How to Create Custom Attributes in Active Directory?

All objects (classes) of Active Directory have a predefined set of attributes (properties). For example, the AD user class has the attributes Name, Surname, City, Office, OfficePhone, and so on. You can store user options in existing attributes, use the special extensionAttribute1-15, or create a new attribute. In this article, we’ll look at how to add a new attribute (for example, vehRegCode) to a user in on-prem Active Directory.

Notes.

  • Schema change affects the entire AD forest;

  • You cannot undo the schema change and delete the new attribute;

  • Before changing the schema, back up your Active Directory.

To change the schema, you need to have schema admin privileges. Add your account to the Schema Admins group.


Active Directory class attributes are defined in the AD schema, and the Active Directory Schema MMC snap-in is the tool for editing it. Before you can add the snap-in, register its DLL by running:

regsvr32 schmmgmt.dll

After registering the snap-in:

  1. Open a new MMC console (mmc.exe);
  2. Click File > Add/Remove Snap-in;
  3. Add the Active Directory Schema snap-in and click OK.


Connect to the domain controller that holds the Schema Master FSMO role (schema changes are only accepted there).

Expand Active Directory Schema, right-click Attributes, and select Create Attribute.

You will be warned that changing the AD schema is a permanent operation.


In the opened form, you need to fill in the parameters of the new attribute:

  • Common Name — attribute name (must not contain spaces).
  • LDAP Display Name — populated automatically once the CN is entered, but you can change it. Scripts and LDAP queries reference the attribute by its LDAP display name, not by its CN.
  • X500 Object ID — the unique OID of the attribute in the AD schema. Use the PowerShell script below to generate a value for this field.
  • Syntax — attribute type (Boolean, Unicode String, Numeric String, Integer, Large Integer, SID, Distinguished Name, etc.). Depending on the selected value in the Syntax field, you need to fill in other values. In our example, this will be a regular Unicode String with a maximum length of 10 characters.

PowerShell script to generate the X500 Object ID (a unique OID under Microsoft's prefix for GUID-derived OIDs, 1.2.840.113556.1.8000.2554, with the GUID split into seven numeric parts):

# Microsoft's prefix reserved for OIDs generated from a GUID
$Prefix="1.2.840.113556.1.8000.2554"
# New random GUID in the form xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
$GUID=[System.Guid]::NewGuid().ToString()
$Parts=@()
# Convert each hex group of the GUID (skipping the hyphens) to a decimal number
$Parts+=[UInt64]::Parse($GUID.SubString(0,4),"AllowHexSpecifier")
$Parts+=[UInt64]::Parse($GUID.SubString(4,4),"AllowHexSpecifier")
$Parts+=[UInt64]::Parse($GUID.SubString(9,4),"AllowHexSpecifier")
$Parts+=[UInt64]::Parse($GUID.SubString(14,4),"AllowHexSpecifier")
$Parts+=[UInt64]::Parse($GUID.SubString(19,4),"AllowHexSpecifier")
$Parts+=[UInt64]::Parse($GUID.SubString(24,6),"AllowHexSpecifier")
$Parts+=[UInt64]::Parse($GUID.SubString(30,6),"AllowHexSpecifier")
# Join the prefix and the seven parts into the final OID string
$OID=[String]::Format("{0}.{1}.{2}.{3}.{4}.{5}.{6}.{7}",$Prefix,$Parts[0],$Parts[1],$Parts[2],$Parts[3],$Parts[4],$Parts[5],$Parts[6])
$OID


Complete all fields in the Create New Attribute form and click OK.


Now we need to add a new attribute to the user class:

  1. Expand the Classes container, find the user class, open its properties and go to the Attributes tab;
  2. Click the Add button and select the attribute you created earlier from the list.


Now run Active Directory Users and Computers (dsa.msc), open the properties of any user, and verify that the Attribute Editor tab lists the new attribute. You can set its value there.
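The same procedure (create the attribute, attach it to the user class, reload the schema) can be scripted instead of clicked through. The following is an added example, not code from the article: it assumes the ActiveDirectory PowerShell module, an account that is a member of Schema Admins, and the same Unicode String attribute of at most 10 characters (vehRegCode) as above. Because a schema change cannot be undone, the script refuses to run if an attribute with that name already exists.

```powershell
# Added example (not part of the original article): scripted equivalent of the
# Create Attribute and add-to-user-class steps. Assumptions: ActiveDirectory
# module, Schema Admins membership, Unicode String attribute, max length 10.
Import-Module ActiveDirectory

$attrName   = 'vehRegCode'   # CN and LDAP display name used in the article
$rangeUpper = 10             # maximum string length chosen in the article

# Schema writes are only accepted by the schema master, so target it explicitly.
$schemaMaster = (Get-ADForest).SchemaMaster
$rootDse      = Get-ADRootDSE -Server $schemaMaster
$schemaNC     = $rootDse.schemaNamingContext

# Guard: the change is irreversible, so stop if the name is already in use.
$existing = Get-ADObject -Server $schemaMaster -SearchBase $schemaNC `
    -LDAPFilter "(|(cn=$attrName)(lDAPDisplayName=$attrName))"
if ($existing) {
    throw "An attribute named '$attrName' already exists: $($existing.DistinguishedName)"
}

# Generate the X500 OID the same way the article's script does:
# Microsoft's GUID-based prefix plus the seven hex groups of a new GUID in decimal.
$g = [guid]::NewGuid().ToString()
$parts = foreach ($s in @(@(0,4), @(4,4), @(9,4), @(14,4), @(19,4), @(24,6), @(30,6))) {
    [uint64]::Parse($g.Substring($s[0], $s[1]), 'AllowHexSpecifier')
}
$oid = '1.2.840.113556.1.8000.2554.' + ($parts -join '.')

# attributeSyntax 2.5.5.12 with oMSyntax 64 is the Unicode String syntax
# selected in the article; rangeUpper enforces the maximum length.
$attrProps = @{
    lDAPDisplayName  = $attrName
    attributeID      = $oid
    attributeSyntax  = '2.5.5.12'
    oMSyntax         = 64
    isSingleValued   = $true
    rangeUpper       = $rangeUpper
    adminDescription = 'Vehicle registration code (custom attribute)'
}
New-ADObject -Server $schemaMaster -Name $attrName -Type attributeSchema `
    -Path $schemaNC -OtherAttributes $attrProps

# Attach the attribute to the user class as an optional (mayContain) attribute,
# which is what the Attributes tab > Add button does in the snap-in.
$userClass = Get-ADObject -Server $schemaMaster -SearchBase $schemaNC `
    -LDAPFilter '(&(objectClass=classSchema)(lDAPDisplayName=user))'
Set-ADObject -Server $schemaMaster -Identity $userClass -Add @{mayContain = $attrName}

# Ask the schema master to reload its schema cache so the attribute is usable
# without waiting for the periodic refresh.
$dse = [ADSI]"LDAP://$schemaMaster/RootDSE"
$dse.Put('schemaUpdateNow', 1)
$dse.SetInfo()

# Verify: the user class now lists the attribute in mayContain.
Get-ADObject -Server $schemaMaster -Identity $userClass -Properties mayContain |
    Select-Object -ExpandProperty mayContain |
    Where-Object { $_ -eq $attrName }
```

Run it once, on the schema master, from an account that was added to Schema Admins only for this change; the group membership is not needed for day-to-day reads and writes of the new attribute and can be removed again afterwards.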


To get the value of a new attribute using PowerShell, use the command:

Get-ADUser -Identity bjackson -Properties vehRegCode | Select-Object Name, vehRegCode

To change the value of a new user attribute:

Set-ADUser a.novak -Add @{vehRegCode = "3265JA"}
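Two practical points when writing the new attribute from scripts: -Add fails if a single-valued attribute already holds a value (use -Replace to overwrite, -Clear to remove), and the maximum length set in the schema (rangeUpper) is enforced by the directory, so it is better to check it before the write than to parse the LDAP error afterwards. The following added example (not from the article) wraps the article's Get-ADUser / Set-ADUser commands in helper functions that read rangeUpper from the schema and also lists every user with the attribute populated; the function names are this example's own.

```powershell
# Added example (not part of the original article). Assumes the ActiveDirectory
# module and the vehRegCode attribute created above. Function names are ours.
Import-Module ActiveDirectory

function Set-VehRegCode {
    param(
        [Parameter(Mandatory)][string]$Identity,   # sAMAccountName, DN or GUID of the user
        [Parameter(Mandatory)][string]$Value
    )
    # Read the maximum length from the schema (rangeUpper = 10 in the article)
    # instead of hard-coding it in every script.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=vehRegCode)' `
        -Properties rangeUpper
    if (-not $attr) { throw 'vehRegCode is not defined in the schema' }
    if ($attr.rangeUpper -and $Value.Length -gt $attr.rangeUpper) {
        throw "Value '$Value' exceeds the schema maximum of $($attr.rangeUpper) characters"
    }
    # -Replace works whether or not the attribute already has a value;
    # -Add would fail on an already populated single-valued attribute.
    Set-ADUser -Identity $Identity -Replace @{vehRegCode = $Value}
    Get-ADUser -Identity $Identity -Properties vehRegCode | Select-Object Name, vehRegCode
}

function Clear-VehRegCode {
    param([Parameter(Mandatory)][string]$Identity)
    # Removes the value entirely rather than setting it to an empty string.
    Set-ADUser -Identity $Identity -Clear vehRegCode
}

function Get-UsersWithVehRegCode {
    # Presence filter: every user object where the attribute has any value.
    # Handy when reviewing what custom data is actually stored in the directory.
    Get-ADUser -LDAPFilter '(vehRegCode=*)' -Properties vehRegCode |
        Select-Object SamAccountName, vehRegCode
}

# Usage with the article's sample user and value:
Set-VehRegCode -Identity a.novak -Value '3265JA'
Get-UsersWithVehRegCode
```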