Share via


One-Liner: Query the AD Schema for User Object Attributes

I've lost count of just how many blog posts have their origin in a customer question. Here's another:

 

"How do you use PowerShell to get a list of what attributes *could* be populated on an AD user object?"

 

A magnificent question!

 

The customer was unsure as to why some properties would appear as empty and other not appear at all when asking for -Properties * . Without searching online documentation, how would they have know that adminCount, for example, existed, as it only showed in the list of returned properties when actually populated.

In a couple of minutes I threw this together:

 

 
Get-ADObject -SearchBase (Get-ADRootDSE).SchemaNamingContext -Filter {name -like "User"} -Properties MayContain,SystemMayContain |
Select-Object @{n="Attributes";e={$_.maycontain + $_.systemmaycontain}} | 
Select-Object -ExpandProperty Attributes |
Sort-Object

 

The User class in the Active Directory schema has a couple of properties we can use to examine its attributes - MayContain, SystemMayContain. The above one-liner grabs both of these and combines them into a single property that we then sort on to display our list of possible attributes.

 

 

One final piece of the puzzle: there are more attributes available... these aren't defined in the schema, rather, these are cdreated programmatically when you ask for them. Here's how to list constructed attributes:

 

 
Get-ADObject -SearchBase (Get-ADRootDSE).SchemaNamingContext -ldapfilter '(systemFlags:1.2.840.113556.1.4.803:=4)' -Properties systemFlags |
Select-Object Name |
Sort-Object Name