A user object has multiple attributes. This section documents key attributes used by Windows, administrative tools, and the Windows Address Book (WAB). It does not describe all attributes; many attributes are not used for the user object.
Some attributes are stored in the directory, such as cn, nTSecurityDescriptor, objectGUID, and so on, and replicated to all domain controllers within a domain. A subset of these attributes is also replicated to the global catalog.
Non-replicated attributes are stored on each domain controller, but are not replicated elsewhere, such as badPwdCount, lastLogon, lastLogoff, and so on. The non-replicated attributes are attributes that pertain to a particular domain controller. For example, lastLogon is the last date and time that the user network logon was validated by the particular domain controller that is returning the property.
A user object also has constructed attributes that are not stored in the directory, but are calculated by the domain controller, such as canonicalName, distinguishedName, allowedAttributes, and so on.
Attributes for user objects are classified as:
For more information about reading and modifying attributes for a user object, see Reading and Writing Attributes of Active Directory Objects.
For more information about the User class, including a complete list of the mayContain and mustContain attributes of the class, see User.
The password for a user cannot be modified directly because this would involve sending an unencrypted password over the network. To set the password for a user, it is necessary to use the IADsUser.ChangePassword or IADsUser.SetPassword method. The IADsUser.ChangePassword method is used when the application is allowing the user to change thier own password. The IADsUser.SetPassword method is used when the application enables an administrator to reset a password.