So in the world of AD everything is built from classes. Classes are stored in the Schema part of the AD. So what does this mean?

The fast basics

  • Each AD object has an objectClass which matches a class in the schema.
  • Each class has a parent (subClassOf)
  • One class has itself as its parent (top)
  • Each class has available attributes which might or must be set on an AD object.
  • An AD object can use all attributes of its class and of all classes above it.

There are 4 attributes defined on each class which say which attributes it carries:

  • MayContain
  • MustContain
  • systemMayContain
  • systemMustContain

Let's get all classes that are assigned to an AD object

For simplicity I have decided to go for the Administrator account. If you are working on a localized version of Active Directory, please change as needed.

#First off, if you are running this on Windows 2008 or earlier it will fail.
#This script uses the AD Module
Import-Module ActiveDirectory
#First off, let's get an AD object or user to play with, and remember to request objectClass
$ADObj = Get-ADUser "Administrator" -Properties objectClass
#So what is the objectClass for the administrator account?
Write-Host "The object class for $($ADObj.Name) is $($ADObj.objectClass)`n"
#So how do we now see what parent user has?
#Let's read the objectClass from the schema and store it in $userclass
#Property access inside an AD filter is unreliable, so copy the class name into its own variable first
$ClassName = $ADObj.objectClass
$userclass = Get-ADObject -SearchBase "$((Get-ADRootDSE).SchemaNamingContext)" -Filter {lDAPDisplayName -eq $ClassName} -Properties subClassOf
#What is the parent of the user class then?
Write-Host "$($ADObj.objectClass) is a subclass of $($userclass.subClassOf)`n"
#But we can't go on like that, it might take ages. Let's build a small loop:
#Let's reuse that $ADObj from before
Write-Host "$($ADObj.Name) is a member of the following classes:"
$NextClass = $ADObj.ObjectClass
Do
{
  $CurrentClass = $NextClass
  #Look up the current class in the schema and read its parent (subClassOf)
  $NextClass = Get-ADObject -SearchBase "$((Get-ADRootDSE).SchemaNamingContext)" -Filter {lDAPDisplayName -eq $NextClass} -Properties subClassOf | Select-Object -ExpandProperty subClassOf
  Write-Host "$($CurrentClass)"
}
#top is its own parent, so the loop stops there
While($CurrentClass -ne $NextClass)

The output:

Getting all attributes for the administrator account

So now that we know which classes the Administrator account has the possibility of using, let's see what attributes there are. Do you really want to walk through that by hand?

#This script uses the AD Module
Import-Module ActiveDirectory
#First off, let's get an AD object or user to play with, and remember to request objectClass
$ADObj = Get-ADUser "Administrator" -Properties objectClass
#Let's get all classes and store them in a variable.
$NextClass = $ADObj.ObjectClass
$AllClasses = Do
{
  $CurrentClass = $NextClass
  $NextClass = Get-ADObject -SearchBase "$((Get-ADRootDSE).SchemaNamingContext)" -Filter {lDAPDisplayName -eq $NextClass} -Properties subClassOf | Select-Object -ExpandProperty subClassOf
  $CurrentClass
}
While($CurrentClass -ne $NextClass)
#Now that we have our classes in $AllClasses, let's turn to the attributes
$attributAttributes = 'MayContain','MustContain','systemMayContain','systemMustContain'
Write-Host "Attempting to find all attributes for the AD Object: $($ADObj.Name)"
$AllAttributes = ForEach ($Class in $AllClasses)
{
  #Read the four attribute lists from the class definition in the schema
  $ClassInfo = Get-ADObject -SearchBase "$((Get-ADRootDSE).SchemaNamingContext)" -Filter {lDAPDisplayName -eq $Class} -Properties $attributAttributes
  ForEach ($attribute in $attributAttributes)
  {
    Write-Host "Getting $($ClassInfo.$attribute.Count) attributes from $attribute on $Class"
    $ClassInfo.$attribute
  }
}
#So did we find any attributes? Remember that not all of these are usable.
Write-Host "Found a total of $($AllAttributes.count) attributes for $($ADObj.Name)"

So that is how you find all attributes that really exist. But not all of them can be changed by users. For instance, memberOf is a backlink from the group's member attribute.
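
To separate the attributes a client can actually write from the ones the directory maintains itself (such as the memberOf backlink mentioned above), the attributeSchema object of each attribute can be checked. This is an added example, not part of the original scripts: the function name Get-AttributeWritability and the sample rows are made up for illustration, while linkID, systemOnly and systemFlags are real schema attributes.

```powershell
# Added example (not the original author's code).
# Flags attributes that the schema marks as maintained by the directory itself.
function Get-AttributeWritability {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$AttributeSchema
    )
    process {
        $reasons = @()
        # Back links carry an odd linkID; AD derives them from the forward link.
        if ($null -ne $AttributeSchema.linkID -and ($AttributeSchema.linkID % 2) -eq 1) {
            $reasons += 'back link'
        }
        # FLAG_ATTR_IS_CONSTRUCTED (0x4) in systemFlags: value is computed on read.
        if ($null -ne $AttributeSchema.systemFlags -and ($AttributeSchema.systemFlags -band 0x4)) {
            $reasons += 'constructed'
        }
        # systemOnly: only the directory service may modify the value.
        if ($AttributeSchema.systemOnly) {
            $reasons += 'systemOnly'
        }
        [pscustomobject]@{
            Attribute      = $AttributeSchema.lDAPDisplayName
            SchemaWritable = ($reasons.Count -eq 0)
            Reason         = ($reasons -join ', ')
        }
    }
}

# Constructed sample rows (illustrative values, not copied from a live schema)
# so the function can be tried without a domain controller.
$sample = @(
    [pscustomobject]@{ lDAPDisplayName = 'member';        linkID = 2;     systemOnly = $false; systemFlags = $null }
    [pscustomobject]@{ lDAPDisplayName = 'memberOf';      linkID = 3;     systemOnly = $false; systemFlags = $null }
    [pscustomobject]@{ lDAPDisplayName = 'canonicalName'; linkID = $null; systemOnly = $false; systemFlags = 0x4 }
    [pscustomobject]@{ lDAPDisplayName = 'objectSid';     linkID = $null; systemOnly = $true;  systemFlags = $null }
    [pscustomobject]@{ lDAPDisplayName = 'description';   linkID = $null; systemOnly = $false; systemFlags = $null }
)
$sample | Get-AttributeWritability | Format-Table -AutoSize

# Against a real domain, reusing $AllAttributes from the script above:
# $SchemaNC = (Get-ADRootDSE).SchemaNamingContext
# Get-ADObject -SearchBase $SchemaNC -LDAPFilter '(objectClass=attributeSchema)' `
#     -Properties lDAPDisplayName,linkID,systemOnly,systemFlags |
#     Where-Object { $AllAttributes -contains $_.lDAPDisplayName } |
#     Get-AttributeWritability
```

SchemaWritable only reflects what the schema allows; whether a given account may change the attribute still depends on the ACL of the object.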