Summary: Microsoft Scripting Guy, Ed Wilson, talks about using Windows PowerShell to explore Active Directory data types.
Hey, Scripting Guy! I need a way to see the data types of various Active Directory attributes. I know I can look up this information on MSDN, but I want to explore these on my own. Have you written an Active Directory schema browser?
—AB
Hello AB,
Microsoft Scripting Guy, Ed Wilson, is here. You know, more than five years ago I wrote an Active Directory schema browser in Windows PowerShell. I just looked at it again, and I will be honest, I was not really impressed. It seems that I have learned a bit about Windows PowerShell in the intervening years. But one thing I did not remember was how I actually accessed the Active Directory schema in the first place. So from that 116-line Windows PowerShell script, the following line of script is about all I really needed. Good thing I saved that script, or I might have been in trouble. As I recall, it is not something that is easily found.
Use PowerShell to retrieve the Active Directory schema
I use the [DirectoryServices.ActiveDirectory.ActiveDirectorySchema] .NET Framework class and its GetCurrentSchema static method to retrieve the current schema. I store the returned ActiveDirectorySchema object in a variable named $schema. This technique is shown here:
$schema = [DirectoryServices.ActiveDirectory.ActiveDirectorySchema]::GetCurrentSchema()
Now I look inside the $schema variable to see what I have obtained, as shown here:
PS C:\> $schema
SchemaRoleOwner Name
--------------- ----
dc1.iammred.net CN=Schema,CN=Configuration,DC=iammred,...
I decide to use Get-Member to see what this object will enable me to do. Here is the command and the results:
PS C:\> $schema | Get-Member
TypeName: System.DirectoryServices.ActiveDirectory.ActiveDirectorySchema
Name MemberType Definition
---- ---------- ----------
Dispose Method void Dispose(), void IDisposable.Dispose()
Equals Method bool Equals(System.Object obj)
FindAllClasses Method System.DirectoryServices.ActiveDirectory.Read...
FindAllDefunctClasses Method System.DirectoryServices.ActiveDirectory.Read...
FindAllDefunctProperties Method System.DirectoryServices.ActiveDirectory.Read...
FindAllProperties Method System.DirectoryServices.ActiveDirectory.Read...
FindClass Method System.DirectoryServices.ActiveDirectory.Acti...
FindDefunctClass Method System.DirectoryServices.ActiveDirectory.Acti...
FindDefunctProperty Method System.DirectoryServices.ActiveDirectory.Acti...
FindProperty Method System.DirectoryServices.ActiveDirectory.Acti...
GetDirectoryEntry Method adsi GetDirectoryEntry()
GetHashCode Method int GetHashCode()
GetType Method type GetType()
RefreshSchema Method void RefreshSchema()
ToString Method string ToString()
Name Property string Name {get;}
SchemaRoleOwner Property System.DirectoryServices.ActiveDirectory.Dire...
There were two properties displayed earlier when I examined the $schema variable. There are also a bunch of methods. These methods seem to be rather interesting. First, let me look at a User class:
PS C:\> $schema.FindClass("user")
Name : user
CommonName : User
Oid : 1.2.840.113556.1.5.9
Description :
IsDefunct : False
PossibleSuperiors : {msExchSystemObjectsContainer, builtinDomain, organizationalUnit, domainDNS}
PossibleInferiors : {ms-net-ieee-80211-GroupPolicy, msExchActiveSyncDevices, ms-net-ieee-8023-GroupPolicy, classStore...}
MandatoryProperties : {cn, instanceType, nTSecurityDescriptor, objectCategory...}
OptionalProperties : {accountExpires, accountNameHistory, aCSPolicyName, adminCount...}
AuxiliaryClasses : {bootableDevice, samDomainBase, simpleSecurityObject, ieee802Device...}
SubClassOf : organizationalPerson
Type : Structural
SchemaGuid : bf967aba-0de6-11d0-a285-00aa003049e2
DefaultObjectSecurityDescriptor : System.DirectoryServices.ActiveDirectorySecurity
Now let me look at the required properties of a User class:
$schema.FindClass("user").mandatoryproperties
The command returns a lot of information, but it seems to be rather cluttered. Here is the output:
I decide to pipe the output to the Out-GridView cmdlet. This provides me with a nice graphical tool and enables me to view the information more easily. Here is the command (ogv is an alias for the Out-GridView cmdlet):
$schema.FindClass("user").mandatoryproperties | ogv
The output from the previous command is represented in the following image:
Now I want to look at the User class optional attributes. To do this, I use the following command:
$schema.FindClass("user").optionalproperties | Out-GridView
There are hundreds of optional attributes for the user class object. They all appear in the following Grid View. As you can see, there is also a great deal of useful information available here.
The cool thing about using the Out-GridView tool is that I can easily filter the display to permit further discovery. The image that follows shows IsSingleValued equal to False (indicating multivalued attributes), IsInGlobalCatalog equal to True, IsIndexed equal to True, and it is sorted by Syntax.
In addition to using Out-GridView, I can use normal Windows PowerShell commands. For example, I can use the following command to find all the different types of unique syntax:
$schema.FindClass("user").optionalproperties | select syntax -Unique
The command and associated output are shown here:
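The same ActiveDirectorySchema class can drive a small reusable function instead of a Grid View. The following is an added example, not code from the original post: it returns one object per attribute of a class (with the Syntax, IsSingleValued, IsInGlobalCatalog and IsIndexed fields filtered on above) plus the class's SubClassOf chain, so the result can be filtered, sorted, grouped or exported from the pipeline. It assumes a domain-joined session that can reach a domain controller; the function and parameter names are my own.

```powershell
# Added example (not from the original post). Wraps the ActiveDirectorySchema
# lookups shown above in a function that emits plain objects.
function Get-ADClassAttributeReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ClassName,   # e.g. user, computer, group
        [switch]$MandatoryOnly                      # skip OptionalProperties
    )

    $schema = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySchema]::GetCurrentSchema()
    $class  = $schema.FindClass($ClassName)         # throws if the class is not in the schema

    # Walk SubClassOf to record the inheritance chain, e.g. user -> organizationalPerson -> person -> top.
    # The 'top' class is its own superclass, so stop there (and on any repeat, to be safe).
    $chain   = @()
    $current = $class
    while ($current -and $current.Name -ne 'top' -and $chain -notcontains $current.Name) {
        $chain  += $current.Name
        $current = $current.SubClassOf
    }
    $chainText = ($chain + 'top') -join ' -> '

    # MandatoryProperties and OptionalProperties already include inherited attributes,
    # exactly as the Grid View above showed them.
    $groups = @(@{ Mandatory = $true; Props = $class.MandatoryProperties })
    if (-not $MandatoryOnly) {
        $groups += @{ Mandatory = $false; Props = $class.OptionalProperties }
    }

    foreach ($g in $groups) {
        foreach ($attr in $g.Props) {
            [pscustomobject]@{
                Class             = $class.Name
                Inherits          = $chainText
                Attribute         = $attr.Name
                Mandatory         = $g.Mandatory
                Syntax            = $attr.Syntax.ToString()   # ActiveDirectorySyntax enum name
                IsSingleValued    = $attr.IsSingleValued
                IsInGlobalCatalog = $attr.IsInGlobalCatalog
                IsIndexed         = $attr.IsIndexed
            }
        }
    }
}

# Usage: the same filter applied in the Grid View above, then a count of attributes per syntax.
# Get-ADClassAttributeReport -ClassName user |
#     Where-Object { -not $_.IsSingleValued -and $_.IsInGlobalCatalog -and $_.IsIndexed } |
#     Sort-Object Syntax | Format-Table Attribute, Syntax, Mandatory
# Get-ADClassAttributeReport -ClassName user | Group-Object Syntax | Sort-Object Count -Descending
```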
AB, that is all there is to using Windows PowerShell to explore the Active Directory Schema. Join me tomorrow when I will talk about more cool Windows PowerShell stuff.
I invite you to follow me on Twitter and Facebook. If you have any questions, send email to me at scripter@microsoft.com, or post your questions on the Official Scripting Guys Forum. See you tomorrow. Until then, peace.
Ed Wilson, Microsoft Scripting Guy