Copying a new user from an existing user in ADUC

Question:

In Active Directory Users and Computers, one can right-click on an existing account and select “Copy” to create a new user account which includes much of the same information as the original account (Department, Title, Group Memberships, etc.). I would like to know how to add and remove the attributes that it copies over into the new user. I suspect this is doable through adsiedit.msc but have not been able to discover how.

Solution:

An attribute is copied if the searchFlags attribute (in the Schema) contains a specific flag. See:

http://msdn.microsoft.com/en-us/library/ms679765(VS.85).aspx

That means you can find all attributes which will be copied by using this LDAP Filter against the Schema:

(searchFlags:1.2.840.113556.1.4.803:=16)

For instance, if you were to use PowerShell and Quest’s cmdlets to find those attributes, it would be:

$Schema = ([DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()).Schema.Name
Get-QADObject -SearchRoot $Schema -LdapFilter "(searchFlags:1.2.840.113556.1.4.803:=16)"

Or with ADFind:

ADFind.exe -schema -f "searchFlags:1.2.840.113556.1.4.803:=16" lDAPDisplayName

You can add attributes to the copied set by modifying that flag in the Schema (with the usual “you’re playing with the Schema, be sure of your backups” warning).

Chris
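
The lookup above done with the built-in ActiveDirectory module, plus the flag change the answer describes, as an added example that is not part of the original answer. The function names and the `employeeType` sample attribute are assumptions chosen for illustration; because searchFlags is a bitmask, the helper sets or clears only bit 16 and preserves the other bits.

```powershell
# Added example. Needs the ActiveDirectory module (RSAT); the write needs Schema Admins rights.
Import-Module ActiveDirectory

$CopyFlag     = 16   # the bit tested by (searchFlags:1.2.840.113556.1.4.803:=16)
$schemaNC     = (Get-ADRootDSE).schemaNamingContext
$schemaMaster = (Get-ADForest).SchemaMaster   # read and write on the schema master

# List every attribute that ADUC's "Copy" carries over to the new user.
function Get-CopiedAttribute {
    Get-ADObject -SearchBase $schemaNC -Server $schemaMaster `
        -LDAPFilter "(&(objectClass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=$CopyFlag))" `
        -Properties lDAPDisplayName, searchFlags |
        Sort-Object lDAPDisplayName |
        Select-Object lDAPDisplayName, searchFlags
}

# Set or clear only the copy bit on one attribute (hypothetical helper name).
function Set-CopyFlag {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        # Restricting the characters keeps the value safe to embed in the LDAP filter.
        [Parameter(Mandatory = $true)]
        [ValidatePattern('^[A-Za-z][A-Za-z0-9-]*$')]
        [string]$LdapDisplayName,

        [Parameter(Mandatory = $true)]
        [bool]$Enabled
    )

    $attr = Get-ADObject -SearchBase $schemaNC -Server $schemaMaster `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))" `
        -Properties searchFlags
    if (-not $attr) { throw "No attributeSchema object named '$LdapDisplayName'." }

    $current = [int]$attr.searchFlags   # an unset searchFlags reads as 0
    $new = if ($Enabled) { $current -bor $CopyFlag } else { $current -band (-bnot $CopyFlag) }
    if ($new -eq $current) { return $current }   # nothing to change

    if ($PSCmdlet.ShouldProcess($attr.DistinguishedName, "searchFlags $current -> $new")) {
        Set-ADObject -Identity $attr -Server $schemaMaster -Replace @{ searchFlags = $new }
    }
    return $new
}

Get-CopiedAttribute
# Preview the change first; 'employeeType' is only a sample attribute name.
# Set-CopyFlag -LdapDisplayName 'employeeType' -Enabled $true -WhatIf
```

Recording the output of `Get-CopiedAttribute` before and after a change gives a simple baseline for spotting unexpected schema edits later.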
