Saturday, November 10, 2007

Adding attributes to the Exchange details templates (revisited)

I am updating this post. Microsoft Escalation Engineer Dave Goldman has posted some suggestions on his blog about this topic and emphasizes that the types of changes I am telling you about here are NOT within the boundaries of Microsoft's support obligations.
_________
On a number of occasions, I have had to add to and modify the Exchange details templates, either to change attribute names or to change their label names in the template. Any Exchange administrator with Exchange Admins rights to the Exchange organization can modify these templates. I discussed modifying these templates in Exchange Server 2003 24seven.

However, sometimes when you need to add new "Edit" fields to the template, not all Active Directory attributes are available when you list the available attributes. Microsoft Knowledge Base article 313962 "How to modify Exchange 2000 or Exchange 2003 details templates" shows how to customize the msExchCustomAttributes object so that additional attributes will show up when you edit the details templates.

In article 313962, step 7 shows the following text:

Note For the attributes to appear correctly in the details templates, you must add attributes that have an associated MAPI identifier (ID). To verify that an Active Directory attribute has an associated MAPI ID, you can use the ADSI Edit utility to view the optional mAPIID property for an attribute.

But, the article does not tell you what to do if the object does not have a mAPIID property. I have a client that has done extensive attribute customization to their Active Directory and they wanted to have an additional property page show up on the User details template with their attributes.

The mAPIID property must be edited with the ADSIEDIT console, not the Active Directory Schema console.



But if you pick an attribute that you have extended into the Active Directory and try to give it a mAPIID, you may get an error telling you: "The attribute cannot be modified because it is owned by the system."

I had to spend some time on the phone with both Exchange and Active Directory PSS engineers, but we finally figured out how to modify the mAPIID property of new attributes added to the Active Directory. This requires the use of LDP.EXE in addition to ADSIEDIT.MSC.





  1. Login as a member of Schema Admins (preferably on the Schema Master FSMO)
  2. Launch LDP.EXE
  3. Connect to the Schema Master FSMO using LDP.EXE
  4. Bind to the Schema Master using an account with Schema Admin permissions.
  5. From the Browse menu, choose Modify
  6. In the Modify dialog box, leave the DN field blank, and type schemaUpgradeInProgress in the Attribute field. In the Value field, enter the number 1. Click the Enter button, then click the Run button.
  7. Close the Modify dialog box.
  8. Launch ADSIEDIT.MSC and modify the mAPIID values for the necessary attributes. (You may need to wait for the Active Directory to replicate.)
  9. Run LDP again, and change the value of schemaUpgradeInProgress from 1 to 0.
  10. From the Active Directory Schema console, right click on the console and choose "Reload the Schema"

I know you are probably saying, "Okay, I have got these new attributes I have extended; what value should I use for the mAPIID?" I have been unable to find any guidance (but I still have a few queries out about this), so I have just been using unique numbers above 50000 in hopes of avoiding a conflict with an existing attribute.
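
Since the values above 50000 are chosen "in hopes of avoiding a conflict", a planned set of values can be tested against the mAPIIDs already in the schema before anything is changed. The check below is an added example, not part of the original post: the function name `Test-MapiIdPlan` and the sample attribute names and IDs are hypothetical and constructed, and the commented query assumes the ActiveDirectory PowerShell module.

```powershell
# Added example. Function name, attribute names and IDs are hypothetical/constructed.
# Read-only query to build $existing from a live forest (ActiveDirectory module):
#   $existing = Get-ADObject -SearchBase (Get-ADRootDSE).schemaNamingContext `
#       -Server (Get-ADForest).SchemaMaster -Properties lDAPDisplayName, mAPIID `
#       -LDAPFilter '(&(objectClass=attributeSchema)(mAPIID=*))'

function Test-MapiIdPlan {
    param(
        [Parameter(Mandatory)] [object[]]  $Existing,  # objects with lDAPDisplayName, mAPIID
        [Parameter(Mandatory)] [hashtable] $Plan,      # lDAPDisplayName -> proposed mAPIID
        [int] $Floor = 50000                           # the post's "above 50000" convention
    )
    # Index what the schema already holds: ID -> names, and name -> ID.
    $byId = @{}; $byName = @{}
    foreach ($attr in $Existing) {
        $id = [int]$attr.mAPIID
        if (-not $byId.ContainsKey($id)) { $byId[$id] = @() }
        $byId[$id] += $attr.lDAPDisplayName
        $byName[$attr.lDAPDisplayName] = $id
    }
    # Count how often each proposed ID appears inside the plan itself.
    $planCount = @{}
    foreach ($v in $Plan.Values) { $planCount[[int]$v] = 1 + [int]$planCount[[int]$v] }

    foreach ($name in ($Plan.Keys | Sort-Object)) {
        $id = [int]$Plan[$name]
        # Other attributes that already own this ID (the attribute itself does not count).
        $holders = @()
        if ($byId.ContainsKey($id)) { $holders = @($byId[$id] | Where-Object { $_ -ne $name }) }

        $status = if ($holders.Count -gt 0) { "CONFLICT: already used by $($holders -join ', ')" }
            elseif ($planCount[$id] -gt 1) { 'CONFLICT: proposed for more than one attribute' }
            elseif ($byName.ContainsKey($name) -and $byName[$name] -ne $id) {
                "REVIEW: attribute already has mAPIID $($byName[$name])" }
            elseif ($id -le $Floor) { "REVIEW: not above $Floor" }
            else { 'OK' }

        [pscustomobject]@{ Attribute = $name; mAPIID = $id; Status = $status }
    }
}

# Constructed sample data: these are not real schema values.
$existing = @(
    [pscustomobject]@{ lDAPDisplayName = 'example-badgeNumber'; mAPIID = 50001 }
    [pscustomobject]@{ lDAPDisplayName = 'example-building';    mAPIID = 50002 }
)
$plan = @{
    'example-costCenter' = 50002   # collides with example-building
    'example-floor'      = 50010   # unused
    'example-shift'      = 50011   # proposed twice within the plan
    'example-team'       = 50011
}
Test-MapiIdPlan -Existing $existing -Plan $plan | Format-Table -AutoSize
```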

As always, take EXTREME care when modifying the schema. Many changes to the schema cannot be un-done!!!!

13 Comments:

At 12:56 PM, Blogger Dennis Nagel said...

You have no idea how righteously helpful that little set of instructions is to me!!! ... then again, I suppose you do... Many Thanks!

 
At 11:13 PM, Blogger Unknown said...

Do you know how you can get an Active Directory attribute that is of type string(Octet)? I want to get the attribute thumbnailphoto to be displayed in the user property of a user. But all attributes in AD that are of the type string(Octet) cannot be chosen in details templates even if you add a mapiid. Any suggestions?

 
At 10:36 PM, Blogger Dennis Nagel said...

I thought this might be a useful source of information... one in which I used your post to aid me in my quest to marry AD and DB2 using CF6. I have more somewhere if I can find it or there's interest.

Active Directory Preparation and Setup Process for JDE-AD-Sync
==============================================================================

1. Prepare an MMC console... the following snap-ins are required:
Active Directory Users and Computers
Exchange Server Manager
ADSI Edit
Domain NC
Configuration (for use in a later extension to this project if approved)
Schema

If necessary:
Adsiedit.msc is a snap-in that runs in the Microsoft Management Console (MMC).

You can add the snap-in to any .msc file through Add/Remove Snap-in menu
option in MMC or just open the Adsiedit.msc file from Windows Explorer.
The Adsiedit.msc will not run unless the adsiedit.dll is registered. This will happen automatically if support tools are installed. However, if the support tool files are copied instead of installed, then you must run the regsvr32 command on the adsiedit.dll before running the adsiedit.msc snap-in.
Adsiedit.msc (the MMC snap-in for ADSI Edit) automatically attempts to load
the current domain to which the user is logged on. If the computer is
installed in a work group or otherwise not logged onto a domain, the message
"The specified domain does not exist" displays repeatedly.
To avoid problems in this situation, open Mmc.exe, add the ADSI Edit snap-in
manually, make any connections that are appropriate for you with whatever
credentials are necessary, and then save the console file. This gives you
your own default console that works with ADSI Edit.
Active Directory Schema

If necessary:
Register the Schmmgmt.dll file to make the Active Directory Schema snap-in
available.
a. Click Start, and then click Run.
b. In the Open box, type regsvr32 schmmgmt.dll, and then click OK.

Note The Schmmgmt.dll file has been successfully registered when you receive
the following message:
"DllRegisterServer in schmmgmt.dll succeeded"

If you are running the Active Directory Schema snap-in on a Microsoft Windows
2000-based domain controller, follow these steps.

Note You do not have to follow this step if you are using a Windows Server 2003-
based domain controller.
a. Right-click Active Directory Schema, and then click Operations Master.
b. Click to select the The Schema may be modified on this Domain Controller
check box, and then click OK.

2. Change the number of returned records from 1000 to 20,000

THIS MAY HAVE BEEN DONE ALREADY !!!

AD implements a default LDAP Query Policy that includes a MaxPageSize of
1000 records. To change this, start a cmd prompt and type NTDSUTIL (at any
ntdsutil prompt type ? for help)

type LDAP POLICIES
type CONNECTION
type CONNECT TO DOMAIN XXXXXX (where XXXXXX is your AD LDAP Domain Name)
type QUIT
type SHOW VALUES (and note the MaxPageSize value of 1000)
type SET MaxPageSize TO YYYY
(where YYYY is the number of records you want returned per page. I suggest we do 20000)
type SHOW VALUES (and note the new value)
type COMMIT CHANGES (to write the change.)
type QUIT
type QUIT


3. Add the new Attributes:
Open the Active Directory Schema snap-in.
Right click on Attributes and choose
New --> Attribute
Click Continue

These are the new attributes we need to add to the system...

Common Name granite-manager
LDAP Display Name granite-manager
Unique X500 Object ID 1.2.840.113556.1.4.7000.233.28688.28684.8.217090.345016.898473.743238.1
Description Identifies the direct manager of this employee
Syntax: Case Insensitive String

Repeat the process for the remaining attributes:

Common Name granite-regionName
LDAP Display Name granite-regionName
Unique X500 Object ID 1.2.840.113556.1.4.7000.233.28688.28684.8.217090.345016.898473.743238.2
Description Identifies the region that this employee is assigned to
Syntax: Case Insensitive String

Common Name granite-areaName
LDAP Display Name granite-areaName
Unique X500 Object ID 1.2.840.113556.1.4.7000.233.28688.28684.8.217090.345016.898473.743238.3
Description Identifies the area that this employee is assigned to
Syntax: Case Insensitive String

Right click on "Active Directory Schema [Server Name]" and choose "Reload the Schema"

Open ADSI Edit and right click on Domain NC and choose "Update Schema Now"... click OK.

Note: we are waiting on IANA (Internet Assigned Numbers Authority) to process a request
for our own private name space range for the Unique X500 Object ID. It takes up to 30
days for them to respond with our assignment. If we do not receive it before we create
these attributes, then we will use the generated numbers above which reside inside of the
Microsoft owned public range.

The OIDGEN Utility can be obtained from the Network Management cab in the W2K resource
kit. This utility will generate two sets of OIDs that can be used for our purposes if
you are more comfortable with grabbing a new set of numbers off of your own DC.

4. Prepare the attributes for use with Exchange:
Expand Active Directory Schema, and then expand the Classes folder.
Right-click the msExchCustomAttributes object, and then click Properties.
Click the Attributes tab, and then click Add.
In the "Select a schema object" dialog box,

Click the "employeeNumber" attribute, and then Click OK.

Click Add again and repeat the process with the following attributes:
granite-areaName
granite-regionName
granite-manager
division
departmentNumber

The next step involves modifying a system owned property of these attributes...
...And in order to accomplish this we need to tell Active Directory that we are allowed
to modify System owned objects... This process will temporarily expose Active directory
to a higher than normal privilege level. Please be careful, you will have the rights to
do things that are not normally possible.

Launch LDP.EXE from the Start --> Run box...
Click Connection -->Connect and type in the name of the (Schema Master FSMO) AD Server,
Click OK.
Click Connection -->Bind... and provide your User/pass/domain combination (remember must
be an account with Schema Admin permissions.)
Click Browse --> Modify
In the Modify dialog box, leave the DN field blank.
Type schemaUpgradeInProgress in the Attribute field.
Type 1 In the Value field.
Click the "Enter" button (not the Enter Key on the keyboard)
Then click the Run button.
Close the Modify dialog box.

Leaving the Modify Window Open, go back to your MMC console and open ADSI Edit.
Right Click the words ADSI Edit and choose Refresh.
click through to the Schema and click on the folder underneath. (CN=Schema, cn=...)
Locate the four attributes that I list below : (i.e. CN=granite-manager ...etc...)

(You may need to wait for the Active Directory to replicate after this process.)

We'll be altering the mAPIID for these values which correctly enables them for use with
Exchange.
Attribute            mAPIID
-------------------  ------
granite-manager      61440
granite-areaName     61441
granite-regionName   61442
division             61443
departmentNumber     61444

Go back to the LDP "Modify" window, click on the only item in the "Entry List", and click
Remove.
Change the Values: textbox to 0 and Click "Enter" button, then click Run.
Click Close
Click Connection --> Disconnect, and then close LDP.

From the Active Directory Schema console, right click on the console and choose "Reload
the Schema"

5. Now we will modify the Exchange details template for Users to provide visibility to the
additional (new) fields in the properties page of the address book entry for all the
granite Users...

1. Locate the Exchange System Manager console inside your MMC window.
2. Expand the Recipients container.
3. Expand the Details Templates container, and then click English.
4. In the right pane, right-click User, and then click Properties.
5. Click the Templates tab to load the schema.
6. After the schema loads, the current details template properties appear.

To display the current form, click Test.

We're going to add a new tab as well as labels and Edit boxes... This process will
duplicate information found on other tabs so that it is easier to locate the information
from one place.

Scroll to the bottom of the list
Click the last item, click Add... Choose Page Break, and in the "Text" box, type in
"Granite"

Scroll to the bottom of the list
Click the 2nd to last item (our new one) and choose Move Down from the right side.

*** Repeat ***

Scroll to the bottom of the list
Click the last item, click Add... Choose Label, you'll see a list of values now
required...
X 6
Y 4
Width 359
Height 8
Text Employee Number
After entering the values Click OK.

Scroll to the bottom of the list
Click the 2nd to last item (our new one) and choose Move Down from the right side.

Scroll to the bottom of the list
Click the last item, click Add... Choose Edit, you'll see a list of values now
required...
X 6
Y 4
Width 359
Height 8
Field Employee-Number
Length 512
After entering the values Click OK.

Scroll to the bottom of the list
Click the 2nd to last item (our new one) and choose Move Down from the right side.

*** /Repeat ***

Here's the list of values that we'll need to cycle through using that process:

X     Y     Width  Height  Text/Field            Length
----- ----- -----  ------  --------------------  ------
6     4     58     8       Employee Number
6     14    58     12      Employee-Number       512

80    4     280    8       Manager
80    14    280    12      granite-manager       512

6     28    354    8       Region
6     38    354    12      granite-regionName    512

6     52    354    8       Division
6     62    354    12      division              256

6     76    354    8       Company
6     86    354    12      company               64

6     100   354    8       Area
6     110   354    12      granite-areaName      512

6     124   58     8       Dept/Proj Number
6     134   58     12      departmentNumber      (This needs to be a multivalue ListBox, not an Edit Box)

80    124   280    8       Department/Project
80    134   280    12      department            64

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

BONUS:
To add the Employee number to the search dialog, use these values.

183   90    70     8       Employee Number
254   90    100    12      Employee-Number       512



Click the Test button when this process is complete and it will show you what the form
will look like when it is displayed to the employees in the Outlook address book user
properties page.


Close the MMC window... saving it in an appropriate location for use in the future if
necessary.

 
At 3:47 AM, Anonymous Anonymous said...

your post is helpful and informative

 
At 12:14 PM, Anonymous Anonymous said...

I am grateful to you for this great content.

 
At 5:53 PM, Blogger sky said...

I have tried the method of setting the schemaUpgradeInProgress attribute to 1 before modifying the schema. It works well in all our NON PROD environments.

However, when we moved to perform the same in PROD, in spite of updating the attribute on the schema master, we are still getting the error "The attribute cannot be modified because it is owned by the system" on updating the schema.
Can you please advise what can be the reason for the problem?

 
At 1:30 AM, Blogger paulin said...

Your HELP Needed :

I have added one attribute (EmpBdate - Employee Birthdate) using the article. It is also showing me in AD Schema as well as in Exchange User Templates. But not able to update data in the field. Is there any way to update the same using script?

In Schema Config. the new added attribute is shown as # CN=EmpBdate,CN=Schema,CN=Configuration,DC=ABC,DC=Local.

Waiting for your reply. Thanks in ADVANCE.

*************************

 
At 1:31 AM, Blogger paulin said...

hello

 