Re: AD Schema extension and ACLing



Paul,

Thanks for the reply - the example will work out great. I see that I
will need to make a few calls to schemaUpdateNow and I see an example
of the class defaultSecurityDescriptor so I should be able to export my
examples and weed out the unneeded lines.

Now in the MSDN reference under "Defining a new Attribute"
(http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/defining_a_new_attribute.asp)
they show a matrix that claims that schemaIDGUID is required but I
don't see how that is possible before creation - is that a doc bug?

Also, do you have any comments on the ACL problem of protecting the
custom attributes themselves from Read access?

Brad Turner, MIIS MVP

Paul Williams [MVP] wrote:
LDIFDE in export mode (default) will produce an LDIF file for you. It's a
bit stupid and dumps a couple of constructed or system-only attributes that
need to be excluded, e.g. whenChanged, but otherwise works fine.

If you have some schema extensions and want an LDIF file of those, there's
also the schema analyser tool that ships with ADAM SP1 (R2).

An example can be found here:
http://www.microsoft.com/technet/itsolutions/network/wifi/vista_ad_ext.mspx


Basically, you have something like this:

# attribute
dn: cn=new-attr,cn=schema,cn=configuration,dc=domain-name,dc=com
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: newAttribute
attributeID: <ID goes here>
attributeSyntax: 2.5.5.3
omSyntax: 27
isSingleValued: TRUE

# reload the cache
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

# class (the cache reload above lets mayContain resolve newAttribute)
dn: cn=new-class,cn=schema,cn=configuration,dc=domain-name,dc=com
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: newClass
governsID: <ID goes here>
objectClassCategory: 3
subClassOf: top
rDNAttID: cn
mayContain: newAttribute


--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
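An added check for the two questions in this thread (my code, not Paul's and not Microsoft's): a small Python linter that parses a schema-extension LDIF like the one above and flags a class record whose objectClass is not classSchema, a mayContain that is not preceded by a schemaUpdateNow reload, and a custom attribute whose searchFlags lacks the confidential bit (0x80, Windows Server 2003 SP1 and later), which is the usual way to keep a custom attribute out of generic Read Property access. The sample LDIF and its OIDs are constructed placeholders.

```python
CONFIDENTIAL = 0x80  # searchFlags bit: reading then needs CONTROL_ACCESS too. SAMPLE is constructed (placeholder OIDs)
SAMPLE = """\
dn: cn=new-attr,cn=schema,cn=configuration,dc=example,dc=com
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: newAttribute
attributeID: 1.3.6.1.4.1.99999.1.1
searchFlags: 128

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: cn=new-class,cn=schema,cn=configuration,dc=example,dc=com
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: newClass
governsID: 1.3.6.1.4.1.99999.1.2
mayContain: newAttribute
"""

def parse_ldif(text):  # records as dicts of lower-cased attribute -> values; '#' and '-' lines skipped
    records = []
    for chunk in text.split("\n\n"):
        rec = {}
        for name, _, value in (l.partition(":") for l in chunk.splitlines()
                               if l.strip() not in ("", "-") and not l.startswith("#")):
            rec.setdefault(name.strip().lower(), []).append(value.strip())
        records += [rec] if rec else []
    return records

def lint(text):  # one finding per problem; an empty list means the LDIF passed every check
    findings, visible, pending = [], set(), set()
    for rec in parse_ldif(text):
        dn, oc = rec.get("dn", [""])[0] or "(rootDSE)", {v.lower() for v in rec.get("objectclass", [])}
        for idattr, cls in (("attributeID", "attributeSchema"), ("governsID", "classSchema")):
            if idattr.lower() in rec and cls.lower() not in oc:
                findings.append(f"{dn}: {idattr} present but objectClass is not {cls}")
        if "schemaupdatenow" in rec:  # schema cache reload: pending attributes become usable by classes
            visible, pending = visible | pending, set()
        elif "attributeid" in rec:
            pending.update(v.lower() for v in rec.get("ldapdisplayname", []))
            if not int(rec.get("searchflags", ["0"])[0]) & CONFIDENTIAL:
                findings.append(f"{dn}: searchFlags lacks 0x80; any generic Read Property ACE exposes it")
        elif "governsid" in rec:
            findings += [f"{dn}: uses {a} before a schemaUpdateNow reload"
                         for a in rec.get("maycontain", []) + rec.get("mustcontain", []) if a.lower() not in visible]
    return findings
```

ldifde only accepts a file that also carries the mandatory schema attributes the sample leaves out (attributeSyntax, oMSyntax, subClassOf and so on), and the confidential bit can only be set on attributes outside the base schema, which custom ones are.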



