A PowerShell script to document all attributes of a specified Active Directory object. The script first documents all mandatory attributes for the class of the object, then all optional attributes. The script documents each attribute lDAPDisplayName, the syntax, if it is multi-valued, if it is operational (also called constructed), and the value or values assigned. If the attribute has no value assigned for the object, this is indicated.
The object is identified by distinguished name. Either pass the distinguished name in quotes as a parameter to the script, or the script will prompt for the distinguished name. For example, to document a user object and specify the distinguished name:
.\DocumentADAttributes.ps1 "cn=Jim Smith,ou=Sales,ou=West,dc=domain,dc=com"
The object can be in any naming context. For example, to document a site link, and let the script prompt for the distinguished name:
.\DocumentADAttributes.ps1
Enter the AD object distinguished name: cn=West,cn=IP,cn=Inter-Site Transports,cn=Sites,cn=Configuration,dc=domain,dc=com
The output can be large. It is best to redirect the output to a text file.
Notes:
- For each attribute the script outputs the attribute lDAPDisplayName, the attribute syntax, and the value.
- If the attribute has no value assigned in AD, the value is displayed as "<not set>".
- If the attribute is multi-valued, the syntax has the string "[]" appended at the end. For example "OctetString[]"
- Multi-valued attributes have each value displayed on a separate line.
- If the attribute is operational (also called constructed), the script displays the syntax with the string "<operational>" appended at the end. For example "DirectoryString <operational>" or "Oid[] <operational>".
- The values of multi-valued SID attributes that are operational are retrieved using extra code. In addition, the Translate method is used to display the corresponding sAMAccountName in parentheses. An example is the tokenGroups attribute of a security principal.
- Integer values are displayed with culture-specific separators (commas or periods) separating digits.
- Large Integers (64-bit) are converted into DateTime or TimeSpan values, as appropriate.
- Byte arrays that are more than 100 bytes long are not displayed. Instead the number of bytes is shown.
- Byte arrays less than 100 bytes are displayed as space delimited decimal values. The exception is byte arrays for the following attributes, which are converted into friendly formats: all GUIDs, all SIDs, logonHours, schedule.
- The logonHours attribute (if a value is assigned) is displayed on 7 lines, one for each day of the week. A pattern of 24 bits each day is displayed where a "1" means the user is allowed to logon, and a "0" means they are not. The values are in the time zone of the local computer.
- The schedule attribute is displayed on 7 lines, one for each day of the week. Each line displays 24 hours. For each hour the output shows if replication is scheduled during any of the 15-minute intervals in the hour. A "Y" means replication is scheduled, "n" means it is not. An hour will be similar to "YYnn". The values are in the time zone of the local computer.
- The following "flag" attributes are interpreted to display what the value means: userAccountControl, msDS-User-Account-Control-Constructed, groupType, searchFlags, systemFlags, sAMAccountType, instanceType
DocumentADAttributes.txt <<-- Click here to view or download the program