7

I have a custom AD attribute added to my AD schema. The attribute's syntax is Unicode String. It is added to the user class and its purpose is to store the user ID of the corporate ERP system. The problem is that I can have two or more user objects with the same value stored in that attribute, which is something I would like to avoid. Is there a way to configure an AD attribute so it is unique within the domain boundary? (The same behavior as the sAMAccountName attribute.)

i.e.:

If there already exists a user object in AD with this attribute set to "JSmith" and I try to set that attribute to the same value for another user, Directory Services will refuse to update that object and give me an "already exists" error.

Domain functional level is Windows 2003.

Zilog
  • How is the attribute filled, do you fill it out, does a program fill it out? – Winter Faulk Nov 10 '12 at 23:22
  • It's filled by Service Desk personnel when they create the account – Zilog Nov 10 '12 at 23:23
  • Is it a string that could be generated by using something like a sha1 hash of the user name or email account? – Winter Faulk Nov 10 '12 at 23:25
  • It is just the user ID of the ERP system, a string from 3 to 10 characters. It has to match the user ID defined in the ERP system. – Zilog Nov 10 '12 at 23:28
  • Wouldn't the ERP system require each string to be unique, so you shouldn't ever be putting a duplicate string in? I'm asking all the questions because I don't think there is any way to make it check to see if the string is already in use other than using a script that checks first and then inputs the value if unique. – Winter Faulk Nov 10 '12 at 23:32
  • The ERP performs LDAP authentication (bind) against that attribute. (There are some reasons they cannot/don't want to use sAMAccountName; probably they would need to change users in the ERP as they don't match.) If the value of the attribute isn't unique, then authentication does not work. For the moment the service desk is running an LDAP query against AD every time they create an account to check whether it already exists or not. Not really convenient + still error prone – Zilog Nov 10 '12 at 23:42
  • Ahh, you're right, maybe a small app which will check and update it automatically ... good point :) – Zilog Nov 10 '12 at 23:44

1 Answer

5

AD doesn't have built-in functionality to allow schema extensions to have enforced uniqueness. Being a loosely convergent multi-master database makes this a Hard Problem(tm). There is functionality built in to check for duplication of some built-in schema attributes, but there are even situations when this can fail.

Your best hope is going to be to write something that periodically "grovels" through AD and alerts an Administrator to duplication (or initiates some kind of conflict resolution logic of your own).

Evan Anderson
  • Yup, I went through all the constraints in the MS-ADTS doc already with no joy. Hope dies last :)) Thx for the answer. – Zilog Nov 10 '12 at 23:53
  • PowerShell to the rescue! Instead of using whatever LDAP tool you are currently using, have a PowerShell script do it instead. It can check for duplicates before setting the AD attribute. – longneck Nov 11 '12 at 00:49
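The two approaches raised in this thread, a periodic duplicate audit (the answer) and a check-before-write script (longneck's comment), as one added PowerShell example. It is not code from the question or the answer; it assumes the RSAT ActiveDirectory module, that the custom attribute's LDAP display name is `erpUserId` (a placeholder, substitute your own), and that the caller has write access to the target user objects.

```powershell
# Added example, not from the original thread.
# Assumptions: ActiveDirectory module available; the custom attribute's LDAP
# display name is 'erpUserId' (placeholder); caller can write to user objects.
Import-Module ActiveDirectory

$AttributeName = 'erpUserId'   # hypothetical LDAP display name of the custom attribute

function ConvertTo-LdapFilterValue {
    # Escape the RFC 4515 special characters so a user-supplied value cannot
    # change the meaning of the LDAP search filter. Backslash must go first.
    param([string]$Text)
    $Text -replace '\\', '\5c' -replace '\*', '\2a' `
          -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

function Find-DuplicateErpIds {
    # Periodic audit: every attribute value that appears on more than one user.
    # Group-Object compares case-insensitively by default, which matches AD's
    # case-insensitive equality rule for Unicode String attributes.
    param(
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,
        [string]$Server     = (Get-ADDomain).PDCEmulator
    )
    Get-ADUser -LDAPFilter "($AttributeName=*)" -SearchBase $SearchBase `
               -Server $Server -Properties $AttributeName |
        Group-Object -Property $AttributeName |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [PSCustomObject]@{
                Value = $_.Name
                Count = $_.Count
                Users = ($_.Group | ForEach-Object { $_.SamAccountName }) -join ', '
            }
        }
}

function Set-ErpIdIfUnique {
    # Check-then-set: refuse the write if any *other* user already holds the value.
    # Check and write go to the same DC (PDC emulator by default) so the lookup
    # sees writes made moments earlier through this function; replication latency
    # still means the audit above is needed to catch writes made elsewhere.
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][ValidatePattern('^.{3,10}$')][string]$Value,  # 3-10 chars, per the question
        [string]$Server = (Get-ADDomain).PDCEmulator
    )
    $target      = Get-ADUser -Identity $Identity -Server $Server
    $filterValue = ConvertTo-LdapFilterValue -Text $Value
    $holders     = @(Get-ADUser -LDAPFilter "($AttributeName=$filterValue)" `
                                -Server $Server -Properties $AttributeName |
                     Where-Object { $_.DistinguishedName -ne $target.DistinguishedName })
    if ($holders.Count -gt 0) {
        $names = ($holders | ForEach-Object { $_.SamAccountName }) -join ', '
        throw "Value '$Value' already exists on: $names"
    }
    Set-ADUser -Identity $target -Server $Server -Replace @{ $AttributeName = $Value }
}

# Usage (constructed examples):
# Find-DuplicateErpIds | Format-Table -AutoSize
# Set-ErpIdIfUnique -Identity 'jsmith' -Value 'JSmith'
```

The AD cmdlets talk to Active Directory Web Services, so with a Windows 2003 domain you either point `-Server` at a 2008 R2 or newer DC or install the Active Directory Management Gateway Service on the 2003 DCs. Pinning check and write to one DC narrows the window in which two help-desk operators can both pass the check, but it does not close it, which is why the scheduled audit stays in the picture.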