Jorge's Quest For Knowledge!

All You Need To Know About Identity And Security On-Premises And In The Cloud. It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2014-12-23) Finding Attributes Marked As Constructed

Posted by Jorge on 2014-12-23


When an attribute is defined with bit 2^2 (=4) set in its systemFlags property, the attribute is marked as constructed. This means the data is not actually stored in AD; it is calculated on the fly when the attribute is queried. The data in these attributes can only be retrieved with base searches. It cannot be retrieved with onelevel or subtree searches.

ADFIND

ADFIND -h RFSRWDC1.ADCORP.LAB -schema -f "(&(objectClass=attributeSchema)(systemFlags:1.2.840.113556.1.4.803:=4))" -dn

OR

ADFIND -h RFSRWDC1.ADCORP.LAB -bit -schema -f "(&(objectClass=attributeSchema)(systemFlags:AND:=4))" -dn

OR

ADFIND -sc CONSTRUCTED -dn (sorted output: ADFIND -sc CONSTRUCTEDL -dn)


Figure 1: Example Output

AD PoSH Module

Get-ADObject -Server RFSRWDC1.ADCORP.LAB -SearchBase $((Get-ADRootDSE).schemaNamingContext) -LDAPFilter "(&(objectClass=attributeSchema)(systemFlags:1.2.840.113556.1.4.803:=4))" | %{$_.DistinguishedName}

ADSI Through PoSH

$targetDC = "RFSRWDC1.ADCORP.LAB"
# Read the schema naming context from the RootDSE of the target DC
$rootDSE = [ADSI]"LDAP://$targetDC/RootDSE"
$schemaNamingContext = $rootDSE.schemaNamingContext
# Search the schema partition on that DC
$search = New-Object DirectoryServices.DirectorySearcher
$search.SearchRoot = [ADSI]"LDAP://$targetDC/$schemaNamingContext"
# Bitwise AND match on bit 4 of systemFlags (constructed attributes)
$search.Filter = "(&(objectClass=attributeSchema)(systemFlags:1.2.840.113556.1.4.803:=4))"
$search.FindAll() | %{$_.Properties.distinguishedname}

PS: Replace the FQDN of the DC with your own

PS: the opposite of this query can be found by replacing (systemFlags:1.2.840.113556.1.4.803:=4) with (!(systemFlags:1.2.840.113556.1.4.803:=4))

PS: And yes, some constructed attributes can be retrieved when not using base LDAP queries. Examples are: msDS-ResultantPSO and msDS-PrincipalName
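
The following is an added example, not part of the original post: it emulates on the client what the bitwise AND matching rule in the filters above evaluates, decodes the low systemFlags bits, and shows why the negated filter from the PS note also matches attributes that have no systemFlags value at all. The function names and sample rows are constructed for illustration; the flag names follow MS-ADTS.

```powershell
# Added example; the sample rows below are constructed, not read from a real schema.
# Low-order systemFlags bits on attributeSchema objects, named as in MS-ADTS.
$SystemFlagNames = @(
    @{ Bit = 0x01; Name = 'FLAG_ATTR_NOT_REPLICATED' }
    @{ Bit = 0x02; Name = 'FLAG_ATTR_REQ_PARTIAL_SET_MEMBER' }
    @{ Bit = 0x04; Name = 'FLAG_ATTR_IS_CONSTRUCTED' }
    @{ Bit = 0x08; Name = 'FLAG_ATTR_IS_OPERATIONAL' }
    @{ Bit = 0x10; Name = 'FLAG_SCHEMA_BASE_OBJECT' }
    @{ Bit = 0x20; Name = 'FLAG_ATTR_IS_RDN' }
)

function Test-LdapBitAnd {
    # Emulates matching rule 1.2.840.113556.1.4.803: true only when every bit
    # of $Mask is set in $Value. An absent value never matches the rule.
    param($Value, [int]$Mask)
    if ($null -eq $Value) { return $false }
    return (([int]$Value -band $Mask) -eq $Mask)
}

function ConvertFrom-AttrSystemFlags {
    # Turns a systemFlags integer into flag names; unnamed high bits are shown as hex.
    param($Value)
    if ($null -eq $Value) { return '<not set>' }
    $names = @(foreach ($f in $SystemFlagNames) { if ([int]$Value -band $f.Bit) { $f.Name } })
    $rest = [int]$Value -band (-bnot 0x3F)
    if ($rest) { $names += ('0x{0:X8}' -f $rest) }
    return ($names -join ' | ')
}

# Constructed sample rows. For live data (assumes the ActiveDirectory module), pipe in:
# Get-ADObject -SearchBase (Get-ADRootDSE).schemaNamingContext -LDAPFilter '(objectClass=attributeSchema)' -Properties systemFlags,searchFlags
$sample = @(
    [pscustomobject]@{ Name = 'tokenGroups';        systemFlags = 134217748; searchFlags = 0 }
    [pscustomobject]@{ Name = 'msDS-PrincipalName'; systemFlags = 20;        searchFlags = 0 }
    [pscustomobject]@{ Name = 'displayName';        systemFlags = 16;        searchFlags = 5 }
    [pscustomobject]@{ Name = 'exampleCustomAttr';  systemFlags = $null;     searchFlags = 1 }
)

# MatchesNegated is true for exampleCustomAttr: no systemFlags value, so the AND rule fails.
# SearchFlagsBit4 is a different flag (fANR), which is why searchFlags returns displayName.
$sample | Select-Object Name,
    @{ n = 'Constructed';     e = { Test-LdapBitAnd $_.systemFlags 4 } },
    @{ n = 'MatchesNegated';  e = { -not (Test-LdapBitAnd $_.systemFlags 4) } },
    @{ n = 'SearchFlagsBit4'; e = { Test-LdapBitAnd $_.searchFlags 4 } },
    @{ n = 'Decoded';         e = { ConvertFrom-AttrSystemFlags $_.systemFlags } } |
    Format-Table -AutoSize
```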

More information:

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————

3 Responses to “(2014-12-23) Finding Attributes Marked As Constructed”

  1. joe said

    adfind -sc constructedl

  2. Yves St-Cyr said

    Jorge,

    Did you mean to say (&(objectClass=attributeSchema)(systemFlags:1.2.840.113556.1.4.803:=4)) ?

    As far as I am concerned, the attributes returned by searchFlags:1.2.840.113556.1.4.803:=4 are not constructed. Look at your output, Display-Name is constructed?

    • Jorge said

      Good catch. You are correct. It should be systemFlags instead of searchFlags. Blog post has been updated!
      Thanks again!
