#PSTip List all Active Directory constructed attributes
Active Directory has a special kind of attribute called a constructed attribute. Constructed attributes are not “real” attributes: they are not stored in the directory. Instead, their values are calculated by a domain controller from normal attributes (for read) and/or have effects on the values of normal attributes (for write). For example, a user object has constructed attributes such as canonicalName and distinguishedName.
The following LDAP filter queries the Active Directory schema with a bitwise matching rule so that only objects with a particular bit set are returned. 1.2.840.113556.1.4.803 is the LDAP_MATCHING_RULE_BIT_AND rule. It is true only if all bits of the comparison value are set in the attribute, which makes it behave like the bitwise AND operator (1.2.840.113556.1.4.804 is the LDAP_MATCHING_RULE_BIT_OR rule).
Using the bitwise AND rule, we can determine whether an attribute has the FLAG_ATTR_IS_CONSTRUCTED bit set. The value of FLAG_ATTR_IS_CONSTRUCTED is 4. We check that the objectClass is attributeSchema and that the attribute's systemFlags match the FLAG_ATTR_IS_CONSTRUCTED value.
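# systemFlags bit that marks a schema attribute as constructed
$FLAG_ATTR_IS_CONSTRUCTED = 4
# Bitwise AND matching rule on systemFlags, limited to attributeSchema objects
$filter = "(&(systemFlags:1.2.840.113556.1.4.803:=$FLAG_ATTR_IS_CONSTRUCTED)(ObjectClass=attributeSchema))"
# Search the schema naming context of the current forest
Get-ADObject -SearchBase (Get-ADRootDSE).SchemaNamingContext -LDAPFilter $filter |
    Select-Object Name,DistinguishedName | Sort-Object Name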
Name                                     DistinguishedName
----                                     -----------------
Allowed-Attributes                       CN=Allowed-Attributes,CN=Schema,CN=Configuration,DC=doma...
Allowed-Attributes-Effective             CN=Allowed-Attributes-Effective,CN=Schema,CN=Configurati...
Allowed-Child-Classes                    CN=Allowed-Child-Classes,CN=Schema,CN=Configuration,DC=d...
Allowed-Child-Classes-Effective          CN=Allowed-Child-Classes-Effective,CN=Schema,CN=Configur...
ANR                                      CN=ANR,CN=Schema,CN=Configuration,DC=domain,DC=com
Attribute-Types                          CN=Attribute-Types,CN=Schema,CN=Configuration,DC=domain,...
Canonical-Name                           CN=Canonical-Name,CN=Schema,CN=Configuration,DC=domain,D...
Create-Time-Stamp                        CN=Create-Time-Stamp,CN=Schema,CN=Configuration,DC=domai...
DIT-Content-Rules                        CN=DIT-Content-Rules,CN=Schema,CN=Configuration,DC=domai...
Entry-TTL                                CN=Entry-TTL,CN=Schema,CN=Configuration,DC=domain,DC=com
Extended-Attribute-Info                  CN=Extended-Attribute-Info,CN=Schema,CN=Configuration,DC...
Extended-Class-Info                      CN=Extended-Class-Info,CN=Schema,CN=Configuration,DC=dom...
From-Entry                               CN=From-Entry,CN=Schema,CN=Configuration,DC=domain,DC=com
Modify-Time-Stamp                        CN=Modify-Time-Stamp,CN=Schema,CN=Configuration,DC=domai...
ms-DS-Approx-Immed-Subordinates          CN=ms-DS-Approx-Immed-Subordinates,CN=Schema,CN=Configur...
ms-DS-Auxiliary-Classes                  CN=ms-DS-Auxiliary-Classes,CN=Schema,CN=Configuration,DC...
ms-DS-isGC                               CN=ms-DS-isGC,CN=Schema,CN=Configuration,DC=domain,DC=com
ms-DS-isRODC                             CN=ms-DS-isRODC,CN=Schema,CN=Configuration,DC=domain,DC=com
ms-DS-Is-User-Cachable-At-Rodc           CN=ms-DS-Is-User-Cachable-At-Rodc,CN=Schema,CN=Configura...
ms-DS-KeyVersionNumber                   CN=ms-DS-KeyVersionNumber,CN=Schema,CN=Configuration,DC=...
ms-DS-Local-Effective-Deletion-Time      CN=ms-DS-Local-Effective-Deletion-Time,CN=Schema,CN=Conf...
ms-DS-Local-Effective-Recycle-Time       CN=ms-DS-Local-Effective-Recycle-Time,CN=Schema,CN=Confi...
ms-DS-NC-Repl-Cursors                    CN=ms-DS-NC-Repl-Cursors,CN=Schema,CN=Configuration,DC=d...
ms-DS-NC-Repl-Inbound-Neighbors          CN=ms-DS-NC-Repl-Inbound-Neighbors,CN=Schema,CN=Configur...
ms-DS-NC-Repl-Outbound-Neighbors         CN=ms-DS-NC-Repl-Outbound-Neighbors,CN=Schema,CN=Configu...
ms-DS-Principal-Name                     CN=ms-DS-Principal-Name,CN=Schema,CN=Configuration,DC=do...
ms-DS-Quota-Effective                    CN=ms-DS-Quota-Effective,CN=Schema,CN=Configuration,DC=d...
ms-DS-Quota-Used                         CN=ms-DS-Quota-Used,CN=Schema,CN=Configuration,DC=domain...
ms-DS-Repl-Attribute-Meta-Data           CN=ms-DS-Repl-Attribute-Meta-Data,CN=Schema,CN=Configura...
ms-DS-Repl-Value-Meta-Data               CN=ms-DS-Repl-Value-Meta-Data,CN=Schema,CN=Configuration...
ms-DS-Resultant-PSO                      CN=ms-DS-Resultant-PSO,CN=Schema,CN=Configuration,DC=dom...
ms-DS-Revealed-List                      CN=ms-DS-Revealed-List,CN=Schema,CN=Configuration,DC=dom...
ms-DS-Revealed-List-BL                   CN=ms-DS-Revealed-List-BL,CN=Schema,CN=Configuration,DC=...
ms-DS-SiteName                           CN=ms-DS-SiteName,CN=Schema,CN=Configuration,DC=domain,D...
ms-DS-Top-Quota-Usage                    CN=ms-DS-Top-Quota-Usage,CN=Schema,CN=Configuration,DC=d...
ms-DS-User-Account-Control-Computed      CN=ms-DS-User-Account-Control-Computed,CN=Schema,CN=Conf...
ms-DS-User-Password-Expiry-Time-Computed CN=ms-DS-User-Password-Expiry-Time-Computed,CN=Schema,CN...
Object-Classes                           CN=Object-Classes,CN=Schema,CN=Configuration,DC=domain,D...
Parent-GUID                              CN=Parent-GUID,CN=Schema,CN=Configuration,DC=domain,DC=com
Possible-Inferiors                       CN=Possible-Inferiors,CN=Schema,CN=Configuration,DC=doma...
Primary-Group-Token                      CN=Primary-Group-Token,CN=Schema,CN=Configuration,DC=dom...
SD-Rights-Effective                      CN=SD-Rights-Effective,CN=Schema,CN=Configuration,DC=dom...
Structural-Object-Class                  CN=Structural-Object-Class,CN=Schema,CN=Configuration,DC...
SubSchemaSubEntry                        CN=SubSchemaSubEntry,CN=Schema,CN=Configuration,DC=domai...
Token-Groups                             CN=Token-Groups,CN=Schema,CN=Configuration,DC=domain,DC=com
Token-Groups-Global-And-Universal        CN=Token-Groups-Global-And-Universal,CN=Schema,CN=Config...
Token-Groups-No-GC-Acceptable            CN=Token-Groups-No-GC-Acceptable,CN=Schema,CN=Configurat...
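The two matching rules give the same answer for a single-bit value such as 4, but diverge once the comparison value has several bits set. The following added example (not part of the original tip) evaluates both rules locally, without a domain controller, and builds the corresponding filter strings; the flag names follow the attributeSchema systemFlags bits documented in MS-ADTS, and the helper functions and sample entries are hypothetical.

```powershell
# Added example, not from the original tip. Flag names follow the attributeSchema
# systemFlags bits documented in MS-ADTS; the sample entries below are constructed.
[Flags()] enum AttrSystemFlags {
    NotReplicated       = 0x01
    ReqPartialSetMember = 0x02
    IsConstructed       = 0x04
    IsOperational       = 0x08
    SchemaBaseObject    = 0x10
    IsRdn               = 0x20
}

# Local stand-in for the server-side evaluation of the two bitwise matching rules.
function Test-LdapBitRule {
    param([int]$Value, [int]$Mask, [string]$RuleOid)
    switch ($RuleOid) {
        '1.2.840.113556.1.4.803' { return ($Value -band $Mask) -eq $Mask }  # BIT_AND: all mask bits set
        '1.2.840.113556.1.4.804' { return ($Value -band $Mask) -ne 0 }      # BIT_OR: any mask bit set
        default                  { throw "Unsupported matching rule: $RuleOid" }
    }
}

# Build the schema filter; ${RuleOid} needs braces because a colon follows the variable.
function New-SystemFlagsFilter {
    param([int]$Mask, [string]$RuleOid)
    "(&(objectClass=attributeSchema)(systemFlags:${RuleOid}:=$Mask))"
}

# Constructed sample data: hypothetical schema entries and systemFlags values.
$sample = @(
    [pscustomobject]@{ Name = 'Sample-Plain';       SystemFlags = 16 }
    [pscustomobject]@{ Name = 'Sample-Constructed'; SystemFlags = 20 }
    [pscustomobject]@{ Name = 'Sample-Operational'; SystemFlags = 24 }
    [pscustomobject]@{ Name = 'Sample-Both';        SystemFlags = 28 }
)

# Multi-bit comparison value: constructed and operational together.
$mask = [int][AttrSystemFlags]'IsConstructed, IsOperational'

New-SystemFlagsFilter -Mask $mask -RuleOid '1.2.840.113556.1.4.803'
New-SystemFlagsFilter -Mask $mask -RuleOid '1.2.840.113556.1.4.804'

$sample | ForEach-Object {
    [pscustomobject]@{
        Name        = $_.Name
        Decoded     = [AttrSystemFlags]$_.SystemFlags
        MatchesAnd  = Test-LdapBitRule $_.SystemFlags $mask '1.2.840.113556.1.4.803'
        MatchesOr   = Test-LdapBitRule $_.SystemFlags $mask '1.2.840.113556.1.4.804'
    }
} | Format-Table -AutoSize
```

With this mask, only Sample-Both satisfies the AND rule, while Sample-Constructed and Sample-Operational also satisfy the OR rule.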