Installing, Securing, and Viewing the Schema
Updated: December 30, 2008
Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012
In most Active Directory forests, you do not have to manage schema objects or their properties in any way other than to provide security to ensure that only authorized administrators have access to the schema. The default access to schema objects and properties is limited to the Administrator account in the forest root domain. However, you may occasionally want to provide schema permissions to other administrators if, for example, an application developer needs to modify a schema object or troubleshoot a schema compatibility problem for an application.
You may also need to install the Active Directory Schema snap-in on other domain controllers. You can use the Active Directory Schema snap-in to view schema class and attribute objects and their properties.
Installing the Active Directory Schema snap-in
Because schema management is not a typical administrative objective and because schema changes have potentially harmful forest-wide consequences, the Active Directory Schema snap-in is not installed by default when you add the Active Directory Domain Services (AD DS) role. Before you can add the Active Directory Schema snap-in to Microsoft Management Console (MMC), you must register Schmmgmt.dll in AD DS. The requirement for this preliminary step discourages improper use of the tool. After you register Schmmgmt.dll, the Active Directory Schema snap-in is available to be added to MMC.
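The registration step described above, as an added example that is not part of the original article: it registers Schmmgmt.dll, checks the registry key through which MMC discovers snap-ins, and opens an empty console so the snap-in can be added. It assumes an elevated PowerShell session on a domain controller where the AD DS role has already placed schmmgmt.dll in System32.

```powershell
# Added example (not from the original article): register the Schema snap-in
# DLL and confirm that MMC can see it. Assumes an elevated session on a DC.

$dll = Join-Path $env:SystemRoot 'System32\schmmgmt.dll'
if (-not (Test-Path $dll)) {
    throw "schmmgmt.dll not found; install the AD DS role (or the RSAT AD DS tools) first."
}

# regsvr32 /s registers silently; a non-zero exit code means registration failed.
$proc = Start-Process -FilePath regsvr32.exe -ArgumentList '/s', "`"$dll`"" -Wait -PassThru
if ($proc.ExitCode -ne 0) {
    throw "regsvr32 failed with exit code $($proc.ExitCode)"
}

# MMC lists snap-ins from HKLM\SOFTWARE\Microsoft\MMC\SnapIns; each registered
# snap-in is a GUID subkey carrying a NameString value.
$snapIn = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\MMC\SnapIns' |
    ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
    Where-Object { $_.NameString -like '*Active Directory Schema*' }

if ($snapIn) {
    "Snap-in registered: $($snapIn.NameString) ($($snapIn.PSChildName))"
    # Open an empty console; add the snap-in with File > Add/Remove Snap-in (Ctrl+M).
    Start-Process mmc.exe
} else {
    Write-Warning 'Active Directory Schema snap-in is not listed under the MMC SnapIns key.'
}
```

When the schema work is finished, `regsvr32 /u /s schmmgmt.dll` removes the registration again, which keeps the tool out of the default MMC snap-in list in line with the article's intent that it not be casually available.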
Providing administrative access to the schema
Members of the Schema Admins group have permission to perform all modifications to the schema except Delete All Child Objects. By default, the only member of the Schema Admins group is the Administrator account in the forest root domain.
Granting permissions to an administrator
You can use the Active Directory Users and Computers snap-in to add another user to the Schema Admins group. Only one additional user should be added to the group at a time. As a best practice, if you determine that a change must be made to the schema, add an administrative user to the Schema Admins group to allow the change. After the change is complete, remove the administrative user from the group.
Specifying individual permissions
You can also provide permissions for specific schema management tasks without allowing permissions to make all changes. Use the Permissions option to grant specific access to a user or group. Again, when the access is no longer needed, remove the permissions for the user or group.
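The two practices above (temporary Schema Admins membership, and removing explicitly granted permissions when they are no longer needed) as an added example that is not part of the original article. It assumes the ActiveDirectory PowerShell module (RSAT-AD-PowerShell) and uses `app.dev1` as a hypothetical account in the forest root domain; the group and account are located by well-known RID so the script does not depend on localized names.

```powershell
# Added example (not from the original article): grant one account Schema
# Admins membership for a single change, remove it afterward, and report any
# membership or explicit schema ACE that deviates from the default state.
Import-Module ActiveDirectory

$root      = Get-ADDomain -Identity (Get-ADForest).RootDomain
$dc        = $root.PDCEmulator
$adminSid  = "$($root.DomainSID)-500"   # built-in Administrator of the forest root domain
$schemaSid = "$($root.DomainSID)-518"   # Schema Admins (well-known RID 518)

# Every member other than the root-domain Administrator. Between schema
# changes this should return nothing.
function Get-UnexpectedSchemaAdmins {
    Get-ADGroupMember -Identity $schemaSid -Server $dc -Recursive |
        Where-Object { $_.SID.Value -ne $adminSid }
}

# Adds one account and refuses if another temporary member is still present,
# matching the "one additional user at a time" practice.
function Add-SchemaAdminForChange {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $existing = Get-UnexpectedSchemaAdmins
    if ($existing) {
        throw "Schema Admins already holds: $($existing.SamAccountName -join ', '). Finish that change first."
    }
    Add-ADGroupMember -Identity $schemaSid -Members $SamAccountName -Server $dc
    # Membership is evaluated at logon: the account must sign in again before
    # the new group appears in its token.
}

function Remove-SchemaAdminAfterChange {
    param([Parameter(Mandatory)][string]$SamAccountName)
    Remove-ADGroupMember -Identity $schemaSid -Members $SamAccountName -Server $dc -Confirm:$false
}

# Explicit (non-inherited) ACEs on the schema container: this is where
# permissions granted with the snap-in's Permissions option end up, so any
# entry here that is not a default trustee is a leftover to review.
function Get-SchemaContainerAces {
    $schemaNC = (Get-ADRootDSE -Server $dc).schemaNamingContext
    (Get-Acl -Path "AD:\$schemaNC").Access |
        Where-Object { -not $_.IsInherited } |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType
}

# Usage for one change (hypothetical account):
Add-SchemaAdminForChange -SamAccountName 'app.dev1'
# ... the developer signs in, makes the change, and reports back ...
Remove-SchemaAdminAfterChange -SamAccountName 'app.dev1'

# Periodic checks a defender would schedule:
Get-UnexpectedSchemaAdmins
Get-SchemaContainerAces
```

Running `Get-UnexpectedSchemaAdmins` and `Get-SchemaContainerAces` on a schedule turns the article's "remove the access when it is no longer needed" advice into something that can be verified rather than remembered.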
Viewing class and attribute definitions
The Active Directory Schema snap-in provides a view of the classSchema and attributeSchema objects.
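The same classSchema and attributeSchema objects can be read without the snap-in, as an added example that is not part of the original article. It assumes the ActiveDirectory PowerShell module and read access to the schema partition, which Authenticated Users hold by default; the function names are the example's own.

```powershell
# Added example (not from the original article): read class and attribute
# definitions from the schema partition with the ActiveDirectory module.
Import-Module ActiveDirectory

$schemaNC = (Get-ADRootDSE).schemaNamingContext

# Class definitions: OID, parent class, and the attributes the class must/may hold.
function Get-SchemaClass {
    param([string]$LdapDisplayName = '*')
    Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=$LdapDisplayName))" `
        -Properties lDAPDisplayName, governsID, subClassOf, objectClassCategory,
                    mustContain, systemMustContain, mayContain, systemMayContain,
                    defaultSecurityDescriptor
}

# One attribute definition: OID, syntax, cardinality, and searchFlags.
function Get-SchemaAttribute {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))" `
        -Properties lDAPDisplayName, attributeID, attributeSyntax, oMSyntax,
                    isSingleValued, searchFlags, isMemberOfPartialAttributeSet, schemaIDGUID
}

# Attributes flagged confidential (searchFlags bit 0x80), which are readable
# only by principals holding the CONTROL_ACCESS right. The bitwise-AND matching
# rule 1.2.840.113556.1.4.803 lets the server do the flag test.
function Get-ConfidentialAttribute {
    Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter '(&(objectClass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=128))' `
        -Properties lDAPDisplayName, searchFlags |
        Select-Object lDAPDisplayName, searchFlags
}

# Usage: the user class and the attribute that holds the logon name.
Get-SchemaClass -LdapDisplayName user |
    Select-Object lDAPDisplayName, governsID, subClassOf,
                  @{ n = 'mayContain'; e = { ($_.mayContain | Sort-Object) -join ',' } }

Get-SchemaAttribute -LdapDisplayName sAMAccountName |
    Select-Object lDAPDisplayName, attributeID, attributeSyntax, oMSyntax, isSingleValued, searchFlags

Get-ConfidentialAttribute
```

`Get-ConfidentialAttribute` is the view an administrator usually wants before granting anyone schema permissions: it shows which attribute definitions already protect sensitive data, so a schema change that clears or alters those flags can be recognized when it is proposed.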