Active Directory fun: How to verify the presence of an attribute in your schema

Alerted by an old net.friend The Cerebrate via his blog, I was stunned to discover that the Windows Server 2003 flavor of the Active Directory schema seems to include an attribute named drink, which is meant to store a person or object’s favorite drink.

I confirmed that this attribute is at least present in the MSDN docs. But does it actually reside in Windows Server 2003? Which leads us to the main question — how does one go about finding out whether a given object or attribute exists in the AD schema?

So, I fired up LDP (although you can use ADSIEdit too, and probably should, since it’s very easy to use LDP to mess up AD — and whichever tool you use, make sure you’re not using an account with write access) and headed over to the schema naming context (CN=Schema,CN=Configuration,DC=domain,DC=rootdomain,DC=tld) for a quick look-see. Lo and behold:

Expanding base 'CN=drink,CN=Schema,CN=Configuration,DC=domain,DC=rootdomain,DC=tld'...
Result <0>: (null)
Matched DNs: 
Getting 1 entries:
>> Dn: CN=drink,CN=Schema,CN=Configuration,DC=domain,DC=rootdomain,DC=tld
	2> objectClass: top; attributeSchema; 
	1> cn: drink; 
	1> distinguishedName: CN=drink,CN=Schema,CN=Configuration,DC=domain,DC=rootdomain,DC=tld; 
	1> instanceType: 0x4 = ( IT_WRITE ); 
	1> whenCreated: 10/22/2002 18:50:14 Pacific Standard Time Pacific Daylight Time; 
	1> whenChanged: 08/07/2003 13:10:41 Pacific Standard Time Pacific Daylight Time; 
	1> uSNCreated: 4305; 
	1> attributeID: 0.9.2342.19200300.100.1.5; 
	1> attributeSyntax: 2.5.5.12; 
	1> isSingleValued: FALSE; 
	1> rangeLower: 1; 
	1> rangeUpper: 256; 
	1> uSNChanged: 4305; 
	1> showInAdvancedViewOnly: TRUE; 
	1> adminDisplayName: drink; 
	1> adminDescription: The drink (Favourite Drink) attribute type specifies the favorite drink of an object (or person).; 
	1> oMSyntax: 64; 
	1> searchFlags: 0; 
	1> lDAPDisplayName: drink; 
	1> name: drink; 
	1> objectGUID: db19f4f8-a922-429c-bd37-bd1e0a3dfd9c; 
	1> schemaIDGUID: 1a1aa5b5-262e-4df6-af04-2cf6b0d80048; 
	1> systemOnly: FALSE; 
	1> objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=domain,DC=rootdomain,DC=tld; 
-----------

So there you have it.

Update: Tony and I are now swapping ideas for AD-based drinking games:

  • Tony proposes writing a desktop agent that alerts you when your AD user object has been queried; when it has, take a drink. [Edit: that would require hooking into all your DCs, which would be a massive pain in the ass. I don’t think it’ll fly, but it’s fun!]
  • I proposed a game where you have to pick an object that has the drink attribute populated (without scanning the directory first); if they do, they take a drink and are the next person to choose, and if they don’t you get to take a drink and choose again.

What kind of AD drinking games can you come up with?

I wonder if our Cookbook editor Robbie knows about this. I’d be willing to bet he can come up with some great AD drinking games.