I've bumped into a highly customized Active Directory environment (2003 FL) that's got me wondering if there's any particularly easy way to figure out what a custom attribute's function is, and what, if anything, is "using" that particular attribute. And then what some good options for potentially removing custom attributes from the schema might be. Aside from a restore or starting from scratch. If such an option exists.

For example, I think I can be fairly certain what the "isDumbass" attribute with a value of TRUE means, but not so much with "IRPextCONST", containing a value of 393684. Likewise, I'd think it should be pretty safe to delete the "isDumbass" attribute, but would like to a) be sure and b) find out what's querying or updating that value anyway, because I suspect that anything using that attribute might be next on the list of things to remove. Ideally, without having to run a search on the contents of every custom script and bit of source code I can get my hands on, of course.

And finally, aside from rebuilding from scratch, or doing an authoritative AD restore from backups that don't exist... is there a way to delete a given custom attribute? (Not blank the value, but actually delete the attribute from the schema - some folks would rather not have attributes like [redacted] hanging around.) I've been able to find and successfully test a method on Windows 2k, but it seems like Microsoft disabled this option in SP4, and the domain in question is a 2003 functional level.

HopelessN00b
  • I for one vote for moving `isDumbass` into the official Active Directory schema. `FaggotMeter` is derogatory towards gay people, so I'll skip that one, but `DouchebagCounter` seems like another good candidate. – Mark Henderson Jun 20 '12 at 20:32
  • It does make it a lot easier to tell who pissed off the sysadmin, and which users probably shouldn't have computers... but a lot of the suits and HR people want even the useful derogatory attributes gone nonetheless. Oddly, a lot of their dumbass booleans got set to TRUE. Go figure. – HopelessN00b Jun 20 '12 at 20:41
  • Personally, I'd go for the rebuild from scratch, on the grounds that there's no way to know what other little surprises the prior admins might have left behind. – Harry Johnston Jun 21 '12 at 03:03
  • Harry, that's a brilliant idea (I know because I recommended the same thing), but it's not an option because it would either cost too much money and/or it would take too long and result in too much downtime for the suits. – HopelessN00b Jun 21 '12 at 17:20

2 Answers

No, AD schema attributes should be considered permanent.

If you only want the attribute to not appear in the Attribute Editor tab, or other dialogs where an object may present the list of possible attributes, you may want to try editing the User class object in AD Schema MMC, and removing the attribute from the list of optional attributes. You would need to right-click on the Schema root and select "Reload the schema" for it to take effect, or wait five minutes for the domain controller to reload the schema.

Greg Askew

As for finding what's using the attributes, I think your best hope is some rather severe logging of the directory service access events by enabling the setting for it in the audit config of the Domain Controllers GPO, as well as setting aggressive audit ACLs to inherit throughout the domain. The logs will likely get very noisy.

If possible, the new Directory Services auditing features in 2008 might be a great help in this process; get a 2008 domain controller if you can!

When you're ready to get rid of those schema modifications - there's unfortunately no way to actually purge all memory of a schema modification, but you can at least halt its use and make it appear to be deleted.

You'll modify the attribute object in the schema to have an isDefunct value of TRUE; this can be done through ADSIEdit or the Active Directory Schema snap-in. See the "Removing Information from the Schema" section of this documentation for more info.

If you're not 100% certain that an attribute is out of use, it's OK to try making it defunct; you can reverse the change by setting isDefunct back to FALSE (the old values will still be there when it's reactivated). Definitely go down the auditing path if possible first, but the option is there.

Shane Madden
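Scripting the checks and the isDefunct flip from the answer above, as an added example that is not code from the answers: it uses System.DirectoryServices so it runs on a 2003-era domain without the AD module. The `-SchemaMaster` parameter, its sample hostname and `$AttributeName` are assumptions; the attribute name comes from the question.

```powershell
# Added example, not code from the answers above. Run as a Schema Admin; -SchemaMaster is
# the schema master DC's hostname (schema writes go there). $AttributeName is the lDAPDisplayName.
param(
    [Parameter(Mandatory = $true)][string]$AttributeName,   # e.g. "isDumbass"
    [string]$SchemaMaster = "",   # e.g. "dc1.corp.example" (placeholder)
    [switch]$Deactivate,          # set isDefunct=TRUE; omit to only report
    [switch]$Reactivate           # set isDefunct=FALSE to undo a deactivation
)

$server    = if ($SchemaMaster) { "$SchemaMaster/" } else { "" }
$rootDse   = [ADSI]"LDAP://${server}RootDSE"
$schemaNc  = $rootDse.Properties["schemaNamingContext"].Value
$defaultNc = $rootDse.Properties["defaultNamingContext"].Value

# 1. Locate the attributeSchema object by lDAPDisplayName.
$schemaSearch = New-Object System.DirectoryServices.DirectorySearcher(
    [ADSI]"LDAP://$server$schemaNc",
    "(&(objectClass=attributeSchema)(lDAPDisplayName=$AttributeName))")
$result = $schemaSearch.FindOne()
if (-not $result) { throw "No attributeSchema with lDAPDisplayName '$AttributeName'" }
$attr = $result.GetDirectoryEntry()

# Base-schema attributes (systemFlags bit 0x10, FLAG_SCHEMA_BASE_OBJECT) cannot be defuncted.
$systemFlags = [int]$attr.Properties["systemFlags"].Value
$isBase = ($systemFlags -band 0x10) -ne 0

# 2. Count objects in the domain NC that still carry a value for the attribute.
$useSearch = New-Object System.DirectoryServices.DirectorySearcher(
    [ADSI]"LDAP://$defaultNc", "($AttributeName=*)")
$useSearch.PageSize = 1000
[void]$useSearch.PropertiesToLoad.Add("distinguishedName")
$inUse = $useSearch.FindAll()

New-Object PSObject -Property @{
    Attribute        = $AttributeName
    SchemaObjectDN   = $attr.Properties["distinguishedName"].Value
    IsDefunct        = [bool]$attr.Properties["isDefunct"].Value
    BaseSchemaObject = $isBase
    ObjectsWithValue = $inUse.Count
}

# 3. Flip isDefunct, then make the DC reload its schema cache now instead of waiting for the
#    periodic reload. SetInfo() fails while an active class still lists the attribute in
#    mayContain/mustContain, which is the removal the other answer describes.
if ($Deactivate -or $Reactivate) {
    if ($isBase) { throw "Base-schema attributes cannot be made defunct." }
    $attr.Properties["isDefunct"].Value = [bool]$Deactivate   # TRUE = defunct, FALSE = revive
    $attr.SetInfo()
    $rootDse.Put("schemaUpdateNow", 1)
    $rootDse.SetInfo()
}
```

Run it without switches first to see how many objects still hold a value before deciding to deactivate; the object count is what the auditing approach above refines into "who is writing it".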