Identify writeable AD attributes with PowerShell

You should be able to easily retrieve the list of writeable attributes by reading the constructed attribute allowedAttributesEffective (http://msdn.microsoft.com/en-us/library/ms675218(v=vs.85).aspx).

{codecitation style="brush: PowerShell"}
# Bind to the object and ask the DC to compute the constructed attribute
$ADObject = New-Object System.DirectoryServices.DirectoryEntry("LDAP://CN=alexandre augagneur,CN=Users,DC=corpnet,DC=net")
$ADObject.RefreshCache("allowedAttributesEffective")
$ADObject.Properties.allowedAttributesEffective
{/codecitation}

However, the constructed attribute also returns some attributes which can't actually be changed, so we have to do something more.

The best way I found is to retrieve all attributes which are protected by the system, i.e. whose schema entry has systemOnly set to TRUE (http://msdn.microsoft.com/en-us/library/ms680025(v=vs.85).aspx). When that's done, I'm just removing each of them from the list of allowed attributes returned by the constructed attribute allowedAttributesEffective.

{codecitation style="brush: PowerShell"}
$SystemOnlyAttributes = @()
$TrulyAllowedAttributes = @()

# Get the desired object based on its distinguishedName
$ADObject = New-Object System.DirectoryServices.DirectoryEntry("LDAP://CN=alexandre augagneur,CN=Users,DC=corpnet,DC=net")

# Retrieve the constructed attribute 'allowedAttributesEffective'
$ADObject.RefreshCache("allowedAttributesEffective")

# Store the list of allowed attributes in a variable
$allowedAttributesEffective = $ADObject.Properties.allowedAttributesEffective

# Retrieve the list of attributes in the schema which are protected (systemOnly=TRUE)
$ObjRootDSE = [ADSI]"LDAP://RootDSE"
$ADSearcher = New-Object System.DirectoryServices.DirectorySearcher
$ADSearcher.SearchRoot = [ADSI]"LDAP://$($ObjRootDSE.schemaNamingContext)"
$ADSearcher.PageSize = 1000   # page the results so the server-side size limit does not truncate the list
$ADSearcher.PropertiesToLoad.AddRange(@("ldapdisplayname", "systemonly"))
$ADSearcher.Filter = "(systemonly=TRUE)"
$ADSearcher.FindAll() | ForEach-Object { $SystemOnlyAttributes += [string]$_.Properties['ldapdisplayname'][0] }

# Compare the list of allowed attributes returned by the constructed attribute
# with the list of protected attributes collected in the schema
# (-notcontains is case-insensitive, which matches LDAP display name semantics)
foreach ($Attribute in $allowedAttributesEffective)
{
    if ($SystemOnlyAttributes -notcontains $Attribute)
    {
        $TrulyAllowedAttributes += $Attribute
    }
}

# The most accurate list of writeable attributes
$TrulyAllowedAttributes
{/codecitation}
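The same technique wrapped in a reusable function, as an added example that is not part of the original post. It accepts several distinguished names, builds the systemOnly exclusion list only once, and can bind as another account, which matters for access reviews because allowedAttributesEffective is computed for the identity that binds, not for the object. The DNs and the account name are hypothetical.

```powershell
# Added example: audit which attributes a given account can really write on a set of objects.
# Not the original post's code. DNs and account names below are placeholders.
function Get-WritableAdAttribute {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [string[]]$DistinguishedName,
        # Optional: evaluate the effective rights as this account instead of the current user
        [System.Management.Automation.PSCredential]$Credential
    )
    begin {
        # Build the systemOnly exclusion list once, restricted to attributeSchema objects
        $rootDse  = [ADSI]"LDAP://RootDSE"
        $searcher = New-Object System.DirectoryServices.DirectorySearcher
        $searcher.SearchRoot = [ADSI]"LDAP://$($rootDse.schemaNamingContext)"
        $searcher.Filter     = "(&(objectCategory=attributeSchema)(systemOnly=TRUE))"
        $searcher.PageSize   = 1000   # avoid truncation by the server size limit
        [void]$searcher.PropertiesToLoad.Add("ldapdisplayname")
        $systemOnly = New-Object -TypeName 'System.Collections.Generic.HashSet[string]' `
                                 -ArgumentList ([StringComparer]::OrdinalIgnoreCase)
        foreach ($r in $searcher.FindAll()) {
            [void]$systemOnly.Add([string]$r.Properties['ldapdisplayname'][0])
        }
        $evaluatedAs = if ($Credential) { $Credential.UserName }
                       else { [System.Security.Principal.WindowsIdentity]::GetCurrent().Name }
    }
    process {
        foreach ($dn in $DistinguishedName) {
            if ($Credential) {
                # Bind as the account under review so the DC computes its effective rights
                $entry = New-Object System.DirectoryServices.DirectoryEntry(
                    "LDAP://$dn", $Credential.UserName, $Credential.GetNetworkCredential().Password)
            } else {
                $entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$dn")
            }
            $entry.RefreshCache(@("allowedAttributesEffective"))
            # Empty when the bound identity has no write access at all on the object
            $writable = @($entry.Properties['allowedAttributesEffective'] |
                          Where-Object { -not $systemOnly.Contains($_) } | Sort-Object)
            [pscustomobject]@{
                DistinguishedName  = $dn
                EvaluatedAs        = $evaluatedAs
                WritableCount      = $writable.Count
                WritableAttributes = $writable
            }
        }
    }
}

# Usage (placeholder account and DN): review what a delegated helpdesk account can write
# $cred = Get-Credential 'CORPNET\helpdesk-svc'
# 'CN=alexandre augagneur,CN=Users,DC=corpnet,DC=net' | Get-WritableAdAttribute -Credential $cred
```

Run it without -Credential to see your own effective rights, or with the credentials of a delegated account to confirm that an ACL delegation grants only the attributes it was meant to.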

If you have a better way, you are welcome!