Extending Active Directory Users and Computers with Custom Attributes


If you've ever wanted to add columns for unlisted attributes to Active Directory Users and Computers, you've been out of luck without editing the displaySpecifiers manually.

Until I had enough of it.

How does it work?  I'm so glad you asked.  So, if you're not familiar with the functionality that I'm talking about, open up Active Directory Users and Computers (or ADUC, since we make acronyms out of every damn thing), select an OU, right-click, point to View and then click Add/Remove Columns.

From here, you'll see the familiar list of column titles that you can add to the view.

So what happens when the column you want to view isn't there?  You're SOL, right?

Not exactly.  Crack open ADSIEdit.msc and let's go exploring.  You'll want to connect to the configuration container, and then expand the Configuration Naming Context, expand CN=Configuration,DC=domain,dc=com, expand CN=DisplaySpecifiers and select CN=organizationalUnit-Display in the main window.

Double-click CN=organiztionalUnit-Display and scroll down to extraColumns.  This is where you can add items to dsiplay in ADUC.  You'll notice that by default, it is null (<not set>).

This is a multivalued attribute, and the format is:

attributeName,Attribute Column Title,<visibility>,<width>,<reserved>

So, if you wanted to add extensionAttribute1 and have the column name display as "Extension Attribute 1," set the visibility to "True" (which will equate to "always on"), and the column width to auto, it would look like this:

Click add, and OK.  Piece of cake, right?

WRONG AGAIN, BOBBY BOUCHER!

After you close and reopen ADUC, you'll see that you now can ONLY select that column and a few base properties, but all of the others have disappeared.

Great job, Aaron!  Now you've really messed it up.

What happened?  When you populate the extraColumns attribute, that becomes the authoritative list for additional properties to surface in ADUC. How do we fix it?

  1. Go back to ADSIEdit.
  2. Clear the extraColumns attribute for CN=organizationalUnit-Display.
  3. Run the script I wrote.

So what's special about the script I wrote?  It pulls in all of the display specifiers in cn=default-Display and then adds your new one.  Here's what it looks like:

Now, when you close and re-run ADUC, you'll see all of the properties you previously had available.

And there you go.  You can get this latest installment of wizardry by going to the Technet Gallery or following the link below.  Happy modding!

https://gallery.technet.microsoft.com/Extend-Active-Directory-ccad3d1a/file/147298/2/Add-ADUCAttribute.ps1

Comments (10)

  1. Tony Confalone says:

    Thank you for this, very helpful. Question…I needed to added a column to CN=container-Display so see the column in the default users container. That went well, however, the script will not add all the default display identifiers back to cn=default-Display; looks like they are missing from CN=organizationalUnit-Display as well. Can you help?

    1. So you want additional columns available at the a different level?

  2. Steve Furniss says:

    Can you do a similar thing with Exchange 2013?

    1. What do you mean by “similar thing with Exchange 2013”? If you mean editing the ASP/html files for the web console, no. But if you mean adding Exchange attributes to the ADUC console, yes. You can actually use any attribute in the AD schema.

  3. Thanks for this Aaron, really useful. I’ve been trying to get it working with the pwdLastSet attribute but it never seems to generate any data in the column. Any ideas?

    1. Unfortunately not. pwdLastSet is indicated in ticks so even if you could display it, it wouldn’t be useful data.

  4. Nick Burdett says:

    Thanks Aaron, this is perfect!
    I’m now trying to add my columns to the ‘Find Computers’ search window – do you know which display specifier this would be in?

    1. I don’t know if it’s possible. The custom display specifiers don’t show up there, either, for users. I tried looking into “Search Folders” and saved queries, but that appears to pull from a list defined elsewhere. I’ll keep poking around and post back if I find anything.

  5. Sebastian Becker says:

    Hi, this looks promising for me. I need to add a column for “AccountExpires” or “AccountExpirationDate”. As mentioned before with the “pwdLastSet” – the column shows up, but no data. I tried both “AccountExpires” and “accountExpires”.

  6. Sebastian Becker says:

    Hi thanks, this looks promising for me. I need to add a column for “AccountExpires” or “AccountExpirationDate”. As mentioned before with the “pwdLastSet” – the column shows up, but no data. I tried both “AccountExpires” and “accountExpires”.

Skip to main content