
Manage copying Active Directory attributes when duplicating user accounts


Many companies use additional Active Directory attributes that are copied along with duplicate user accounts. But there are plenty of examples when this is inconvenient. Therefore, in this article I will explain how to avoid such behavior or change it to suit your needs.


About the author of the original text:
Tim Bantrok is an Active Directory administrator for a large company that specializes in call centers. Certified MCTS, MCITP, MCSA and MCPS specialist.

Admins sometimes like to copy user accounts for reasons of convenience: additional attributes that would otherwise have to be manually configured will be automatically transferred as well. But in some cases, this approach is fraught with problems.


For example, you use the extensionAttribute1 attribute as a unique mailbox ID to migrate a mailbox from one Microsoft Exchange system to another that sits in a separate AD forest. If a copied user carries the same ID as the original, synchronization will not work, or Exchange may synchronize mail into someone else's mailbox.


But you can prevent a particular attribute from being copied if you disable the Attribute is copied when duplicating a user option in Active Directory.


To do this, you must have schema administrator rights (do not forget to remove your account from this group when you are finished with the settings). You can disable copying of extensionAttribute1 as follows:


  1. Run the PowerShell console as an administrator.
  2. By default, the Active Directory Schema snap-in is not registered with MMC. Register it with this command:
    regsvr32 schmmgmt.dll 
  3. Now add the Active Directory Schema snap-in to the MMC.

    Add the AD Schema snap-in.
  4. In the console, select the Attributes folder, then right-click extensionAttribute1 and select Properties. Deselect Attribute is copied when duplicating a user and click OK.

    Deselect Attribute is copied when duplicating a user.

Finding the attributes that are copied


To determine which attributes will be copied and which will not, you can look in the AD Schema console. But checking every attribute there by hand is inconvenient.


Therefore, to automate the process, we use PowerShell:



Now you need to apply a filter by object identifier (OID). An OID is a numeric sequence whose format is defined by RFC 1778. This format is standard for the internal representation of most LDAP-compatible directories.


Use the following syntax: <attribute name>:<OID>:=<decimal value>



It turns out the following line:


 Get-ADObject -SearchBase $((Get-ADRootDSE).schemaNamingContext) -LDAPFilter "(&(objectClass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=16))" 

As a result, we get the DistinguishedName, Name, ObjectClass and ObjectGUID properties of each attribute that is copied along with the user object.


Since we only need the names (Name) of these attributes, we append | %{$_.Name} to the command:


 Get-ADObject -SearchBase $((Get-ADRootDSE).schemaNamingContext) -LDAPFilter "(&(objectClass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=16))" | %{$_.Name} 


Now PowerShell returns only names.


If you want to get the attributes that will not be copied when duplicating an object, replace (searchFlags:1.2.840.113556.1.4.803:=16) with (!(searchFlags:1.2.840.113556.1.4.803:=16)):


 Get-ADObject -SearchBase $((Get-ADRootDSE).schemaNamingContext) -LDAPFilter "(&(objectClass=attributeSchema)(!(searchFlags:1.2.840.113556.1.4.803:=16)))" | %{$_.Name} 
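The queries above list attributes by their schema CN (Name). The following PowerShell script is an added example, not part of the original article, that goes a step further: it lists the copied attributes by lDAPDisplayName, decodes the searchFlags bit for one attribute, and optionally clears that bit with Set-ADObject instead of the Schema snap-in. It assumes the ActiveDirectory module, membership in Schema Admins, and the parameter names $AttributeName and $DisableCopy, which are my own.

```powershell
<#
Added example (not from the original article). Lists which schema attributes
carry the "copied when duplicating a user" flag and optionally clears it on one
attribute from PowerShell instead of the Schema snap-in. Assumes the
ActiveDirectory module, membership in Schema Admins, and that $AttributeName
is the lDAPDisplayName of the attribute (extensionAttribute1 by default).
#>
param(
    [string]$AttributeName = 'extensionAttribute1',
    [switch]$DisableCopy          # without this switch the script only reports
)
Import-Module ActiveDirectory

# searchFlags is a bit field; bit 0x10 (decimal 16) is "Attribute is copied
# when duplicating a user". Schema writes are only accepted on the schema master.
$CopyFlag     = 0x10
$Schema       = (Get-ADRootDSE).schemaNamingContext
$SchemaMaster = (Get-ADForest).SchemaMaster

# Same bitwise-AND matching rule as in the article, but also returning
# lDAPDisplayName (the name LDAP clients use) next to the CN shown by Name.
Get-ADObject -Server $SchemaMaster -SearchBase $Schema `
    -LDAPFilter "(&(objectClass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=$CopyFlag))" `
    -Properties lDAPDisplayName, searchFlags |
    Sort-Object lDAPDisplayName |
    Format-Table lDAPDisplayName, Name, searchFlags -AutoSize

# Look up the one attribute we care about and decode its flag.
$attr = Get-ADObject -Server $SchemaMaster -SearchBase $Schema `
    -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$AttributeName))" `
    -Properties searchFlags
if (-not $attr) { throw "Attribute '$AttributeName' not found in the schema" }

$isCopied = ($attr.searchFlags -band $CopyFlag) -ne 0
"{0}: searchFlags={1} copied-on-duplicate={2}" -f $AttributeName, $attr.searchFlags, $isCopied

if ($DisableCopy -and $isCopied) {
    # Clear only bit 0x10; the other searchFlags bits (indexing, ANR, ...) are kept.
    $newFlags = $attr.searchFlags -band (-bnot $CopyFlag)
    Set-ADObject -Server $SchemaMaster -Identity $attr.DistinguishedName `
        -Replace @{ searchFlags = $newFlags }

    # Ask the schema master to reload its schema cache now instead of waiting for
    # the periodic refresh (RootDSE write through ADSI).
    $rootDse = [ADSI]"LDAP://$SchemaMaster/RootDSE"
    $rootDse.Put('schemaUpdateNow', 1)
    $rootDse.SetInfo()
    "Cleared the copy flag on $AttributeName (searchFlags now $newFlags)"
}
```

Run it without -DisableCopy first to confirm the attribute and its current searchFlags value, then again with -DisableCopy from an account in Schema Admins.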


Source: https://habr.com/ru/post/353252/

