How do I find what attributes are in use, in Active Directory?

This seems completely unnecessary – surely you already know what attributes you already use for your Active Directory objects, right?

Well, not always. And why is it even important to know?

When working in large Active Directory environments, architecture and governance are often after-thoughts – and many of the largest Active Directory environments I’ve worked on suffer from this problem; which leads to  a lack of formalised processes and documentation.

When you finally get around to writing that documentation,  you will invariably need to answer questions like “when we create an object in AD, what attributes are mandetory and which are optional?”

So, here’s how I have reverse-engineered the in-use attributes, in order to write the governance around the creation of various object types (users vs computers vs groups etc).

The script below is for user accounts, and can be easily modified to check computer objects, groups and more.

Note: this is a pretty resource intensive script (pulling all attributes) and may take a long time if you have a very large number of objects.


Running the above script (on a very small scale) shows the attribute count, below, for 143 users.

As you can see, 143 out of 143 accounts have a whenCreated attribute set (obviously).  But also, the three attributes highlighted stand out to me as “widely used” and worth documenting and standardising:


Leave a Reply

Your email address will not be published. Required fields are marked *