Directory Services

Querying for Category 1 or 2 Schema Objects

The systemFlags property of attributeSchema and classSchema objects is an integer bit-mask that containins flags that indicate additional system qualities of the attribute or class. The ADS_SYSTEMFLAG_ENUM enumeration contains values that correspond to the bits you can set in the systemFlags attribute. There are additional systemFlags bits that you cannot set, such as the 0x10 bit which indicates whether the attribute or class is category 1 or category 2. The 0x10 bit is set for category 1 objects, which are the classes and attributes included in the base schema included with the system. The bit is not set for category 2 attributes and classes, which are extensions to the schema. If no systemFlags property exists on an attributeSchema or classSchema object, it is category 2.

To query for category 1 or 2 objects, or for any object based on a bit set in a property, use a filter that contains a matching rule.

Matching rules have the following syntax.

attibutename:ruleOID:=value

Where attributename is the lDAPDisplayName of the attribute, ruleOID is the OID for the matching rule, and value is the value to use for comparison. Be aware that spaces cannot be used in this string. Also be aware that value must be a decimal number; it cannot be a hexadecimal number or a constant name such as ADS_GROUP_TYPE_SECURITY_ENABLED.

Active Directory supports two matching rules that are listed in the following table.

Matching Rule OID Description
1.2.840.113556.1.4.803 LDAP_MATCHING_RULE_BIT_AND

The matching rule is TRUE when all bits from the property that correspond to 1-bits in the value are 1.

1.2.840.113556.1.4.804 LDAP_MATCHING_RULE_BIT_OR

The matching rule is TRUE when any bits from the property match that correspond to 1-bits in the value are 1.

These two matching rules are only different when the value is a bit mask with multiple bits set. For example, the following queries return the same result because they contain a single bit mask in the value—the query returns all attributeSchema objects with the ADS_SYSTEMFLAG_ATTR_NOT_REPLICATED bit flag set.

(&(objectCategory=attributeSchema)(systemFlags:1.2.840.113556.1.4.803:=1) )

and

(&(objectCategory=attributeSchema)(systemFlags:1.2.840.113556.1.4.804:=1) )

In the following query filters, the value combines the 0x10 bit for category 1 objects with the ADS_SYSTEMFLAG_ATTR_NOT_REPLICATED flag (16 + 1 = 17). Because multiple bits are specified, the AND and OR matching rules will return different results. The first filter uses the AND operator to query for attributeSchema objects with both bits set.

(&(objectCategory=attributeSchema)(systemFlags:1.2.840.113556.1.4.803:=17) )

The second filter uses the OR operator, which queries for objects with either bit set.

(&(objectCategory=attributeSchema)(systemFlags:1.2.840.113556.1.4.804:=17) )

To find an exact match of a value, use the equals operator. The following code example returns attributeSchema objects that have only the ADS_SYSTEMFLAG_ATTR_NOT_REPLICATED and 0x10 bits set.

(&(objectCategory=attributeSchema)(systemFlags=17))

Querying for Category 1

The following code example searches for category 1 attributes (attributeSchema objects with the 0x10 bit set in the systemFlags property).

(&(objectCategory=attributeSchema)(systemFlags:1.2.840.113556.1.4.804:=16) )

Be aware that, in the code example above, the LDAP query syntax requires decimal values; therefore, the hex value of the flag must be converted to decimal. In this case, category 1 bit is 0x10 so the filter value must be specified as 16.

Querying for Category 2

The following query string searches for category 2 attributes (attributeSchema objects that do not have the 0x10 bit set in the systemFlags property).

(&(objectCategory=attributeSchema)(!(systemFlags:1.2.840.113556.1.4.804:=16)))

Be aware that this query also returns attributeSchema objects that do not have a systemFlags property, and, therefore, implicitly do not have the specified flag set).