active-directoryldapopenldapapacheds

Finding System modifiable attributes for each object class in Microsoft Active Directory


We could see attributes which are part of systemMayContain attributes list are user modifiable. If we consider the computer object class. Below is the definition of object class ( 1.2.840.113556.1.3.30 NAME 'computer' SUP user STRUCTURAL MAY (cn $ networkAddress $ localPolicyFlags $ defaultLocalPolicyObject $ machineRole $ location $ netbootInitialization $ netbootGUID $ netbootMachineFilePath $ siteGUID $ operatingSystem $ operatingSystemVersion $ operatingSystemServicePack $ operatingSystemHotfix $ volumeCount $ physicalLocationObject $ dNSHostName $ policyReplicationFlags $ managedBy $ rIDSetReferences $ catalogs $ netbootSIFFile $ netbootMirrorDataFile $ msDS-AdditionalDnsHostName $ msDS-AdditionalSamAccountName $ msDS-ExecuteScriptPassword $ msDS-KrbTgtLink $ msDS-RevealedUsers $ msDS-NeverRevealGroup $ msDS-RevealOnDemandGroup $ msDS-RevealedList $ msDS-AuthenticatedAtDC $ msDS-isGC $ msDS-isRODC $ msDS-SiteName $ msDS-PromotionSettings $ msTPM-OwnerInformation $ msTSProperty01 $ msTSProperty02 $ msDS-IsUserCachableAtRodc $ msDS-HostServiceAccount $ msTSEndpointData $ msTSEndpointType $ msTSEndpointPlugin $ msTSPrimaryDesktopBL $ msTSSecondaryDesktopBL $ msTPM-TpmInformationForComputer $ msDS-GenerationId $ msImaging-ThumbprintHash $ msImaging-HashAlgorithm $ netbootDUID $ msSFU30Name $ msSFU30Aliases $ msSFU30NisDomain $ nisMapName ) )

Below is the list systemMayContain attributes "systemMayContain":["msImaging-HashAlgorithm","msImaging-ThumbprintHash","msDS-GenerationId","msTPM-TpmInformationForComputer","msTSSecondaryDesktopBL","msTSPrimaryDesktopBL","msTSEndpointPlugin","msTSEndpointType","msTSEndpointData","msDS-HostServiceAccount","msDS-IsUserCachableAtRodc","msTSProperty02","msTSProperty01","msTPM-OwnerInformation","msDS-RevealOnDemandGroup","msDS-NeverRevealGroup","msDS-PromotionSettings","msDS-SiteName","msDS-isRODC","msDS-isGC","msDS-AuthenticatedAtDC","msDS-ExecuteScriptPassword","msDS-RevealedList","msDS-RevealedUsers","msDS-KrbTgtLink","volumeCount","siteGUID","rIDSetReferences","policyReplicationFlags","physicalLocationObject","operatingSystemVersion","operatingSystemServicePack","operatingSystemHotfix","operatingSystem","networkAddress","netbootSIFFile","netbootMirrorDataFile","netbootMachineFilePath","netbootInitialization","netbootDUID","netbootGUID","msDS-AdditionalSamAccountName","msDS-AdditionalDnsHostName","managedBy","machineRole","location","localPolicyFlags","dNSHostName","defaultLocalPolicyObject","cn","catalogs"]

If we consider msImaging-HashAlgorithm, msImaging-ThumbprintHash, msTPM-TpmInformationForComputer, msTSEndpointPlugin, msTSEndpointType, msTSEndpointData, msDS-HostServiceAccount, msTSProperty02, msTSProperty01, msTPM-OwnerInformation, msDS-RevealOnDemandGroup, msDS-NeverRevealGroup, msDS-PromotionSettings, msDS-AuthenticatedAtDC, msDS-RevealedUsers, msDS-KrbTgtLink, volumeCount, rIDSetReferences, policyReplicationFlags, physicalLocationObject, operatingSystemVersion, operatingSystemServicePack, operatingSystemHotfix, operatingSystem, networkAddress, managedBy, machineRole, location, localPolicyFlags, dNSHostName, defaultLocalPolicyObject, cn, catalogs these fields are user modifiable and part of systemMayContain list. When tried with setting value while creating Computer object it allows. Is there any way to know only system fields which does not allow user input? Thank you.


Solution

  • This information is specific to Active Directory. MSDN has documentation for each schema attribute -- e.g. CN -- which documents if the attribute is "system only" or not.

    For an automated process, search at the base cn=schema,cn=configuration,dc=example,dc=com with the filter (&(ldapDisplayName=AttributeName))and return the value of systemOnly. E.G. this shows that operatingSystemServicePack is user writable.

    ***Searching...
    ldap_search_s(ld, "cn=schema,cn=configuration,dc=example,dc=com", 2, "(&(ldapDisplayName=operatingSystemServicePack))", attrList,  0, &msg)
    Getting 1 entries:
    Dn: CN=Operating-System-Service-Pack,CN=Schema,CN=Configuration,dc=example,dc=com
    systemOnly: FALSE; 
    

    You can also list all of the system-only attributes by using the filter (&(systemOnly=TRUE)) and returning ldapDisplayName

    ***Searching...
    ldap_search_s(ld, "cn=schema,cn=configuration,dc=example,dc=com", 2, "(&(systemOnly=TRUE))", attrList,  0, &msg)
    Getting 189 entries:
    Dn: CN=OM-Object-Class,CN=Schema,CN=Configuration,dc=example,dc=com
    lDAPDisplayName: oMObjectClass; 
    
    Dn: CN=Canonical-Name,CN=Schema,CN=Configuration,dc=example,dc=com
    lDAPDisplayName: canonicalName; 
    
    Dn: CN=Managed-Objects,CN=Schema,CN=Configuration,dc=example,dc=com
    lDAPDisplayName: managedObjects; 
    
    Dn: CN=MAPI-ID,CN=Schema,CN=Configuration,dc=example,dc=com
    lDAPDisplayName: mAPIID; 
    
    Dn: CN=Mastered-By,CN=Schema,CN=Configuration,dc=example,dc=com
    lDAPDisplayName: masteredBy; 
    
    Dn: CN=Top,CN=Schema,CN=Configuration,dc=example,dc=com
    lDAPDisplayName: top; 
    
    Dn: CN=NTDS-DSA-RO,CN=Schema,CN=Configuration,dc=example,dc=com
    lDAPDisplayName: nTDSDSARO; 
    
    Dn: CN=Application-Process,CN=Schema,CN=Configuration,dc=example,dc=com
    lDAPDisplayName: applicationProcess; 
    ...