I've lost count of just how many blog posts have their origin in a customer question. Here's another:
"How do you use PowerShell to get a list of what attributes *could* be populated on an AD user object?"
A magnificent question!
The customer was unsure why some properties would appear as empty and others would not appear at all when asking for -Properties *. Without searching online documentation, how would they have known that adminCount, for example, existed, as it only showed in the list of returned properties when actually populated?
In a couple of minutes I threw this together:
# Read the User class definition from the schema partition and merge its two optional-attribute lists
Get-ADObject -SearchBase (Get-ADRootDSE).SchemaNamingContext -Filter {name -like "User"} -Properties MayContain,SystemMayContain |
Select-Object @{n="Attributes";e={$_.maycontain + $_.systemmaycontain}} |
Select-Object -ExpandProperty Attributes |
Sort-Object
The User class in the Active Directory schema has a couple of properties we can use to examine its attributes - MayContain, SystemMayContain. The above one-liner grabs both of these and combines them into a single property that we then sort on to display our list of possible attributes.
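The one-liner reads only the User class object itself, while User also inherits attributes from its parent classes (subClassOf) and its auxiliary classes. The following added example (not part of the original post) goes beyond the one-liner and walks that hierarchy, also collecting the mandatory MustContain and SystemMustContain lists; the function name Get-ADClassAttribute is a hypothetical helper, and the ActiveDirectory module is assumed to be installed.

```powershell
# Added example: enumerate every attribute a class can hold, including inherited ones.
# Get-ADClassAttribute is a hypothetical helper name, not a built-in cmdlet.
Import-Module ActiveDirectory

function Get-ADClassAttribute {
    param([string]$ClassName = 'user')   # lDAPDisplayName of the starting class

    $schemaNC = (Get-ADRootDSE).SchemaNamingContext
    $lists    = 'mayContain','systemMayContain','mustContain','systemMustContain'
    $links    = 'subClassOf','auxiliaryClass','systemAuxiliaryClass'
    $seen     = New-Object 'System.Collections.Generic.HashSet[string]'
    $queue    = New-Object 'System.Collections.Generic.Queue[string]'
    $queue.Enqueue($ClassName)

    while ($queue.Count -gt 0) {
        $current = $queue.Dequeue()
        # Add() returns $false for a class already visited; "top" lists itself
        # as its own parent, so this check is what ends the walk.
        if (-not $seen.Add($current.ToLower())) { continue }

        $class = Get-ADObject -SearchBase $schemaNC `
            -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=$current))" `
            -Properties ($lists + $links)
        if (-not $class) { continue }

        # Emit one record per attribute, noting which class defines it and how.
        foreach ($list in $lists) {
            foreach ($attr in $class.$list) {
                [pscustomobject]@{ Attribute = $attr; DefinedOn = $current; Source = $list }
            }
        }

        # Queue the parent class and any auxiliary classes for the same treatment.
        foreach ($link in $links) {
            foreach ($next in $class.$link) {
                if ($next) { $queue.Enqueue($next) }
            }
        }
    }
}

Get-ADClassAttribute -ClassName 'user' |
    Sort-Object Attribute -Unique |
    Format-Table Attribute, DefinedOn, Source
```

The DefinedOn column shows which class in the chain contributes each attribute, which is useful when reviewing which attributes an account could carry before deciding what to audit.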
One final piece of the puzzle: there are more attributes available... these aren't defined in the schema; rather, they are created programmatically when you ask for them. Here's how to list constructed attributes:
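# 1.2.840.113556.1.4.803 is the bitwise AND matching rule; systemFlags bit 4 marks an attribute as constructed
Get-ADObject -SearchBase (Get-ADRootDSE).SchemaNamingContext -LDAPFilter '(systemFlags:1.2.840.113556.1.4.803:=4)' -Properties systemFlags |
Select-Object Name |
Sort-Object Name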