Active Directory Schema

Last Edited

by

in

Active Directory Schema is a Microsoft Windows system administrative tool that can be used to modify Active Directory.

What is Schema?

Schema is a set of rules for Active Directory in Microsoft Windows 2000 that defines which objects can be contained in the directory and what attributes those objects can have. The schema can be considered a formal definition of Active Directory.

The Default Active Directory Schema

Active Directory comes with a default schema that defines various common default object classes such as Users, Groups, Computers, and Domains – plus, it defines their attributes. The default schema is sufficient in most instances and that defines common network objects in the directory such as users, groups, domains, and computers.

Using Active Directory Schema, you can modify your organization’s schema by:

  • Creating new classes and modifying existing ones
  • Creating new attributes and modifying existing ones
  • Deactivating unnecessary classes and attributes
Active Directory Schema
Active Directory Schema

Members of the Schema Admins group, of which the default Administrator account is automatically a member, are the only users who can make changes to the schema. A typical use for Active Directory Schema is adding new attributes to an existing User object, for example a SeniorityLevel attribute.

Qualified administrators only

Active Directory Schema is an advanced tool that should be used only by qualified administrators, as an inexperienced user could easily render your Active Directory inoperable. Before you can use this tool to modify the schema, you must add a registry setting to your machine and specify the one domain controller that can be used to modify the schema for your enterprise.

This prevents unauthorized access to the schema and inconsistencies that can occur when the schema is simultaneously modified in more than one place. You must also install the snap-in for this tool in a Microsoft Management Console (MMC) console before you can use it – it is not available from the Start menu’s list of Administrative Tools.

Modifying Active Directory schema

Another way of modifying the Active Directory schema is to write a script that uses Active Directory Service Interfaces (ADSI) to make calls that modify the schema. This is the best solution if you want to modify the schema for an entire enterprise or if you want to automate modifications to the schema.

Want to know more about Active Directory? Try this list of Active Directory books from Amazon: active directory

Altering the read-only permission on the schema

As a safety measure, domain controllers by default have read-only permissions on the schema. If you want to write changes to the schema, you must first modify a registry setting on the domain controller on which you plan to make modifications. (Make modifications to the schema from only one domain controller at a time.) The Schema Manager MMC snap-in offers a check box that you can use to set or clear the key. To modify the registry manually, you add the parameter Schema Update Allowed with data type REG_DWORD and a nonzero value to the following registry key:

HKEY_LOCAL_MACHINE
\System
\CurrentControlSet
\Services
\NTDS
\Parameters

See also

Search