Reputation: 1517
Is there a complete list of Active Directory attributes, and a mapping to LDAP?
I'm querying Active Directory from c++, using the LDAP interface (using iads.h). I notice there is a difference in attributenames for Users.
When executing in Powershell
Get-ADUser sih -Properties *
there is an attribute EmailAddress. When querying the AD from C++, the attribute EmailAddress is not found. Mail is however found, both with Powershell and C++.
Is there any mapping, or why are some attributes present in Powershell and not in the C++ interface for the User object?
Note: when using Active Directory Explorer (https://technet.microsoft.com/en-us/sysinternals/adexplorer.aspx), the attribute EmailAddress is not shown either for users. It seems that all attribute shown here can be fetched from C++.
I'm looking for a mapping from AD to LDAP, to offer the possibility to fetch all values from AD.
Upvotes: 4
Views: 4033
Answers (2)
Reputation: 200393
The PowerShell AD cmdlets do more than just returning the bare attributes of a user. To make account information easier to use they create additional properties, some just with a more "speaking" name (e.g. mail→EmailAddress), others with the raw data converted to a more digestible format (e.g. pwdLastSet→PasswordLastSet, accountExpires→AccountExpirationDate) or to show particular flags (e.g. Enabled, which indicates whether the flag ACCOUNTDISABLE is set in the userAccountControl attribute).
Upvotes: 0
Reputation: 174720
Those are two different questions.
For a mapping between internal attribute names and LDAP display names: It's called the Schema :-)
Retrieve all objects with objectClass=attributeSchema and compare the adminDisplayName and lDAPDisplayName attribute values:
Get-ADObject -Filter 'objectClass -eq "attributeSchema"' -SearchBase 'CN=Schema,CN=Configuration,DC=forest,DC=tld' -Properties adminDisplayName,lDAPDisplayName |Select-Object adminDisplayName,lDAPDisplayName
For a mapping between the user-friendly property names in the PowerShell ActiveDirectory module (like EmailAddress) and the LDAP display names (like mail), these are hard-coded as internal constants in the Microsoft.ActiveDirectory.Management.dll assembly.
Here's how you can retrieve them using a bit of reflection magic:
# Import the Active Directory module:
Import-Module ActiveDirectory
# Now, obtain a reference to the assembly itself:
$ADAssembly = [Microsoft.ActiveDirectory.Management.ADEntity].Assembly
# Now we'll need to retrieve the internal class that defines the constants:
$LDAPAttributes = $ADAssembly.GetType('Microsoft.ActiveDirectory.Management.Commands.LdapAttributes')
# Then use GetFields() to retrieve the internal constants
$LDAPNameConstants = $LDAPAttributes.GetFields('Static,NonPublic') |Where-Object {$_.IsLiteral}
# Finally build a hashtable with the Property Names -> LDAP Name mapping
$LDAPPropertyMap = @{}
$LDAPNameConstants |ForEach-Object {
$LDAPPropertyMap[$_.Name] = $_.GetRawConstantValue()
}
$LDAPPropertyMap now contains your mappings
Upvotes: 4
Related Questions
- LDAP - Retrieve a list of all attributes/values?
- LDAP query in PowerShell
- How can I read the Active Directory schema programmatically
- How can I lookup an Active Directory Class's "Schema-Id-Guid" and an Attribute's "System-Id-Guid" using PowerShell
- PowerShell Active Directory list all Multi-Valued attributes
- How to get All attributes from an Active Directory user in C#
- What is the proper way to get some specific user attributes from Active Directory via LDAP C API?
- Active Directory Attribute List Using c#
- Getting all possible LDAP Attributes of special object classes in AD using C#
- LDAP query operational attributes