Recipe 10.8 Viewing an Attribute

10.8.1 Problem

You want to view the properties of an attribute.

10.8.2 Solution

Using a graphical user interface

  1. Open the Active Directory Schema snap-in.

  2. In the left pane, click on the Attributes folder.

  3. In the right pane, double-click the attribute you want to view.

  4. Click on each tab to view the available properties.

Using a command-line interface

In the following command, replace <AttrCommonName> with the common name (not LDAP display name) of the attribute you want to view:

> dsquery * cn=schema,cn=configuration,<ForestRootDN> -scope onelevel -attr *[RETURN]
-filter "(&(objectcategory=attributeSchema)(cn=<AttrCommonName>))"

Using VBScript

' This code displays the attributes for the specified attributeSchema object
' Refer to Recipe 4.2 for the DisplayAttributes( ) function code.
' ------ SCRIPT CONFIGURATION ------
' Set to the common name (not LDAP display name) of the attribute
strAttrName = "<AttrCommonName>"   ' e.g. surname
' ------ END CONFIGURATION ---------

set objRootDSE = GetObject("LDAP://RootDSE")
' Bind to the attributeSchema object by its DN in the schema naming context
set objAttr = GetObject("LDAP://cn=" & strAttrName & "," & _
                        objRootDSE.Get("schemaNamingContext"))
WScript.Echo "Properties for " & strAttrName & ":"
' DisplayAttributes is defined in Recipe 4.2; passing the ADsPath is an assumption
DisplayAttributes(objAttr.ADsPath)

10.8.3 Discussion

In the CLI and VBScript solutions, I mention that you need to specify the common name or cn of the attribute you want to view. The common name is a source of confusion for many people. For example, the surname attribute has the following distinguished name in the forest:

cn=surname,cn=schema,cn=configuration,<ForestRootDN>

The problem is that most applications refer to attributes by their LDAP display name as defined in the lDAPDisplayName attribute for the attributeSchema object, which is typically different than the cn attribute. As an example, the surname attribute uses surname for its common name (cn), but sn for its LDAP display name (lDAPDisplayName).

In the CLI solution, if you want to use the LDAP display name instead of cn, simply change (cn=<AttrCommonName>) to (lDAPDisplayName=<AttrLDAPName>). In the VBScript solution, it is not that simple. When using cn, we can call GetObject since we know the DN of the attributeSchema object. If you want to use the lDAPDisplayName attribute instead, you'll need to do an ADO query and use the search criteria similar to that in the CLI solution.

One attribute of note that is defined on attributeSchema objects is the systemFlags bit flag, which is used to define a few miscellaneous properties about an attribute. Table 10-5 contains the bits associated with systemFlags. The values are cumulative, so a value of 17 (1 + 16) would indicate that the attribute is part of the base Active Directory installation and is not replicated.

Table 10-5. systemFlags bit values

Value   Description
1       Not replicated among domain controllers.
4       Dynamically constructed by Active Directory.
16      Part of the base Active Directory installation. This value cannot be set.
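
The Discussion notes that finding an attribute by lDAPDisplayName from VBScript requires an ADO query. The script below is an added example, not code from the original recipe: it runs that query and decodes the systemFlags bits. The EscapeFilterValue helper and the <AttrLDAPName> placeholder are assumptions made for illustration.

```vbscript
' Added example, not from the original recipe.
' ------ SCRIPT CONFIGURATION ------
strLdapName = "<AttrLDAPName>"   ' e.g. sn
' ------ END CONFIGURATION ---------

set objRootDSE = GetObject("LDAP://RootDSE")
strSchemaDN = objRootDSE.Get("schemaNamingContext")

' Same filter as the CLI solution, matching on lDAPDisplayName instead of cn.
' The value is escaped so filter metacharacters in it are treated as literals.
strFilter = "(&(objectCategory=attributeSchema)(lDAPDisplayName=" & _
            EscapeFilterValue(strLdapName) & "))"
strQuery = "<LDAP://" & strSchemaDN & ">;" & strFilter & _
           ";cn,distinguishedName,systemFlags;onelevel"

set objConn = CreateObject("ADODB.Connection")
objConn.Provider = "ADsDSOObject"
objConn.Open "Active Directory Provider"
set objRS = objConn.Execute(strQuery)

If objRS.EOF Then
    WScript.Echo "No attribute found with lDAPDisplayName " & strLdapName
Else
    WScript.Echo "cn: " & objRS.Fields("cn").Value
    WScript.Echo "DN: " & objRS.Fields("distinguishedName").Value
    ' systemFlags may be unset on an attribute; treat that as 0
    lngFlags = 0
    If Not IsNull(objRS.Fields("systemFlags").Value) Then
        lngFlags = objRS.Fields("systemFlags").Value
    End If
    WScript.Echo "systemFlags: " & lngFlags
    ' Test each bit separately because the values are cumulative
    If (lngFlags And 1) <> 0 Then WScript.Echo "   1: not replicated"
    If (lngFlags And 4) <> 0 Then WScript.Echo "   4: constructed"
    If (lngFlags And 16) <> 0 Then WScript.Echo "  16: base installation"
End If
objConn.Close

' Hypothetical helper: escape the LDAP filter special characters \ * ( )
Function EscapeFilterValue(strValue)
    strOut = Replace(strValue, "\", "\5c")   ' backslash first
    strOut = Replace(strOut, "*", "\2a")
    strOut = Replace(strOut, "(", "\28")
    strOut = Replace(strOut, ")", "\29")
    EscapeFilterValue = strOut
End Function
```

For the surname attribute, set strLdapName to sn; a systemFlags value of 17 would print both the 1 and 16 lines.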

10.8.4 See Also

Recipe 4.2 for viewing the attributes of an object and Recipe 4.9 for searching with a bit-wise filter