Step-by-Step Guide to Using Active Directory Schema and Display Specifiers
This step-by-step guide introduces you to advanced administration of the Microsoft® Windows® 2000 Active DirectoryTM service, using the Active Directory Schema snap-in and display specifier modification. You can add and modify classes and attributes in the schema and extend both the Administrative Tools and the Windows shell by modifying attributes in display specifiers.
Introduction
Scenarios
Managing the Active Directory Schema
Adding Values to the New Attributes
Modifying Display Specifiers
This document introduces you to advanced administration of the Active DirectoryTM service, using the Active Directory Schema snap-in and display specifier modification. You can add and modify classes and attributes in the schema and extend both the Administrative Tools and the Windows shell by modifying attributes in display specifiers.
Prerequisites
You must have installed the Microsoft Windows 2000 Server operating system (including Active Directory) on a server in your network. You can run the Administrative Tools and scripts used in this walkthrough from the server or from a Windows 2000 Professional-based workstation. You will need two domain controllers within the same domain.
The Administrative Tools are installed by default on all Windows 2000 domain controllers. On stand-alone servers or workstations running Windows 2000, Active Directory Administrative Tools are optional and can be installed from the Windows 2000 optional components package. After installing all the Administrative Tools, you must manually install the Active Directory Schema snap-in.
This step-by-step guide assumes that you have run the procedures in Step-by-Step Guide to a Common Infrastructure for Windows 2000 Server Deployment.
The common infrastructure documents specify a particular hardware and software configuration. If you are not using the common infrastructure, you need to make the appropriate changes to this document. The most current information about hardware requirements and compatibility for servers, clients, and peripherals is available at the Windows 2000 Hardware and Software Compatibility Web site ( https://www.microsoft.com/windows2000/server/howtobuy/upgrading/compat/default.asp ).
This step-by-step guide provides procedures for the following tasks:
Manage the schema. This includes checking security permissions and Write access to the schema, creating new classes and attributes, and extending the existing classes.
Manage display specifiers. This involves extending the shell and Administrative Tools by adding context menus.
A fictional corporation stores additional user information in Active Directory. This information contains sensitive Human Resources (HR) data, including employee Social Security numbers and salary levels. To support this extra information an auxiliary class called HumanResources is created. This class contains the attributes SocialSecurityNumber and SalaryLevel. The HumanResources auxiliary class is then added to the User class.
To display this information (using either the Administrative Tools or by creating extensions to the Windows shell), you then create display specifiers for the additional context menus for the new classes and attributes.
The Active Directory Schema snap-in allows schema administrators to manage the Active Directory schema by creating and modifying classes and attributes, and specifying which attributes are indexed and which attributes are to be catalogued in the global catalog. Administrators will not perform schema management tasks on a frequent basis, and they should take some care when modifying the schema. Management of the schema is restricted to a group of administrators called schema administrators. There are three safety precautions that control and limit schema modification:
By default, all domain controllers permit Read access to the schema. A registry entry must be set on a domain controller to permit Write access to the schema on that domain controller.
The schema object is protected by the Windows 2000 Security model; therefore, administrators must be given explicit permissions or be members of the Schema Administrators group to make changes to the schema.
Only one domain controller can write to the schema at any given time. This role is known as Schema Flexible Single Master Operations (FSMO). You must be connected to the schema FSMO to manage the schema.
Note: All subsequent procedures assume you are logged on as an administrator with the required permissions to manage the schema.
Before proceeding, make sure that your account is a member of the Schema Administrators group. See Step-by-Step Guide to Managing the Active Directory for information about managing group memberships. By default, the administrator account is a member of the Schema Administrator group.
If you have not already done so, you must install all of the Windows 2000 administrative tools on both domain controllers that you will be using for these scenarios. By default, only some of the tools are installed during normal installation of a domain controller.
To install the complete set of tools
Click Start, point to Settings, and click Control Panel.
Double-click Add/Remove Programs.
Select Windows 2000 Administrative Tools and click Change.
Click Next.
Click Install All Administrative Tools.
Click Next.
The components and files are installed. When the installation is complete, click Finish and then click Close. Repeat this process on the second domain controller in your testbed.
The Active Directory Schema snap-in is a Microsoft Management Console (MMC) tool. Because schema management is not frequently performed, there is no saved Schema console or Administrative Tool on the Administrative Tools menu. You must load the Schema Manager manually into MMC. Run the following procedure on the domain controller that contains the schema.
To start the Active Directory Schema snap-in
Click Start, click Run, and type MMC in the Open box. Click OK.
On the Console menu, click Add/Remove Snap-in, click Add, and then click Active Directory Schema. Click Add, click Close, and then click OK.
You can save the MMC console containing the Schema snap-in. On the Console menu, click Save As, and type a name for the saved console (for example, Schema.msc). Click Save.
Note: Perform these steps on both domain controllers in this testbed.
Although Active Directory is based on a multi-master administration model, some operations support only a single master. One of these operations is schema management. Only one domain controller is permitted to modify the schema at any given time. The term used to describe this is Flexible Single Master Operations (FSMO). By default, the Schema snap-in is targeted to the schema FSMO role.
You can transfer the schema FSMO from one server to another; however, if you have installed a single Windows 2000 domain controller in your network, then this procedure is unnecessary. By default, that single domain controller is the schema FSMO role holder.
To transfer the schema FSMO to another domain controller
Right-click Active Directory Schema in the right pane of the MMC console. Click Change Domain Controller.
Click Specify Name and type in the name of the target domain controller. (See Figure 1 below.)
Figure 1: Changing the domain controller
Right-click the Schema root node in the left pane, and then click Operations Master.
Click Change.
Click OK to confirm that you want to change the Operations Master.
Click OK when you receive the message that the Operations Master was successfully transferred.
Note: Subsequent procedures in this document are now performed on the second domain controller (which is now the FSMO for the schema).
To allow a domain controller to write to the schema, you must set a registry entry that permits schema updates.
To set the registry key
Right-click the Active Directory Schema root node in the left pane, and then click Operations Master.
Select the The Schema may be modified on this Domain Controller check box, and then click OK.
Figure 2: Allow modifications to the Schema
The server automatically detects the change to this registry. You do not need to restart the server to permit the schema to be updated.
When creating classes and attributes, note the following:
Do not include spaces when entering the attribute and class names. An LDAP display name with embedded spaces can cause problems.
Object identifiers (OIDs) are issued by International Standards Authorities such as the International Telecommunications Union (ITU) to prevent issuance of duplicates. If your organization expects to create new classes and attributes, you may want to first request OIDs from the relevant standards body in your country. The OIDs listed here have been issued by Microsoft and are guaranteed to be unique. Do not create your own OIDs.
You can also obtain an ID from the Microsoft Certified for Windows Web site.
To create new attributes for the HumanResources class
Click the + next to Active Directory Schema in the left pane.
Right-click Attributes in the left pane.
Click New, and then select Attribute. You will receive a warning that creating schema objects is a permanent operation and cannot be undone. Click Continue.
Figure 3: Creating a new attribute object
Create the following new attributes:
Attribute Name            Attribute OID                    Attribute Syntax
SocialSecurityNumber      1.2.840.113556.1.4.7000.142      Case Insensitive String
SalaryLevel               1.2.840.113556.1.4.7000.141      Integer
Click OK after you create each new attribute.
To create the HumanResources class
Right-click Class.
Click New, and then click Class. You receive the same warning as before: that schema objects cannot be removed once created. Click Continue.
Figure 4: Creating the HumanResources class
Create the new class with the following values:
Value                       Type This
Common Name                 HumanResources
LDAP Display Name           HumanResources
Unique X.500 Object ID      1.2.840.113556.1.4.7000.17
Parent Class                Leave blank
Class Type                  Auxiliary
Click Next and then click Finish.
After you have created the class, add the attributes to the class.
To add attributes to the class
Click Classes in the left pane. Scroll to HumanResources in the right pane, and right-click it.
Figure 5: HumanResources class
Click Properties, and then click the Attributes tab. Click Add.
On the Select Schema Object page, click SalaryLevel and click OK.
Repeat these steps to add the SocialSecurityNumber attribute to the class. When you have finished, the attributes, illustrated in Figure 6, are displayed for this class on the Attributes tab.
Figure 6: Added attributes
Click OK.
After you have created the HumanResources auxiliary class and added attributes to the class, you can add the new auxiliary class to the User class.
To add a new auxiliary class
In the right pane, scroll to and right-click the User class node.
Click Properties. Click the Relationship tab.
Click Add. Select HumanResources and click OK.
Figure 7: Adding the auxiliary class to the existing User class
Click OK.
Domain controllers automatically update their schema cache every five minutes. If you need to force an update immediately on the domain controller on which the Schema snap-in is targeted, a menu item is provided to perform the reload.
To update the schema cache immediately
Right-click Active Directory Schema in the left pane, and click Reload the Schema.
Minimize the Active Directory Schema MMC console.
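The same schema extension can be scripted instead of clicked through. The following added Python example (not from the original guide) builds an LDIF file suitable for ldifde with the attributes, the HumanResources auxiliary class, its attachment to User, and the schema cache reloads from the procedure above; it also enforces the two caveats the guide gives (no spaces in LDAP display names, OIDs only from the assigned arc). The domain name reskit.com and the OIDs are the guide's; the syntax lookup and checks are the example's own.

```python
import re

# attributeSyntax / oMSyntax pairs for the two syntaxes used in this guide
SYNTAXES = {"Case Insensitive String": ("2.5.5.4", 20), "Integer": ("2.5.5.9", 2)}
# Only direct children of the arc this guide's OIDs were issued from are accepted
OID_ARC = "1.2.840.113556.1.4.7000."
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")
# Reloads the schema cache (same effect as "Reload the Schema" in the snap-in);
# needed before a later entry can reference the objects just added.
RELOAD = "dn:\nchangetype: modify\nadd: schemaUpdateNow\nschemaUpdateNow: 1\n-\n"


def check_name(name):
    """lDAPDisplayName must not contain spaces (the guide's first caveat)."""
    if not NAME_RE.match(name):
        raise ValueError("bad lDAPDisplayName: %r" % name)
    return name


def check_oid(oid):
    """Reject OIDs outside the assigned arc so a typo cannot collide with another issuer."""
    if not oid.startswith(OID_ARC) or not oid[len(OID_ARC):].isdigit():
        raise ValueError("OID outside the assigned arc: %r" % oid)
    return oid


def attribute_entry(name, oid, syntax, schema_dn):
    attr_syntax, om_syntax = SYNTAXES[syntax]
    return "\n".join([
        "dn: CN=%s,%s" % (check_name(name), schema_dn),
        "changetype: add", "objectClass: attributeSchema",
        "cn: %s" % name, "lDAPDisplayName: %s" % name,
        "attributeID: %s" % check_oid(oid),
        "attributeSyntax: %s" % attr_syntax, "oMSyntax: %d" % om_syntax,
        "isSingleValued: TRUE", ""])


def aux_class_entry(name, oid, may_contain, schema_dn):
    lines = ["dn: CN=%s,%s" % (check_name(name), schema_dn),
             "changetype: add", "objectClass: classSchema",
             "cn: %s" % name, "lDAPDisplayName: %s" % name,
             "governsID: %s" % check_oid(oid),
             "objectClassCategory: 3",  # 3 = auxiliary class
             "subClassOf: top"]        # the snap-in's default when Parent Class is left blank
    return "\n".join(lines + ["mayContain: %s" % a for a in may_contain] + [""])


def attach_aux_class(target_cn, aux_name, schema_dn):
    return ("dn: CN=%s,%s\nchangetype: modify\nadd: auxiliaryClass\n"
            "auxiliaryClass: %s\n-\n" % (target_cn, schema_dn, aux_name))


def hr_schema_ldif(domain_dn="DC=reskit,DC=com"):
    """LDIF for the whole HumanResources extension performed above with the snap-in."""
    schema_dn = "CN=Schema,CN=Configuration," + domain_dn
    attrs = [("SocialSecurityNumber", "1.2.840.113556.1.4.7000.142", "Case Insensitive String"),
             ("SalaryLevel", "1.2.840.113556.1.4.7000.141", "Integer")]
    parts = [attribute_entry(n, o, s, schema_dn) for n, o, s in attrs]
    parts.append(RELOAD)  # the class below names the new attributes in mayContain
    parts.append(aux_class_entry("HumanResources", "1.2.840.113556.1.4.7000.17",
                                 [n for n, _, _ in attrs], schema_dn))
    parts.append(RELOAD)  # User must see HumanResources before it can be attached
    parts.append(attach_aux_class("User", "HumanResources", schema_dn))
    parts.append(RELOAD)
    return "\n".join(parts)
```

Write the returned text to a file and import it on the schema FSMO with ldifde -i -f; the reload entries between sections are what lets one import pass succeed.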
In this scenario, all the users in the Marketing organization have been issued new salary levels. You can use a simple Microsoft Visual Basic® Scripting Edition script to perform a batch modification for all user objects in the Marketing organization. (Visual Basic Scripting Edition, also known as VBScript, is a subset of the Microsoft Visual Basic language.) The script adds new values for the SalaryLevel and SocialSecurityNumber attributes. (Note that this script assigns the same SalaryLevel to all user objects and generates a random number for the SocialSecurityNumber).
To use VBScript to modify all users in the Marketing organizational unit
Click Start, point to Programs, point to Accessories, and click Notepad.
Copy the sample script of VBScript 1 (below) into Notepad.
Click File, click Save As, and save the file as modify.vbs.
Close Notepad.
Click Start, click Run, and type cmd into the Open box. Click OK.
At the command prompt, type modify.vbs and press Enter. The script recurses all objects in the Marketing organizational unit and modifies all users, altering their SalaryLevel and SocialSecurityNumber attributes.
VBScript 1:
' Walks the container recursively; every user object found gets the same
' SalaryLevel and a randomly generated SocialSecurityNumber.
Sub ModifyUsers(oObject)
    Dim oUser
    For Each oUser In oObject
        Select Case oUser.Class
            Case "user"
                oUser.Put "SalaryLevel", "10000"
                oUser.Put "SocialSecurityNumber", CStr(Int(9999 * Rnd() + 1))
                oUser.SetInfo
            Case "organizationalUnit", "container"
                ' Descend into sub-containers
                ModifyUsers oUser
        End Select
    Next
End Sub

Dim oDomain
Randomize   ' seed Rnd so each run produces different numbers
Set oDomain = GetObject("LDAP://OU=Accounts,DC=reskit,DC=com")
ModifyUsers oDomain
Set oDomain = Nothing
MsgBox "Finished"
WScript.Quit
In this procedure, you use a simple VBScript program to display the user's name, Salary Level, and Social Security Number.
To display all users in the Marketing organizational unit
Use the same procedures as described in steps 1 and 2 above to copy the sample script in VBScript 2 into Notepad.
Click File, click Save As, and save the file as hrinfo.vbs.
Close Notepad.
Click Start, click Run, and type cmd into the Open box. Click OK.
At the command prompt, type hrinfo.vbs and press Enter. The script recurses all objects in the Marketing organizational unit and displays the users' Name, SalaryLevel and SocialSecurityNumber attributes.
VBScript 2:
' Walks the container recursively and prints each user's name and HR attributes.
Sub DisplayUsers(oObject)
    Dim oUser
    For Each oUser In oObject
        Select Case oUser.Class
            Case "user"
                WScript.Echo oUser.Name & " " & oUser.SalaryLevel & " " & oUser.SocialSecurityNumber
            Case "organizationalUnit", "container"
                ' Descend into sub-containers
                DisplayUsers oUser
        End Select
    Next
End Sub

Dim oDomain
Set oDomain = GetObject("LDAP://OU=Accounts,DC=reskit,DC=com")
DisplayUsers oDomain
Set oDomain = Nothing
MsgBox "Finished"
WScript.Quit
The Active Directory Administrative Tools (such as the Active Directory Users and Computers snap-in) and the Windows shell extensions use display specifiers to dynamically create context menu items and property pages. Display specifiers permit localization of class and attribute names, context menus, and property pages, and also support new classes and attributes—such as those you created in the previous procedures in this step-by-step guide.
Display specifiers are objects of class displaySpecifier and are stored in a container in Active Directory that corresponds to the locale ID. This is, in turn, stored in the Display Specifiers container in the Configuration namespace. For example, US English display specifiers are stored in the container
cn=409/cn=Display Specifiers/cn=Configuration......
Each display specifier name is derived from the concatenation of an object class's Lightweight Directory Access Protocol (LDAP) display name and -Display. For example, the user object class has an LDAP display name of user; its display specifier object is user-Display.
In this walkthrough, you added an auxiliary class to the existing user class. All you need to do is add additional context menus and attribute display names to the user display specifier. You can add attribute display names for the new attributes SalaryLevel and SocialSecurityNumber, a context menu for the Active Directory Users and Computers snap-in, and a context menu for the Windows shell.
To extend the User class display specifier
Use the same procedures as described in steps 1 and 2 above to copy the following text into Notepad:
Dim oRoot
Dim oDisp
Dim oCont
Dim aMenu
Dim iCount
Dim sNewMenu
Dim oFileSystem
Dim oOutFile
Dim sSystemFolder

Set oFileSystem = WScript.CreateObject("Scripting.FileSystemObject")
sSystemFolder = oFileSystem.GetSpecialFolder(1)   ' 1 = Windows System folder

' Connect to the US English (409) Display Specifiers container and open user-Display
Set oRoot = GetObject("LDAP://RootDSE")
Set oCont = GetObject("LDAP://" & "CN=409, CN=DisplaySpecifiers," & oRoot.Get("configurationNamingContext"))
Set oDisp = oCont.GetObject("displaySpecifier", "cn=user-Display")
MsgBox "Display Specifier: " & oDisp.Name

' Add Attribute Display Names (PutEx 3 = ADS_PROPERTY_APPEND)
oDisp.PutEx 3, "attributeDisplayNames", Array("SalaryLevel,Annual Salary", "SocialSecurityNumber,Social Security Number")
oDisp.SetInfo

' Add Shell Context Menu; entries have the form "ordinal,menu text,program"
MsgBox "Adding Shell Context Menu item"
iCount = 0
If Not IsEmpty(oDisp.shellContextMenu) Then
    aMenu = oDisp.GetEx("shellContextMenu")
    For iCount = LBound(aMenu) To UBound(aMenu)
        MsgBox "Existing Menu item: " & aMenu(iCount)
    Next
    iCount = iCount + 1
End If
sNewMenu = CStr(iCount) & ",&HR Info...,hrshell.vbs"
oDisp.PutEx 3, "shellContextMenu", Array(sNewMenu)
oDisp.SetInfo

' Write the program launched by the shell menu item into the System folder
MsgBox "Adding Shell Context Menu Program"
Set oOutFile = oFileSystem.CreateTextFile(sSystemFolder & "\hrshell.vbs", True)
oOutFile.WriteLine "Dim Args"
oOutFile.WriteLine "Dim oUser"
oOutFile.WriteLine "Set Args = Wscript.Arguments"
oOutFile.WriteLine "MsgBox " & Chr(34) & "LDAP Path: " & Chr(34) & " & Args(0)"
oOutFile.WriteLine "MsgBox " & Chr(34) & "Object Class: " & Chr(34) & " & Args(1)"
oOutFile.WriteLine "Set oUser = GetObject(Args(0))"
oOutFile.WriteLine "MsgBox " & Chr(34) & "HR Info" & Chr(34) & " & vbCRLF & " & Chr(34) & "Salary: " & Chr(34) & " & oUser.SalaryLevel & vbCRLF & " & Chr(34) & "Soc Sec No: " & Chr(34) & " & oUser.SocialSecurityNumber"
oOutFile.WriteLine "Set oUser = Nothing"
oOutFile.WriteLine "WScript.Quit"
oOutFile.Close

' Add Admin Context Menu (Active Directory Users and Computers)
MsgBox "Adding Admin Context Menu item"
iCount = 0
If Not IsEmpty(oDisp.adminContextMenu) Then
    aMenu = oDisp.GetEx("adminContextMenu")
    For iCount = LBound(aMenu) To UBound(aMenu)
        MsgBox "Existing Menu item: " & aMenu(iCount)
    Next
    iCount = iCount + 1
End If
sNewMenu = CStr(iCount) & ",&HR Admin...,hradmin.vbs"
oDisp.PutEx 3, "adminContextMenu", Array(sNewMenu)
oDisp.SetInfo

' Write the program launched by the admin menu item into the System folder
MsgBox "Adding Admin Context Menu Program"
Set oOutFile = oFileSystem.CreateTextFile(sSystemFolder & "\hradmin.vbs", True)
oOutFile.WriteLine "Dim Args"
oOutFile.WriteLine "Dim oUser"
oOutFile.WriteLine "Dim temp"
oOutFile.WriteLine "Set Args = Wscript.Arguments"
oOutFile.WriteLine "MsgBox " & Chr(34) & "LDAP Path: " & Chr(34) & " & Args(0)"
oOutFile.WriteLine "MsgBox " & Chr(34) & "Object Class: " & Chr(34) & " & Args(1)"
oOutFile.WriteLine "Set oUser = GetObject(Args(0))"
oOutFile.WriteLine "temp = InputBox(" & Chr(34) & "Old Salary: " & Chr(34) & " & oUser.SalaryLevel & vbCRLF & " & Chr(34) & "New Salary" & Chr(34) & ")"
oOutFile.WriteLine "if temp <> " & Chr(34) & Chr(34) & " then oUser.Put " & Chr(34) & "SalaryLevel" & Chr(34) & ",temp"
oOutFile.WriteLine "temp = InputBox(" & Chr(34) & "Soc Sec Number: " & Chr(34) & " & oUser.SocialSecurityNumber & vbCRLF & " & Chr(34) & "New Number" & Chr(34) & ")"
oOutFile.WriteLine "if temp <> " & Chr(34) & Chr(34) & " then oUser.Put " & Chr(34) & "SocialSecurityNumber" & Chr(34) & ",temp"
oOutFile.WriteLine "oUser.SetInfo"
oOutFile.WriteLine "Set oUser = Nothing"
oOutFile.WriteLine "WScript.Quit"
oOutFile.Close

MsgBox "Quit..."
Set oDisp = Nothing
Set oCont = Nothing
Set oRoot = Nothing
Set oFileSystem = Nothing
WScript.Quit
Click File, click Save As, and save the file as addmenu.vbs.
Close Notepad.
Click Start, click Run, and type cmd into the Open box. Click OK.
At the command prompt, type addmenu.vbs and press Enter. The script adds attribute display names for the newly created attributes SalaryLevel and SocialSecurityNumber, adds Windows shell and Administrative Tools context menus, and creates two simple VBScript programs—hrshell.vbs and hradmin.vbs—in the Windows System directory.
Note: Run this application only once; repeated execution can result in duplicate attribute display names and duplicate context menu items.
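The duplicate problem in the Note above comes from appending without looking at what the display specifier already holds. The following added Python example (not the guide's VBScript, and not read from a live directory) works out the "ordinal,menu text,program" and "ldapName,Display Name" value formats described above, computes the next ordinal from the existing entries, skips values already present, and lists menu entries whose program is not one you deployed; SAMPLE_SHELL_MENU is a constructed value standing in for what GetEx("shellContextMenu") would return.

```python
import re

# One context menu value is "ordinal,menu text,program" (shellContextMenu and
# adminContextMenu); one attributeDisplayNames value is "ldapName,Display Name".
MENU_RE = re.compile(r"^(\d+),([^,]+),(.+)$")

# Constructed sample of what user-Display might already hold; not from a directory.
SAMPLE_SHELL_MENU = ["1,&Open Web Page,openpage.vbs"]


def parse_menu(entry):
    """Split one context menu value into (ordinal, text, program)."""
    m = MENU_RE.match(entry)
    if not m:
        raise ValueError("malformed context menu entry: %r" % entry)
    return int(m.group(1)), m.group(2), m.group(3)


def add_menu_item(existing, text, program):
    """Values to append with PutEx 3 (ADS_PROPERTY_APPEND), or [] when the program
    is already wired to a menu item, so running the script twice adds nothing.
    The ordinal is one past the highest in use, so existing items keep their order."""
    parsed = [parse_menu(e) for e in existing]
    if any(p.lower() == program.lower() for _, _, p in parsed):
        return []
    next_ordinal = max([n for n, _, _ in parsed], default=0) + 1
    return ["%d,%s,%s" % (next_ordinal, text, program)]


def add_display_names(existing, new_pairs):
    """attributeDisplayNames values to append; one entry per attribute, case-insensitive."""
    seen = {e.split(",", 1)[0].lower() for e in existing}
    out = []
    for ldap_name, display in new_pairs:
        if ldap_name.lower() not in seen:
            seen.add(ldap_name.lower())
            out.append("%s,%s" % (ldap_name, display))
    return out


def unexpected_programs(existing, allowed):
    """Menu entries whose program is not on the allow-list. Whatever program a
    display specifier names runs on the workstation of whoever uses the menu, so
    entries you did not deploy are worth reviewing."""
    allowed_lc = {a.lower() for a in allowed}
    return [e for e in existing if parse_menu(e)[2].lower() not in allowed_lc]
```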
You can use the Active Directory Users and Computers snap-in to modify the new attributes for the users.
Click Start, point to Programs, point to Administrative Tools, and click Active Directory Users and Computers.
Click Suki White.
Note: If you did not populate the Active Directory using the Step-by-Step Guide to a Common Infrastructure for Windows 2000 Server Deployment—Part 1: Installing a Windows 2000 Server as a Domain Controller, then this user will not be available for this exercise. Choose a user within your sample organization.
Right-click Suki White, and click HR Admin.
A small VBScript application starts that allows you to modify the user's SalaryLevel and SocialSecurityNumber. Click OK twice to get to this part of the script, and change this user's salary level to 20000. Then click OK.
Figure 8: Modifying the SalaryLevel attribute
You can locate users based on attributes.
In the left pane, click reskit.com, and then right-click it.
Click Find.
For the search objects, select Users, Contacts, and Groups. Click the Advanced tab.
Click the Field button, select Users, and then select Annual Salary.
Select a search criterion, such as Annual Salary greater than 20000, and then click Find Now. A message asks if you wish to add the current criterion to your search. Click Yes. The search retrieves only those users who meet the search criterion.
Figure 9: Using attributes to find specific users
Close all open windows and MMC consoles.
To view a user's attributes in the Windows interface
Double-click the My Network Places icon on the desktop, double-click Entire Network, click Entire Contents, and then double-click the Directory icon. Double-click reskit.com.
Double-click the Accounts folder, and then double-click the Marketing icon.
Right-click the user Suki White, and select HR Info from the context menu. A small VBScript message box displays the user's HR information.
Figure 10: Displaying a user's attributes
Note: For security reasons, the default permissions for a user's HR information only allow the user to view his or her own information. A user is not permitted to view another user's HR information. Only administrators are permitted to update a user's HR information. The default permissions can be altered to allow other users read or write access to this information; those procedures are beyond the scope of this walkthrough.