List all Constructed Attributes

Constructed (or computed) Attributes are an important part of the way Active Directory is functioning. Basically, these are not real attributes, in the sense that they do not really exist, but are calculated by AD when being queried. They contain very useful info (for example well known primaryGroupToken and modifyTimeStamp) but they obviously have a few limitations such as not being “settable” or not available for filtering, so knowing which are which is quite useful!

Here’s how you get a list of all computed attributes in your AD:

Get-QADObject -SearchRoot CN=Schema,CN=Configuration,dc=MyDomain,dc=COM -Type attributeSchema -IncludedProperties systemFlags -SizeLimit 0 | where {$_.SystemFlags -band 4}

Basically, this one-liner retrieves all (-SizeLimit 0) attributes (-type attributeSchema) from the Schema partition (-SearchRoot "CN=Schema,CN=Configuration,dc=MyDomain,dc=COM"), together with their system flags (-IncludedProperties systemFlags), and leaves just the ones with FLAG_ATTR_IS_CONSTRUCTED (where {$_.SystemFlags -band 4}).

Thanks to Andrey Moiseev who shared this with me recently!

[UPDATE] Check out Aleksandar’s post on making this oneliner run 40 times faster. 😉

Tags: , , , , , , ,

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

My Recent Tweets


The posts on this blog are provided “as is” with no warranties and confer no rights. The opinions expressed on this site are mine and mine alone, and do not necessarily represent those of my employer - WSO2 or anyone else for that matter. All trademarks acknowledged.

© 2007-2014 Dmitry Sotnikov

August 2008

%d bloggers like this: