Directory Services

Restrictions on Schema Extension

To reduce the possibility of schema changes by one application breaking other applications, and to maintain schema consistency, Active Directory enforces restrictions on the types of schema changes that an application or user is allowed to make.

The restrictions are imposed only on modification of existing schema objects. Schema objects fall into two categories. The schema objects that ship with Microsoft® Windows® 2000 in the base schema belong to Category 1. Any schema objects added later by other applications or users through dynamic schema extension belong to Category 2. The category of a schema object can be determined by checking whether the 0x10 bit is set in the systemFlags attribute on the classSchema object. This bit is set only on Category 1 objects; it cannot be altered, nor can it be set on any Category 2 object.

The systemFlags attribute is used internally by Active Directory to identify special characteristics of "infrastructure" objects in the base schema. In addition to identifying Category 1 objects, systemFlags controls whether an object can be moved, deleted, or renamed. These operations are prevented for objects that Windows 2000 depends on to run.
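The category test described above, as an added example that is not part of the original documentation: the following Python code reads an LDIF-style export of schema objects and classifies each classSchema entry by the 0x10 bit of systemFlags. The sample entries, their names and values, and the function names are constructed for illustration; the code assumes systemFlags is exported as a signed 32-bit decimal and treats a missing attribute as 0.

```python
import re

CATEGORY_1_BIT = 0x10  # the systemFlags bit this page says marks Category 1

# Constructed sample export (hypothetical names and values, LDIF-style).
SAMPLE_LDIF = """\
dn: CN=User,CN=Schema,CN=Configuration,DC=example,DC=com
objectClass: top
objectClass: classSchema
lDAPDisplayName: user
systemFlags: 16

dn: CN=Example-Badge,CN=Schema,CN=Configuration,DC=example,DC=com
objectClass: classSchema
lDAPDisplayName: exampleBadge

dn: CN=Example-Base-Class,CN=Schema,CN=Configuration,DC=example,
 DC=com
objectClass: classSchema
lDAPDisplayName: exampleBaseClass
systemFlags: -2147483630
"""

def parse_ldif(text):
    """Minimal LDIF reader: unfolds continuation lines, lower-cases attribute
    names, skips comments and base64 ('attr:: ...') values."""
    unfolded = re.sub(r"\r?\n ", "", text.strip())
    entries = []
    for block in re.split(r"(?:\r?\n){2,}", unfolded):
        entry = {}
        for line in block.splitlines():
            m = re.match(r"([A-Za-z0-9;-]+): (.*)$", line)
            if m:
                entry.setdefault(m.group(1).lower(), []).append(m.group(2))
        entries.append(entry)
    return entries

def schema_category(entry):
    """1 if the 0x10 bit is set in systemFlags, otherwise 2.
    An absent systemFlags attribute is treated as 0 (no bits set)."""
    raw = entry.get("systemflags", ["0"])[0]
    flags = int(raw) & 0xFFFFFFFF  # assumption: value is a signed 32-bit decimal
    return 1 if flags & CATEGORY_1_BIT else 2

def audit(text):
    """Map each classSchema entry's lDAPDisplayName to its category."""
    return {e["ldapdisplayname"][0]: schema_category(e)
            for e in parse_ldif(text)
            if "classSchema" in e.get("objectclass", [])}
```

Calling audit(SAMPLE_LDIF) returns a name-to-category mapping; the Category 2 entries are the ones added after the base schema, which makes them the natural starting point when reviewing schema extensions.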

Restrictions on all schema objects

On any schema object, Category 1 or 2, Active Directory imposes the following restrictions:

Additional restrictions on Category 1 objects

In addition, the following restrictions are imposed on Category 1 schema objects, since many Windows 2000 components depend on the following: