question

Zoddo avatar image
0 Votes"
Zoddo asked DaisyZhou-MSFT commented

Set linkID on custom Schema attributes

Hello,

We want to add linked attributes in our Active Directory Schema.
I've found some documentation here and here.

However, while doing some tests in a lab environnement, I was unable to set the linkID attribute on my newly created attribute. It seems to be read-only.
90362-image.png
(the button on bottom left says "Show" instead of "Edit")

I'm logged in with the builtin Administrator account which is a schema administrator, and the mmc is started as administrator on the only DC of this lab.
Security permissions shows that Schema Administrators should be able to write the linkID attribute.

So, how can I create these linked attributes? Am I missing something ?


windows-active-directory
image.png (10.8 KiB)
· 1
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Hello @Zoddo,
How are things going on your end? Please keep me posted on this issue.
If you have any further questions or concerns about this question, please let us know.
I appreciate your time and efforts.

Best Regards,
Daisy Zhou

0 Votes 0 ·
DaisyZhou-MSFT avatar image
0 Votes"
DaisyZhou-MSFT answered DaisyZhou-MSFT edited

Hello @Zoddo,

Thank you for posting here.

Based on the screenshot above, what object Properties it is?

I have done a test in my lad.

1-I linked the linkID attribute to user object class manually.
90548-att2.png

2-Then I open a user Properties and edit linkID, I can not edit it, either.

90613-att3.png

Tip:I only have one DC(PDC) and i am the built-in Domain Administrator.

3-I have checked from the link you provided, the linkID attribute is the default attribute of attributeSchema class.

90525-att1.png

We can try to edit this attribute value on one AD object corresponding to attributeSchema class.
Such as user class (one AD user named Daisy22).


Hope the information above is helpful.

Should you have any question or concern, please feel free to let us know.

Best Regards,
Daisy Zhou



============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.


att2.png (39.0 KiB)
att3.png (91.2 KiB)
att1.png (25.4 KiB)
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Zoddo avatar image
0 Votes"
Zoddo answered DaisyZhou-MSFT commented

It's on the object representing the custom schema attribute I've created.

The attribute was created in the "Active Directory Schema" snap-in:
90757-h7n5sabsig.png

Then I'm trying to set the value from the ADSI Editor (attribute editor tab isn't accessible from the schema snap-in itself):
90758-tmzdwpb4cj.png



h7n5sabsig.png (42.1 KiB)
tmzdwpb4cj.png (59.1 KiB)
· 1
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Hello @Zoddo,
Thank you for your update.

I can not find PrimaryAccount in my lab, is the attribute your custom attribute?

91559-pri1.png

Best Regards,
Daisy Zhou


0 Votes 0 ·
pri1.png (43.5 KiB)
Zoddo avatar image
0 Votes"
Zoddo answered

Hello @DaisyZhou-MSFT,

Yes, PrimaryAccount is my custom attribute.
Sorry if it wasn't clear.

Best Regards

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

DaisyZhou-MSFT avatar image
0 Votes"
DaisyZhou-MSFT answered Zoddo edited

Hello @Zoddo,

Thank you for your update.

I have discussed with my colleague, we can not edit/set the attribute value of the linkID.
We can run command to check:

 Get-ADObject -SearchBase (Get-ADRootDSE).SchemaNamingContext -LDAPFilter "(LinkID=*)"  -Properties LinkID,LDAPDisplayname | Get-Member

92563-obj1.png

We can only get the attribute value of the linkID for the following class objects, run command:

 Get-ADObject -SearchBase (Get-ADRootDSE).SchemaNamingContext -LDAPFilter "(LinkID=*)"  -Properties LinkID,LDAPDisplayname

92592-lin1.png


92574-link2.png


Hope the information above is helpful.

Should you have any question or concern, please feel free to let us know.

Best Regards,
Daisy Zhou



============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.




get.png (85.5 KiB)
lin1.png (158.4 KiB)
link2.png (54.6 KiB)
obj1.png (121.9 KiB)
· 1
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Your response confuse me as the following docs suggest that we can create additional linked attributes:
- https://docs.microsoft.com/en-us/windows/win32/ad/linked-attributes
- https://docs.microsoft.com/en-us/windows/win32/ad/obtaining-a-link-id

Even in this third-party book, it seems the author managed to create them: https://flylib.com/books/en/1.434.1/modeling_one_to_many_and_many_to_many_relationships.html


By the way, there is applications in the wild that add linked attributes in the AD schema (i.e. Exchange, to mention a Microsoft's product). These attributes are not built in Active Directory, and are added upon installation of these applications. So, I'm almost certain that there is a way to set the linkID attribute.

0 Votes 0 ·
DaisyZhou-MSFT avatar image
0 Votes"
DaisyZhou-MSFT answered DaisyZhou-MSFT edited

Hello @Zoddo,

Thank you for your update.

Based on my knowledge, not all attributes can be set/edit.

One of the link you provided is "Obtaining a Link ID".

I am sorry, I do not know how to edit it.

Meanwhile, the class with linkID value can not be edit, either.
92815-link.png


From the link you provided, I can see:

The system will automatically generate a link ID for a new linked attribute when the attribute's linkID attribute is set to 1.2.840.113556.1.2.50.

The linkID values must be unique among all attributeSchema objects. To avoid conflicts, you should auto-generate the linkID by following the instructions in the topic Obtaining a Link ID.


Hope the information above is helpful.

Should you have any question or concern, please feel free to let us know.

Best Regards,
Daisy Zhou



============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.




link.png (18.6 KiB)
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.