Appendix D: Steps to Add an Attribute to the RODC Filtered Attribute Set

Updated: May 1, 2009

Applies To: Windows Server 2008

Appendix D shows how to add an attribute to the RODC filtered attribute set, and then mark it as confidential. The example in this appendix shows how to use the Ldifde command-line tool to add the attribute Employee-Number from the default AD DS schema.

For more information about what the RODC filtered attribute set is and how it works, see RODC Features.

To add an attribute to the RODC filtered attribute set, you must first determine the current searchFlags value of the attribute that you want to add, and then set the following values for searchflags:

  • Set the 10th bit to 0x200 to add the attribute to the RODC filtered attribute set.

  • Set the 7th bit to 0x080 to mark the attribute as confidential.

For example, if the attribute that you want to add is indexed and no other bits are set, then the current searchflags value is 0x001 (or 1, as stated in decimal format). If you set the 10th bit of the attribute to 0x200 (512) and the 7th bit to 0x080 (128), the new searchFlags value is 0x281 (or 641). In the following procedure, which uses the Employee-Number attribute, no other bits are set for searchFlags, so the current value is 0.

  1. Click Start, right-click Command Prompt, and then click Run as administrator.

  2. Type the following command, and then press ENTER:

    ldifde –d CN=Employee-Number,CN=Schema,CN=Configuration,DC=<domain> –f en_ldif –l searchflags

    Where <domain> is the distinguished name for your domain.

  3. Verify that the output of the file named en_ldif appears as follows:

    dn: CN=Employee-Number,CN=Schema,CN=Configuration,DC=<domain>

    changetype: add

    searchFlags: 0

  4. Copy the contents of the output file to a new file named en-fas.ldif.

  5. Modify the new file, en-fas.ldif, so that it appears as follows, and then save it:

    dn: CN=Employee-Number,CN=Schema,CN=Configuration,DC=<domain>

    changetype: modify

    replace: searchFlags

    searchFlags: 640


    Be sure to include the terminator "-" character or the following procedure will not work.

  6. Type the following command, and then press ENTER to import the modified en-fas.ldif file:

    ldifde –i -f en-fas.ldif

Use the following procedure to verify that an attribute is added to the RODC filtered attribute set.

Administrative Credentials

To perform this procedure, you can be any authenticated user.

  1. Click Start, click Administrative Tools, and then click ADSI Edit.

  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  3. Right-click ADSI Edit, and then click Connect to.

  4. Click Select a well known Naming Context, click Schema and then click OK.

  5. In the console tree, double-click Schema, and then click the CN=Schema,CN=Configuration,DC=<domain> container.

  6. In the details pane, right-click CN=Employee-Number, and then click Properties.

  7. In the list of attributes, verify that the Confidential and RODC_Filtered flags are set.

Community Additions