This week I attended “Designing and Planning AD Schema Extensions”, a session given by Brian Desmond at TEC Europe. During the session someone in the audience remarked that, besides the “physicalDeliveryOffice” and “drink” attributes, extensionAttribute1-15 are also often used to store company data. These extensionAttributes are in fact added by a schema extension from Exchange. They are there to use, but some Exchange actions do affect the content of these attributes!
Below are some screenshots of the timestamps, which show which attributes were touched after a certain action. For the first one I created a new user and, using ADUC, set a value for each extensionAttribute. The user was created at 15:52; the attributes were set at 15:55.
After using the Exchange 2010 Management Tools to create a mailbox for this user, the timestamps look like the screenshot below. You can see that a lot of attributes were added at 15:58, but the extensionAttributes weren’t touched. So no problems so far.
After disabling the mailbox using the Exchange 2010 Management Tools, things look different: besides the expected Exchange-related attributes, all of the extensionAttributes were also touched at the exact same time, 16:01. In fact, using ADUC you can verify that all extensionAttributes are empty.
This doesn’t have to be a problem, as long as you take it into account. Perhaps if you have FIM in your environment, things get automagically corrected afterwards. Perhaps emptying the attributes is part of your deprovisioning process anyhow. But on the other hand, this might also explain why some users have lost the content of these attributes. Besides the impact of Exchange, using the extensionAttributes is tricky anyway: you never know which third-party application is going to store its data there. As Brian said during his session, don’t be afraid to extend the schema, just think it through and plan it thoroughly.
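
The timestamp comparison described above can be scripted. The following is an added example, not part of the original post: it flags extensionAttributes whose last change coincides with a change to Exchange mailbox attributes on the same object. The function name, the choice of `homeMDB` and `mailNickname` as marker attributes, the five-second window, and the sample rows (including the date and version numbers) are assumptions made for illustration.

```powershell
# Added example: find extensionAttributes last changed together with Exchange attributes.
function Find-ExtAttrTouchedWithExchange {
    param(
        # Rows with AttributeName, LastOriginatingChangeTime and Version properties
        [Parameter(Mandatory)] [object[]] $Metadata,
        # Assumption: attributes treated as markers of a mailbox enable/disable
        [string[]] $MarkerAttributes = @('homeMDB', 'mailNickname'),
        # Assumption: changes within this window count as the same operation
        [int] $WindowSeconds = 5
    )
    $markers = @($Metadata | Where-Object { $MarkerAttributes -contains $_.AttributeName })
    $ext = @($Metadata | Where-Object { $_.AttributeName -match '^extensionAttribute([1-9]|1[0-5])$' })
    foreach ($e in $ext) {
        # First marker attribute changed within the window around this extensionAttribute
        $hit = $markers | Where-Object {
            $delta = $_.LastOriginatingChangeTime - $e.LastOriginatingChangeTime
            [math]::Abs($delta.TotalSeconds) -le $WindowSeconds
        } | Select-Object -First 1
        if ($hit) {
            [pscustomobject]@{
                Attribute   = $e.AttributeName
                ChangedAt   = $e.LastOriginatingChangeTime
                Version     = $e.Version
                ChangedWith = $hit.AttributeName
            }
        }
    }
}

# Constructed sample following the post's timeline (date and versions are made up):
# user created 15:52, mailbox disabled 16:01.
$day = Get-Date '2011-01-01'
$created  = $day.AddHours(15).AddMinutes(52)
$disabled = $day.AddHours(16).AddMinutes(1)
$sample = @(
    [pscustomobject]@{ AttributeName = 'displayName';         LastOriginatingChangeTime = $created;  Version = 1 }
    [pscustomobject]@{ AttributeName = 'homeMDB';             LastOriginatingChangeTime = $disabled; Version = 2 }
    [pscustomobject]@{ AttributeName = 'mailNickname';        LastOriginatingChangeTime = $disabled; Version = 2 }
    [pscustomobject]@{ AttributeName = 'extensionAttribute1'; LastOriginatingChangeTime = $disabled; Version = 2 }
    [pscustomobject]@{ AttributeName = 'extensionAttribute2'; LastOriginatingChangeTime = $disabled; Version = 2 }
)
Find-ExtAttrTouchedWithExchange -Metadata $sample | Format-Table

# Live directory (ActiveDirectory module; 'jdoe' and the DC name are placeholders):
# $meta = Get-ADReplicationAttributeMetadata -Object (Get-ADUser jdoe) -Server dc01.example.com
# Find-ExtAttrTouchedWithExchange -Metadata $meta
```

A hit only shows that the attribute changed in the same operation as the mailbox attributes; confirm with ADUC or `Get-ADUser -Properties` whether the value is actually empty.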