Identify writeable AD attributes with PowerShell


You should be able to easily retrieve the list of attributes that are writeable on an object by using the constructed attribute allowedAttributesEffective (http://msdn.microsoft.com/en-us/library/ms675218(v=vs.85).aspx); the domain controller computes it for the security context you are bound with.

$ADObject = New-Object system.DirectoryServices.DirectoryEntry ("LDAP://CN=alexandre augagneur,CN=Users,DC=corpnet,DC=net")
$ADObject.RefreshCache("allowedAttributesEffective")
$ADObject.properties.allowedAttributesEffective

However, the constructed attribute also returns some attributes that cannot actually be changed… so we have to do something more.

The best way I found is to retrieve all attributes that are protected by the system (systemOnly, http://msdn.microsoft.com/en-us/library/ms680025(v=vs.85).aspx). Once that is done, I simply remove each of them from the list of allowed attributes returned by the constructed attribute allowedAttributesEffective.

$SystemOnlyAttributes = @()
$TrulyAllowedAttributes = @()

# Get the desired object based on its distinguishedName
$ADObject = New-Object System.DirectoryServices.DirectoryEntry ("LDAP://CN=alexandre augagneur,CN=Users,DC=corpnet,DC=net")

# Retrieve the constructed attribute 'allowedAttributesEffective'
$ADObject.RefreshCache("allowedAttributesEffective")

# Store the list of allowed attributes in a variable
$allowedAttributesEffective = $ADObject.properties.allowedAttributesEffective

# Retrieve the list of attributes in the schema which are protected (systemOnly)
$ObjRootDSE = [ADSI] "LDAP://RootDSE"
$ADSearcher = New-Object System.DirectoryServices.DirectorySearcher
$ADSearcher.SearchRoot = [ADSI] "LDAP://$($ObjRootDSE.schemaNamingContext)"
$ADSearcher.PageSize = 1000   # page through the results instead of stopping at the server size limit
$ADSearcher.PropertiesToLoad.AddRange(@("ldapdisplayname","systemonly"))
# Restrict the search to attribute definitions: class definitions carry systemOnly too
$ADSearcher.Filter = "(&(objectClass=attributeSchema)(systemonly=TRUE))"
# Each result holds a value collection; take the single string so the array gets names, not collections
$ADSearcher.FindAll() | %{ $SystemOnlyAttributes += [string] $_.Properties.ldapdisplayname[0] }

# Compare the list of allowed attributes returned by the constructed attribute
# with the list of protected attributes collected in the schema
foreach ( $Attribute in $allowedAttributesEffective )
{
    if ( $SystemOnlyAttributes -notcontains $Attribute )
    {
        $TrulyAllowedAttributes += $Attribute
    }
}

# The most accurate list of writeable attributes
$TrulyAllowedAttributes
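
As an added example (my own code, not the post's), the same approach wrapped in a function for auditing: it takes the object DN, optionally binds with a PSCredential so allowedAttributesEffective is evaluated for that account rather than the caller, and besides systemOnly also prunes constructed attributes (systemFlags bit 0x4) and back-link attributes (odd linkID), which the directory never accepts writes to. The function name and the -Credential parameter are assumptions of this example.

```powershell
function Get-TrulyWritableAttribute {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)] [string] $DistinguishedName,
        [System.Management.Automation.PSCredential] $Credential   # hypothetical: evaluate rights as another account
    )

    $FLAG_ATTR_IS_CONSTRUCTED = 0x4   # systemFlags bit: attribute is computed on read, never stored

    # Bind to the target object. With -Credential, the DC computes
    # allowedAttributesEffective for that account instead of the caller.
    $path = "LDAP://$DistinguishedName"
    if ($Credential) {
        $nc  = $Credential.GetNetworkCredential()
        $obj = New-Object -TypeName System.DirectoryServices.DirectoryEntry -ArgumentList $path, $nc.UserName, $nc.Password
    } else {
        $obj = New-Object -TypeName System.DirectoryServices.DirectoryEntry -ArgumentList $path
    }
    $obj.RefreshCache([string[]]@("allowedAttributesEffective"))
    $effective = @($obj.Properties["allowedAttributesEffective"])

    # Walk the schema once and collect every attribute a write would be rejected on:
    # systemOnly, constructed (systemFlags bit 0x4) or a back link (odd linkID).
    $rootDse  = [ADSI] "LDAP://RootDSE"
    $searcher = New-Object -TypeName System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI] "LDAP://$($rootDse.schemaNamingContext)"
    $searcher.Filter     = "(objectClass=attributeSchema)"
    $searcher.PageSize   = 1000   # the schema holds well over 1000 attribute definitions
    $searcher.PropertiesToLoad.AddRange([string[]]@("ldapdisplayname", "systemonly", "systemflags", "linkid"))

    $notWritable = @{}   # hashtable literal keys are case-insensitive, matching LDAP display names
    foreach ($r in $searcher.FindAll()) {
        $p    = $r.Properties
        $name = [string] $p["ldapdisplayname"][0]
        $systemOnly  = ($p["systemonly"].Count -gt 0) -and [bool] $p["systemonly"][0]
        $constructed = ($p["systemflags"].Count -gt 0) -and (([int] $p["systemflags"][0] -band $FLAG_ATTR_IS_CONSTRUCTED) -ne 0)
        $backLink    = ($p["linkid"].Count -gt 0) -and (([int] $p["linkid"][0] % 2) -eq 1)
        if ($systemOnly -or $constructed -or $backLink) { $notWritable[$name] = $true }
    }

    # Keep only what the directory reports as writable and the schema does not forbid
    $effective | Where-Object { -not $notWritable.ContainsKey($_) } | Sort-Object
}

# Constructed usage: review what the bound account may change on one user object
Get-TrulyWritableAttribute -DistinguishedName "CN=alexandre augagneur,CN=Users,DC=corpnet,DC=net"
```

Run it with a low-privileged account's credentials against sensitive objects to check that delegation has not left attributes such as scripts or group membership writable to that account.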

 

If you have a better way… you are welcome!

Last updated on Wednesday, 24 September 2014 21:04