Jorge's Quest For Knowledge!

All You Need To Know About Identity And Security On-Premises And In The Cloud. It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2009-08-05) Attribute Names In AD And How These Are Displayed

Posted by Jorge on 2009-08-05


As you may know by now, AD has tons of attributes that store all kinds of information. Each attribute has several names, and they are used in different places. The most interesting one is the "lDAPDisplayName" property of the attribute, which is the name you use for example when:

  • Manipulating that attribute, such as adding/removing/updating values, through LDAP tools such as LDP, ADFIND/ADMOD, etc.
  • Configuring permissions for delegation through the use of for example DSACLS
  • Configuring permissions for delegation through the SECURITY tab of an object
  • Configuring permissions for delegation through the Delegation Of Control Wizard

Especially with the last two options it can be quite a challenge, because an attribute is not always listed: "Active Directory Users and Computers (ADUC)" filters some attributes out. To make sure an attribute is no longer filtered and shows up in those two options, follow the procedure in "How to modify the filtered properties of an object". Examples of attributes that are filtered are "pwdLastSet", "physicalDeliveryOfficeName", "mail", etc. Be aware that which attributes are shown or hidden may differ per operating system. For example, "pwdLastSet" is not shown by default in W2K, but it is in W2K3 and later.

Interestingly, some attributes are not filtered by default, yet you still may not find them right away under their lDAPDisplayName. Examples are "sAMAccountName" and "userPrincipalName". Another scenario: after disabling filtering for "physicalDeliveryOfficeName" and "mail" you still cannot find them under their lDAPDisplayName. So what's up with this?

So try this yourself. For "physicalDeliveryOfficeName" and "mail", edit DSSEC.DAT (%SystemRoot%\System32\dssec.dat on the machine running ADUC, in the [user] section, according to "How to modify the filtered properties of an object") so that it contains 'physicalDeliveryOfficeName=0' and 'mail=0' (a value of 7 hides the attribute, 0 shows it), and then close and reopen ADUC.

Now try to find the attributes to delegate permissions on that have the following lDAPDisplayName:

  • lDAPDisplayName=physicalDeliveryOfficeName
  • lDAPDisplayName=mail
  • lDAPDisplayName=sAMAccountName
  • lDAPDisplayName=userPrincipalName
  • lDAPDisplayName=cn
  • lDAPDisplayName=name

You will not find these under their lDAPDisplayName (except for the last one, which is listed as-is), but you will find something like this instead (remember: this may depend on the OS!):

  • lDAPDisplayName=physicalDeliveryOfficeName –> attributeDisplayName=Office Location
  • lDAPDisplayName=mail –> attributeDisplayName=E-Mail Address
  • lDAPDisplayName=sAMAccountName –> attributeDisplayName=Logon Name (pre-Windows 2000)
  • lDAPDisplayName=userPrincipalName –> attributeDisplayName=Logon Name
  • lDAPDisplayName=cn –> attributeDisplayName=Name (the one with the uppercase N)
  • lDAPDisplayName=name –> attributeDisplayName=NOT APPLICABLE

Let’s check the schema definition of the attribute with property: lDAPDisplayName=physicalDeliveryOfficeName

[RFSRWDC1] C:>adfind -schema -f "lDAPDisplayName=physicalDeliveryOfficeName"

AdFind V01.40.00cpp Joe Richards (joe@joeware.net) February 2009

Using server: RFSRWDC1.ADCORP.LAB:389
Directory: Windows Server 2008
Base DN: CN=Schema,CN=Configuration,DC=ADCORP,DC=LAB

dn:CN=Physical-Delivery-Office-Name,CN=Schema,CN=Configuration,DC=ADCORP,DC=LAB
>objectClass: top
>objectClass: attributeSchema
>cn: Physical-Delivery-Office-Name
>distinguishedName: CN=Physical-Delivery-Office-Name,CN=Schema,CN=Configuration,DC=ADCORP,DC=LAB
>instanceType: 4
>whenCreated: 20051109234235.0Z
>whenChanged: 20081229200942.0Z
>uSNCreated: 6686
>attributeID: 2.5.4.19
>attributeSyntax: 2.5.5.12
>isSingleValued: TRUE
>rangeLower: 1
>rangeUpper: 128
>mAPIID: 14873
>uSNChanged: 6686
>showInAdvancedViewOnly: TRUE
>adminDisplayName: Physical-Delivery-Office-Name
>adminDescription: Physical-Delivery-Office-Name
>oMSyntax: 64
>searchFlags: 5
>lDAPDisplayName: physicalDeliveryOfficeName
>name: Physical-Delivery-Office-Name
>objectGUID: {C935B42E-37AB-45F5-BFF2-16F249A151EA}
>schemaIDGUID: {BF9679F7-0DE6-11D0-A285-00AA003049E2}
>attributeSecurityGUID: {77B5B886-944A-11D1-AEBD-0000F80367C1}
>systemOnly: FALSE
>systemFlags: 16
>isMemberOfPartialAttributeSet: TRUE
>objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=ADCORP,DC=LAB
>dSCorePropagationData: 16010101000000.0Z

1 Objects returned

05-Aug-2009 22:35:25.76

[RFSRWDC1] C:>

As you can see, "Office Location" appears nowhere in the attributeSchema object: the schema knows this attribute only by its cn, adminDisplayName, name and lDAPDisplayName.

So where does this information come from? It is stored in the Configuration naming context, under CN=DisplaySpecifiers, in one container per language code (the locale ID in hex; 409 is English (United States)), and each of those containers holds one displaySpecifier object per object class. So let's get the properties of the "user-Display" object for language code 409.

[RFSRWDC1] C:>adfind -config -rb "CN=user-Display,CN=409,CN=DisplaySpecifiers"

AdFind V01.40.00cpp Joe Richards (joe@joeware.net) February 2009

Using server: RFSRWDC1.ADCORP.LAB:389
Directory: Windows Server 2008
Base DN: CN=user-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=ADCORP,DC=LAB

dn:CN=user-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=ADCORP,DC=LAB
>objectClass: top
>objectClass: displaySpecifier
>cn: user-Display
>distinguishedName: CN=user-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=ADCORP,DC=LAB
>instanceType: 4
>whenCreated: 20080907011315.0Z
>whenChanged: 20081229201004.0Z
>uSNCreated: 10090
>uSNChanged: 10090
>showInAdvancedViewOnly: TRUE
>name: user-Display
>objectGUID: {1BE87DC8-D018-46E5-A02F-FAFE22C62ACA}
>contextMenu: 0,{62AE1F9A-126A-11D0-A14B-0800361B1103}
>adminPropertyPages: 11,{c7436f12-a27f-4cab-aaca-2bd27ed1b773}
>adminPropertyPages: 10,{4c796c30-f96b-11d2-ac78-0008c7726cf7}
>adminPropertyPages: 100,{AB255F23-2DBD-4bb6-891D-38754AC280EF}
>adminPropertyPages: 99,{D405D7D3-DB8F-420e-9D59-AB62514597A3}
>adminPropertyPages: 9,{FA3E1D55-16DF-446d-872E-BD04D4F39C93}
>adminPropertyPages: 8,{0910dd01-df8c-11d1-ae27-00c04fa35813}
>adminPropertyPages: 7,{8c5b1b50-d46e-11d1-8091-00a024c48131}
>adminPropertyPages: 6,{4E40F770-369C-11d0-8922-00A024AB2DBB}
>adminPropertyPages: 5,{6dfe6488-a212-11d0-bcd5-00c04fd8d5b6}
>adminPropertyPages: 4,{FD57D295-4FD9-11D1-854E-00C04FC31FD3}
>adminPropertyPages: 3,{B52C1E50-1DD2-11D1-BC43-00C04FC31FD3}
>adminPropertyPages: 1,{6dfe6485-a212-11d0-bcd5-00c04fd8d5b6}
>shellPropertyPages: 2,{dde2c5e9-c8ae-11d0-bcdb-00c04fd8d5b6}
>shellPropertyPages: 1,{f5d121ed-c8ac-11d0-bcdb-00c04fd8d5b6}
>classDisplayName: User
>adminContextMenu: 100,{AB255F23-2DBD-4bb6-891D-38754AC280EF}
>adminContextMenu: 2,{f27de543-395d-4151-8e7d-834f06200ae5}
>adminContextMenu: 1,{08eb4fa6-6ffd-11d1-b0e0-00c04fd8dca6}
>attributeDisplayNames: distinguishedName,Distinguished Name
>attributeDisplayNames: mSDS-PhoneticLastName,Phonetic Last Name
>attributeDisplayNames: mSDS-PhoneticFirstName,Phonetic First Name
>attributeDisplayNames: mSDS-PhoneticDisplayName,Phonetic Display Name
>attributeDisplayNames: mSDS-PhoneticDepartment,Phonetic Department
>attributeDisplayNames: mSDS-PhoneticCompanyName,Phonetic Company Name
>attributeDisplayNames: msRTCSIP-PrimaryHomeServer,Office Communications Server
>attributeDisplayNames: msRTCSIP-UserEnabled,Enabled for Office Communications Server
>attributeDisplayNames: msRTCSIP-PrimaryUserAddress,Office Communications Server Address
>attributeDisplayNames: wWWHomePage,Web Page Address
>attributeDisplayNames: userPrincipalName,Logon Name
>attributeDisplayNames: userWorkstations,Logon Workstations
>attributeDisplayNames: displayName,Display Name
>attributeDisplayNames: url,Web Page Address (Others)
>attributeDisplayNames: title,Job Title
>attributeDisplayNames: telexNumber,Telex Number (Others)
>attributeDisplayNames: telephoneNumber,Telephone Number
>attributeDisplayNames: streetAddress,Street Address
>attributeDisplayNames: st,State/Province
>attributeDisplayNames: sn,Last Name
>attributeDisplayNames: samAccountName,Logon Name (pre-Windows 2000)
>attributeDisplayNames: primaryTelexNumber,Telex Number
>attributeDisplayNames: primaryInternationalISDNNumber,International ISDN Number
>attributeDisplayNames: postOfficeBox,Post Office Box
>attributeDisplayNames: postalCode,ZIP/Postal Code
>attributeDisplayNames: physicalDeliveryOfficeName,Office Location
>attributeDisplayNames: personalTitle,Title
>attributeDisplayNames: pager,Pager Number
>attributeDisplayNames: otherTelephone,Phone Number (Others)
>attributeDisplayNames: otherPager,Pager Number (Others)
>attributeDisplayNames: otherMobile,Mobile Number (Others)
>attributeDisplayNames: otherMailbox,E-Mail Address (Others)
>attributeDisplayNames: otherIpPhone,IP Phone Number (Others)
>attributeDisplayNames: otherHomePhone,Home Phone Number (Others)
>attributeDisplayNames: otherFacsimileTelephoneNumber,Fax Number (Others)
>attributeDisplayNames: info,Notes
>attributeDisplayNames: mobile,Mobile Number
>attributeDisplayNames: middleName,Middle Name
>attributeDisplayNames: memberOf,Member Of
>attributeDisplayNames: manager,Manager
>attributeDisplayNames: mail,E-Mail Address
>attributeDisplayNames: l,City
>attributeDisplayNames: ipPhone,IP Phone Number
>attributeDisplayNames: internationalISDNNumber,International ISDN Number (Others)
>attributeDisplayNames: initials,Initials
>attributeDisplayNames: homePostalAddress,Home Address
>attributeDisplayNames: homePhone,Home Phone
>attributeDisplayNames: homeDrive,Home Drive
>attributeDisplayNames: homeDirectory,Home Folder
>attributeDisplayNames: givenName,First Name
>attributeDisplayNames: generationQualifier,Generational Suffix
>attributeDisplayNames: facsimileTelephoneNumber,Fax Number
>attributeDisplayNames: employeeID,Employee ID
>attributeDisplayNames: division,Division
>attributeDisplayNames: directReports,Direct Reports
>attributeDisplayNames: description,Description
>attributeDisplayNames: department,Department
>attributeDisplayNames: company,Company
>attributeDisplayNames: comment,Comment
>attributeDisplayNames: co,Country
>attributeDisplayNames: c,Country Abbreviation
>attributeDisplayNames: cn,Name
>attributeDisplayNames: assistant,Assistant
>objectCategory: CN=Display-Specifier,CN=Schema,CN=Configuration,DC=ADCORP,DC=LAB
>treatAsLeaf: TRUE
>dSCorePropagationData: 16010101000000.0Z
>adminMultiselectPropertyPages: 1,{50d30564-9911-11d1-b9af-00c04fd8d5b0}

1 Objects returned

05-Aug-2009 22:41:07.64

[RFSRWDC1] C:>

Now for the following list, look at the attributeDisplayNames values above (each value has the form "lDAPDisplayName,display name") to see the mapping between 'lDAPDisplayName' and the 'attributeDisplayName' the GUI shows:

  • lDAPDisplayName=physicalDeliveryOfficeName –> attributeDisplayName=Office Location
  • lDAPDisplayName=mail –> attributeDisplayName=E-Mail Address
  • lDAPDisplayName=sAMAccountName –> attributeDisplayName=Logon Name (pre-Windows 2000)
  • lDAPDisplayName=userPrincipalName –> attributeDisplayName=Logon Name
  • lDAPDisplayName=cn –> attributeDisplayName=Name (the one with the uppercase N)
  • lDAPDisplayName=name –> attributeDisplayName=NOT APPLICABLE (no mapping, so it is listed under its lDAPDisplayName)

So if you are delegating permissions and cannot find an attribute, check the following, in this order:

  • Is it filtered by ADUC? If so, unfilter it as described in "How to modify the filtered properties of an object".
  • Is it not filtered by ADUC (or already unfiltered) and you still cannot find it? Then look up the attributeDisplayNames mapping for that attribute in the display specifier of the class, as shown above, and search for that name instead.
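The two checks above, as one added PowerShell example. This is not code from the original post: the function name Resolve-AdAttributeDisplay, its parameters, the use of the RSAT ActiveDirectory module and the default dssec.dat path are my assumptions. For each lDAPDisplayName it confirms the attribute exists in the schema, reads the dssec.dat entry for the class, and looks up the display specifier of the class for the UI locale of the current session:

```powershell
<#
 Added example (not from the original post). Assumes a domain-joined machine with the
 RSAT ActiveDirectory module, read access to the Schema and Configuration partitions,
 and dssec.dat in its default location. The function and parameter names are my own.
#>
function Resolve-AdAttributeDisplay {
    [CmdletBinding()]
    param(
        # the attributes discussed in the post, plus pwdLastSet as an example of a filtered one
        [string[]] $Attribute = @('physicalDeliveryOfficeName', 'mail', 'sAMAccountName',
                                  'userPrincipalName', 'cn', 'name', 'pwdLastSet'),
        [string] $Class     = 'user',                              # schema class and [section] in dssec.dat
        [string] $DssecPath = "$env:SystemRoot\System32\dssec.dat", # per-machine: the box running ADUC matters
        [string] $Server    = ''
    )

    Import-Module ActiveDirectory -ErrorAction Stop
    $adArgs = @{}
    if ($Server) { $adArgs.Server = $Server }

    $rootDse  = Get-ADRootDSE @adArgs
    $configNC = $rootDse.configurationNamingContext
    $schemaNC = $rootDse.schemaNamingContext

    # Display specifiers live under CN=DisplaySpecifiers in the Configuration NC: one
    # container per locale ID in hex (en-US = 0x0409 -> "409"), one object per class.
    $lcid   = '{0:x}' -f (Get-UICulture).LCID
    $specDn = "CN=${Class}-Display,CN=$lcid,CN=DisplaySpecifiers,$configNC"
    $spec   = Get-ADObject @adArgs -Identity $specDn -Properties attributeDisplayNames

    # Each attributeDisplayNames value is "<lDAPDisplayName>,<friendly name>". A @{}
    # hashtable has case-insensitive keys, which matters because the specifier spells
    # it "samAccountName" while the schema says "sAMAccountName".
    $friendlyName = @{}
    foreach ($value in $spec.attributeDisplayNames) {
        $ldapName, $friendly = $value -split ',', 2
        $friendlyName[$ldapName.Trim()] = $friendly.Trim()
    }

    # dssec.dat is INI-style: one [class] section per object class; "attr=7" hides the
    # attribute in ADUC, "attr=0" shows it; attributes not listed are not filtered.
    $dssec = @{}
    if (Test-Path -LiteralPath $DssecPath) {
        $section = $null
        foreach ($line in Get-Content -LiteralPath $DssecPath) {
            if ($line -match '^\s*\[(.+?)\]\s*$') { $section = $Matches[1]; continue }
            if ($section -eq $Class -and $line -match '^\s*([^=;\s]+)\s*=\s*(\d+)') {
                $dssec[$Matches[1]] = [int]$Matches[2]
            }
        }
    }

    foreach ($name in $Attribute) {
        # Confirm the name really is an attribute, by its lDAPDisplayName, in the schema.
        $schemaObj = Get-ADObject @adArgs -SearchBase $schemaNC -SearchScope OneLevel `
            -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$name))" `
            -Properties lDAPDisplayName

        $dssecValue = $dssec[$name]
        $shownAs = $name   # no mapping in the display specifier: the ACL UI lists the lDAPDisplayName itself
        if ($friendlyName.ContainsKey($name)) { $shownAs = $friendlyName[$name] }

        [pscustomobject]@{
            LdapDisplayName = $name
            InSchema        = [bool]$schemaObj
            DssecValue      = $dssecValue
            FilteredByAduc  = ($null -ne $dssecValue -and $dssecValue -ne 0)
            ShownInAclUiAs  = $shownAs
        }
    }
}

Resolve-AdAttributeDisplay | Format-Table -AutoSize
```

Two things to keep in mind when reading the output: dssec.dat is read from the workstation on which ADUC runs, not from the DC, so run this where the delegation is actually being done; and the display names come from the specifier matching the admin's UI locale, so an admin on a German UI sees the names from CN=407, not CN=409.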

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge's Quest For Knowledge #############
######### http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

2 Responses to “(2009-08-05) Attribute Names In AD And How These Are Displayed”

  1. Hi Jorge,

    There is a document on the MS site by the name “Active_Directory_Delegation_Appendices”, in which Appendix H: Active Directory Display Name Mappings gives the class / attribute display mapping.
    Not all LDAP DisplayNames are viewable (DisplayName), right?

    In order to view an attribute in any console, do we need to modify the x.409 display specifier @ “CN=409,CN=DisplaySpecifiers,CN=Configuration,CN=Domain,CN=com”?

    I am asking this question because in one of our environments we modified the schema and added 10 different attributes for user, which need to flow via MIIS to different apps and directories.
    Is there a way to make them available visually by creating another tab, or on an existing one, in the user properties page?

    Jagadeesh

  2. Jorge said

    If you want to VIEW other attributes in ADUC, you need to extend that MMC by creating your own DLL. OR you can use a script that can be called through the admincontext of a user. OR use a Windows Server 2008 box and you will be able to use the new ATTRIBUTE EDITOR tab in ADUC
