Directory Services

Characteristics of Attributes

Each attribute in an Active Directory object is defined by an attributeSchema object in the schema container. The properties of an attributeSchema object specify the characteristics of the attribute, such as:

The following table lists the lDAPDisplayName and description of the key properties of an attributeSchema object. For more information and a complete list of the mandatory and optional properties of an attributeSchema object, see attributeSchema.

lDAPDisplayName Description
cn Every object in Active Directory has a naming attribute from which its RDN is formed. The naming attribute for attributeSchema objects is cn (common name). The value assigned to cn is the value that the attributeSchema object will have as its RDN. For example, the cn of the isSingleValued object in the schema container is Is-Single-Valued, which would appear in a distinguished name as CN=Is-Single-Valued. The cn must be unique in the schema container.
lDAPDisplayName The name used by LDAP clients, such as the ADSI LDAP provider, to read and write the attribute using the LDAP protocol. An attribute's lDAPDisplayName must be unique in the schema container, which means it must be unique across all classSchema and attributeSchema objects. For more information about composing a cn and an lDAPDisplayName for a new attribute, see Naming Attributes and Classes.
schemaIDGUID A GUID stored as an octet string. This GUID uniquely identifies the attribute. This GUID can be used in access control entries to control access to instances of this attribute. For more information, see Setting Permissions to a Specific Property.

On creation of the attributeSchema object, Active Directory generates this value if it is not specified. If you are creating a new attribute, it is recommended that you generate your own GUID for each attribute so that all installations of your extension will use the same schemaIDGUID to refer to the attribute.

adminDisplayName A display name of the attribute for use in administrative tools. If adminDisplayName is not specified when a class is created, the system uses the Common-Name value as the display name.

This display name is used only if a mapping does not exist in the attributeDisplayNames property of the display specifier for the class. For more information, see Display Specifiers and Class and Attribute Display Names.

attributeID The OID of this attribute. This value must be unique among the attributeID values of all attributeSchema objects and governsIDs of all classSchema objects. For more information, see Object Identifiers (OIDs).
attributeSecurityGUID A GUID stored as an octet string. This is an optional GUID that identifies the attribute as a member of an attribute grouping; this is also called a property set. You can use this GUID in access control entries to control access to all attributes in the property set, that is, to all attributes that have the specified GUID set in their attributeSecurityGUID property. For more information, see Setting Permissions on a Group of Properties.
attributeSyntax The object identifier of the syntax for this attribute. The combination of the attributeSyntax and oMSyntax properties determines the syntax of the attribute, that is, the type of data stored by instances of the attribute.

For more information about the attributeSyntax, oMSyntax, and oMObjectClass syntax attributes, see Syntaxes for Active Directory Attributes.

oMSyntax An integer that is the XDS representation of the syntax.
oMObjectClass An octet string that must be specified for attributes of oMSyntax 127. For attributes with any other oMSyntax value, this property is not used. If no oMObjectClass is specified for an attribute with an oMSyntax of 127, the default oMObjectClass is set. Usually, there is a one-to-one mapping between the attributeSyntax and the oMObjectClass.
rangeLower, rangeUpper A pair of integers that specify the lower and upper bounds of the range of values for this attribute. All values set for the attribute must be within or equal to the specified bounds. For attributes with numeric syntax the range specifies the minimum and maximum value. For attributes with string syntax the range specifies the minimum and maximum size, in characters. For attributes with binary syntax, the range specifies the number of bytes.

If both rangeLower and rangeUpper are set, rangeLower must be less than rangeUpper. If one constraint is present without the other, the missing constraint is unbounded. For example, if the rangeLower for an integer is 3, and rangeUpper is absent, it means there is no upper constraint on the attribute. Likewise, if rangeUpper for a string is 2000, and rangeLower is absent, this indicates that there is no lower constraint on the length.

isSingleValued A Boolean value that is TRUE if the attribute can have only one value or FALSE if the attribute can have multiple values. If this property is not set, the attribute has a single value.

Multi-valued attributes are unordered; there is no guarantee they will be stored or returned in any specific order. In the event of a replication collision, conflict resolution is for each attribute, not for each value within an attribute. The entire multi-value succeeds or fails. For more information about replication collision, see Consistency GUIDs.

searchFlags An integer value whose least significant bits indicate whether, and how, the attribute is indexed. For more information, see Indexed Attributes. The bit flags in this value are:

1 = Index over attribute only.

2 = Index over container and attribute.

4 = Add this attribute to the Ambiguous Name Resolution (ANR) set. This should be used in conjunction with 1.

8 = Preserve this attribute in the tombstone object for deleted objects.

16 = Copy the attribute value when a copy of the object is created, that is, when IADsContainer.CopyHere is used instead of IADsContainer.MoveHere. For example, when you copy a user object (use an existing user as a template for a new user), you typically want some attribute values copied but not others. This flag could be set for attributes like company and department so that they are copied, but not set for attributes that must be unique, like objectSid and sAMAccountName.

isMemberOfPartialAttributeSet A Boolean value that is TRUE if the attribute is replicated to the global catalog or FALSE if the attribute is not included in the global catalog. For more information, see Attributes Included in the Global Catalog.
linkID An integer that indicates that the attribute is a linked attribute. An even integer is a forward link and an odd integer is a back link.
systemFlags An integer value that contains flags that define additional properties of the attribute such as whether the attribute is constructed or non-replicated. The ADS_SYSTEMFLAG_ENUM enumeration contains values for the flags that you can assign to the systemFlags attribute of an attributeSchema object.

There are additional systemFlags bits that you cannot set, such as the 0x10 bit, which identifies a category 1 attribute, that is, an attribute that is part of the base schema included with the system. This bit is not set in category 2 attributes, which are extensions to the schema.

systemOnly A Boolean value that specifies whether only Active Directory can modify the attribute.
mAPIID An integer by which MAPI clients identify this attribute.
isDefunct A Boolean value that indicates whether the attribute is defunct. For more information, see Disabling Existing Classes and Attributes.
description A text description of the attribute.
objectClass Identifies the object class of which this object is an instance, which is the classSchema object class for all class definitions and the attributeSchema object class for all attribute definitions.
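The following is an added example, not code from this page or from Microsoft: a small reviewer's toolkit that applies the rules described above (the schemaIDGUID octet string, isSingleValued and rangeLower/rangeUpper, the searchFlags bits, linkID parity, and the non-settable systemFlags 0x10 bit) to attributeSchema records of the kind an LDAP search of the schema container returns. The two attribute records, their GUIDs and names are constructed sample data. The searchFlags values 1, 2, 4, 8, 16 and the systemFlags 0x10 bit are taken from the page; the systemFlags 0x1 and 0x4 bits are ADS_SYSTEMFLAG_ATTR_NOT_REPLICATED and ADS_SYSTEMFLAG_ATTR_IS_CONSTRUCTED from ADS_SYSTEMFLAG_ENUM. The range check generalises the page's three cases (number for numeric syntax, characters for strings, bytes for binary) into one function.

```python
"""Added example (not from the page): review helpers for attributeSchema records.
Sample records below are constructed, not real schema data."""
import uuid

# searchFlags bits as listed on the page
SEARCH_FLAGS = {
    1: "INDEX",               # index over attribute only
    2: "CONTAINER_INDEX",     # index over container and attribute
    4: "ANR",                 # ambiguous name resolution set; expects INDEX too
    8: "PRESERVE_ON_DELETE",  # value kept in the tombstone
    16: "COPY",               # copied by IADsContainer.CopyHere
}
# systemFlags bits relevant when reviewing an attribute definition
SYSTEM_FLAGS = {
    0x1: "NOT_REPLICATED",    # ADS_SYSTEMFLAG_ATTR_NOT_REPLICATED (ADS_SYSTEMFLAG_ENUM)
    0x4: "CONSTRUCTED",       # ADS_SYSTEMFLAG_ATTR_IS_CONSTRUCTED (ADS_SYSTEMFLAG_ENUM)
    0x10: "CATEGORY_1",       # base-schema attribute; cannot be set by extensions
}


def decode_flags(value, table):
    """Return the names of the bits set in an integer flag value."""
    return sorted(name for bit, name in table.items() if value & bit)


def schema_id_guid(octets):
    """schemaIDGUID is an octet string holding the GUID in its little-endian
    (bytes_le) layout. Decoding it as a big-endian UUID silently yields a
    different GUID, so an ACE's object type would never match it."""
    return str(uuid.UUID(bytes_le=bytes(octets)))


def link_kind(link_id):
    """linkID: even means forward link, odd means back link."""
    if link_id is None:
        return "not linked"
    return "forward link" if link_id % 2 == 0 else "back link"


def check_value(attr, value):
    """Apply isSingleValued and rangeLower/rangeUpper to a proposed value.
    The range measures the number itself for ints, characters for str,
    bytes for binary. Returns None if acceptable, else a reason string."""
    name = attr["lDAPDisplayName"]
    values = value if isinstance(value, list) else [value]
    # an unset isSingleValued means single-valued
    if attr.get("isSingleValued", True) and len(values) > 1:
        return f"{name}: single-valued attribute given {len(values)} values"
    lower, upper = attr.get("rangeLower"), attr.get("rangeUpper")
    for v in values:
        measure = v if isinstance(v, int) else len(v)
        if lower is not None and measure < lower:  # absent bound = unbounded
            return f"{name}: {measure} is below rangeLower {lower}"
        if upper is not None and measure > upper:
            return f"{name}: {measure} is above rangeUpper {upper}"
    return None


def lint_definition(attr):
    """Findings a reviewer would raise about the definition itself."""
    name = attr["lDAPDisplayName"]
    findings = []
    flags = decode_flags(attr.get("searchFlags", 0), SEARCH_FLAGS)
    if "ANR" in flags and "INDEX" not in flags:
        findings.append(f"{name}: ANR (4) set without INDEX (1)")
    lower, upper = attr.get("rangeLower"), attr.get("rangeUpper")
    if lower is not None and upper is not None and lower >= upper:
        findings.append(f"{name}: rangeLower {lower} must be less than rangeUpper {upper}")
    sflags = decode_flags(attr.get("systemFlags", 0), SYSTEM_FLAGS)
    if "CATEGORY_1" in sflags:
        findings.append(f"{name}: systemFlags 0x10 (category 1) is reserved for the base schema")
    return findings


# Constructed sample records; GUIDs and names are placeholders, not real schema data.
BADGE_GUID = "12345678-1234-5678-9abc-def012345678"
SAMPLE_ATTRIBUTES = [
    {"lDAPDisplayName": "contoso-EmployeeBadge",
     "schemaIDGUID": uuid.UUID(BADGE_GUID).bytes_le,
     "searchFlags": 1 | 4 | 16, "systemFlags": 0,
     "rangeLower": 1, "rangeUpper": 64, "isSingleValued": True},
    {"lDAPDisplayName": "contoso-ManagedBy-BL",
     "schemaIDGUID": uuid.UUID("0fedcba9-8765-4321-0fed-cba987654321").bytes_le,
     "searchFlags": 4, "systemFlags": 0x4 | 0x10,
     "rangeLower": 10, "rangeUpper": 5, "isSingleValued": False, "linkID": 1},
]

if __name__ == "__main__":
    for attr in SAMPLE_ATTRIBUTES:
        print(attr["lDAPDisplayName"], schema_id_guid(attr["schemaIDGUID"]),
              decode_flags(attr["searchFlags"], SEARCH_FLAGS),
              decode_flags(attr["systemFlags"], SYSTEM_FLAGS),
              link_kind(attr.get("linkID")), lint_definition(attr))
```

Run it as a script to see the two records decoded side by side: the first passes every check, the second produces three findings. When the records come from a live directory, the schemaIDGUID values are what an access-control entry's ObjectType GUID has to be matched against, so getting the byte order right in schema_id_guid matters more than it looks.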

For more information about attributes, see: