How to modify Custom Attribute Syntax

Question

I was asked to create three custom attributes in AD for our Big5 application user:

F5-F5OS-UID

F5-F5OS-GID

F5-F5OS-SHELL

I follow the following guide to create these custom attributes in my AD:

https://www.rebeladmin.com/2017/11/step-step-guide-create-custom-active-directory-attributes/

I left "Syntax" as Default while creating which was "Access Point"!

Now I received the values for these custom attributes for the user account which are:

F5-F5OS-UID = 1001 (Integer)

F5-F5OS-GID = 9000 (Integer)

F5-F5OS-SHELL = /var/lib/controller/ (string)

Somehow I found that I cannot edit syntax for these custom attributes anymore!

is there any solution to modify these custom attributes?

Answer 1

Hello Muhammad Shiraz AlamKhan,

Thank you for posting in Microsoft Community forum.

In my test lab, I checked the Syntax on one attribute.

I find if we selected one Syntax when we create a new Attribute, it will generate a Syntax value for the same Syntax type.

And we cannot change the Syntax type and attributeSyntax for one created attribute.

For example:

If we select Distinguished Name as Syntax. It will generate 2.5.5.1=(DISTNAME) as attributeSyntax.

Based on "Now I received the values for these custom attributes for the user account", as I understand, for the created attribute, after you link it to one AD object, if you do not edit this attribute on specific AD object, there will be no value for this attribute on specific AD object.

Do you mean it is attributeSyntax for the three attributes instead of value of attribute are below?

F5-F5OS-UID = 1001 (Integer)

F5-F5OS-GID = 9000 (Integer)

F5-F5OS-SHELL = /var/lib/controller/ (string)

If so, I am afraid you may need to create the three attributes above again and then select correct Syntax.

I hope the information above is helpful.

If you have any question or concern, please feel free to let us know.

Best Regards,
Daisy Zhou

Answer 2

Modifying the syntax of a custom attribute in Active Directory can be a challenging endeavor, as once set, these attributes are typically not editable. However, there are viable workarounds to achieve your desired changes.

Firstly, you can create entirely new custom attributes with the correct syntax, which entails defining these new attributes and migrating data from the old ones. Another approach involves attribute value transformation, utilizing scripting or specialized tools to modify the values within the existing attributes to align them with the desired syntax.

Alternatively, you can consider a backup and restore method where you export the user attributes, delete and recreate the attributes with the correct syntax, and then restore the values. If you've enabled the Active Directory Recycle Bin, you also have the option to delete the attributes and subsequently recover them with the corrected syntax.

However, it's crucial to exercise extreme caution when making any changes to the Active Directory schema. Always ensure you have robust backups in place and establish a test environment for conducting schema modifications safely.

It's advisable to consult with your Active Directory administrator or seek guidance from Microsoft support, especially if your Active Directory setup is complex or unique, to ensure the most suitable approach for your specific needs.

Answer 3

Hi Flowace,

Thank you for your post. How does one delete an attribute? Do you have a link to the script/tool for modifying syntax?

Answer 4

I'm having the same issue with incorrect syntax. So, I tried to remove the custom attributes I created but it's not letting me delete them. The error I get is "The requested delete operation could not be performed."

The following is the command I tried.

Remove-ADObject -Identity 'CN=JobTitleArabic,CN=Schema,CN=Configuration,DC=EBLA,DC=local'