User Object Attributes

A user object has multiple attributes. This section documents key attributes used by Windows, administrative tools, and the Windows Address Book (WAB). It does not describe all attributes; many attributes are not used for the user object.

Some attributes are stored in the directory, such as cn, nTSecurityDescriptor, objectGUID, and so on, and replicated to all domain controllers within a domain. A subset of these attributes is also replicated to the global catalog.

Non-replicated attributes are stored on each domain controller, but are not replicated elsewhere, such as badPwdCount, lastLogon, lastLogoff, and so on. The non-replicated attributes are attributes that pertain to a particular domain controller. For example, lastLogon is the last date and time that the user network logon was validated by the particular domain controller that is returning the property.

A user object also has constructed attributes that are not stored in the directory, but are calculated by the domain controller, such as canonicalName, distinguishedName, allowedAttributes, and so on.
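The distinction above matters when an investigator or auditor reads lastLogon: because it is non-replicated, each domain controller returns only the logon it validated itself, so the true most recent logon is the maximum across every DC in the domain. The following Python snippet is an added example, not code from the original page; it assumes the per-DC values have already been retrieved (the dictionary below is constructed sample data) and shows how to classify attributes by the page's three storage categories, convert the Windows FILETIME integers that lastLogon and lastLogoff use (100-nanosecond intervals since 1601-01-01 UTC), and pick the authoritative logon time.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

# Attribute categories as described on this page.
REPLICATED = {"cn", "nTSecurityDescriptor", "objectGUID"}          # stored, replicated to all DCs
NON_REPLICATED = {"badPwdCount", "lastLogon", "lastLogoff"}        # stored per DC only
CONSTRUCTED = {"canonicalName", "distinguishedName", "allowedAttributes"}  # computed, never stored

# FILETIME counts 100-ns ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# 0 means "never"; the maximum 64-bit value is also used as a "never/no expiry" sentinel.
NEVER_SENTINELS = {0, 0x7FFFFFFFFFFFFFFF}


def classify(attribute: str) -> str:
    """Return the storage category for an attribute named on this page."""
    if attribute in REPLICATED:
        return "replicated"
    if attribute in NON_REPLICATED:
        return "non-replicated"
    if attribute in CONSTRUCTED:
        return "constructed"
    return "unknown"


def datetime_to_filetime(value: datetime) -> int:
    """Convert an aware UTC datetime to a FILETIME integer without float rounding."""
    delta = value - FILETIME_EPOCH
    return (delta.days * 86_400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def filetime_to_datetime(value: int) -> Optional[datetime]:
    """Convert a FILETIME integer to an aware UTC datetime; None for 'never'."""
    if value in NEVER_SENTINELS:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=value // 10)


def latest_logon(per_dc: Dict[str, int]) -> Tuple[Optional[str], Optional[datetime]]:
    """Pick the most recent lastLogon across DCs.

    Because lastLogon is non-replicated, no single DC has the full picture;
    each DC only knows the logons it validated. Returns (dc_name, datetime),
    or (None, None) if the user never logged on anywhere.
    """
    best_dc, best_time = None, None
    for dc, raw in per_dc.items():
        when = filetime_to_datetime(raw)
        if when is not None and (best_time is None or when > best_time):
            best_dc, best_time = dc, when
    return best_dc, best_time


# Constructed sample: what three DCs might each report for one user's lastLogon.
SAMPLE_LASTLOGON = {
    "DC01": datetime_to_filetime(datetime(2024, 1, 10, 9, 0, tzinfo=timezone.utc)),
    "DC02": datetime_to_filetime(datetime(2024, 1, 15, 8, 30, tzinfo=timezone.utc)),
    "DC03": 0,  # this DC never validated a logon for the user
}

if __name__ == "__main__":
    for name in ("cn", "lastLogon", "distinguishedName"):
        print(f"{name}: {classify(name)}")
    dc, when = latest_logon(SAMPLE_LASTLOGON)
    print(f"most recent logon validated by {dc} at {when.isoformat()}")
```

Querying only the DC you happen to be bound to would have reported 10 January from DC01 or "never" from DC03; only the per-DC merge yields the correct 15 January value.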

Attributes for user objects are classified as:

Base Object Attributes
This category includes attributes required for all directory objects, such as objectClass, nTSecurityDescriptor, and so on.
Naming Attributes
This category includes attributes used to refer to or identify the object, such as distinguishedName, objectGUID, objectSID, and so on. For more information about naming attributes for user objects, see User Naming Attributes.
Security Attributes
This category includes attributes for logon and access control. For more information about security attributes for user objects, see User Security Attributes.
Address Book Attributes
This category includes attributes for e-mail and user data. For more information about address book attributes for user objects, see User Address Book Attributes.
Application Specific Attributes
This category includes user-specific configuration data for specific applications.

For more information about reading and modifying attributes for a user object, see Reading and Writing Attributes of Active Directory Objects.

For more information about the User class, including a complete list of the mayContain and mustContain attributes of the class, see User.

Setting Passwords

The password for a user cannot be modified directly because this would involve sending an unencrypted password over the network. To set the password for a user, it is necessary to use the IADsUser.ChangePassword or IADsUser.SetPassword method. The IADsUser.ChangePassword method is used when the application allows the user to change their own password. The IADsUser.SetPassword method is used when the application enables an administrator to reset a password.