What is the difference between category 1 and category 2 attributes?
You probably have read or heard that there are two kinds of attributes in Active Directory. Not the “good” attribute and “bad” attribute discussion or anything like that. I mean the technical separation of attributes into category 1 and category 2.
The separation is easy:
Category 1 attributes are attributes that come with the base schema provided by Microsoft.
Category 2 attributes are all other attributes.
This distinction can be used to determine whether an attribute in question was custom-added, installed with a third-party tool, or provided by Microsoft. You would also want to know if you’re dealing with a category 1 or category 2 attribute when it comes to using the confidentiality bit in searchFlags. The “confidential” bit can be set to disallow ordinary users “Read” access to base attributes. Read more on the “confidential” bit on Tomek’s blog (don’t miss Jorge’s comment!). Unfortunately, the confidential bit doesn’t work with category 1 attributes - so you might wanna know before you mess with the searchFlags.
The problem is that you can’t tell whether an attribute is cat 1 or cat 2 just by looking at its name. You’ll have to dig deeper and query Active Directory to find out whether an attribute is in the base schema or not. The information we need to evaluate is buried in the systemFlags attribute of the attributeSchema object in the Schema partition. When bit 5 is set (value 16), we know we’re dealing with a cat 1 attribute.
I’ll use ADfind to first count the attributes:
and display them afterwards:
Using the NOT operator (!) shows/counts cat 2 attributes:
Now… let’s check if a specific attribute we need is a cat 1 or cat 2 attribute. I’ll try “employeeID”. The command is a must-love for ADfind users, as it’s a shortcut that displays the schema definition of an attribute pretty easily:
Yeah, adfind -sc -s:<attributeName> systemFlags is all it takes, folks!
A cat 2 attribute would be “roomNumber” which came with Exchange, I think:
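The same checks can be scripted without ADfind. The following PowerShell is an added example, not part of the original post: it counts cat 1 and cat 2 attributes with a bitwise LDAP filter on systemFlags and reports, per attribute, whether the confidential bit in searchFlags is set on an attribute where the post says it has no effect. It assumes the RSAT ActiveDirectory module and read access to the schema partition; the function name `Get-AttributeCategory` and the variable names are hypothetical, and the confidential bit value (128) is not stated in the post.

```powershell
# Added example. Assumes the RSAT ActiveDirectory module and schema read access.
Import-Module ActiveDirectory

$BaseSchemaFlag   = 16                         # systemFlags value the post checks (category 1)
$ConfidentialFlag = 128                        # searchFlags confidential bit
$BitAndRule       = '1.2.840.113556.1.4.803'   # LDAP bitwise-AND matching rule OID
$SchemaNC         = (Get-ADRootDSE).schemaNamingContext

# Count category 1 attributes, then category 2 by negating the same bit test.
$cat1Filter = '(&(objectCategory=attributeSchema)(systemFlags:{0}:={1}))' -f $BitAndRule, $BaseSchemaFlag
$cat2Filter = '(&(objectCategory=attributeSchema)(!(systemFlags:{0}:={1})))' -f $BitAndRule, $BaseSchemaFlag
$cat1Count  = @(Get-ADObject -SearchBase $SchemaNC -LDAPFilter $cat1Filter).Count
$cat2Count  = @(Get-ADObject -SearchBase $SchemaNC -LDAPFilter $cat2Filter).Count
"Category 1 attributes: $cat1Count"
"Category 2 attributes: $cat2Count"

# Hypothetical helper: classify named attributes and check the confidential bit.
function Get-AttributeCategory {
    param([Parameter(Mandatory)][string[]]$Name)
    foreach ($n in $Name) {
        $attr = Get-ADObject -SearchBase $SchemaNC `
            -LDAPFilter "(&(objectCategory=attributeSchema)(lDAPDisplayName=$n))" `
            -Properties lDAPDisplayName, systemFlags, searchFlags
        if (-not $attr) {
            Write-Warning "No attributeSchema object found for '$n'"
            continue
        }
        # systemFlags can be absent on custom attributes; [int]$null evaluates to 0.
        $isCat1 = ([int]$attr.systemFlags -band $BaseSchemaFlag)   -ne 0
        $isConf = ([int]$attr.searchFlags -band $ConfidentialFlag) -ne 0
        [pscustomobject]@{
            Attribute       = $attr.lDAPDisplayName
            Category        = $(if ($isCat1) { 1 } else { 2 })
            ConfidentialBit = $isConf
            Note            = $(if ($isCat1 -and $isConf) {
                                   'confidential bit set on a category 1 attribute'
                               } else { '' })
        }
    }
}

# The two attributes the post looks at.
Get-AttributeCategory -Name employeeID, roomNumber | Format-Table -AutoSize
```

A non-empty Note column marks an attribute that is relying on the confidential bit where it will not restrict read access, so those are the ones to review first.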




