000013546 - AM7.1/AM8.0: How to create a custom attribute in Active Directory

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000013546
Applies To: Microsoft Active Directory 2003 or 2008

The customer was a government agency that needed to deploy On-Demand tokens without disclosing management's private mobile numbers to Exchange Server properties fed from Active Directory.

One way of achieving this is to create a custom attribute in AD and map it to RSA Authentication Manager.

Issue: Create a custom attribute in Active Directory to map to RSA Authentication Manager.

I. Follow these steps to configure a custom attribute

1. Install the Schema snap-in (Start, Run, regsvr32 schmmgmt.dll).

2. Go to Start -> Run -> type MMC and press Enter.

3. Go to File -> Add/Remove Snap-in -> click Add -> select Active Directory Schema and click Add.

4. Expand the Active Directory Schema node and right-click Attributes.

5. Click "Create Attribute".

6. The Create New Attribute window will appear.

7. In Common name enter "privateMobile".

8. Enter the LDAP name also as "privateMobile".

9. Enter the object identifier (OID). For this demo we used dummy values; for your own base OID number, refer to Microsoft article ms677620.

10. Select the appropriate syntax, which in our case is Unicode String.

11. Enter minimum and maximum values if required. These are optional; you can leave them blank.

12. Once the attribute is created, select Classes.

13. Expand Classes and select Person.

14. Click Person and select Properties.

15. Click the Attributes tab and click Add.

16. Select the attribute you created and click OK.

17. Click OK to close all property windows.

18. Go to Start -> Run -> type adsiedit.msc.

19. Open the Active Directory Service Interfaces (ADSI) Edit utility.

20. Right-click ADSI Edit and click Connect to...

21. In the Select a well known Naming Context drop-down menu, select Configuration and click OK.

22. Navigate to CN=DisplaySpecifiers, CN=409 and double-click it.

23. In the right pane, locate and right-click CN=user-Display, and select Properties.

24. Select adminContextMenu and click Edit.

25. In the Edit Attribute box, type the following:

26. Enter the following in the empty box and click Add:

       3,&Private Mobile, c:\EnterAttrib.vbs

28. Click OK to close all window popups.

29. Select Configuration in the ADSI Edit panel and right-click it.

30. Click "Update Schema Now".


II. The steps above add a "Private Mobile" option to the context menu of a user in the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in; that option runs the script below.

Place the following script at C:\EnterAttrib.vbs (the path entered in step 26) or at the path you used:


' EnterAttrib.vbs - run from the ADUC context menu; argument 0 is the ADsPath of the selected user
Dim oVar, oUsr, tmp, cur
Set oVar = Wscript.Arguments
If oVar.Count = 0 Then Wscript.Quit 1   ' nothing to edit if no object path was passed
Set oUsr = GetObject(oVar(0))           ' bind to the user object that was right-clicked
On Error Resume Next
cur = oUsr.privateMobile                ' reading an attribute that has never been set raises an error
If Err.Number <> 0 Then cur = "(not set)" : Err.Clear
On Error GoTo 0
tmp = InputBox("The Private Mobile of the user is: " & cur & vbCRLF & vbCRLF & "Enter the new Private Mobile below")
If tmp <> "" Then
    oUsr.Put "privateMobile", tmp       ' Put only changes the local property cache ...
    oUsr.SetInfo                        ' ... SetInfo writes the change back to Active Directory
End If
Set oUsr = Nothing



Note: This script lets you add a new mobile number or replace the existing one.


III. How to add custom attributes to the Directory Service Find list

1. Use ADSI Edit to select the Configuration namespace.

2. Expand the DisplaySpecifiers container.

3. Expand the appropriate display specifier container. For example, "409" is English.

4. View the Properties of the user-Display object.

5. Modify the attributeDisplayNames attribute by adding a value in the format <LDAP attribute name>,<display name>. For example, "Private Mobile" looks like this:

privateMobile,Private Mobile
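The following PowerShell script is an added example, not part of this article and not RSA or Microsoft code. It automates sections I and III above: it creates the privateMobile attribute, allows it on the person class, registers the context-menu entry and the display name, and reloads the schema cache. It assumes the ActiveDirectory module is installed, that it is run by a member of Schema Admins, and that the placeholder $Oid is replaced with an OID derived from your own base OID (see Microsoft article ms677620). It goes one step beyond the article by setting searchFlags bit 0x80 (CONFIDENTIAL) on the new attribute, so that ordinary "read property" rights are not enough to read the number; that is the behaviour the customer requirement in this article asks for.

```powershell
# Added example (not from the article): script the schema and display-specifier changes
# described in sections I and III. Assumptions: ActiveDirectory module present, caller is a
# Schema Admin, and $Oid is replaced with a real OID from your base OID (PLACEHOLDER below).
#Requires -Modules ActiveDirectory
param(
    [string]$AttributeName = 'privateMobile',      # CN and LDAP name used in the article
    [string]$DisplayName   = 'Private Mobile',
    [string]$ScriptPath    = 'c:\EnterAttrib.vbs', # path used in step 26 of the article
    [string]$Oid           = '<YOUR-BASE-OID>.1'   # PLACEHOLDER: derive from your base OID
)
if ($Oid -like '<*') { throw 'Replace $Oid with a real OID before running this script.' }

$rootDse      = Get-ADRootDSE
$schemaNC     = $rootDse.schemaNamingContext
$configNC     = $rootDse.configurationNamingContext
$schemaMaster = (Get-ADForest).SchemaMaster        # schema writes must go to the schema master

# Steps 5-11: create the attribute. attributeSyntax 2.5.5.12 with oMSyntax 64 is Unicode String.
# searchFlags 128 (0x80) marks the attribute CONFIDENTIAL: only accounts holding the
# control-access right (or Full Control) on the object can read it. The flag is honoured
# only for attributes that are not part of the base schema, which is the case here.
$existing = Get-ADObject -Server $schemaMaster -SearchBase $schemaNC `
                         -LDAPFilter "(lDAPDisplayName=$AttributeName)"
if (-not $existing) {
    New-ADObject -Server $schemaMaster -Name $AttributeName -Type attributeSchema -Path $schemaNC `
        -OtherAttributes @{
            lDAPDisplayName  = $AttributeName
            attributeID      = $Oid
            attributeSyntax  = '2.5.5.12'
            oMSyntax         = 64
            isSingleValued   = $true
            searchFlags      = 128
            adminDescription = 'Private mobile number for RSA On-Demand tokens (custom attribute)'
        }
}

# Step 30: reload the schema cache so the new attribute can be referenced immediately
$schemaRoot = [ADSI]"LDAP://$schemaMaster/RootDSE"
$schemaRoot.Put('schemaUpdateNow', 1); $schemaRoot.SetInfo()

# Steps 12-17: allow the attribute on the person class (user inherits from person)
Set-ADObject -Server $schemaMaster -Identity "CN=Person,$schemaNC" -Add @{ mayContain = $AttributeName }
$schemaRoot.Put('schemaUpdateNow', 1); $schemaRoot.SetInfo()

# Steps 18-29 (adminContextMenu) and section III (attributeDisplayNames) on the English
# display specifier; "3" is the menu ordinal the article uses.
$userDisplay = "CN=user-Display,CN=409,CN=DisplaySpecifiers,$configNC"
Set-ADObject -Identity $userDisplay -Add @{
    adminContextMenu      = "3,&$DisplayName,$ScriptPath"
    attributeDisplayNames = "$AttributeName,$DisplayName"
}

# Verification: the attribute exists, is confidential, and is permitted on person objects
$attr = Get-ADObject -Server $schemaMaster -SearchBase $schemaNC `
                     -LDAPFilter "(lDAPDisplayName=$AttributeName)" -Properties searchFlags
$mayContain = (Get-ADObject -Server $schemaMaster -Identity "CN=Person,$schemaNC" -Properties mayContain).mayContain
[pscustomobject]@{
    Attribute    = $attr.Name
    Confidential = [bool]($attr.searchFlags -band 128)
    OnPerson     = ($mayContain -contains $AttributeName)
}
```

Two caveats before running it. A schema extension is forest-wide and cannot be undone (an attribute can only be deactivated, never deleted), so test it in a lab forest first. And because the attribute is marked confidential, the bind account that RSA Authentication Manager uses for the identity source must be granted the control-access right on the attribute (for example with dsacls using the CA permission), otherwise the mapping in section IV will return empty values; accounts with Full Control, such as Domain Admins, can read it regardless of the flag.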


IV. Map the attribute to RSA Authentication Manager

In the Security Console, go to Identity > Identity Attribute Definitions and, in the Active Directory column, enter the custom attribute you created (privateMobile).

Legacy Article ID: a62178