Skip to main content

What are the attributes in a User object in Active Directory

I believed that I have found most of them thanks to these MSDN sites:
http://msdn.microsoft.com/en-us/library/ms677605(v=vs.85).aspx
http://msdn.microsoft.com/en-us/library/ms677943(v=vs.85).aspx
http://msdn.microsoft.com/en-us/library/ms674997(v=vs.85).aspx

Be forewarned, it is a long list.



userPrincipalName
The userPrincipalName is a single-valued and indexed attribute that is a string that specifies the user principal name (UPN) of the user. The UPN is an Internet-style login name for the user based on the Internet standard RFC 822. The UPN is shorter than the distinguished name and easier to remember. By convention, this should map to the user's e-mail name. The point of the UPN is to consolidate the e-mail and logon namespaces so that the user need only remember a single name.

The UPN is the preferred logon name for Windows 2000 users. Users should be using their UPNs to log on to the domain. At logon time, a UPN is validated first by searching the local domain, then the global catalog. Failure to find the UPN in the local domain or the GC results in rejection of the UPN.

The UPN can be assigned, but is not required, when the user account is created. When assigned, the UPN is unaffected by changes to other attributes of the user object, for example, if the user is renamed or moved, or changes to the domains in the tree, for example, if a parent domain was renamed or a domain was moved. Thus, a user can keep the same login name, although the directory may be radically restructured. Be aware that the UPN can be changed administratively at any time.

The UPN is a string attribute that can contain any string value. However, the following scheme is recommended.

The user principal name has two parts: the UPN prefix (the user account name) and the UPN suffix (a DNS domain name). The parts are joined together by the at sign (@) symbol to make the complete UPN. For example, the user Someone who has an account in the Example domain would have a UPN of someone@example.com.

The UPN must be unique among all security principal objects within the directory forest. By default (that is, for the built-in user accounts and user accounts created using the Active Directory Users and Computers snap-in), the UPN can consist of any name for the user (such as the sAMAccountNameattribute of the user) and the domain tree name to which the user belongs in the following form: <name>@<tree name>.

The "<tree name>" is the domain name system (DNS) name of a domain, but is not required to be the name of the domain containing the user. However, the "<tree name>" portion of the UPN must be the name of a domain in the current forest or an alternate name listed in the upnSuffixes attribute of the Partitions container within the Configuration container. You can add or remove UPN suffixes by modifying the upnSuffixes attribute (or by choosing Properties for the root node of the Active Directory Domains and Trusts and modifying the UPN suffixes on the UPN Suffixes tab). Usually, the "<tree name>" is the name of the first domain in the first tree of the forest. In most cases, this domain name is the domain name registered as the enterprise domain on the Internet.

The "<tree name>" is formatted by binding to the rootDSE on any domain in the forest, reading theRootDomainNamingContext attribute, and then transforming this from DC format (dc=fabrikam,dc=com) to the UPN format (fabrikam.com) using the ADSI IADsNameTranslateinterface.

When creating a new user object, you should check the local domain and the global catalog for the proposed name to ensure it does not already exist.

objectGUID
The objectGUID attribute is a single-valued attribute that is the unique identifier for the object. This attribute is a Globally Unique Identifier (GUID). When an object is created in the directory, the Active Directory server generates a GUID and assigns it to the object's objectGUID attribute. The GUID is unique across the enterprise and anywhere else.

The objectGUID is a 128-bit GUID structure stored as an OctetString.

Because an object's distinguished name changes if the object is renamed or moved, the distinguished name is not a reliable identifier for an object. In Active Directory Domain Services, an object'sobjectGUID attribute is never changed, even if the object is renamed or moved to different places. Be aware that you can retrieve the string form of the objectGUID using the IADs.GUID attribute.

sAMAccountName
The sAMAccountName attribute is a single-valued attribute that is the logon name used to support clients and servers from a previous version of Windows (such as Windows NT 4.0 and earlier, Windows 95, Windows 98, and LAN Manager). The sAMAccountName should be less than 20 characters to support these clients and servers.

The sAMAccountName must be unique among all security principal objects within the domain.

Query for the new name against the domain to verify that the sAMAccountName is unique in the domain.

The sAMAccountName must be unique among all security principal objects within a domain container.

objectSid
The objectSid attribute is a single-valued attribute that specifies the security identifier (SID) of the user. The SID is a unique value used to identify the user as a security principal. It is a binary value that is set by the system when the user is created.

Each user has a unique SID issued by a Windows 2000 domain and stored in objectSid attribute of the user object in the directory. Each time a user logs on, the system retrieves the user's SID from the directory and places it in the user's access token. The user's SID is also used to retrieve the SIDs for the groups of which the user is a member and places them in the user's access token. The system uses the SIDs in the user's access token to identify the user and his/her group memberships in all subsequent interactions with Windows NT security.

When a SID has been used as the unique identifier for a user or group, it cannot be used again to identify another user or group.

sIDHistory
The sIDHistory attribute is a multi-valued attribute that contains previous SIDs used for the user object if the user was moved from another domain. When a user is moved from one domain to another, a new SID is created and that new SID becomes the objectSid. The previous SID is added to the sIDHistory attribute, that contains the SIDs from the user's previous domain moves.


accountExpires

The accountExpires attribute specifies when an account expires. This value is stored as a large integer that represents the number of 100-nanosecond intervals since January 1, 1601 (UTC). A value of TIMEQ_FOREVER (defined in Lmaccess.h) indicates that an account never expires.

altSecurityIdentities

The altSecurityIdentities attribute is a multi-valued attribute that contains mappings for X.509 certificates or external Kerberos user accounts to this user for the purpose of authentication. Various security packages, including Public Key authentication package and Kerberos, use this data to authenticate users when they present the alternative form of identification such as certificate, UNIX Kerberos ticket, and so on. Build a Windows 2000 token based on the corresponding user account such that they can access system resources.

For X.509 certificates, the values should be the Issuer and Subject names in 509v3 certificates, issued by an external public Certificate Authority, that map to the user account used to find an account for authentication. The SSL (Schannel) package uses the following syntax: X509:<somecertinfotype>somecertinfo. For example, the following value specifies the issuer DN "<I>" with the DN "C=US,O=InternetCA,CN=APublicCertificateAuthority" and the subject DN "<S>" with the DN "C=US,O=Fabrikam,OU=Sales,CN=Jeff Smith".


Copy
X509:<I>C=US,O=InternetCA,CN=APublicCertificateAuthority<S>C=US,O=Fabrikam,OU=Sales,CN=Jeff Smith

Be aware that "<I>" or "<I>" and "<S>" are supported. Having only "<S>" is not supported. Applications should not modify the values within "<I>" or "<S>" because partial DN matching is not supported.

For external Kerberos accounts, the values should be the Kerberos account name. The Kerberos package uses the following syntax: "Kerberos:MITaccountname". For example, the following is the value for an account at Fabrikam.com:


Kerberos:Jeff.Smith@Fabrikam.com





badPasswordTime





Non-replicated. The badPasswordTime attribute specifies the last time the user attempted to log on to the account using an incorrect password. This value is stored as a large integer that represents the number of 100-nanosecond intervals since January 1, 1601 (UTC). This attribute is maintained separately on each domain controller in the domain. A value of zero means that the last bad password time is unknown. To get an accurate value for the user's last bad password time in the domain, each domain controller in the domain must be queried and the largest value should be used.





badPwdCount





Non-replicated. The badPwdCount attribute specifies the number of times the user attempted to log on to the account using an incorrect password. This attribute is maintained separately on each domain controller in the domain. A value of 0 indicates that the value is unknown. To get an accurate value for the user's total bad password attempts in the domain, each domain controller in the domain must be queried and the sum of the values should be used.





codePage





The codePage attribute specifies the code page for the user's chosen language. This value is not used by Windows 2000.





countryCode





The countryCode attribute specifies the country/region code for the user's language. This value is not used by Windows 2000.





homeDirectory





The homeDirectory attribute specifies the path of the home directory for the user. The string can be null.





If homeDrive is set and specifies a drive letter, homeDirectory should be a UNC path. The path must be a network UNC path of the form \\server\share\directory. This value can be a null string.





If homeDrive is not set, homeDirectory should be a local path, for example, C:\mylocaldir.





homeDrive





The homeDrive attribute specifies the drive letter to which to map the UNC path specified by homeDirectory. The drive letter must be specified in the following form:











<drive letter>:


where "<drive letter>" is the letter of the drive to map. For example:








Z:





If this attribute is not set, the homeDirectory should be a local path, for example, C:\mylocaldir.





lastLogoff





Non-replicated. The lastLogoff attribute specifies when the last logoff occurred. This value is stored as a large integer that represents the number of 100-nanosecond intervals since January 1, 1601 (UTC). The high part of this large integer corresponds to the dwHighDateTime member of the FILETIME structure and the low part corresponds to thedwLowDateTime member of the FILETIME structure. This attribute is maintained separately on each domain controller in the domain. A value of zero means that the last logoff time is unknown. To get an accurate value for the user's last logoff in the domain, each domain controller in the domain must be queried and the largest value should be used.





lastLogon





Non-replicated. The lastLogon attribute specifies when the last logon occurred. This value is stored as a large integer that represents the number of 100-nanosecond intervals since January 1, 1601 (UTC). The high part of this large integer corresponds to the dwHighDateTime member of the FILETIME structure and the low part corresponds to thedwLowDateTime member of the FILETIME structure. This attribute is maintained separately on each domain controller in the domain. A value of zero means that the last logon time is unknown. To get an accurate value for the user's last logon in the domain, each domain controller in the domain must be queried and the largest value should be used.





lmPwdHistory





The lmPwdHistory attribute is the password history of the user in LAN Manager (LM) one-way format (OWF). The LM OWF is used for compatibility with LAN Manager 2.x clients, Windows 95, and Windows 98. This attribute is used only by the operating system. Be aware that you cannot derive the plaintext password from the OWF form of the password.





logonCount





Non-replicated. The logonCount attribute counts the number of successful times that the user tried to log on to this account. This attribute is maintained on each domain controller in the domain. A value of 0 indicates that the value is unknown. To get an accurate value for the user's total number of successful logon attempts in the domain, each domain controller in the domain must be queried and the sum of the values should be used.





mail





The mail attribute is a single-valued attribute that contains the SMTP address for the user, for example, jeff@Fabrikam.com.





maxStorage





The maxStorage attribute specifies the maximum amount of hard-disk drive space that the user can use. Use the USER_MAXSTORAGE_UNLIMITED (defined in Lmaccess.h) value to use all available disk space.





memberOf





The memberOf attribute is a multi-valued attribute that contains groups of which the user is a direct member, depending on the domain controller (DC) from which this attribute is retrieved:





At a DC for the domain that contains the user, memberOf for the user is complete with respect to membership for groups in that domain; however, memberOf does not contain the user's membership in domain local and global groups in other domains.







At a GC server, memberOf for the user is complete with respect to all universal group memberships.





If both conditions are true for the DC, both sets of data are contained in memberOf.





Be aware that this attribute lists the groups that contain the user in their member attribute—it does not contain the recursive list of nested predecessors. For example, if user O is a member of group C and group B and group B were nested in group A, the memberOf attribute of user O would list group C and group B, but not group A.





This attribute is not stored—it is a computed back-link attribute.





ntPwdHistory





The ntPwdHistory attribute is the password history of the user in Windows NT one-way format (OWF). Windows 2000 uses the Windows NT OWF. This attribute is used only by the operating system. Be aware that you cannot derive the plaintext password back from the OWF form of the password.





otherMailbox





The otherMailbox attribute is a multi-valued attribute that contains other additional mail addresses in a form, for example, "CCMAIL: JeffSmith".





PasswordExpirationDate





The password expiration date is not an attribute on the user object. It is a calculated value based on the sum ofpwdLastSet for the user and maxPwdAge of the user's domain. To get the password expiration date, get theIADsUser.PasswordExpirationDate property. You cannot modify this attribute for a user; instead, set theIADsDomain.MaxPasswordAge property to change the setting for the domain.





primaryGroupID





The primaryGroupID attribute is a single-valued attribute that contains the primaryGroupToken of the group that is the primary group of the object. The primary group of the object is not included in the memberOf attribute. For example, by default, the primary group of a user object is the primaryGroupToken of the Domain Users group, but the Domain Users group is not part of the user object's memberOf attribute.





profilePath





The profilePath attribute specifies a path to the user's profile. This value can be a null string, a local absolute path, or a UNC path.





pwdLastSet





The pwdLastSet attribute specifies when the password was last changed. This value is stored as a large integer that represents the number of 100-nanosecond intervals since January 1, 1601 (UTC).





The system uses the value of this attribute and the maxPwdAge attribute of the domain that contains the user object to calculate the password expiration date. That is, the sum of pwdLastSet for the user and maxPwdAge of the user's domain.





This attribute controls whether the user must change the password when the user logs on next. If pwdLastSet is zero, the default, the user must change the password at next logon. The value -1 indicates that the user is not required to change the password at next logon. The system sets this value to -1 after user has set the password.





sAMAccountType





The sAMAccountType attribute specifies an integer that represents the account type. This is set by the operating system when the object is created.





scriptPath





The scriptPath attribute specifies the path of the user's logon script, .cmd, .exe, or .bat file. The string can be null.





unicodePwd





The unicodePwd attribute is the user password.





To set the user password, use the IADsUser.ChangePassword method, if your script or application enables the user to change his/her own password, or IADsUser.SetPassword method, if your script or application is allowing an administrator to reset a password.





The password of the user in Windows NT one-way format (OWF). Windows 2000 uses the Windows NT OWF. This attribute is used only by operating system. Be aware that you cannot derive the plaintext password back from the OWF form of the password.





userAccountControl





The userAccountControl attribute specifies flags that control password, lockout, disable/enable, script, and home directory behavior for the user. This attribute also contains a flag that indicates the account type of the object. The user object usually has the UF_NORMAL_ACCOUNT set.





The following flags are defined in Lmaccess.h.





Flag

Description





UF_SCRIPT

The logon script executed. This value must be set for LAN Manager 2.0 or Windows NT.





UF_ACCOUNTDISABLE

The user account is disabled.





UF_HOMEDIR_REQUIRED

The home directory is required. This value is ignored in Windows NT and Windows 2000.





UF_PASSWD_NOTREQD

No password is required.





UF_PASSWD_CANT_CHANGE

The user cannot change the password.





UF_LOCKOUT

The account is currently locked. This value can be cleared to unlock a previously locked account. This value cannot be used to lock a previously locked account.





UF_DONT_EXPIRE_PASSWD

Represents the password, which should never expire on the account.





The following flags describe the account type. Only one value can be set. You cannot change the account type.





Flag

Description





UF_NORMAL_ACCOUNT

This is a default account type that represents a typical user.





UF_TEMP_DUPLICATE_ACCOUNT

This is an account for users whose primary account is in another domain. This account provides user access to this domain, but not to any domain that trusts this domain. The User Manager refers to this account type as a local user





account.


UF_WORKSTATION_TRUST_ACCOUNT

This is a computer account for a Windows NT Workstation/Windows 2000 Professional or Windows NT Server/Windows 2000 Server that is a member of this domain.





UF_SERVER_TRUST_ACCOUNT

This is a computer account for a Windows NT Backup Domain Controller that is a member of this domain.





UF_INTERDOMAIN_TRUST_ACCOUNT

This is a permit to trust account for a Windows NT domain that trusts other domains.





userCertificate





The userCertificate attribute is a multi-valued attribute that contains the DER-encoded X509v3 certificates issued to the user. Be aware that this attribute contains the public key certificates issued to this user by Microsoft Certificate Service.





userSharedFolder





The userSharedFolder attribute specifies a UNC path to the user's shared documents folder. The path must be a network UNC path of the form \\server\share\directory. This value can be a null string.





userWorkstations





The userWorkstations attribute is a single-valued attribute that contains the NetBIOS names of the workstations from which the user can log on to. Each NetBIOS name is separated by a comma.





If no values are set, this indicates that there is no restriction. To disable logons from all workstations to this account, set the UF_ACCOUNTDISABLE value (defined in Lmaccess.h) in userAccountControl attribute.





Attribute

Description





c


The country/region in the user's address.





The country/region is represented as the two-character country/region code based on ISO-3166. For the valid codes, see Values for countryCode.





co


The country/region in which the user is located.





notes


A comment. This string can be a null string.





department


The name for the department in which the user works.





description


The description to display for the user.





displayName


The name displayed in the address book for a particular user. This is usually the combination of the user's first name, middle initial, and last name.





directReports


The list of users that directly report to the user. The users listed as reports are those that have the manager attribute set to this user. Each item in the list is a linked reference to the object that represents the user; therefore, the Active Directory server automatically updates this attribute when a user's manager attribute adds or removes this user as a manager. The items are represented as distinguished names.





facsimileTelephoneNumber


The telephone number of the user's business fax machine.





givenName


The given name (first name) of the user.





homePhone


The primary home telephone number for the user.





initials


The initials for parts of the user's full name. This may be used as the middle initial in the Windows Address Book.





ipPhone


Used by Telephony.





l


The locality, such as the town or city, in the user's address.





managedObjects


The list of objects that are managed by the user. The objects listed are those that have the managedBy attribute set to this user. Each item in the list is a linked reference to the managed object; therefore, the Active Directory server automatically updates themanagedObjects attribute when an object's managedBy attribute adds or removes this user as its manager. The items are represented as distinguished names.





manager


The user who is the user's manager. The manager's user object contains adirectReports attribute that contains references to all user objects that have theirmanager attribute set to the manager's user object.





mobile


The primary cellular telephone number for the user.





otherFacsimileTelephoneNumber


The list of telephone numbers of alternate fax machines for the user.





otherIpPhone


Used by Telephony.





otherMobile


The list of alternate cellular telephone numbers for the user.





otherPager


The list of alternate pager telephone numbers for the user.





otherTelephone


The list of alternate business telephone numbers for the user.





pager


The primary pager telephone number for the user.





physicalDeliveryOfficeName


The office location in the user's place of business.





postalAddress


The user's postal address.





postalCode


The postal code for the user's postal address. The postal code is specific to the user's country/region. In the United States of America, this attribute contains the ZIP code.





postOfficeBox


The number or identifier of the user's post office box.





sn


The user's surname (family name or last name).





st


The state or province in the user's address.





streetAddress


The street address of the user's place of business.





telephoneNumber


The primary telephone number of the user's place of business.





title


The user's job title. This attribute is commonly used to indicate the formal job title, such as Senior Programmer, rather than occupational class, such as programmer. It is not typically used for "suffix" titles such as Esq. or DDS.





Examples: Managing Director, Programmer II, Associate Professor, and Development Lead.





url


The list of URLs for the user's alternate web pages.





wWWHomePage


The URL for the user's primary Web page.

Comments

Anonymous said…
I've been looking all over for this, thank you!

Popular posts from this blog

How to list all the AD LDS instances on a server

AD LDS allows you to provide directory services to applications that are free of the confines of Active Directory.  To list all the AD LDS instances on a server, follow this procedure: Log into the server in question Open a command prompt. Type dsdbutil and press Enter Type List Instances and press Enter . You will receive a list of the instance name, both the LDAP and SSL port numbers, the location of the database, and its status.

How to run GPResult on a remote client with PowerShell

In the past, to run the GPResult command, you would need to either physically visit this client, have the user do it, or use and RDP connection.  In all cases, this will disrupt the user.  First, you need PowerShell remoting enabled on the target machine.  You can do this via Group Policy . Open PowerShell and type this command. Invoke-Command –ScriptBlock {GPResult /r} –ComputerName <ComputerName> Replace <ComputerName> with the name of the target.  Remember, the target needs to be online and accessible to you.

Error icon when creating a GPO Preference drive map

You may not have an error at all.  Take a look at the drive mapping below. The red triangle is what threw us off.  It is not an error.  It is simply a color representation of the Replace option of the Action field in the properties of the drive mappings. Create action This give you a green triangle. The Create action creates a new mapped drive for users. Replace Action The Replace action gives you a red triangle.  This action will delete and recreate mapped drives for users. The net result of the Replace action is to overwrite all existing settings associated with the mapped drive. If the drive mapping does not exist, then the Replace action creates a new drive mapping. Update Action The Update action will have a yellow triangle. Update will modify settings of an existing mapped drive for users. This action differs from Replace in that it only updates settings defined within the preference item. All other settings remain as configured on the ma...