You want to view the properties of an attribute.
Open the Active Directory Schema snap-in.
In the left pane, click on the Attributes folder.
In the right pane, double-click the attribute you want to view.
Click on each tab to view the available properties.
In the following command, replace <AttrCommonName> with the common name (not LDAP display name) of the attribute you want to view:
> dsquery * cn=schema,cn=configuration,<ForestRootDN> -scope onelevel -attr *[RETURN]
-filter "(&(objectcategory=attributeSchema)(cn=<AttrCommonName>))"
```vbscript
' This code displays the attributes for the specified attributeSchema object
' Refer to Recipe 4.2 for the DisplayAttributes( ) function code.
' ------ SCRIPT CONFIGURATION ------
' Set to the common name (not LDAP display name) of the attribute
strAttrName = "<AttrCommonName>" ' e.g. surname
' ------ END CONFIGURATION ---------

set objRootDSE = GetObject("LDAP://RootDSE")
set objAttr = GetObject("LDAP://cn=" & strAttrName & "," & _
                        objRootDSE.Get("schemaNamingContext"))
objAttr.GetInfo
WScript.Echo "Properties for " & strAttrName & ":"
DisplayAttributes(objAttr.ADsPath)
```
In the CLI and VBScript solutions, I mention that you need to specify the common name or cn of the attribute you want to view. The common name is a source of confusion for many people. For example, the surname attribute has the following distinguished name in the rallencorp.com forest:
cn=surname,cn=schema,cn=configuration,dc=rallencorp,dc=com
The problem is that most applications refer to attributes by their LDAP display name as defined in the lDAPDisplayName attribute for the attributeSchema object, which is typically different than the cn attribute. As an example, the surname attribute uses surname for its common name (cn), but sn for its LDAP display name (lDAPDisplayName).
In the CLI solution, if you want to use the LDAP display name instead of cn, simply change (cn=<AttrCommonName>) to (lDAPDisplayName=<AttrLDAPName>). In the VBScript solution, it is not that simple. When using cn, we can call GetObject since we know the DN of the attributeSchema object. If you want to use the lDAPDisplayName attribute instead, you'll need to do an ADO query and use the search criteria similar to that in the CLI solution.
One attribute of note that is defined on attributeSchema objects is the systemFlags bit flag, which is used to define a few miscellaneous properties about an attribute. Table 10-5 contains the bits associated with systemFlags. The values are cumulative, so a value of 17 (1 + 16) would indicate that the attribute is part of the base Active Directory installation and is not replicated.
Value | Description
---|---
1 | Not replicated among domain controllers.
4 | Dynamically constructed by Active Directory.
16 | Part of the base Active Directory installation. This value cannot be set.
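
The lookup by LDAP display name described above, combined with decoding systemFlags against Table 10-5, as an added PowerShell example (not code from the original recipe). The function names ConvertFrom-SystemFlags and Get-SchemaAttribute are hypothetical, and the schema query assumes a domain-joined host with read access to the schema.

```powershell
# Added example: function names are hypothetical; bit values come from Table 10-5.
$SystemFlagBits = @(
    @{ Bit = 1;  Meaning = 'Not replicated among domain controllers' },
    @{ Bit = 4;  Meaning = 'Dynamically constructed by Active Directory' },
    @{ Bit = 16; Meaning = 'Part of the base Active Directory installation' }
)

function ConvertFrom-SystemFlags {
    param([int]$Value)
    $remaining = $Value
    foreach ($flag in $SystemFlagBits) {
        if ($Value -band $flag.Bit) {
            '{0,2}: {1}' -f $flag.Bit, $flag.Meaning
            $remaining = $remaining -band (-bnot $flag.Bit)
        }
    }
    # Report set bits the table does not describe instead of dropping them.
    if ($remaining -ne 0) { "Bits not listed in Table 10-5: $remaining" }
}

function Get-SchemaAttribute {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    # Accept only letters, digits and hyphens so that filter metacharacters
    # such as * ( ) \ never reach the LDAP query.
    if ($LdapDisplayName -notmatch '^[A-Za-z][A-Za-z0-9-]*$') {
        throw "Not a valid LDAP display name: $LdapDisplayName"
    }
    $schemaNC = ([ADSI]'LDAP://RootDSE').schemaNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]"LDAP://$schemaNC"
    $searcher.SearchScope = 'OneLevel'
    $searcher.Filter = "(&(objectCategory=attributeSchema)(lDAPDisplayName=$LdapDisplayName))"
    $searcher.PropertiesToLoad.AddRange([string[]]@('cn', 'lDAPDisplayName', 'systemFlags'))
    $result = $searcher.FindOne()
    if (-not $result) { throw "No attributeSchema object has lDAPDisplayName=$LdapDisplayName" }
    # Result property names are stored in lowercase.
    $flags = 0
    if ($result.Properties.Contains('systemflags')) { $flags = [int]$result.Properties['systemflags'][0] }
    [pscustomobject]@{
        CommonName      = [string]$result.Properties['cn'][0]
        LdapDisplayName = [string]$result.Properties['ldapdisplayname'][0]
        SystemFlags     = $flags
        Meaning         = @(ConvertFrom-SystemFlags -Value $flags)
    }
}

ConvertFrom-SystemFlags -Value 17          # the value worked through in the text (1 + 16)
Get-SchemaAttribute -LdapDisplayName 'sn'  # queries the schema of the current forest
```
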
Recipe 4.2 for viewing the attributes of an object and Recipe 4.9 for searching with a bit-wise filter