A question came to me last week when I was doing a deep drill of Azure AD Connect user attribute mapping and replication:
What attributes can an Active Directory user object possibly have? Not just the populated ones. Not just the ones visible in AD Users & Computers advanced view. But: ALL OF THEM!
I looked around and found a couple of half answers. One post suggested looking at the mayContain and systemMayContain attributes of the User object in the AD Schema. Also, in forums you’ll see partial answers to this intriguing question.
To get THE FULL answer you need to understand the way Active Directory schema classes inherit their attributes.
Active Directory Classes and Attribute Inheritance
In the Active Directory schema you will find all definitions of classes and attributes.
A class can be of three types:
- Structural – you can create an actual object from this type of class
- Abstract – you can inherit from this class but not create an object
- Auxiliary – defines supplemental classes implemented by a class
A class (of any type) may have up to four lists of attributes included in it’s definition. These lists are defined in the following class attributes:
- mayContain
- mustContain
- systemMayContain
- systemMustContain
Additionally, all classes inherit from a parent class (except the root of all classes, the “top” class).
The following diagram shows you how the user class is designed in the Active Directory schema:
It inherits from the organizationPerson class, which again inherits from the person class, which again inherits from the top class.
The user class includes the class definition (more attributes!) from a number of supplemental classes as defined in the auxiliaryClass and systemAuxiliaryClass attributes.
The user class, all the inherited classes and all the supplemental classes define the attributes that can be included in a user object (in the above diagram the mayContain, mustContain, systemMayContain and systemMustContain are only shown for the user class to keep it simple).
Extending AD Management to Include Office 365
Using third-party tools like Easy365Manager allows you to manage Office 365 licenses and mailboxes directly from AD Users & Computers:
With Easy365Manager you no longer have to log into to multiple web consoles and have an on-premises Exchange Server to manage your hybrid Office 365 environment.
Using PowerShell to List All AD User Attributes
Per the previous AD class overview you need to examine the following to get the full list of potential attributes for any class definition:
- Find a list of all classes inherited by the class (inheritance chain)
- Find a list of all supplemental (auxiliary) classes for the classes found in the previous step
- Find all attribute lists in the four mustContain/mayContain attributes of the classes found in the two previous (don’t forget the class itself)
A PowerShell script to undertake this task could look like this:
Import-Module ActiveDirectory
$Loop = $True
$ClassName = "User"
$ClassArray = [System.Collections.ArrayList]@()
$UserAttributes = [System.Collections.ArrayList]@()
# Retrieve the User class and any parent classes
While ($Loop) {
$Class = Get-ADObject -SearchBase (Get-ADRootDSE).SchemaNamingContext -Filter { ldapDisplayName -Like $ClassName } -Properties AuxiliaryClass, SystemAuxiliaryClass, mayContain, mustContain, systemMayContain, systemMustContain, subClassOf, ldapDisplayName
If ($Class.ldapDisplayName -eq $Class.subClassOf) {
$Loop = $False
}
$ClassArray.Add($Class)
$ClassName = $Class.subClassOf
}
# Loop through all the classes and get all auxiliary class attributes and direct attributes
$ClassArray | % {
# Get Auxiliary class attributes
$Aux = $_.AuxiliaryClass | % { Get-ADObject -SearchBase (Get-ADRootDSE).SchemaNamingContext -Filter { ldapDisplayName -like $_ } -Properties mayContain, mustContain, systemMayContain, systemMustContain } |
Select-Object @{n = "Attributes"; e = { $_.mayContain + $_.mustContain + $_.systemMaycontain + $_.systemMustContain } } |
Select-Object -ExpandProperty Attributes
# Get SystemAuxiliary class attributes
$SysAux = $_.SystemAuxiliaryClass | % { Get-ADObject -SearchBase (Get-ADRootDSE).SchemaNamingContext -Filter { ldapDisplayName -like $_ } -Properties MayContain, SystemMayContain, systemMustContain } |
Select-Object @{n = "Attributes"; e = { $_.maycontain + $_.systemmaycontain + $_.systemMustContain } } |
Select-Object -ExpandProperty Attributes
# Get direct attributes
$UserAttributes += $Aux + $SysAux + $_.mayContain + $_.mustContain + $_.systemMayContain + $_.systemMustContain
}
$UserAttributes | Sort-Object | Get-UniqueThe output of the script depends of course on what schema version and extensions you’re running. In my test lab the output looks like this:
Summary
As illustrated it’s not a super simple task to list all attributes of a schema class definition.
You need to take parent classes and supplemental classes into account.
Plus you need to look at four different class attributes for each class definition associated with the class.
But then, and only then, you will see everything clearly! 😉