Each attribute in an Active Directory object is defined by an attributeSchema object in the schema container. The properties of an attributeSchema object specify the characteristics of the attribute, such as:
The following table lists the lDAPDisplayName and description of the key properties of an attributeSchema object. For more information and a complete list of the mandatory and optional properties of an attributeSchema object, see attributeSchema.
|cn||Every object in Active Directory has a naming attribute from which its RDN is formed. The naming attribute for attributeSchema objects is cn (common name). The value assigned to cn is the value that the attributeSchema object will have as its RDN. For example, the cn of the isSingleValued object in the schema container is Is-Single-Valued, which would appear in a distinguished name as CN=Is-Single-Valued. The cn must be unique in the schema container.|
|lDAPDisplayName||The name used by LDAP clients, such as the ADSI LDAP provider, to read and write the attribute using the LDAP protocol. An attribute's lDAPDisplayName must be unique in the schema container, which means it must be unique across all classSchema and attributeSchema objects. For more information about composing a cn and an lDAPDisplayName for a new attribute, see Naming Attributes and Classes.|
|schemaIDGUID||A GUID stored as an octet string. This GUID uniquely identifies the attribute. This GUID can be used in access control entries to control access to instances of this attribute. For more information, see Setting Permissions to a Specific Property. On creation of the attributeSchema object, Active Directory generates this value if it is not specified. If you are creating a new attribute, it is recommended that you generate your own GUID for each attribute so that all installations of your extension will use the same schemaIDGUID to refer to the attribute.|
|adminDisplayName||A display name of the attribute for use in administrative tools. If adminDisplayName is not specified when a class is created, the system uses the Common-Name value as the display name. This display name is used only if a mapping does not exist in the attributeDisplayNames property of the display specifier for the class. For more information, see Display Specifiers and Class and Attribute Display Names.|
|attributeID||The OID of this attribute. This value must be unique among the attributeID values of all attributeSchema objects and governsIDs of all classSchema objects. For more information, see Object Identifiers (OIDs).|
|attributeSecurityGUID||A GUID stored as an octet string. This is an optional GUID that identifies the attribute as a member of an attribute grouping; this is also called a property set. You can use this GUID in access control entries to control access to all attributes in the property set, that is, to all attributes that have the specified GUID set in their attributeSecurityGUID property. For more information, see Setting Permissions on a Group of Properties.|
|attributeSyntax||The object identifier of the syntax for this attribute. The combination of the attributeSyntax and oMSyntax properties determines the syntax of the attribute, that is, the type of data stored by instances of the attribute. For more information about the attributeSyntax, oMSyntax, and oMObjectClass syntax attributes, see Syntaxes for Active Directory Attributes.|
|oMSyntax||An integer that is the XDS representation of the syntax.|
|oMObjectClass||An octet string that must be specified for attributes of oMSyntax 127. For attributes with any other oMSyntax value, this property is not used. If no oMObjectClass is specified for an attribute with an oMSyntax of 127, the default oMObjectClass is set. Usually, there is a one-to-one mapping between the attributeSyntax and the oMObjectClass.|
|rangeLower, rangeUpper||A pair of integers that specify the lower and upper bounds of the range of values for this attribute. All values set for the attribute must be within or equal to the specified bounds. For attributes with numeric syntax the range specifies the minimum and maximum value. For attributes with string syntax the range specifies the minimum and maximum size, in characters. For attributes with binary syntax, the range specifies the number of
If both rangeLower and rangeUpper are set, rangeLower must be less than rangeUpper. If one constraint is present without the other, the missing constraint is unbounded. For example, if the rangeLower for an integer is 3, and rangeUpper is absent, it means there is no upper constraint on the attribute. Likewise, if rangeUpper for a string is 2000, and rangeLower is absent, this indicates that there is no lower constraint on the length.|
|isSingleValued||A Boolean value that is TRUE if the attribute can have only one value or FALSE if the attribute can have multiple values. If this property is not set, the attribute has a single value. Multi-valued attributes are unordered; there is no guarantee they will be stored or returned in any specific order. In the event of a replication collision, conflict resolution is for each attribute, not for each value within an attribute. The entire multi-value succeeds or fails. For more information about replication collision, see Consistency GUIDs.|
|searchFlags||An integer value whose least significant bits indicate whether the attribute is indexed. For more information, see Indexed Attributes. The bit flags in this value are:
1 = Index over attribute only.
2 = Index over container and attribute.
4 = Add this attribute to the Ambiguous Name Resolution (ANR) set. This should be used in conjunction with 1.
8 = Preserve this attribute in the tombstone object for deleted objects.
16 = Copy the attribute value when a copy of the object is created, using IADsContainer.CopyHere instead of IADsContainer.MoveHere. For example, when you copy a user object, that is, use an existing user as a template for a new user, you may want to copy some attribute values but not others. This flag could be set for attributes like company and department, which should be copied, but not set for attributes that must be unique, like objectSid and sAMAccountName.|
|isMemberOfPartialAttributeSet||A Boolean value that is TRUE if the attribute is replicated to the global catalog or FALSE if the attribute is not included in the global catalog. For more information, see Attributes Included in the Global Catalog.|
|linkID||An integer that indicates that the attribute is a linked attribute. An even integer is a forward link and an odd integer is a back link.|
|systemFlags||An integer value that contains flags that define additional properties of the attribute such as whether the attribute is constructed or non-replicated. The ADS_SYSTEMFLAG_ENUM enumeration contains values for the flags that you can assign to the systemFlags attribute of an attributeSchema
There are additional systemFlags bits that you cannot set, such as the 0x10 bit, which identifies a category 1 attribute, which is an attribute that is part of the base schema included with the system. This bit is not set in category 2 attributes, which are extensions to the schema.|
|systemOnly||A Boolean value that specifies whether only Active Directory can modify the attribute.|
|mAPIID||An integer by which MAPI clients identify this attribute.|
|isDefunct||A Boolean value that indicates whether the attribute is defunct. For more information, see Disabling Existing Classes and Attributes.|
|description||A text description of the attribute.|
|objectClass||Identifies the object class of which this object is an instance, which is the classSchema object class for all class definitions and the attributeSchema object class for all attribute definitions.|
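The following added example (not Microsoft's code) applies the rules from the table to one exported attributeSchema record, as you might when reviewing a schema extension: it decodes searchFlags, classifies linkID, applies the rangeLower/rangeUpper semantics, and renders schemaIDGUID in the string form used when matching access control entries. The sample record, the attribute name exampleBadgeNumber and all function names are constructed for illustration; the GUID conversion assumes the octet string uses the Windows GUID byte layout.

```python
import uuid

# searchFlags bits exactly as listed in the table above.
SEARCH_FLAGS = {1: "index over attribute only",
                2: "index over container and attribute",
                4: "member of the ANR set",
                8: "preserved in tombstone",
                16: "copied when the object is copied"}

def decode_search_flags(value):
    """Return the names of the documented searchFlags bits set in value."""
    return [name for bit, name in SEARCH_FLAGS.items() if value & bit]

def link_direction(link_id):
    """Even linkID is a forward link, odd is a back link."""
    if link_id is None:
        return "not linked"
    return "forward link" if link_id % 2 == 0 else "back link"

def in_range(attr, value):
    """Apply rangeLower/rangeUpper; a missing bound is unbounded.
    Integers are compared by value, strings and bytes by length."""
    size = value if isinstance(value, int) else len(value)
    lo, hi = attr.get("rangeLower"), attr.get("rangeUpper")
    return (lo is None or size >= lo) and (hi is None or size <= hi)

def review(attr):
    """Summarise one attributeSchema record and list table-rule violations."""
    flags = attr.get("searchFlags", 0)
    lo, hi = attr.get("rangeLower"), attr.get("rangeUpper")
    findings = []
    if flags & 4 and not flags & 1:
        findings.append("ANR bit (4) set without index bit (1)")
    if lo is not None and hi is not None and not lo < hi:
        findings.append("rangeLower is not less than rangeUpper")
    return {
        "name": attr["lDAPDisplayName"],
        # Assumption: octet string in the Windows GUID byte layout.
        "schemaIDGUID": str(uuid.UUID(bytes_le=attr["schemaIDGUID"])),
        "singleValued": attr.get("isSingleValued", True),  # unset means single
        "searchFlags": decode_search_flags(flags),
        "link": link_direction(attr.get("linkID")),
        "findings": findings,
    }

# Constructed sample record: a hypothetical extension attribute.
SAMPLE = {"lDAPDisplayName": "exampleBadgeNumber",
          "schemaIDGUID": bytes.fromhex("00112233445566778899aabbccddeeff"),
          "searchFlags": 4 | 16, "rangeLower": 3}
```

Calling `review(SAMPLE)` reports the ANR bit set without the index bit, and `in_range(SAMPLE, 2)` is rejected because only the lower bound of 3 is present.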
For more information about attributes, see: