Adding EmployeeID to Active Directory + Powershell!
Rob | January 26, 2010
We've been introducing a new HR and Payroll application recently within the organisation. As part of this we need some method of linking Active Directory (AD) accounts with employee records, as clearly this will present untold benefits, like… errr, well, benefits!
Anyway, to achieve this we simply leveraged the existing employeeID attribute within AD. First, check whether employeeID is already an optional attribute of the user class in your forest; if it is, there is no schema change to make and you can skip straight to the scripting. If it isn't, open a new MMC console and add the Active Directory Schema snap-in. Do this on the Domain Controller that holds the Schema Master FSMO role, logged on as an account that is a member of both Domain Admins and Schema Admins. If you can't see the Schema snap-in when you try to add it to your MMC, you've forgotten to register it: run "regsvr32 schmmgmt.dll" from an elevated prompt.
Okay, now that you’ve done that you will find yourself in the AD Schema configuration, careful now! Here’s what you should do next:
- Expand the Active Directory Schema object and then expand the Classes container.
- Scroll down to the “user” class. Right-click on the “user” class and select Properties.
- In the “user Properties” dialog box, click the Attributes tab and then click the Add button.
- You should now be at the Select Schema Object window. Scroll down and select employeeID and then click OK.
- In the “user Properties” dialog box, click OK.
Once complete this will have made the relevant changes… Now a warning (NOW a warning?!?): this is a Forest-wide change, it replicates to every Domain Controller in the Forest and you should treat it as permanent. But you knew that already, right? One more thing: Schema Admins is normally kept empty for exactly this reason, so add your account to it for the change and take it out again when you're done.
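Before clicking through the snap-in it is worth confirming three things from a PowerShell prompt: which DC actually holds the Schema Master role, whether employeeID is already an optional attribute of user (in which case the MMC steps above are unnecessary), and who is sitting in Schema Admins. The following is an added example and is not code from the original post; it uses only the ADSI provider, so it works from any domain-joined machine as an ordinary domain user, and it assumes nothing beyond a reachable DC.

```powershell
# Added example (not from the original post): pre-flight checks before touching the schema.
# Read-only; any domain user can run it from a domain-joined machine.

$rootDse      = [ADSI]"LDAP://RootDSE"
$schemaNC     = "$($rootDse.schemaNamingContext)"        # CN=Schema,CN=Configuration,DC=...
$rootDomainNC = "$($rootDse.rootDomainNamingContext)"    # forest root domain, where Schema Admins lives

# 1. Which DC holds the Schema Master role?
#    The schema container's fSMORoleOwner is the DN of that DC's NTDS Settings object;
#    its parent is the server object, which carries the DNS host name.
$schema   = [ADSI]"LDAP://$schemaNC"
$settings = [ADSI]"LDAP://$($schema.fSMORoleOwner)"
$server   = [ADSI]$settings.Parent
"Schema Master        : $($server.dNSHostName)"

# 2. Is employeeID already an optional attribute of the user class?
#    The abstract schema (LDAP://schema/<class>) resolves inheritance, so this catches the
#    attribute whether it lives on user itself or on organizationalPerson/person/top.
$userClass = [ADSI]"LDAP://schema/user"
$optional  = @($userClass.OptionalProperties)
if ($optional -contains 'employeeID') {
    "employeeID on user    : already present, no schema change needed"
} else {
    "employeeID on user    : MISSING, the schema steps above are required"
}

# 3. What does the attribute itself look like (syntax, single/multi valued, max length)?
$attr = [ADSI]"LDAP://schema/employeeID"
"employeeID definition : syntax=$($attr.Syntax) multiValued=$($attr.MultiValued) maxRange=$($attr.MaxRange)"

# 4. Who is in Schema Admins right now? Ideally nobody between schema changes.
$schemaAdmins = [ADSI]"LDAP://CN=Schema Admins,CN=Users,$rootDomainNC"
$members      = @($schemaAdmins.member)
"Schema Admins members : $($members.Count)"
$members | ForEach-Object { "    $_" }
```

If step 2 reports the attribute as already present, skip the MMC procedure entirely; if step 4 lists accounts that are not actively making a schema change, that is a finding in its own right.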
Finally, now that we have this attribute, can you see it in Active Directory Users and Computers? Well, no, not on the standard tabs: to look at or edit it by hand you need ADSI Edit, or the Attribute Editor tab that Windows Server 2008's ADUC shows once Advanced Features is turned on under the View menu. For anything more than a handful of accounts you're going to have to get creative with your scripting. I have seen and heard of people using Visual Basic to add, change and delete these; however, given that we're now in the PowerShell world, that'd be my preference. So I intend to spend a little time looking at this. To date I have found the following code snippet:
Add-PSSnapin Quest.ActiveRoles.ADManagement   # load the Quest cmdlets before using Set-QADUser
Import-Csv C:\MyFile.csv | ForEach-Object { Set-QADUser $_.samAccountName -ObjectAttributes @{employeeID = $_.employeeID} }
This uses the Quest ActiveRoles cmdlets, which can be found HERE, and -ObjectAttributes, which will allow you to modify any AD attribute your heart desires (the CSV needs a samAccountName column and an employeeID column). Note that AD does not enforce uniqueness on employeeID, so nothing stops you handing the same ID to two accounts. Once I've had a chance to play with this I will post a little more of a PowerShell update. I also need to come up with a clever way of working out which AD account links with which HR record in the first place to enter these IDs, which should be fun!
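The one-liner above will happily write an empty employeeID, give two accounts the same ID, or throw on an account that doesn't exist. The following is an added example, not code from the original post, that does the same bulk load with those checks in place. It uses Microsoft's ActiveDirectory module (RSAT on Windows 7 / Windows Server 2008 R2 and later) rather than the Quest snap-in; if you prefer Quest, swap Get-ADUser/Set-ADUser for Get-QADUser/Set-QADUser -ObjectAttributes. The CSV rows are constructed inline to stand in for the HR export (replace them with Import-Csv C:\MyFile.csv), and the account names in them are made up. It runs in dry-run mode until you set $DryRun to $false.

```powershell
# Added example (not from the original post): bulk-set employeeID with validation.
# Assumes the ActiveDirectory module; account names and IDs below are constructed sample data.
Import-Module ActiveDirectory

$DryRun = $true   # set to $false to actually write; -WhatIf shows what would change until then

function ConvertTo-LdapFilterValue([string]$s) {
    # Escape RFC 4515 special characters so a CSV value cannot alter the filter.
    # Backslash must be replaced first or the later escapes get double-escaped.
    $s = $s -replace '\\', '\5c'
    $s = $s -replace '\*', '\2a'
    $s = $s -replace '\(', '\28'
    $s = $s -replace '\)', '\29'
    $s -replace "`0", '\00'
}

# Constructed sample input in place of Import-Csv C:\MyFile.csv.
# Rows 3 and 4 are deliberately bad: unknown account, then an empty ID.
$hrRows = @'
samAccountName,employeeID
jsmith,100123
amajor,100124
nobody,100125
jsmith,
'@ | ConvertFrom-Csv

$seen = @{}   # employeeIDs already used in this file, to catch duplicates within the CSV
foreach ($row in $hrRows) {
    $sam = $row.samAccountName.Trim()
    $id  = $row.employeeID.Trim()

    if (-not $sam) { Write-Warning "blank samAccountName in CSV, skipped"; continue }
    if (-not $id)  { Write-Warning "$sam : empty employeeID in CSV, skipped"; continue }
    if ($seen.ContainsKey($id)) {
        Write-Warning "$sam : employeeID $id already given to $($seen[$id]) in this file, skipped"; continue
    }
    $seen[$id] = $sam

    $samF = ConvertTo-LdapFilterValue $sam
    $idF  = ConvertTo-LdapFilterValue $id

    # Does the account exist? -LDAPFilter returns nothing instead of throwing on a miss.
    $user = Get-ADUser -LDAPFilter "(sAMAccountName=$samF)" -Properties employeeID
    if (-not $user) { Write-Warning "$sam : no such account, skipped"; continue }

    # AD does not enforce uniqueness on employeeID, so enforce it here:
    # is this ID already on some other account?
    $clash = Get-ADUser -LDAPFilter "(&(employeeID=$idF)(!(sAMAccountName=$samF)))"
    if ($clash) {
        Write-Warning "$sam : employeeID $id already set on $($clash.SamAccountName), skipped"; continue
    }

    if ($user.employeeID -eq $id) { "$sam : already $id, nothing to do"; continue }

    # -Replace works whether the attribute is currently empty or holds an old value.
    Set-ADUser -Identity $user -Replace @{employeeID = $id} -WhatIf:$DryRun
    "$sam : employeeID '$($user.employeeID)' -> '$id'"
}
```

Run it once with $DryRun left at $true and read the warnings: every skipped row is either a problem in the HR export or an account that needs matching by hand, which is exactly the list you need for the "which account is which record" exercise.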