Recipe 10.16 Finding the Linked Attributes

10.16.1 Problem

You want to find attributes that are linked.

10.16.2 Solution

10.16.2.1 Using a graphical user interface
  1. Open LDP.

  2. From the menu, select Connection → Connect.

  3. For Server, enter the name of a domain controller (or leave blank to do a serverless bind).

  4. For Port, enter 389.

  5. Click OK.

  6. From the menu, select Connection → Bind.

  7. Enter credentials of a domain user.

  8. Click OK.

  9. From the menu, select Browse → Search.

  10. For BaseDN, type the Schema container DN (e.g., cn=schema,cn=configuration,dc=rallencorp,dc=com).

  11. For Scope, select One Level.

  12. To find linked attributes, use the following for Filter:

    (&(objectcategory=attributeSchema)(linkid=*))
  13. Click Run.

10.16.2.2 Using a command-line interface

> dsquery * cn=schema,cn=configuration,<ForestRootDN> -scope onelevel -filter[RETURN]
"(&(objectcategory=attributeSchema)(linkid=*))" -attr cn linkID

10.16.2.3 Using VBScript

' This code prints out all of the attributes that are linked
' and their corresponding linkID values
set objRootDSE = GetObject("LDAP://RootDSE")
strBase    = "<LDAP://" & objRootDSE.Get("SchemaNamingContext") & ">;"
strFilter  = "(&(objectcategory=attributeSchema)(linkid=*));" 
strAttrs   = "cn,linkid;"
strScope   = "onelevel"

set objConn = CreateObject("ADODB.Connection")
objConn.Provider = "ADsDSOObject"
objConn.Open "Active Directory Provider"
set objRS = objConn.Execute(strBase & strFilter & strAttrs & strScope)
objRS.MoveFirst
while Not objRS.EOF
    Wscript.Echo objRS.Fields(1).Value & " : " & objRS.Fields(0).Value
    objRS.MoveNext
wend

10.16.3 Discussion

The values of some attributes in Active Directory are linked. For example, if you set the manager attribute on one user object to be the DN of a second user object, the reports attribute on the second user object will automatically contain the first user object's DN. In this example, the manager attribute, or the attribute that gets set, is considered the forward link and the reports attribute, or the attribute that automatically gets calculated, is called the back link. Another common example is group membership. The member attribute of the group object represents the forward link, while the memberOf attribute of the corresponding object (e.g., user) represents the back link.

You can identify which attributes are linked in the schema by searching for attributeSchema objects that have a linkID attribute that contains some value. The linkID value for a forward-link attribute will be an even, positive number. The corresponding back-link attribute will be the forward-linkID plus 1. For example, the manager attribute linkID is 42 and the back-link reports attribute has a linkID of 43.
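
The even/odd rule above can be applied to a listing of cn and linkID values such as the one the dsquery command in the solution returns. The following Python script is an added example, not code from the book; the sample listing is constructed, its last two rows are hypothetical schema entries, and the function names are illustrative.

```python
# SAMPLE_OUTPUT is constructed; the last two rows are hypothetical schema entries.
SAMPLE_OUTPUT = """\
  cn                     linkID
  Member                 2
  Is-Member-Of-DL        3
  Manager                42
  Reports                43
  Example-Forward-Only   9000
  Example-Back-Only      9003
"""


def parse_link_ids(text):
    """Return {linkID: cn} from two-column text; non-data lines are skipped."""
    links = {}
    for line in text.splitlines():
        parts = line.rsplit(None, 1)  # split off the last column (the linkID)
        if len(parts) != 2:
            continue
        try:
            links[int(parts[1])] = parts[0].strip()
        except ValueError:
            continue  # header row or other non-numeric line
    return links


def pair_links(links):
    """Split into (pairs, forward_only, back_only): back linkID = forward + 1."""
    pairs, forward_only, back_only = [], [], []
    for link_id in sorted(links):
        if link_id % 2 == 0:  # even linkID: forward link
            back = links.get(link_id + 1)
            if back is None:
                forward_only.append((link_id, links[link_id]))
            else:
                pairs.append((link_id, links[link_id], back))
        elif link_id - 1 not in links:  # odd linkID whose forward link is absent
            back_only.append((link_id, links[link_id]))
    return pairs, forward_only, back_only


if __name__ == "__main__":
    pairs, forward_only, back_only = pair_links(parse_link_ids(SAMPLE_OUTPUT))
    for link_id, fwd, back in pairs:
        print(f"{link_id:>5}/{link_id + 1:<5} {fwd} -> {back}")
    for link_id, name in forward_only + back_only:
        print(f"{link_id:>5}       {name} (no partner in this listing)")
```

Unpaired entries are worth a second look when auditing a schema, because they show where a forward link has no computed counterpart in the listing or where a back link's source attribute is missing from it.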


