Wednesday, October 17, 2007

Common Active Directory Attributes, Syntaxes, and Meanings

The following lists a number of commonly used Active Directory attributes, their meanings, their syntax, and which objects carry them in the default Active Directory schema:

accountExpires (user)
The date on which a user account will expire. This attribute takes the form of a 64-bit (long) integer. To convert this value into a textual date, use the ADSearch Convert function.
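As an added example (not code from the original post or from ADSearch), the conversion below treats accountExpires as a Windows FILETIME (100-nanosecond intervals since 1601-01-01 UTC) and handles the two sentinel values that mean "never expires"; the sample values are constructed.

```python
from datetime import datetime, timedelta, timezone

# accountExpires is a Windows FILETIME: 100-nanosecond intervals since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# 0 and the largest signed 64-bit value both mean "account never expires".
NEVER_EXPIRES = {0, 0x7FFFFFFFFFFFFFFF}


def filetime_to_datetime(value):
    """Convert an accountExpires value (int, or the str/bytes an LDAP client returns)
    to a UTC datetime, or None when the account never expires."""
    if isinstance(value, bytes):
        value = value.decode("ascii")
    ticks = int(value)
    if ticks in NEVER_EXPIRES:
        return None
    try:
        # timedelta resolves to microseconds, so drop the last decimal digit of ticks.
        return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)
    except OverflowError:
        # Values past year 9999 are sometimes written instead of the sentinel.
        return None


def datetime_to_filetime(dt):
    """Inverse conversion, e.g. to build a filter such as (accountExpires<=N)
    that finds accounts which have already expired."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def expiry_state(value, now=None):
    """Classify a value as 'never', 'expired' or 'active' relative to now (UTC)."""
    now = now or datetime.now(timezone.utc)
    expires = filetime_to_datetime(value)
    if expires is None:
        return "never"
    return "expired" if expires <= now else "active"


if __name__ == "__main__":
    # Constructed sample values in the form an LDAP client returns them.
    for raw in (b"0", b"9223372036854775807", b"116444736000000000"):
        print(raw.decode(), "->", filetime_to_datetime(raw), expiry_state(raw))
```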

canonicalName (all objects)
A type of name for an object which takes the form of "domain.com/container/container/object". This style of name is very human readable. This attribute takes the form of a string.

cn (user, group, computer, contact)
The uplevel name of an object. It is the leaf part of a distinguishedName (for example, the "cn=joe" of "cn=joe,ou=someou,dc=domain,dc=com".)

dc (domainDNS)
The uplevel name of a domain. It is the leaf part of the distinguished name of the domain (for example, the "dc=domain" of "dc=domain,dc=com".)

distinguishedName (all objects)
This is the distinguished name of the object. It represents the full path to an object (without the server and provider) in the directory. This attribute takes the form of a single-valued string. If you are searching Active Directory, this attribute cannot be used as a key to search on. This is because it is a generated attribute (that is, it is generated every time it is asked for).

isCriticalSystemObject (all objects)
This attribute specifies whether an object is critical for the operation of Active Directory. This attribute takes the form of a Boolean value. If its value is true, the object is critical to Active Directory and is not deletable.

logonHours (user)
The times at which a user is allowed to log on. This attribute takes the form of an octet string (a sequence of hexadecimal characters, with each set of two characters representing one byte). To convert this binary data into a more meaningful set of data, use the ADSearch Convert function.
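As an added example (not from the original post or ADSearch), the decoder below assumes the documented layout of logonHours: 21 bytes = 168 bits, one per hour of the week starting Sunday 00:00 UTC, least-significant bit first within each byte. The utc_offset_hours parameter and the sample value are this example's own constructions; the offset matters because a value that reads as office hours in UTC shifts by the local time zone.

```python
DAYS = ["Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"]


def decode_logon_hours(raw, utc_offset_hours=0):
    """Return 7 lists (Sunday first) of 24 booleans, True where logon is allowed.
    Assumed layout: 21 bytes = 168 bits, one per hour of the week starting
    Sunday 00:00 UTC, least-significant bit first within each byte.
    utc_offset_hours rotates the result into a local-time week."""
    if isinstance(raw, str):
        raw = bytes.fromhex(raw)
    if len(raw) != 21:
        raise ValueError("logonHours must be exactly 21 bytes")
    utc = [bool(raw[i // 8] >> (i % 8) & 1) for i in range(168)]
    local = [utc[(j - utc_offset_hours) % 168] for j in range(168)]
    return [local[d * 24:(d + 1) * 24] for d in range(7)]


def allowed_ranges(week):
    """Collapse a decoded week into {day: [(start_hour, end_hour), ...]}."""
    ranges = {}
    for day, hours in zip(DAYS, week):
        spans, start = [], None
        for hour, ok in enumerate(hours + [False]):
            if ok and start is None:
                start = hour
            elif not ok and start is not None:
                spans.append((start, hour))
                start = None
        if spans:
            ranges[day] = spans
    return ranges


def always_allowed(raw):
    """True for the default value (every bit set); an absent attribute means the same."""
    return all(all(hours) for hours in decode_logon_hours(raw))


if __name__ == "__main__":
    # Constructed value: Sunday 00:00-02:00 UTC only.
    sample = b"\x03" + b"\x00" * 20
    print(allowed_ranges(decode_logon_hours(sample)))
    print(allowed_ranges(decode_logon_hours(sample, utc_offset_hours=-5)))
```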

member (group)
The objects which are members of the group. This attribute takes the form of a multi-valued string, with each element being the distinguished name of a member. If the member is a Foreign Security Principal, the distinguished name will be in the form "CN=sid", where sid is the SID of the member.

objectCategory (all objects)
Represents the path to the schema class of which an object is an instance. This attribute takes the form of a single valued string. If searching for objects, it is recommended that this be used instead of the objectClass, as it is an indexed attribute and replicated to the Global Catalog. Note that the whole path need not be used to search on this attribute, rather only the cn of the class (for example, person for user and contact, and organizational-unit for OUs.)

objectClass (all objects)
Represents the inheritance hierarchy of an object's class. This attribute takes the form of a multi-valued string.

objectGUID (all objects)
A GUID which uniquely identifies an object within the directory. This attribute takes the form of a raw binary string, with each set of two characters representing one byte of binary data. To convert the raw binary data that is retrieved from this attribute to a more readable or useful form, use the ADSearch Convert function.

objectSid (all security principals)
Contains the security identifier of an object. This SID can be used to represent an object in various places on the network (Active Directory, File System ACLs, or anywhere else users are added to ACLs.) This attribute takes the form of a raw binary string, with each set of two characters representing one byte of binary data. To convert this binary value into a more useful textual value use the ADSearch Convert function.
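The two raw binary attributes above, objectGUID and objectSid, share one added example here (not the original post's or ADSearch's code). It accepts either raw bytes or the two-characters-per-byte hex rendering the post describes; the sample SID and GUID are constructed.

```python
import struct
import uuid


def as_bytes(value):
    """Accept raw bytes or the hex-string rendering (two characters per byte)."""
    return bytes.fromhex(value) if isinstance(value, str) else bytes(value)

def sid_to_string(raw):
    """Decode a binary objectSid into the 'S-1-5-21-...' textual form.
    Layout: byte 0 revision, byte 1 sub-authority count, bytes 2-7 a 48-bit
    big-endian identifier authority, then count x 32-bit little-endian sub-authorities."""
    raw = as_bytes(raw)
    if len(raw) < 8:
        raise ValueError("SID shorter than its fixed header")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match its sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)

def string_to_sid(text):
    """Inverse of sid_to_string, e.g. for an (objectSid=...) filter or to resolve
    a Foreign Security Principal whose member entry reads CN=<sid>."""
    parts = text.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("not a SID string")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

def sid_rid(raw):
    """The relative identifier (last sub-authority), e.g. 500 for the built-in Administrator."""
    return struct.unpack("<I", as_bytes(raw)[-4:])[0]

def guid_to_string(raw):
    """Decode a 16-byte objectGUID. The first three fields are stored little-endian,
    which uuid.UUID(bytes_le=...) reorders; a plain hex dump would not."""
    return str(uuid.UUID(bytes_le=as_bytes(raw)))


if __name__ == "__main__":
    # Constructed sample: RID 500 under a made-up domain SID.
    sample = string_to_sid("S-1-5-21-1004336348-1177238915-682003330-500")
    print(sample.hex(), "->", sid_to_string(sample), "RID", sid_rid(sample))
    print(guid_to_string(bytes(range(16))))
```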

ou (organizationalUnit)
The uplevel name of an organizational unit. It is the leaf part of the distinguished name of an organizational unit (for example, the "ou=someou" of "ou=someou,dc=domain,dc=com").

sAMAccountName (user, computer, group)
The downlevel name of the object. This is the name that will be seen by downlevel administrative tools and other pre-Windows 200x tools. This attribute takes the form of a single-valued string.

userAccountControl (user)
A set of bit flags defining certain properties of a user. This attribute takes the form of a 32-bit integer. This attribute is a combination of the following bit values:
Value   Description
1       The logon script will be executed.
2       The user account is disabled.
8       A home directory is required.
16      The account is locked out.
32      The account does not require a password.
64      The account is not allowed to change its password.
512     The account is a typical user account.
65536   The account password never expires.
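As an added example (not code from the original post), the decoder below names the bits in the table above using the flag names Microsoft documents for them, reports the findings a reviewer would want to see (password not required, password never expires on an enabled account), and builds the bitwise-AND LDAP filter used to search on this attribute. The sample values are constructed.

```python
# Flag names as Microsoft documents them, limited to the bits in the table above.
UAC_FLAGS = {
    0x0001: "SCRIPT",
    0x0002: "ACCOUNTDISABLE",
    0x0008: "HOMEDIR_REQUIRED",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
}
KNOWN_MASK = sum(UAC_FLAGS)
# LDAP_MATCHING_RULE_BIT_AND: matches when every bit of the operand is set.
BIT_AND_RULE = "1.2.840.113556.1.4.803"


def decode_uac(value):
    """Return the flag names set in a userAccountControl value (int, str or bytes)."""
    if isinstance(value, bytes):
        value = value.decode("ascii")
    bits = int(value)
    names = [name for bit, name in sorted(UAC_FLAGS.items()) if bits & bit]
    if bits & ~KNOWN_MASK:
        names.append("OTHER(0x%X)" % (bits & ~KNOWN_MASK))
    return names


def audit_uac(value):
    """Findings worth reporting for one account's flags."""
    flags = set(decode_uac(value))
    findings = []
    if "PASSWD_NOTREQD" in flags:
        findings.append("password not required: the account may have an empty password")
    if "DONT_EXPIRE_PASSWORD" in flags and "ACCOUNTDISABLE" not in flags:
        findings.append("password never expires on an enabled account")
    return findings


def uac_filter(flag_name, present=True):
    """LDAP filter matching accounts with (or, present=False, without) the flag set."""
    bit = {name: bit for bit, name in UAC_FLAGS.items()}[flag_name]
    clause = "(userAccountControl:%s:=%d)" % (BIT_AND_RULE, bit)
    return clause if present else "(!%s)" % clause


if __name__ == "__main__":
    for sample in (512, 514, 544, 66048):  # constructed values
        print(sample, decode_uac(sample), audit_uac(sample))
    print(uac_filter("ACCOUNTDISABLE", present=False))  # enabled accounts
```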

2 comments:

  1. Cool, great list. Can you tell me where to find a complete list of attributes of computer, user, and group AD objects?

    Miha

  2. You'll find that here

    http://msdn.microsoft.com/en-us/library/ms675090(VS.85).aspx
