Directory Services

Attributes

Each object in Active Directory contains a set of attributes that describes the characteristics of the object. Each attribute is described by an attributeSchema object in the schema container that defines the attribute. The attribute definition includes information such as which object types the attribute applies to and the syntax type of the attribute. For more information about attribute schema definitions, see Characteristics of Attributes.

All Active Directory attributes are stored in one of three ways.

Domain-replicated, stored attributes
Some attributes are stored in the directory (such as cn, nTSecurityDescriptor, objectGUID, and so on) and replicated to all domain controllers within a domain. A subset of these attributes is also replicated to the global catalog. If you enumerate the attributes of an object from the global catalog, only the attributes replicated to the global catalog are returned. Some attributes are also indexed, because including an indexed property in a query improves the performance of the query.

Non-replicated, locally stored attributes
Non-replicated attributes, such as badPwdCount, lastLogon, and lastLogoff, are stored on each domain controller but are not replicated elsewhere. Non-replicated attributes pertain to a particular domain controller. For example, the lastLogon attribute is the last date and time that the user's network logon was validated by the particular domain controller that is returning the property. These attributes can be retrieved in the same way as the domain-wide attributes described previously. However, for these attributes, each domain controller stores only the values that pertain to that particular domain controller. For example, to obtain the last time a user logged on to the domain, it is necessary to retrieve the lastLogon attribute for the user from every domain controller in the domain and find the latest date and time.

Non-stored, constructed attributes
A user object also has constructed attributes that are not stored in the directory but are calculated by the domain controller, such as canonicalName and allowedAttributes.
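The lastLogon procedure described above, as an added example that is not part of the original page: it queries every domain controller for the non-replicated lastLogon value and keeps the latest one, skipping domain controllers that never validated a logon for the account (lastLogon absent or 0) and those that cannot be reached. It assumes the ActiveDirectory PowerShell module (Get-ADDomainController, Get-ADUser) is available; the account name in the usage line is a constructed placeholder.

```powershell
# Added example (not from the original page): find the most recent lastLogon for a user
# across every domain controller, because lastLogon is stored locally and never replicated.
# Assumes the ActiveDirectory module; run from a domain-joined host with read access.
function Get-LatestLastLogon {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName
    )

    $latest   = $null
    $latestDc = $null

    # Each DC holds only the value for logons it validated itself, so every DC must be asked.
    foreach ($dc in (Get-ADDomainController -Filter *)) {
        try {
            $user = Get-ADUser -Identity $SamAccountName -Server $dc.HostName -Properties lastLogon
        } catch {
            # An unreachable DC leaves a gap in the picture; report it rather than silently skip.
            Write-Warning "Could not query $($dc.HostName): $_"
            continue
        }

        # lastLogon is a FILETIME (100-ns ticks since 1601-01-01 UTC).
        # A missing or zero value means this DC has never validated a logon for the account.
        if (-not $user.lastLogon -or [int64]$user.lastLogon -eq 0) { continue }
        $t = [DateTime]::FromFileTimeUtc([int64]$user.lastLogon)

        if ($null -eq $latest -or $t -gt $latest) {
            $latest   = $t
            $latestDc = $dc.HostName
        }
    }

    [PSCustomObject]@{
        SamAccountName = $SamAccountName
        LastLogonUtc   = $latest      # $null if no DC has ever validated a logon
        ReportedBy     = $latestDc    # the DC whose locally stored value was the latest
    }
}

# Usage (constructed account name):
Get-LatestLastLogon -SamAccountName 'jdoe'
```

Reading lastLogon from a single domain controller, or through the global catalog, gives only that server's view and can make an active account look dormant; the per-DC sweep above is what a stale-account audit has to do for any non-replicated attribute, including badPwdCount and lastLogoff.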