The Windows Active Directory schema contains a large number of attributes, which administrators use to define the different kinds of AD objects. Every value assigned to an attribute is stored in Active Directory, and the default set of attributes is enabled when the first domain controller is installed. Administrators can also index an attribute in the Active Directory schema on the domain controller, which is useful when working with the default attributes.
The Active Directory Schema snap-in in the MMC is another important tool: it allows an administrator to select specific attributes any number of times. Beyond the default attributes, additional attributes can be added to AD by extending the Active Directory schema. Once an attribute is assigned to an object, the attributeSchema created this way is replicated to the Global Catalog (GC).
Consequently, to adjust any default attribute that is replicated to the Active Directory GC, the schema itself must be modified. To do this, the administrator must be a member of the "Schema Admins" group and a registry key must be set on the Schema Master. Because schema modification is an intricate practice, however, modifying Active Directory attributes is generally not considered a good idea.
The following section lists some of the most commonly used Active Directory attributes, their syntax, their meaning and the main object classes that contain them in the default AD Schema snap-in.
userAccountControl (user)
This attribute consists of a set of bit flags that define certain properties of user objects. It is a 32-bit integer formed by combining the following bit values:
Value and description:
- 1: The logon script will be executed.
- 2: The user account is disabled.
- 8: A home directory is required.
- 16: The account is locked out.
- 32: The account does not require a password.
- 64: The account is not allowed to change its password.
- 512: The account is a typical user account.
- 65536: The account password never expires.
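The table above is easier to use in practice as a decoder. The following is an added example, not code from the original post: it maps a userAccountControl integer back to its flag names and lists the settings an account review should question. It covers the eight values listed above and extends the table with the other documented userAccountControl bits; the REVIEW_FLAGS selection is this example's own choice.

```python
# Added example (not from the original post): decode a userAccountControl
# value into its named bit flags and pick out settings worth reviewing.
# The table covers the eight values listed in the post plus the other
# documented userAccountControl bits.

UAC_FLAGS = {
    0x00000001: "SCRIPT",
    0x00000002: "ACCOUNTDISABLE",
    0x00000008: "HOMEDIR_REQUIRED",
    0x00000010: "LOCKOUT",
    0x00000020: "PASSWD_NOTREQD",
    0x00000040: "PASSWD_CANT_CHANGE",
    0x00000080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x00000100: "TEMP_DUPLICATE_ACCOUNT",
    0x00000200: "NORMAL_ACCOUNT",
    0x00000800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x00001000: "WORKSTATION_TRUST_ACCOUNT",
    0x00002000: "SERVER_TRUST_ACCOUNT",
    0x00010000: "DONT_EXPIRE_PASSWORD",
    0x00020000: "MNS_LOGON_ACCOUNT",
    0x00040000: "SMARTCARD_REQUIRED",
    0x00080000: "TRUSTED_FOR_DELEGATION",
    0x00100000: "NOT_DELEGATED",
    0x00200000: "USE_DES_KEY_ONLY",
    0x00400000: "DONT_REQ_PREAUTH",
    0x00800000: "PASSWORD_EXPIRED",
    0x01000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
    0x04000000: "PARTIAL_SECRETS_ACCOUNT",
}

# Flags that weaken authentication for the account; an audit should ask
# why each one is set on an enabled account (selection chosen for this example).
REVIEW_FLAGS = {
    "PASSWD_NOTREQD",
    "DONT_EXPIRE_PASSWORD",
    "ENCRYPTED_TEXT_PWD_ALLOWED",
    "USE_DES_KEY_ONLY",
    "DONT_REQ_PREAUTH",
}


def decode_uac(value: int) -> list[str]:
    """Return the flag names set in a userAccountControl value, lowest bit first.

    Bits without a documented name are reported as UNKNOWN_0x<mask> so that
    nothing in the value is silently dropped.
    """
    value &= 0xFFFFFFFF  # the attribute is 32 bits; tolerate a signed input
    names = []
    for bit in range(32):
        mask = 1 << bit
        if value & mask:
            names.append(UAC_FLAGS.get(mask, f"UNKNOWN_0x{mask:X}"))
    return names


def is_disabled(value: int) -> bool:
    """True when the ACCOUNTDISABLE bit (2) is set."""
    return bool(value & 0x00000002)


def review_flags(value: int) -> list[str]:
    """Flags from REVIEW_FLAGS present on an enabled account.

    A disabled account returns an empty list: its weak settings cannot be
    exercised until someone re-enables it, which is itself an event to watch.
    """
    if is_disabled(value):
        return []
    return [name for name in decode_uac(value) if name in REVIEW_FLAGS]


if __name__ == "__main__":
    # Constructed sample values (not taken from a real directory).
    for sample in (512, 514, 66048, 4260384):
        print(sample, decode_uac(sample), "review:", review_flags(sample))
```

The value 514 (512 + 2) is the familiar "disabled normal user"; 66048 (512 + 65536) is a normal account whose password never expires, the most common setting a review turns up.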
accountExpires (user)
This attribute describes the date on which a user account expires. It is a long (64-bit) integer. The ADSearch Convert function converts this value into a textual date.
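The conversion the ADSearch Convert function performs can be reproduced directly. The following is an added example, not code from the original post: accountExpires counts 100-nanosecond intervals since 1 January 1601 UTC (the Windows FILETIME encoding), and the values 0 and 0x7FFFFFFFFFFFFFFF both mean the account never expires. The same encoding is used by pwdLastSet, lastLogon and lastLogonTimestamp, so the converter applies to those as well.

```python
# Added example (not from the original post): convert the accountExpires
# 64-bit integer to a date and back. The attribute counts 100-nanosecond
# intervals since 1601-01-01 00:00:00 UTC (Windows FILETIME); the values
# 0 and 0x7FFFFFFFFFFFFFFF both mean "account never expires".
from datetime import datetime, timedelta, timezone
from typing import Optional

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER_EXPIRES = (0, 0x7FFFFFFFFFFFFFFF)
HUNDRED_NS_PER_MICROSECOND = 10


def filetime_to_datetime(value: int) -> Optional[datetime]:
    """Return the UTC datetime for a FILETIME value, or None for 'never'.

    Raises ValueError for values outside the range datetime can represent
    (anything past the year 9999) rather than returning a wrong date.
    """
    if value in NEVER_EXPIRES:
        return None
    if value < 0:
        raise ValueError(f"negative FILETIME: {value}")
    try:
        return FILETIME_EPOCH + timedelta(microseconds=value // HUNDRED_NS_PER_MICROSECOND)
    except OverflowError as exc:
        raise ValueError(f"FILETIME out of datetime range: {value}") from exc


def datetime_to_filetime(when: datetime) -> int:
    """Inverse conversion; naive datetimes are treated as UTC."""
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    delta = when - FILETIME_EPOCH
    seconds = delta.days * 86400 + delta.seconds
    return seconds * 10_000_000 + delta.microseconds * HUNDRED_NS_PER_MICROSECOND


def describe_account_expires(value: int, now: Optional[datetime] = None) -> str:
    """Human-readable status: 'never expires', 'expired <date>' or 'expires <date>'."""
    expires = filetime_to_datetime(value)
    if expires is None:
        return "never expires"
    now = now or datetime.now(timezone.utc)
    state = "expired" if expires <= now else "expires"
    return f"{state} {expires.isoformat()}"


if __name__ == "__main__":
    # Constructed sample: 133485408000000000 is 2024-01-01 00:00:00 UTC.
    for sample in (0, 0x7FFFFFFFFFFFFFFF, 133485408000000000):
        print(sample, describe_account_expires(sample))
```

Note that the attribute is stored in UTC; the GUI shows the expiry in the local time zone, which is why a value decoded by hand can appear to be off by a few hours from what the account's property page shows.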
sAMAccountName (user, computer, group)
This attribute defines the downlevel name of the object, which is the name seen by downlevel administrative tools and other pre-Windows 2000 tools. It is a single-valued string.
logonHours (user)
This attribute describes the hours during which a user is allowed to log on. It is an octet string. The ADSearch Convert function converts the binary data (octet string) into a more meaningful set of data.
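The octet string is a 21-byte bitmap: 168 bits, one per hour of the week, expressed in UTC and starting with Sunday 00:00. The following is an added example, not code from the original post, that builds such a bitmap for a Monday-to-Friday window and decodes one back into readable hours. It assumes the common decoding in which bit 0 of byte 0 is Sunday 00:00 to 00:59 and each byte fills from its least significant bit; that bit ordering is this example's assumption.

```python
# Added example (not from the original post): build and decode the 21-byte
# logonHours bitmap. Each of the 168 bits stands for one hour of the week in
# UTC, starting with Sunday 00:00. Assumption: bit 0 of byte 0 is Sunday
# 00:00-00:59 and bits fill each byte from the least significant end.
from typing import Dict, Iterable, List, Tuple

DAYS = ("Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat")
LOGON_HOURS_LEN = 21  # 7 days * 24 hours = 168 bits = 21 bytes


def _slot(day: int, hour: int) -> Tuple[int, int]:
    """Map (day 0=Sun..6=Sat, hour 0..23) to (byte index, bit index)."""
    if not 0 <= day < 7 or not 0 <= hour < 24:
        raise ValueError(f"bad slot day={day} hour={hour}")
    index = day * 24 + hour
    return index // 8, index % 8


def build_logon_hours(allowed: Iterable[Tuple[int, int]]) -> bytes:
    """Encode a collection of (day, hour) slots into the 21-byte attribute value."""
    octets = bytearray(LOGON_HOURS_LEN)
    for day, hour in allowed:
        byte, bit = _slot(day, hour)
        octets[byte] |= 1 << bit
    return bytes(octets)


def decode_logon_hours(octets: bytes) -> Dict[str, List[int]]:
    """Return {day name: [allowed UTC hours]} for a logonHours value."""
    if len(octets) != LOGON_HOURS_LEN:
        raise ValueError(f"logonHours must be {LOGON_HOURS_LEN} bytes, got {len(octets)}")
    allowed: Dict[str, List[int]] = {name: [] for name in DAYS}
    for day, name in enumerate(DAYS):
        for hour in range(24):
            byte, bit = _slot(day, hour)
            if octets[byte] & (1 << bit):
                allowed[name].append(hour)
    return allowed


def format_ranges(hours: List[int]) -> str:
    """Collapse [9, 10, 11, 16] into '09:00-11:59, 16:00-16:59'; empty list -> 'none'."""
    if not hours:
        return "none"
    ranges, start, prev = [], hours[0], hours[0]
    for h in hours[1:] + [None]:
        if h is None or h != prev + 1:
            ranges.append(f"{start:02d}:00-{prev:02d}:59")
            start = h
        prev = h
    return ", ".join(ranges)


def business_hours_utc(start: int = 9, end: int = 17) -> bytes:
    """Mon-Fri, start <= hour < end (UTC): a typical restriction for privileged accounts."""
    return build_logon_hours((day, hour) for day in range(1, 6) for hour in range(start, end))


if __name__ == "__main__":
    value = business_hours_utc()          # constructed sample value
    print(value.hex())
    for day, hours in decode_logon_hours(value).items():
        print(day, format_ranges(hours))
    print("always:", all(len(h) == 24 for h in decode_logon_hours(b"\xff" * 21).values()))
```

An attribute value of 21 bytes of 0xFF means the user may log on at any time, which is also the state of an account on which the restriction was never set; a decoded window that differs from the one shown in the GUI usually comes down to the UTC-versus-local-time shift.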
member (group)
This attribute defines the objects that are members of a group. It is a multi-valued string, where each string element is the distinguished name of a member. If the member is a foreign security principal, the distinguished name takes the form "CN=sid", where sid is the SID of the member.
objectSid (all security principals)
This attribute contains the security identifier of an AD object, which is used to represent the object in different places on the network (Active Directory, file system ACLs, etc.). It is a raw binary string, with each pair of characters representing one byte of the binary data. The ADSearch Convert function converts this binary value into a textual value.
objectClass (all objects)
This attribute reflects the inheritance hierarchy of the object's classes. It is a multi-valued string.
objectGUID (all objects)
This attribute holds a GUID, which is simply a unique identifier of an object within AD. It is a raw binary string, where each pair of characters corresponds to one byte of binary data. The ADSearch Convert function translates the raw binary data retrieved from the attribute into a more readable form.
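Both objectSid and objectGUID come back as raw bytes (or their hex-string rendering, two characters per byte) and need decoding before they are useful in a filter or a report. The following is an added example, not code from the original post, covering the two attributes described above: it converts a binary SID to its S-1-... form and back, extracts the RID, and renders a 16-byte objectGUID as a GUID string. The SID layout (revision byte, sub-authority count, 48-bit big-endian identifier authority, 32-bit little-endian sub-authorities) and the little-endian GUID field order are the documented Windows formats; the sample values in the test are constructed, apart from the well-known BUILTIN\Administrators SID S-1-5-32-544.

```python
# Added example (not from the original post): decode the raw binary forms of
# objectSid and objectGUID into their textual S-1-... and GUID representations.
# SID layout: revision (1 byte), sub-authority count (1 byte), identifier
# authority (6 bytes, big-endian), then count x 32-bit little-endian values.
import struct
import uuid
from typing import Union

Raw = Union[bytes, str]


def _to_bytes(raw: Raw) -> bytes:
    """Accept either raw bytes or the hex-string form of a binary attribute."""
    return bytes.fromhex(raw) if isinstance(raw, str) else bytes(raw)


def decode_sid(raw: Raw) -> str:
    """Convert a binary SID to 'S-1-<authority>-<sub>-...' form, validating its length."""
    data = _to_bytes(raw)
    if len(data) < 8:
        raise ValueError("SID too short")
    revision, count = data[0], data[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if len(data) != 8 + 4 * count:
        raise ValueError(f"SID length {len(data)} does not match {count} sub-authorities")
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack(f"<{count}I", data[8:])
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


def encode_sid(text: str) -> bytes:
    """Inverse of decode_sid; the binary form is what an LDAP filter on objectSid needs."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID string: {text}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)])
            + authority.to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))


def rid(sid_text: str) -> int:
    """Relative identifier, i.e. the last sub-authority (500 = Administrator, 512 = Domain Admins)."""
    return int(sid_text.rsplit("-", 1)[1])


def decode_guid(raw: Raw) -> str:
    """Convert the 16-byte objectGUID (first three fields little-endian) to its string form."""
    data = _to_bytes(raw)
    if len(data) != 16:
        raise ValueError(f"objectGUID must be 16 bytes, got {len(data)}")
    return str(uuid.UUID(bytes_le=data))


if __name__ == "__main__":
    # Well-known SID for BUILTIN\Administrators, given in the hex-string form
    # described in the post (two characters per byte).
    admins_hex = "01020000000000052000000020020000"
    sid = decode_sid(admins_hex)
    print(sid, "RID", rid(sid), "roundtrip ok:", encode_sid(sid).hex() == admins_hex)
    # Constructed GUID bytes (not a real object).
    print(decode_guid(bytes.fromhex("67452301ab89efcd0123456789abcdef")))
```

The length check in decode_sid matters when the value arrives from an untrusted source or a truncated export: a SID whose declared sub-authority count does not match its size is rejected instead of being decoded into a plausible-looking but wrong identifier.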
dc (domainDNS)
This attribute defines the uplevel name of a domain, that is, the leaf part of the domain's distinguished name.