Directory Services

Characteristics of Object Classes

Each Microsoft® Active Directory® object class is defined by a classSchema object in the schema container. The attributes of a classSchema object specify the characteristics of the class, such as:

The following table lists the lDAPDisplayName and description of the key attributes of a classSchema object. For more information, and a complete list of the mandatory and optional attributes of a classSchema object, see classSchema.

lDAPDisplayName Description
cn (Common-Name) Every object in Active Directory has a naming attribute from which its Relative Distinguished Name (RDN) is formed. The naming attribute for classSchema objects is cn (Common-Name). The value assigned to cn is the value that the object class will have as its RDN. For example, the cn of the organizationalUnit object class is Organizational-Unit, which would appear in a distinguished name as CN=Organizational-Unit. The cn must be unique in the schema container.
lDAPDisplayName The name used by LDAP clients, such as the ADSI LDAP provider, to refer to the class, for example to specify the class in a search filter. A class's lDAPDisplayName must be unique in the schema container, which means it must be unique across all classSchema and attributeSchema objects. For more information about composing a cn and an lDAPDisplayName for a new class, see Naming Attributes and Classes.
schemaIDGUID A GUID stored as an octet string. This GUID uniquely identifies the class. This GUID can be used in access control entries to control access to objects of this class. For more information, see Setting Permissions on Child Object Operations.

On creation of the classSchema object, Active Directory generates this value if it is not specified. If you create a new class, generate your own GUID for each class so that all installations of your extension use the same schemaIDGUID to refer to the class.

adminDisplayName A display name of the class for use in administrative tools. If adminDisplayName is not specified when a class is created, the system uses the Common-Name value as the display name.

This display name is used only if a mapping does not exist in the classDisplayName property of the display specifier for the class. For more information, see Display Specifiers and Class and Attribute Display Names.

governsID The OID of the class. This value must be unique among the governsIDs of all classSchema objects and the attributeIDs of all attributeSchema objects. For more information, see Object Identifiers.
rDnAttId Identifies the naming attribute, which is the attribute that provides the RDN for this class — if different from the default (cn). Use of a naming attribute other than cn is discouraged. Naming attributes should be drawn from the well-known set (OU, CN, O, L, and DC) that is understood by all LDAP version 3 clients. For more information, see Object Names and Identities and Syntaxes for Active Directory Attributes.

A naming attribute must have the Directory String syntax. For more information, see Syntaxes for Active Directory Attributes.

mustContain, systemMustContain A pair of multi-valued properties that specify the attributes that must be present on instances of this class. These are mandatory attributes that must be present during creation and cannot be cleared after creation. After creation of the class, these properties cannot be changed.

The full set of mandatory attributes for a class is the union of the systemMustContain and mustContain values on this class and all inherited classes.

mayContain, systemMayContain A pair of multi-valued properties that specify the attributes that MAY be present on instances of this class. These are optional attributes that are not mandatory and, therefore, may or may not be present on an instance of this class. You can add or remove mayContain values from an existing category 1 or category 2 classSchema object. Before removing a mayContain value from a classSchema object, you should search for instances of the object class and clear any values for the attribute that you are removing. After creation of the class, the systemMayContain property cannot be changed.

The full set of optional attributes for a class is the union of the systemMayContain and mayContain values on this class and all inherited classes.

possSuperiors, systemPossSuperiors A pair of multi-valued properties that specify the structural classes that can be legal parents of instances of this class. The full set of possible superiors is the union of the systemPossSuperiors and possSuperiors values on this class and any inherited structural or abstract classes. systemPossSuperiors and possSuperiors values are not inherited from auxiliary classes.

You can add or remove possSuperiors values from an existing category 1 or category 2 classSchema object. After creation of the class, the systemPossSuperiors property cannot be changed.

objectClassCategory An integer value that specifies the category of the class, which can be one of the following:
  • Structural, meaning that it can be instantiated in the directory.
  • Abstract, meaning that the class provides a basic definition of a class that can be used to form structural classes.
  • Auxiliary, meaning that the class can be used to extend the definition of a class that inherits from it but cannot be instantiated by itself.

For more information, see Structural, Abstract, and Auxiliary Classes.

subClassOf An OID for the immediate superclass of this class, that is, the class from which this class is derived.

For structural classes, subClassOf can be a structural or abstract class.

For abstract classes, subClassOf can be an abstract class only.

For auxiliary classes, subClassOf can be an abstract or auxiliary class.

If you define a new class, ensure that the subClassOf class exists or will exist when the new class is written to the directory. If the class does not exist, the classSchema object is not added to the directory.

auxiliaryClass, systemAuxiliaryClass A pair of multi-valued properties that specify the auxiliary classes that this class inherits from. The full set of auxiliary classes is the union of the systemAuxiliaryClass and auxiliaryClass values on this class and all inherited classes.

For an existing classSchema object, values can be added to the auxiliaryClass property but not removed. After creation of the class, the systemAuxiliaryClass property cannot be changed.
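
The inheritance rules stated for mustContain, mayContain, possSuperiors, auxiliaryClass and subClassOf above are easy to get wrong when reviewing a schema extension, so the following added example (not code from the Active Directory documentation or from Microsoft) resolves them over a small constructed schema. The class names imitate the real schema, but every entry is illustrative: the effective mandatory and optional attribute sets are the union over the class, its superclass chain and all auxiliary classes (and their ancestors), possible superiors come only from the superclass chain and never from auxiliary classes, and a class's subClassOf is checked against the category rules for structural, abstract and auxiliary classes.

```python
STRUCTURAL, ABSTRACT, AUXILIARY = 1, 2, 3  # objectClassCategory values

# Constructed sample schema keyed by lDAPDisplayName; contents are
# illustrative only. "top" is its own superclass, which is where the
# superclass walk stops, as in the real schema.
SCHEMA = {
    "top": {
        "objectClassCategory": ABSTRACT,
        "subClassOf": "top",
        "systemMustContain": ["objectClass", "instanceType", "objectCategory"],
        "systemMayContain": ["cn", "description", "showInAdvancedViewOnly"],
    },
    "person": {
        "objectClassCategory": STRUCTURAL,
        "subClassOf": "top",
        "systemMustContain": ["cn"],
        "systemMayContain": ["sn", "telephoneNumber"],
        "systemPossSuperiors": ["organizationalUnit", "container"],
    },
    "mailRecipient": {
        "objectClassCategory": AUXILIARY,
        "subClassOf": "top",
        "systemMayContain": ["mail", "userCertificate"],
        # constructed: a superior on an auxiliary class must NOT propagate
        "systemPossSuperiors": ["ignoredContainer"],
    },
    "exampleEmployee": {  # constructed category 2 extension class
        "objectClassCategory": STRUCTURAL,
        "subClassOf": "person",
        "mustContain": ["employeeID"],
        "mayContain": ["manager"],
        "auxiliaryClass": ["mailRecipient"],
        "possSuperiors": ["exampleDept"],
    },
}

# Each logical set is split across a user-settable and a system-only property.
PAIRS = {
    "must": ("mustContain", "systemMustContain"),
    "may": ("mayContain", "systemMayContain"),
    "superiors": ("possSuperiors", "systemPossSuperiors"),
    "aux": ("auxiliaryClass", "systemAuxiliaryClass"),
}

# Categories a class of a given category may name in subClassOf.
ALLOWED_SUPERCLASS = {
    STRUCTURAL: {STRUCTURAL, ABSTRACT},
    ABSTRACT: {ABSTRACT},
    AUXILIARY: {ABSTRACT, AUXILIARY},
}


def own_values(entry, key):
    """Union of both halves of one property pair on a single class."""
    values = set()
    for prop in PAIRS[key]:
        values.update(entry.get(prop, ()))
    return values


def superclass_chain(schema, name):
    """The class itself, its superclass, and so on up to and including top."""
    chain = []
    while name not in chain:
        chain.append(name)
        name = schema[name]["subClassOf"]
    return chain


def resolve(schema, name):
    """Effective mandatory/optional attributes, superiors and auxiliaries."""
    chain = superclass_chain(schema, name)
    # Auxiliary classes come from the whole chain; an auxiliary class and
    # its own ancestors may in turn declare further auxiliary classes.
    aux, pending = set(), list(chain)
    while pending:
        for a in own_values(schema[pending.pop()], "aux"):
            if a not in aux:
                aux.add(a)
                pending.extend(superclass_chain(schema, a))
    contributors = set(chain)
    for a in aux:
        contributors.update(superclass_chain(schema, a))
    must, may = set(), set()
    for cls in contributors:
        must |= own_values(schema[cls], "must")
        may |= own_values(schema[cls], "may")
    # possSuperiors come only from the structural/abstract chain.
    superiors = set()
    for cls in chain:
        superiors |= own_values(schema[cls], "superiors")
    return {"must": must, "may": may, "superiors": superiors, "aux": aux}


def subclass_errors(schema):
    """Classes whose subClassOf is missing or of a disallowed category."""
    errors = []
    for name, entry in schema.items():
        parent = entry["subClassOf"]
        if parent not in schema:
            errors.append(f"{name}: superclass {parent} does not exist")
        elif parent != name:  # top is its own superclass
            cat, pcat = entry["objectClassCategory"], schema[parent]["objectClassCategory"]
            if pcat not in ALLOWED_SUPERCLASS[cat]:
                errors.append(f"{name}: category {cat} class cannot derive from category {pcat} class")
    return errors
```

Running resolve(SCHEMA, "exampleEmployee") shows employeeID and cn joining top's mandatory attributes, mail and userCertificate arriving through the auxiliary class, and exampleDept, organizationalUnit and container as superiors while ignoredContainer is correctly left out. Replacing SCHEMA with entries read from a real schema container turns this into a review aid for a proposed extension before it is written to the directory.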

defaultObjectCategory The distinguished name of this object class or one of its superclasses. When an instance of this object class is created, the system sets the objectCategory property of the new instance to the value specified in the defaultObjectCategory property of its object class. The objectCategory property is an indexed property used to increase the efficiency of object class searches.

If defaultObjectCategory is not specified when a class is created, the system sets it to the distinguished name (DN) of the classSchema object for this class. If this object will be frequently queried by the value of a superclass rather than the object's own class, you can set defaultObjectCategory to the DN of the superclass. For example, if you are subclassing a predefined (category 1) class, the best practice is to set defaultObjectCategory to the same value as the superclass. This enables the standard UI to "find" your subclass.

For more information, see Object Class and Object Category.

defaultHidingValue A Boolean value that specifies the default setting of the showInAdvancedViewOnly property of new instances of this class. Many directory objects are not interesting to end users. To keep these objects from cluttering the UI, every object has a Boolean attribute called showInAdvancedViewOnly.

If defaultHidingValue is set to TRUE, new object instances are hidden in the Administrative snap-ins and the Windows shell. A menu item for the object class will not appear in the New context menu of the Administrative snap-ins—even if the appropriate creation wizard properties are set on the object class's displaySpecifier object.

If defaultHidingValue is set to FALSE, new instances of the object are displayed in the Administrative snap-ins and the Windows shell. Set this property to FALSE to see instances of the class in the administrative snap-ins and the shell and enable a creation wizard and its menu item in the New menu of the administrative snap-ins.

If the defaultHidingValue value is not set, the default is TRUE.

systemFlags An integer value that contains flags that define additional properties of the class. The 0x10 bit identifies a category 1 class (a class that is part of the base schema that is included with the system). You cannot set this bit, which means that the bit is not set in category 2 classes (which are extensions to the schema).
systemOnly A Boolean value that specifies whether only Active Directory can modify the class. System-only classes can be created or deleted only by the Directory System Agent (DSA). System-only classes are those that the system depends on for normal operations.
defaultSecurityDescriptor Specifies the default security descriptor for new objects of this class. For more information, see Default Security Descriptor and How Security Descriptors are Set on New Directory Objects.
isDefunct A Boolean value that indicates whether the class is defunct. For more information, see Disabling Existing Classes and Attributes.
description A text description of the class for use by administrative applications.
objectClass Identifies the object class of which this object is an instance, which is the classSchema object class for all class definitions and the attributeSchema object class for all attribute definitions.
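
Several rows of the table above describe constraints the directory enforces when a classSchema object is added (cn, lDAPDisplayName and governsID must be unique across the schema container, including attributeSchema objects; the 0x10 systemFlags bit marks category 1 classes and cannot be set by an extension) and defaults the system fills in (adminDisplayName from cn, defaultObjectCategory as the class's own DN, defaultHidingValue TRUE). The following added example, which is not code from the Active Directory documentation or from Microsoft, runs those checks and defaults over a constructed snapshot of a schema container before an extension is written. The forest DN, the attribute OID and the fixed schemaIDGUID are constructed sample values; only the person class's OID 2.5.6.6 is the real X.500 value.

```python
import uuid

CATEGORY1_FLAG = 0x10  # systemFlags bit marking a base-schema (category 1) class
SCHEMA_NC = "CN=Schema,CN=Configuration,DC=example,DC=com"  # constructed forest

# Constructed snapshot of the schema container: one class and one attribute.
# The attribute OID is a sample value; 2.5.6.6 is the real OID of person.
EXISTING = [
    {"objectClass": "classSchema", "cn": "Person", "lDAPDisplayName": "person",
     "governsID": "2.5.6.6", "systemFlags": CATEGORY1_FLAG},
    {"objectClass": "attributeSchema", "cn": "Employee-ID",
     "lDAPDisplayName": "employeeID", "attributeID": "1.2.3.4.5.6"},
]

# Constructed category 2 class an extension might propose. The GUID is a
# fixed sample value shipped with the extension so that every installation
# refers to the class by the same schemaIDGUID.
NEW_CLASS = {
    "objectClass": "classSchema",
    "cn": "Example-Employee",
    "lDAPDisplayName": "exampleEmployee",
    "governsID": "1.2.3.4.5.7",
    "subClassOf": "person",
    "schemaIDGUID": uuid.UUID("12345678-1234-5678-1234-567812345678").bytes,
    "systemFlags": 0,
}


def oid_of(entry):
    """governsID for classes, attributeID for attributes: one shared OID space."""
    return entry["governsID"] if entry["objectClass"] == "classSchema" else entry["attributeID"]


def is_category1(entry):
    """True when the 0x10 systemFlags bit is set (base schema class)."""
    return bool(entry.get("systemFlags", 0) & CATEGORY1_FLAG)


def apply_defaults(new):
    """Return a copy with the values the system supplies when they are omitted."""
    filled = dict(new)
    filled.setdefault("adminDisplayName", new["cn"])
    filled.setdefault("defaultObjectCategory", f"CN={new['cn']},{SCHEMA_NC}")
    filled.setdefault("defaultHidingValue", True)
    return filled


def precheck(new, existing):
    """Uniqueness, category and GUID problems to fix before writing the class."""
    problems = []
    if new["cn"] in {e["cn"] for e in existing}:
        problems.append(f"cn {new['cn']} already exists in the schema container")
    if new["lDAPDisplayName"] in {e["lDAPDisplayName"] for e in existing}:
        problems.append(f"lDAPDisplayName {new['lDAPDisplayName']} clashes with an existing class or attribute")
    if oid_of(new) in {oid_of(e) for e in existing}:
        problems.append(f"OID {oid_of(new)} clashes with an existing governsID or attributeID")
    if is_category1(new):
        problems.append("systemFlags 0x10 is reserved for base-schema classes and cannot be set")
    guid = new.get("schemaIDGUID")
    if not isinstance(guid, bytes) or len(guid) != 16:
        problems.append("schemaIDGUID missing: generate a fixed 16-byte GUID and ship it with the extension")
    return problems
```

For NEW_CLASS the pre-check returns no problems, and apply_defaults fills in defaultObjectCategory as CN=Example-Employee under the schema container and defaultHidingValue as TRUE, which means instances would stay hidden from the administrative snap-ins unless the extension sets the value to FALSE explicitly. Feeding the same checks a class that reuses an existing lDAPDisplayName or OID reports each clash separately.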