Change Active Directory Copy Behavior


Hello,

Just like the tombstone behavior, the copy behavior can be altered to fit your needs. It is the same concept as before: you only need to change the SearchFlags value of the relevant attribute in your schema. In fact, a lot of basic Active Directory functionality can be altered this way.

Possible Schema SearchFlags Modifications

Value             Description
1 (0x00000001)    Create an index for the attribute.
2 (0x00000002)    Create an index for the attribute in each container.
4 (0x00000004)    Add this attribute to the Ambiguous Name Resolution (ANR) set. This is used to assist in finding an object when only partial information is given. For example, if the LDAP filter is (ANR=JEFF), the search will find each object where the first name, last name, email address, or other ANR attribute is equal to JEFF. Bit 0 must be set for this index to take effect.
8 (0x00000008)    Preserve this attribute in the tombstone object for deleted objects.
16 (0x00000010)   Copy the value for this attribute when the object is copied.
32 (0x00000020)   Create a tuple index for the attribute. This will improve searches where the wildcard appears at the front of the search string. For example, (sn=*mith).
64 (0x00000040)   Supported beginning with ADAM. Creates an index to greatly help VLV performance on arbitrary attributes.
128 (0x00000080)  Mark attribute as confidential. Ignored for base schema attributes (systemFlags=0x10).
64 (0x00000040)   Supported beginning with Windows Server 2008. Create an index to improve VLV search performance on this attribute.

This is extracted from this Microsoft page.

Today, the line we care about is the one starting with 16. If you take any attribute in the Active Directory schema and add 16 to its current SearchFlags value (that is, set that bit; if it is already set there is nothing to add), the attribute will be copied when you use the "Copy..." feature of Active Directory Users & Computers.

To list every attribute that currently has this bit set, which is also how you keep track of the ones you modified:

Get-ADObject -LDAPFilter '(searchFlags:1.2.840.113556.1.4.803:=16)' -SearchBase (Get-ADRootDSE).schemaNamingContext

(Screenshot from the original post: Change Active Directory Copy Behavior – Attribute List)

As you can see, the list is quite long, and many people use this copy feature without knowing the implications. Some uncommon attributes are in it:

  • Assistant
  • Home-Directory
  • Profile-Path
  • User-Account-Control

Some of those shouldn't be copied lightly: User-Account-Control, for instance, carries the account's security flags, so a copied user inherits whatever was set on the template account.

Change Active Directory Copy Behavior

You need to add or remove 16 in the SearchFlags value of the attribute's definition in the schema. Below is an example with the job title attribute (CN=Title):

$Title = Get-ADObject -Identity "CN=Title,$((Get-ADRootDSE).schemaNamingContext)" -Properties searchFlags   # read the current value so the other bits are kept
Set-ADObject -Identity $Title -Replace @{searchFlags=($Title.searchFlags -bor 16)}                            # -bor sets the copy bit; use -band (-bnot 16) to clear it
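A fuller version of the listing query and the schema change above, added here as an example rather than taken from the original post. It assumes the ActiveDirectory PowerShell module, membership in Schema Admins, and that attributes are addressed by their lDAPDisplayName (for example title or userAccountControl); the function names Get-CopiedSchemaAttribute and Set-SchemaCopyFlag are my own.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory
# module and Schema Admins rights. Attributes are looked up by lDAPDisplayName.
Import-Module ActiveDirectory

$CopyFlag     = 16                                  # SearchFlags bit 0x10: copy on "Copy..." in ADUC
$SchemaNC     = (Get-ADRootDSE).schemaNamingContext
$SchemaMaster = (Get-ADForest).SchemaMaster         # schema writes must go to the schema master

function Get-CopiedSchemaAttribute {
    # Every attribute whose searchFlags has the copy bit set, found with the
    # LDAP_MATCHING_RULE_BIT_AND matching rule (1.2.840.113556.1.4.803).
    Get-ADObject -Server $SchemaMaster -SearchBase $SchemaNC `
        -LDAPFilter "(searchFlags:1.2.840.113556.1.4.803:=$CopyFlag)" `
        -Properties lDAPDisplayName, searchFlags |
        Select-Object lDAPDisplayName, searchFlags
}

function Set-SchemaCopyFlag {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $LdapDisplayName,
        [Parameter(Mandatory)] [bool]   $Enabled
    )
    # Resolve the attribute by lDAPDisplayName instead of guessing its CN, and
    # read the current searchFlags so every other bit is preserved.
    $attr = Get-ADObject -Server $SchemaMaster -SearchBase $SchemaNC `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))" `
        -Properties searchFlags
    if (-not $attr) { throw "Schema attribute '$LdapDisplayName' not found" }

    $current = [int]$attr.searchFlags
    # Set or clear the single bit. Adding or subtracting 16 blindly would flip
    # other flags if the bit is already in the requested state.
    $new = if ($Enabled) { $current -bor $CopyFlag } else { $current -band (-bnot $CopyFlag) }

    if ($new -eq $current) {
        Write-Verbose "$LdapDisplayName already has searchFlags=$current; nothing to do"
        return
    }
    # -WhatIf / -Confirm are honoured here, so the change can be rehearsed first.
    if ($PSCmdlet.ShouldProcess($attr.DistinguishedName, "searchFlags $current -> $new")) {
        Set-ADObject -Server $SchemaMaster -Identity $attr.DistinguishedName `
            -Replace @{ searchFlags = $new }
    }
}

# Usage (dry run first):
# Get-CopiedSchemaAttribute | Sort-Object lDAPDisplayName
# Set-SchemaCopyFlag -LdapDisplayName 'title' -Enabled $true -WhatIf
# Set-SchemaCopyFlag -LdapDisplayName 'userAccountControl' -Enabled $false -Confirm
```

Run Get-CopiedSchemaAttribute before and after a change and keep the two outputs; the diff is your record of what was modified. Domain controllers pick the new flags up once their schema cache refreshes, which happens on its own after a few minutes or immediately after writing schemaUpdateNow=1 to the RootDSE.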
