How to Create Custom Attributes in Active Directory?

All objects (classes) of Active Directory have a predefined set of attributes (properties). For example, the AD user class has the attributes Name, Surname, City, Office, OfficePhone, and so on. You can store user options in existing attributes, use the special extensionAttribute1-15, or create a new attribute. In this article, we’ll look at how to add a new attribute (for example, vehRegCode) to a user in on-prem Active Directory.

Important Notes

1. Schema change affects the entire AD forest;
2. You cannot undo the schema change and delete the new attribute;
3. Before changing the schema, back up Active Directory.

To change the schema, you need to have schema admin privileges. Add your account to the Schema Admins group.

Active Directory class attributes are configured in the AD schema. You should use the Schema Manager snap-in to edit the Active Directory schema. To run it, perform the command:

regsvr32 schmmgmt.dll

After registering a snap-in:

1. Open a new MMC Console (mmc.exe)
2. Click File > Add/Remove Snap-in;
3. Add the Active Directory Schema snap-in and click OK.

Connect to a domain controller that owns the FSMO Schema master role.

Expand Active Directory Schema, right-click Attributes, and select Create Attribute.

You will be warned that changing the AD schema is a permanent operation.

In the opened form, you need to fill in the parameters of the new attribute:

• Common Name — attribute name (must not contain spaces).
• LDAP Display Name — this value is automatically populated after the CN is determined, but you can change it. When an object is referenced in a script, it must be called using the LDAP display name instead of the CN.
• X500 Object ID — unique attribute ID in the AD schema. Use the below PowerShell script to generate this parameter value.
• Syntax — attribute type (Boolean, Unicode String, Numeric String, Integer, Large Integer, SID, Distinguished Name, etc.). Depending on the selected value in the Syntax field, you need to fill in other values. In our example, this will be a regular Unicode String with a maximum length of 10 characters.

PowerShell script to generate X500 Object ID:

$Prefix="1.2.840.113556.1.8000.2554"

$GUID=[System.Guid]::NewGuid().ToString()

$Parts=@()

$Parts+=[UInt64]::Parse($guid.SubString(0,4),"AllowHexSpecifier")

$Parts+=[UInt64]::Parse($guid.SubString(4,4),"AllowHexSpecifier")

$Parts+=[UInt64]::Parse($guid.SubString(9,4),"AllowHexSpecifier")

$Parts+=[UInt64]::Parse($guid.SubString(14,4),"AllowHexSpecifier")

$Parts+=[UInt64]::Parse($guid.SubString(19,4),"AllowHexSpecifier")

$Parts+=[UInt64]::Parse($guid.SubString(24,6),"AllowHexSpecifier")

$Parts+=[UInt64]::Parse($guid.SubString(30,6),"AllowHexSpecifier")

$OID=[String]::Format("{0}.{1}.{2}.{3}.{4}.{5}.{6}.{7}",$prefix,$Parts[0],$Parts[1],$Parts[2],$Parts[3],$Parts[4],$Parts[5],$Parts[6])

$oid

Complete all fields in the Create New Attribute form and click OK.

Now we need to add a new attribute to the user class:

1. Expand the Classes container, find the user class, open its properties and go to the Attributes tab;
2. Click the Add button and select the attribute you created earlier from the list.

Now run the Active Directory Users and Computers snap-in (dsa.msc), open the properties for any user, and verify if the Attribute Editor tab now displays the new attribute. You can change its value.

To get the value of a new attribute using PowerShell, use the command:

Get-ADUser –identity bjackson –properties vehRegCode|select name, vehRegCode

To change the value of a new user attribute:

Set-ADUser a.novak -Add @{vehRegCod = "3265JA"}