Note: This solution is not new, and you can find a number of English tutorials on the internet; I have only added a Czech version.
Active Directory contains a wide range of attributes, some of which were added from the Windows Server 2003 version. AD is compatible with LDAP directories and therefore also contains various attributes defined for LDAP that it does not use by default. The Active Directory Users And Computers snap-in for the MMC console (hereinafter referred to as ADUC) lets us display and edit only some attributes.
To access all attributes, we can use a tool (such as ldp.exe) or a programming language that uses the LDAP protocol. Or we can use the MS tool ADSIEdit, which is located in the Windows Server 2000/2003 Support Tools (for example, Windows Server 2003 Service Pack 2 32-bit Support Tools).
We can, however, also modify and extend ADUC ourselves. One option is to modify a library; an example is Additional Account Info directly from MS (part of the Windows 2003 Server Resource Kit; the library must be registered with regsvr32 acctinfo.dll), but it is not that simple. The second option is to use a Visual Basic script, which we run from the ADUC context menu.
The following example shows how to create a script to display and edit the employeeID attribute (employee number), and how to extend the User object context menu so that this script can be run.
Creating a script for the employeeID attribute
First, we need to create a simple VB script that will do all the work of reading, displaying, and writing values from/to AD. This is just a simple example that could be extended and supplemented with some checks.
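```vbscript
' ADUC passes the ADsPath of the selected object as the first argument
Set wshArgs = WScript.Arguments
Set objAD = GetObject(wshArgs(0))

' Read the current value; an unset attribute is shown as "empty"
eID = objAD.employeeID
If eID = "" Then eID = "empty"

res = InputBox("Person: " & objAD.cn & vbCrLf & vbCrLf & "Current employee number: " & eID & vbCrLf & vbCrLf & "Enter new employee number:", objAD.cn & " employee number", objAD.employeeID)

If res <> "" Then
    ' Without On Error Resume Next a failed write aborts the script
    ' before the Err check below is ever reached
    On Error Resume Next
    Err.Clear
    objAD.employeeID = res
    objAD.SetInfo
    If Err.Number <> 0 Then MsgBox "Employee number could not be saved.", vbCritical, "Error !!!"
    On Error GoTo 0
End If
```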
Save this script, for example, as employeeID.vbs and place it in a location accessible to everyone who will need it. The context menu modification applies to the whole domain, so anyone who accesses this value through ADUC must have access to the script. A suitable place to store the script is the NETLOGON directory on the domain controller. Because the script runs with the permissions of whoever launches it from ADUC, only administrators should have write access to that location.

Adding an item to the context menu
- Run ADSIEdit.msc with the necessary permissions (Domain Admin or Enterprise Admin depending on the structure)
- Open Configuration, then our domain and CN=DisplaySpecifiers
- Depending on the language, select the next folder, CN=409 for English, CN=405 for Czech
- Here we will find the item CN=user-Display and open it by double-clicking (so the full DN is CN=user-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=domain,DC=tld)
- The first attribute in the list should be adminContextMenu, open it by double-clicking
- Now we will create an item in the user context menu. The value has three comma-separated parts: the first is some free number, the second is the name of the item in the context menu, and the last is the path to the script that will run
  Example: 6,&Employee number,\\domain-server\netlogon\employeeID.vbs
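Every command entry in adminContextMenu is run by whoever clicks it in ADUC, so it is worth reviewing the attribute from time to time. The following sketch is an added example, not part of the original article: it parses values in the format described above and reports entries that are malformed, reuse an order number, or point outside an approved location. The approved path, the sample values and the function names are assumptions made for the illustration.

```python
import re

# COM menu extensions are stored as "order,{CLSID}"; script entries as "order,label,command".
CLSID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
# Assumption: the only approved script location is the NETLOGON path from the example above.
APPROVED = (r"\\domain-server\netlogon" + "\\",)

def parse_entry(value):
    """Split one adminContextMenu value into (order, label, target, kind)."""
    parts = [p.strip() for p in value.split(",", 2)]
    order = int(parts[0])  # raises ValueError on a non-numeric order
    if len(parts) == 2 and CLSID_RE.match(parts[1]):
        return order, None, parts[1], "com"
    if len(parts) == 3 and parts[2]:
        return order, parts[1], parts[2], "command"
    raise ValueError("unrecognised entry format")

def audit(values, approved=APPROVED):
    """Return (value, reason) pairs for entries that need review."""
    findings, seen = [], set()
    prefixes = tuple(a.lower() for a in approved)
    for value in values:
        try:
            order, _label, target, kind = parse_entry(value)
        except ValueError:
            findings.append((value, "malformed"))
            continue
        if order in seen:
            findings.append((value, "order number already in use"))
        seen.add(order)
        if kind == "command":
            path = target.lower()
            # Reject parent-directory hops as well as paths outside the allowlist
            if ".." in path or not path.startswith(prefixes):
                findings.append((value, "command outside approved location"))
    return findings

# Constructed sample values, as they could be copied out of ADSIEdit.
SAMPLE = [
    "1,{00000000-0000-0000-0000-000000000001}",
    r"6,&Employee number,\\domain-server\netlogon\employeeID.vbs",
    r"7,&Badge,\\fileserver\public\badge.vbs",
    r"6,&Phone,\\domain-server\netlogon\phone.vbs",
    "broken-entry",
]

if __name__ == "__main__":
    for value, reason in audit(SAMPLE):
        print(f"{reason}: {value}")
```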



Interesting links
- Step-by-Step Guide to Using Active Directory Schema and Display Specifiers - description of the issue by MS
- Scripts and Files of the Inside Active Directory - series of VB scripts for inspiration
- Scripts to manage Active Directory Users - additional VB scripts
- VBScript Fundamentals for Windows Scripting - ADSI - description of writing VB scripts for ADSI