Using a Tool to Modify the Active Directory Schema


In Part 1 of this series, I began explaining the process of adding custom attributes to Active Directory classes. In this article, I’ll complete the process. As I mentioned in Part 1, this process is dangerous: the schema is forest-wide, so a mistaken change replicates to every domain controller and cannot be undone by simply deleting the object, and a bad enough mistake can break the directory and every application that depends on it. Therefore, before attempting any of the techniques in this article, be sure you have a complete backup (including the System State) of your domain controller, and understand that restoring one domain controller does not roll back a change that has already replicated to the others.

Adding the Tool to the MMC

At the end of the last article, we had just finished installing the extra administrative tools necessary for modifying Active Directory. Now it’s time to use one of those tools to modify the schema. The Active Directory Schema snap-in doesn’t appear on the Administrative Tools menu, and it isn’t even offered in the snap-in list until its DLL has been registered on the machine you’re working from (run regsvr32 schmmgmt.dll from a command prompt). Once that’s done, add the tool to the Microsoft Management Console as follows:

  1. Enter “MMC” at the Run prompt. When the console opens, select the Add/Remove Snap-in command from the Console menu.
  2. In the resulting Add/Remove Snap-in dialog box, click Add to display a list of available snap-ins.
  3. Select Active Directory Schema from the list and click Add.
  4. Click Close and OK to return to the main console screen. The Active Directory Schema snap-in will appear in the console.

Modifying the Schema

You’re now ready to modify the schema. Before you do, make absolutely sure of two things. First, the snap-in must be connected to the schema master, the one domain controller on which schema writes are accepted and the one on which you enabled schema write access in Part 1 (right-click the Active Directory Schema node in the console tree and use its context menu to see and change the domain controller you’re connected to; on Windows 2000 the write-access setting was a registry value, while later versions of Windows Server don’t need it, but the write still has to go to the schema master). Second, you must be logged on as a member of the Schema Admins group, since nothing else can write to the schema partition. Then, follow these steps:

  1. To create a new attribute, right-click Attributes in the console tree and select Create Attribute from the context menu. A warning message will indicate that you’re about to make a permanent change: the new attribute can later be deactivated (made defunct), but it can never be deleted from the schema.
  2. Click Continue, and the Create New Attribute dialog box will open. At the top of this dialog box are fields for a common name, LDAP display name, and X.500 Object ID. All three must be unique across the entire schema, classes included, because a class’s governsID and an attribute’s attributeID share the same OID space. Even if you’re working with an isolated network, don’t make up your own X.500 Object ID: it’s very easy to pick an OID that’s already in use, and the resulting conflict replicates forest-wide. OIDs form a registered tree whose root is administered jointly by the International Telecommunications Union (ITU-T) and ISO; an organization obtains its own arc (for example, an IANA Private Enterprise Number under 1.3.6.1.4.1) and allocates OIDs beneath it, which is what prevents accidental duplication. Microsoft’s own schema objects live under 1.2.840.113556, so never invent OIDs in that arc. (You can access the International Telecommunications Union’s Web site at
  3. Once you have a unique OID, choose the attribute’s data type from the Syntax drop-down list. The Minimum and Maximum fields set rangeLower and rangeUpper on the attribute: for numeric syntaxes they bound the value, and for string syntaxes they bound the length.
  4. If the attribute will contain more than one value, select the Multi-Valued check box.
  5. Click OK to create the attribute.
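The same attribute creation, done from PowerShell with the ActiveDirectory module instead of the snap-in, as an added example that is not code from the original article. It makes the checks the article relies on explicit (Schema Admins membership, targeting the schema master, and no existing object with the same OID, cn, or LDAP display name) before the irreversible write. The attribute names and the OID are placeholders chosen for this example; the 99999 arc is not one you own, so substitute an OID from your organization’s registered arc. The ActiveDirectory module is newer than the tools the article installs, so it assumes a current RSAT install.

```powershell
Import-Module ActiveDirectory

# Placeholder values for this example. The OID must come from an arc your
# organization actually owns; 99999 is not such an arc.
$cnName   = "ENP-Cost-Center"          # common name (cn)
$ldapName = "enpCostCenter"            # LDAP display name
$oid      = "1.3.6.1.4.1.99999.1.1"    # X.500 Object ID (placeholder)

# Check 1: the caller must hold Schema Admins in the logon token. A user added
# to the group a moment ago still fails here until they log off and on again.
$tokenGroups = [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups |
    ForEach-Object { $_.Translate([System.Security.Principal.NTAccount]).Value }
if (-not ($tokenGroups | Where-Object { $_ -like '*\Schema Admins' })) {
    throw "Current token does not contain Schema Admins; log on as a member and retry."
}

# Check 2: schema writes only succeed on the schema master, so address that
# DC explicitly instead of whichever DC the module happened to pick.
$schemaMaster = (Get-ADForest).SchemaMaster
$schemaNC     = (Get-ADRootDSE -Server $schemaMaster).schemaNamingContext

# Check 3: OID, cn and lDAPDisplayName must all be unique across the whole
# schema, classes included (a class governsID and an attributeID share one space).
$filter = "(|(attributeID=$oid)(governsID=$oid)(lDAPDisplayName=$ldapName)(cn=$cnName))"
$clash  = Get-ADObject -Server $schemaMaster -SearchBase $schemaNC -LDAPFilter $filter `
              -Properties attributeID, governsID, lDAPDisplayName
if ($clash) {
    throw "Schema already contains a conflicting object: $($clash.DistinguishedName)"
}

# Create the attribute. This is the irreversible step from the article: the
# object can later be made defunct but never deleted.
New-ADObject -Server $schemaMaster -Path $schemaNC -Type attributeSchema -Name $cnName `
    -OtherAttributes @{
        attributeID     = $oid
        lDAPDisplayName = $ldapName
        attributeSyntax = "2.5.5.12"   # Unicode String
        oMSyntax        = 64           # OM syntax that pairs with 2.5.5.12
        isSingleValued  = $true        # Multi-Valued box left unchecked
        rangeLower      = 1            # for string syntaxes these bound the length
        rangeUpper      = 64
    }

# Ask the schema master to reload its schema cache so the new attribute is
# usable now rather than after the next automatic cache reload.
$rootDse = [ADSI]"LDAP://$schemaMaster/RootDSE"
$rootDse.Put("schemaUpdateNow", 1)
$rootDse.SetInfo()

# Read the object back from the schema master to confirm what was written.
Get-ADObject -Server $schemaMaster -SearchBase $schemaNC -LDAPFilter "(attributeID=$oid)" `
    -Properties attributeID, lDAPDisplayName, attributeSyntax, oMSyntax, isSingleValued, rangeLower, rangeUpper
```

The uniqueness query deliberately searches the whole schema partition rather than just attributes, since a clash with a class OID or display name is just as fatal and just as permanent. Run the script once against a lab forest before touching production; the article’s backup advice applies unchanged.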

In Part 3, I’ll show you how to add a newly created attribute to a class so that you can begin using the attribute.

Brien M. Posey is an MCSE who works as a freelance writer. His past experience includes working as the director of information systems for a national chain of health care facilities and as a network engineer for the Department of Defense. Because of the extremely high volume of e-mail that Brien receives, it’s impossible for him to respond to every message, although he does read them all.
