Extending the Active Directory Schema To Track Custom Info
In the summer of 2000, a couple of network administrators at the University of California San Diego asked me whether there was a way they could store employee identification numbers and social security numbers in the Active Directory (AD) database. After a little research, I found a resource on the Microsoft Web site that helped me to get the answer. Since then, I've refined the solution a bit and updated it to work with Windows Server 2003 Active Directory. In this article, you'll learn just how easy it is to modify Active Directory to store all sorts of useful stuff.
As you may already know, the Active Directory schema consists mostly of classes and attributes:
Classes represent the types of objects that exist in Active Directory. For example, the user class defines the type of information that can be stored about users.
Each class has its own set of attributes. For example, the user class has Telephone-Number, Display-Name, Logon-Hours, and a whole lot more linked to it when Active Directory is installed. Each attribute represents a piece of information that can be stored about a user. Shortly, I'll show you how to create a new attribute for storing social security numbers (SSN) and how to extend the user class to include Employee-ID, Employee-Number, and SSN attributes (see Figure 1).
Figure 1 An AD schema class and attributes to be modified.
The best way to learn how to modify the AD schema is to give it a try. I'll address key concepts along the way. If you can, go to a non-production Windows Server 2003 server that has Active Directory installed, and follow along.
Most of these steps work pretty much the same way on Windows 2000 (actually, there are fewer steps on Windows 2000), so you shouldn't get lost if you're still using that product.
Important: You won't be able to perform the steps in this article unless you have access to a user account that's a member of both the Schema Admins and Domain Admins groups (or with equivalent permissions). The default administrator of an Active Directory domain has all the necessary permissions to perform all the steps in this article. You must also be working on the computer that holds the Schema Master Operations role. By default, the first domain controller that you install in your forest is the Schema Master. You can learn more about operations master roles from Microsoft Knowledge Base Article 255690, "HOW TO: View and Transfer FSMO Roles in the Graphical User Interface" (FSMO stands for Flexible Single Master Operations).
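The three prerequisites above (Schema Admins membership, Domain Admins membership, and running on the Schema Master) are easy to verify before you start. The script below is an added example and is not from the original article; it assumes the ActiveDirectory PowerShell module is installed on the server you are logged on to, and it only reads the directory, it changes nothing.

```powershell
# Added example (not part of the original article): confirm the prerequisites
# for a schema change before touching the schema. Assumes the ActiveDirectory
# module is available and you are logged on to the server you intend to use.
Import-Module ActiveDirectory

$forest       = Get-ADForest
$rootDomain   = $forest.RootDomain
$schemaMaster = $forest.SchemaMaster        # FQDN of the DC holding the Schema Master role
$thisHost     = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# Schema Admins lives in the forest root domain; Domain Admins in the current domain.
# -Recursive expands nested group membership so indirect members are counted too.
$schemaAdmins = Get-ADGroupMember -Identity 'Schema Admins' -Server $rootDomain -Recursive |
                Select-Object -ExpandProperty SamAccountName
$domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
                Select-Object -ExpandProperty SamAccountName

$me = $env:USERNAME
$checks = [ordered]@{
    'Member of Schema Admins'            = $schemaAdmins -contains $me
    'Member of Domain Admins'            = $domainAdmins -contains $me
    'This computer is the Schema Master' = $thisHost -ieq $schemaMaster
}

# Print one line per check so a missing prerequisite is obvious at a glance.
$checks.GetEnumerator() | ForEach-Object {
    '{0,-36} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'MISSING' })
}
if ($checks.Values -contains $false) {
    Write-Warning "Schema Master is $schemaMaster; resolve the items marked MISSING before continuing."
}
```

Run it in an elevated PowerShell session on the server you plan to use; if the last check reports MISSING, either log on to the server named in the warning or transfer the role as described in KB 255690. Since the article's goal is to store social security numbers, also keep in mind that most user attributes are readable by any authenticated user by default; restricting read access to such an attribute (for example with the schema's confidential search flag on Windows Server 2003 SP1 and later, plus explicit permissions) is a separate step from creating it.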