Introduce
New Custom Attribute
Add Custom
attribute, to store Service Account owner information.
Creating
custom attribute in AD, we need schema dll need to be register first.
Once
schema registered, open Schema snap-ins.
Select
Attributes, and create attribute.
Then, the system will
give a warning about schema object creation. Click OK to continue and the
following screen will open:
New
Attribute form look like below.
Common Name:
This is the name of the object. You can only use letters, numbers, and hyphens
for the common name (CN).
LDAP
Display Name: When
an object is referring to a script, program, or command-line utility, it needs
to be called using the LDAP display name instead of the CN. When you define the
CN, it will automatically create an LDAP Display Name.
Unique
X500 Object ID:
Each and every attribute in an AD schema has a unique object ID (OID) value.
There is a script developed by Microsoft to generate these unique OID values. It can
be found at https://gallery.technet.microsoft.com/scriptcenter/Generate-an-Object-4c9be66a#content.
It
includes the following script, which will generate the OID:
#---
$Prefix="1.2.840.113556.1.8000.2554"
$GUID=[System.Guid]::NewGuid().ToString()
$Parts=@()
$Parts+=[UInt64]::Parse($guid.SubString(0,4),
"AllowHexSpecifier")
$Parts+=[UInt64]::Parse($guid.SubString(4,4),
"AllowHexSpecifier")
$Parts+=[UInt64]::Parse($guid.SubString(9,4),
"AllowHexSpecifier")
$Parts+=[UInt64]::Parse($guid.SubString(14,4),
"AllowHexSpecifier")
$Parts+=[UInt64]::Parse($guid.SubString(19,4),
"AllowHexSpecifier")
$Parts+=[UInt64]::Parse($guid.SubString(24,6),
"AllowHexSpecifier")
$Parts+=[UInt64]::Parse($guid.SubString(30,6),
"AllowHexSpecifier")
$OID=[String]::Format("{0}.{1}.{2}.{3}.{4}.{5}.{6}.{7}",
$prefix,$Parts[0],$Parts[1],$Parts[2],$Parts[3],$Parts[4],
$Parts[5],$Parts[6])
$oid
#---
Syntax:
This defines the storage representation for the object. You are only allowed to
use a syntax defined by Microsoft. One attribute can only associate with one
syntax. In the following table, I have listed a few commonly used syntaxes:
Syntax
|
Description
|
Boolean
|
True or
false
|
Unicode
String
|
A large
string
|
Numeric
String
|
String of
digits
|
Integer
|
32-bit
numeric value
|
Large
Integer
|
64-bit
numeric value
|
SID
|
Security
identifier value
|
Distinguished
Name
|
String value
to uniquely identify object in AD
|
With
all the above notes, we will fill the below form.
As the next step, we
need to add it to the user class. In order to do that, go to the Classes
container, double-click on the user class,
Click on the Attributes
tab. In there, by clicking the Add button, we can browse and select the newly
added attribute from the list:
Now
when we open a user account, we can see the new attribute. Update owner employee id info,
Now all
efforts are done, let see we can retrieve from PowerShell.
**************************Happy Learning************************