Directory Services

Binding to Well-Known Objects Using WKGUID

Containers can have one, or more, important sub-objects that can be renamed or moved. It can be difficult to track of these sub-objects and build correct binding strings for them, especially if they are renamed or moved.

To support rename-safe binding to these objects within these containers, Active Directory has two attributes: wellKnownObjects and otherWellKnownObjects. These attributes have an attribute syntax of ADSTYPE_DN_WITH_BINARY. They allow multiple values and contain the GUID/DN tuples of well-known objects within the containers on which they are set. The Active Directory maintains the distinguished name portion of each wellKnownObjects and otherWellKnownObjects entry so that it contains the current distinguished name of the object specified when the entry was created.

The otherWellKnownObjects property can be set and used on any object.

The wellKnownObjects property is used on the domainDNS and configuration containers. The wellKnownObjects property is a system-only property and can only be modified by the operating system.

The domainDNS container has the following well-known objects:

The configuration container has the well-known object: Deleted Objects.

These objects are always in every domainDNS and configuration container in Active Directory.

You can bind to a well-known object using the WKGUID binding format. Binding with WKGUID is only supported in Active Directory, that is, the LDAP provider.

Important  Always use the WKGUID binding format to bind to the well-known objects, as listed above, in the domain and configuration containers. This ensures that these containers can be bound to even if they are moved or renamed.

The WKGUID binding string format is as follows.

LDAP://servername/<WKGUID=XXXXX,ContainerDN>

In this example, servername is the directory server name. The servername is optional.

XXXXX is the string representation of the hexadecimal value of the GUID that represents the well-known object. The GUID string is specified in the XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX form and is not the same form as the GUID string produced by the StringFromGUID2 function, which takes the form {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}. For a code example that demonstrates how to create a bindable string from a GUID, see Example Code for Creating a Bindable String Representation of a GUID.

To bind to an object specified in otherWellKnownObjects in an object, specify XXXXX as the bind string form of the well-known object GUID of the object. For more information, see Reading an Object's objectGUID and Creating a String Representation of the GUID. For more information about setting the otherWellKnownObjects property on objects, see Enabling Rename-Safe Binding with the otherWellKnownObjects Property.

To bind to an object specified in wellKnownObjects in domainDNS or configuration containers, specify XXXXX as one of the following constants, listed in the following table, as defined in Ntdsapi.h.

Container GUID Identifier
Users GUID_USERS_CONTAINER_W
Computers GUID_COMPUTRS_CONTAINER_W
System GUID_SYSTEMS_CONTAINER_W
Domain Controllers GUID_DOMAIN_CONTROLLERS_CONTAINER_W
Infrastructure GUID_INFRASTRUCTURE_CONTAINER_W
Deleted Objects GUID_DELETED_OBJECTS_CONTAINER_W
Lost and Found GUID_LOSTANDFOUND_CONTAINER_W

For example, to bind to the user container in a domain, specify GUID_USERS_CONTAINER_W as XXXXX.

ContainerDN is the distinguished name of the container object that has this object represented as a value in its wellKnownObjects property. For example, to bind to the users container in a domain, specify the domain distinguished name as the ContainerDN.

For example, to bind to the users container of the domain Fabrikam.com, use the following binding string.

LDAP://<WKGUID=a9d1ca15768811d1aded00c04fd8d5cd,dc=Fabrikam,dc=com>

For more information and a code example that shows how to bind to a well-known GUID, see Example Code for Binding to Well Known Objects.