

    The 802.11Schema.ldf file uses the string "DC=X" to denote the distinguished name of the Active Directory domain. The -c option substitutes the string "DC=X" with the string corresponding to your Active Directory domain name when the 802.11Schema.ldf file is imported.

    For example, for the Active Directory domain named example.com, the command is:

    ldifde -i -v -k -f 802.11Schema.ldf -c DC=X DC=example,DC=com

    For more information about the Ldifde.exe tool, see LDIFDE.

The Ldifde.exe tool uses the instructions in the 802.11Schema.ldf file to modify the Active Directory schema to contain the additional attributes and values needed to store the enhancements for wireless Group Policy settings supported by Windows Vista wireless clients.

Contents of 802.11Schema.ldf

# -----------------------------------------------------------------------
#   Copyright (c) 2006 Microsoft Corporation
#   MODULE:     802.11Schema.ldf
# -----------------------------------------------------------------------

# -----------------------------------------------------------------------
#   define schemas for these attributes:
#ms-net-ieee-80211-GP-PolicyGUID
#ms-net-ieee-80211-GP-PolicyData
#ms-net-ieee-80211-GP-PolicyReserved
# -----------------------------------------------------------------------

dn: CN=ms-net-ieee-80211-GP-PolicyGUID,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: ms-net-ieee-80211-GP-PolicyGUID
adminDisplayName: ms-net-ieee-80211-GP-PolicyGUID
adminDescription: This attribute contains a GUID which identifies a specific 802.11 group policy object on the domain.
attributeId: 1.2.840.113556.1.4.1951
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeUpper: 64
schemaIdGuid:: YnBpNa8ei0SsHjiOC+T97g==
showInAdvancedViewOnly: TRUE
systemFlags: 16

dn: CN=ms-net-ieee-80211-GP-PolicyData,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: ms-net-ieee-80211-GP-PolicyData
adminDisplayName: ms-net-ieee-80211-GP-PolicyData
adminDescription: This attribute contains all of the settings and data which comprise a group policy configuration for 802.11 wireless networks.
attributeId: 1.2.840.113556.1.4.1952
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeUpper: 4194304
schemaIdGuid:: pZUUnHZNjkaZHhQzsKZ4VQ==
showInAdvancedViewOnly: TRUE
systemFlags: 16

dn: CN=ms-net-ieee-80211-GP-PolicyReserved,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: ms-net-ieee-80211-GP-PolicyReserved
adminDisplayName: ms-net-ieee-80211-GP-PolicyReserved
adminDescription: Reserved for future use
attributeId: 1.2.840.113556.1.4.1953
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeUpper: 4194304
schemaIdGuid:: LsZpD44I9U+lOukjzsB8Cg==
showInAdvancedViewOnly: TRUE
systemFlags: 16


# -----------------------------------------------------------------------
#   Reload the schema cache to pick up altered classes and attributes
# -----------------------------------------------------------------------
dn:
changetype: ntdsSchemaModify
add: schemaUpdateNow
schemaUpdateNow: 1
-

# -----------------------------------------------------------------------
#   define schemas for the parent class:
#ms-net-ieee-80211-GroupPolicy
# -----------------------------------------------------------------------

dn: CN=ms-net-ieee-80211-GroupPolicy,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: ms-net-ieee-80211-GroupPolicy
adminDisplayName: ms-net-ieee-80211-GroupPolicy
adminDescription: This class represents an 802.11 wireless network group policy object.  This class contains identifiers and configuration data relevant to an 802.11 wireless network.
governsId: 1.2.840.113556.1.5.251
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemMayContain: 1.2.840.113556.1.4.1953
systemMayContain: 1.2.840.113556.1.4.1952
systemMayContain: 1.2.840.113556.1.4.1951
systemPossSuperiors: 1.2.840.113556.1.3.30
systemPossSuperiors: 1.2.840.113556.1.3.23
systemPossSuperiors: 2.5.6.6
schemaIdGuid:: Yxi4HCK4eUOeol/3vcY4bQ==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=ms-net-ieee-80211-GroupPolicy,CN=Schema,CN=Configuration,DC=X
systemFlags: 16


# -----------------------------------------------------------------------
#   Reload the schema cache to pick up altered classes and attributes
# -----------------------------------------------------------------------
dn:
changetype: ntdsSchemaModify
add: schemaUpdateNow
schemaUpdateNow: 1
-

Extending the Schema for Wired Group Policy Settings

To extend the Active Directory schema for Windows Vista wired Group Policy enhancements, you need to do the following:

  1. Create the 802.3Schema.ldf file.

  2. Use the Ldifde.exe tool to extend the Active Directory schema.

Creating the 802.3Schema.ldf File

To create the 802.3Schema.ldf file, do the following:

  1. From the Windows desktop, click Start, click Programs, click Accessories, and then click Notepad.

  2. Select the text of the "Contents of 802.3Schema.ldf" section of this article (not including the section title).

  3. Right-click the selected section, and then click Copy.

  4. Click the open Notepad window, click Edit, and then click Paste.

  5. Click File, click Save As, navigate to the appropriate folder, type 802.3Schema.ldf in File name, select All Files in Save as type, select ANSI in Encoding, and then click Save.

Using the Ldifde.exe Tool to Extend the Active Directory Schema

To use the Ldifde.exe tool to extend the Active Directory schema for wired settings, do the following:

  1. If needed, copy the 802.3Schema.ldf file to a folder on a domain controller running Windows Server 2003 or Windows Server 2003 R2.

  2. On a domain controller running Windows Server 2003 or Windows Server 2003 R2, click Start, click Run, type cmd, and then click OK.

  3. Change to the folder containing the 802.3Schema.ldf file.

  4. At the Windows command prompt, issue the following command:

    ldifde -i -v -k -f 802.3Schema.ldf -c DC=X Dist_Name_of_AD_Domain

    Dist_Name_of_AD_Domain is the distinguished name of the Active Directory domain whose schema is being modified. An example of a distinguished name is DC=wcoast,DC=microsoft,DC=com for the wcoast.microsoft.com Active Directory domain.

    The 802.3Schema.ldf file uses the string "DC=X" to denote the distinguished name of the Active Directory domain. The -c option substitutes the string "DC=X" with the string corresponding to your Active Directory domain name when the 802.3Schema.ldf file is imported.

    For example, for the Active Directory domain named example.com, the command is:

    ldifde -i -v -k -f 802.3Schema.ldf -c DC=X DC=example,DC=com

    For more information about the Ldifde.exe tool, see LDIFDE.

The Ldifde.exe tool uses the instructions in the 802.3Schema.ldf file to modify the Active Directory schema to contain the additional attributes and values needed to store the enhancements for wired Group Policy settings supported by Windows Vista wired clients.
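The ldifde procedures for 802.11Schema.ldf and for 802.3Schema.ldf both rely on the -c DC=X substitution, and because schema additions cannot be undone, a check of the file before it reaches a domain controller is worthwhile. The following added example (not from the article and not Microsoft code) parses an .ldf file, applies the same substitution the -c option performs, and reports entries outside the schema naming context, duplicate attributeId/governsId values, and systemMayContain references to OIDs that are neither defined earlier in the file nor passed in as already present in the forest; the sample input is a constructed, abbreviated excerpt in the shape of the article's wireless file.

```python
# Added example (not from the article): pre-flight check of an ntdsSchemaAdd
# LDIF file before "ldifde -i -f <file> -c DC=X <domain DN>". It applies the
# same DC=X substitution as -c, then checks OID cross-references up front.

def parse_ldif(text, domain_dn):
    """Split LDIF into records ({attr: [values]}), substituting DC=X."""
    records = [{}]
    for line in text.replace("DC=X", domain_dn).splitlines():
        if line.startswith("#"):            # comment line in the .ldf
            continue
        if line.strip() in ("", "-"):       # blank line or '-' ends a record
            if records[-1]:
                records.append({})
            continue
        key, _, value = line.partition(":")  # "attr:: b64" is also handled
        records[-1].setdefault(key.strip(), []).append(value.lstrip(": "))
    return [r for r in records if r]

def check_schema_ldif(text, domain_dn, existing_oids=()):
    """Return problem strings; an empty list means the file passes."""
    problems, owner = [], {}          # owner: OID -> DN that defined it
    defined = set(existing_oids)      # OIDs already present in the forest
    for rec in parse_ldif(text, domain_dn):
        if rec.get("changetype", [""])[0] != "ntdsSchemaAdd":
            continue                  # schemaUpdateNow records define nothing
        dn = rec.get("dn", [""])[0]
        if not dn.endswith("CN=Schema,CN=Configuration," + domain_dn):
            problems.append(f"{dn}: not in the schema naming context")
        for oid in rec.get("attributeId", []) + rec.get("governsId", []):
            if oid in owner:
                problems.append(f"{dn}: {oid} already used by {owner[oid]}")
            owner[oid] = dn
            defined.add(oid)
        # ldifde applies records in file order, so a class may reference only
        # attributes defined earlier in the file or already in the forest.
        for oid in rec.get("systemMayContain", []):
            if oid not in defined:
                problems.append(f"{dn}: systemMayContain {oid} undefined")
    return problems

# Constructed, abbreviated excerpt in the shape of 802.11Schema.ldf: the class
# references 1.2.840.113556.1.4.1952, which this excerpt never defines.
SAMPLE = """\
dn: CN=ms-net-ieee-80211-GP-PolicyGUID,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
attributeId: 1.2.840.113556.1.4.1951

dn: CN=ms-net-ieee-80211-GroupPolicy,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
governsId: 1.2.840.113556.1.5.251
systemMayContain: 1.2.840.113556.1.4.1952
systemMayContain: 1.2.840.113556.1.4.1951
"""
```

Running check_schema_ldif(SAMPLE, "DC=example,DC=com") reports the one undefined systemMayContain OID; against the full file from the article, where all three attributes precede the class, the same call returns an empty list.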

Contents of 802.3Schema.ldf

# -----------------------------------------------------------------------
#   Copyright (c) 2006 Microsoft Corporation
#   MODULE:     802.3Schema.ldf
# -----------------------------------------------------------------------

# -----------------------------------------------------------------------
#   define schemas for these attributes:
#ms-net-ieee-8023-GP-PolicyGUID
#ms-net-ieee-8023-GP-PolicyData
#ms-net-ieee-8023-GP-PolicyReserved
# -----------------------------------------------------------------------

dn: CN=ms-net-ieee-8023-GP-PolicyGUID,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: ms-net-ieee-8023-GP-PolicyGUID
adminDisplayName: ms-net-ieee-8023-GP-PolicyGUID
adminDescription: This attribute contains a GUID which identifies a specific 802.3 group policy object on the domain.
attributeId: 1.2.840.113556.1.4.1954
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeUpper: 64
schemaIdGuid:: WrCnlLK4WU+cJTnmm6oWhA==
showInAdvancedViewOnly: TRUE
systemFlags: 16

dn: CN=ms-net-ieee-8023-GP-PolicyData,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: ms-net-ieee-8023-GP-PolicyData
adminDisplayName: ms-net-ieee-8023-GP-PolicyData
adminDescription: This attribute contains all of the settings and data which comprise a group policy configuration for 802.3 wired networks.
attributeId: 1.2.840.113556.1.4.1955
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeUpper: 1048576
schemaIdGuid:: i5SYg1d0kU29TY1+1mnJ9w==
showInAdvancedViewOnly: TRUE
systemFlags: 16

dn: CN=ms-net-ieee-8023-GP-PolicyReserved,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: ms-net-ieee-8023-GP-PolicyReserved
adminDisplayName: ms-net-ieee-8023-GP-PolicyReserved
adminDescription: Reserved for future use
attributeId: 1.2.840.113556.1.4.1956
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeUpper: 1048576
schemaIdGuid:: xyfF0wYm602M/RhCb+7Izg==
showInAdvancedViewOnly: TRUE
systemFlags: 16


# -----------------------------------------------------------------------
#   Reload the schema cache to pick up altered classes and attributes
# -----------------------------------------------------------------------
dn:
changetype: ntdsSchemaModify
add: schemaUpdateNow
schemaUpdateNow: 1
-

# -----------------------------------------------------------------------
#   define schemas for the parent class:
#ms-net-ieee-8023-GroupPolicy
# -----------------------------------------------------------------------

dn: CN=ms-net-ieee-8023-GroupPolicy,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: ms-net-ieee-8023-GroupPolicy
adminDisplayName: ms-net-ieee-8023-GroupPolicy
adminDescription: This class represents an 802.3 wired network group policy object.  This class contains identifiers and configuration data relevant to an 802.3 wired network.
governsId: 1.2.840.113556.1.5.252
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemMayContain: 1.2.840.113556.1.4.1956
systemMayContain: 1.2.840.113556.1.4.1955
systemMayContain: 1.2.840.113556.1.4.1954
systemPossSuperiors: 1.2.840.113556.1.3.30
systemPossSuperiors: 1.2.840.113556.1.3.23
systemPossSuperiors: 2.5.6.6
schemaIdGuid:: ajqgmRmrRkSTUAy4eO0tmw==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=ms-net-ieee-8023-GroupPolicy,CN=Schema,CN=Configuration,DC=X
systemFlags: 16


# -----------------------------------------------------------------------
#   Reload the schema cache to pick up altered classes and attributes
# -----------------------------------------------------------------------
dn:
changetype: ntdsSchemaModify
add: schemaUpdateNow
schemaUpdateNow: 1
-

For More Information

For more information about wireless and wired support in Windows Vista, consult the following resources: