Manage copying Active Directory attributes when duplicating user accounts
- Translation
- Tutorial
Many companies use additional Active Directory attributes that are copied along with duplicated user accounts. There are many cases where this is inconvenient, so in this article I will show how to avoid this behavior or change it to fit your needs.
About the author of the original text:
Tim Bantrock is an Active Directory administrator for a large company that specializes in call centers. Certified Specialist MCTS, MCITP, MCSA, and MCPS.
Admins sometimes like to copy user accounts for reasons of convenience: additional attributes that would otherwise have to be manually configured would also be automatically transferred. But in some cases, this approach is fraught with problems.
For example, you use the extensionAttribute1 attribute as a unique mailbox ID to move mailboxes from one Microsoft Exchange organization to another located in a separate AD forest. If two users end up with the same ID, synchronization will not work, or Exchange will synchronize mail into someone else's mailbox.
But you can prevent the copying of a specific attribute by disabling the Attribute is copied when duplicating a user option in Active Directory.
To do this, you must be a member of the Schema Admins group (do not forget to remove your account from this group when you are done with the settings). Deactivate the copying of the extensionAttribute1 attribute as follows:
- Launch the PowerShell console as an administrator.
- By default, the Active Directory Schema snap-in is not registered with the MMC. Register it with the command:
regsvr32 schmmgmt.dll
- Now add the Active Directory Schema snap-in to the MMC.
Adding the AD Schema snap-in.
- In the console, select the Attributes folder, then right-click extensionAttribute1 and select Properties. Uncheck Attribute is copied when duplicating a user and click OK.
Uncheck Attribute is copied when duplicating a user.
Looking for attributes to copy
To determine which attributes will be copied and which are not, you can look into the AD Schema console. But viewing all its parameters manually is inconvenient.
Therefore, to automate the process, we use PowerShell:
- the Get-ADObject cmdlet is required, with which you can retrieve the schema objects;
- you will also need the Get-ADRootDSE cmdlet, which returns the directory root object; from it we take the schemaNamingContext.
The value of schemaNamingContext defines the search scope (SearchBase) and looks something like CN=Schema,CN=Configuration,DC=domain,DC=com:
-SearchBase $((Get-ADRootDSE).schemaNamingContext)
- the last missing component is the LDAPFilter. First filter by objectClass = attributeSchema, so that only schema attributes are returned.
Now you need to apply the filter by object identifier ( OID ). An OID is a numerical sequence whose format is defined by the RFC1778 standard. This format is standard for internal representations of most LDAP-compatible directories.
Use the following syntax: <Attribute Name>:<OID>:=<decimal value>.
- <Attribute name> is searchFlags;
- <OID> must be 1.2.840.113556.1.4.803. This OID identifies the bitwise AND matching rule (LDAP_MATCHING_RULE_BIT_AND): the filter matches only if the bits of the specified value are all set in the attribute.
- The last part, <decimal value>, must be 16 to find the attributes that are copied along with the user account.
It turns out the following line:
Get-ADObject -SearchBase $((Get-ADRootDSE).schemaNamingContext) -LDAPFilter "(&(objectClass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=16))"
As a result, we get the DistinguishedName, Name, ObjectClass and ObjectGUID of every schema attribute that is copied to the new user object.
Since we only need the names of these attributes (the Name property), append | %{$_.Name} to the command:
Get-ADObject -SearchBase $((Get-ADRootDSE).schemaNamingContext) -LDAPFilter "(&(objectClass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=16))" | %{$_.Name}
PowerShell now returns only names.
If you want to get the attributes that will not be copied when duplicating an object, replace (searchFlags:1.2.840.113556.1.4.803:=16) with (!(searchFlags:1.2.840.113556.1.4.803:=16)):
Get-ADObject -SearchBase $((Get-ADRootDSE).schemaNamingContext) -LDAPFilter "(&(objectClass=attributeSchema)(!(searchFlags:1.2.840.113556.1.4.803:=16)))" | %{$_.Name}
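The same searchFlags bit that the MMC checkbox toggles can be inspected and changed from PowerShell, which is handy when several attributes need the same treatment and you want a before/after record. This is an added example, not code from the original article; it assumes the RSAT ActiveDirectory module is installed and that the account running the Set- step is a Schema Admin.

```powershell
# Added example (not from the original article). Requires the RSAT
# ActiveDirectory module; the Set- step also needs Schema Admins membership.
Import-Module ActiveDirectory

# searchFlags bit 0x10 (decimal 16) marks an attribute as
# "copied when duplicating a user"; other bits control indexing, ANR etc.
$CopyOnDuplicate = 16
$SchemaNC = (Get-ADRootDSE).schemaNamingContext

function Get-CopiedSchemaAttribute {
    # Lists every attributeSchema object whose searchFlags has bit 16 set,
    # i.e. the attributes that the Copy User dialog carries over.
    Get-ADObject -SearchBase $SchemaNC `
        -LDAPFilter "(&(objectClass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=$CopyOnDuplicate))" `
        -Properties lDAPDisplayName, searchFlags |
        Select-Object lDAPDisplayName, searchFlags
}

function Set-CopyOnDuplicate {
    # Sets or clears only the copy bit on one schema attribute, leaving the
    # remaining searchFlags bits exactly as they were.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $LdapDisplayName,
        [Parameter(Mandatory)] [bool]   $Enabled
    )
    $attr = Get-ADObject -SearchBase $SchemaNC `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))" `
        -Properties searchFlags
    if (-not $attr) { throw "Schema attribute '$LdapDisplayName' not found." }

    $current = [int]$attr.searchFlags
    $new = if ($Enabled) { $current -bor $CopyOnDuplicate } else { $current -band (-bnot $CopyOnDuplicate) }
    if ($new -eq $current) {
        Write-Verbose "$LdapDisplayName already has copy-on-duplicate = $Enabled (searchFlags=$current)"
        return
    }
    if ($PSCmdlet.ShouldProcess($attr.DistinguishedName, "searchFlags $current -> $new")) {
        Set-ADObject -Identity $attr.DistinguishedName -Replace @{ searchFlags = $new }
    }
}

# Before: which attributes are copied today?
Get-CopiedSchemaAttribute | Format-Table -AutoSize

# Stop extensionAttribute1 from being copied; -WhatIf previews the change first.
Set-CopyOnDuplicate -LdapDisplayName extensionAttribute1 -Enabled $false -WhatIf
Set-CopyOnDuplicate -LdapDisplayName extensionAttribute1 -Enabled $false -Verbose

# After: extensionAttribute1 should no longer be listed.
Get-CopiedSchemaAttribute | Where-Object lDAPDisplayName -eq extensionAttribute1
```

Schema changes are written on the schema master and take a replication cycle plus a schema cache refresh to show up everywhere, so re-run the check after a few minutes rather than immediately.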