
Finding out what 'SearchFlags' are set on your AD attributes

Whilst doing some research into indexed attributes, I posted this a while back on how to find your indexed attributes. Since then, I have looked a little deeper into what indexing really means and found this excellent explanation of the numbers that can be found in the searchFlags attribute of a schema object.

Using Florian's reference, I built the following script (which is both PowerShell v1 and v2 compatible) to get the attributes from the forest schema and return (among other things) the breakdown of each attribute's searchFlags.

$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
# build the schema naming context from the forest DNS name, e.g. contoso.com -> dc=contoso,dc=com
$schema = [ADSI]('LDAP://CN=Schema,CN=Configuration,dc=' + ($forest.Name -replace "[.]",",dc="))
$attributes = $schema.psbase.children | where {$_.objectClass -eq "attributeSchema"}

$collection = @()
foreach ($attr in $attributes){
    # one output row per schema attribute; a flag column is set to $true when its bit is present
    $store = "" | select "Name","lDAPDisplayName","singlevalued","GC","indexed","ContainerIndexing","ANR","PreserveonDelete","CopyonCopy","ToupleIndexing","SubtreeIndexing","Confidential","AttributeAuditing","RODCenabled"
    $ATDE = [adsi]("LDAP://$($attr.distinguishedName)")
    $store.Name = $ATDE.Name[0]
    $store.singlevalued = $ATDE.isSingleValued.ToString()
    $store.GC = $ATDE.isMemberOfPartialAttributeSet.ToString()
    # searchFlags is not set on every attribute; treat a missing value as 0
    [int]$number = 0
    if ($ATDE.searchFlags) { [int]$number = $ATDE.searchFlags.ToString() }
    # strip the highest remaining bit on each pass; 'break' leaves the switch so the while loop re-tests the value
    While ($number -gt 0){
        switch ($number){
            {$_ -ge 512} {$number = $number-512;$store.RODCenabled=$true;break}
            {$_ -ge 256} {$number = $number-256;$store.AttributeAuditing=$true;break}
            {$_ -ge 128} {$number = $number-128;$store.Confidential=$true;break}
            {$_ -ge 64} {$number = $number-64;$store.SubtreeIndexing=$true;break}
            {$_ -ge 32} {$number = $number-32;$store.ToupleIndexing=$true;break}
            {$_ -ge 16} {$number = $number-16;$store.CopyonCopy=$true;break}
            {$_ -ge 8} {$number = $number-8;$store.PreserveonDelete=$true;break}
            {$_ -ge 4} {$number = $number-4;$store.ANR=$true;break}
            {$_ -ge 2} {$number = $number-2;$store.ContainerIndexing=$true;break}
            {$_ -ge 1} {$number = $number-1;$store.indexed=$true;break}
        }
    }
    $store.lDAPDisplayName = $ATDE.lDAPDisplayName.ToString()
    $collection += $store
}

# the output file name is truncated in the original post after "schema-atts-$("; a forest-based name is assumed here
$collection | Export-Csv "schema-atts-$($forest.Name).csv" -NoTypeInformation

The basis of it is to get the schema attributes - $attributes = $schema.psbase.children | where {$_.objectClass -eq "attributeSchema"} - and 'foreach' them. For each one, store the searchFlags attribute as an integer - [int]$number = $ATDE.searchflags.ToString() - and, while the number is greater than zero, switch through it, removing the largest remaining 'bit' value from the number each time - {$_ -ge 512} {$number = $number-512;... . For each bit that is removed, the corresponding CSV column is set to true and the switch is exited so the while loop re-tests the reduced number - ...$store.RODCenabled=$true;break}.
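The same breakdown done with a bit mask rather than repeated subtraction, as an added example that is not part of the original post. It needs no domain connection: it runs against constructed sample values, uses the flag names from the script's CSV columns, and also reports any bits outside the ten the script knows about. Of these, the Confidential bit (128) is the one worth confirming on sensitive attributes, since it is what stops a plain read-property right from returning the value.

```powershell
# Bit values of searchFlags as decoded by the script above (names follow its CSV columns)
$SearchFlagBits = [ordered]@{
    indexed           = 1
    ContainerIndexing = 2
    ANR               = 4
    PreserveonDelete  = 8
    CopyonCopy        = 16
    ToupleIndexing    = 32
    SubtreeIndexing   = 64
    Confidential      = 128
    AttributeAuditing = 256
    RODCenabled       = 512
}

function ConvertFrom-SearchFlags {
    param([Parameter(Mandatory=$true)][int]$Value)
    # Each bit is tested independently with -band, so test order does not matter and a value
    # carrying bits this table does not know still reports the ones it does.
    $result = [ordered]@{ searchFlags = $Value }
    foreach ($name in $SearchFlagBits.Keys) {
        $result[$name] = (($Value -band $SearchFlagBits[$name]) -ne 0)
    }
    $known = ($SearchFlagBits.Values | Measure-Object -Sum).Sum   # 1023
    $result['UnknownBits'] = $Value -band (-bnot $known)
    [pscustomobject]$result
}

# Constructed sample values (not read from a live schema):
#   1    = indexed only
#   13   = indexed + ANR + preserve on delete
#   904  = preserve on delete + confidential + auditing flag + RODC filtered
#   1024 = a bit outside the table, surfaced in UnknownBits
foreach ($v in 1, 13, 904, 1024) {
    ConvertFrom-SearchFlags -Value $v | Format-List
}
```

To check a live attribute, pass the integer from $ATDE.searchFlags in the script above into ConvertFrom-SearchFlags instead of the sample values.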

If you need a better explanation, let me know.



  1. Thanks Adam - Your script was just what I was looking for. Worked a treat.


  2. Cleaner (PS should not require much string manipulation):

    $schema = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySchema]::GetCurrentSchema().GetDirectoryEntry()

    There is also a very interesting "isInGlobalCatalog" attribute.

