CHAPTER 1

Using Active Directory

Schema and Display
Specifiers

Introduction
This document introduces you to advanced administration of the Active DirectoryTM service, using the Active Directory Schema snap-in and display specifier
modification. You can add and modify classes and attributes in the schema and
extend the both the Administrative Tools and the Windows shell by modifying
attributes in display specifiers.

Prerequisites
You must have installed the Microsoft Windows 2000 Server operating system
(including Active Directory) on a server in your network. You can run the Administrative Tools and scripts used in this walkthrough from the server or from a Windows 2000 Professional-based workstation. You will need two domain controllers
within the same domain.
The Administrative Tools are installed by default on all Windows 2000 domain
controllers. On stand-alone servers or workstations running Windows 2000, Active
Directory Administrative Tools are optional and can be installed from the Windows
2000 optional components package. After installing all the Administrative Tools,
you must manually install the Active Directory Schema snap-in.

s:\its\uss\pclan\documentation\ad_schema_&_specifiers.pdf

Using Active Directory Schema and Display Specifiers

This step-by-step guide assumes that you have run the procedures in A Step-byStep Guide to Common Infrastructure for Windows 2000 Server Deployment Part
One.
The common infrastructure documents specify a particular hardware and software
configuration. If you are not using the common infrastructure, you need to make the
appropriate changes to this document. The most current information about hardware requirements and compatibility for servers, clients, and peripherals is available at the Windows 2000 Hardware and Software Compatibility Web site.

Scenarios
This step-by-step guide provides procedures for the following tasks:

Manage the schema. This includes checking security permissions and Write
access to the schema, creating new classes and attributes, and extending the
existing classes.

Manage display specifiers. This involves extending the shell and Administrative Tools by adding context menus.
A fictional corporation stores additional user information in Active Directory. This
information contains sensitive Human Resources (HR) data, including employee
Social Security numbers and salary levels. To support this extra information an
auxiliary class called HumanResources is created. This class contains the
attributes SocialSecurityNumber and SalaryLevel. The HumanResources auxiliary class is then added to the User class.
To display this information (using either the Administrative Tools or by creating
extensions to the Windows shell), you then create display specifiers for the additional context menus for the new classes and attributes.

Managing the Active Directory Schema

The Active Directory Schema snap-in allows schema administrators to manage the
Active Directory schema by creating and modifying classes and attributes, and
specifying which attributes are indexed and which attributes are to be catalogued in
the global catalog. Administrators will not perform schema management tasks on a
frequent basis, and they should take some care when modifying the schema. Man-

s:\its\uss\pclan\documentation\ad_schema_&_specifiers.pdf

Managing the Active Directory Schema

agement of the schema is restricted to a group of administrators called schema

administrators. There are three safety precautions that control and limit schema
modification:

By default, all domain controllers permit Read access to the schema. A registry
entry must be set on a domain controller to permit Write access to the schema on
that domain controller.

The schema object is protected by the Windows 2000 Security model; therefore,
administrators must be given explicit permissions or be members of the Schema
Administrators group to make changes to the schema.

Only one domain controller can write to the schema at any given time. This role
is known as Schema Floating Single Master Operations (FSMO). You must be
connected to the schema FSMO to manage the schema.
Note: All subsequent procedures assume you are logged on as an administrator
with the required permissions to manage the schema.

Check Membership to the Schema Administrators Group

Before proceeding, make sure that your account is a member of the Schema
Administrators group. See Step-by-Step Guide to Managing the Active Directory
for information about managing group memberships. By default, the administrator
account is a member of the Schema Administrator group.

Installing the Windows 2000 Administrative Tools

If you have not already done so, you must install all of the Windows 2000 administrative tools on both domain controllers that you will be using for these scenarios.
By default, only some of the tools are installed during normal installation of a
domain controller.

To install the complete set of tools

1.

Click Start, point to Settings, and click Control Panel.

2.

Double-click Add/Remove Programs.

3.

Select Windows 2000 Administrative Tools and click Change.

4.

Click Next.

5.

Click Install All Administrative Tools.

s:\its\uss\pclan\documentation\ad_schema_&_specifiers.pdf

Using Active Directory Schema and Display Specifiers

6.

Click Next.

7.

The components and files are installed, when complete, click Finish and then
click Close. Repeat this process on the second domain controller in your testbed.

Starting the Active Directory Schema Snap-in

The Active Directory Schema snap-in is a Microsoft Management Console (MMC)
tool. Because schema management is not frequently performed, there is no saved
Schema console or Administrative Tool on the Administrative Tools menu. You
must load the Schema Manager manually into MMC. Run the following procedure
on the domain controller that contains the schema.

To start the Active Directory Schema snap-n

1.

Click Start, click Run, and type MMC in the Open box. Click OK.

2.

On the Console menu, click Add/Remove Snap-in, click Add, and then click
Active Directory Schema. Click Add, click Close, and then click OK.

3.

You can save the MMC console containing the Schema snap-in. On the Console menu, click Save As, and type a name for the saved console (for example,
Schema.msc). Click Save.

Note: Perform these steps on both domain controllers in this testbed.

Schema FSMO
Although Active Directory is based on a multi-master administration model, some
operations support only a single master. One of these operations is schema management. Only one domain controller is permitted to modify the schema at any given
time. The term used to describe this is Flexible Single Master Operations (FSMO).
By default, the Schema snap-in is targeted to the schema FSMO role.
You can transfer the schema FSMO from one server to another; however, if you
have installed a single Windows 2000 domain controller in your network, then this
procedure is unnecessary. By default, that single domain controller is the schema
FSMO role holder.

s:\its\uss\pclan\documentation\ad_schema_&_specifiers.pdf

Managing the Active Directory Schema

To transfer the schema FSMO to another domain controller

1.
2.

Right-click Active Directory Schema in the right pane of the MMC console.
Click Change Domain Controller.
Click Specify Name and type in the name of the target domain controller. (See
Figure below.)
FIGURE 1.

3.

Right-click the Schema root node in the left pane, and then click Operations
Master.

4.

Click Change.

5.

Click OK to confirm that you want to change the Operations Master.

6.

Click OK when you receive the message that the Operations Master was successfully transferred.

Note: Subsequent procedures in this document are now performed on the second
domain controller (which is now the FSMO for the schema.)

Setting the Registry to Permit Write Operations to the Schema

To allow a domain controller to write to the schema, you must set a registry entry
that permits schema updates.

To set the registry key

1.

Right-click the Active Directory Schema root node in the left pane, and then
click Operations Master. \

s:\its\uss\pclan\documentation\ad_schema_&_specifiers.pdf

Using Active Directory Schema and Display Specifiers

2.

Select the The Schema may be modified on this Domain Controller check
box, and then click OK.
FIGURE 2.

The server automatically detects the change to this registry. You do not need to
restart the server to permit the schema to be updated.

Creating a New Attribute

When creating classes and attributes, note the following:

Do not include spaces when entering the attribute and class names. An LDAP
display name with embedded spaces can cause problems.

Object identifiers (OIDs) are issued by International Standards Authorities such

as the International Telecommunications Union (ITU) to prevent issuance of
duplicates. If your organization expects to create new classes and attributes, you
may want to first request OIDs from the relevant standards body in your country. The OIDs listed here have been issued by Microsoft and are guaranteed to
be unique. Do not create your own OIDs.
You can also obtain an ID from the Microsoft Certified for Windows Web site.

s:\its\uss\pclan\documentation\ad_schema_&_specifiers.pdf

Managing the Active Directory Schema

To create new attributes for the HumanResources class

1.

Click the + next to Active Directory Schema in the left pane.

2.

Right-click Attributes in the left pane.

3.

Click New, and then select Attribute. You will receive a warning
that creating schema objects is a permanent operation and cannot
be undone. Click Continue.
FIGURE 3.

4.

Create the following new attributes:

TABLE 1.

5.

Attirbute Name

Attribute OID

Attribute Syntax

SocialSecurityNumber

1.2.840.113556.1.4.7000.1
42

Case Insensitive
String

SalaryLevel

1.2.840.113556.1.4.7000.1
41

Integer

Click OK after you create each new attribute.

s:\its\uss\pclan\documentation\ad_schema_&_specifiers.pdf

Using Active Directory Schema and Display Specifiers

Creating a New Class

To create the HumanResources class
1.

Right-click Class.

2.

Click New, and then click Class. You receive the same warning as before: that
schema objects cannot be removed once created. Click Continue.
FIGURE 4.

3.

Create the new class with the following values:

TABLE 2.

4.

Value

Type This

Common Name

HumanResources

LDAP Displayname

HumanResources

Unique X.500 Object ID

1.2.840.113556.1.4.7000.17

Parent Class

Leave Blank

Class Type

Auxilary

Click Next and then click Finish.

s:\its\uss\pclan\documentation\ad_schema_&_specifiers.pdf

Managing the Active Directory Schema

Adding the Attributes to the Class

After you have created the class, add the attributes to the class.

To add attributes to the class

1.

Click Classes in the left pane. Scroll to HumanResources in the right pane, and
right click it.
FIGURE 5.

2.
3.
4.

Click Properties, and then click the Attributes tab. Click Add.
On the Select Schema Object page, click SalaryLevel and click OK.
Repeat these steps to add the SocialSecurityNumber attribute to the class.
When you have finished, the attributes, illustrated in Figure 6, are displayed for
this class on the Attributes tab.

s:\its\uss\pclan\documentation\ad_schema_&_specifiers.pdf

Using Active Directory Schema and Display Specifiers

FIGURE 6.

Adding an Auxiliary Class to the User Class

After you have created the Human Resources auxiliary class and added attributes to
the class, you can add the new auxiliary class to the User class.

To add a new auxiliary class

10

1.

In the right pane, scroll to and right-click the User class node.

2.

Click Properties. Click the Relationship tab.

3.

Click Add. Select HumanResources and click OK.

s:\its\uss\pclan\documentation\ad_schema_&_specifiers.pdf

Adding Values to the New Attributes

FIGURE 7.

Updating the Schema Cache

Domain controllers automatically update their schema cache every five minutes. If
you need to force an update immediately on the domain controller on which the
Schema snap-in is targeted, a menu item is provided to perform the reload.

To update the schema cache immediately

1.

Right-click Active Directory Schema in the left pane, and click Reload the
Schema.

Minimize the Active Directory Schema MMC console.

Adding Values to the New Attributes

Modifying All Users in the Marketing Organizational Unit
In this scenario, all the users in the Marketing organization have been issued new
salary levels. You can use a simple Microsoft Visual Basic Scripting Edition
script to perform a batch modification for all user objects in the Marketing organi-

s:\its\uss\pclan\documentation\ad_schema_&_specifiers.pdf

11

Using Active Directory Schema and Display Specifiers

zation. (Visual Basic Scripting Edition, also known as VBScript, is a subset of the
Microsoft Visual Basic language.) The script adds new values for the SalaryLevel
and SocialSecurityNumber attributes. (Note that this script assigns the same SalaryLevel to all user objects and generates a random number for the SocialSecurityNumber).

To use VBScript to modify all users in the Marketing organizational

unit
1.

Click Start, point to Programs, point to Accessories, and click Notepad.

2.

Copy the following text into Notepad.

3.

Click File, click Save As, and save the file as modify.vbs.

4.

Close Notepad.

5.

Click Start, click Run, and type cmd into the Open box. Click OK.

6.

At the command prompt, type modify.vbs and press Enter. The script recurses
all objects in the Marketing organizational unit and modifies all users, altering
their SalaryLevel and SocialSecurityNumber attributes.

Display All Users in the Marketing Organizational Unit

In this procedure, you use a simple VBScript program to display the users name,
Salary Level, and Social Security Number.

To display all users in the Marketing organizational unit

12

1.

Use the same procedures as described in steps 1 and 2 above to copy the following text into Notepad.

2.

Click File, click Save As, and save the file as hrinfo.vbs.

3.

Close Notepad.

4.

Click Start, click Run, and type cmd into the Open box. Click OK.

5.

At the command prompt, type hrinfo.vbs and press Enter. The script recurses
all objects in the Marketing organizational unit and the users Name, SalaryLevel and SocialSecurityNumber attributes.

s:\its\uss\pclan\documentation\ad_schema_&_specifiers.pdf

Modifying Display Specifiers

Modifying Display Specifiers

The Active Directory Administrative Tools (such as the Active Directory Users and
Computers snap-in) and the Windows shell extensions use display specifiers to
dynamically create context menu items and property pages. Display specifiers permit localization of class and attribute names, context menus, and property pages,
and also support new classes and attributessuch as those you created in the previous procedures in this step-by-step guide.
Display specifiers are objects of class displaySpecifier and are stored in a container
in Active Directory that corresponds to the locale ID. This is, in turn, stored in the
Display Specifiers container in the Configuration namespace. For example, US
English display specifiers are stored in the container
cn=409/cn=Display Specifiers/cn=Configuration......

Each display specifier name is derived from the concatenation of an object class
lightweight directory access protocol (LDAP) display name and -Display. For
example the user object class, has a LDAP display name of user. Its display specifier object is user-Display.

Adding Attribute Display Names

In this walkthrough, you added an auxiliary class to the existing user class. All you
need to do is add additional context menus and attribute display names to the user
display specifier. You can add attribute display names for the new attributes SalaryLevel and SocialSecurityNumber, a context menu for the Active Directory Users
and Computers snap-in, and a context menu for the Windows shell.

To extend the User class display specifier

1.

Use the same procedures as described in steps 1 and 2 above to copy the following text into Notepad.

2.

Click File, click Save As, and save the file as addmenu.vbs.

3.

Close Notepad.

4.

Click Start, click Run, and type cmd into the Open box. Click OK.

5.

At the command prompt, type addmenu.vbs and press Enter. The script adds
attribute display names for the newly created attributes SalaryLevel and SocialSecurityNumber, adds Windows shell and Administrative Tools context

s:\its\uss\pclan\documentation\ad_schema_&_specifiers.pdf

13

Using Active Directory Schema and Display Specifiers

menus, and creates two simple VBScript programshrshell.vbs and hradmin.vbsin the Windows System directory.
Note: Run this application only once; repeated execution can result in duplicate
attribute display names and duplicate context menu items.

Modifying the New Attributes

You can use the Active Directory Users and Computers snap-in to modify the new
attributes for the users.
1.

Click Start, point to Programs, point to Administrative Tools, and click

Active Directory Users and Computers.

2.

Click Suki White.

Note: If you did not populate the Active Directory using the Step-by-Step Guide to a
Common Infrastructure for Windows 2000 Server DeploymentPart 1: Installing a
Windows 2000 Server as a Domain Controller, then this user will not be available
for this exercise. Choose a user within your sample organization.
3.
4.

Right-click Suki White, and click HR Admin.

A small VBScript application starts that allows you to modify the users SalaryLevel and SocialSecurityNumber. Click OK twice to get to this part of the
script, and change this users salary level to 20000. Then click OK.
FIGURE 8.

Searching for Users Based on the New Attributes

You can locate users based on attributes.

14

s:\its\uss\pclan\documentation\ad_schema_&_specifiers.pdf

Modifying Display Specifiers

1.

Click and then right-click reskit.com in the left pane.

2.

Click Find.

3.

For the search objects, select Users, Contacts, and Groups. Click the
Advanced tab.

4.

Click the Field button, select Users, and then select Annual Salary.

5.

Select a search criteria, such as Annual Salary greater than

20000, then click Find Now. A message asks if you wish to add
the current criteria to your search. Click Yes. The search retrieves
only those users who meet the search criteria.
FIGURE 9.

6.

Close all open windows and MMC consoles.

Viewing New Attributes of a User in the Windows Interface

To view a users attributes in the Windows interface
1.

Double-click the My Network Places icon on the desktop, double-click Entire

Network, click Entire Contents, and then double-click the Directory icon.
Double-click reskit.com.

2.

Double-click the Accounts folder, and then double-click the Marketing icon.

s:\its\uss\pclan\documentation\ad_schema_&_specifiers.pdf

15

Using Active Directory Schema and Display Specifiers

3.

Right-click the user Suki White, and select HR Info from the context menu. A small VBScript message box displays the users HR
information.
FIGURE 10.

Note: For security reasons, the default permissions for a users HR information
only allow the user to view his or her own information. A user is not permitted to
view another users HR information. Only administrators are permitted to update a
users HR information. The default permissions can be altered to allow other users
read or write access to this information; those procedures are beyond the scope of
this walkthrough.

16

s:\its\uss\pclan\documentation\ad_schema_&_specifiers.pdf