Exploring Active Directory Data Types with PowerShell

Doctor Scripto

Summary: Microsoft Scripting Guy, Ed Wilson, talks about using Windows PowerShell to explore Active Directory data types.

Hey, Scripting Guy! Question Hey, Scripting Guy! I need a way to see the data types of various Active Directory attributes. I know I can look up this information on MSDN, but I want to explore these on my own. Have you written an Active Directory schema browser?

—AB

Hey, Scripting Guy! Answer Hello AB,

Microsoft Scripting Guy, Ed Wilson, is here. You know, more than five years ago I wrote an Active Directory schema browser in Windows PowerShell. I just looked at it again, and I will be honest, I was not really impressed. It seems that I have learned a bit about Windows PowerShell in the intervening years. But one thing I did not remember, was how I actually accessed the Active Directory schema in the first place. So from that 116 line Windows PowerShell script, the following line of script is about all I really needed. Good thing I saved that script, or I might have been in trouble. As I recall, it is not something that is easily found.

Use PowerShell to retrieve the Active Directory schema

I use the [DirectoryServices.ActiveDirectory.ActiveDirectorySchema] .NET Framework class and the GetCurrentSchema static to retrieve the current schema. I store the returned ActiveDirectorySchema object in a variable named $schema. This technique is shown here:

$schema =[DirectoryServices.ActiveDirectory.ActiveDirectorySchema]::GetCurrentSchema()

Now I look inside the $schema variable to see what I have obtained, as shown here:

PS C:\> $schema

 

SchemaRoleOwner                            Name

—————                            —-

dc1.iammred.net                            CN=Schema,CN=Configuration,DC=iammred,…

I decide to use Get-Member to see what this object will enable me to do. Here is the command and the results:

PS C:\> $schema | Get-Member

 

   TypeName: System.DirectoryServices.ActiveDirectory.ActiveDirectorySchema

 

Name                     MemberType Definition

—-                     ———- ———-

Dispose                  Method     void Dispose(), void IDisposable.Dispose()

Equals                   Method     bool Equals(System.Object obj)

FindAllClasses           Method     System.DirectoryServices.ActiveDirectory.Read…

FindAllDefunctClasses    Method     System.DirectoryServices.ActiveDirectory.Read…

FindAllDefunctProperties Method     System.DirectoryServices.ActiveDirectory.Read…

FindAllProperties        Method     System.DirectoryServices.ActiveDirectory.Read…

FindClass                Method     System.DirectoryServices.ActiveDirectory.Acti…

FindDefunctClass         Method     System.DirectoryServices.ActiveDirectory.Acti…

FindDefunctProperty      Method     System.DirectoryServices.ActiveDirectory.Acti…

FindProperty             Method     System.DirectoryServices.ActiveDirectory.Acti…

GetDirectoryEntry        Method     adsi GetDirectoryEntry()

GetHashCode              Method     int GetHashCode()

GetType                  Method     type GetType()

RefreshSchema            Method     void RefreshSchema()

ToString                 Method     string ToString()

Name                     Property   string Name {get;}

SchemaRoleOwner          Property   System.DirectoryServices.ActiveDirectory.Dire…

There were two properties displayed earlier when I examined the $schema variable. There are also a bunch of methods. These methods seem to be rather interesting. First, let me look at a User class:

PS C:\> $schema.FindClass(“user”)

 

Name                            : user

CommonName                      : User

Oid                             : 1.2.840.113556.1.5.9

Description                     :

IsDefunct                       : False

PossibleSuperiors               : {msExchSystemObjectsContainer, builtinDomain,

                                  organizationalUnit, domainDNS}

PossibleInferiors               : {ms-net-ieee-80211-GroupPolicy,

                                  msExchActiveSyncDevices,

                                  ms-net-ieee-8023-GroupPolicy, classStore…}

MandatoryProperties             : {cn, instanceType, nTSecurityDescriptor,

                                  objectCategory…}

OptionalProperties              : {accountExpires, accountNameHistory,

                                  aCSPolicyName, adminCount…}

AuxiliaryClasses                : {bootableDevice, samDomainBase,

                                  simpleSecurityObject, ieee802Device…}

SubClassOf                      : organizationalPerson

Type                            : Structural

SchemaGuid                      : bf967aba-0de6-11d0-a285-00aa003049e2

DefaultObjectSecurityDescriptor : System.DirectoryServices.ActiveDirectorySecurity

Now let me look at the required properties of a User class:

$schema.FindClass(“user”).mandatoryproperties

The command returns a lot of information, but it seems to be rather cluttered. Here is the output:

Image of command output

I decide to pipe the output to the Out-GridView cmdlet. This provides me with a nice graphical tool and enables me to view the information more easily. Here is the command (ogv is an alias for the Out-GridView cmdlet):

$schema.FindClass(“user”).mandatoryproperties | ogv

The output from the previous command is represented in the following image:

Image of command output

Now I want to look at the User class optional attributes. To do this, I use the following command:

$schema.FindClass(“user”).optionalproperties | Out-GridView

There are hundreds of optional attributes for the user class object. They all appear in the following Grid View. As you can see, there is also a great deal of useful information available here.

Image of command output

The cool thing about using the Out-GridView tool is that I can easily filter the display to permit further discovery. The image that follows shows IsSingleValued equal to False (indicating multivalued attributes), IsInGlobalCatalog equal to True, IsIndexed equal to True, and it is sorted by Syntax.

Image of command output

In addition to using Out-GridView, I can use normal Windows PowerShell commands. For example, I can use the following command to find all the different types of unique syntax:

$schema.FindClass(“user”).optionalproperties | select syntax -Unique

The command and associated output are shown here:

Image of command output

AB, that is all there is to using Windows PowerShell to explore the Active Directory Schema. Join me tomorrow when I will talk about more cool Windows PowerShell stuff.

I invite you to follow me on Twitter and Facebook. If you have any questions, send email to me at scripter@microsoft.com, or post your questions on the Official Scripting Guys Forum. See you tomorrow. Until then, peace.

Ed Wilson, Microsoft Scripting Guy 

0 comments

Discussion is closed.

Feedback usabilla icon