Last Update: Sep 26, 2022 | Published: Jan 06, 2009
How can I add additional attributes to the user objects in Active Directory?
Windows 2000 and Windows Server 2003 Active Directory allow you to edit the Schema and add additional attributes to it. These attributes can be easily connected to existing Object Classes such as users, groups, computers and so on.
Adding items to the Schema, also called “extending the Schema”, or even modifying existing objects can be a tricky business, and if done without proper knowledge, can be very destructive to your existing Active Directory infrastructure. This is because the Schema is a forest-wide setting, and any additions or changes to the Schema will be immediately replicated to each and every Domain Controller in each and every domain in your AD Forest. You cannot make any changes to the Schema and yet keep it within your domain’s boundaries. Furthermore, changing existing attributes (such as configuring an attribute to replicate itself to the Global Catalog) will cause a forest-wide replication of all the attributes and objects, even if your change was just made on one attribute. Note that this behavior was changed in Windows Server 2003, but even so, you might unintentionally cause a major network load and a lot of overhead by simply clicking one small checkbox on one small attribute.
Many articles talk about adding items and extending the Schema. However, in this article I wish to show you a simple method of adding attributes to the Schema; you can modify these examples and use them for your own purposes.
Warning! First, let me stress the fact that the Schema is not child’s play. If you don’t know what you’re doing – stop now. Go read a good book about AD, consult a knowledgeable friend, go play with traffic. Don’t blame me if you mess up your corporate network because you’ve made careless changes to the schema. Read my lips: I will not be held responsible for any of your actions, and for any of the results that follow these actions.
Now, read ahead.
In order to extend the Schema you’ll need to be a member of the Enterprise Admins and Schema Admins groups. These groups are part of the AD Forest Root Domain, and if you’re not already a member of these groups, then it probably means that you have no business messing with the Schema in the first place.
Next, in most cases, you’d be better off doing this on the Domain Controller that is holding the Schema Master FSMO role (read more about Understanding FSMO Roles in Active Directory).
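The two prerequisites above can be checked before anything is changed. The following read-only PowerShell preflight is an added example, not part of the original article; it assumes a domain-joined Windows session with the .NET System.DirectoryServices classes available, and the variable names are illustrative.

```powershell
# Added example: read-only preflight for a schema extension. It changes nothing.
# Assumes a domain-joined Windows session with System.DirectoryServices available.

$forest       = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$schemaMaster = $forest.SchemaRoleOwner.Name   # DC holding the Schema Master FSMO role

# Build the forest root domain SID; both groups exist only in the forest root domain.
$rootEntry = $forest.RootDomain.GetDirectoryEntry()
$rootSid   = New-Object System.Security.Principal.SecurityIdentifier(
                 $rootEntry.psbase.Properties['objectSid'].Value, 0)

# Well-known relative IDs: 518 = Schema Admins, 519 = Enterprise Admins.
$required = @{
    'Schema Admins'     = "$($rootSid.Value)-518"
    'Enterprise Admins' = "$($rootSid.Value)-519"
}

# Group SIDs enabled in the current logon token. An unelevated (UAC-filtered)
# token may not list them, so run this from the session that will make the change.
$tokenSids = [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups |
    ForEach-Object { $_.Value }

$report = @()
foreach ($name in $required.Keys) {
    $report += New-Object PSObject -Property @{
        Check  = "Current token is a member of $name"
        Passed = ($tokenSids -contains $required[$name])
    }
}

# Compare the first DNS label of the Schema Master with the local computer name.
$report += New-Object PSObject -Property @{
    Check  = "Running on the Schema Master ($schemaMaster)"
    Passed = ($schemaMaster.Split('.')[0] -ieq $env:COMPUTERNAME)
}

$report | Select-Object Check, Passed | Format-Table -AutoSize

# A non-zero exit code lets a change-control wrapper stop before any schema work.
if ($report | Where-Object { -not $_.Passed }) { exit 1 }
```

Because Schema Admins membership grants forest-wide write access to the Schema, many environments keep the group empty and add an account only for the duration of the change; the same SID comparison works for auditing that.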
Register the Active Directory Schema snap-in in order to later use it from an MMC window
regsvr32 schmmgmt.dll
You should get a confirmation message.
Windows 2000 only – Enable write operations to the Schema
If you’re running Windows 2000-based AD, you’ll probably need to allow the Schema to be written. To do so follow these guidelines (only required for W2K-based DC):
One method of creating new attributes in the Schema is by using the Active Directory Schema snap-in from an MMC.
In order to use this snap-in you must first register it with the following command:
regsvr32 schmmgmt.dll
After adding the new attributes we now need to verify their existence and functionality.
Once the new attributes have been successfully added to the Schema and we’ve verified their functionality, we can begin working with these attributes and populating their values.