Friday, August 18, 2006

User Properties and Return Values

Adsearch user properties and the values that can be returned for a user. In each entry, the first name is the label shown in the MMC Users and Computers GUI, and the second is the name of the associated Active Directory attribute.

The value returned may be a string (textual), multistring (list of textual entries), boolean (true or false, 0 or 1), binary, or a date.

First name - givenName Single value string
Initials - initials Single value string
Last name - sn Single value string
Display name - displayName Single value string
Description - description Single value string
Office - physicalDeliveryOfficeName Single value string
Telephone number - telephoneNumber Single value string
Other telephone number - otherTelephone Multi value string
Email - mail Single value string
Web page - wWWHomePage Single value string
Other web page - url Multi value string

Street - streetAddress Single value string
P.O. Box - postOfficeBox Single value string
City - l (letter 'L') Single value string
State/province - st Single value string
Zip/Postal Code - postalCode Single value string
Country/region - co Single value string

User logon name - userPrincipalName Single value string
User logon name (pre W2K) - samAccountName Single value string
Logon Hours - logonHours (see Note 1 below this table) Single value string
Log On To - userWorkstations Multi value string
Account locked out - ACT-LockedOut (see Note 2 below this table) "true" or "false"
User must change password at next logon - ACT-PassMustChange (see Note 2 below this table) "true" or "false"
User cannot change password - ACT-PassNoChange (see Note 2 below this table) "true" or "false"
Password never expires - ACT-PassNoExpire (see Note 2 below this table) "true" or "false"
Store password using reversible encryption - ACT-ReverseEncrypt (see Note 2 below this table) "true" or "false"
Account is Disabled - ACT-AccountDisabled (see Note 2 below this table) "true" or "false"
Smart card is required for interactive logon - ACT-SmartCardReq (see Note 2 below this table) "true" or "false"
Account is trusted for delegation - ACT-AccountTrusted (see Note 2 below this table) "true" or "false"
Account is sensitive and cannot be delegated - ACT-AccountSensitive (see Note 2 below this table) "true" or "false"
Use DES encryption types for this account - ACT-UseDES (see Note 2 below this table) "true" or "false"
Do not require Kerberos pre-authentication - ACT-KerberosNotReq (see Note 2 below this table) "true" or "false"

Account expires - accountExpires date string

1. Output for logonHours is in the textual form of hours representing a 7-day period. The string is divided into 7 slots, each slot representing a day and indicating a mix of hour ranges and/or single hours. Example of allowing logon 9am to 6pm, Monday through Friday, and between 1pm and 2pm Saturday: "<->10-18<->10-18<->10-18<->10-18<->10-18<->14", where "<->" is the delimiter.

2. Most of the 'ACT' attribute names are stored as bit flags in the Active Directory integer attribute userAccountControl. They are uniquely identified here with artificial names to make it easier to get their values.
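The bit-flag storage described in Note 2 can be decoded directly from a raw userAccountControl integer. The following is an added example, not part of the original post or of Adsearch: the masks are the documented userAccountControl flag values, while pairing them with the ACT-* names is an assumption based on the GUI labels above. ACT-LockedOut, ACT-PassMustChange and ACT-PassNoChange are left out because they are not reliably readable from this integer.

```python
# Added example: decode userAccountControl into the ACT-* names used above.
# The ACT-* <-> flag pairing is an assumption drawn from the GUI labels.
UAC_FLAGS = {
    "ACT-AccountDisabled":  0x00000002,  # ACCOUNTDISABLE
    "ACT-ReverseEncrypt":   0x00000080,  # ENCRYPTED_TEXT_PWD_ALLOWED
    "ACT-PassNoExpire":     0x00010000,  # DONT_EXPIRE_PASSWORD
    "ACT-SmartCardReq":     0x00040000,  # SMARTCARD_REQUIRED
    "ACT-AccountTrusted":   0x00080000,  # TRUSTED_FOR_DELEGATION
    "ACT-AccountSensitive": 0x00100000,  # NOT_DELEGATED
    "ACT-UseDES":           0x00200000,  # USE_DES_KEY_ONLY
    "ACT-KerberosNotReq":   0x00400000,  # DONT_REQ_PREAUTH
}

# Settings that weaken an account and should be justified during a review.
REVIEW = ("ACT-PassNoExpire", "ACT-ReverseEncrypt", "ACT-AccountTrusted",
          "ACT-UseDES", "ACT-KerberosNotReq")


def decode_uac(value):
    """Return {ACT-name: bool} for a userAccountControl value (int or str)."""
    value = int(value)
    return {name: bool(value & mask) for name, mask in UAC_FLAGS.items()}


def review_findings(value):
    """List the weakening settings on an account; disabled accounts are skipped."""
    flags = decode_uac(value)
    if flags["ACT-AccountDisabled"]:
        return []
    return [name for name in REVIEW if flags[name]]


# Constructed sample data: samAccountName -> userAccountControl.
SAMPLES = {
    "jsmith":      512,      # normal account
    "svc-backup":  66048,    # normal + password never expires
    "legacy-app":  4194816,  # normal + Kerberos pre-authentication not required
    "old-account": 4194818,  # same as above, but disabled
}

if __name__ == "__main__":
    for account, uac in SAMPLES.items():
        print(account, review_findings(uac) or "nothing to review")
```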

Profile path - profilePath Single value string
Logon script - scriptPath Single value string
Local path - homeDirectory Single value string
Connect - homeDrive Single value string
To - homeDirectory (The Connect and To fields created the remote path when applied in MMC Users and Computers) Single value string

Home - homePhone Single value string
Other Home - otherHomePhone Multi value string
Pager - pager Single value string
Other Pager - otherPager Multi value string
Mobile - mobile Single value string
Other Mobile - otherMobile Multi value string
Fax - facsimileTelephoneNumber Single value string
Other Fax - otherFacsimileTelephoneNumber Multi value string
IP Phone - ipPhone Single value string
Other IP Phone - otherIpPhone Multi value string
Notes - info Single value string

Title - title Single value string
Company - company Single value string
Department - department Single value string
Manager - manager Single value string
Direct Reports - directReports Multi value string

Member Of:
Member Of - memberOf Multi value string

Remote Access Permission - msNPAllowDialin "true" or "false"
Callback Options: No Callback / Set by caller / Always callback to - ACT-Callback (see note below this table) "false" means callback is disabled. "true" means callback is enabled and the callback number is set by the user. "true555-1234" means callback is enabled and the callback number is pre-set.

The 'ACT-Callback' attribute name above is uniquely identified here with an artificial name to make it easier to retrieve the value.

Fully qualified domain name of object - canonicalName Single value string
Created - whenCreated date string
Modified - whenChanged date string
Original USN - uSNCreated Single value string
Current USN - uSNChanged Single value string

SID - objectSID binary (Requires conversion from raw format)
GUID - objectGUID binary (Requires conversion from raw format)
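The conversion from raw format mentioned for objectSID and objectGUID can be done as shown in this added example, which is not part of the original post or of Adsearch. The function names and sample bytes are constructed for illustration; the layouts used are the standard binary SID structure and the little-endian GUID encoding.

```python
# Added example: convert raw objectSID / objectGUID bytes to their text forms.
import uuid


def sid_to_string(raw):
    """Convert a binary SID to the S-<revision>-<authority>-<sub>... form.

    Layout: 1 byte revision, 1 byte sub-authority count, 6 byte big-endian
    identifier authority, then <count> little-endian 32-bit sub-authorities.
    """
    if len(raw) < 8:
        raise ValueError("SID shorter than its fixed 8-byte header")
    revision, count = raw[0], raw[1]
    if revision != 1:
        raise ValueError("unexpected SID revision %d" % revision)
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match its sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = [int.from_bytes(raw[8 + 4 * i:12 + 4 * i], "little")
            for i in range(count)]
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])


def guid_to_string(raw):
    """Convert a binary GUID (first three fields little-endian) to text."""
    if len(raw) != 16:
        raise ValueError("GUID must be exactly 16 bytes")
    return str(uuid.UUID(bytes_le=bytes(raw)))


# Constructed sample values, not taken from a real directory.
SAMPLE_SID = bytes.fromhex(
    "0105000000000005"   # revision 1, 5 sub-authorities, authority 5
    "15000000"           # 21
    "57040000"           # 1111
    "ae080000"           # 2222
    "050d0000"           # 3333
    "00020000"           # 512 (relative identifier)
)
SAMPLE_GUID = bytes.fromhex("33221100554477668899aabbccddeeff")

if __name__ == "__main__":
    print(sid_to_string(SAMPLE_SID))
    print(guid_to_string(SAMPLE_GUID))
```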