Set linkID on custom Schema attributes

Question

Set linkID on custom Schema attributes

Zoddo 81

Hello,

We want to add linked attributes in our Active Directory Schema.
I've found some documentation here and here.

However, while doing some tests in a lab environnement, I was unable to set the linkID attribute on my newly created attribute. It seems to be read-only.

(the button on bottom left says "Show" instead of "Edit")

I'm logged in with the builtin Administrator account which is a schema administrator, and the mmc is started as administrator on the only DC of this lab.
Security permissions shows that Schema Administrators should be able to write the linkID attribute.

So, how can I create these linked attributes? Am I missing something ?

Anonymous

2021-05-05T09:16:07.943+00:00

Hello @Zoddo ,
How are things going on your end? Please keep me posted on this issue.
If you have any further questions or concerns about this question, please let us know.
I appreciate your time and efforts.

Best Regards,
Daisy Zhou

6 answers

Your answer

Anonymous

2021-05-05T09:16:07.943+00:00

Hello @Zoddo ,
How are things going on your end? Please keep me posted on this issue.
If you have any further questions or concerns about this question, please let us know.
I appreciate your time and efforts.

Best Regards,
Daisy Zhou

Answer 1

Hello,

It looks like I never came back with the solution.

The issue was that I created these new attributes using the ADSI UI (which doesn't populate linkID), and then tried to set the linkID afterwards.
However, the linkID can only be set when creating the attribute.

To set it when creating the attribute, you need to write an ldif script that includes the linkID and load it with the ldifde command.

In my case, considering the attribute "PrimaryAccount" as a forward link, and "SecondaryAccounts" as back link on the domain "example.com", my ldif script looks like this:
(note: OIDs should be generated as documented here: https://learn.microsoft.com/en-us/windows/win32/ad/obtaining-an-object-identifier-from-microsoft)

dn: CN=PrimaryAccount,CN=Schema,CN=Configuration,DC=exmaple,DC=com  
changetype: add  
adminDisplayName: PrimaryAccount  
attributeID: 1.2.840.113556.1.8000.2554.47216.25588.34843.17632.44633.477697.7625458.1.2  
attributeSyntax: 2.5.5.1  
cn: PrimaryAccount  
isMemberOfPartialAttributeSet: FALSE  
isSingleValued: TRUE  
lDAPDisplayName: PrimaryAccount  
linkID: 1.2.840.113556.1.2.50  
distinguishedName: CN=PrimaryAccount,CN=Schema,CN=Configuration,DC=exmaple,DC=com  
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=exmaple,DC=com  
objectClass: attributeSchema  
oMObjectClass:: KwwCh3McAIVK  
oMSyntax: 127  
searchFlags: 0  
name: PrimaryAccount  
  
DN:  
changetype: modify  
add: schemaUpdateNow  
schemaUpdateNow: 1  
-  
  
dn: CN=SecondaryAccounts,CN=Schema,CN=Configuration,DC=exmaple,DC=com  
changetype: add  
adminDisplayName: SecondaryAccounts  
attributeID: 1.2.840.113556.1.8000.2554.47216.25588.34843.17632.44633.477697.7625458.1.3  
attributeSyntax: 2.5.5.1  
cn: SecondaryAccounts  
isMemberOfPartialAttributeSet: FALSE  
isSingleValued: FALSE  
lDAPDisplayName: SecondaryAccounts  
linkID: 1.2.840.113556.1.8000.2554.47216.25588.34843.17632.44633.477697.7625458.1.2  
distinguishedName: CN=SecondaryAccounts,CN=Schema,CN=Configuration,DC=exmaple,DC=com  
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=exmaple,DC=com  
objectClass: attributeSchema  
oMObjectClass:: KwwCh3McAIVK  
oMSyntax: 127  
searchFlags: 0  
name: SecondaryAccounts  
  
DN:  
changetype: modify  
add: schemaUpdateNow  
schemaUpdateNow: 1  
-  
  
DN: CN=User,CN=Schema,CN=Configuration,DC=exmaple,DC=com  
changetype: modify  
add: mayContain  
mayContain: SecondaryAccounts  
-  
  
DN:  
changetype: modify  
add: schemaUpgradeInProgress  
schemaUpgradeInProgress: 1  
-  
  
DN: CN=Top,CN=Schema,CN=Configuration,DC=exmaple,DC=com  
changetype: modify  
add: mayContain  
mayContain: PrimaryAccount  
-  
  
DN:  
changetype: modify  
add: schemaUpdateNow  
schemaUpdateNow: 1  
-

You can see the linkID of the PrimaryAccount attribute set to 1.2.840.113556.1.2.50 which is a special value that will get replaced when the attribute will be created as documented here.
The linkID of the SecondaryAccounts attribute points back to the attributeID of PrimaryAccount (this will also be automatically replaced by a proper linkID upon creation).

Once the ldif script is created, you can import it on the Schema Master DC (using an account that is member of the Schema Administrator group) with the following command:

ldifde -i -k -c CN=Schema,CN=Configuration,DC=example,DC=com CN=Schema,CN=Configuration,DC=example,DC=com -s dc1.domain.com -f ./ldif_linkID.ldf

Wait for replication across all DCs, then you should be able to set "PrimaryAccount".

Answer 2

Hello @Zoddo ,

Thank you for posting here.

Based on the screenshot above, what object Properties it is?

I have done a test in my lad.

1-I linked the linkID attribute to user object class manually.

2-Then I open a user Properties and edit linkID, I can not edit it, either.

Tip:I only have one DC(PDC) and i am the built-in Domain Administrator.

3-I have checked from the link you provided, the linkID attribute is the default attribute of attributeSchema class.

We can try to edit this attribute value on one AD object corresponding to attributeSchema class.
Such as user class (one AD user named Daisy22).

Hope the information above is helpful.

Should you have any question or concern, please feel free to let us know.

Best Regards,
Daisy Zhou

============================================

If the Answer is helpful, please click "Accept Answer" and upvote it.

Answer 3

Zoddo 81

It's on the object representing the custom schema attribute I've created.

The attribute was created in the "Active Directory Schema" snap-in:

Then I'm trying to set the value from the ADSI Editor (attribute editor tab isn't accessible from the schema snap-in itself):

Anonymous

2021-04-27T03:23:28.617+00:00

Hello @Zoddo ,
Thank you for your update.

I can not find PrimaryAccount in my lab, is the attribute your custom attribute?

Best Regards,
Daisy Zhou

Answer 4

Zoddo 81

Hello @Anonymous ,

Yes, PrimaryAccount is my custom attribute.
Sorry if it wasn't clear.

Best Regards

Answer 5

Anonymous

Hello @Zoddo ,

Thank you for your update.

I have discussed with my colleague, we can not edit/set the attribute value of the linkID.
We can run command to check:

Get-ADObject -SearchBase (Get-ADRootDSE).SchemaNamingContext -LDAPFilter "(LinkID=*)"  -Properties LinkID,LDAPDisplayname | Get-Member

We can only get the attribute value of the linkID for the following class objects, run command:

Get-ADObject -SearchBase (Get-ADRootDSE).SchemaNamingContext -LDAPFilter "(LinkID=*)"  -Properties LinkID,LDAPDisplayname

Hope the information above is helpful.

Should you have any question or concern, please feel free to let us know.

Best Regards,
Daisy Zhou

============================================

If the Answer is helpful, please click "Accept Answer" and upvote it.

Zoddo 81 Reputation points

2021-04-29T15:15:59.733+00:00
Your response confuse me as the following docs suggest that we can create additional linked attributes:

https://learn.microsoft.com/en-us/windows/win32/ad/linked-attributes

https://learn.microsoft.com/en-us/windows/win32/ad/obtaining-a-link-id

Even in this third-party book, it seems the author managed to create them: https://flylib.com/books/en/1.434.1/modeling_one_to_many_and_many_to_many_relationships.html

By the way, there is applications in the wild that add linked attributes in the AD schema (i.e. Exchange, to mention a Microsoft's product). These attributes are not built in Active Directory, and are added upon installation of these applications. So, I'm almost certain that there is a way to set the linkID attribute.

Share via

Set linkID on custom Schema attributes

6 answers

Your answer